dougdrums
Feb 25, 2005
CLIENT REQUESTED ELECTRONIC FUNDING RECEIPT (FUNDS NOW)

D. Ebdrup posted:

what's cool about it is that the US law-enforcement and three-letter agencies never attack tor itself, and every single idiot who's been busted for doing illegal poo poo on tor has been tracked down by very well-established and -known attacks which show how terrible at OPSEC they are (or how hard OPSEC is)

Not quite the Tor network, but said three letter agencies have been known to use zero days targeting Firefox/the Tor browser, for the better.
https://bugzilla.mozilla.org/show_bug.cgi?id=857883
Using JavaScript was the opsec fuckup in this case tho

E: I'm hella slow, guess it wasn't a zero day.

Rufus Ping posted:

this isn't true

even if you don't count exploiting TBB as "attacking tor itself" (because they're actually firefox vulns even when novel), the 2014 RELAY_EARLY attack on the tor network proper was funded by the FBI

(i maintain a relevant list here)

dougdrums fucked around with this message at 17:08 on Dec 14, 2019


BlankSystemDaemon
Mar 13, 2009




Rufus Ping posted:

this isn't true

even if you don't count exploiting TBB as "attacking tor itself" (because they're actually firefox vulns even when novel), the 2014 RELAY_EARLY attack on the tor network proper was funded by the FBI

(i maintain a relevant list here)

dougdrums posted:

Not quite the Tor network, but said three letter agencies have been known to use zero days targeting Firefox/the Tor browser, for the better.
https://bugzilla.mozilla.org/show_bug.cgi?id=857883
Using JavaScript was the opsec fuckup in this case tho

E: I'm hella slow, guess it wasn't a zero day.

Huh, that's really neat - will have to put some time into reading up on these attacks at some point between christmas and new year's, I think.

rjmccall
Sep 7, 2007

no worries friend
Fun Shoe

D. Ebdrup posted:

would secure boot loader functionality, which the freebsd standard loader has, help with preserving signed-pointer relocations?

no it’s kindof an independent thing. it’s not really security engineering, it’s just basic toolchain engineering: somebody has to design a way to represent a signed pointer in global memory in elf and then write patches to elf assemblers, linkers, loaders, etc. to honor them

D. Ebdrup posted:

did you see https://www.eetimes.com/document.asp?doc_id=1335237 ? CheriBSD, a fork of FreeBSD consisting of about ~100 commits worth of diffs to make it run on CHERI, will hopefully not end up being that

i am something of a cheri skeptic; there’s a lot of hardware/memory overhead and it still doesn’t protect against certain kinds of vulnerability

BlankSystemDaemon
Mar 13, 2009




rjmccall posted:

no it’s kindof an independent thing. it’s not really security engineering, it’s just basic toolchain engineering: somebody has to design a way to represent a signed pointer in global memory in elf and then write patches to elf assemblers, linkers, loaders, etc. to honor them

well i've passed it on to some people who work with arm and the toolchain, so we'll see.

rjmccall posted:

i am something of a cheri skeptic; there’s a lot of hardware/memory overhead and it still doesn’t protect against certain kinds of vulnerability

well, nothing is a panacea, that's for sure

Trabisnikof
Dec 24, 2005

yeah the nsa to dea parallel construction pipeline has been known about for years

quote:

Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin - not only from defense lawyers but also sometimes from prosecutors and judges.

The undated documents show that federal agents are trained to “recreate” the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant’s Constitutional right to a fair trial. If defendants don’t know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence - information that could reveal entrapment, mistakes or biased witnesses.
...
The unit of the DEA that distributes the information is called the Special Operations Division, or SOD. Two dozen partner agencies comprise the unit, including the FBI, CIA, NSA, Internal Revenue Service and the Department of Homeland Security. It was created in 1994 to combat Latin American drug cartels and has grown from several dozen employees to several hundred.
...
“Remember that the utilization of SOD cannot be revealed or discussed in any investigative function,” a document presented to agents reads. The document specifically directs agents to omit the SOD’s involvement from investigative reports, affidavits, discussions with prosecutors and courtroom testimony. Agents are instructed to then use “normal investigative techniques to recreate the information provided by SOD.”

A spokesman with the Department of Justice, which oversees the DEA, declined to comment.

But two senior DEA officials defended the program, and said trying to “recreate” an investigative trail is not only legal but a technique that is used almost daily.

A former federal agent in the northeastern United States who received such tips from SOD described the process. “You’d be told only, ‘Be at a certain truck stop at a certain time and look for a certain vehicle.’ And so we’d alert the state police to find an excuse to stop that vehicle, and then have a drug dog search it,” the agent said.

After an arrest was made, agents then pretended that their investigation began with the traffic stop, not with the SOD tip, the former agent said. The training document reviewed by Reuters refers to this process as “parallel construction.”

The two senior DEA officials, who spoke on behalf of the agency but only on condition of anonymity, said the process is kept secret to protect sources and investigative methods. “Parallel construction is a law enforcement technique we use every day,” one official said. “It’s decades old, a bedrock concept.”

A dozen current or former federal agents interviewed by Reuters confirmed they had used parallel construction during their careers. Most defended the practice; some said they understood why those outside law enforcement might be concerned.

“It’s just like laundering money - you work it backwards to make it clean,” said Finn Selander, a DEA agent from 1991 to 2008 and now a member of a group called Law Enforcement Against Prohibition, which advocates legalizing and regulating narcotics.

Trabisnikof
Dec 24, 2005

double post because I was reminded of this absurd example where the dea faked a car crash and a car theft just so they could lie and hide the real reason they wanted to search the car:

quote:

An egregious example of this law enforcement tactic occurred in 2004 when, through intercepted phone calls and their own subsequent surveillance, the DEA discovered that Ascension Alverez-Tejeda was transporting drugs from Los Angeles to Washington state in his car. To search the vehicle without revealing the phone calls as their original source, DEA agents set up an elaborate ruse.

Alverez-Tejeda and his girlfriend were stopped at a traffic light. As the light turned green, the car in front of them started to move and then stopped quickly. Alverez-Tejeda braked in time, but a truck rear-ended him. As Alverez-Tejeda inspected the damage, police arrived and arrested the truck driver for drunken driving. Officers instructed Alverez-Tejeda and his girlfriend to drive their car to a parking lot, leave the keys in the car, and sit in the police cruiser for processing. Just then, a car thief jumped into Alverez-Tejeda’s car and drove off. Police recovered the car, obtained a search warrant, and found cocaine and methamphetamine.

Other than Alverez-Tejeda and his girlfriend, every person involved in this piece of theater was a DEA agent or local police officer: the person driving the car in front of Alverez-Tejeda’s, the “drunk” truck driver, even the supposed car thief. While a federal judge ruled that the DEA hoax violated Fourth Amendment protections against unreasonable search and seizure, an appeals court overturned the ruling and described this abuse of Alverez-Tejeda’s constitutional rights as “relatively mild.”

Bulgakov
Mar 8, 2009


рукописи не горят

jfc I hadn’t read of that example

mystes
May 31, 2006

Trabisnikof posted:

Other than Alverez-Tejeda and his girlfriend, every person involved in this piece of theater was a DEA agent or local police officer: the person driving the car in front of Alverez-Tejeda’s, the “drunk” truck driver, even the supposed car thief. While a federal judge ruled that the DEA hoax violated Fourth Amendment protections against unreasonable search and seizure, an appeals court overturned the ruling and described this abuse of Alverez-Tejeda’s constitutional rights as “relatively mild.”

If that's relatively mild I don't want to find out what a severe abuse of constitutional rights looks like. (Something like using your surveillance capabilities to blackmail a judge into giving you the verdict you want?)

pseudorandom name
May 6, 2007

you don't have to blackmail Republicans into ignoring the law, they'll eagerly do it for you

Soricidus
Oct 21, 2010
freedom-hating statist shill
the dude was guilty so clearly it was fine to violate his constitutional rights. maybe you should try not being a criminal if you want due process :smug:

Lain Iwakura
Aug 5, 2004

The body exists only to verify one's own existence.

Taco Defender
i like that journalists talking about infosec ask good questions

https://twitter.com/ShadowBankerCEO/status/1205603083415379974

pseudorandom name
May 6, 2007

Soricidus posted:

the dude was guilty so clearly it was fine to violate his constitutional rights. maybe you should try not being a hispanic if you want due process :smug:

BlankSystemDaemon
Mar 13, 2009




Lain Iwakura posted:

i like that journalists talking about infosec ask good questions

https://twitter.com/ShadowBankerCEO/status/1205603083415379974

look, someone's gotta ask the hard-hitting questions

Midjack
Dec 24, 2007



Lain Iwakura posted:

i like that journalists talking about infosec ask good questions

https://twitter.com/ShadowBankerCEO/status/1205603083415379974

but does he know what #include is?

Powerful Two-Hander
Mar 10, 2004

Mods please change my name to "Tooter Skeleton" TIA.


Trabisnikof posted:

double post because I was reminded of this absurd example where the dea faked a car crash and a car theft just so they could lie and hide the real reason they wanted to search the car:

ocean's 11 but it's the police

Cocoa Crispies
Jul 20, 2001

Vehicular Manslaughter!

Pillbug

Lain Iwakura posted:

i like that journalists talking about infosec ask good questions

https://twitter.com/ShadowBankerCEO/status/1205603083415379974

smh, they have so much to learn from next gen hacker

https://www.youtube.com/watch?v=SXmv8quf_xM

spankmeister
Jun 15, 2008






In the general case I think it's more successful to attack the hidden service, and pivot to the clients with some browser exploit than to deanonymize Tor as a whole.

Plorkyeran
Mar 22, 2007

To Escape The Shackles Of The Old Forums, We Must Reject The Tribal Negativity He Endorsed

rjmccall posted:

ptrauth includes some builtin functions for sign/auth, but for the most part you don't use them as a programmer; what you generally do is use something like the __ptrauth qualifier to opt in to stronger signing than the default abi rule for a particular pointer. like if you have a hand-rolled v-table (incredibly common in c code), you'd put a different __ptrauth qualifier on each function pointer field, and then another qualifier on the v-table pointer field in your object type. the abi instability doesn't affect explicit uses of that qualifier, it just means that if you dig around in the language implementation (e.g. if you cast blocks to struct Block * and read fields out), what you see with the current compiler might not be what you'd see in a future compiler as the abi evolves

but no, there's no way to use any of this yet in an app. it's all upstreamed (just to the apple llvm fork, not yet to the root llvm repository), so i think you can try it out, and there might be a preview toolchain available. however, the store will reject binaries with an arm64e slice or which use the armv8.3 instructions in the arm64 slice

yeah, handrolled vtables (which we have some of despite being c++...) were what i had in mind, but i guess i'll wait for it to be officially available
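
Added example, not code from any poster in this thread: the hand-rolled v-table layout rjmccall describes, with a distinct `__ptrauth` qualifier on each function-pointer field and another on the v-table pointer in the object. The `shape` types, the discriminator constants and the `SIGNED_FN`/`SIGNED_DATA` macros are hypothetical, and gating on `__has_feature(ptrauth_calls)` is an assumption; on toolchains without pointer authentication the qualifiers expand to nothing.

```c
#include <stdio.h>
#ifndef __has_feature
#define __has_feature(x) 0   /* compilers that lack __has_feature */
#endif

/* Assumption: ptrauth_calls marks an arm64e-style ABI where the qualifier
   is usable. Form: __ptrauth(key, address_discriminated, extra_discriminator) */
#if __has_feature(ptrauth_calls)
#include <ptrauth.h>
#define SIGNED_FN(d)   __ptrauth(ptrauth_key_process_independent_code, 1, d)
#define SIGNED_DATA(d) __ptrauth(ptrauth_key_process_independent_data, 1, d)
#else
#define SIGNED_FN(d)
#define SIGNED_DATA(d)
#endif

struct shape;

/* Hand-rolled v-table: each slot gets its own discriminator (arbitrary
   constants), so a signed value copied byte-for-byte from one slot into
   another will not authenticate when it is called. */
struct shape_ops {
    int (* SIGNED_FN(0x4131) area)(const struct shape *);
    int (* SIGNED_FN(0x7e02) perimeter)(const struct shape *);
};

/* The v-table pointer field in the object type gets a separate qualifier. */
struct shape {
    const struct shape_ops * SIGNED_DATA(0x5c9d) ops;
    int w, h;
};

static int rect_area(const struct shape *s) { return s->w * s->h; }
static int rect_perimeter(const struct shape *s) { return 2 * (s->w + s->h); }
static const struct shape_ops rect_ops = { rect_area, rect_perimeter };

void shape_init_rect(struct shape *s, int w, int h)
{
    s->ops = &rect_ops;   /* the compiler signs the pointer for this field */
    s->w = w;
    s->h = h;
}

/* Loads through the qualified fields authenticate before the call. */
int shape_area(const struct shape *s) { return s->ops->area(s); }
int shape_perimeter(const struct shape *s) { return s->ops->perimeter(s); }

int main(void)
{
    struct shape r;
    shape_init_rect(&r, 3, 4);
    printf("area=%d perimeter=%d\n", shape_area(&r), shape_perimeter(&r));
    return 0;
}
```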

Shame Boy
Mar 2, 2010

Lain Iwakura posted:

i like that journalists talking about infosec ask good questions

https://twitter.com/ShadowBankerCEO/status/1205603083415379974

it's pronounced tracer-t

Shame Boy
Mar 2, 2010

yes i know someone already posted the video i don't care :colbert:

MononcQc
May 29, 2007

the next generation will call it trace-retweet

CommieGIR
Aug 22, 2006

The blue glow is a feature, not a bug


Pillbug
Trace-yeet

Volmarias
Dec 31, 2002

EMAIL... THE INTERNET... SEARCH ENGINES...

Shame Boy posted:

it's pronounced tracer-t

Xarn
Jun 26, 2015

Trabisnikof posted:

double post because I was reminded of this absurd example where the dea faked a car crash and a car theft just so they could lie and hide the real reason they wanted to search the car:

Duh, criminals with foreign sounding names do not have constitutional protections, that's only for the american white-collar criminals.

Subjunctive
Sep 12, 2006

✨sparkle and shine✨

Shame Boy posted:

really? my wife was on it (prescribed) for a bit and it was fine. didn't really, like, do anything, but it was fine... is it a long-term use thing?

I was on it for years because it worked better for me than adderall, especially in terms of side-effects. the worst part was just switching back and forth between modafinil and ar- when my insurance company got bribed back and forth. I honestly can’t recall any meaningful side-effects until I was well beyond the recommended dose, and even then I was just a bit anxious. I knew a number of people who were on it long term and everyone seemed to agree that it was a pretty perfect medication experience. doesn’t even interfere with sleep for 99% of people.

whatever was wrong with dude’s modafinil takers might not have been because of the modafinil

JawnV6
Jul 4, 2004

So hot ...

Lutha Mahtin posted:

absolute garbage and you were a shithead to more than 2 people so you aren't even trying here

the only thing im confused about is who's the third person i was a shithead to? i quoted 2 posts, explained 2 posts. did i sideswipe someone on the way?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles


tong-ed again

Mr.Radar
Nov 5, 2005

You guys aren't going to believe this, but that guy is our games teacher.
A couple of secfucks from the local news:

https://twitter.com/StribBiz/status/1206374384757346305

https://twitter.com/MPRnews/status/1206754635903574016

Blockade
Oct 22, 2008

https://www.reddit.com/r/sysadmin/comments/eaphr8/a_dropbox_account_gave_me_stomach_ulcers/

Midjack
Dec 24, 2007




:rudebox:

Soricidus
Oct 21, 2010
freedom-hating statist shill
lol at storing data in expensive enterprise dropbox. everyone knows it’s more cost effective to split it across your devs’ personal icloud and onedrive accounts

Methanar
Sep 26, 2013

by the sex ghost

Soricidus posted:

lol at storing data in expensive enterprise dropbox. everyone knows it’s more cost effective to split it across your devs’ personal icloud and onedrive accounts

I'm legit envisioning someone writing a middleware arbitrator to shard data over arbitrary free-tier storage services.

Methanar
Sep 26, 2013

by the sex ghost
Like the s3 gateway for ceph but free tier onedrive.

abigserve
Sep 13, 2009

this is a better avatar than what I had before
I like how it's not just the data, which would be one stupid but logical mistake, but rather the entire app including the only VCS, somehow.

Soricidus
Oct 21, 2010
freedom-hating statist shill
yeah the source code belongs in sharepoint

Methanar
Sep 26, 2013

by the sex ghost
guys I got it.

free onedrive > middleware arbitrator > s3 API > s3-fuse > mongodb

eventually consistent as gently caress

Proteus Jones
Feb 28, 2013



Methanar posted:

guys I got it.

free onedrive > middleware arbitrator > s3 API > s3-fuse > mongodb

eventually consistent as gently caress

This made me twitch so hard I almost broke my neck

Bulgakov
Mar 8, 2009


рукописи не горят

Proteus Jones posted:

This made me twitch so hard I almost broke my neck

the beauty of it all is some lazy mongodb config means the database will be open to the public internet at large and after someone on a darknet market forum has downloaded it all and put it up for sale it will still be a bunch cheaper than having bought proper services

Vomik
Jul 29, 2003

This post is dedicated to the brave Mujahideen fighters of Afghanistan

Bulgakov posted:

the beauty of it all is some lazy mongodb config means the database will be open to the public internet at large and after someone on a darknet market forum has downloaded it all and put it up for sale it will still be a bunch cheaper than having bought proper services

galaxy brain: at least we have an offsite backup


Bulgakov
Mar 8, 2009


рукописи не горят

Vomik posted:

galaxy brain: at least we have an offsite backup

:yeah:
