Stuff that doesn't need it's own Thread

I was about to quote Khannie's post then remembered he gets grumpy when people do that. At this years DefCon, John Mcafee spoke about many things including the eventful year he had last year but he also spoke about an app he created called DCentral1 which audits the permissions requirements of the apps installed and gives each one a rating. My friend found it interesting that his banking app requires access to his camera.

I recommend installing it and checking what you have. You can tweak the thresholds your self, so its ok if your camera app needs access to your camera, or your gallery app needs access to your SD card, but you can quickly see if your wall paper app is reading your calls.

You can get it from the play store.

How do we feel about blog links? And by we, I mean the gods mods of the security forum. Work asked me to write about my trip to DefCon 22 for their corporate blog. I intend on copying the text to my personal blog and if there is interest, pasting it here. Im not looking for bigger readership or anything I just thought some people would be genuinely interested in this forum.

If there is interest, but we are not happy about posting links, I can paste the text as a comment instead.

Interested in hearing thoughts.

P.S. A thread for stuff that doesnt need its own thread was a great idea!

syklops wrote: »

How do we feel about blog links? And by we, I mean the gods mods of the security forum. Work asked me to write about my trip to DefCon 22 for their corporate blog. I intend on copying the text to my personal blog and if there is interest, pasting it here. Im not looking for bigger readership or anything I just thought some people would be genuinely interested in this forum.

If there is interest, but we are not happy about posting links, I can paste the text as a comment instead.

Interested in hearing thoughts.

P.S. A thread for stuff that doesnt need its own thread was a great idea!

Hi syklops, I'd be very interested to read about your experience. For the record I have shamelessly linked to my own Security blog in the past but if it's to provide info that isn't available elsewhere, which of course would be the case if you want to recount your own experiences, I think it can be justified.

syklops wrote: »

Def Con 22 - A report from the frontline

Just spotted a typo which will get changed soon, it says Turn out this year was 11,000, that should read Turn out last year was 11,000. This year was over 15,000.

Sklops,

I just wanted to thank you for this, this was a fascinating read, I'm only sorry you had to queue up so long!

I am awed you got to meet jduck in person, also am taking on board what you said about contactless payment. As a matter of fact I switched banks recently because my own was insisting on giving me a card to use for contactless - frankly I don't see how it saves time - the 3 seconds it takes me to enter my PIN isn't the problem, usually the teller inserting my card the wrong way round!

Will you go back next year? My Uncle lives in Nevada so I'm seriously considering paying a visit.

Recondite49 wrote: »

Sklops,

I just wanted to thank you for this, this was a fascinating read, I'm only sorry you had to queue up so long!

I am awed you got to meet jduck in person, also am taking on board what you said about contactless payment. As a matter of fact I switched banks recently because my own was insisting on giving me a card to use for contactless - frankly I don't see how it saves time - the 3 seconds it takes me to enter my PIN isn't the problem, usually the teller inserting my card the wrong way round!

Will you go back next year? My Uncle lives in Nevada so I'm seriously considering paying a visit.

I am hooked on Def Con now and will definitely be going back next year. I don't know why I didn't go before now.

Flights plus accommodation came to about 2K, plus $220 for the DefCon ticket. I spent an additional 300 on equipment, and another 200 on booze (:eek:). Tbh, that is easily doable with a bit of scrimping and saving.

I'm also thinking we need an Irish DefCon. I know there is Iriss, but its more like Blackhat rather than DefCon. I already have ideas for names, but I'll write about that later.

Currently working on a blog on hacking android phones using the OTG cable I bought. I'll paste it here when done.

Rucking_Fetard wrote: »

:eek::eek:



USB Condom protects your devices from nasty ports

Beer in the hotel/casino was 8 dollars a bottle. In the hot nevada heat its very easy to have 5-6 beers in the course of the day and not really feel buzzed. 6 x 8 is $48. Have a cocktail in the evening(1) and its $13 so daily spend on booze was about 61. Three and a half days. Yep

The last day we went to an off license in the morning(I love the liberty of an off license open at 8 am!) and bought a six pack and put it in our bags. That is frowned upon by some Goons, but the day before we met a guy with a cooler on wheels filled with ice and beer and he said so long as he didnt wheel it around the lobby no one had a problem, so we thought why not. For 12 dollars I got 6 bottles of stella. Next year I'll do the same.

AnCatDubh wrote: »

Nice one.

Just throwing random stuff into it it comes up with a funny;

A given password holycowsbatman!-- will take 3 months to crack whereas if I add a third hyphen for it to become holycowsbatman!--- it takes 3 days.

I know there's repeated characters in there and 'widely used combinations' as the tool will respond, but the repeated characters (though not as many of them) were there in the first example as were the combinations.

Most recent advice i've come across all makes a virtue of elongating your password which I kinda get in terms of the theory of it. If i keep adding hyphens to elongate the password then it increments the time taken as you might expect.

Does it look like a bug in there somewhere or does that look like reasonable behaviour of the checker?

Hi Ancat,

Although I'm a little rusty when it comes to password "salting" as I understand it, the warning about repeated characters is because it results in a more predictable hash of your password, hence the "3 days" - I agree though that bigger is always going to be better.

I ran your password there through howsecureismypassword.net - adding a hyphen as you did means the difference between 20 and 849 billion years for a desktop PC to crack it, so I think you're on the right track.

The reason for my preoccupation with long passwords has to do with a software "Dead Man's switch" on which I'm currently working (have posted about this in a separate thread in this forum).

An essential part of this is that the password generated is one which is near nigh impossible to commit to memory, also one which cannot be cracked even by a supercomputer.

In a nutshell, the idea is to store the password in an encrypted file on a server (currently I'm using one in Iran). A script is constantly running on the server with a timer, which unless it's reset every 24 hours will securely erase the file.

Whenever you want to unlock your encrypted drive all you need to do is log into the server, decrypt the file and copy and paste the password.

This sounds elaborate but it seems to me the only way that you can't be compelled to hand over the key. Provided you can hold out for 24 hours, then the data can't be retrieved.

Of course any fool can invent a security system that they can't get around themselves so I'd be very interested to hear your thoughts on this in the other thread.

Rucking_Fetard wrote: »

Electromagnetic Warfare Is Here

What I use instead of Google services

Twilight

Very much enjoyed the article you posted about alternatives to Google RF, many thanks.

During my exile from the Information Security forums, I have been looking at ways to beef up my SSH sessions and have been very tempted by Google Authenticator.

As you all know it's an open source app which helps generate OTP's which you can access from your APP on your phone. These codes need to be entered before you can connect to your server over SSH.

While the server side software is open source, the application for Android and iPhones isn't, and contains some google specific code. Fortunately there is an open source alternative Authenticator called FreeOTP.

This can import the keys created by Google Authenticator and help log you in.

My question though is can this really be trusted - if an app has been created by the Gods of google, even open source, can we be sure they've found every bug and there's no backdoor?

The redacted list(e.g. without the passwords) can be downloaded from here so you can check if you or a friend/loved one is affected. Some users say the passwords are not their current ones but was one they used in the past which suggests it came from another site which people registered with which has been compromised.

Apparently this is the biggest leak of passwords in one go in history, but can't find any data to back up that particular claim.


Edit: People, people, people. Of the just under 5 million accounts, how many used the word "password" to form the basis of their password?


19,646.

Rucking_Fetard wrote: »

https://www.cyphertite.com/

Opensource encrypted storage


The Moment of Truth: Kim Dotcom, Glenn Grenwald, Edward Snowden, Julian Assange

Jist is:Dotcom has an email apparently from Warner Bros to NZ Prime Min about getting Dot to NZ with the intention of raiding Mega and extraditing Dot. And New Zealand Launched Mass Surveillance Project While Publicly Denying It


Wikileaks released FinFisher


Get out and walk people...

Thanks RF,

Just had a look at Cyphertite, looks promising.

There's a very generous initial offer of storage space of 8GB although it seems this is more for archiving purposes rather than actual cloud storage a la Dropbox, I could be wrong though, what do you think?

Unlike Wuala, SpiderOak, Dropbox et. al there also isn't currently an Android app to automatically upload your pictures to the cloud which is a must for me as I like to take my handy camera phone on protests and it's good to be able to make sure your content is proof against seizure.

There doesn't seem to be any way of limiting the upload speed of a backup and in fact the site's FAQ says specifically that the software is designed to make maximum use of your connection.

The company is incorporated in Chicago in a "high security data facility" - possibly the most significant of the FAQ's and answers:

Is there any legislation in the US that obligates you to report information about your users to US intelligence agencies?

There are no laws that obligate us to share any information with US intelligence, law enforcement or other government agencies. In the U.S., like in most other jurisdictions, we may be served with a valid warrant forcing us to hand over a user's data. That data, however, is completely encrypted and will be indecipherable to anyone who does not have access to the users keys. We do not have access to users keys nor can we be forced to decrypt your data.

All the same a warrant canary would be nice. Personally I'd feel more comfortable if their servers were located somewhere like the Caymans but there you are.

The FAQ also claim that their secure storage passes the mud puddle test.

It's also immensely reassuring to know they use open source software to encrypt the data and the source code for the software is available from the site.

For the purists, an in depth explanation of the crypto they use can be found by visiting this page, then clicking "Read More".

For the TLDR didn't read crowd, Cyphertite uses 256-bit AES-XTS to encrypt file data.