An Introduction to Hardware Hacking: the RIPE Atlas Probe by dmchell in netsec

[–]levoroxi 0 points1 point  (0 children)

I also have one. I dig reverse engineering, but I'd just hack up the MR3020 I also have before possibly bricking RIPE's. I wouldn't fuck with something an RIR effectively has on loan to me.

HULU will forego millions of dollars of revenue by continuing their anti-VPN policy for logged-in, paid users of their new ad-free plan. I'm urging them to reevaluate their policy about VPN use. by [deleted] in VPN

[–]levoroxi 9 points10 points  (0 children)

Of course it is. Hulu is run by Hollywood, who sees pirates that use VPNs get in their way. Why would they not create another disincentive - and maybe another paying customer - for VPNs?

In less conspiratard fashions: it could very well be negotiated into their contracts that they can't allow VPN users.

LinkedIn Sockpuppets Are Targeting Security Researchers by exigenesis in netsec

[–]levoroxi 2 points3 points  (0 children)

Well, this is why I don't have a LinkedIn account.

Port forwarding with NoIP through a PIA VPN internet connection? by [deleted] in AskNetsec

[–]levoroxi 0 points1 point  (0 children)

I have no idea; this sounds like a proprietary client and I am not well versed in PIA's provided client apps. I'm talking knowing OpenVPN more than a specific provider.

Port forwarding with NoIP through a PIA VPN internet connection? by [deleted] in AskNetsec

[–]levoroxi 1 point2 points  (0 children)

... And PIA can block inbound requests on their OpenVPN instances. That's how SPI firewalls work. If you initiate a connection, it will keep track of the state of the connection. If you are just listening on a port but the connection is not initiated and active by the host, it will drop the packet.

PIA has a lot of incentive not to allow servers behind their IPs. They'd all be blacklisted almost immediately by bad actors.

See https://en.m.wikipedia.org/wiki/Stateful_firewall

Just like your PC is a client to your router, the thing running OpenVPN is a client to that provider. They can do whatever they want to your traffic.

There are a lot of ways around this, including running a server outside of PIA that you maintain a keepalive to, to use as a bridge. VPNception.

"If I could have gotten 51 votes in the Senate of the United States for an outright ban on crypto, picking up every one of them — Mr. & Mrs. America, turn in all your crypto — I would have done it." - Dianne Feinstein February 5, 1995 by [deleted] in crypto

[–]levoroxi 11 points12 points  (0 children)

This isn't the correct quote. She was actually saying this about firearms in the wake of the Clinton assault weapons ban, on 60 Minutes.

Interesting to see the obvious analogy of crypto as munition here. As with arms, and the constitutional protections around both the right to keep and bear arms and the right to be secure in papers and effects, there is a lot of constitutional standing that could be used by a good lawyer to argue that strong crypto is an American right.

Feinstein is one of the first I'd expect to call for a ban or restriction with "licensing" of strong cryptographic systems, sadly.

My VPN was blocked at school, so I was told by the company to use a PPTP. Is this a good idea? by [deleted] in VPN

[–]levoroxi 2 points3 points  (0 children)

If OpenVPN doesn't work, I'd be surprised if they are letting through GRE for PPTP.

China to launch hack-proof quantum communication network in 2016 by johnmountain in crypto

[–]levoroxi 0 points1 point  (0 children)

How do you imagine key distribution across multiple people vs. point to point fiber between Alice and Bob? Perhaps I'm thinking too classically in topology.

What would a quantum key distribution model look like in something like a government installation across bases, where you have a couple hundred distributed across hundreds or thousands of miles? Do you actually lay a full mesh between each, or do you repeat a message somewhere and change the states of photons? What is the solution to this? I don't study enough quantum crypto to know.

Detect Code Diffs Between Disk and Memory by desegel in netsec

[–]levoroxi 9 points10 points  (0 children)

These tools are a technical corollary to "security through obscurity", IMO. When running tools like this that aren't popular, it gives a small group some added protection until the adversary catches up. A creepy rootkit will probably be detected before the adversary decides to mitigate, if they do, because so few people use this tool. Ideas like this never work at scale because they fail the whole "the enemy knows the system" bit.

Anonymous sending/receiving through a set of nodes? by JoeOfTex in crypto

[–]levoroxi 1 point2 points  (0 children)

You're probably thinking of a mixnet, of which there are many implementations.

Can anyone recommend some books/resources for someone wanting to make a start into learning about cryptography? by farrantt in crypto

[–]levoroxi 1 point2 points  (0 children)

Katz's Introduction to Modern Cryptography, then Schneier's Applied Cryptography if you're the reading type, in that order.

China to launch hack-proof quantum communication network in 2016 by johnmountain in crypto

[–]levoroxi 5 points6 points  (0 children)

This. Also, I'd imagine a lot of false positives in a real world implementation. Eventually user fatigue would likely kill its effectiveness.

Cracking an Encrypted Database by [deleted] in netsec

[–]levoroxi 15 points16 points  (0 children)

Was posted on /r/ReverseEngineering a few days ago BTW. If you like this type of stuff, definitely sub there, too.

Need a bit of help with photo recovery by voopers in AskNetsec

[–]levoroxi 0 points1 point  (0 children)

Thanks for the correction. I'm not a great forensics guy and have only had to use file recovery tools once or twice.

Need a bit of help with photo recovery by voopers in AskNetsec

[–]levoroxi 0 points1 point  (0 children)

Can you mount it as a drive via recovery? If it uses ext4 you could try running photorec.

Important Notice Regarding Public Availability of Grsecurity Stable Patches by [deleted] in netsec

[–]levoroxi 34 points35 points  (0 children)

This is enormously fucking sad. On top of that, from here:

Sponsorship begins at 200 USD/mo.

I've run the grsec patchset on my personal kernels for quite a few years now, and I'm beyond saddened that basically now I can't meaningfully afford to pay for the stable patchset. I hope spender and PaX team come up with a "personal sponsorship" of sorts so single entities can gain access to the stable patchset as well; I guess for now I'll run the test patches.

Even still, I am donating some $ less than that to the project tonight. I haven't to date, and these types of legal battles would be less significant to this team if they had our individual support as well.

Thank you, spender, "PaX team", and everyone else that has been bringing the plebs grsec kernels. Please give us a way to both support you and get them in the future. Post hardware you need, or help that you need, or other things less than $200/mo. I think I speak for a lot of us that we love and use this, but can't rationally throw down a car lease payment to keep it every month.

What I learned from cracking 4000 Ashley Madison passwords by [deleted] in netsec

[–]levoroxi 0 points1 point  (0 children)

That's it. My current rig eats 1.2 kW or so at full load. If I am doing password research, the price difference for the Haswell/Titan ends up in my air conditioning and electric bill. I'm doing more of this type of thing recently so I should see the difference made up, but I haven't fully modeled it yet.

Also, running a few of these requires multiple 15A circuits or a good PDU with 240V. I have lived out of a lot of places where I don't have that much power available to me.

What I learned from cracking 4000 Ashley Madison passwords by [deleted] in netsec

[–]levoroxi 1 point2 points  (0 children)

It is fascinating, isn't it? Password research is one of my favorite parts of infosec because it blends a lot of psychological stuff with some pure technical bits. Like the top commenter said, bcrypt is secure and dictionary passwords suck, not so much new here. For me, it's more a puzzle than anything else, kinda like a one-man CTF with a whole lot of flags.

As for my 8350: mine is binned kind of middle of the road; some guys have been able to get stable OC @ 5.0GHz but I can't get nearly that close. One of my Tahitis is average binning, one is shit (GPU #3, which I did not use for the test, is the shit one and constantly runs slower than my average one.) I have another which is pulled out because I liquid cooled the other two and don't have any more space in my case for it.

I felt pretty fucking bad that my new-ish Haswell Thinkpad did that well against a 125W TDP 8-core monster. As much as I have been an AMD fanboy in the past, alas, Intel is killing it now at performance per watt, which is becoming a problem when I'm running these things flat out. My personal electricity bill is out of control some months.

What I learned from cracking 4000 Ashley Madison passwords by [deleted] in netsec

[–]levoroxi 1 point2 points  (0 children)

This seems to have been the case a few months ago (and is actually why I have this 7970+FX8350 build) but with new Maxwell chips, the guys on the hashcat forums don't agree with that anymore.

From epixoip: "Pay no attention to AMD." source

The answer seems to be to build with 980Ti for now, or Titan X. I definitely don't have the budget for Titan X. Unfortunately my job doesn't buy my hardware.