PaulyD

Active Members
  • Posts: 20

Everything posted by PaulyD

  1. Can someone walk me through this? I have tried for the past two days to get both Mint 15 and Ubuntu 13.04 to install /boot to an SD card. I keep getting "grub-install failed" errors. I've done this before with Ubuntu 11.04 when I had Windows on the first partition, but on this fresh disk, I get the error. The SD is fine, GParted can work on it, no problem. I'm stuck.

    As an alternate, can I just copy /sda1 (dd?) to the MicroSD and then delete sda1? I think I'd need to edit fstab, correct?

    Also, anyone know how to change the encryption from AES to Twofish? No alternate .isos for the latest builds, and 12.04 LTS uses CBC instead of XTS. (lvm2?)

    Thanks guys.
  2. Ok, we've all seen Darren and Kos go after Android. My question is, how do you tech users protect your phone while out and about...while keeping high-tech usability? I'm going to list my setup and I'd like to see where you guys see vulnerability. I know it will be worse than a stock phone, but how bad?

    Galaxy Nexus running a custom AOSP-based ROM (Rasbean Jelly 4.2.1). Franco kernel. Rooted, with SuperSU and Busybox installed. TWRP custom recovery. Bootloader locked, but unlockable within the OS with the BootUnlocker app. JB encryption enabled with a 16-character, full-ASCII, non-dictionary password using every character type. Pre-boot password changed with the EncPassChanger app to 35 characters, same as above. Debug off. All Developer Options off. All permissions removed from adb in system/bin on the phone.

    I wish Darren would go over protection as well as exploitation, more. Thanks!
  3. PaulyD

    Anti-forensics

    Awesome, thanks for weighing in on this. Looking forward to what you come up with when you find the time. Pauly
  4. PaulyD

    Anti-forensics

    Thanks for the reply. The server has USB access for a number of things. DumpIt (among other things) could be run, unfortunately. I'd love to JB Weld all the USB ports, but can't :) That's why int0x80's USB Attack Code was interesting.
  5. PaulyD

    Anti-forensics

    Nope, nothing illegal, just a privacy advocate. CISPA passed the US House, and it will only get worse. Full disk crypto is useless on an always-on server. I've seen int0x80 post here occasionally, so maybe he'll see this. Thanks.
  6. PaulyD

    Anti-forensics

    I have to run Windows on a few boxes (one of them an always-on server) and am looking for some anti-forensics ideas similar to what int0x80 discussed in his talk at the Louise and his bash scripts on Github. Right now I've got CCleaner, Bleachbit, Clean After Me, and USB Oblivion kicking off as scheduled tasks. Each one runs 6 hours after the other. I've also got BCWipe v5 running Transparent Wiping (any user or system delete calls go through its driver, and receive a one-pass pseudo-random wipe) and an encrypted swap. I'd love to get a few more ideas from any Windows users...especially for attacking unknown USB devices and generating thousands of dummy files of varying sizes (encrypted). Thanks.
  7. I disagree with this part. If I tunnel a VPN over Tor, all the exit node sees is the encrypted tunnel...much the same as what an ISP would see from a regular VPN connection. How are you thinking the exit node is breaking OpenVPN? PD
  8. The guys that don't make mistakes...haven't been caught. There are a lot more members of these groups than the 5-10-15 that have been caught recently. If you do it right, your chances are good. Unfortunately, doing it 'right', every time, all the time, is hard. It's exactly the opposite of physical security. Normally the good guys have to be right 100% of the time...whereas the bad guys only have to get lucky once. In this case, you are in the good guy role and have to be perfect...LE just has to get lucky.

    If you tunnel a VPN paid for in cash or Bitcoin through Tor, the VPN doesn't know you, and the exit node can't sniff you. If you pick the right VPN, in a privacy-friendly country, there is nothing to 'give' to the friendly detective. Heck, Riseup, based out of Seattle, has fought, and won, in the courts, over protecting their users...and that's in the land of the National Security Letter.

    Never from home...never. You're going to have to put miles on your car. And never from the same place twice. The full weight of the USA still took 10 years to find OBL...so I'm not fully convinced of their omnipotence. The Sabu thing is a perfect example. He screwed up and they got his address. He screwed up again and they sniffed his true MAC. Big boy rules...you can never screw up...ever...and that's a hard thing not to do. PD
  9. If you're going to stick to a removable drive, TrueCrypt is the most popular solution. If you want to do your Linux install, a dm-crypt/LUKS LVM install, with /boot on a USB or SD card, is what I do. If you want two-factor authentication, get a Yubikey and set one of the slots to 'Static Password' mode (slot 1 is easiest to use). Memorize a 32-character pass phrase and put a 32-character random string (generated with KeePass, for example) into the Yubikey. Right now in the US, the courts are 50/50 on compelling a user to reveal a pass phrase, so splitting it up between your brain and the Yubikey is a good practice...the Yubikey Nano is easily 'lost' :D PD
  10. If there are indeed 2 USB ports: https://www.yubico.com/yubikey-nano ? But is logging in 'dismounted' and then docking really a problem? YubiKey looks like the solution. PD
  11. Mullvad here. Takes Bitcoin. So does Air. PD
  12. For Windows users: I wonder how Defense Wall would handle the USB? It quarantines all USB drives by default. It does really well on all the tests I've seen (as in 100%). Not 64-bit though. PD
  13. Yeah, physical access is a killer to almost everything. The container containing the hidden container is "out there" to grab, true...but in the case of the Hidden OS, getting that container (2nd partition) from a powered-down laptop is a little tougher. I'm thinking some sort of malware for the former...but the latter requires you to 'not know where your laptop is', multiple times. You can security-tape the laptop shell, and grind out the Phillips head slots and fill with JB Weld if you want...no more upgrades though :) PD
  14. The CO case will hopefully be overturned on appeal. Another fact in that case was that the lady was given complete immunity. Now, that judge was still a freedom-hating moron, but who knows if he would have ruled the same had she not been given immunity. You don't need to remember 3 good pass phrases...just one, for the Hidden OS. The other two are expendable and don't have to be massive. You can add or delete from the Hidden Volume with no worries, where did you see that? Writing to an unprotected Outer Volume can damage the Hidden, but that's it. A variation I'm working on now is to boot only off of external media...if not, it boots into an unencrypted Windows install...why advertise at the checkpoint, if you don't have to. PD
  15. Tormail would be first, you can even set up Thunderbird. http://www.tormail.net

    Privat DE Mail would be next. http://privatdemail.net/en/

    Riseup.net, but they require an application and a long wait.

    Running your own server can be free with hMail Server http://www.hmailserver.com/ or Axigen Mail Server http://www.axigen.com/mail-server/free/

    Or you can pay about $100 once and get something like Ability Mail Server http://www.code-crafters.com/abilitymailserver/

    No-IP.com offers free MX records.

    Countermail seems great too, but is it $60 a year, or once?

    There is COTSE.net, again for pay.

    All but the first 3 are about privacy, not anonymity, so combine the two: Tormail for anonymous messages, and the rest to keep BigGov out of your mailboxes...cuz they're in there, no doubt...Hotmail/Live Mail don't even charge LE to snoop. PD
  16. Windows: TrueCrypt with Hidden OS option, various containers for different stuff. DefenseWall, Sandboxie, KeePass, LastPass. Alternate on other boxes, Comodo in Proactive Security mode, or Online Armor with Avast! 6.

    Linux: Sacrificial Windows OS that logs on automatically. Behind that, Ubuntu 11.10 on encrypted LVM. /boot on an SD card (anti Evil Maid). SD card in wallet when not in use. Hardened with some tutorials from essayboard.com (Installment 2). GUFW for the firewall. ClamAV, rkhunter, and chkroot. Thinking about trying out Avast! for Linux. I'm new to Linux. PD
  17. Yes, this is only for WPS PINs. I had a vulnerable Buffalo running DD-WRT. After disabling all WPS-related options (also called AOSS on Buffalo), the only way in was the 256-bit WPA2 key. Note: I did not run the tool, just changed the settings so that WPS wasn't an option that was offered when connecting. PD
  18. Thanks guys. Yes, I'm putting in a 'normal' MAC and filtering isn't active on the router. I haven't tried another distro, but I can try BackTrack on a Live CD. I haven't sniffed the packets (brand new to Linux, coming from Win7), can I do this from the terminal or do I need to install Wireshark? I also got an Intel 6200 series card at the same time. I'm going to swap that in and try...and maybe drive down to Starbucks to test...could be my router (DD-WRT based Buffalo). I'll keep you posted. PD
  19. Copy and paste from UbuntuForums...no action over there:
    __________________________________________________________________

    MAC Changing Trouble

    Ubuntu 11.10 on an Acer TimelineX 11.6". I swapped out the OEM Broadcom card with an Intel 633 Centrino-N 450mbs card. The swap went well, even adding the third antenna, and I have the card working fine. I connect to a Buffalo 450mbs router.

    My problem is with changing the MAC. This is about privacy and not anything malicious. I'd just like to decrease my footprint when connecting to APs that aren't my own, that's all.

    Using the Terminal I can do:

        ifconfig wlan0 down
        ifconfig wlan0 hw ether ad:dr:es:sh:er:ex
        ifconfig wlan0 up

    ...and receive no errors. If I then ifconfig, it shows the new address, so far, so good. I'm very familiar with when it doesn't work, having tried the Broadcom card and getting SOIFFIOC (sp?) errors about too many files open. I can also use macchanger -r or the macchanger-gtk GUI and also change the address with no errors.

    The problem comes when I try to re-acquire my Buffalo AP. It will sit there scanning for a long while, eventually pop up the password screen (which I assume means it sees the new MAC) but then never connect. It just keeps popping up the password box again, and again.

    Should this just 'work', or do I need to do something in the Network Manager GUI where it lists the wireless networks? Right now there is just my original AP, Auto Connect, DHCP Automatic, and it lists the wlan0 card and the burned-in MAC. I've also tried 'Cloning' from here, but again, no connection.

    Thanks in advance, P

    Edit: P.S. There is no MAC filtering on the router, and I've even tried clearing out the DHCP reservation for the old MAC/IP.
    __________________________________________________________________

    Thanks, glad to be here. Been watching for years. PD
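Post 19 above mentions macchanger -r and a hand-typed placeholder address. One detail that matters when choosing an address by hand is the first octet: a station address must be unicast (I/G bit clear), and a randomly chosen one should be marked locally administered (U/L bit set) rather than look like a vendor-assigned address. The script below is an added example written for this page, not code from the poster or from the macchanger project; the function names random_mac, valid_unicast_mac and locally_administered_mac are chosen here. It only generates and checks addresses; applying one to an interface is left to the ifconfig or ip commands the thread already discusses.

```sh
#!/bin/sh
# Added example (not from the thread): generate a random MAC of the shape
# 'macchanger -r' produces, and check an address before handing it to the driver.
# Function names random_mac, valid_unicast_mac and locally_administered_mac
# are chosen here, not taken from the post.

# Print a random MAC. The first octet gets the locally-administered bit (0x02)
# forced on and the multicast bit (0x01) forced off, so the result is a valid
# unicast station address that does not impersonate a vendor OUI.
random_mac() {
    # six random bytes from /dev/urandom as decimal values in $1..$6
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ( $1 | 2 ) & 254 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Return 0 if $1 is six colon-separated hex pairs whose multicast bit is clear.
# The placeholder "ad:dr:es:sh:er:ex" from the post fails the hex check;
# "01:00:5e:00:00:01" fails the multicast check.
valid_unicast_mac() {
    mac=$1
    printf '%s\n' "$mac" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$' || return 1
    first=$(( 0x${mac%%:*} ))
    [ $(( first & 1 )) -eq 0 ]
}

# Return 0 if $1 is a valid unicast MAC with the locally-administered bit set.
locally_administered_mac() {
    valid_unicast_mac "$1" || return 1
    first=$(( 0x${1%%:*} ))
    [ $(( first & 2 )) -ne 0 ]
}

# Stand-alone use: './mac_check.sh demo' prints a candidate and the verdict.
# Applying it is a separate, root-only step the thread already covers, e.g.
# 'ifconfig wlan0 hw ether <mac>' or on newer systems 'ip link set dev wlan0 address <mac>'.
if [ "${1:-}" = "demo" ]; then
    m=$(random_mac)
    if locally_administered_mac "$m"; then
        echo "candidate $m ok"
    else
        echo "candidate $m rejected"
    fi
fi
```

The hex check catches typos like the placeholder in the post before the interface is touched, and the bit checks explain why a hand-picked address with an odd first octet never associates: it is a multicast address, which no driver or AP will accept as a source.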