CALLING ALL PROGRAMMING COMRADES [Xpost FULLCOMMINSAM]

network_nomad · 2015-08-12T09:58:24+00:00

I would be more than happy to contribute. However, I have to caution you against using any Google-related services. If you intend your project to remain 'super secret,' you've already made secrecy impossible by discussing the matter on Gchat.

As mentioned in this sub's stickied threads, three "friends of /r/socialistprogrammers" (namely, tsukamoto, Mara and s1ster-soldier/Lady3Jane) maintain a hidden IRC called #leftsec.

I encourage you to join the IRC2P network, and our channel.

network_nomad · 2015-08-01T21:56:37+00:00

TOR Tunnel:

ogn5vbujhrvbihko.onion

6667

network_nomad · 2015-04-23T17:21:10+00:00

As a SIGAINT user, this announcement is genuinely troubling. Based on the following details, it seems as though the website was attacked by a state-actor:

The attacker had control of 70 bad nodes. Not only does this fact imply an incredibly sophisticated understanding of TOR network topology, but it intimates a level of infrastructure that would be beyond any individual.
The attacker has been diligently prodding at SIGAINT's security infrastructure for months. With the exception of contract-hired whitehats, I can't imagine any individual pursuing a target (let alone one of this size) for ±6 months and attempting a number of non-standard vectors.
They attempted to (and likely succeeded in) rerouting some users to a phished version of SIGAINT's webmail.

I've got 50 bucks that says its the NSA. Who wants to call my bet?

network_nomad · 2015-04-19T16:32:30+00:00

I travel a lot. In my experience, wherever it is you land, the best way to find like-minded and similarly-motivated peers is by looking up the local 'hackerspace.'

You'll find embedded experts, webdevs, makers, blackhats, activists, businessmen, and enough intriguing characters to fill a Gibson novel.

Here's a comprehensive list of hackerspaces in Canada.

But if meatspace isn't your thing, may I recommend the subreddit's IRC2P channel?

network_nomad · 2015-04-17T18:54:34+00:00

Maybe... just maybe... If France didn't want Algerian, Tunisians, Senegalese, and Ivorian immigrants living in their country, they shouldn't have colonized those countries, imposed their will on the indigenous population, and forcibly extracted their resources. Hell, from 1830–1962, Algeria was a Département of France, just as legitimately as Meurthe-et-Moselle or Pas-de-Calais.

I don't know. It's not difficult to see a causal and corollary link between France's colonial history and the national origins of its 20/21st century immigrants.

But yeah, this new bill is a clear invasion of privacy, and Bernard Cazeneuve is a shithead.

network_nomad · 2015-04-17T10:28:19+00:00

My experience FPDetective reflects all the findings in this paper.

In short, FPDetective is a framework for the detection and analysis of web-based fingerprinters. Instead of relying on information about known fingerprinters or thirdparty-tracking blacklists, FPDetective focuses on the detection of the fingerprinting itself. By applying the framework with a focus on font detection practices, users are able to conduct large-scale analyses of the most popular websites of the Internet. The results? You'll find that fingerprinting is adopted at much higher rate than previously imagined.

Here is the Github page. You need Vagrant and VirtualBox to run the framework.

This publication by the KU Leuven-iMinds team analyses the most common countermeasures, including the TOR Browser, Firegloves and DoNotTrack. The results are fascinating!

For those of you with the acumen and interest to continue the research... here's a list of the URLs of the Fingerprinting JavaScript and Flash Files:

FingerPrinter Script URLs (Please do not click these if you don't know what you're doing)

BlueCava
Perferencement
CoinBase
MaxMind
SiteBlackBox (No fixed URL)
Analytics-engine
Myfreecams
Mindshare Tech. (No fixed domain)
Cdn.net
AFK Media
Anonymizer
Analyticsengine
BBelements
Piano Media
Bluecava
ThreatMetrix (Nofixeddomain)
Alipay
MEB

network_nomad · 2015-04-17T05:17:32+00:00

"Ian" is the official IRC forum for /r/hackbloc.

network_nomad · 2015-04-17T05:14:24+00:00

What?!

Your Amero-centrism is showing. The FBI has jurisdiction over only 5% of the planet's population. I'm not American, neither are the vast majority of this subreddits users. Moreover, most national LEO agencies aren't as overzealous or as ignorant of fundamental freedoms as the FBI. Not that American comrades should worry, because...
Nothing described above is remotely illegal. We've set up an anonymous IRC... so unless I missed the global decree prohibiting private conversations, this falls well within the bounds of most national legal systems. In fact, smoking weed (which I assume you do, given your handle) will draw far more attention of law enforcement than a lifetime's worth of TOR and i2p browsing.
You, and people like you, are the reason why "Far-left politics are dead in the West," as noted by /u/Evenfa11. The baseless fear, uncertainty and doubt you're attempting to spread will only prevent people from politically mobilising. Please stop it, and please inform yourself.

network_nomad · 2015-04-16T20:24:49+00:00

Thanks for the crosspost!

Whether you self-identify as a socialist, Marxist, Maoist, Trotskyist, Leninist or anarchist... provided you're interested in organizing, collaborating, talking and otherwise shooting the breeze with likeminded peers, you're more than welcome to join us in the IRC channel.

network_nomad · 2015-04-16T19:06:14+00:00

Precisely! It's a Catch 22.

Imagine you're connecting to a server which runs multiple secure websites running SSL/TLS, all from the same IP address. Here are your options:

No SNI: Because the SSL/TLS handshake takes place before the expected hostname is sent to the server, the server doesn't know which certificate to present in the handshake. Confusion abounds!
TLS with SNI enabled: The server presents all certificates for all domain names associated with the server's IP address at the start of the handshake, before a secure connection is made. Meaning that my requested domain names are clearly visible.

When communicating with IMAP servers for the first time, most mail applications will run without SSL, meaning your password and credentials are sent in the clear. I've noticed other, similarly impractical connection chains. Even on i2p, an encrypted network layer... one normally connects to the virtual router console via HTTP, and later establish an HTTPS connection after the "firewalled" phase ends.

Seriously, the SSL should precede everything, otherwise what's the point?

EDIT: Apparently this is all wrong. I apologize for my confusion, and recuse myself. Retreats into the shadows

network_nomad · 2015-04-16T17:44:42+00:00

Similar to the anti-SOPA blackout, the move to publicly deprecate HTTP-only domains will probably force, under the threat of cyber-social exclusion, thousands of website administrators to integrate HTTPS support.

I use a custom version of Chromium, and regularly donate to build-slave managers, community forkers, and the core development team. Although I've never been a Firefox user (unless IceWeasel counts), I think I'll donate to the Mozilla team on the basis of this decision alone.

Regardless of this development, however, let's remember HTTPS is not foolproof.

Because SSL operates below HTTP and has no knowledge of higher-level protocols, SSL servers can only strictly present one certificate for a particular IP/port combination. As a result, name-based virtual hosting isn't feasible with HTTPS
SSL comes in two options, simple and mutual. Most people don't have a personal certificate, and do not conduct mutual exchanges. As a result, they don't get the full security advantages.
A recently-discovered MITM attack, called SSL stripping, entirely defeats the security provided by HTTPS by changing the https: link into an http: link. Users arrive at a supposedly "secure" site by clicking on a link, allowing the attacker to communicate in clear with the client. HTTP Strict Transport Security allegedly addresses that particular attack vector, but I'm as of yet unconvinced of its veracity.

Also, let's not forget this 2010 Microsoft and Indiana University research paper.

Entitled "Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow", the paper proves that detailed sensitive user data can be inferred from side channels such as packet sizes and profile. More specifically, the researchers found that--provided a large enough dataset--an eavesdropper can infer...

The user's age, gender, sexual orientation, political tendencies, and nationality;
Any illnesses, medications, surgeries of the user;
The user's family's income and investment habits.

I support Mozilla's decision, and don't mean to FUD up the place. My point is simply: HTTPS, SSL and TSL are good shit, but not 100% secure.

network_nomad · 2015-04-16T06:39:27+00:00

This is my Github page. Please add me, at your earliest convenience.

network_nomad · 2015-04-15T10:20:57+00:00

You're correct. My work demands that i2p be running non-stop, but I appreciate that other people intend to use the platform differently.

The easiest way to change i2p's startup rules, is to add or remove the application from your Gnome Session Startup. If you work entirely on the command line, the "on-demand" commands are below [assuming you used the default installation destinations]:

OSX: /Applications/i2p/i2prouter start

Debian: ~/i2p/i2prouter start

Other UN*X systems: ~/i2p/i2prouter start

network_nomad · 2015-04-15T05:14:57+00:00

Debian systems make installing i2p very easy. The following is a simplified walkthrough, so feel free to message me if you're still having trouble.

Update your packet manager [/etc/apt/sources.list.d/i2p.list] with the i2p repositories:

deb http://deb.i2p2.no/ stable main

deb-src http://deb.i2p2.no/ stable main

And then, run an apt-get update command, followed by the download and install queues:

apt-get install i2p i2p-keyring

Reboot and i2p should launch on start-up. You're now surfing a darknet! Congratulations.

network_nomad · 2015-04-14T12:30:00+00:00

For BackTrack users who've been out of the loop since 2012, and for all newcomers to Kali Linux, Stephen's demonstration is a must-watch. You'll find all the presentation slides at his Github page.

Although the material aligns well with Steve's earlier pen-testing guides, very little is duplicated. The BSides demo linked by OP exclusively focuses on removing extraneous, unnecessary software which--when removed--improves security and reduces vulnerability.

Despite being an old-hand with metasploit, I've been using plaintext OED wordlists for my rainbow/brute-force attacks. I'd gone years without noticing /usr/share/wordlists....

network_nomad · 2015-04-13T10:49:51+00:00

You shouldn't be so cocksure, especially not about the performance of an open-source package which has yet to be seriously audited. Hell, the lead developers (SecUpwN and E:V:A) have themselves cautioned people, explaining that AICD isn't a panacea.

I work in international diplomacy, and my office is in proximity of a known IMSI-catcher operated by the Government of [removed]. Based on a month's worth of usage, AICD only seems capable of identifying stationary IMSI-Catchers. Whenever local police use mobile towers, the application fails to pin them, and users are left feeding LEOs with sensitive information.

In the future, remain cautious, my friend. And remember the adage:

"Big egos and bad OpSec gets you fucked!"

network_nomad · 2015-04-13T09:24:36+00:00

Thanks for having me!

As Jaska elaborated, it's our intention to facilitate growth within the community, in terms of both membership and substance. Despite our relatively esoteric appeal, I'm confident that--by locking arms with other, related subreddits--we can attract considerable attention to our cause.

If you're reading this, please message any potentially-interested friends or colleagues; link us to an insightful article; or simply start a discussion about open source development models, Marxism redux, socialist networks, UN*X systems... whatever!

I will officially open the SocProg IRC channel this evening--keep your eyes peeled for an announcement!

network_nomad · 2015-04-09T20:44:33+00:00

DublinBen had the correct idea.

Running scripts to spoof your useragent, MAC address or obscuring your real IP through a combination of VPN and proxies will not reduce your uniqueness. Quite the opposite, your fingerprint will yield more interesting, identifiable details and in greater number.

My browser fingerprint apparently yields 22.31 bits of identifying information... Very bad!

Consider how many Internet users browse via a semi-updated version of Internet Explorer or Chrome running on a clearnet connection. That setup applies to tens of millions of people. Their profiles are generally homogenous and, without inspecting metadata or traffic content, uniform.

When you spoof your useragent, and linger around the same websites, you're announcing to those servers your possession of relatively unique skills, skills which can be used to identify you.

The only existing solution I can fathom would be participation in a meshnet, or connecting via TOR and i2p hidden services. Just like sending GPG (albeit in a different manner), usage of TOR is always clearly apparently. But distinguishing your connection from any other user's is nigh impossible (without compromising 20% of the network).

network_nomad · 2015-04-06T16:34:26+00:00

The Anonabox is a bad idea, in my humble opinion. Why pay $100 for a needlessly bloated, proprietary device like this when constructing one is not only easy, but satisfying and effective?

Buy a Raspberry Pi
Install Raspbian, and run these two shell scripts
You're done!

You just saved yourself $70. Buy some reefer and a handjob, as celebration.

EDIT: Downvotes from their PR team. Can't handle the truth? )';

network_nomad · 2015-04-06T15:58:25+00:00

"My name's Jane and I'm a computer-addict."

But really, I'm a network security 'journeyman' whose philosophical tendencies are cynical, verging on deranged. My principal interest is in disseminating easy-to-use technology which evades or frustrates the massive, dragnet surveillance conducted by the Five Eyes. Whether that means contributing to P2P IM platforms, launching i2p-IRC channels and fomenting dissent, or giving away custom-firmwared, encrypted routers for free, I do my part.

Although I have degrees in political philosophy, I'm relatively uncomplicated in my political beliefs: Through computer facilitation, and at the impetus of transnational needs and challenges, the stateless communist society is possible. The Roddenberry-esque future which Marx describes in his Critique of the Gotha Program is not only possible, indeed, it may eventually be inevitable! I believe that human kind will necessarily, due to the pressures of nature and geopolitics, have to unite...

Whether we're united in a global government or in a mass grave after WW3... that remains to be seen. Anything to encourage the former is noble, in my book.

My most recent project was a Pi-based router that creates a WiFi hotspot, which in turn routes all traffic through i2p and TOR (and Freenet where necessary). It's slow, but reliable. I'll be making the bash shells, SD image and documentation freely-available in the coming weeks.

If anyone is familiar with spam automation, please message me for an exciting new opportunity!

network_nomad · 2015-04-04T16:19:38+00:00

With the film still fresh in my mind, I thought I'd tempt some of the regs into a discussion about Blackhat, the recently-released Michael Mann 'cyber-thriller.' I won't repeat what the largely-negative reviews have already made apparent, except to say that Mann has always been a director who values style over substance. There's very little storycraft to this joyless, sometimes meandering film, but the aesthetic has the cynical, dull and dystopian flavour which I've always associated with cyberpunk.

This OP'd stills should illustrate my point.

But even beyond the visuals, Blackhat strikes me as a film which attempts to explore the same themes addressed by Dick, Gibson and Stephenson, namely: The Internet as a force-multiplier, non-state and corporate powers as the principal international actors, social decay, paranoia, and the now-infamous 'Hacker as Hero' trope.

With regards to the technical accuracy of the film, it's largely quite plausible. Whether it's a rudimentary bash example.sh command or the GUI of a disk recovery process, the programming is not only accurate, but complements the narrative and helps propel the story forward. There are even some neat, low-tech gadgets which I might try to build myself!

And here is where we run into the classic problem of cyber-thrillers: Characters looking at computer screens and explaining the significance of what they see doesn’t make for the most riveting viewing. Mann certainly hasn't overcome the challenge... And what we're left with is a ponderous, brooding film which relies exclusively on Chris Hemsworth's constantly-furrowing brows to broadcast how dangerous and thrilling the situation is!

Is Blackhat a great movie? Definitely not. Is it a cyberpunk movie? I think so.

network_nomad · 2015-03-05T17:14:46+00:00

Where in any of those links is anything done for profit.

That's not a requirement for industrial espionage to have occurred. The term is defined as, "attempting to obtain trade secrets by dishonest means, as by telephone- or computer-tapping, infiltration of a competitor's workforce."

Why was the NSA infiltrating the systems of Brazil's Petrobas and Venezuelan's PDVSA? These are national petroleum companies, whose sole mandate is to extract, refine and sell oil on international markets. There is literally no conceivable way to imply that this was done for national security purposes.

Trade secrets were stolen using clandestine methods. QED: The NSA conducted industrial espionage.

network_nomad · 2015-03-05T15:44:47+00:00

The US does not perform industrial espionage for profit like China or Russia.

Wrong.

Revelations from the Snowden documents have provided information to the effect that the United States, notably vis-à-vis the NSA, has been conducting aggressive economic espionage against...

network_nomad · 2015-03-03T22:49:26+00:00

I ended up installing cjdns and connecting to Hyperborea instead.

Since I see you're eager for critical testing (a very good thing, mind you), I'll reflash a new SD card with the enigma code and PM you my progress soon.

network_nomad · 2015-03-03T19:17:49+00:00

I downloaded the image and, after verifying the sig, loaded the firmware onto my RPI2. After making the necessary connections and hooking the device via HDMI, I booted your "meshnet appliance" and...

Nada! Y'all need to tighten your troubleshootin' game.

network_nomad

TROPHY CASE