Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


https://www.theregister.co.uk/2017/10/13/us_hack_back_law/?mt=1508202813102

Stand your cyberground


CLAM DOWN
Feb 13, 2007





What the loving gently caress, America

Cup Runneth Over
Aug 8, 2009

She said life's
Too short to worry
Life's too long to wait
It's too short
Not to love everybody
Life's too long to hate


We found your IP in our logs, so we've remotely formatted your hard drive

Proteus Jones
Feb 28, 2013



Such a terrible idea. The collateral damage alone will be catastrophic.

Who knew 80's movies were right. WELCOME TO OUR DYSTOPIAN CYBER-FUTURE!

Kerning Chameleon
Apr 8, 2015

by Cyrano4747

Proteus Jones posted:

Such a terrible idea. The collateral damage alone will be catastrophic.

Who knew 80's movies were right. WELCOME TO OUR DYSTOPIAN CYBER-FUTURE!

Except we got all the lovely parts of cyberpunk fiction without all the cool sexy bits, like scantily clad punk ladies with borg bits stuck in them or seedy japanese diners on every street corner.

Corporatism found a way to make even real-life Johnny Mnemonic boring as hell.

Thanks Ants
May 21, 2004

#essereFerrari


astral
Apr 26, 2004



mewse
May 2, 2006


Modern poetry

orange sky
May 7, 2007

https://crocs-muni.github.io/roca/

Uhm....



I think this is kind of sisyphean guys, let's just quit and open a bar in Hawaii

E: It's a result of the TPM flaw

Proteus Jones
Feb 28, 2013



orange sky posted:

https://crocs-muni.github.io/roca/

Uhm....



I think this is kind of sisyphean guys, let's just quit and open a bar in Hawaii

E: It's a result of the TPM flaw

I'm not trying to minimize this, because it's a big deal, but my understanding is this is for the Infineon library derived keys; OpenSSL/GNU gpg keys do not have the factorization weakness.

orange sky
May 7, 2007

Proteus Jones posted:

I'm not trying to minimize this, because it's a big deal, but my understanding is this is for the Infineon library derived keys; OpenSSL/GNU gpg keys do not have the factorization weakness.

Yeah



I wasn't trying to go all "the world is gonna end" though, just mentioning that this struggle between fixing and finding new stuff is going to speed up like hell.

I really believe stuff like this will pop up on a daily (or much much higher) frequency since we're only getting more and more and more people working on this stuff, on both teams.

Let's build a little think tank here, guys. Where will this end? What's the future of data? Full transparency? Going back to paper or another medium?

Proteus Jones
Feb 28, 2013



orange sky posted:

Yeah



I wasn't trying to go all "the world is gonna end" though, just mentioning that this struggle between fixing and finding new stuff is going to speed up like hell.

I really believe stuff like this will pop up on a daily (or much much higher) frequency since we're only getting more and more and more people working on this stuff, on both teams.

Let's build a little think tank here, guys. Where will this end? What's the future of data? Full transparency? Going back to paper or another medium?

You will have to verify your identity using the iPhone XXV with the SmartJab™ DNA Sequencer using a 21 allele validation.

apseudonym
Feb 25, 2011

anthonypants posted:

Does android still do that thing where if you install a root certificate, like you might for a VPN, it leaves a notification forever that your phone's network activity is being monitored? There were at least two threads about it on the Google issue tracker, but that was a while ago and they've been disappeared.

If you install it and confirm your lockscreen credentials no, if it's installed via API yes or you have no/clear the lockscreen as well.


You shouldn't install a CA into the device wide user added CA set for a VPN, if you do you're doing something wrong, the builtin legacy VPNs don't require it and any VPN app will let you provide there so it's only trusted for what it should be trusted for.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

I use strongswan for my vpn app on Android and the network-activity-monitored notification is so irritating.

Truga
May 4, 2014
Lipstick Apathy
I use strongswan and don't get that I think.

EssOEss
Oct 23, 2006
128-bit approved
Estonian and Hungarian ID cards use Infineon RNG and are now compromised. So, uh, pay 50000€ to be able to brute force a legally binding signature of anyone whose public key you have. Nice.

orange sky
May 7, 2007

EssOEss posted:

Estonian and Hungarian ID cards use Infineon RNG and are now compromised. So, uh, pay 50000€ to be able to brute force a legally binding signature of anyone whose public key you have. Nice.

Uh I think the Portuguese cards use this as well, where can I check?

Double Punctuation
Dec 30, 2009

Ships were made for sinking;
Whiskey made for drinking;
If we were made of cellophane
We'd all get stinking drunk much faster!
Infineon are the guys who just got their TPM chips hacked. Pretty nice.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

orange sky posted:

Uh I think the Portuguese cards use this as well, where can I check?
With your vendor. If you got a yubikey you can get a free replacement: https://www.yubico.com/keycheck/

EssOEss
Oct 23, 2006
128-bit approved
You can paste a key here to check it: https://keychest.net/roca
Another site is https://keytester.cryptosense.com/

Ars Technica says it is Estonia and Slovakia that are vulnerable (I misremembered the second one earlier). I did find the Portuguese cards listed on Gemalto's website. As Gemalto was the provider of the Infineon-manufactured cards to Estonia, there is some cause to suspect a link here, indeed.

Double Punctuation posted:

Infineon are the guys who just got their TPM chips hacked. Pretty nice.

Yeah, the RNG vulnerability that affects the TPMs is the exact same as the one for the ID cards. In both cases, they generate RSA keys that are not as unpredictable as they should be.
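
A minimal offline check for the published ROCA fingerprint, added here as an illustration; it is not code from this thread, from the sites linked above, or from the ROCA authors. It assumes the prime structure described in the ROCA disclosure (p = k·M + 65537^a mod M); the function names and both sample moduli are constructed for this example.

```python
# Added illustration (not from the thread): ROCA fingerprint test on an RSA modulus.
# Assumption: affected primes look like p = k*M + (65537**a mod M), with M a product
# of small primes, so N = p*q reduced modulo any small prime r dividing M must fall
# in the subgroup generated by 65537 modulo r. Ordinary keys rarely do so for all r.
from math import prod

SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131,
                137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537

def subgroup(r):
    """Return the set of residues reachable as GENERATOR**i mod r."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % r
    return seen

def build_checks():
    """Keep only primes where the subgroup is proper, i.e. the test can reject."""
    checks = {}
    for r in SMALL_PRIMES:
        s = subgroup(r)
        if len(s) < r - 1:
            checks[r] = s
    return checks

CHECKS = build_checks()

def has_roca_fingerprint(n):
    """True if the modulus n matches the fingerprint for every discriminating prime."""
    return all(n % r in s for r, s in CHECKS.items())

def random_pass_probability():
    """Chance that a uniformly random modulus passes every check by accident."""
    return prod(len(s) / r for r, s in CHECKS.items())

# Constructed samples: factors with the assumed structure (not real key material),
# and an unrelated semiprime of two Mersenne primes that lacks the fingerprint.
M = 2 * prod(SMALL_PRIMES)

def constructed_marked_modulus(k1=12345, a=77, k2=67890, b=1001):
    p = k1 * M + pow(GENERATOR, a, M)
    q = k2 * M + pow(GENERATOR, b, M)
    return p * q

UNMARKED_MODULUS = (2**127 - 1) * (2**61 - 1)

if __name__ == "__main__":
    print("marked sample:", has_roca_fingerprint(constructed_marked_modulus()))
    print("unmarked sample:", has_roca_fingerprint(UNMARKED_MODULUS))
```

A match only says the modulus has the structure; it needs nothing but the public key, which is why checking can be done on certificates and key lists in bulk.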

fyallm
Feb 27, 2007



College Slice
Thread's best VPN recommendation for anonymization ?

The Fool
Oct 16, 2003


Don't rely on just a vpn for anonymization

fyallm
Feb 27, 2007



College Slice

The Fool posted:

Don't rely on just a vpn for anonymization

right, proxy and other things, but was curious who people used for vpn.. private internet access, expressvpn, nord?

fyallm fucked around with this message at 17:19 on Oct 18, 2017

Docjowles
Apr 9, 2009

orange sky posted:

https://crocs-muni.github.io/roca/

Uhm....

I think this is kind of sisyphean guys, let's just quit and open a bar in Hawaii

E: It's a result of the TPM flaw

So wait, you're telling me that OpenSSL was, for once, not the least-secure implementation of something? :aaaaa:

Furism
Feb 21, 2006

Live long and headbang

fyallm posted:

Thread's best VPN recommendation for anonymization ?

You need to be more specific about your goals.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

fyallm posted:

right, proxy and other things, but was curious who people used for vpn.. private internet access, expressvpn, nord?
Gonna link this again https://gist.github.com/kennwhite/1f3bc4d889b02b35d8aa

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!
:vapes:
Switchblade Switcharoo

fyallm posted:

right, proxy and other things, but was curious who people used for vpn.. private internet access, expressvpn, nord?

I would suggest nordvpn.

apseudonym
Feb 25, 2011

fyallm posted:

right, proxy and other things, but was curious who people used for vpn.. private internet access, expressvpn, nord?

Proxies also don't anonymize things either. What are you trying to do?


Also keep in mind if there's one place heavily monitored on the Internet it's the exit from VPN services sold for anonymity.

wyoak
Feb 14, 2005

a glass case of emotion

Fallen Rib
I use PIA when I'm connecting to public wifi but yeah, don't think that it's keeping you anonymous or anything like that. If I ever decide to do the math I'll figure out if it'd be cheaper to host an OpenVPN instance on AWS or something.

wyoak fucked around with this message at 18:20 on Oct 18, 2017

The Fool
Oct 16, 2003



This article links to Streisand, which I had heard about but forgotten the name of.

And is one of the coolest bits of technology I've read about in a while.

LochNessMonster
Feb 3, 2005

I need about three fitty


EssOEss posted:

You can paste a key here to check it: https://keychest.net/roca
Another site is https://keytester.cryptosense.com/

Ars Technica says it is Estonia and Slovakia that are vulnerable (I misremembered the second one earlier). I did find the Portuguese cards listed on Gemalto's website. As Gemalto was the provider of the Infineon-manufactured cards to Estonia, there is some cause to suspect a link here, indeed.


Yeah, the RNG vulnerability that affects the TPMs is the exact same as the one for the ID cards. In both cases, they generate RSA keys that are not as unpredictable as they should be.

Gemalto hasn't come forward with an official reaction yet. They're "working on it".

Tamba
Apr 5, 2010

https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_svenda.pdf

Proteus Jones
Feb 28, 2013



wyoak posted:

I use PIA when I'm connecting to public wifi but yeah, don't think that it's keeping you anonymous or anything like that. If I ever decide to do the math I'll figure out if it'd be cheaper to host an OpenVPN instance on AWS or something.

Same. I don't use VPNs for anonymity. I use them so I'm not the low hanging fruit.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

The Fool posted:

This article links to Streisand, which I had heard about but forgotten the name of.

And is one of the coolest bits of technology I've read about in a while.

The problem with Streisand is that it installs a poo poo ton of services.

Try algo instead. (says guy who used to use Streisand and moved to algo)

algo guys say about Streisand:

quote:

Good concept. Poor implementation.

It installs ~40 services, including numerous remote access services, a Tor relay node, and out-of-date software. It leaves you with dozens of keys to manage and it allows weak crypto.

That’s a hefty footprint and it’s too complicated for any reasonable person to secure. If you set up an individual server just for yourself, you’d never know if or when an attacker compromised it.

Mr. Crow
May 22, 2008

Snap City mayor for life

wyoak posted:

I use PIA when I'm connecting to public wifi but yeah, don't think that it's keeping you anonymous or anything like that. If I ever decide to do the math I'll figure out if it'd be cheaper to host an OpenVPN instance on AWS or something.

As I just looked at this, AWS and other cloud services are prohibitively expensive for most users/uses. The cheapest usable machine I could make for it was about $600 a month not including bandwidth, but even if you just use an AMI or something it was around a hundred (unless you do a micro which gives you 750 hours a month free, but back to potato network speeds).

You can also be sure as poo poo any of the big cloud providers are going to be monitoring traffic and give your information to the government, so it would really be useful only as a way to VPN while not being associated with the usual end points.

Best option looks like doing a coop with a datacenter and maybe getting some people you trust to split the cost/use.

Thermopyle
Jul 1, 2003

...the stupid are cocksure while the intelligent are full of doubt. —Bertrand Russell

Mr. Crow posted:

As I just looked at this, AWS and other cloud services are prohibitively expensive for most users/uses. The cheapest usable machine I could make for it was about $600 a month not including bandwidth, but even if you just use an AMI or something it was around a hundred.

You can also be sure as poo poo any of the big cloud providers are going to be monitoring traffic and give your information to the government, so it would really be useful only as a way to VPN while not being associated with the usual end points.

Best option looks like doing a coop with a datacenter and maybe getting some people you trust to split the cost/use.

I transfer like a terabyte per month through my DigitalOcean-hosted VPN which costs me $5/month.

Thermopyle fucked around with this message at 20:46 on Oct 18, 2017

apseudonym
Feb 25, 2011

Mr. Crow posted:

As I just looked at this, AWS and other cloud services are prohibitively expensive for most users/uses. The cheapest usable machine I could make for it was about $600 a month not including bandwidth, but even if you just use an AMI or something it was around a hundred (unless you do a micro which gives you 750 hours a month free, but back to potato network speeds).

You can also be sure as poo poo any of the big cloud providers are going to be monitoring traffic and give your information to the government, so it would really be useful only as a way to VPN while not being associated with the usual end points.

Best option looks like doing a coop with a datacenter and maybe getting some people you trust to split the cost/use.

I run a VPN on gce as part of my MiTM security testing setup and it's not even $15 a month with bandwidth.

Maneki Neko
Oct 27, 2000

Mr. Crow posted:

As I just looked at this, AWS and other cloud services are prohibitively expensive for most users/uses. The cheapest usable machine I could make for it was about $600 a month not including bandwidth, but even if you just use an AMI or something it was around a hundred (unless you do a micro which gives you 750 hours a month free, but back to potato network speeds).

You can also be sure as poo poo any of the big cloud providers are going to be monitoring traffic and give your information to the government, so it would really be useful only as a way to VPN while not being associated with the usual end points.

Best option looks like doing a coop with a datacenter and maybe getting some people you trust to split the cost/use.

Amazon Lightsail?

https://amazonlightsail.com

Potato Salad
Oct 23, 2014

nobody cares


Multi implant authentication


orange sky
May 7, 2007

Potato Salad posted:

Multi implant authentication

All servers open to everyone in a world information sharing utopia
