/cyb/ + /sec/ - Cyberpunk and Cybersecurity General

Cypherpunk Manifesto >>activism.net/cypherpunk/manifesto.html

◘ Cyberpunk Manifesto >>project.cyberpunk.ru/idb/cyberpunk_manifesto.html

∆ Hacker Manifesto >>phrack.org/issues/7/3.html

± Guerilla Open Access Manifesto >>archive.org/stream/GuerillaOpenAccessManifesto/Goamjuly2008_djvu.txt

▓ Fables, realities, prophecies and mythology of a community:

░ What is cyberpunk >>pastebin.com/hHN5cBXB

▀ The importance of a cyberpunk mindset applied to a cybersecurity skillset.: >youtube.com/watch?v=pcSlowAhvUk

● Cyberpunk directory: >pastebin.com/VAWNxkxH

▬ Cyberpunk resources >pastebin.com/Dqfa6uXx

▐ Cybersecurity essentials/resources

>pastebin.com/SCUbhpjP
>pastebin.com/VTXRAPxM

Cntrl + F Basic Knowledges, Basic Training, Arms/Arm >pastebin.com/rMw4WbhX

▼ Endware: Heavy armor for anons, by anons >>endchan.xyz/os/res/32.html

⦿ Shit just got real: >pastebin.com/rqrLK6X0

S archive: textfiles.com

Cybersecurity essentials/resources:
Reference books:
>mega.nz/#F!YigVhZCZ!RznVxTiA0iN-N6Ps01pEJw
>PASSWORD : ABD52oM8T1fghmY0

ftp://collectivecomputers.org:21212/Books/Cyberpunk/

Last thread, sadly, always remember to post the subject:

OP message:
First time creating this thread, used the same image as the previous OP.

Attached: trabajon3_marcosruiz_by_sicnotxdcb2wtk.jpg (751x1063, 130K)


When are you too old to get into InfoSec?

how do I figure out if I'm a brainlet or not?
I want to train up for a cybersec apprenticeship

Good to be backkkkk!

When you are too old to work 18 hour days.

Hard to tell without knowing your background. I'd suggest beginner CTFs to see if your mindset takes you in the right direction.

Let me rephrase it:
"When are you too old that some company will actually hire you, when you have a background in programming / databases but not in any InfoSec related field?"

You can succeed in one of two ways.
Sheer brilliance: everything is easy and you just breeze through it all. Very, very few are there
Hard work: An excellent substitute for the above.

I mean I've never programmed anything in my life, I haven't even used a computer in a year in all honesty because I went kaczynski-mode
I'll try those CTFs and see how I fare but if I'm awful at them where else do I start?
is getting into cybersec a pipedream or can anyone do well if they put in enough hours?
how do I practice what I learn?

Bump


I'm not a cyber security guy myself, but I think some basic knowledge about programming in C, Python, Assembly as well as having an idea about networking (something like CCNA) surely helps.

I know I'm a tech brainlet. I want to encrypt and password protect files on Ubuntu but it seems so complicated.

You might want to check the FAQ.

My impression from my time as a programmer is that companies definitely prefer fresh meat: peak performance is expected at 25 and you are too old to continue at 40.

Peak performance means you will be on a slave ship working 70+ hour weeks. At 40 you have to be in a more management style job, or you will be kicked out with some strange explanation which will have no bearing on reality.

BUMP FOR DEFCON

Thanks. Another somewhat quiet day here.

Another thing about working in /sec/: you will have to keep updated, continuously. Zero day is hot, two day is not. So:


=== /sec/ News:
>Containers and license compliance
lwn.net/Articles/752982/
>So he looked at the Docker equivalent of "hello, world"; he used Debian as the base and had it run the echo command for the string "Hello LLW2018". In order to make that run, the image contained 81 separate packages, "just to say 'hi'". Beyond that, there is support for SELinux and audit, so the container must be "extremely secure in how it prints 'hello world'".

Extremely secure? You wish. However

>People do "incredibly dumb stuff" in their Dockerfiles, including adding new repositories with higher priorities than the standard distribution repositories, then doing an update. That means the standard packages might be replaced with others from elsewhere. Once again, that is a security nightmare, but it may also mean that there is no source code available and/or that the license information is missing. This is not something he made up, he said, if you look at the Docker repositories, you will see this kind of thing all over; many will just copy their Dockerfiles from elsewhere.

Right. And what does this mean?

>But it gets even worse, Hohndel said. Most people start with a Dockerfile they just find somewhere. If you look at the Dockerfile for Elasticsearch, for example, it installs gosu and uses the Dockerfile for OpenJDK 8, which in turn uses other Dockerfiles. One of those is for Debian "stretch", which also updates all of the packages.

>He has done a search of official Docker images and did not find a single one that follows compliance best practices. All of the Dockerfiles grab other Dockerfiles—on and on.

Anyone care for security?
>No one wants to hear about these problems, Hohndel said; he has tried.
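An added example, not part of the thread or of the LWN article: a small Python audit for the Dockerfile habits quoted above, namely extra package repositories with raised priority followed by an upgrade, and base images pulled by a mutable tag instead of a digest. The sample Dockerfile, the rule names and the repository host are constructed for illustration, and the checks are APT-specific heuristics.

```python
import re

# Constructed sample: the first stage adds a third-party APT source, pins it
# above the distribution and then upgrades; the second stage is pinned by
# digest. The host name and the all-zero digest are placeholders.
SAMPLE = r"""FROM openjdk:8
RUN echo "deb http://repo.example.invalid/debian stretch main" \
      > /etc/apt/sources.list.d/extra.list \
 && printf 'Package: *\nPin: origin repo.example.invalid\nPin-Priority: 1001\n' \
      > /etc/apt/preferences.d/extra \
 && apt-get update && apt-get -y upgrade
FROM debian@sha256:DIGEST AS runtime
RUN apt-get update && apt-get install -y --no-install-recommends curl
""".replace("DIGEST", "0" * 64)

FROM_RE = re.compile(
    r"(?:--platform=\S+\s+)?(?P<image>\S+)(?:\s+as\s+(?P<alias>\S+))?\s*$", re.I)
# A shell redirect or tee into sources.list(.d), or add-apt-repository.
ADD_REPO_RE = re.compile(
    r"add-apt-repository|(?:>>?|\btee\b(?:\s+-a)?)\s*/etc/apt/sources\.list")
PIN_RE = re.compile(r"Pin-Priority|/etc/apt/preferences")
UPGRADE_RE = re.compile(
    r"\bapt(?:-get)?\s+(?:-\S+\s+)*(?:upgrade|dist-upgrade|full-upgrade)\b")


def logical_lines(text):
    """Yield (first_line_no, INSTRUCTION, args) with '\\' continuations joined."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments, also inside a continuation
        if start is None:
            start = n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split(None, 1)
        yield start, parts[0].upper(), parts[1] if len(parts) > 1 else ""
        buf, start = "", None


def audit(dockerfile_text):
    """Return a list of (line, rule, detail) findings."""
    findings, stages, extra_repo = [], {"scratch"}, False
    for line, instr, args in logical_lines(dockerfile_text):
        if instr == "FROM":
            extra_repo = False  # a new build stage starts from its own base
            m = FROM_RE.match(args.strip())
            image = m.group("image") if m else args.strip()
            # Earlier stage names and "scratch" are not pulled from a registry.
            if image.lower() not in stages and "@sha256:" not in image:
                findings.append((line, "unpinned-base", image))
            if m and m.group("alias"):
                stages.add(m.group("alias").lower())
        elif instr == "RUN":
            if ADD_REPO_RE.search(args):
                extra_repo = True
                findings.append((line, "extra-repo",
                                 "adds an APT source outside the distribution"))
            if PIN_RE.search(args):
                findings.append((line, "repo-priority",
                                 "changes APT pin priorities"))
            # Order inside a single RUN is not analysed; any upgrade in a
            # stage that has an extra source is reported.
            if extra_repo and UPGRADE_RE.search(args):
                findings.append((line, "upgrade-after-extra-repo",
                                 "distribution packages may be replaced"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep="\t")
```

The audit only sees one file; the base image named in each `FROM` has its own Dockerfile that needs the same treatment, which is the chain the article describes.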

There is a Cyberpunk group on Deviantart:
cyberpunks.deviantart.com/gallery/
A bit mixed but some is good.

Oldfag here, chiming in with a shot from the peanut gallery. Docker had the fanboi smell from Day 1. Anytime you have "new and fresh" tech that suddenly has a popularity contest around it, that's a sure sign something's fucked about it. Subjugating your reason and logic to "but everyone else is doing it" is not the hallmark of a person who knows their shit.

>systemd
Aggressive marketing campaign, project scope creep, large project size that makes auditing difficult, and now chunks of "modern" Unix desktops are hard-linked to it, making some projects Linux-only. Yes, it works - but beyond the command interface, do you really know what it's doing?

>docker
A rehash of jails, but it pulls down chunks of unaudited code from the Internet. What could go wrong? And now someone is pointing out that the jails won't save you from a shitty jail design. Another example of putting your brain in the denture glass and just drinking the kool-aid.

what comes next? Windows is already rife with this shit:
>Chrome
Phones home for every-fucking-thing.
>Mozilla
Paid ads are now a standard feature in the start page. No tracking here, move along.
>Windows 10
Phones home for a whole lot of shit.

It's not getting better, but that doesn't mean you need to go full Una in da woods.
>get older non-Intel CPU
AMD isn't perfect but it's cheaper and doesn't have Intel's backdoor bullshit. Old RISC stations are pricey and difficult to maintain, but if you have the knowledge, can be made into semi-airgap systems.
>Non-Windows OS
Suck it up. FreeBSD if you want 3rd party maintenance, or Gentoo if you want to roll your own. Debian drank the kool-aid starting at version 8, and it's just getting worse. Ubuntu is a regrettably necessary joke.
>stock up with as much RAM as possible.
The bullshit about "you only need" will kill you when you start getting serious about doing shit.
>make your firewall bidirectional
catch shit trying to phone home

>Another thing about working in /sec/: you will have to keep updated, continuously. Zero day is hot, two day is not
And this is why it makes sense to write a crawler that scans sources and pulls articles like this. Give it some targets and then aggregate that shit into a private RSS feed, all from the comfort of your own server.

>>make your firewall bidirectional
What, specifically, is a good way to do that? A lot of stuff that spies on you phones home over ordinary HTTPS on TCP 443. Is there any alternative to having to manually sniff traffic and look for IPs you don't like the look of and playing whack-a-mole with them? That sounds dubiously practical.

>Intel's backdoor bullshit

AMD has it too, actually.

I know. A quick search turns up
>en.wikipedia.org/wiki/AMD_Platform_Security_Processor
but it hints that CPUs from 2012 on backwards may be acceptable. Not really sure if that is true, but it would be worth a look.

You'll have to do a MITM via web proxy. You would need to:
1. issue your own CA
2. put your private CA cert on your browsing machine
3. use the proxy
4. have the proxy re-write traffic

By the way, this is what commercial products do for businesses - they do what is supposedly a transparent intercept, but in reality they simply MITM the certificate, using the scanning device as a CA, and the CA is installed on everyone's machine. It sounds ass-backwards but if you control the CA, the cert, and certainly the proxy (not a commercial product) then you'll have a fighting chance. You could probably do something like this with OpnSense (which was forked from PfSense).

Another potential option is to Snort that crap and have something home-brewed that would auto-whack-a-mole the connection when it starts seeing bullshit. Probably waaaaay too complicated and/or intensive to actually get it set up, but you get the idea.

Not sure but it looks like the FX series of AMD chips may have been the last "non-manageable" chips.

>Docker had the fanboi smell from Day 1.
Another set of examples are the Javascript libraries. Got a task? Start by loading up a GB of libraries, each relying on others. Indeed, what could possibly go wrong?

Reminds me of that mother of all crypto disasters in Debian. The security hole was large enough to fly an average sized gas giant through effortlessly. It is inconceivable that this was not picked up by at least half a dozen alphabet soup agencies for the duration it festered.

So now dockers have Debian deep down. Yes, that should be fine.

>Another set of examples are the Javascript libraries
Don't get me started. Install uMatrix and then watch as websites **load the latest code version dynamically from some other website on the fly**, all because it's "maintenance free". Which means, as a webmaster, you have no fucking clue what it just loaded. If a Javascript library becomes compromised, great, you just passed the compromise to hundreds, thousands, tens of thousands...who knows.

I can understand "we want the latest and freshest so we are always patched" but semantically downloading and approving the patch is not the same as simply offloading the entire patch direct from the source - notice the missing "approving the patch" when I said "direct from the source". There's no audit, no reading notes from the vendor, no nothing.

And this is what passes for good web design.
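An added example, not part of the thread: a Python audit that lists every script and stylesheet a page pulls from another host and reports the ones a webmaster has not pinned to an approved version. It goes one step beyond the post by treating the HTML `integrity` attribute (Subresource Integrity) as the marker of "downloaded and approved"; the sample page, the host names and the integrity value are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page; hosts and the integrity value are placeholders.
SAMPLE_URL = "https://www.example.org/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://fonts.example.net/css?family=Mono">
<script src="//cdn.example.net/lib/latest/lib.min.js"></script>
<script src="https://cdn.example.net/lib/3.3.1/lib.min.js"
        integrity="sha384-CONSTRUCTED" crossorigin="anonymous"></script>
<script src="/static/app.js"></script>
</head><body></body></html>
"""


class ResourceAudit(HTMLParser):
    """Collect scripts and stylesheets fetched from hosts other than the page's."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.loads = []  # (kind, host, absolute_url, pinned)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        rel = (a.get("rel") or "").lower().split()
        if tag == "script" and a.get("src"):
            kind, ref = "script", a["src"]
        elif tag == "link" and "stylesheet" in rel and a.get("href"):
            kind, ref = "stylesheet", a["href"]
        else:
            return
        url = urljoin(self.page_url, ref)  # resolves relative and //host forms
        host = urlsplit(url).hostname
        if host and host != self.page_host:
            # Only the presence of the attribute is checked here; the browser
            # is what verifies the hash against the fetched file.
            self.loads.append((kind, host, url, bool(a.get("integrity"))))


def third_party_loads(page_url, html):
    """Return all third-party (kind, host, url, pinned) tuples in page order."""
    parser = ResourceAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.loads


def unpinned(page_url, html):
    """Third-party resources whose content can change without the site noticing."""
    return [(kind, host) for kind, host, _url, pinned
            in third_party_loads(page_url, html) if not pinned]


if __name__ == "__main__":
    for kind, host, url, pinned in third_party_loads(SAMPLE_URL, SAMPLE_HTML):
        print("pinned  " if pinned else "UNPINNED", kind, host, url)
```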

Oh yes. Web design. Loading scripts (including Google analytics) plus fonts from Google makes for incredible traffic analysis. Just open a web page and BRAFFFF! about 200 files are downloaded from Google. Plus a smattering from dozens of project web pages. Plus css files. And FB. And Apple.

At least the FAQs are without external dependencies.

I want to see a re-write tool that allows you a one-time download of their bullshit (minus Google's infamous urchin.js crap) such as fonts, so when you go to some webpage, it pulls local cached copy from your server. No tracking, no bullshit, and the page renders.

Fuck, this should be a github project from an anonymous coder. A transparent business-grade web proxy that does TLS intercepts using your own private CA, pulls and updates various library files (after approval and scanning), pulls and updates fonts, etc. When your client connects it connects via proxy, it receives the "approved" scripts, fonts, pictures, and any other elements. It would effectively limit traffic to pure HTML, chunks of CSS, and maybe a few other bits like streams, but the rest? Fuck that noise.

>this should be a github project from an anonymous coder
Very much agreed.

I think the simplest would be to bootstrap this off an existing project such as Smoothwall, which also has a reasonable ecosystem. It also has Snort which I consider also a must.

>Protects you against tracking through "free", centralized, content delivery. It prevents a lot of requests from reaching networks like Google Hosted Libraries, and serves local files to keep sites from breaking. Complements regular content blockers.

>[...] It comes bundled with a fair amount of commonly used files, and serves them locally whenever a site tries to fetch them from a delivery network. This saves bandwidth, and protects your privacy.

>Decentraleyes complements regular content blockers (e.g. uBlock Origin, and Adblock Plus).

addons.mozilla.org/pt-BR/firefox/addon/decentraleyes/

>What does it do to protect me when it has no choice but to allow a request?

>Even if a resource is not locally available, Decentraleyes offers improved protection by stripping optional headers from intercepted CDN-requests. This keeps specific data, such as what page you are on, from reaching delivery networks. Whitelisting a domain does not affect this measure.

github.com/Synzvato/decentraleyes/wiki/Frequently-Asked-Questions

Done.

Thoughts on OpnSense?
opnsense.org/

It's the PfSense fork I was talking about, using FreeBSD bits.

>opnsense.org/
That one is new to me, I'll have to take some time to look into that. Heritage seems to be from Monowall.

I think monowall begat pfsense begat opnsense. The big spat in 2017 was that pfsense announced they were gonna require AES-NI, which a lot of people who were running it on old C2D boxes and such didn't like. Supposedly part of the reasoning behind this was that the pfsense folks didn't much like the people who were just home users that would never buy their branded hardware or paid support. I don't know how much truth there is in that, but I know opnsense is specifically supporting anything x86-64, AES-NI or no. I think some of the people who forked thought pfsense was being too slow to release updates too.

Disclaimer: I no longer run pfsense and never did run opnsense, this is just stuff I heard on the internet.

So much truth here.

Emergency page 10 bump


Just got it at Steam Sale, Jesus fucking Christ it feels more hectic than Hotline Miami

Attached: 429005-ruiner-windows-apps-front-cover.jpg (720x1080, 77K)

bump

bump 2

Thanks. I am surprised it is so quiet here today.

LWN has a regular column on security well worth following, so here goes:

=== /sec/ News:
>Security quotes of the week
lwn.net/Articles/753373/
>With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over close to 15 years of on-and-off analysis of the codes Vingcard electronically writes to its keycards, they found a method to vastly narrow down a hotel's possible master key code. They can use that handheld Proxmark device to cycle through all the remaining possible codes on any lock at the hotel, identify the correct one in about 20 tries, and then write that master code to a card that gives the hacker free reign to roam any room in the building. The whole process takes about a minute.
>— Andy Greenberg in Wired

It makes you wonder how much is out there, just waiting for some auditing.

>Samsung Smart TV. During the first minute after power-on, the TV talks to Google Play, Double Click, Netflix, FandangoNOW, Spotify, CBS, MSNBC, NFL, Deezer, and Facebook—even though we did not sign in or create accounts with any of them.
>— The Center for Information Technology Policy at Princeton announces its IoT Inspector project

Another case of "What could possibly go wrong?"

Yeah, sadly it is. I think that's because a lot of the people live in the US (I live in Europe).

One of the 4 guys who has any idea what they are talking about returning for duty. I miss anything since I've been gone. I see the thread is still around
Most people I have met who are any good are a mix of the two, but hard work is more important.
If you are following the standard track, you will be booted to management or technical lead by mid 30s. If you are good though, I will hire you no matter what age you are.

eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now

full details are being released tomorrow it seems.

That reads like something that was known by the alphabet soup agencies years ago. Or am I too conspiratorial here? I guess there is a buffer overflow somewhere that causes autorun of whatever is decoded when automatic PGP is enabled.

Worse, it can be used to decrypt past emails:
twitter.com/mikko/status/995927790829670400


more br kino


bump

Bump with Destiny.


bump

Unfortunately the master key disaster had its roots in Europe.

Another glimmer of activity on Usenet News; alt.cyberpunk:
groups.google.com/forum/#!topic/alt.cyberpunk/zDINuT52uGU

I wish I had relevant stuff for these threads. I'm ever so slowly learning about this topic, but for now I just like the aesthetic.


Finding relevant stuff is not a problem, it is all over the news these days.

Post news about infosec or kino.

what would you do with owned wifi networks /cyb/

Looks like it's an email client vulnerability.
efail.de/

own the rest that net has to offer

hot news: html in emails is a terrible idea

Thanks for the music.

>that was known by the alphabet soup agencies years ago
bug is 17 years old.
>trusting a plugin to handle your PGP encryption
>using it on mozilla / outlook
>not doing your encryption / decryption on an airgapped computer with live distro burnt on a cd
Why are people even caring about privacy when they have no clue about security ?


Ads drive the net. And not in a good way.
=== /sec/ News:
>Would you pay for an ad-free internet?
bbc.com/news/business-44066077
>The digital advertising industry is in crisis: ad fraud is rife, many online ads are never even seen and ad blocking software is threatening to undermine the internet's fundamental business model.

And that was before Adnausea. And how much money are we talking about?

>The World Federation of Advertisers, whose members spend about $900bn a year, says less than half of display adverts are seen properly. "Visibility", as it's known in the industry, is defined as 50% of the ad's surface area in view for a second, or two seconds if it is a video.

With a budget larger than the BNP of several countries there should never have been any doubt that there would be fraud, massive fraud. And in all forms.

I'm desperately hoping for a massive wave of web bankruptcies as more people neither see ads nor pay for things directly.

Welp


===/sec/News
gizmodo.com/email-no-longer-a-secure-method-of-communication-after-1826002682

At the end, decentralized alternatives ought to take off social media as advertising becomes less rampant.

Me too, the "web" is dead with monopolies that fed off ads, maybe this can change something.

One can dream...

>not to use HTML email can mitigate this vulnerability
Ha, glad to be on /cyb/, where we have discussed text based email clients are the right way to do e-mail.

A lot of misinformation is making its rounds.
lwn.net/Articles/754370/

Three letter agencies must be making a feast out of the mistakes from people failing on the misinformation.

===/sec/News
Important Warning — Critical vulnerabilities found in two widely-used methods for encrypting emails–PGP and S/MIME–could reveal sensitive content of your encrypted emails in plaintext.

thehackernews.com/2018/05/pgp-smime-email-encryption.html


I think so too. The hilarious thing is that now they will try to complete whatever jobs they have remaining before the holes are closed, battling countless cryptominers using the same tools.

.Hack/sign, is it Cyberpunk?
youtube.com/watch?v=oCWXPM0xx2c

Some classic (old) papers on security:

acsac.org/2002/papers/classic-multics.pdf
... on Multics

ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf
... on trust

Jesus Christ is there no secure way to communicate online?

>With a budget larger than the BNP of several countries there should never have been any doubt that there would be fraud, massive fraud. And in all forms.
Some handy graphs just turned up. Scary.
>Wealth And Power
electronicsweekly.com/blogs/mannerisms/paranoia-corner/wealth-and-power-2018-05/
>Some remarkable foils from Reuters show the astonishing wealth of the big US tech companies.

These do indeed rival the BNP of several countries.

You can use encrypted ssh and set up your own mail network over such links.

Just goes to show you the importance of forward secrecy. Of course it's inherently difficult to do that with email since you have to agree on a session key somehow. That and PGP is from the 90s when we didn't know any better so it punted.

Well there's already STARTTLS but it has to be negotiated as an upgrade from an unencrypted link, so it'll save you from passive but not active attackers. (since it starts unencrypted said active attackers can remain undetected - all you'll see is a server that claims not to support TLS) But that's only for transport, the message contents still have to be held on the mail server in the clear.

Of course there's better things we could be using to encrypt message text than PGP, and I think it's arguable that the whole web-of-trust shit that PGP likes was a mistake.
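An added example, not part of the thread: a Python sketch of the STARTTLS downgrade described above, seen from the sending side. It parses the server's EHLO reply and shows that an opportunistic client falls back to cleartext when the capability line is missing, while a client that requires TLS, or that remembers the host offered it before, fails closed. The EHLO replies, host name, function names and return labels are constructed for illustration.

```python
# Constructed EHLO replies from the same hypothetical server: once as sent,
# once with the STARTTLS capability line overwritten in transit.
EHLO_NORMAL = ("250-mx.example.test at your service\r\n"
               "250-SIZE 35882577\r\n"
               "250-STARTTLS\r\n"
               "250 8BITMIME\r\n")
EHLO_STRIPPED = EHLO_NORMAL.replace("250-STARTTLS", "250-XXXXXXXX")


def parse_ehlo(reply):
    """Return the upper-cased extension keywords of a multi-line 250 reply."""
    extensions = set()
    for i, line in enumerate(reply.splitlines()):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("not a 250 EHLO reply line: %r" % line)
        if i == 0:
            continue  # first line carries the server's greeting, not a keyword
        words = line[4:].split()
        if words:
            extensions.add(words[0].upper())
    return extensions


def choose_transport(host, ehlo_reply, require_tls=False, seen_tls=None):
    """Decide how to continue the SMTP session.

    seen_tls is a caller-owned set of hosts that offered STARTTLS before
    (trust on first use). Returns one of:
      "starttls"         upgrade the connection
      "cleartext"        opportunistic fallback; a stripped reply lands here
      "abort-policy"     TLS is mandatory for this destination
      "abort-downgrade"  host offered STARTTLS earlier and no longer does
    """
    if seen_tls is None:
        seen_tls = set()
    if "STARTTLS" in parse_ehlo(ehlo_reply):
        seen_tls.add(host)
        return "starttls"
    if require_tls:
        return "abort-policy"
    if host in seen_tls:
        return "abort-downgrade"
    return "cleartext"


if __name__ == "__main__":
    memory = set()
    host = "mx.example.test"
    print(choose_transport(host, EHLO_STRIPPED, seen_tls=memory))  # first contact
    print(choose_transport(host, EHLO_NORMAL, seen_tls=memory))
    print(choose_transport(host, EHLO_STRIPPED, seen_tls=memory))
    print(choose_transport(host, EHLO_STRIPPED, require_tls=True))
```

The first call shows the limit of remembering hosts: a reply that is stripped on first contact is indistinguishable from a server without TLS, so only the mandatory policy catches it.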

The art in that game is insanely good

Attached: Iching_Oracle.png (1024x1024, 277K)

Do ISPs/governments often perform DNS man in the middle attacks, and resolve DNS to their servers, rendering HTTPS/TLS meaningless and making all the web traffic visible to them?

Are such attacks feasible?

How much does your ISP really know about you as long as you use HTTPS/TLS?


Also, how do governments routinely spy on their citizens using software?


By all means available. Listening in on Internet traffic is easy. Many governments do that routinely.

Already made a thread for this (stupidly), but if someone can crack this salted unix md5 hash:

$1$salineso$skglVRXI/1KFedHbbM4j30

I'll give ya 10 buckaroos

bump

Evening Jow Forumsuys, I'm currently attending a university and am going to graduate in either one or two years (depending on what I mention below) with an IST degree with a focus in Cyber Security.

Today I went to an interview (the second one) for a program at my school that would pay for my tuition/books/etc., as well as provide a decently sized stipend each year, provided I work for a government agency for two years after I graduate. The program would require me to slow my graduation rate (from one year to two) as well as land me in a pretty shitty job to start with.

Do you think it's worth committing to if I'm accepted? (I'm fairly confident I will be.) Do you guys think it might be worth it to go into debt if I can theoretically get a better paying job after I graduate?

Also, does anyone have tips for someone studying said field, or things you wish you did/learned about when starting out? I'm in my first quarter of taking core classes, and I really like the field, but I feel like I should be more personally active in learning about it.


Would filling out a Nielsen radio ratings survey compromise my security or privacy? Do they sell it or anything?

It is normal that the first job after graduation is not a good job. When you are young and free you should take the opportunity to move jobs freely, go to different countries and gain wide ranging experiences, professionally and also personally.

=== /sec/ News
Much has been said about facial recognition. It is however far from perfect:

>Face recognition police tools 'staggeringly inaccurate'
bbc.com/news/technology-44089161

>2,000 wrongly matched with possible criminals at Champions League
bbc.com/news/uk-wales-south-west-wales-44007872

You thought FB leaks were now ended? Right?

=== /sec/ News:
>Three million "intimate" user profiles offered to researchers
theregister.co.uk/2018/05/15/acebook_data_slurping/
>A report from New Scientist finds that the myPersonality app had been collecting and sharing the personal information for as many as three million users who had installed the app on their Facebook profile. The data has been passed to hundreds of researchers.

Will the madness never end??

Another example of "if it is technically feasible, it is being done".

I can see the technical part of the equation. I just cannot understand how people can be this willing to pump all their most intimate info over to FB. Are they really sheep?

Was Case in Neuromancer an example of MGTOW?

never used facebook, but that's apparently one of those permission dialogues of an app.
if they get one of pic rel and confirm, they're beyond saving.

Attached: image[28].png (501x639, 25K)

You probably shouldn't post your profile...

isn't me, was one of the first results

>Access my data any time
>Chrome may access my data when I'm not using the application

If this doesn't raise more than just a few eyebrows we sure have a problem. Just what plans do they have in mind??

=== /cyb/ News:
Downloading new skills, Matrix style, would be handy. Some research downloading and transferring memories:

>'Memory transplant' achieved in snails
bbc.com/news/science-environment-44111476
>A team successfully transplanted memories by transferring a form of genetic information called RNA from one snail into another.
>The snails were trained to develop a defensive reaction.
>When the RNA was inserted into snails that had not undergone this process, they behaved just as if they had been sensitised.

Hopefully school can be reduced to something one pill in a few years time.


bump

FAQ writer here.

What chapters do you think we need to flesh out? Most parts are in place, the only chapter I have left is one on Cyberpunk in academia.

Oh, and chapters on Cyberpunk games and Cyberpunk music are also missing. Inputs are welcome.

It is about 130 KB in size, 28 A4 pages. In comparison the Wikipedia article is 13 pages long.