Wiggly Wayne DDS
Sep 11, 2010



Crack posted:

OK I have a few opinions. First of all, please don't use chrome because gently caress google. Same goes for google search (you can use an anonymising service like startpage or disconnect) gmail, google docs, google analytics (can you even still block this?). At the least delete emails not "archive" them, if you think you might wish to view it later download via a secure protocol to an email client, and backup. Noscript is great!
Sounds like you're using a third-party email provider and don't have your emails encrypted. Don't know what you're gaining from deleting them - they've already been processed or have been stored elsewhere. What would you consider a secure protocol and which client would you use to download these emails? What makes Noscript better than the alternatives (uBlock, etc)?

quote:

Also turn your phone off when you aren't using it, better yet remove the battery. Not only will you be saving yourself from cancer but I'm sure everyone has heard of the stingray by now. I also use D-VASIVE which disables the mic etc if I'm not using those functions. Finally, please get RedPhone, TextSecure, Signal, w/e, and advise your friends to do the same. More adoption of this tech is better for everyone, it's Snowden approved and from a couple talks I watched of his Moxie is p much top of the game right now and appears to be doing it for the right reasons. Related to that, don't trust SSL (padlock) as implemented right now. And pgp isn't great.
First off if you've got an adversary prepared to tap your mobile you've got bigger problems. Secondly that's not how stingray works, and removing your battery is advice given for a different attack - wrong advice that's useless these days anyway. Let's leave the cancer part to the side and stick to technical discussion. Relying on a third-party app to disable your microphone is amusing, but recommending RedPhone/TextSecure/Signal is correct (specifically those three products). This is getting into more privacy matters than strictly endpoint security, but it could be worth discussing. Can you explain what precisely you mean about your comments on SSL and PGP?

quote:

Please don't use dropbox. Or Hola. If something is free, how do the developers profit and maintain servers? Same goes for pirated content - in this case though I'm not talking about the dev behind the content but the dev that's put some sneaky code into that pdf of some esoteric magazine or whatever where it's fairly unlikely there have been enough downloads / educated users to leave a warning that you've been owned.
This is more or less true and worth knowing.

quote:

If you're still using WEP it might be time to consider suicide, but WPA is vulnerable too now because Moxie has generously offered WPA/WPA2 cracking as a cloud service for 30 dollars or something, you get results in 20 mins or 40 iirc (if vulnerable).
None of this information is very helpful advice. How should a wifi network be configured? Can you explain your rationale in detail?

quote:

If your housemates are idiots it might be a good idea to disable all incoming / outgoing connections on your router because if you are reading this thread you quite possibly already have malware and aren't the best educated on it. Oh and if you are paying rental for some plastic poo poo your isp provides (with a modem too!) try and return it and invest in an actual router.
What routers would you recommend? How do you "disable all incoming / outgoing connections" on your router? Why would doing this improve security at all? Remember that your housemates still need to go online, and you don't have authority over a shared line/their machines.

quote:

(disclaimer: I'm no security expert but i love my :tinfoil: hat, and I think information security is equally or even more important for many people than pure focus of viruses etc)
It's hard enough to clear misconceptions without people giving, at best, half-true advice. You seem to be learning based off of headlines rather than anything of substance, but it's a start. If you could provide explanations this could prove to be a learning experience for everyone.


Wiggly Wayne DDS
Sep 11, 2010



Crack posted:

Thanks for the criticism people, hopefully I can learn something from it. I'll respond to a post now and another later otherwise these posts will be too large.


fixed.


Yeah to be honest I think email in its current form is pretty hosed. I actually have an email account setup on a trusted personal friend's server - who is skilled enough to run a secure mail server for a few people (I'm not skilled enough to maintain one, but my friend contributed some pretty major stuff to linux back in the day and apparently is fairly fluent in this type of stuff). They are encrypted on the server and when I delete them there isn't a secret backup on a vault somewhere. What you get from deleting them is if someone hacks your gmail acc they prob don't have access to Google's vault so they can't steal your ID. Nevertheless not many people have this option so it breaks anyway if I send / receive any unencrypted email to abc@gmail.com as it will be stored there.

Mailpile looks very nice for DLing emails, and I think that going forward much better protocols are being developed (LEAP or w/e, look at Mailpile's security roadmap too).

I never claimed NoScript was better than uBlock, just that it was great (I stand by that). I honestly haven't really followed uBlock, I didn't really look that much into it and thought it was more an adblock alternative rather than providing the other features in NoScript. In fact, looking at the webpage it doesn't actually tell me if it has the same features, like actually blocking.. scripts, and providing XSS protection (ABE). For example, using this website I got tabnabbed using uBlock open with default settings, and with setting strict blocking. I had to enable reader view, and I'll probably forget to do that for every website I visit. OTOH NoScript blocked it instantly with default block all settings.


Tabnabbing for one? Still works in latest ff and chrome as far as I can tell.


Can you explain how it's wrong / useless? How can an attacker remotely turn on the mic without power? I also factory reset my phone regularly, and occasionally buy new sim cards with cash and don't register my details to the network operator. Given it is powerless most of the time and whatever data does exist is wiped at least bimonthly, there isn't that much data useful or available for the average attacker - maybe after a long targeted campaign they would be able to collect some, but half the year I live in an area that has literally no base station coverage so my phone just sits on a shelf, and don't have wifi. I see my friends face to face in general. Yeah using a 3rd party app is perhaps a little dodgy, but my phone's generally off anyway and the guy who made it (McAfee) is even more paranoid than me.

Regarding SSL I was really talking about the flaws with CAs (ie "padlock" symbol). The thing is meant to prevent mitm attacks but fails when you can buy your own CA for yourself and make your own certs, or hack / exploit a website and get it that way e.g. look at comodo, here is a great talk about how flawed the current implementation is.

PGP requires too much user education (tried to get my mum to use it but she gave up), and doesn't have forward secrecy or deniability. Compared to something like pidgin and OTR, which is like 3 clicks (install pidgin, click addons, enable OTR) or TextSecure.

OK, this isn't a networking thread so I won't go into any detail about networking specifics, but I do believe obviously WEP is insecure (do you challenge that?). To figure out how to correctly configure the network go on the CloudCracker website and see their methodology of cracking, and select a password that will be too complex for it. I mean it is a balance, it's unlikely anyone will spend $17 or whatever (the price goes up based on the dictionary used) to try and get the password but it's good password practice anyway. One of my neighbours has their SSID as "The NSA" which tempts me to waste $17 to see if I can get in though...

Again not a networking thread (but like any actual router).

Disable with a jammer or some scissors on the cable coming from the modem(/router combo). I find these tools empower me with authority over the network. It would improve security by limiting the attack vector to like USB drives or something and the attacker has a hard time controlling the infected machine. I should point out as it apparently wasn't obvious I wasn't really being serious with that comment.


I began my last post with this and I'll end this one with the same. If something looks like an opinion, it probably is one. If something looks like advice, do your own research rather than blindly following the advice of some guy on an internet forum (probably the best advice in general, especially as time passes and the tech changes). I am not a security expert, work in the security industry, or have consulted anyone that does, so anyone looking for security advice please do not take anything I say in any of my posts (apart from the preceding sentence) as informed, educated or up to date genuine security advice. I am primarily posting in this thread to learn and try to get people to at least think about privacy and information security as issues in addition to just viruses or whatever.
You have mental problems and should not be near an electronic device. Please avoid giving any advice or opinions in the future.

Wiggly Wayne DDS
Sep 11, 2010



Crack posted:

But what about uMatrix?!
This discussion is more for the average user - if you use uMatrix either you know what you're doing or want to believe you do.

Wiggly Wayne DDS
Sep 11, 2010



ThermoPhysical posted:

Yes, I read it twice before asking and it says nothing about cloud-based AVs or if they're even worth anything. Basically it starts out how antivirus programs are outdated and not worth buying and then some settings for traditional AVs that aren't cloud-based.

I wanted to know if anyone's tried Panda and seeing if it's worth it. Maybe put something about cloud-based AVs in the OP?
lol

Wiggly Wayne DDS
Sep 11, 2010



Mr Chips posted:

what, nothing about applocker/SRPs on Windows?
Advice on that is just going to lead to people breaking their own systems, but it should be talked about of course.

Wiggly Wayne DDS
Sep 11, 2010



It won't stop malware but it's useful to control software with callbacks.

Wiggly Wayne DDS
Sep 11, 2010



Samizdata posted:

You know, most of EMET is baked into 10, albeit without the granular controls. Also, how do you justify "DEATH TO THIRD PARTY AV, but not THAT third-party AV!"? (As Defender was originally from Giant Software if I remember correctly)
Expertise

Wiggly Wayne DDS
Sep 11, 2010



remember kids even the run of the mill exploit kit allows for single-serve exploits, don't trust a second check on an url

Wiggly Wayne DDS
Sep 11, 2010



stick to configuring your own vpn on a home server or vps rather than touching the poo poo paid ones

Wiggly Wayne DDS
Sep 11, 2010



...............

no.

run openvpn and configure it. paid services will use outdated libraries, pre-shared keys and as much garbage as possible

Wiggly Wayne DDS
Sep 11, 2010



Seaside Loafer posted:

Really honestly? I can't tell from the meta humor sometimes :) I'll do it as a stopgap if it's real.
any tool you'll find is a thousand times less shady than running xp in 2017, nevermind it being tied to steam where some transaction has to be occurring

if they're refusing any guidance and you've even offered to do it all for them you have to weigh your options up as poo poo going wrong in the future will fall back on you

Wiggly Wayne DDS
Sep 11, 2010



judge a company by how they respond to vulnerabilities, not that they've existed at all in an evolving codebase

Wiggly Wayne DDS
Sep 11, 2010



well you need to understand you're not a normal user, and that sms 2fa was always a terrible idea. you failed to mention your android phone is jailbroken, so let's just give up on securing that - no random online people aren't where you get trustworthy firmware for the most critical secret storage a regular person has. then look at your strange obsession with protonmail, if that poo poo shuts down tomorrow what are you doing? you seem to love putting the eggs in one basket and trust them wholeheartedly. let me be blunt: if you don't trust google then you shouldn't be using android, and you really don't want to use the play store so you need to make informed trade-offs.

which gets us to the core of the question: what exactly are you trying to protect at this point?

is it your personal information? that was already online and you're not using gdpr to cleanse that from the internet. if it's that gaming review site you've mentioned in the past no one cares and you're going to overlook something obvious anyway may as well be upfront about yourself there if you want it to be a job

just want to shutdown your online presence and walk away? just tell google to delete the accounts and personal data. you're going to have to trust them on that front anyway, you're not changing that situation regardless of which law you try to invoke

far as email schema you either go with a random username per-identity or service on a public-facing service, or you go with <rand16>@downsdu.ck. all you're getting there is an idea of who's been breached or selling your info. you already have a password vault, the unique email isn't anything difficult to document

also yes use actual 2fa on everything, why the hell is that a question. if you're not then how the hell would you trust one of those dumb front-emails that you've setup? i mean you can't anyway but let's entertain the premise

Wiggly Wayne DDS
Sep 11, 2010



you haven't pissed anyone off, you're just not making a lot of sense and seem to be throwing out scattered ideas without telling us what you're protecting, who from and why. those are pretty critical if you want your approach evaluated, otherwise we don't know the situation you're in and will give terrible advice

just break down what you're trying to protect, who you expect are trying to get it, what you'd lose if they got it, the amount of resources (manpower/experience/time) available, and why it's so critical. then recommendations can be made with context

Wiggly Wayne DDS
Sep 11, 2010



what do you have against street cleaners

Wiggly Wayne DDS
Sep 11, 2010



DoctorTristan posted:

Do you know the difference between a straw man and an analogy?
he never mentioned straw men, please keep to the topic

Wiggly Wayne DDS
Sep 11, 2010



how many vpn services that advertise "no logs" do you think have been caught logging? the ones that don't are the major exceptions and panama isn't what you're looking for

Wiggly Wayne DDS
Sep 11, 2010



OSU_Matthew posted:

The point isn’t to hide from state level actors but just a reasonable modicum of blocking trackers, especially ones that associate and log activity correlated with your usual IP addresses. Yes you still need to configure your browser to block third party cookies and trackers and install uBlock Origin and everything, and DNS over HTTPS is also a great thing, but we’re not Jamal Khashoggi trying to hide from our government dismembering us, just trying to block some overabundant third party tracking and tunnel traffic over public WiFi to avoid the shitshow of people being easily able to sniff out what’s going over the wire (including credentials and unencrypted

Yes, some VPNs are absolutely a shitshow, and you should review any service before using it. For fun, here’s a view of what information is publicly visible when you browse the web:

https://ipleak.net/

A good VPN and browser configuration clears off a lot of that information. It’s low level fruit that’s easy and effective, what’s not to like when done well? If you’re worried about say the Mexican government phishing you and installing the Pegasus Trojan on your phone so a hit can be carried out because of your critical coverage (RIP Javier Valdez and his colleagues), then taking advice on a dead gay comedy forum isn’t a great idea. For the rest of us, I’d argue that it’s pretty ok, and that just saying something is trash without providing any context, argument, or examples isn’t especially helpful. I’m always looking to learn more, so please, show me what I am missing instead of just saying I’m wrong because if one service sucks, then everything must suck.

And yes, this discussion isn’t counting stuff like pixel based tracking and whatnot, or the fact that anyone could buy my SSN and credit report for the price of a cup of coffee (though credit reports are usually a bit more expensive, usually around 20$ if memory serves me correctly), or that you should be using say DuckDuckGo for your searching if you care about subverting some of google’s tracking. Electronic Foundation Frontier is a good resource to peruse as well, if anyone has the time or interest in going down the internet privacy rabbit hole:

https://ssd.eff.org/en
hate to be the bearer of bad news but trackers trying to tie activity to ips is a few decades old by now. that and if you've glanced at the history of the forums you may have noticed that there's an intersection of users who actually have pegasus-level concerns and including misinformation to placate the general end-user is not something that can be given in good conscience.

please do not mistake your understanding of tracking and security for advice to be given out to the general user. especially if you are not taking any notice of their concerns and asking the prudent questions to figure out what they're protecting and how much they're willing to invest time and resource-wise.

Wiggly Wayne DDS
Sep 11, 2010



whoever is giving you other opinions please share so we can bemuse ourselves at them

Wiggly Wayne DDS
Sep 11, 2010



Subjunctive posted:

My daughter (high school) had an assignment this week to spec out a PC build for a fictional graphic designer, and two of the items the teacher expected to see on the list were antivirus software (he recommended ESET) and malware removal software (MalwareBytes). I explained to my daughter that we are a Windows Defender house and that I would come and talk to the teacher if he objected. Some things are worth fighting for.
well which colorimeter did the teacher recommend??

Wiggly Wayne DDS
Sep 11, 2010



Magnetic North posted:

Is this a joke/meme? Or is this real?
it's a dumb thing that some malware check for but i wouldn't go and do it for random user setups


Wiggly Wayne DDS
Sep 11, 2010



all a vpn is doing is changing where your requests for any resources online are coming from. so effectively you're paying for a company to see where all your packets go to by you giving it to them first and them pinky swearing they're not reselling data. this is marketed under the guise that you're only doing it with stuff you don't want other people to know about too soooo
