Well, that has been the consensus among most security folks since the 80s. Yep, when we move from the mindset of "I'm not gonna get hacked because of my fully updated Ubuntu" to "shit, everything's fucked, what should I do", we (or at least I) think about how to work around hardware backdoors. The sad but true answer is security through obscurity. Running NetBSD on a Dreamcast is a good example, a firmware backdoor or other ring 0 trick would be a pain in the ass. It might be just as "easy" but that same amount of work could be applied to iPhone backdoors, which for 99.9% of attackers is a better target. It's not secure in the true sense of the word, but it's like hiding in a forest instead of an open field.
Make them work for it. Getting hacked is part of the plan.
so it's essentially infinite money vs infinite intelligence? an immovable object vs an unstoppable force? how would that pan out?
is any Windows system before XP/Vista a reasonable option? or would that be pre-exploited due to it already having been in the sphere of tech? or would it be good as it is now out of the mainstream sphere of thought save for hobbyists?
Jason Hall
Well, it depends. For running some old software and non-networked uses it's fine. It definitely has some easy bugs to exploit, especially if it hasn't had 10+ years of patches installed. I would imagine it is still a big target as lots of 3rd world countries have thousands of XP machines, plus the embedded version runs on ATMs and point of sale devices around the world today. Vista is slower than 7, ignoring its similar security situation. I think with some real hacking XP can be more secure than people think, like running modern Linux software through Cygwin. But even then lack of ASLR and an ancient kernel will still put it behind modern Linux/Unix. In summary, I don't think it is the kind of obscurity one would want to protect against off the shelf exploits/tools, for that there are better options. But if you have a special setup and/or can prove things about its behaviour then it's as good as anything. The worst choice is always things like pic related.
so essentially the only way to have true security is to find something up to date and make it yours per se, and don't outsource your security to "entities"
Jonathan Brown
That is right.
It is actually the unmaintained or unfunded projects that have the even more decent code while the well-funded ones/technologies (usually adopted as the standard after a code-off) are filled with backdoor ops and more and have more flaws but "muh performance" card over "that much more secure candidate".
This one is very true but I also advise putting them inside RAR/ZIP or else regret the copy being infected with the most sophisticated self-propagating worm programs, much worse than any ransomware. I probably still have an old Firefox MS binary that isn't Soros'd somewhere but it's probably wormed now (I'll be looking at the modified date). On the open source case, I find it hard to make old binaries work out of dependency hell distros (if you know one that isn't that plus a non-glowing distro, let me know) and it is a lot easier to do portable "copy, paste, and run" software on Windows, and it is much better, unlike on Linux distros where you need internet and sideloading is too bothersome (updated dependency breaks old programs).
Terry was a winfag and doesn't know any OpSec that is why the CIA caught up on his plans.
Noah Perez
this makes me think of arch-linux (primarily the memays about having to do every microscopic thing on it)
could you explain this bit for me, how does something get "wormed"? will keeping it in an always offline drive/machine prevent it from being compromised?
Hudson Robinson
For a high trust archive I would take all the old binaries and do 3 different checksums on each one then print out the results and store them with the copy. Also modify dates can be faked. If you want a comfy linux 2.4 distro DSL (damn small linux) is great, the package repos are still up too. It shouldn't be too hard to find 2000s era debian or slackware isos either. Linux source is archived all the way back too. For maximum oldfag points run it on a palm device, zarus(?), or original xbox.
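The checksum manifest described in the post above, as an added example that is not part of the thread: each file is hashed with three algorithms and the result is rendered as printable text. SHA-256, SHA-512 and BLAKE2b are an assumed choice (the post names none), all function names are hypothetical, and the constructed demo shows an altered file being flagged even after its modify date is put back.

```python
import hashlib, os, tempfile
from pathlib import Path

# Assumed choice of algorithms; the post only says "3 different checksums".
ALGOS = ("sha256", "sha512", "blake2b")

def digests(path, chunk=1 << 20):
    """Hash one file with every algorithm in a single read pass."""
    hashers = {name: hashlib.new(name) for name in ALGOS}
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}

def build_manifest(root):
    """Map each file's path (relative to root) to its three digests."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): digests(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def render(manifest):
    """Plain-text form meant to be printed and stored with the copy."""
    return "\n".join(
        f"{name}\n" + "\n".join(f"  {a}: {v}" for a, v in sums.items())
        for name, sums in manifest.items())

def verify(root, manifest):
    """Return sorted (path, problem) pairs for everything that no longer matches."""
    current = build_manifest(root)
    problems = [(n, "missing" if n not in current else "modified")
                for n, sums in manifest.items() if current.get(n) != sums]
    problems += [(n, "unlisted") for n in current if n not in manifest]
    return sorted(problems)

def demo():
    """Constructed sample: change a file, restore its timestamps, re-verify."""
    with tempfile.TemporaryDirectory() as d:
        target = Path(d, "setup.exe")
        target.write_bytes(b"MZ constructed sample binary")
        manifest = build_manifest(d)
        st = os.stat(target)
        target.write_bytes(b"MZ constructed sample binary + appended code")
        os.utime(target, ns=(st.st_atime_ns, st.st_mtime_ns))  # old modify date back
        same_mtime = os.stat(target).st_mtime_ns == st.st_mtime_ns
        return same_mtime, verify(d, manifest)

if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as the machine that produced it, so it should be generated before the archive drive is attached to any other system.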
Not that kind but what I mean is when they're setting standards for, like say, cipher standards where AES is adopted. Same goes for a lot of standards that are rigged from the beginning and the ones that won are glower friendly.
If you plugged in your hard drive over your friend's worm-owned PC it will infect most of the executables in an instant. It is the worst kind of infection since even the antivirus software will shut its mouth because it's embarrassing to tell the user that the antivirus executables have been infected with worms and the only way to fix it is to remove everything, since it is near impossible to unpatch the malware code injected into even the system files. One infection I saw was so good that it even prevented the offline startup scan from Malwarebytes and eventually auto-deleted any executable with a filename/description about any known antivirus software.
I usually put them under ZIP/RAR since even legitimate hack tools are sometimes suspected as viruses though it is detected as W32.hacktool which means it is just a hacktool but they delete them fast (even windows loader/activator).
Asher Lee
When i said physical copies i meant more like CD/DVD-Rs. I know it seems cumbersome to have a fuck ton of disks floating around, but if you come up with a system it's not that big of a deal. My strategy for keeping it clean and easy is to mark disks with release dates so i have an idea of when i should check for new releases, store the latest versions in a binder with dividers for category for ease of access, and keep old copies in paper cases, bundled with other old versions of the same software, stored in boxes with dividers and with a masking tape tag on the first disk just so the name of the software is readable without pulling bundles out. Glowniggers can't fuck with read-only optical media.
If you wanna archive on hard drives or flash media I recommend creating par2 files to prevent bit rot and mount read-only when not adding files.
Nathan Bell
This thread is dumb. OP had a decent idea (that many other people had) but developed it in a totally brainless way.
These agencies have other concerns besides pwning OP. Even for that, there are millions of people like OP to pwn. Their resources are extensive, but not infinite. In fact it's common for them to have resource shortages because government is inefficient.
Their hours don't scale comparably like that because see Mythical Man-Month. A lot of people are also there to collect a paycheck, not to be the best they can be, so they give no fucks. Say you get dumped with 100 other cases on some lowly mook's desk. He's only going to do the bare minimum so he can write a report and get his boss off his ass so he doesn't make him work weekends again. Not to mention these are government agencies and do (((equal opportunity employment))). The CIA is now ran completely by women for instance. That's the extent of baseline threat model: Advanced tools, operated by disinterested monkeys, mostly dragnet.
If you are doing something really bad - and I don't mean extra spicy memes - this changes, of course. At that level compsec is kind of irrelevant. They could park a surveillance van and when you're at work come in to do evil maid. They could even corrupt your actual maid with threats or money. They could kidnap you and take you straight to a black site because due process is irrelevant if you say "national security". But if you're attracting that sort of attention, you are either running a major criminal operation (think millions of dollars) or you are a rebel that poses serious threat to the government. People who do this have much more sophisticated security, including humint and physical sec, so the obscure 0-day in your netbsd or whatever the fuck becomes a trivial detail. But if you're an international criminal mastermind, what the fuck are you even doing on this board?