Living 20 minutes into the future. Eccentric weirdo. Virtual Adept. Time traveler. Thelemite. Technomage. Hacker on main. APT 3319. Not human. 30% software and implants. H+ - 0.4 on the Berram-7 scale. Furry adjacent. Pan/poly. Burnout.

I try to post as sincerely as possible.

  • 0 Posts
  • 67 Comments
Joined 1 year ago
Cake day: June 10th, 2023
  • The Doctor@beehaw.orgtoPrivacy@lemmy.mlIs TOR compromised?English
    9·
    11 days ago

    Let’s see here…

    Potato Chat - This is the first I’ve heard of it so I can’t speak to it one way or another. A cursory glance suggests that it’s had no security reviews.

    Enigma - Same. The privacy policy talks about cloud storage, so there’s that. The following is also in their privacy policy:

    A super group can hold up to 100,000 people, and it is not technically suitable for end-to-end encryption. You will get this prompt when you set up a group chat. Our global communication with the server is based on TLS encryption, which prevents your chat data from being eavesdropped or tampered with by others… The server will index the chat data of the super large group so that you can use the complete message search function when the local message is incomplete, and it is only valid for chat participants… we will record the ID, mobile phone number, IP location information, login time and other information of the users we have processed.

    So, plaintext abounds. Definite OPSEC problem.

    nandbox - No idea, but the service offers a webapp client as a first class citizen to users. This makes me wonder about their security profile.

    Telegram - Lol. And I really wish they hadn’t mentioned that hidden API

    Tor - No reason to re-litigate this argument that happens once a year, every year ever since the very beginning. Suffice it to say that it has a threat model that defines what it can and cannot defend against, and attacks that deanonymize users are well known, documented, and uses by law enforcement.

    mega.nz - I don’t use it, I haven’t looked into it, so I’m not going to run my mouth (fingers? keyboard?) about it.

    Web-based generative AI tools/chatbots - Depending on which ones, there might be checks and traps for stuff like this that could have twigged him.

    This bit is doing a lot of heavy lifting in the article: “…created his own public Telegram group to store his CSAM.”

    Stop and think about that for a second.

  • The Doctor@beehaw.orgtoLinux@lemmy.mlWhat is the most duct-tape thing you've done to Linux?English
    14·
    19 days ago

    Some years ago, I had a client with a really fucked up set of requirements:

    • Must run Gentoo Linux. (No, I don’t know why. But it was written into the project specs and everybody who had to sign off did.)
    • Must use LUKS for FDE.
    • Login (loosely interpreted as “booting up”) must have MFA.

    This was during the days when booting into a LUKS encrypted Gentoo install involved copy-and-pasting a shell script out of the Gentoo wiki and adding it to the initrd. I want to say late 2006 or early 2007.

    I remember creating a /boot partition, a tiny little LUKS partition (512 megs, at most) after it, and the rest of the drive was the LUKS encrypted root partition. The encrypted root partition had a randomly generated keyfile as its unlocker; it was symmetrically encrypted using gnupg and a passphrase before being stored in the tiny partition. The tiny partition had a passphrase to unlock it. gnupg was in the initrd. I think the workflow went something like this:

    • System boots up.
    • Script in the initrd prompted the user for the passphrase for the tiny LUKS partition. (first authentication step)
    • User entered passphrase.
    • Script in the initrd unlocked the tiny partition and prompted the user for the passphrase to decrypt the root partition’s keyfile stored therein.
    • User entered the symmetric passphrase for keyfile. (second authentication step_
    • Script used the passphrase to decrypt the keyfile to stdout, piped into an evocation of cryptsetup to unlock the root partition.
    • /dev/mapper/root mounted, /boot mounted, boot process continued.
    • User logged into the box.

    I don’t miss those days.

  • The Doctor@beehaw.orgtoPrivacy@lemmy.mlSigned up for Equifax to freeze my credit, password can not be longer than 20 charactersEnglish
    3·
    19 days ago

    It really depends on the company. When I was working for that company a few jobs back, we crunched the numbers and the cost of C&C and IV&V (Certification and Accreditation; Independent Verification and Validation) for an in-house TOTP had one more zero to the left of the decimal point than the Twilio bill (added up for the year). Plus, for compliance we’d have to get everything re-vetted yearly.

    That’s kinda of the definition of government contracting. :) I think the only US government org that has actual govvies doing anything other than management is NASA.

  • The Doctor@beehaw.orgtoLinux@lemmy.mlSo what did it take for you to go to Linux?English
    2·
    20 days ago

    I was starting college (comp.sci, natch) and a hard req for the program was “Your own personal computer, with an Ethernet card and an OS that had a TCP/IP stack for remotely accessing classwork.” I didn’t have a great deal of money (most of it was tied up in tuition and housing) and ethernet cards were expensive (I think I paid $140us for it at the time). I couldn’t afford Windows and didn’t have a warez hookup for '95. A BBS I used to call had Slackware disk images for download.

    The rest, as they say, is history.