why wouldn't you just download the official iso. did you know? if you don't activate windows 10, a few features are locked out but it mostly works?

# ¿ Jan 6, 2017 03:33

# ¿ May 5, 2024 05:46

Achmed Jones posted:I'm a founding member of my company's new security team. A week ago, I was a hobbyist with an OSCP certification. We're starting on risk assessment, prioritization, and all that, but I'd love any links y'all might have (or books to read) that'll help us out.

are you already familiar with this article? https://medium.com/starting-up-security/starting-up-security-87839ab21bae

Shaggar posted:the torrent is probably advertised as activation cracked

once I needed a windows vm and was anxious about it. I bit down and just downloaded and installed windows 10, figuring that I'd just reinstall the vm if the evaluation period ran out. instead it turned out that windows works at, like, 99% capacity without activation. you can't configure telemetry, personalize the taskbar, things like that

Heresiarch posted:you still can't download a windows 7 ISO from MS afaict, but they even have a tool for downloading windows 10

downloading windows was, for the longest time, exclusively allowed to msdn subscribers. except windows 2000, because it had java built in and the settlement with sun means they can't distribute it any longer in any way or form, you have to find a 3rd party reseller that still has it

# ¿ Jan 6, 2017 18:24

I wonder if 1password could use a custom keyboard instead of the clipboard, as an interface between password database and applications

# ¿ Jan 6, 2017 18:41

ratbert90 posted:Random question: on our appliance, we use a built-in hardcoded wildcard certificate.

of course it's not secure, it's not hard at all to dump the private key shared by all appliances, but it's just for bootstrapping, the admin interface (with a hardcoded default password that must be changed at the first login btw) has a function to generate a unique private key and a csr, and load a new certificate. you need something like that

our appliance requires adding a line to the hosts file with the initial hostname and ip of the device, but you could skip that step by using a hardcoded hostname like device.domain.tld that resolves to the hardcoded initial ip

# ¿ Jan 6, 2017 19:43

just my luck, I get out of kitty jail just in time for the thread to be disappeared

italy is currently being rocked by a bizarre scandal of the cyber persuasion. the occhionero siblings, entrepreneurs in the finance sector, freemasons and by all accounts smart people (he's a nuclear engineer, she's a chemistry phd), are found to be conducting a multi-year spearphishing campaign against politicians, entrepreneurs and... other freemasons. their spyware appears to have been entirely developed in-house, and it's been active since at least 2011.

kaspersky describes it as "amateurish" but I've gotten my hands on a recent sample and it appears to have been developed by someone who, if not a cybercriminal, has at least an idea of how malware analysis is done and how to slow it down. well, at least the anti-analysis protection and obfuscation was, and I know it's not a commercial framework because the few unobfuscated strings are unique to the malware

on the other hand, the occhionero siblings made huge, gigantic opsec blunders, and I argue that they had outside help with the malware development, because they clearly aren't serious criminals. consider the strongest piece of evidence against them: the malware exfiltrates data by sending e-mails and uses a commercial component to do so, which requires a license code to unlock. not only does the malware contain said license code, but italian police asked the fbi for help, the fbi obtained the name of the licensee, and it was the occhionero brother: the guy had virtually embedded his real name in his phishing malware

on the other other hand, when the police came to arrest them, the brother rebooted the bitlocker-encrypted computer and now refuses to provide the password, while the sister locked her smartcard by entering the wrong pin several times.

it's not going to help them much because the amount of evidence against them is impressive: they didn't just embed personally identifying information in the malware, they also hosted the c&c server on their company's website, and they talked about their dirty business on regular cleartext phone calls, that the police duly wiretapped

all considered, the campaign wasn't terribly successful. of about 18000 targets, only about 10% are estimated to have been compromised

the motive is still a mystery. insider trading seems to be the current consensus

the malware samples I've seen raise some extremely obvious red flags when run in the simplest of the automated analysis tools, and they're clearly part of a shared lineage dating back years, so it's a little amazing to me that it took so long for it to be noticed

# ¿ Jan 16, 2017 22:49

flosofl posted:Cool post, and keep us updated. This seems bizarrely inept.

fun fact: they kept the information stolen from other freemasons in a folder (or category, I should reread the report) called "BROS". spankmeister gave a good summary of freemasons in italy and their historical significance

Powaqoatse posted:but it does seem that they are "serious criminals" (if guilty) so i dunno what you mean by that one sentence

inexperienced and super cocky is what I mean

some gossip: it seems the sister's defense will throw the brother under the bus. italian press is inadvertently playing into their hand by being good ol' sexists: they aren't a criminal enterprise but "an engineer and his sister", he is "a nuclear engineer" while she's painted mostly as a healthy eating freak and marathon runner, completely glossing over her considerable professional and academic resume and personal investment in the crime. one article in particular is this whole funny little sketch, where she comes to jail with a bag of expensive designer clothes and as soon as she has to leave it unguarded to go to her first hearing, the lot is stolen. she shakes her head, gets on the phone with a friend, and tells her in a controlled but exasperated tone to bring her a couple changes of the cheapest, ugliest clothes she can find. curtains, polite tittering from the dames

some technical details: contacts in the italian malware research community have shared a recent sample of eyepyramid (the official name of the malware - author given! - and an obvious reference to the all seeing eye). I'm very rusty re. reverse engineering as I haven't done it professionally in years, and only rarely recreationally, but I can tell a few things beyond a shade of doubt:

I said that it would be obvious it was written in vb.net even if it didn't use the vb.net runtime library, and I'll explain why. let's look at a typical routine, messily and partly incorrectly decompiled by dotpeek:

C# code:

initially I thought this bizarre code pattern (repeated over and over) was a form of code flow obfuscation. it doesn't make sense though, because if you can alter code flow, why do it in this very specific, deterministic way that isn't terribly hard to undo? why a try/catch and a switch? well, thanks to my past experience with visual basic (my first "serious" language!), I soon recognized it as "on error resume next", a notorious error non-handling construct that just throws any errors away. on classic vb, "on error resume next" actually produces more efficient code, as it omits error checks. on a platform like .net where errors are reported through structured exception handling, always, the compiler has to emit... that. mark position, catch exception, switch on current position, goto next statement. the above function simplifies to a more palatable:

C# code:

C# code:

other telltale signs of vb.net are the many reference variables, which are illegal in c# but not in vb (dotpeek can only decompile to c#):

C# code:

Powaqoatse posted:also please don't troll negrotown (i hope that's what it was)

nein tyrante

e: unbroke tables

hackbunny fucked around with this message at 06:31 on Jan 17, 2017

# ¿ Jan 17, 2017 06:24

sorry to disappoint with a relatively lame post and no eyepyramid update, but the opera 12 source code has just been leaked: https://github.com/prestocore/browser already dmca'd lol but mirrored here: https://bitbucket.org/prestocore-fan/presto/ it's out and about! if you're still using opera 12 for some goddamn reason (not even I am) it's time to quit it for good

# ¿ Jan 17, 2017 17:47

Powaqoatse posted:goddamn you're amazing

no I'm really not but thanks anyway

btw there is no writeup yet, and all my contacts have gone silent so I guess they won't give updates outside of official channels from now on. everything you'll read here from me is an Official SA Forums Exclusive™ (tagline: "Where your count")

spankmeister posted:Did you try de4dot? (and then ilspy)

no! but I will now. I have to redo my work from scratch anyway

I'm not too familiar with .net reversing, basically I tried to load the sample in ida pro, ida gave up due to "corrupted" metadata, and I literally turned to a wikipedia search for ".net decompiler", and found ilspy and dotpeek. they both have their strengths and weaknesses (eg. ilspy supports vb.net, but dotpeek doesn't poo poo the bed as much), and neither is quite as good as java decompilers like procyon and jad. they recommended I try dnspy to edit things like the invalid symbol names before running the assembly through a decompiler, but if a tool can do it automatically, even better

I have time to spare and I'm running out of interesting cars to buy in gran turismo 6, so I'll give it another shot. stay tuned

ynohtna posted:hrm, i think you need to spend a few days gently meditating on the purity of procrastination

I'm lazy but patient and I can do repetitive chores for hours no problem. the non-lazy alternative is finding or writing a symbolic execution engine that supports .net and p-invoked native code, because I imagine that crypto routines are native. alternatively hand-coding hooks for all external routines. and that's

e: crazysim posted:i should add there's a de4dot integrated/engine replacement of ilspy called dnspy

oooh so much to learn

hackbunny fucked around with this message at 19:24 on Jan 17, 2017

# ¿ Jan 17, 2017 19:16

hackingteam : https://motherboard.vice.com/read/after-cellebrite-breach-hacking-team-lashes-out-against-vigilante-hackers

# ¿ Jan 18, 2017 01:30

Wiggly Wayne DDS posted:more eyepyramid info, it uses a lot more third-party software than previously thought: https://blog.trendmicro.com/trendlabs-security-intelligence/uncovering-inner-workings-eyepyramid/

dang I'm slow. apparently I have one of the most recent samples! crrr.exe, but the table at https://documents.trendmicro.com/assets/Appendix_uncovering-the-inner-workings-of-eyepyramid.pdf doesn't include the c&c url (it's still https://webdav.hidrive.strato.com/users/oncole3991 btw, and don't bother going there as the account has been deactivated), and their "notable email addresses" column is misleading, it's really the usernames of the exfiltration webdav boxes, afaict

btw thanks spankmeister and/or whoever recommended de4dot because it was a godsend

I did eventually write the code to bruteforce the string encryption/anti-debugging protection hybrid algorithm, found some of the webdav boxes used for exfiltration, and wouldn't you know one of those was still up! I'm terribly curious what's inside those files. I have to look up the exact encryption scheme used but the key and iv should simply be derived by hashing the filename

# ¿ Jan 19, 2017 01:25

yoloer420 posted:DnSpy still handles vb code horribly.

dotpeek works better for now, even when decompiling vb to c#

# ¿ Jan 19, 2017 01:29

eyepyramid trivia: there's some unused code related to captchas, functions to download/upload both images and text from <url>/captcha/<unique id>. the same module contains code to scrape forms from the page currently open in IE and upload them. no idea about the captcha stuff but it seems out of place. I wonder if eyepyramid is part of a larger family of malware

# ¿ Jan 19, 2017 01:34

Wiggly Wayne DDS posted:from what i surmised the captcha section is a misdirect when communicating moderately sized blobs to weird domains

the code seems simply unused to me, and the "captcha" url component would go through the usual sha1 obfuscation anyway, so I'm not sure about this. and it really seems to be related to captchas, as it can for example deserialize received data to a System.Drawing.Image

unless you're talking about an older sample, I guess. crrr.exe/d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c does nothing with it

# ¿ Jan 19, 2017 02:33

A Man With A Plan posted:While very cool, I'd recommend a lot of caution with putting any computer-linkable stuff related to you on a server that will almost certainly be part of a criminal investigation.

I took precautions. barring stupid mistakes I should be fine

# ¿ Jan 19, 2017 03:38

Phone posted:brianna wu has weighed in on the meitu thing ITS A MATTER OF NATIONAL SECURITY

brianna who?

# ¿ Jan 20, 2017 16:52

eyepyramid update: I'm now 99% sure that the sample I was given is just a download-and-execute and that the real payload is elsewhere. bummer. all it does outside of executing other components downloaded from the c&c is to disable various os and office security features, attempt to kill antivirus software, and open windows firewall

writeup on the string encryption/self-protection hybrid later. man, what a drag

# ¿ Jan 23, 2017 03:46

LeftistMuslimObama posted:i bet it was really someone's big ole donger. some guy on the plane had to buy another seat in which to sling his truly gargantuan and yet somehow tenderly beautiful meat monster and the captain radioed down to the tarmac "houston we have the biggest drat darn ding donger i ever did see were gonna need to burn some fuel so we can get this elegant creature there iykwim"

# ¿ Jan 23, 2017 15:49

why do I keep raving about eyepyramid's string encryption? because you see, it's actually quite interesting. let's take the typical encrypted string:

C# code:
C# code:
C# code:
and remember, you heard it first here: it's a Dead Gay Forums Exclusive™ - Where Your Count

hackbunny fucked around with this message at 05:19 on Jan 24, 2017

# ¿ Jan 24, 2017 03:02

huh it was quick, I wonder what I was getting wrong the first time. as I mentioned, the "carrier" type of agent uses a different master key to decrypt its sensitive strings. since the master key is derived from a number of runtime checks, and only one set of outcomes is the correct one (i.e. it allows the decryption of strings that allow the malware to work), we can deduce a little bit more about the purpose and operation of the malware. specifically, the master key is derived from an array of booleans, filled thus:

C# code:

# ¿ Jan 24, 2017 04:40

Bhodi posted:I suspect this is a check to short-circuit similar to RunningInVMAndApplicationOlderThan5Days to prevent 'dev' builds (built after the hard-coded feb 2015 date) executing automatically. It's a way to pin auto-execution to only code that has (presumably) been tested to work in the build-test vm framework and prevent auto-execution for newer code, though it's a really wacky way to do it. I could see doing it this way if you have some sort of framework that you use for both development of new features and testing of the operation of mature ones, and your build system inserts that date into the code based on last tested-good configuration (or you alter it manually).

note that the protection code only prevents communication with the c&c and exfiltration hosts. the malware uses a different set of checks at startup, and iirc the build date check isn't among them (ok, I checked, and the only build date check done at startup is IsBuildOlderThan8Days)

Munkeymon posted:makes it harder to change the date just to see how the behavior changes or get the date-based behavior you want?

but only carrier does this check, hgrghk and tmpwebshell don't. no, it occurs to me it's because of code I haven't shown yet: when a carrier downloads other agents, it performs several freshness checks on their last modified and build dates

Munkeymon posted:why the autorun checks? do analysis tools like to just use windows autorun to start the malware in the VM?

this:

Volmarias posted:Sounds like the opposite; starting it manually to see what it does would result in nothing if "true" was the expected value here.

Chalks posted:The use of a paid for library implies for me that more than one person was developing this, and the second less experienced person probably just picked up a library for sending mail that they had used in a previous legitimate project without realising it was tied to their personal details. It seems impossible to believe that someone who was so deep into illegal activity wouldn't simply pirate a copy of the library (or if it was the more experienced developer, I'm sure they would be capable of interacting with the email protocol directly or at least using an open source alternative)

don't underestimate MailBee, it seems an incredibly good library. it's not just an smtp client, it does imap too, and even smime. oooh I almost forgot, there's a couple embedded x509 certificates, I really should dump them. it could be interesting

Chalks posted:I guess there wasn't any information released about how long ago the license for the mail library was purchased vs when the malware first included it? I expect the dates will be some time apart.

I'll have to look for older samples. this thing has been around, under everyone's radar, for almost 6 years!

# ¿ Jan 24, 2017 14:12

huh actually. hm. they're not the kind of certificates I expected.

the first is a root authority, Global Systems Comm. CA. is it even legit? supposedly a company in singapore. anyway, this is installed as a trusted ca in the system certificate store

the second is an encryption certificate, as I expected (it's used to encrypt messages with s/mime), but it doesn't have any interesting information: it's self-signed and the subject common name is simply "Administrator", clearly a test certificate generated with some wizard on a windows machine. maybe a bit more interesting is the issue date: sept 12th 2011, it's been around for a while. sadly, it's probably not an easily searchable pattern because the byte array is built element by element by compiler generated code. if only I could get my hands on just another sample...

the expiration date is a little weird, jan 28th 2039, which doesn't seem a nice round date. maybe it's hardcoded in the wizard, does it ring a bell for anyone? (fake edit nevermind, it is a round date: 10000 days after the issue date)

# ¿ Jan 24, 2017 14:52

huh. just today I looked in my spam folder and found a long forgotten sign-up confirmation e-mail from them. clicked the link and the site was down. I open the secfuck thread and welp

# ¿ Jan 27, 2017 16:51

guy I helped with the eyepyramid analysis finally released his writeup: http://blog.talosintel.com/2017/01/Eye-Pyramid.html

some notes:

quote:The sample is written in .Net and it is heavily obfuscated. Although at first sight we can also extract some interesting strings which are useful for possible ClamAV or Yara signatures. The author paid attention to hide the core functionalities by using either known .Net obfuscators or cryptography to hide crucial information such as URLs, email addresses and credentials.

as I noted before, the obfuscators, for one reason or another, were actually unable to hide a large number of uniquely identifying strings, for example argument or enum names, such as hgrghk, tmpwebshell and THISPROPERRUN. go ahead and google them, they're unique to eyepyramid and will reveal a few more samples (that however don't appear to be downloadable. anyone have access to a yara-searchable repository and wants to give me a hand?). the order for custody against the occhioneros pops up in that search too and it's full of details on the c&c infrastructure and the kind of exfiltrated data... I should really go and reread it more closely, and cross-reference it with what I have

quote:Generally speaking, reversing .Net applications is not a difficult task because it is possible to decompile the binary. There are many tools to do it such as ILSpy, dotPeek, etc. We first tried decompiling the sample with ILSpy but the obfuscation was heavy and all over the place. As a result the ILSpy output was not very useful and we had problems identifying the entry point of the application. The sample cannot be debugged, and it does not run inside virtual machines due to several and sometimes trivial (but effective) anti-debugging and anti-vm checks.

dotpeek works a little better, but barely: it still produces non-compiling output, due to not supporting visual basic, which produces .net code that can't be decompiled to c# - some examples:

the entry point is actually easy to find: just ask dotpeek (or dnspy) to jump to it. sure, you can't grep for "main" because it's been renamed by the obfuscator, but the metadata can't be obfuscated so much that the entry point isn't hardcoded in the executable and easy to look up (or the executable won't run!). for example, in my sample, the entry point is token 600003D, as shown by a simple dumpbin /clrheader:

pre:
Microsoft (R) COFF/PE Dumper Version 14.00.23918.0
Copyright (C) Microsoft Corporation.  All rights reserved.

Dump of file d3ad32bcb255e56cd2a768b3cbf6bafda88233288fc6650d0dfa3810be75f74c.bin

File Type: EXECUTABLE IMAGE

  clr Header:

              48 cb
            2.05 runtime version
           CFF54 [  10DD60] RVA [size] of MetaData Directory
               1 flags
                   IL Only
         600003D entry point token
          1DDCB4 [    6E02] RVA [size] of Resources Directory
               0 [       0] RVA [size] of StrongNameSignature Directory
               0 [       0] RVA [size] of CodeManagerTable Directory
               0 [       0] RVA [size] of VTableFixups Directory
               0 [       0] RVA [size] of ExportAddressTableJumps Directory
               0 [       0] RVA [size] of ManagedNativeHeader Directory

  Summary

        2000 .reloc
       42000 .rsrc
        2000 .sdata
      1E4000 .text

code:

quote:For instance, it creates a registry key named 'default.reg' and it is added to the registry by directly invoking the regedit command.

this is glossing over a couple important points. first, all writes to the registry, both additions and deletions, go through temporary .reg files passed to regedit (yes! .reg files can delete keys and values, other than adding/changing them. it's a little known feature), no idea why. maybe the malware author was lazy

second, the default.reg file is extremely interesting. not only does it seem part of a named component, as its full name is in fact Shutil.default.reg (and there's a few other unobfuscated references to "shutil" scattered about), but it does many, many things of note. I'm extrapolating a little, but it seems to:

here is the whole thing for your reading pleasure: http://pastebin.com/28BdEsvY

something about default.reg rubs me the wrong way. it looks copy pasted from another project, as the list of av software doesn't match the list embedded in the executable, there's a couple of weird comments embedded in it, and there's that component name (Shutil). sadly I don't get any google matches for the weird random alphanumeric strings in comments

quote:The next step is to check and 'fix' the security descriptors of many folders via 'cacls.exe'. Specifically, this code is interested in the Windows Firewall and a long list of possible antivirus software (among them also 'ClamAV for Windows'). To find these programs the malware looks in typical locations such as ProgramFiles, ProgramFiles (x86), etc. You can see from the picture below 'cacls.exe' and part of the security products list:

or more specifically:

quote:As we already said the sample is still obfuscated and it massively adopts cryptography. As reported by other sources, the strings are encrypted with 3DES. Here we report how the key is generated and the overall structure for the encryption phase. The key is an array of 16 booleans at the beginning all set to false. The key is initialized in the steps listed in the table below. The result of every step is a boolean value (true/false).

minus the fancy graphics, I have already given you a thorough (and much more accurate, ha) rundown of this part in my previous Dead Gay Forums Exclusive Report

quote:

so much for my scruples dude redact that poo poo, you're a professional goddamnit

quote:If this is less than 46.5 GB and the operating system is Windows XP, this is not a valid environment

actually hard drives use base 10 units so no, it's 50 GB

quote:Another interesting point is related to the way in which the domains are rotated. This is not a real domain generation algorithm (DGA), because the domains are not generated on the fly. This is simply how the agent gets the required information. This works in the following way:

I didn't get around to it but yes, it does this! another clue that some thought was put into this malware

quote:The exfiltration is done mainly via email and partially via WebDAV and HTTP.

in the sample me and this guy analyzed, this entire part of code is, actually, completely unused and effectively dead so this is all at best an educated guess. I mean the code does do what he says it does, but from this sample alone we have no idea what conditions actually trigger it, and what kind of data is actually exfiltrated.

well, in fact, I have an idea about some of the data: operational logs, for example, are encrypted and sent as s/mime emails; plus, there's a component that screen scrapes the page currently open in IE, makes a list of all form fields, serializes it to xml, compresses it, and e-mails it; maybe more but my time to play with eyepyramid ran out

quote:There are other executables that appear to be executed, such as 'stkr.exe', but the analysis of that malware is beyond the scope of this post. For the reader interested in a further analysis, the sha256 for 'stkr.exe' is: 0af665d7d81871474039f08d96ba067d5a0bd5a95088009ea7344d23a27ca824.

this sample is publicly known and downloadable. I might give it a shot. some time. maybe

well. I looked at the strings dump at least. all of our good old friends like THISPROPERRUN, THISCANDIDATE, tmpwebshell and of course our beloved star, hgrghk are all there having a party. sadly string dumps aren't indexed for searching so I can't use the known keywords to find other samples under https://www.hybrid-analysis.com/

quote:The authors would like to thank the research community for sharing the hashes and 'hackbunny' for the support and information sharing.

quote:Posted by Paul Rascagneres at 2:40 PM

this isn't the guy I helped with the analysis btw, it must be his boss

# ¿ Jan 31, 2017 04:53

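the point made in the post above, that an obfuscator can rename Main but cannot hide the entry point token, is easy to verify without dumpbin. the script below is an added example, not the post's code and not part of eyepyramid: it walks the PE headers to data directory 14 (the CLR runtime header), reads the IMAGE_COR20_HEADER and decodes the EntryPointToken into its metadata table and row. a minimal managed PE32 image is constructed inline as test input (it is not a real sample) and carries the token 0x0600003D from the dumpbin output above, so the script runs offline; on a real file, pass in the file's bytes instead.

```python
"""Find a managed executable's entry point from its CLR header.

Added example: not the post's code and not part of EyePyramid. It reads PE data
directory 14 (CLR Runtime Header / IMAGE_COR20_HEADER) and decodes the
EntryPointToken, the field `dumpbin /clrheader` prints. A minimal PE32 image is
constructed inline (constructed test input, not a real sample) carrying the token
0x0600003D quoted in the post, so the script runs offline.
"""
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14   # index of the CLR header in the data directories
COMIMAGE_FLAGS_NATIVE_ENTRYPOINT = 0x10     # set: the entry point field is a native RVA
TOKEN_TABLES = {0x06: "MethodDef", 0x26: "File"}  # ECMA-335 table ids usable as entry point


def _rva_to_offset(rva, sections):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def clr_entry_point(image: bytes) -> dict:
    """Parse PE headers and the CLR header; return version, flags and entry point."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:      # PE32
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:    # PE32+
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", image, count_off)[0] <= IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        raise ValueError("no CLR directory entry: not a managed image")
    clr_rva, clr_size = struct.unpack_from(
        "<II", image, dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR)
    if clr_rva == 0 or clr_size == 0:
        raise ValueError("empty CLR directory: not a managed image")

    sections = []
    hdr = opt + opt_size
    for _ in range(num_sections):
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", image, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
        hdr += 40

    # IMAGE_COR20_HEADER: cb, MajorRuntimeVersion, MinorRuntimeVersion, MetaData{rva,size},
    # Flags, EntryPointToken (or EntryPointRVA when the native flag is set)
    cor = _rva_to_offset(clr_rva, sections)
    _cb, major, minor, md_rva, md_size, flags, token = struct.unpack_from("<IHHIIII", image, cor)
    info = {"runtime_version": (major, minor), "metadata": (md_rva, md_size),
            "flags": flags, "entry_point_token": token}
    if flags & COMIMAGE_FLAGS_NATIVE_ENTRYPOINT:
        info["entry_point"] = f"native code at RVA {token:#x}"
    else:
        table, row = token >> 24, token & 0xFFFFFF   # metadata token = table id | row index
        name = TOKEN_TABLES.get(table, f"table {table:#x}")
        info["entry_point"] = f"{name} row {row}"
    return info


def build_sample_pe32(entry_token=0x0600003D) -> bytes:
    """Construct a minimal managed PE32 image (constructed input, not a real binary)."""
    TEXT_VA, TEXT_RAW, COR_SIZE = 0x2000, 0x200, 72
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    coff = 0x44                                                    # IMAGE_FILE_HEADER
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = coff + 20                                                # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 92, 16)                      # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + 8 * IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR,
                     TEXT_VA, COR_SIZE)
    sec = opt + 224                                                # one section header
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, 0x1000, TEXT_VA, 0x200, TEXT_RAW)
    # CLR header at the start of .text: runtime 2.05, IL-only, MethodDef entry point
    struct.pack_into("<IHHIIII", img, TEXT_RAW, COR_SIZE, 2, 5,
                     TEXT_VA + COR_SIZE, 0x100, 0x1, entry_token)
    return bytes(img)


if __name__ == "__main__":
    # on a real file: clr_entry_point(open("sample.exe", "rb").read())
    info = clr_entry_point(build_sample_pe32())
    major, minor = info["runtime_version"]
    print(f"runtime {major}.{minor:02d}, flags {info['flags']:#x}, "
          f"entry point token {info['entry_point_token']:#010x} -> {info['entry_point']}")
```

the token's top byte is the metadata table (0x06 = MethodDef) and the low 24 bits are the 1-based row, so 0x0600003D is MethodDef row 61: whatever the obfuscator renamed it to, that row of the MethodDef table is where execution starts, and it is what dnspy or dotpeek jump to. the parser rejects images with no CLR directory (plain native PEs) and honours the native-entry-point flag, where the same field holds an RVA instead of a token.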
hackbunny posted:so much for my scruples dude redact that poo poo, you're a professional goddamnit

almost forgot! one of the passwords you can see in that string dump is "caccoletta". it means "little booger". themoreyouknow.gif

# ¿ Jan 31, 2017 05:00

cheese-cube posted:this. but what happened to your av hackbunny?

someone's idea of a joke

# ¿ Jan 31, 2017 05:04

Bonfire Lit posted:turns off UAC and "UAC remote restrictions". if you connect to a computer via smb with a local account with admin privs (as opposed to a domain account with local admin privs) windows usually disables the admin group in your token. the second setting turns that off, I don't know where the point is when UAC is already disabled but maybe it's in order to keep access if someone turns UAC back on via the control panel

I don't get the point though! it seems completely unrelated to anything the malware does

btw remember that webdav folder that investigators missed? and the files I downloaded from it? I managed to decrypt two out of four, and they're lists of accounts on gmx.com. nothing new basically, just a copy of data investigators already found elsewhere. I wonder about the other two files... my sample contains no reference to them. I'll try to brute force them, all I need to do is reverse sha1 a couple short, simple strings. why can't I use existing rainbow tables you ask, because the idiot hell fucker who cumpissed this abortion of a malware encodes the strings in utf-16 before hashing them, I answer

# ¿ Jan 31, 2017 14:29

Wiggly Wayne DDS posted:it still sounds like stitched together hackforums tutorials

kinda yeah

ate all the Oreos posted:lol malware written by shaggar

... but I'm afraid this is closer. do you know what format these configuration files are in? they are serialized .net objects. specifically, NameValueCollection objects serialized with BinaryFormatter, a ridiculously verbose format for a key-multivalue map that can only contain strings

Subjunctive posted:I never considered character encodings as a way to protect against rainbow tables, but in hindsight it's obvious. who has ebcdic tables?

there are some really clever and effective ideas in there but I think this one is entirely accidental

the way remote files are encrypted, string encodings notwithstanding, is one of the clever and effective ideas, imo. files are encrypted with their filename as the key, and the filename is replaced with its hash before it's written anywhere. only the original code, where the filename is in cleartext, can both locate the files and decrypt them: the two files I could decrypt? I could only do it so quickly because the names (ghkch and hgrch) are in clear text, in the code. it also shows a degree of opsec foresight that not all information is included in all agents: if you catch one, you can only decrypt the files relevant to it. all local files (like caches of remote files, or temporary files) are similarly encrypted, and sometimes padded with random data. it's somewhat well thought out

on the other hand the key derivation from the filename is very weak (key = md5(utf16(filename)), iv = sha256(utf16(filename))), the encryption is 3des for some reason (pity it isn't des), and the obfuscation of the filename is a straight unsalted sha1 hash instead of something more expensive, like bcrypt or scrypt (sure, salting the hash means you can't just open the file by its filename hash, you have to list the directory and check the filenames one by one, but since all remote files are on webdav or ftp, you can list directories no problem). the weak hashing of the filename, and the nature of filenames used elsewhere in the code (short, lowercase alpha strings), make me confident that I could probably bruteforce them

not to mention the juicier details in the order of custody (that I really really really should read) that show that the siblings communicated operational details on cleartext channels, but that's a story for another day

hackbunny fucked around with this message at 15:15 on Jan 31, 2017

# ¿ Jan 31, 2017 15:13

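the file scheme laid out in the post above (key = md5(utf16(filename)), iv = sha256(utf16(filename)), file stored under sha1(utf16(filename))) and the earlier remark about utf-16 defeating stock rainbow tables are both easy to make concrete. the script below is an added example, not the malware's code and not hackbunny's script. two assumptions are made and labelled in the code: "utf16" means .NET's Encoding.Unicode, i.e. UTF-16LE with no BOM, and the 3DES IV is the first 8 bytes of the SHA-256 digest (one 3DES block), since the post does not say how a 32-byte digest becomes an 8-byte IV. the 3DES step itself is left to a crypto library; what is shown is the key material and the recovery of cleartext names from a directory listing of hashed names, which is exactly the brute force the post says is feasible. the listing is constructed from two made-up short names, not the real ghkch and hgrch, so the search finishes instantly.

```python
"""Per-file key derivation and filename obfuscation as the post describes it, and
the brute force it invites.

Added example: not the malware's code and not the post's own script. Implements the
scheme the post states (key = MD5(UTF-16(name)), IV = SHA-256(UTF-16(name)),
stored filename = SHA-1(UTF-16(name)), names being short lowercase strings) with two
labelled assumptions: UTF-16 is .NET's Encoding.Unicode (UTF-16LE, no BOM) and the
3DES IV is the first 8 bytes of the SHA-256 digest (one 3DES block).
"""
import hashlib
import itertools
import string


def utf16(text: str) -> bytes:
    """.NET Encoding.Unicode: UTF-16LE without a BOM (assumption, see docstring)."""
    return text.encode("utf-16-le")


def stored_name(name: str) -> str:
    """Name the file is written under: unsalted SHA-1 of the UTF-16 cleartext name."""
    return hashlib.sha1(utf16(name)).hexdigest()


def utf8_sha1(name: str) -> str:
    """What a stock SHA-1 wordlist or rainbow table computes for the same name."""
    return hashlib.sha1(name.encode("utf-8")).hexdigest()


def derive_key_iv(name: str):
    """3DES key material from the cleartext filename."""
    key = hashlib.md5(utf16(name)).digest()          # 16 bytes: two-key 3DES (K1, K2, K1)
    iv = hashlib.sha256(utf16(name)).digest()[:8]    # assumption: truncated to the 8-byte block
    return key, iv


def recover_names(stored, max_len=4, alphabet=string.ascii_lowercase):
    """Brute-force lowercase names up to max_len whose SHA-1(UTF-16LE) is in `stored`.

    Returns {stored_hex: cleartext_name}, stopping as soon as every target is hit.
    """
    wanted = {bytes.fromhex(h) for h in stored}
    found = {}
    for length in range(1, max_len + 1):
        for letters in itertools.product(alphabet, repeat=length):
            name = "".join(letters)
            digest = hashlib.sha1(name.encode("utf-16-le")).digest()
            if digest in wanted:
                found[digest.hex()] = name
                if len(found) == len(wanted):
                    return found
    return found


def demo():
    """Constructed WebDAV listing (hashed names only) -> cleartext names and keys."""
    listing = [stored_name(n) for n in ("ghk", "hgrc")]   # constructed names, not the real ones
    recovered = recover_names(listing, max_len=4)
    keys = {name: derive_key_iv(name) for name in recovered.values()}
    return recovered, keys


if __name__ == "__main__":
    recovered, keys = demo()
    for digest_hex, name in recovered.items():
        key, iv = keys[name]
        print(f"{digest_hex} -> {name!r}  key={key.hex()}  iv={iv.hex()}")
    # why existing SHA-1 tables miss: the bytes hashed are not the UTF-8 bytes
    print(stored_name("ghkch") == utf8_sha1("ghkch"))    # False
```

for the real five-letter names the space is 26^5, a little under 12 million SHA-1 calls: a minute or so in pure Python, well under a second in hashcat, which has a sha1(utf16le($pass)) mode precisely because Windows software hashes UTF-16 so often. once a name is recovered, derive_key_iv gives the 3DES key and IV and any library 3DES-CBC implementation decrypts the file; a salt in the filename hash, or a slow KDF, would have turned this into a per-file search instead of a one-off table.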
Cybernetic Vermin posted:don't think this is about npapi support, but rather the extensions based on the xul/xpcom framework, basically the same customization level that turned the same base application into both firefox and thunderbird with just different xml/javascript tossed in

gently caress xul/xpcom extensions. yes, they can do anything. they can completely rewrite the functionality of the application. it's a really bad way of doing things, and xul is so bad that it's bad even for legit use

nothing against xpcom and xpconnect though. love those guys

# ¿ Feb 7, 2017 15:51

have the duress password irreversibly lock the account for two weeks

better yet have the duress password delete your stupid account

# ¿ Feb 12, 2017 17:19

apseudonym posted:Generally I'm not convinced there are many situations where they'll just go "darn, foiled by this clever nerd" and not just make your life rather unpleasant.

why would they do that?

Volmarias posted:Pretty much this. What a shame, you're failing to cooperate, time to go to a detention center where your rights don't exist because technically you're still at the border until you "smarten up".

why would that happen?
|
# ¿ Feb 12, 2017 23:12 |
|
apseudonym posted:I mean, yeah? That's been the legal precedent and its not like they're going to say "darn, foiled by this clever nerd" when you refuse to provide them access.

but he did foil them? they can't write anywhere that he's a pedophile. it's not a small victory for a pedophile that was caught

why do people have to turn instantly dumb and resort to absolutes when certain topics are discussed. no consideration of risk, reward, precedent, just straight to the scenario where they beat you for the password (which is trivial to solve btw: just don't know the password). why the hell would they do that?! (answer: because the solution is too much work and you'd just throw your hands up and pretend it's unsolvable)

you desperately want to frame the border police poo poo, how about this: the usa is now the kind of country with an asterisk next to it in international travelers' guides
|
# ¿ Feb 13, 2017 04:49 |
|
apseudonym posted:I wouldn't call being held in contempt of court until he provides access winning.

"the worst that could happen", when you're a pedophile and you get caught, handily beats that, I'd say

apseudonym posted:I don't think any of these duress features have been properly thought through in any of the considerations you listed. Your adversary doesn't care if you don't know your password or if you wont share it, this isn't some sovereign citizen poo poo where you say some magic gotcha and they shrug and give up, they want the access and dont give a gently caress about excuses and if they think you're lying they can be pretty lovely to you.

there are tons of magic gotchas that make people shrug and give up. they're called laws. the usa in particular is full of magic gotcha laws, like all the magic spells around traffic stops. moving in groups, open-carrying firearms, is another magic gotcha that has proven in the past to make police look the other way instead of gratuitously harassing someone. that you would intentionally confuse refusing to pay taxes or whatever part of the social contract it is sovereign citizens want to get out of, with violation of loving rights, makes me furious. what in the gently caress is loving wrong with your head, that you will side with authority unquestioningly, as if nothing could be done

so apseudonym, here I am, returning to my country, like the nasa employee from the article. I have taken precautions because, like the nasa employee from the article, I look like An Enemy of the country. I don't know the password to this social media account. my father does, and he has been instructed to contact a lawyer if anyone asks it. he lives outside of your jurisdiction btw

YOU DON'T LIVE IN A REPRESSIVE REGIME YOU GIGANTIC WIMP
|
# ¿ Feb 13, 2017 05:39 |
|
ate all the Oreos posted:just let them look through your poo poo unless you have something to hide, citizen

better yet ask a lawyer or legal defense organization and not some random forum

Midjack posted:boy howdy i sure am enjoying watching this chicken get hosed

I just wanted to add schindler's list but instead of schindler it's a regular guy: "herr schindler these don't look qualified workers to me!" "welp the gig's up, ship them off to the ovens" *spends rest of war in mansion catching up to favorite radio dramas* "laut lachen that schlemiel what a character"

hackbunny fucked around with this message at 06:10 on Feb 13, 2017 |
# ¿ Feb 13, 2017 06:08 |
|
LMO imo it's perfectly reasonable that a trans person would close their social media profiles. I'm sure you can think of more than a few events in recent memory that could have made you realistically do it. maybe you'll actually do it for real
|
# ¿ Feb 13, 2017 06:28 |
|
the only qualified statement we can make about it is that we aren't qualified to make statements about it, though
|
# ¿ Feb 13, 2017 07:04 |
|
flosofl posted:Jesus, shut the gently caress up. You're gonna get the thread closed. Go to D&D and masturbate about laws and civil resistance there. enrique, my salts! not a closed thread nooo 😱
|
# ¿ Feb 13, 2017 10:00 |
|
stack protection, aslr etc. force you to start from advanced* techniques like heap spraying, rop, etc. if you disable them you can approach binary exploitation from the basics, like return address overwrite. it's good for teaching
|
# ¿ Feb 13, 2017 13:55 |
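The teaching setup the post describes, as an added example and not code from the thread: a plain return-address overwrite, which only behaves the textbook way once the stack canary is off. This is my own illustration; the 64-byte buffer, the `win()` target and the 72-byte offset (buffer plus saved frame pointer, the usual gcc `-O0` layout on x86-64) are assumptions, and on another compiler or flags the offset is something you find with gdb or a cyclic pattern rather than read off a comment.

```c
/* Build with the protections the post mentions turned off:
 *   gcc -O0 -fno-stack-protector -no-pie -o ret_overwrite ret_overwrite.c
 *   setarch "$(uname -m)" -R ./ret_overwrite     # ASLR off for this process
 * With -fstack-protector left on, the same input aborts with
 * "*** stack smashing detected ***" before vuln() returns.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SIZE 64

/* Target of the hijack. Never reached by the program's own control flow. */
static void win(void) {
    static const char msg[] = "control flow hijacked: win() reached\n";
    write(STDOUT_FILENO, msg, sizeof msg - 1);
    _exit(0); /* the stack below us is garbage: do not try to return */
}

/* The bug: no bounds check, so len > BUF_SIZE runs past buf into the
 * saved frame pointer and then the saved return address. */
static void vuln(const uint8_t *payload, size_t len) {
    char buf[BUF_SIZE];
    memcpy(buf, payload, len);
}

/* Classic payload layout: `pad` filler bytes up to the saved return address,
 * then `target` as a little-endian 8-byte pointer (x86-64 assumed).
 * Returns the total number of bytes written to out. */
size_t build_payload(uint8_t *out, size_t pad, uint64_t target) {
    memset(out, 'A', pad);
    for (unsigned i = 0; i < 8; i++)
        out[pad + i] = (uint8_t)(target >> (8 * i));
    return pad + 8;
}

/* Inverse of the loop above: decode a little-endian pointer, useful for
 * checking that a payload carries the address you meant. */
uint64_t read_le64(const uint8_t *p) {
    uint64_t v = 0;
    for (unsigned i = 0; i < 8; i++)
        v |= (uint64_t)p[i] << (8 * i);
    return v;
}

int main(void) {
    uint8_t payload[BUF_SIZE + 64];
    /* Assumption: at -O0 with a frame pointer, gcc places buf directly below
     * the saved rbp, so the return address sits at buf + 64 + 8. */
    size_t pad = BUF_SIZE + sizeof(void *);
    size_t len = build_payload(payload, pad, (uint64_t)(uintptr_t)&win);
    vuln(payload, len);
    puts("vuln() returned normally: offset wrong, or a protection is still on");
    return 1;
}
```

Because the address of `win` is taken at run time, this particular program works even with PIE and ASLR on; disabling ASLR only matters once the address has to be hardcoded in a payload delivered from outside, which is the next step up in the usual course, and the one that leads into ROP when the stack is also non-executable.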
|
Deep Dish Fuckfest posted:algorithms? why didn't i think of that! "algorithms" is a buzzword for "squeezing blood from a
|
# ¿ Feb 13, 2017 23:03 |
|
new proposed law in italy will regulate forensically sound "implants" (i.e. trojan horses) for lawful client-side "wiretapping": https://boingboing.net/2017/02/15/title-italy-unveils-a-law-pro.html
|
# ¿ Feb 15, 2017 22:27 |
|
|
Sapozhnik posted:actually a friend linked me to this are you sure? quote:Volatility does not provide memory sample acquisition capabilities. For acquisition, there are both free and commercial solutions available.
|
# ¿ Feb 16, 2017 19:37 |