/os/ - Online Security

News, techniques and methods for computer network security.






 >>/196/
> no Tor hidden service
> suggests deanoning self via logging in to "Anon ID"
> while suggesting stronger way of deanon than cookies, they claim to not store IP
> just made post with Tor Browser with no JS, cookies only, no "anon id" crap
> post shows up as by "Outlander", suggesting that majority of users there deanon self across sessions
Gee, I wonder why people call it honeypot

Wanted to join their IRC
OFTC is a bunch of rulecucks. While they allow Tor access, they limit amount of connections per Tor exit node. I had to rotate circuit 11 times to connect.
> #masterchan Illegal channel name
Looks like "identified anon's" message on that imageboard is truth
> Why is someone possibly IRCOP banning users right and left in #masterchan?

Why the hell does the Tor Project use this cucked network?




I have some observations to make.

## I just tested these systems:
MS DOS 6.22 runs in 384K of memory  (1994)
MS Windows 3.11 runs in 2MB of memory with a full mouse driven GUI (1994)
Macintosh OS 7.53 runs in 7.4MB of memory, full GUI + TCP/IP (1996)
Macintosh OS 8.1 runs in 13.2MB of memory (1997)
Macintosh OS 8.6 runs in 26MB of memory (1998)

OpenBSD 6.1 starts in text mode command line in 27MB of memory 
OpenBSD 6.1 in Xenocara uses 65-80MB of memory to start up.

## from recollection:
Windows 7 800MB of memory (2009)

Parabola GNU/Linux starts in text mode cli using 150MB of memory
Parabola GNU/Linux in weston uses 300MB of memory 

If someone could fill in the blanks (ballpark) for Windows 95, 98, 200, XP, Temple OS, Minix, etc., that would be helpful.  The point I'm trying to make is that if you could have a working GUI with TCP/IP networking in 2-15MB of RAM, why the hell does Linux need 150MB to start up and release a console to me?  What the hell is going on in there?

How much does Alpine linux use? Minix? ReactOS? HelenOS? Temple OS? etc.

Less is better.
Fresh install of Parabola/GNU/Linux-Libre/OpenRC

On an Intel core2 laptop 

boot into cli from OpenRC

$ free -h 

used 60 MB 

start xorg as root

# startx 

# free -h

used 75 MB

That's much more reasonable.  Goodbye systemd. 

Once I have everything working I'm going to backup my desktop and nuke it. It has Intel ME so I'll put parabola Open RC base onto it with Xorg and use it with mpv and retroarch, for streaming and gaming. I'll use other alternative hardware for more important / less resource intensive activities.   I like the memory usage from OpenBSD 6.3 more (27MB in cli after boot), and MS DOS 6.22 (348 KB) even more. Less things running in memory means a better chance of being clean. 

I have a retail box of MS DOS 5 from the early 90s on 5.25" floppies, before the advent of the internet (it's clean).  MS DOS has no security, its security is the physical security on my front door, but it's clean so that gives me privacy (unless I install malware); it's a pain to set up though, everything is manual configuration, that's the downside.

Alpine Linux on OpenRC
Fresh install on encrypted lvm with the services it said to start in the wiki guide. In command line on busybox.
$ free -m 
 120MB. 

I couldn't get X org to start, but it would probably add another 20MB on top of that.

Hyperbola with linux-libre-lts on OpenRC is similar to Parabola.  Boots into user account in command line at around 100MB; xorg adds another 20MB on top, to around 120MB.  Booting into a user shell seems to be more memory expensive than starting as root.

I want to boot to command line in no more than 20MB with a GUI that brings me up to no more than 40-50MB of memory usage.  Any more than that and there is too much going on.

Gentoo Linux (2021) 
Gentoo Hardened 10.3.0-r2 
Linux/x86 5.13.10-gentoo Kernel

text mode: 51 MiB

Fresh install running with Btrfs on LVM on LUKS. Hardened Gentoo amd64 no-multilib stage 3, 70 packages emerged. Running dm-crypt, iptables, lvm and bash. Could probably trim it down to 40MiB with some other choices (shell, daemons etc).  I think this is going to be as good as it gets for Linux (for me) without changing things drastically. Maybe I'll switch my shell to ksh or dash or something else and see how it performs.

MacOS HighSierra (2017)

Installed on a MacMini 2011 with 16GB RAM, fresh install:

PhysMem: 4981M used (1945M wired)

The system needs at least 5GB to run properly, and uses up to 10-14GB of RAM when using applications. The memory usage is similar on Monterey.






Where do you look for the latest news?
Personally, I read and trust the newspaper https://www.ukr.net/.
It is the only source of fresh and independent news.
I recommend it to you








When it comes to the desktop model of computing, Linux and BSD are not as secure as you think:

https://madaidans-insecurities.github.io/linux.html
https://madaidans-insecurities.github.io/openbsd.html

Some valid points raised there. If security is paramount, use Qubes OS. Alternatively, use ChromiumOS with all telemetry disabled and enjoy bottoming for Big G.



nice try grandpa
are you aiming for privacy, anonymity, security? VMs are unreliable from a paranoid security standpoint due to complexity, nevertheless if they provide anonymity, it may be worth it against larger foes that can compromise security with their access to exploits. Similarly with Tor Browser Bundle, sometimes it is better to blend in rather than to obscure your identity. a hoodie will be less conspicuous than a facemask.
 >>/1249/
> don't post modern photos except PNGs because of exif
you can strip exif data using 'exiftool' and other solutions. I have heard stories about cameras having hidden codes (and more likely, repeatable and detectable design flaws) that can be used to identify the module, but that's real rumor oojie boojie
> avoid all digitized vehicles
avoid vehicles especially with push-button ignition, vehicles with a disabled wireless unlocking mechanism would be preferable but there are vehicles with an option to disable the keyless wireless fob.   

 >>/1248/
> don't use social media
endchan is social media
> use a cheap private vpn
use someone else's vpn, don't leave a paper trail of payment leading to your credit card
> do not buy green appliances
enjoy getting vanned because your electricity company can tell when you're browsing the internet via the smart meter. green is just a color, but energy efficient appliances are easier to run off battery power and/or solar power sources.
 >>/1167/
> responding to phishing attempts at all
phishers may record a clipping of your voice to bypass automated vocal analysis software, which is luckily not commonplace, but nevertheless, do not give them information if possible
 >>/1306/
OpenBSD has a MAC randomiser inbuilt by default, isn't that a standard OS feature?
 >>/1328/
your password might have high entropy for a bruteforcing machine, but you're still relying on english grammar, which can be boiled down to rules no matter how complex they are
I would recommend creating a password using the FSF diceware list instead, as the words make less sense as a group, while still providing entropy


I'm not an expert but I have an IQ over 9000.
How I might attack a password.
A. List attack
I will get a list of "common passwords" derived from compromised user password list (the user account you made in ten seconds, 5 month ago because some Jew webpage made you).
> "12345678" and "nopassword".
B. low entropy Brute force of the password list
Common passwords with one character variance, common passwords with 2 character variance.
> 1234s6789, Nopassword1
The site made you add a symbol and a number, I'm so scared.

It's only if you got this far that any real effort has to be made, honestly if you're not special I will just give up and find a stupider person.

C. dictionary attack
Instead of guessing gibberish I will use whole words.
Long passwords are often made up of whole words and at this point I know your password is fairly long.
There are far more words in any given language than characters (this BTFO's Chinese users incidentally).
Many common phrases will already have been covered in A. "common passwords"
I start to assume things like "If there's a 'Q', the following character is 'u'"
The way this works technically a word and a phrase based attack aren't really separate 
> hitlerdidnothingwrong
> therighttobeararmsshallnotbeinfrienged 

If this didn't work you're a CHAD with a password like 
zgn$%w5jkgkn994 written under your mouse pad like my Grandma.

That's when we get into hash collisions, pre-computed hash values, hoping other elements (like servers storing plaintext password outputs) makes our life easier


 >>/1727/

I just finished installing Gentoo with btrfs on LVM on LUKS and spent 15 hrs configuring the kernel parameters to get iptables working with endwall.sh .  I have to add some more stuff for IPv6 to make it fully compatible with endwall.sh.

Here is my layout:

http://nguipxnkrp3qrzrlduhsatpcpwehnblzmlkc5ifiumxq4z5jlh4lwvid.onion/content/gentoo/layout.txt

sda is full disk encrypted OpenBSD 6.9, sdb is encrypted with unencrypted boot for Gentoo Linux.

Here is my current working kernel config:
http://nguipxnkrp3qrzrlduhsatpcpwehnblzmlkc5ifiumxq4z5jlh4lwvid.onion/content/gentoo/kernel_config.txt

you can copy this to /usr/src/linux/ and then overwrite .config , and run 

$ su
# cd /usr/src/linux
# cp kernel_config.txt .config
# make -j4 && make -j4 modules_install
# make install
# genkernel --lvm --btrfs --luks --microcode --firmware --bootloader=grub2 --install --kernel-config="/usr/src/linux/.config" initramfs

Which will build the kernel and the initramfs.  This works with encrypted lvm with btrfs.  changing parameters in menuconfig

change parameters with

# make menuconfig 

and recompile and install the kernel and initramfs.  Works for me so far.

Gentoo is a time suck, and there is no way I would know anything useful about Linux or UNIX system administration and security if I had started with it.  I think a good progression is Debian > Arch > Parabola > OpenBSD > Gentoo > MS DOS + compile what you need manually.










In this thread we will discuss cryptography, cryptosystems, crypt-analysis, and tools for cryptography such as gpg and other tools. If you work in this field or hear of some relevant news about this field feel free to contribute.  Use hyperlinks and source citations to back up any claims made if necessary.



 >>/1495/
Any radioactive isotope of an element should work.  In the video he's using Americium from a smoke detector.  You just need some random gamma and beta radiation from a decay event to set off the Geiger counter.   Any radioisotope will do.  Radioactive decay times and quantities are random and unknowable before the event occurs.

How does a crypto operator in a client relationship protect themselves against duress?
We are already starting to see digital robberies; because crypto clients are typically anonymous and can use a range of access points, the risk of Crypto-ATM robberies is increasing.
A two factor authorization and a silent alarm would be easy to set up- but this presents the risk that the silent alarm keeper could freeze accounts and make demands of clients.
A "two key" system can be used to ensure transactions and blocks are only made with the simultaneous cooperation of the Client and broker, but as with TOR if unilateral blocking is not possible the systematic takeover of brokering services is likely to eventuate.
While in theory if the broker was a bad-actor they still wouldn't gain access, the client would lose their protection without their knowledge, and a large number of bad-actor brokers would emerge to net a large number of clients.

Is this a problem inherent to a single origin (client centered) authorization chain?
Could the blockchain work in tandem in a two factor access system?



RC2014
http://rc2014.co.uk/

RC2014 is a simple 8 bit Z80 based modular computer originally built to run Microsoft BASIC. It is inspired by the home built computers of the late 70s and computer revolution of the early 80s. It is not a clone of anything specific, but there are suggestions of the ZX81, UK101, S100, Superboard II and Apple I in here. It nominally has 8K ROM, 32K RAM, runs at 7.3728MHz and communicates over serial at 115,200 baud. 

RC2014 is available in kit form for you to solder together.  Through-hole components are used throughout, making soldering easy, even for those with limited soldering experience.  Along with a selection of modules to extend functionality, such as serial terminals with HDMI output, digital input modules or, simple keyboard, the RC2014 is a very adaptable computer.

Assembly guides can be found here:
http://rc2014.co.uk/assembly-guides/

 Module information including schematic diagrams and technical descriptions can be found here: 
http://rc2014.co.uk/modules/

GitHub repository can be found here:
https://github.com/RC2014Z80/RC2014

Google Group for RC2014 owners can be found here:
https://groups.google.com/forum/#!forum/rc2014-z80

RC2014
http://rc2014.co.uk/
As soon as you turn RC2014 on you can start programming in Microsoft BASIC.  This is very easy to get started with and some very complex programs can be written.  To get right down to the metal, though, you can write your programs in Z80 machine code.

Development of the RC2014 has led to a more powerful machine with pageable ROM, 64k RAM, compact flash storage and a whole range of expansion peripherals.  With the right modules, it’s now possible to run CP/M, which opens the RC2014 up to a wide range of software.

RC2014 can be bought from Tindie:
https://www.tindie.com/stores/Semachthemonkey/

RC2014

Z80 Retrocomputing 18 - Z180 CPU board for RC2014
https://youtube.com/watch?v=D9u9hhNjcEY
Dr. Scott M. Baker
In this video, I build and try out a Z180 CPU board to replace the Z80 CPU in my RC2014 retrocomputer. Aside from simply being faster than the Z80 that I'm currently using, the Z180 offers a lot of on-board peripherals (serial IO, timers, interrupt controller, MMU, DMA, etc). I benchmark the 20 MHz Z180 against my 7.3728 MHz Z80. I'm saving exploration of the onboard peripherals for a future video. For more retrocomputing projects, see http://www.smbaker.com/

YM2149/ AY-3-8910 Sound Card for the RC2014 computer 
https://youtube.com/watch?v=-iLwi9FagFE

rc2014-ym2149 Designed by Ed Brindley
Demonstration of my sound card for the RC2014 computer. The board is Open Hardware and was produced entirely with Open Source Software (as was this video) PCB now available on Tindie: 
https://www.tindie.com/products/edbrindley/ymay-sound-card-pcb-for-the-rc2014-computer/
Schematics and Gerbers for the board are available here:
https://github.com/electrified/rc2014-ym2149







Definitions and Threat Models

In this thread we discuss the definitions of Privacy, Security, Anonymity.  We also create and describe common threat models that chan users might face.  

Who is the enemy? What tools do they potentially have? What could they do to you?  How do you mitigate these threats and potential harms?
I'm going to provide my definitions without referencing any material.  This is in a personal computing context:

Privacy: What I do on my local computer only I know, the files I read from my local hard disk, the computational operations that I perform, the text files I create, the commands that I input are known only to me (the user).  These operations, inputs by keyboard and outputs to my screen / monitor are known only to the user, only I know what files I observed, how I interacted with them, edited them or saved them, and what commands I inputted to the keyboard to perform these actions.  Local files and operations on the personal computer are known only to the current user, and are ephemeral and gone once the computer is power cycled, unless I specifically made a log of the actions and stored it to disk intentionally.

Security:  Unauthorized users, programs, or processes are not able to access read, write or modify, or know the contents of files or operations performed on the personal computer.  Remote computer users can not access, retrieve, files or memory from my personal computer unless I have set up a server to do so and only within the context of the files being served.  Other persons with physical access to my computing device can not operate, or retrieve files or information from the device without authorization.

Anonymity: Actions performed in public whether observed or unobserved, are either unnoticed, noticed but unreported,  or noticed and reported but it is not possible to attribute the public actions to the source actor either due to lack of observable evidence, or the computational complexity.  Public here means remote computers that my personal computer connects to via internet routing technologies. Public access from my computer to another computer system hosting files or serving files and content via the internet.  Actions could include retrieving files, modifying files, or reading and posting text to a remote server by way of programs running on my personal computer.

People accusing each other of not grasping the separation or overlap of these concepts is perennial (comes up often). So I figured this should be sorted out in its own thread. Post any additional definitions or links to proper definitions below.

Related concepts

Privacy: clean computing, no malware, no keylogging, no system logging.  No shoulder surfing. No cameras in your room. No microphones in your room. No screen captures. No position tracking. Public Key Cryptography for messaging (RSA). 

Security: Strong passwords, username/password access authentication, file permissions, Strong Encryption, Encrypted file systems, Encrypted files and folders. Firewalls, Access Control. Physical locks on your room, front door, windows, bars on the windows, physical key lock on the computer. 

Anonymity:  Face masks, hoodies, wigs and sunglasses, motor cycle helmets, black track suits, camouflage.  Tor, I2P, Proxies.  Typewriters, cork bulletin boards with tacks and push tacks,  No cameras, no voice recognition, no facial recognition.  Dead drops of floppy disks and USB sticks, SD cards. Sneaker nets.  Voice modulation/ modification dsp technologies, talking like Batman etc.  Text to speech...etc. 

I feel that personal computing privacy is the root of the other two concepts.  If there is a key logger or other related malware on your system (screen shot grabbers etc), your passwords are not secure (system and encryption), your actions and intentions are known, and your "Anonymous" discussions online through IM and message board posting, and potentially offline (dead dropping your manifesto that you typed on your computer) are also observable. 

Post more below

Analogies

Privacy: When I'm in my house I draw the blinds on my windows, and I can go into my shower, strip my clothes and shower naked, nobody can see what I'm doing except for me.  My walls form a visual privacy barrier, the running water masks the sound of my humming and whistling.   (Thermal imaging cameras can defeat this form of privacy).

Security: While I'm showering upstairs a delivery man comes to the door with a parcel, he rings the doorbell, and nobody answers,  from this he infers that there isn't anyone inside, and he tries the door handle to open the door.  It's locked with 2 deadbolts, so it doesn't open.   There are no open windows, and the windows are all barred up with security bars.  (Brute force or lock picking can defeat this form of security).

Anonymity: After finishing my shower, I open the front door and take the parcel in, and open the exterior, inside is a note with an address and some instructions, and another parcel.  I put on a wig with a fake mustache and beard, sunglasses and a hoodie.  I put on a black track suit and a motorcycle helmet, and go outside to my motorcycle and then I change the license plate to another stolen license plate belonging to another motorcycle owner that I stole earlier that day (borrowed).  My motorcycle is the most common manufactured brand, model, and color averaged over the last 10 years.  I proceed to drive at the speed limit to arrive at a house address mentioned in the note, to deliver the parcel that was placed at my front door by the delivery man.  I place it at his front door in a special lock box, and then I drive home.   Unless I was followed, hopefully the entire transaction was anonymous.  (defeated by being tailed, traced, tracked, or by camera surveillance network).

Regular anonymity, for most people, means walking out your front door with no face masking apparatus, jumping in your car (with your license plate), going to the store, buying milk, being on camera, paying with a credit card, and driving home.  But nobody cares, since everyone needs food, right? You are just one of many food eaters, not very unusual, so it goes unnoticed / unreported. (What most people think the internet is like...until you find out you were very wrong and uninformed about the danger...).


