The Internet/Computer Communications Post

View Latest Activity

Home Forums Radio & Communication The Internet/Computer Communications Post

Viewing 37 reply threads
  • Author
    Posts
    • #96922
      SeanT
      Keymaster

        Last Friday at the Northern VA meet-up a question was posed about “hardening” a computer and it’s files and communications. I agreed to put some info together and post it here on the forum. Well…. As I have been thinking how to organize and present it, it became apparent that the layers were going to get deep pretty fast.

        So let’s start this off by saying the only secure computer is the one that has never been turned on and is at the bottom of a hole filled with concrete.
        That being said, there then become 2 basic categories/types of computing devices that have utility for people.
        Type #1 is the “stand alone” or what is known as air gapped. This means that the computer is not connected in any way to any type network that will allow it to communicate with other devices other than directly connected peripherals.
        Type #2 is the “networked” computer. Anyone reading this post is using a networked computing device because this forum is hosted on a server located in a data center that is available to users via the public Internet.
        Within the realm of networked computing devices, there are Local Area Networks (LANs) and Wide Area Networks(WANs). There are other descriptions but for simplicity sake, let’s discuss these 2.
        LANs are groups of computers in a local area like an office or home that are aware of the others in the LAN and are able to transfer data or share services like a printer among themselves only. Outsiders are not able to join.

        WANs are a collection of LANs that are internetworked via a multitude of different methods but the underlying principle is to allow a LAN based computer to communicate with other networks. The glaring example of this concept is a connection to the public Internet.
        Once computers are internetworked, then the data that each has stored on it becomes ‘at risk’.
        The challenge then becomes how do we leverage the utility and benefits of internetworking with maintaining the security and integrity of our own information.
        The see-saw is security vs. availability and there is no perfect formula.
        Getting back to the question I was asked, one common answer is securing information by encryption. This is essentially ‘locking’ the data from clear easy view. The way this is done is by using a private key. The key is a string of text that is used as a component in a very complex math problem to convert the data into a new version that requires the same key to decode it. This works well only if you never want to share that data.
        Since one of the points of internetworking computers is to share data, we need a different method to be able to share the data while still keeping it secure. This different method uses a key pair with a public key and a private key.

        This is a decent description of how it works:
        http://www.techrepublic.com/article/a-beginners-guide-to-public-key-infrastructure/

        Since that already is a lot to digest, I will add more to this later along with some methods that can be used to help increase data security.

      • #96923
        Corvette
        Participant

          I’m of the opinion if its on a computer anyone can get to it. I lean a lot to the opinion it was designed that way too. Time and time again proof is surfacing that nothing is safe on a computer..Even AQ has figured this out limiting its net use for information and relying more on human to human contact to move information..Its also low maintenance and if the hammer drops and takes the power grid and net, you still function.

        • #96924
          SeanT
          Keymaster

            I’m of the opinion if its on a computer anyone can get to it.

            This is pretty much true. File encryption can make it really hard for someone to view the data so that is the direction I plan to go next post when I get the time. If someone gets the encryption private key, it is game over though. Brute forcing the decryption is really flipping hard and time consuming.Usually the best way is:
            http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis

          • #96925
            Corvette
            Participant

              I never graduated to the level most of society has when it comes to technology. IMO its an illusion, and a very fragile one at that. The only thing i carry that comes close to technology is a flashlight that takes 2 AA batteries..

              If you’re computer savvy (and you seem to be), good one you. Skills like that will be needed. It takes all kinds..

              Good post.

            • #96926
              Corvette
              Participant

                Stickied

              • #96927
                SeanT
                Keymaster

                  Ok let’s add more to the reading pile…
                  http://wald.intevation.org/frs/download.php/1385/gpg4win-compendium-en-3.0.0.pdf

                  This is the documentation for an open source encryption based email and file encryption called Gpg. The former choice for this was called PGP and stood for “Pretty Good Privacy” and it was!! It has since been bought and commercialized by Symantec Corp. and is now called Symantec Endpoint Encryption. It is a solid, enterprise grade product. It is used in the enterprise I work in to encrypt the hard drives of all windows based laptops.i am no shill for them, just stuck having it.

                  http://www.gpg4win.org/
                  This free software offers users the same tool set based on the same methodology. It will encrypt your files and using the various plug ins and extensions you can use it to send encrypted emails fom a variety of email clients including Microsoft Outlook. If you are a Thunderbird user, that is supported and it even has its own email client called Claws you can use.
                  As an aside, if you don’t use a client based email, there is hushmail available which uses the same type of encryption built in that is web based.
                  https://www.hushmail.com/
                  Please be aware that the SSL based hushmail does server side encryption which relies on the user sending their pass phrase to the server side and the result is that it could be captured , the java based keeps the encryption on the client side. In either case hushmail will upon Canadian court order turn over data for a targeted user. Although that is a risk, this works well to keep the “snoops” that tap into backbone networks and look at all the data that passes like NSAs PRISM:
                  http://en.m.wikipedia.org/wiki/PRISM_(surveillance_program) from keying on word patterns, etc.

                  I will reiterate the most important thing to remember about encryption is KEEP THE KEY SAFE. KEY = YOUR PASSPHRASE
                  DO NOT WRITE IT ANYWHERE. IF YOU THINK YOU MIGHT FORGET USE A HINT NO ONE ELSE WILL DECODE.
                  One hint method I use is an easy question with a purposefully WRONG answer. That way someone that has built intel on you will think that they hit the jackpot when they find the hint!!

                  I think that’s enough for tonight.

                • #96928
                  SeanT
                  Keymaster

                    Ok let’s add more to the reading pile…
                    http://wald.intevation.org/frs/download.php/1385/gpg4win-compendium-en-3.0.0.pdf

                    This is the documentation for an open source encryption based email and file encryption called Gpg. The former choice for this was called PGP and stood for “Pretty Good Privacy” and it was!! It has since been bought and commercialized by Symantec Corp. and is now called Symantec Endpoint Encryption. It is a solid, enterprise grade product. It is used in the enterprise I work in to encrypt the hard drives of all windows based laptops.i am no shill for them, just stuck having it.

                    http://www.gpg4win.org/
                    This free software offers users the same tool set based on the same methodology. It will encrypt your files and using the various plug ins and extensions you can use it to send encrypted emails fom a variety of email clients including Microsoft Outlook. If you are a Thunderbird user, that is supported and it even has its own email client called Claws you can use.
                    As an aside, if you don’t use a client based email, there is hushmail available which uses the same type of encryption built in that is web based.
                    https://www.hushmail.com/
                    Please be aware that the SSL based hushmail does server side encryption which relies on the user sending their pass phrase to the server side and the result is that it could be captured , the java based keeps the encryption on the client side. In either case hushmail will upon Canadian court order turn over data for a targeted user. Although that is a risk, this works well to keep the “snoops” that tap into backbone networks and look at all the data that passes like NSAs PRISM:
                    http://en.m.wikipedia.org/wiki/PRISM_(surveillance_program) from keying on word patterns, etc.

                    I will reiterate the most important thing to remember about encryption is KEEP THE KEY SAFE. KEY = YOUR PASSPHRASE
                    DO NOT WRITE IT ANYWHERE. IF YOU THINK YOU MIGHT FORGET USE A HINT NO ONE ELSE WILL DECODE.
                    One hint method I use is an easy question with a purposefully WRONG answer. That way someone that has built intel on you will think that they hit the jackpot when they find the hint!!

                    I think that’s enough for tonight.

                    Next post will be more about the snoops and ways to avoid the easy trail back to you when using the internet.

                  • #96929
                    Corvette
                    Participant

                      All this stuff (and more) is covered in detail in the Security Manual as well. https://forwardobservermagazine.com/product/security-the-resistance-security-manual/

                    • #96930
                      SeanT
                      Keymaster

                        Internet usage leaves footprints all the way along the data path and this data can lead back to the originator. There are several ways to disrupt this trail depending on what type of communications you are doing.
                        Simple web browsing can be forced thru an anonymous proxy wich is like an electronic ventriloquist. It makes your source address appear to the destination as something different than it really is. There are hundreds or thousands of proxy servers available around the world for use. They are set up then taken down all the time so using a search engine to find a current list of available proxies is the easiest way to find one. You will need to know enough about your web browser and or operating system to set the proxy up correctly.

                        An other option is To use an anonymous routed network like Tor:
                        http://en.m.wikipedia.org/wiki/Tor_(anonymity_network)

                        A different choice is to use a VPN service which uses a clien program to build an encrypted tunnel to another network and the result is that your address source will be that of the network you have made your VPN connection to. These are useful if you need to appear to be sourcing from a particular country. The example is if you are traveling, and need acces to your bank, they may block certain IP spaces that are located in geo-regions the bank feels are threats. By using a VPN, you can connect to a network in the US, essentially fooling the security layer that inspects where the traffic is sourcing from.
                        http://www.pcmag.com/article2/0,2817,2390381,00.asp

                      • #96931
                        Corvette
                        Participant

                          Sean and Sam,

                          what do you think of the technique of creating an email account and sharing the log in w/ your buddy?

                          All you have to do is to save something as draft and if both log in from VPN or similar (TOR?) it should be very very difficult for anyone to intercept? yes?

                        • #96932
                          Ronald Beal
                          Participant
                          • #96933
                            SeanT
                            Keymaster

                              Sean and Sam,

                              what do you think of the technique of creating an email account and sharing the log in w/ your buddy?

                              All you have to do is to save something as draft and if both log in from VPN or similar (TOR?) it should be very very difficult for anyone to intercept? yes?

                              That would keep the data locally on the mail systems servers. (I am assuming you mean a free webmail account). It would have to be created when sourcing from an anonymized location. Displaying the contents of the message will be data packets that could be intercepted. Technically possible? yes, if the snoop had the SSL certificate/key to do a man in the middle attack. Likely? not so much unless you are seriously on someone’s radar.

                            • #96934
                              Corvette
                              Participant

                                MVFM, al Qaida and other terrorist organizations started doing that several years ago. I don’t believe it’s any more secure than any other method, and likely less so.

                                Traffic analysis plays a large role in discovering multi-user email accounts. I would much rather communicate via encrypted email like Unseen (that transits the server instead of the internet at large).

                              • #96935
                                Corvette
                                Participant

                                  Just remember… the NSA has already cracked TOR:

                                  Bah. I hear that all the time but the fact of the matter is that NSA doesn’t “crack TOR”, it cracks users. So stay anonymous, use a computer that’s not linked to you, use that computer in public places and not from your home, and you make Tor quite safe.

                                  If Tor wasn’t safe (with a few caveats) then no one would use it.

                                • #96936
                                  SeanT
                                  Keymaster

                                    Just remember… the NSA has already cracked TOR:<br>

                                    http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/04/everything-you-need-to-know-about-the-nsa-and-tor-in-one-faq/

                                    Sort of, but I get your point.

                                    This stuff is a cops and robbers exercise where the robbers always have a little head start so one must keep in tune with current technologies and techniques. The real point of all this is that privacy and security using the public internet is a challenge execute perfectly 100% of the time.

                                  • #96937
                                    Max
                                    Keymaster

                                      Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                      The NSA HAS NOT broke Tor at all, please don’t spread FUD.

                                      Here is a presentation called “Tor Stinks” leaked by Snowden explaining how can the NSA try to identify a TOR user.

                                      http://www.theguardian.com/world/interactive/2013/oct/04/tor-stinks-nsa-presentation-document

                                      What NSA can do is to identify some Tor traffic that looks interesting and try to redirect that traffic to certain systems that will try to identify the user trying to exploit the browser via javascript or removing the HTTPS.

                                      As you see there is too much trying and no certainty and they aren’t breaking Tor at all, they just try to exploit the application layer for hosts generating “interesting” traffic.

                                      TURN OFF JAVASCRIPT, USE HTTPS AND DON’T USE PERSONALLY TRACEABLE ACCOUNTS with Tor and you’ll be safe.

                                      I’m writing a course about computer security targeted specially for people who doesn’t knows much about computers.
                                      The course is absolutely FREE and includes practical exercises with step by step instructions.
                                      The Anonymous Browsing chapter is about Tor and how it works.

                                      Just check it in my blog and feel free to contact me if you have any question:

                                      http://apx808.blogspot.com/p/computer-comsec-course-index.html

                                    • #96938
                                      Joe (G.W.N.S.)
                                      Moderator

                                        I am a user/operator when it comes to computer/internet privacy. I rely on experts to keep me updated to the various threats to privacy.

                                        I don’t fall for internet hyped rumors.

                                        It’s work to keep up with it, but rely on real experts and evaluate your realistic goals for your comfort zone.

                                        I am thankful to people like Sam, APX, and Sean for keeping me informed.

                                      • #96939
                                        SeanT
                                        Keymaster

                                          TURN OFF JAVASCRIPT……

                                          Just be aware that if you do turn off java script in your browser, some of the web pages you use will not operate properly. It is a balance as always between security and availability.

                                          http://www.howtogeek.com/138865/htg-explains-should-you-disable-javascript/

                                        • #96940
                                          Max
                                          Keymaster

                                            Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                            As SeanT mentions, some sites won’t work correctly without Javascript, that’s why Tor comes with the NoScript AddOn installed and with Javascript activated by default.

                                            After “Freedom Hosting” (the biggest hidden services hosting service) was compromised, LE agencies installed a javascript 0 day exploit for Firefox in all the pages hosted there, that would reveal the user’s real IP address.

                                            If you just want to browse and really need it turn javascript on, but if anonymity is crucial turn it off and avoid pages that require it to work, they are potentially unsafe.

                                          • #96941
                                            Max
                                            Keymaster

                                              Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                              Good overview of security with recent Snowden revelations….

                                              “Does Encryption Still work”….
                                              https://securityinabox.org/en/node/3291

                                              I’ve looked at both sides of the argument on Tor and some of the NSA docs…I’d agree that it is still generally secure if you do your part.

                                              There are limited cases where it may be compromised, and includes outdated software along with personal lapse in operational discipline….it is usually the human component that fails.

                                              The endpoint security is usually where the breach occurs…and if “ABC” wants it bad enough and you are a priority, you will be owned. Message here – keep a low profile whenever you can.

                                              One other note on email systems per Sam’s post which may need a little more detail. It isn’t the encrypted email that ensures emailing avoids circuitous internet routes, it is the fact that 2 users are on the same service / system. So if 2 people are using Unseen email, encrypted or not, the Unseen mail server will check itself first for the recipient. If it is found as another Unseen customer, the mail stays on that server. If not, your email gets bounced around the internet for a while, with copies left on all those intermediate servers. “encrypted” is a plus in both cases to ensure that the content cannot be read even though the metadata about the message is wide open.

                                              If anyone with better knowledge than me of mail server operation thinks that this is not the case in general, (that 2 users on the same system won’t traverse the net) then please clarify. I’m not an email server admin.

                                            • #96942
                                              SeanT
                                              Keymaster

                                                If anyone with better knowledge than me of mail server operation thinks that this is not the case in general, (that 2 users on the same system won’t traverse the net) then please clarify. I’m not an email server admin.

                                                I manage mail relays that process around 4M messages a day. A mail relay generally will have a list of domains that they are the ‘authority’ for , meaning they will accept the mail for any recipient in that domain. If it receives a message for a different domain, it will look up where to send it. This is what happens when you send a message to a list of people in many different domains.

                                                Sometimes a mail system will be designed to send a message from one user in the domain to another user in the same domain and use a relay to get it to the mail server where the recipient mailbox is hosted but it wouldn’t ( shouldn’t) use the internet to get there unless the network is widely distributed.

                                                There are different processing functions for inbound mail vs outbound mail as well.

                                                I can tell you that owning the relay allows all sorts of things to be done to include BCC someone on every message from/to someone. Change the recipient invisibly to the sender. lots of things…..

                                              • #96943
                                                Max
                                                Keymaster

                                                  Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                                  Mail is an obsolete technology , the only secure way to use it is to exchange email encrypted end-to-end, that means encrypting the info yourself using GPG with strong keys, I use 4096 bits.
                                                  Use the strongest key you can, remember the NSA is storing internet traffic for 15 years as revealed in Snowden’s leaked documents.

                                                  I don’t trust a 3rd party to keep my secrets safe, even less a company, history shows that companies will be pressed legally to reveal the contents of the emails they store, provide the keys or include backdoors.
                                                  Besides, usually you need to send emails to people using a different service than yours and their internal encryption becomes useless.

                                                  Here are some articles telling you about what happened with Hushmail and Lavabit.

                                                  https://en.wikipedia.org/wiki/Hushmail#Compromises_to_email_privacy
                                                  http://www.forbes.com/sites/kashmirhill/2013/08/09/lavabits-ladar-levison-if-you-knew-what-i-know-about-email-you-might-not-use-it/
                                                  http://www.forbes.com/sites/parmyolson/2013/08/09/e-mails-big-privacy-problem-qa-with-silent-circle-co-founder-phil-zimmermann/

                                                  And here is how to set up Enigmail to send encrypted email easily.
                                                  http://apx808.blogspot.com/p/email-and-cryptography.html

                                                • #96944
                                                  Max
                                                  Keymaster

                                                    Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                                    Thanks Sean, that is consistent with what I’ve seen. In the case of Unseen, they do say their same-domain mail stays local, so at least in their case (assuming no relays and we can trust them) the out-of-band transmission risk is minimized. Not trying to push Unseen, just using it as an example.

                                                    @APX – I understand your point of view and can’t disagree, I use 4096 bit as well when possible. The unfortunate fact is that email is still the dominant form of communication and will continue to be for quite a long time for a majority of our community’s users. I would suspect no more than 1%-5% of our related “liberty” community users have the desire or current knowledge to move past email at this time.

                                                    The ultimate driver will be when alternatives are available at the same price point, availability and ease-of-use that email has for everyone today. Even encryption is useless if the other party is not encryption-savvy…and that happens to me daily.

                                                    Given that email will continue to be the dominant communication for most of those around us, there are practical things that can be done to minimize the signatures and profiles if someone needs to communicate. Many of those you already mentioned or alluded to:

                                                    1) use encryption, and use the largest keys offered (4096 where possible).
                                                    2) Where possible, use same-system emails between you (so, unseen-to-unseen, hushmail to hushmail, countermail to countermail).
                                                    3) Always be aware that a company can be compromised either via country specific data retention / privacy laws or more underhanded ways via “agency” strongarming. So, companies like Unseen (domiciled in Iceland) or Countermail (Sweden) are more attractive than hushmail, google or yahoo due to strong retention and privacy laws.
                                                    4) Compartmentalize. Don’t put multiple recipients on the same email, especially if they are in different domains.
                                                    5) TANSTAAFL – There Ain’t No Such Thing As A Free Lunch. If the product is free, then “you” are the product. So, if it is important enough to keep private, then it is important enough to spend a few coins with with a reputable company. CAVEAT – There are some open source exceptions, with Tor and TAILS being the most well known.

                                                    I like to apply Culper’s education on SPACE to email and electronic communications. Signature, Profile, Association, Contrast and Exposure.

                                                    http://guerrillamerica.com/2013/08/space-analysis/

                                                    just my .02.
                                                    loach

                                                  • #96945
                                                    Corvette
                                                    Participant

                                                      This is an interesting discussion. I am by no means an expert in network security and privacy, however i’m a systems and networking manager (Artificial Intelligence Engineer) and this topic has been on my mind. I’m writing my thesis and doing research on Steganography in Wireless Sensor Networks (such as IEEE 802.15.4). Basically it’s radio (PHY) level encryption that is currently being researched by a couple universities (including my own) that attempts to “hide” data at the physical, radio layer of wireless communications.

                                                      Why do I bring this up? Given my minimal knowledge of Network and Privacy, I personally believe that if you are a target (i.e. if you are on an NSA list), you WILL be found out / compromised. I have done some research with TOR, and yes, using the same type of methods described in my first paragraph, TOR users CAN be traced and found by embedding secret codes at the PHY layer that can then be tracked no matter how many times the traffic is proxy-redirected, worldwide.

                                                      Yes, using TOR will drastically improve your chances of being “found”, but again: if you are a target, they can find you. Sorry :).

                                                      Oh, and BTW: hello NSA spy; glad you are reading this discussion. Perhaps you will become the next American Hero: Edward Snowden

                                                    • #96946
                                                      Max
                                                      Keymaster

                                                        Note: This is not Max’s response/content. Just a glitch from the transition to subscription.
                                                        __________________________________________________________________________

                                                        Please disregard what Stinger said in the previous post as it is nonsense and he provides no proof for any of his assertions in regards to Tor.

                                                        Stinger you say “I have done some research with TOR” “and TOR users CAN be traced”

                                                        What research have you done?
                                                        Where are the papers supporting your research?
                                                        Have you posted about your discoveries in the Tor development list?
                                                        What radio has to do with TOR?
                                                        What the fuck is the PHY layer in Tor? Tor is completely built in the application layer.

                                                      • #96947
                                                        Corvette
                                                        Participant

                                                          Roll easy APX…Don’t turn this into a pissing flame war..

                                                          Bergmann

                                                        • #96948
                                                          Corvette
                                                          Participant

                                                            APX808,

                                                            Cool your jets man, i’m not trying to attack in any way or top anyone’s comment; i’m merely joining in the discussion to provide my thoughts (and again, limited knowledge) for the purpose of informing and also for myself to learn more about this very important topic.

                                                            I probably should have provided resources to back my thoughts; please see the below paper:

                                                            Please also see the below paper:

                                                            My specific research isn’t on Tor, but rather in the 802.15.4 wireless protocol (which, incidentally has a application in Military and possibly covert communications for patriots such as ourselves; which is why I mentioned it).

                                                            No, I have not posted any discoveries in the Tor development list. My research, again, doesn’t deal with Tor directly, but can and has been applied to Tor.

                                                            As far as the PHY layer in Tor, correct, of course Tor exists in the application layer. Of course you know that anything having to do with our good old standard network communications (802.3 Ethernet, 802.11 WLAN) involves the MAC and PHY layers. I’m sure you are familiar with the OSI model since you appear very strong-willed on this topic. Read the papers, and let me know what you think…interesting stuff.

                                                          • #96949
                                                            Corvette
                                                            Participant
                                                            • #96950
                                                              Max
                                                              Keymaster

                                                                Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                                                The papers you provide mention traffic correlation attacks that is a theoretical attack vector for Tor network and has been around for a long time without much success.

                                                                As was mentioned in a Snowden leaked document called “Tor sucks” the NSA can try to identify some specifically targeted users, but isn’t a sure technique. And to target the attack to you, they need to identify you as a HVT before.

                                                                Recently there has been a real traffic correlation attack to Tor, and a planned presentation at BlackHat 2014 that was cancelled, supposedly it was was is now known as “relay-early attack”

                                                                That problem has already been patched, more information can be found at:

                                                                https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack

                                                                Tor isn’t perfect but it works, there is a lot of people using it at this same moment to avoid oppressive regimes in many countries.
                                                                We should be very careful when we discuss its effectiveness to avoid scaring not tech-savvy guys and work to make everyone use Tor, that way correlation attacks will become less likely.

                                                                I have been participating in the Tor dev-list for some time, if you’re interested in Tor and have the technical background to understand what they talk about you can get a lot of good information out of it.

                                                              • #96951
                                                                Corvette
                                                                Participant

                                                                  Yes, the techniques in the papers I posted definitely aren’t mainstream. They definitely proved that it worked, though, it looks like.

                                                                  You have a really good point about getting more people to use Tor to avoid correlation attacks.

                                                                  Thanks for sharing; i’ll have to jump on the dev-list. Like I said, i’m no expert by any means, but I have a fair bit of networking knowledge and experience: i’d love to learn more about Tor.

                                                                • #96952
                                                                  Max
                                                                  Keymaster

                                                                    Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                                                    APX, Stinger, I’d like to thank you both for your passion and knowledge. It is critical that we don’t take anything for granted. What is secure today may not be secure tomorrow, and you are both pentesting the “system” in your own ways. I was never a fan of techno-religious wars, so it is good to see that you quickly moved past that and into solving the problem at hand. We’re all on the same team, so thanks for pulling together and making our team stronger through your sharing and cooperation.

                                                                    Red Team Rule 29: If you are happy with your security, so are the bad guys.

                                                                    ~ffio

                                                                  • #96953
                                                                    Max
                                                                    Keymaster

                                                                      Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                                                      Do not let cyber criminals steal your sensitive data online and lean how military grade encrypted communication system can help you protect your organization

                                                                    • #96954
                                                                      Max
                                                                      Keymaster

                                                                        Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                                                        not sure if this is the correct forum to post this or not. When using TOR to log in to the forums, it appears that redirection to a fake log in screen happens. I am not very computer savvy, but thought a warning might be appropriate

                                                                      • #96955
                                                                        Corvette
                                                                        Participant

                                                                          stumpknocker,

                                                                          Can you attach screenshots to what you are talking about? Never had this issue, but I also don’t use Tor hardly ever; don’t see the need at this point unless it’s VERY sensitive material

                                                                        • #96956
                                                                          Max
                                                                          Keymaster

                                                                            Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                                                            Today I got in the forum using Tor and it worked fine, no weird logins as you mention.

                                                                            This forum login page doesn’t implements https so I would never login using Tor or your credentials could be sniffed at the exit node, sending credentials in non https forms can compromise your account and also your anonymity while using Tor.

                                                                            As Stinger mentioned, a screenshot would be really helpful.

                                                                          • #96957
                                                                            Max
                                                                            Keymaster

                                                                              Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                                                              Used TOR thru VPN to access/login to the forum. Didn’t let the page grab return data. Just the regular slightly stripped GUI version came up and the bad certificate for wpengine.com

                                                                              ~out

                                                                            • #96958
                                                                              FreedomOak
                                                                              Participant

                                                                                I create IT security plans for paranoid organizations. This thread is an example of good intentions and lots of info but lacks context and a systematic approach to the problem of how to keep your data confidential and protected.

                                                                                If you are not systematic your infosec plan will fail horribly. Things that people do wrong: using Google services (cough cough Max), not using encryption correctly, not using Linux, not using VPN correctly, not using Signal, and not upgrading your families IT security. Even doing all the right things will fail at some point due to consumer grade hardware being backdoored at the hardware level. The point however is to use the conveniences of modern technologies without compromising your opsec and doing just one or two of these tools is not enough in the era of massive agency penetration of computer systems.

                                                                              • #96959
                                                                                Joe (G.W.N.S.)
                                                                                Moderator

                                                                                  As time goes by I’ve been adding the…

                                                                                  Note: This is not Max’s response/content. Just a glitch from the transition to subscription.

                                                                                  …to various Threads.

                                                                                  Giving the large number of Posts in various subforums, I update as I find them.

                                                                                  I create IT security plans…

                                                                                  Always good to have some more SME’s to keep awareness up!

                                                                              Viewing 37 reply threads
                                                                              • You must be logged in to reply to this topic.