logicalconfusion

So much for eBay and Staples.

@digininja It will suffice in wonderland. security is important. My friend is a prominent artist in NYC. He makes a triple digit salary for his graphics work. He so scared of someone holding him up at gun point while he's deep in thought he asked me for solutions on how to destroy his network. I know that we're not going enjoy multi platform protocols in the near future. We can however engineer hardware. He's looking for an RFID device that will blow up (DBAN -instantly) his HD.

Thats nice. I got linux, mac os x, win 7, and a proprietary OS written by NASA - honestly. I want the network to self destruct (erase the data or lock up) if I happen poop my pants and run out in a mad rush. any suggestions?

Whats the best way to lock up a system when a wirless device belonging to the owner is 21" from the keyboard? I had to run outside and help my frantic neighbor extinguish a bush fire his kid started by throwing a bottle rocket into a pile of dry leaves yesterday. As I was hosing it down it occurred to me I left my outlook open. I'm looking for a ubiquitous, OS agnostic, device or secure protocol such as bluetooth that will lock up the system in the event of an emergency. The incident reminded me of a famous story I read....

For some reason my vsftpd.conf file allows the system users, added using useradd and groupadd commands to browse other directories - even though I set the jailed option. Can anyone figure out what I did wrong in vsftpconf. I want clients to RW and browse just one directory! Its like vsftp auto logs into the root directory. Here’s how it looks: listen=YES anonymous_enable=NO local_enable=YES write_enable=YES #local_umask=022 use_localtime=YES xferlog_enable=YES chroot_local_user=YES secure_chroot_dir=/var/run/vsftpd/empty pam_service_name=vsftpd rsa_cert_file=/etc/ssl/private/vsftpd.pem

I want to mirror a site on my hd. The application or script must d/l the entire site, including java scripts and gifs - x levels from the specified URL. I don't know of any for nix that can covert the d/l into M$'s .chm and similar formats. Any recommendations?

seems like you'd have to write a script to load every time you open a CLI and then parse the "text directly input" to AES cmd utilities.

is closed source generally more secure? Most corporations avoid using open source operating systems since closed source systems are controlled. I think its best to avoid anything not directly from M$ if you want real security. you'll always have someone to sue; don't forget the tinted glare protector.

Thats true. It is possible to undermine SSL security @ insecure locations such as cafe's using utilities such as SSL strip. Lets forget about SSL security for a second. The person sitting next to you can easily stick you up for your pswd in a cafe. Your neighbor can break into your house and rip off the little post-it under your keyboard while you're AFK - shopping for groceries. It happens all the time. Anything is possible. I think his goatee needs a trim...just like guy holding the "FAIL" sign in your pic, nothing personal, just a joke. Hak5 is awesome....at least they're trying. I enjoy the show. If you compare hak5 with a non-"hacker" site such as gnu.org or even the ubuntu forums you'll see they're using SSL, security, which, again can be compromised. Now we all know that SSL was designed to prevent eaves-dropping a long time ago. LogMeInHamachi and sshutle(freeware) is meant for tunneling into a secure locations but the data is ultimately going through ISP servers on the other side, un-encrypted. I'm looking for a solution to shield us from the ISP and the blackhat's antenna. I guess i'll have to dig around for detailed info. VPNs are an option....

Thanks for awesome suggestions on how to deter sniffers and ISP intrusion. We have to figure out why the entire web isn't on SSL! I don't think it has much to do with cost. Hak5 isn't using SSL. They're not taking proactive measures to protect your security or anonymity as security "professionals." Mr. Goatee Kitchen likes to refer to himself as a L33t H4XoR. Hak5.org is sponsored the likes of godaddy, citrix, jacktrheads(hobo threads). Do a reverse DNS on the domain and you'll see all the other possible affiliates paying for Shannon's pineapples I really doubt that M$N, Yahoo, Dogpile, etc, is unaware of https like their competitor Google(they got all got enough capital to invest in HTTPS - ask the guy who owns facebook). My friends and I are re-researching just how secure SSL actually is and why certificate authorities such as Verisign Inc. deliberately avoid government agencies and security researchers from enforcing standards. ISPs ought to publicly announce known network infra-structure weaknesses along with the marketing polices, IMHO. We're not living in third world communist/fascist emirate of Mars..... just my two cents....Stay tuned....

That's a very good point. I personally would never retrieve sensitive info on public PC. Losing the USB drive wouldn't matter. Its pretty easy to program a thumb drive to like DBAN its contents every so often or check the CPU ID, before self destructing. All this reminds of an old Bond movie....

I'll look into how BEAST and CRIME attacks are executed. I bet there's a lot more to cracking SSL encryption than checking the software on the server and then shaping packets to modify its default configuration. I mean, HTTPS Every Where is endorsed by the EFF! SSL Strip and the other techniques mentioned seem applicable when hacking archaic sites that were never properly configured in the first place. Why isn't there a list in place for researchers like GRC, listing sites that can be easily compromised? Now here's one for the for the hak5 team. Why doesn't hak5 implement encryption? They're pretty security focused. Pls don't reply with "IF you sleep with itchy butt u wake up w/ smelly finga" responses like they do on the backtrac forums.

Well true crypt can create hidden partitions. TC can run in "portable" mode if there's a version of it installed on each OS. I was thinking of a universal format like zip that's recognized by all the major OSes. I'll write congress....they they can persuade the IT industry to set a default standard that works like True Crypt on all major OSes. Either way, its good to know that TC is around. Changing the partition ID is a good idea. Thanks.

YUP! I remember it from way back in the day! Zip file encryption is a lot like decompiling ol'skool 16bit VB3 appz, remember a password is just a permutation that never changes unless that NSA is involved So, now its time for a plat-form independent encryption scheme? Any ideas?

Great idea. I'll stick to cloud based solutions like Iron Key, that Hak5 Pirate mentioned. I thought Iron Key was just a plain old USB drive with some kind of proprietary encryption app. built-in :D lol. I think its best to use a three-layer approach, True Crypt combined Encrypted Zip file stored on a secure network that can be accessed by LogMein Hamachi or Open VPN. Its too bad there's no like real built-in OS mechanism that can transparently encrypt files on the fly while the USB is connected, like a dongle. I know that Win7 implements Bitlocker...wish it was compatible with all the other OSes. Too bad Iron Key costs an arm and leg!

ok! Now we all see that M$ really doesn't care. With all the open source encryption protocols out there, there's not one universal standard that works well with all the processors that Crocodile Dun-dee just mentioned. Lets pretend ARM and all the others in the market didn't exist. What if it was just Win/Linux/OS X. The last time I checked Iron key isn't GALVANIZED! Bid Lan-den can screw us all over by forcing his belly dancers to stomp it w/ ti-89 camels. I'm looking for a safe method that's portable for the clouds....

My gf recently lost her thumb drive loaded with pics of us, out in the woods. She lost it at a Bingo tournament in a local church. I don't think the seniors are going to upload our naked pics but now I'm scared. From now we decided to encrypt all our info on USB drives, only out of necessity. I thought of using of using True Crypt to hide files. Its a great free application. The only problem is that its not inherently installed on Windows/Linux/OS X. There must be an easier way. any ideas?

okay, again we're back to where we started. You keep referring to local data! Whats if its not local. MITM attacks are only possible is if the network admin is dumb enough not to monitor who's in the middle. Libraries, cafe's, etc pay people(legal - non H1 visa wokers) to monitor their networks just so fat guys with software can't around sit and sniff/compromise security in hopes of finding the cure for cancer. So, it comes down to a question of SSL security and what you think is security. I don't think they hire people to chose the word "password" as a scheme for protection (256bit). It all boils down to what ppl want sniffers to see. pls refer with examples on how SSL encryption was cracked. I don't think it's occurred to Darren Kitchen and Shannon Morse that the government might be using their techniques to lead hak101 fans right into a camera.

Neat! I didn't know that this particular distro was available. Looks like its worth adding to my arsenal.

I checked distrowatch.com. There's no utility like Hiren's bootdisk for Linux. any recommendations?

I agree. Its not worth it to run SysRescueCD at this point. I managed to backup most of my files. Its just amazing how linux works when a directory like var gets deleted. I never thought I would be able to use Samba to backup files. I mean, the shit didn't even mount a USB drive from the cmd line or d/l files using a network cmd like apt-get. Now I definitely want to experiment with bkup and recovery utilities just to see how it works behind the scenes. I'll screw around by deleting and attempting to back up files on a VM. You're right, data is never really gone until its over-written( the bytes on the disk have to change). She actually didn't use rm at all. Nautilus can be used to remove system files just like rm by holding down the shift key. I'll write a small blog on recovering files soon. Imagine if D-BAN was implemented at the OS level....file recovery would be a pipe-dream!

yea! why bother. I think i'll just re-install. I'll test exundelete on the new system. Thanks! :D

I didn't expect to see rhetoric. Who's to say the person on the other end isn't being held at gun-point? If you mean to say that major corporations such as Chase, Goldmansacks, NASA, etc use SSL knowing that a call center rep. in the Philippines happened to read your post and undermine security, you've been online too long. SSL is a standard on secure systems. Please show proof that its trivial to hack.

I tried to reaching out using apt-get friend. Linux is a system, unlike windows, that gives root way too many privileges w/out warning. Once the var directory 's gone that's it! The system's pretty much dead in the water. Luckily, she toyed enough to create a backdoor on the LAN(pretty primitive backdoor), so I got all her nude pics off the system. Now the hard part is compiling the source. Do you guys know of any pre-compiled solutions. Please help I'm not going to get a good midniteshake until this is back up and running...

This is a nightmare! I got two apps from sourceforge, testdisk and extundelete. Both appear as source code files, so it's like I can't compile them with gcc on my BT5 R2. I don't think gcc is a part of the distro. any suggestions? I managed to back up the files using samba...now its time to play recovery.