2015 Hacker's Manual Recommended Security Toolchain

Is the mere inclusion of these in a popular British tech magazine a sign that these are mostly useless against anyone except non-state actors? This is from a few years ago so who knows what other strides have been made in algo-cracking.

Are the current privacy best practices completely fucked?

Attached: linuxsecurity.png (763x525, 616.84K)


Very much doubt GPG is compromised.

OMEMO is a better OTR
Veracrypt replaced TrueCrypt
Cryptocat has been discontinued and was always a little suspect

Other than that it's a very good baseline set of things you should be using daily.

I would think so too.

We know literally nothing about the people behind Tails and Tor is a project that was released and is funded by the US govt. If anything these tools are just designed so only certain entities are capable of accessing it and has nothing to do with privacy.

And how do we know when something they suggest such as TrueCrypt suddenly becomes useless too? It all seems extremely suspect.

...

SSL was patched after Heartbleed became known - exploit was likely known by NSA and others, but is now mostly useless since the patch.
Tor is still not broken (despite what you keep hearing).
OTR - no idea, never used it.
TrueCrypt is an old fave that nobody seems to still use... pity. As far as I know it's still reasonably secure, and Wikipedia details many of those limitations.
GPG is not PGP, which was insecure very early on.

I dunno about the other two.

Tails is a Debian-based Linux distribution with a public bug tracker and reproducible builds. How much would you need to know about the people behind it to be in a better position to judge its trustworthiness?

It's advisable to use Tor as part of a layered anonymity strategy. Not because it probably has backdoors, but because it's definitely not perfect.

How do you even function as a person?

And if a person doesn't like Tails for whatever reason, they can use heads instead.
fz474h2o46o2u7xj.onion/

He does not. That's why he posts here.

Cryptocat was dangerous amateur hour since its inception and is thankfully ~dead now. GPG is plagued by a complete idiot of a developer (Werner Koch, always make sure to write down names) to the point I wouldn't be surprised if he gets paid to sabotage it, but as far as I can tell it's still the best option available for slow communications. For IM it sucks dick but in my opinion IM generates far too much metadata for the really big guns anyway. TrueCrypt is still doing pretty well. Can't say much about the rest that hasn't been said already.


SSL has some critical fuckup every other month, and then there are the ten million CAs from god knows where that your system trusts by default. It's a complete joke against states.

Yep, CAs are complete fuckery.

I switched to LUKS after its developers vanished without trace. Miss the hidden volume feature sometimes though. Veracrypt seems nice but I already got used to LUKS when I first heard about it.
was compromised. Cryptocat devs are incompetent morons who shouldn't be let anywhere near computers.
archivecaslytosk.onion/CtG33

The rest is secure as far as I'm concerned, especially GPG. Until proven otherwise of course.


HTTPS is not the same thing as TLS. HTTPS relies on TLS to provide privacy and data integrity and certificate authorities to verify otherwise unauthenticated public key exchange.

I'm not sure where you got HTTPS from. Admittedly it was unclear whether I meant the protocol or OpenSSL, but both are garbage -- the protocol is an overcomplicated turd and OpenSSL is so well-trodden territory by now that I'm not going to go into detail.

TLS itself doesn't rely on CAs as far as I'm concerned so I simply assumed you were talking about HTTPS.

I actually can't think of anything that uses TLS without CAs on the spot. Tor, maybe? I vaguely recall something in that direction but that might be wrong. Distros usually use GPG.

SSL can still be stripped and connection can be downgraded. Session hijacking (sidejacking) tools like Faceniff were prevalent. There was a tool called SSLstrip you could use in conjunction with arp spoofing or DNS spoofing. Back in the day there was a really fun tool called subterfuge for this. The vuln related to sslstrip was fixed. sslsplit became the new tool. I'm not sure what tools people are using these days. I'm sure SSL can be defeated to this day.

TOR was originally funded by the DoD and was developed for Naval personnel to send secure communications from countries that they were never supposed to be in. There are ways to de-anonymize TOR users. There was a metasploit module for this. There have been numerous methods of attacking TOR in the past. It is likely there are numerous methods of de-anonymizing TOR users. Also numerous TOR nodes are owned by law enforcement.

True Crypt had some issues with a weakness in encryption. There are numerous other tools for creating encrypted containers. Also even with weak encryption you can put one encrypted container inside another or encrypt a file over and over again each round with a separate password or key.

OTR. Anons like it. Never used it personally.

GPG is still trusted.

CryptoCat. Questionable. Dude who invented it was murdered.

Tails. I could never get it to work.

If you want a really secure network find a VPS service that doesn't LOG and accepts cryptocurrency as payment.

You can chain SSH connections and forward other traffic through SSH. You can also use a proxy between each connection. Probably have issues with timeout. That or just set up a VPN on a VPS server offshore.

Using heavy encryption is likely to get you monitored. Since agencies can basically hack you with indemnity these days if they can't break your encryption and intercept your transmissions they will probably try to hack your endpoint and exfiltrate data directly from your system.


...

good post, you know your shit

Tails is insecure, because it uses systemd. I'm not a cracker, but I guess they use only minimalistic software, that can be trusted - less code, less bugs.

2015 TrueCrypt
2019 VeraCrypt

Completely unnecessary attacks considering you misunderstood my point about mentioning TrueCrypt as an example.

I never trusted SSL either, that is straight up placebo. Tails I always assumed is some deep agency distro even if the NSA supposedly had slides saying it was against their interests and Snowden told the journalists to use it, but even he has moved to Qubes

It doesn't end there. Need strong ciphers and high TLS. Site doesn't work? Well don't use it.
Probably MitM'd site. If you use weak SSL they can crack those data they got from submarine cables they spliced someday or some folding@home type of bruteforce.
It takes one joint effort for the beans to spill.
Recommended by glower "former CIA". Never use this if your life can be in danger.
Standards have standard backdoors.
Standardized digi-comms are bad opsec. Analog ham or btfo.
Better than bitlocker but untrusted. Still better than nothing but windows will just pass the keys over the cloud. Standards have standard backdoors.
Good but it's only a matter of clever and severe bugs to be found.
RIP.
Recommended by glower "former CIA". Never use this if your life can be in danger.
Standards have standard backdoors.

Snowden didn't "move to Qubes." Tails and Qubes are tailored to wholly different use cases and threat models.

Okay so what alternatives do you suggest user?

First what is at your end? Your paid ISP will have logs so whatever is your first step is it will be backtracked.
So you downloaded this cryptocurrency client app from that mirrorlist. Then used some VPN over your home network? Come on..
Secure is not synonymous with anonymity.
If you want true security cut off from the internet or any wirelessness/network and use good encryption and not be stupid enough to run or plug stuff there. DMA attacks exist so you better destroy those SD and PC card slots. Maybe even the LAN port has DMA who knows?
If you want anonymity just buy a burner modem + subscriber IM from separate places far apart while also taking measures on your online habits (like youtube playlist) and hardware fingerprint or even your waking/surfing hours which they can calculate from your working/offline/sleep hours to get your TZ so be sure to be as /b/ as possible.

Why do the goods have to be purchased far away or apart? Barcodes are data. The metadata is how close those two items are and it must mean that you live there. Don't underestimate the invest in the investigation.
Your last problem would be triangulation. Whitelist only one CellID and boost your signal outside the digital/analog modulation range, in short it is your location data through signal strength from 1, 2 or 3 CellID if you haven't blocked those yet.
Example is if you get good signal on 2 Cells it means you're at the center. On three Cells you can be triangulated immediately!
They can even shut down the CellID or power grid per suspected location and see if you lose activity for a day.
This is why the FCC only wants you to have FCC approved shit so you can easily be triangulated like a small insect trapped in mesh wire about to be scorched.

Unless someone has to die again or be accused with rape charges etc.
Redhat mafia strikes again.

Tor

I doubt Tor has any easy backdoors, unless there's some glaring architecture flaw that nobody's figured out yet, but usually there's at least speculation about those before an actual proof-of-concept can be executed.

Why no backdoors? Simple. The government understands that a backdoor is something any actor can use. They can't backdoor it and use it without compromising themselves. That's why most pushes for backdoors come from smaller organizations (generally police who want to access people's texts) or target technology that is common among consumers but completely disused in security circles.

Not to imply every government organization knows about security and has actually solid implementations. But given that the Navy uses Tor and FBI, CIA, NSA, etc all routinely try to find major flaws and publish them it's not hard to believe the implementation is pretty secure.

Nothing is truly "bulletproof" but you need to make it as difficult as possible. The more layers you add, the better. The more layers the average person adds, the better.

Tor is nothing if you have zero OPSEC, anyways. Silk Road got taken down because the owner posted an e-mail on a username tied to his real identity, not because Tor has a backdoor.


Now that's kinda where the NSA differs from the rest of the government in that they don't seem to care as long as nobody notices... which is a short-term plan in practice. The NSA being the thoroughly unprincipled actor that it is, it is simply not interesting in keeping the wheels turning until they have no choice in the matter. Conversely, the DoD (which built Tor) sees far more value in an "unbreakable" system than a "broken" one.

An interesting point to make here is that the NSA (which is built primarily for industrial espionage and mass surveillance) are basically tax-payer supported mercenaries that break and enter into computer networks and sell information to whoever pays them, usually either in money or political cover. It's already well-known that they have whole stations operating in the Middle East (Reuters scratched the surface of that not long ago when they did a piece on one in the U.A.E.), and they pretty much give Israel a discount price for unfiltered access, but a bit more bothersome is that the NSA sat on their ass during 9/11 and the 2016 Presidential Elections... and then they arrested Reality Winner when she leaked the proof of the ballot tampering methods used by the Russians, which in turn prompted the Dutch to go public with their own role which exposed the NSA's attempts to play dumb.

Anyway, given the multiple failures on their record, they decided to do some face-saving and assist U.S. Cyber Command in preventing a repeat of the last election's problems but only because... they have no choice.

How retarded you are! There are no alternatives.

I admit I don't know much about how they differ in the use cases besides the bootable v virtualization models they use. There is just a fog over Tails development history that reminds me of TrueCrypt.

I wonder if that's really what happened. Although it's believable that someone who runs a drug outlet gets sloppy sometimes.

Tails uses systemd, sadly.
Systemd is nu so many many exploits.

Reminder that the people spreading FUD about Tor are SHILLS
Link below is to a halfchan archive. The thread was pushing the whole "Tor is compromised" meme and using the "restoreprivacy" site, but look into the chain of posts starting with this one. You will find that the people spreading this anti-tor stuff are funded by shady VPN companies to push people towards their products, and the FUD-spreaders are banking off of this. They also push (((Moz://a))) Firefox and Brave, which have had numerous privacy issues in recent years. Furthermore they support the use of and use (((analytics)))
Do not trust these people
warosu.org/g/thread/S69830214#p69831770


Tails still uses systemd. Doesn't need to.
Systemd has exploits on the daily.

ettercap was fun too.

Personally I prefer VPNs over Tor. They proxy all traffic instead of just supported apps, and they are MUCH LESS BLOCKED. That's the big thing Tortards are missing.

No UDP over tor, so can't circumvent game bans automagically, got to fwd a tunnel over tor. :(

Can someone explain what exactly Tails is? I was under the impression it was a distro, but is that not the case? Is it like Whonix? Is Whonix a distro?
What if someone else is using some other PGP implementation? What if it's a different version of GPG?

Tails is a distro, specifically a distro you'd use on a USB stick.
Whonix is also a distro. Whonix is meant to be run using two VMs with some weird routing in between them.
IDK about GPG with other PGP implementations (pretty sure it would still work, as GPG is just an implementation), but different GPG versions won't matter. It's not like they're constantly tweaking the algorithms. It's still all the standardized AES, RSA, etc.

Thanks for clearing that up for me.

You realize that literally any PKI system has to set trust anchors somewhere, right? That's an indictment of shitty defaults, not the entire concept of TLS. Set up your own CA, issue certs to you and your buddies, and you're mostly safe.
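As an added example of what "set up your own CA" looks like with the openssl CLI (not code from anyone in this thread; the CA name, host.example and the file layout are made up for the demo), with the trust anchor pinned so that the system's default CA bundle is never consulted:

```shell
#!/bin/sh
# Added example, not from the thread: a private CA as the ONLY trust anchor.
# Everything lives in a temp dir; names are constructed for the demo.
set -eu
WORK=$(mktemp -d)
# Minimal req config so 'openssl req' works without a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\n[dn]\n' > "$WORK/req.cnf"

# Create the private CA: a self-signed cert that will be the sole trust anchor.
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Private CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a leaf cert for host $1, signed by the private CA, with a
# subjectAltName so hostname checks do not depend on CN fallback.
issue_cert() {
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORK/$1.ext" \
    -out "$WORK/$1.crt" >/dev/null 2>&1
}

# A self-signed cert for the same hostname: what an interposed box or an
# unwanted public CA would present. It is NOT chained to our CA.
make_rogue_cert() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 90 \
    -subj "/CN=$1" -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

# Verify cert file $1 for hostname $2 against our CA alone. -no-CAfile and
# -no-CApath keep openssl from also loading the system bundle of public CAs,
# which is exactly the "shitty defaults" the post above is talking about.
verify_pinned() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" \
    -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Demo: our own cert passes, the rogue one and a wrong hostname both fail.
make_ca
issue_cert host.example
make_rogue_cert host.example
if verify_pinned "$WORK/host.example.crt" host.example; then
  echo "own cert for host.example: accepted"
fi
if verify_pinned "$WORK/rogue.crt" host.example; then
  echo "rogue self-signed cert: accepted (BAD)"
else
  echo "rogue self-signed cert: rejected"
fi
if verify_pinned "$WORK/host.example.crt" other.example; then
  echo "wrong hostname: accepted (BAD)"
else
  echo "wrong hostname: rejected"
fi
```

The same pinning applies to clients: point them at ca.crt (curl --cacert, an SSL context with only that CA loaded) and a cert from any of the default public CAs is refused for those hosts.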

Leaked NSA internal docs show that they consider deanonymizing tor to be a pain in the ass, which is infinitely more valuable of a perspective than some possible shill on an imageboard.

Untrusted how you dumb nigger? It's been formally audited.


It's literally Torbrowser + a minimal Linux that sends all your traffic through the circuit.

Packet timing can easily give you the source, right?
Theoretically speaking, IF YOU WERE IMPORTANT ENOUGH OF A TARGET, some triple letter agency could ask all ISPs about current traffic coming into Tor network and going out of it. If packets consistently have same time intervals between coming into Tor network and coming out of it (read similar, for easier explanation) then you got your "match". Of course, this is just a theory but all agencies around the world talk with each other except in some geopolitical cases.

ie lemme give you a situation


VPNs ALWAYS cooperate with the police, even if they lie to their customers about not holding your info.

That's not how it works you retard.

Unless you get a VPN from Russia or some strange, unknown place on Earth. What is interpol gonna hack you over your Mongolian tackboard browsing habits? Doubt it. Maybe in some distant apocalyptic scenario in which they're mercilessly hunting down 2D waifus.

My fucking face when...


>

Avoiding systemDicks is a very good reason indeed tbh.

Pure garbage. The Heads fork is far more secure.


Tor is literally run by a rabbi. pics related. Anyways, i2p has always been better. Tor has always used confusing settings and nonfunctional default settings to deanonymize the vast majority of users. Then there is the fact that the public facing code has vulnerabilities that the internally used code does not. Then there's the fact that even people into security never compile their own code, so everyone is downloading compromised versions of the software anyways. Even then, the compilers are compromised, so you have to use multiple compilers and compare the hashes. Finally, if you're using unmodified AMD or Intel chips, then the head spooks can take complete control of your PC anyways and the anonymity attempt is futile. That's why Power chips from IBM are getting popular, but they are much more expensive than comparable Intel/AMD ones.


I think you miss the point of Tails. Tails is something that whistleblowers like Snowden use when they're on the run and shit. In that circumstance, I don't think you'd have the luxury of finding the exact configuration of special snowflake hardware that works with Heads (Heads uses Linux-Libre). Obviously I've never been in that situation, but I imagine you'd have to take what you can get. You need that reliable driver compatibility that comes with a more blobby kernel.
That being said, on your home systems where you can have guarantees about the hardware that's used, I can absolutely see your point about Heads being better.

Can you elaborate?

You really don't think an organization with hundreds of billions of dollars in budget won't develop a more secure fork than what is on GitHub? None of the head spooks use the unpatched software available to the public. They even have custom hardware from companies like Intel for them that don't have the security holes for the public.

And this applies only to Tor rather than i2p, because?


You see his IP right?
List of tor exit nodes is public, right?
You can jam his IP into browser and POP "this is tor exit node"
fuck off

Kill and eat these white girls!

It applies to all open source code, but Tor is openly funded to the tune of millions of dollars by the Feds. The point though is that the high level Feds use more secure forks than what is released on GitHub or wherever, and written by the same authors. Tor is also openly run by a rabbi, where i2p is not, and it is hurt by file sharing whereas i2p is not.

What did he meme by this?

ded
ded
ded


Didn't read the post, but compilers are compromised.
bootstrappable.org/

did he died?

That link is literally install gentoo.jpg and compile your compiler three times. Where's the proof that compilers are compromised at either the binary distribution or source code level? Since x86 CPUs and nearly every other architecture are non-deterministic, reproducible builds are near impossible. There's a lot of shit you would have to redesign to get reproducible builds like disabling OOE and the MMU.

I decided to start a new thread to answer. >>>1039291

ded

...

CAs do not work as intended because there are too many, and they are incentivised to ruin security for profit
banning self-signed TLS as fallback is also rubbish
it's better than nothing, but it's no holy prophet

Turd polishing, that's what it is. I use it myself, but let's not kid ourselves.

Tell me more

His code is complete and utter spaghetti, he's as uncooperative as it gets and rather than keeping the codebase small, he keeps adding one useless shit feature after another. Compare the sizes of the GPG releases some time. If you know German, you can search Fefes Blog, the guy behind it did a personal audit of GPG (including published patches) around 2007 and wrote some stuff on the topic, but I'm sure you can find stuff in English too.

Also as a personal anecdote, when I once tried to patch out the 4096 bit RSA limit out for test purposes, I had to remove the hardcoded number 4096 from three different places or so and shitloads of code that could have been pure was linked to I/O routines for no fucking reason, in the way complete beginners tend to write garbage like this:

    #include <stdio.h>

    /* reads its input and prints its output itself instead of
       taking a number and returning the square */
    void square_number()
    {
        int x;
        scanf("%d", &x);
        printf("%d\n", x*x);
    }

More like install GuixSD (or Nix), because its devs care about reproducible builds. I didn't see anything about reproducible builds nor binary bootstrapping on gentoo's wiki.
Did you read the website carefully? Compilers can't be trusted, because the earlier version of the same compiler builds the next version. Imagine there was a bug or a malware in the first version of a compiler and it causes every program (including a compiler) to be unsafe.
Here is an example of compiler-based malware:
quora.com/What-is-a-coders-worst-nightmare/answer/Mick-Stute


GCC has a build option to do that, but if the initial compiler is compromised, it's useless. I don't think that's intended as a mitigation for these kind of attacks.
At some point you have to assume one compiler in the chain as trusted. Maybe there's something involving old Fortran compilers on bootstrappable.org

What I found (in my admittedly quite short search) was dl.fefe.de/gnupg.dif (linked on fefe.de) - is that the the complete diff of all his patches? Because in blog.fefe.de/?ts=aa285889 he says
>Given the ramshackle state of the massive GnuPG code base, it's not clear what's the best path forward. A code audit is one possibility, but such reviews typically cost a minimum of $100,000 for complex crypto programs, and it's not unheard of for the price to be double that.
Seemingly quoting Matt Green of Johns Hopkins University. He then says (translated):
>Or you're lucky and good ol' Fefe throws you a bunch of patches for free - in his spare time. And then Werner Koch decides to trash the gifted $100K patch and I have to maintain my own patch in parallel for 9 years.

How do you not know that "Green" is a jewish surname? Never trust a kike, retard. Nearly everyone with surnames containing color words is jewish, most commonly gold, silver, green, roth (red), and schwarz (black).

How is Tor hurt by torrenting?
Why is the rabbi so important to you? Did you get nicked by your mohel?

>triple jewed: paid for jew service, exposed logs to glownigs, anonymously sell data to third-parties in datamarket
baka!
roundrobin AES and Camellia crypto over your Openwrt installed with shadowsocks.
Let me repeat once again:
Tor project is compromised.
arstechnica.com/tech-policy/2016/06/tor-developer-jacob-appelbaum-quits-after-sexual-mistreatment-allegations/
TBB is Soros-compromised.
newstarget.com/2017-08-14-firefox-browsers-will-soon-block-fake-news-flagged-by-george-soros-linked-left-wing-groups.html
Exit nodes glow.

It's been two years since this article. Mind pointing me to something that FF blocks that something like Brave doesn't? I have both installed, just need some search/link suggestions

Any opinions on this?

linux-apps.com/p/1281679/

never mind.

What is OTR

HAPAS ARE SUPERIOR TO WHITES


I smell rats.

This is a good thing.

Schizophrenia is one hell of a drug.

This is a good thing.

Why is there so much racism in this thread?

What's the difference between 4 Chan and 8 Chan?