How to browse the internet without being spied on.

[GnomeToys]

For anyone bored enough to start disassembling code, IDA 7.0 is freeware. 

 

I try not to be that bored.  ?

 

https://www.hex-rays.com/products/ida/support/download_freeware.shtml

[misteraven]

Almost seems time to start a homebrew group. Anyone here into Arduino?

 

Wanted to put a project together that what look for power outages and switch to a battery bank instantly once grid power drops so I can run my water pump in case of outages. I know @Mercerhas built something similar, so wondering if maybe we can get a discussion (group) going?

[GnomeToys]

I have various microcomputer type boards laying around but never messed with them much outside of work.  Always like reading about projects though.   I can help out with programming questions in general , and compiler toolchain issues.  Have some random parts laying around people might be interested in too, I'll never use them and got them free / cheap.  I'd be interested in a group.

 

 

 

 

[misteraven]

[GnomeToys]

Meanwhile, I try to figure out at what point AWS upped my EC2 limits to a combined total of 200TB of SSD storage and about 500TB more of miscellany...  and just by best estimates, somewhere hovering around ~1000 xeon cores.  In one region.  I didn't even bother trying to figure out the bandwidth but most of them are at least 10Gbps links.

Note that I registered the account and asked for one multi-gpu instance so I could play with Tesla V100 hardware last year after writing a completely incoherent reason for the request since those are in hot demand...  decided just setting everything up let alone doing anything with it was going to eat too much money, paid $12 for a few hours worth,  and left.  In January some ridiculous bill for hundreds of dollars showed up in my inbox so I called the fuckers because I hadn't logged in.   Got refunded for that (and for the time I'd actually used).  The person at AWS said they'd been running some kind of machine learning software to predict instance use and it must have activated them (I SEE WHAT YOU FUCKING DID THERE, DENIABILITY ?  ).  Naturally AWS Neptune started trying to recruit me a week later.  

The funniest part is there aren't any GPU instances in the list anymore, and one of those was all I had asked for in the first place...  not enough space / computing power to store and encrypt all of the data created by a small country since 1980 and the bandwidth to DDoS them afterwards.  ?
 

Edited August 1, 2018 by GnomeToys

[misteraven]

Adding some levity to the discussion...

 

 

[Mercer]

That is the exact mindset of the majority of young intellectuals pursuing degrees in the social sciences. They will have no other venue for their PHD's trans studies but to find work in the government. I deleted all of my original tweets years ago, and half my posts on here worried about the random times I've called people faggots.

Edited August 2, 2018 by Mercer

[GnomeToys]

 

[mn1_fuckos]

Any thought on reddit getting hacked? I believe I read that they were not going to notify their users whose profile information was accessed. 

 

 

Also I use dropbox mainly for business shit I have yet to try and upload any of phone photos.

 

 

Edited August 2, 2018 by mn1_fuckos

[Mercer]

Sort of unrelated to this thread but a clear example of shit that got out of hand a decade after it was posted.

 

 

 

https://www.cnet.com/news/guardians-of-the-galaxy-3-stars-react-to-disney-firing-james-gunn/

[GnomeToys]

The last one says more about Disney being shitbags as employers.  Also in general, but plenty of other things say that.  They already knew about this.  His directing history has the "James Gunn's PG Porn" TV series with such exciting episodes as the "Squeal Happy Whores" and "A Very Peanus Christmas" Peanuts spoof which I'm going to go watch as immediately as possible.  Assuming nobody at Disney was paying attention in 2008, in  2016 he had writing credits in

Dolphinman Battles the Sex Lobsters :

Quote

Sgt. Kabukiman NYPD contracts a deadly new STD, The Sex Lobsters, and unknowingly spreads it around town while visiting Tromaville's best orgy spots. Only Dolphinman can find the cure and save the day!

The old tweets were convenient for the asses trying to get him fired, but his bigger mistake was complaining about Trump if I pieced things together correctly.  But yeah, go on and act all shocked, Disney. 

Or it might just be karmic payback for Scooby-Doo 2: Monsters Unleashed ?

 

Seriously though, at least this guy probably isn't going to be hurting for work or anything.  DC Entertainment should hire him and make a green lantern movie that doesn't suck ass. 

 

 

[GnomeToys]

I can't comment on what's going on in this one because I'm lacking background on it but it sounds dodgy as fuck:

http://www.daily-journal.com/news/local/kankakee-chief-investigates-critics/article_c77bf066-910d-11e8-a37e-cbe13f4cf7fd.html

 

Quote

In a brief interview at the police station, Dumas said he searched the database for Menz because Menz posted a photo on Facebook of Mayor Chasity Wells-Armstrong’s city-owned Tahoe parked on city property.
...

In the post, Menz commented, “Hey, check out Mayor Chasity Wells-Armstrong’s new ride! This is a big upgrade from the Chevy Malibu that (former Mayor) Nina (Epstein) used to drive. If you feel nostalgic for the Malibu, don’t worry, though, it is in storage at the fire department.”

...

 

The chief said the photo concerned him.

 

“You can post anything about me you want on Facebook, but not the mayor. She is a protected class,” he said.

 

He said she was in a protected class because she was an elected official. He didn’t say which law gave that distinction for elected officials, although civil rights and hate crimes laws do not.

 

Dumas questioned why someone would post a photo of the mayor’s city-owned car with license plate number.

Internet readers question ability of Kankakee, Il. police chief to point correct side of gun away from himself,

 

[misteraven]

Quote

“You can post anything about me you want on Facebook, but not the mayor. She is a protected class,” he said.

Quote

State police spokesman Matthew Boerwinkle said the state prohibits the LEADS database from being used for personal reasons and that its use must be connected to legitimate criminal investigations.

Shocker!

 

So much for government by the people for the people when the political class have their exceptions and privileges.

 

Or that authorities might abuse the information that they collect, rather than maintain use for *lawful* purposes as intended (never mind that *lawful* is a fluid term and what might be lawful today, could very well be unlawful tomorrow, though I suspect that the databases wouldn't be purged to allow a fresh start since the rules have changed).

 

Keep that in mind when you hear the debate come up surrounding allowing for a gun registration database and how that might be a very bad idea.

[GnomeToys]

I saw the reddit breach and wasn't too concerned.   Github was also breached though, which may have more implications for (mostly) small time software companies who used private repositories there as a free versioning system, which like most cloud storage is a bad idea unless you're running an online service in the first place.  In that case you're better off with a paid service which offers some kind of insurance / support for hacks like this.  It won't prevent them but you'll get better response and notification.   I logged into github and was greeted with "your password was leaked in a recent data breach.  you should change it"...   but the account itself was still active and the same password still worked, so exactly what help is that message?   

 

Whatever small town shit is going on there is just a symptom of the problem.   Stuff like this, regardless of who was caught and what the results were, is downright terrifying:

https://www.washingtonpost.com/news/true-crime/wp/2018/04/27/golden-state-killer-dna-website-gedmatch-was-used-to-identify-joseph-deangelo-as-suspect-police-say/?utm_term=.999ca8e33ce9

 

Keep in mind this is someone who was identified by a familial genetic match rather than their own DNA actually being in a database, and since DNA is left damn near everywhere just by the act of walking around, this is alarming as fuck. 

 

Yeah, they caught a serial rapist with this technique.   It also messes up and leads to invasive searches on people who have fuckall to do with anything, which that article also covers:

 

 

Quote

 

On the more dystopian side of the spectrum, Wired reported on a filmmaker named Michael Usry who was accused of a 1996 murder in Idaho Falls nearly 20 years after the fact — coincidentally the same month that Phoenix police got their break in the Canal Killer investigation.

Usry, who was a teenager at the time of the killing, was picked up by police at his doorstep in New Orleans in December 2014, Wired wrote. He was interrogated by an FBI agent and spent a month under suspicion — all because the killer’s genetic code was similar to his father’s, whose DNA sample had been obtained by Ancestry.com.

 

Fucking lovely...

[El Jefe Uno]

On 7/30/2018 at 5:58 PM, Mercer said:

I wanted to do one of these for how to use macs + iPhones  and wondering if anyone in here uses any of the following.

 

1. Dropbox as opposed to iCloud, also if used, do you use the camera uploads feature?

2. Password manager?

3. Hazel, or manually writing your own applescript for automation?

4. A firewall to monitor all connected activity?

5. a VPN service?

1. I use Dropbox, but I manually upload as opposed to the camera upload feature. 

2. LastPass.

3. I use Hazel - set it up awhile ago and rarely touch settings now. Nice to "set and forget" some automation.

4. I use Little Snitch and I setup a Pi-Hole (https://pi-hole.net). Nice thing about the Pi Hole is that it blocks most ads at the network level.

5. I've used a few different VPN providers and have been using ProtonVPN lately.

 

Happy to answer any questions if anyone would find it helpful.

[GnomeToys]

You can also edit /etc/hosts to include entries for sites that don't like being blocked. 
Or,  add ones you do like to prevent DNS lookup from happening so any tracking at the DNS lookup level doesn't occur and you route directly to the site you want (and are then only tracked by all the routers in between.  ?   ).    This requires that the site has a stable IP address that can be used for access or you being willing to keep it updated if it doesn't.   It speeds initial connections up a tiny amount since no lookup occurs if used this way.   

 

Pop open a shell and

# sudo nano /etc/hosts

 

Basically you add entries like:

 

127.0.0.1		www.facebook.com
::1			www.facebook.com

66.228.55.176		forum.12ozprophet.com

 

The first is an IPv4, second is IPv6.  The first two lines redirect www.facebook.com requests to your local machine which just causes them to timeout if you don't have a webserver running;  downside is you have to add all subdomains manually.   If you set up a local server that doesn't accept connections from outside hosts and just replies with 404 or similar you can speed up that kind of blocking. 

 

The last line resolves the forum address locally, assuming the address remains constant.  These types are more of a pain to use since things aren't necessarily constant with target IP.

 

The 127.0.0.1 blocking relies on the TCP/IP stack on the OS not being messed up.  I've read vague reports of both mac & windows 10 ignoring blocks of apple.com & microsoft.com respectively, so setting up blocking in a firewall is preferable.   An older machine that can run some minimal linux or BSD and a spare network card can handle filtering things for you at a much more configurable level than a consumer router, which is a good reason to keep an old computer around.   There are lots of tutorials on setting this kind of thing up on the web and it has become much easier in more recent *nix.  

 

[misteraven]

To block subdomains, you need to setup a local DNS server like https://www.linux.com/learn/intro-to-linux/2018/2/dns-and-dhcp-dnsmasq

 

Thought you could add wildcards to the hosts file to cover subdomains, but apparently not. That said, its apparently not too tough to run Dnsmasq and with that you could add wildcards. I think it would be near impossible to cover all sudomains manually for a lot of these types of sites. Probably easier to reroute whatever IP block they have. 

 

 

 

[GnomeToys]

Yeah the wildcard thing makes it a bitch.   There are a couple of giant hosts files compiled over the years since I wrote the article about abusing it that way that can be helpful.

 

For windows I've got a small batch file that I run on any software that might be wanting to phone out to servers that I don't care to be sending god knows what to.  It unfortunately doesn't work on Windows "modern UI" apps because any updates create a new directory with new GUID appended, but it could be set up to do a wildcard  run in task scheduler if needed. 

 

@echo off 
echo Outbound Firewall Block Rule Adder v0.2
echo ---------------------------------------
echo 

echo Specified directory %1
echo Scanning directory... 
echo.

@echo on
FOR /R %1 %%X IN ("*.exe") DO ( 
	IF EXIST %%~fX (
		netsh advfirewall firewall add rule name="Scripted: Block Software: %%~X" dir=out program=%%~fX profile=any localip=any remoteip=any interfacetype=any action=block description="Automatically created outbound firewall rules by batch"
		netsh advfirewall firewall add rule name="Scripted: Block Software: %%~X" dir=in program=%%~fX profile=any localip=any remoteip=any interfacetype=any action=block description="Automatically created inbound firewall rules by batch"
	)
)

@echo off
	
echo.
echo Completed. 

Just copy to firewallAllTheThings.bat or whatever, run it with a directory as input, and it recursively adds all executables to windows advanced firewall. 

 

I do this for practically any non open source freeware I have to download for whatever reason these days on general principle. 

 

[GnomeToys]

Note:  Do not accidentally run that on something like C:\, for obvious reasons.    Blocking loopback shouldn't happen, but if it does windows will become unbootable. 

 

This script doesn't catch errors in command line entry:    usage is

whatever.bat [folder]

 

It should just quit if you don't pass it any arguments but I wrote it quickly to do one thing and didn't bother with error checking there. 

 

No guarantees are made, I am not responsible for any damage caused by this file, by reading this agreement you agree to disagree with this EULA which clearly states in an obfuscated fashion that it is being intentionally unclear about everything.  Reverse engineering this batch file is a violation of international copyright law, so do it.  It may be reverse engineered by reading it, like everything else.  Reading is a violation of international copyright law.  Void where prohibited. 

[misteraven]

Big data meets Big Brother as China moves to rate its citizens

The Chinese government plans to launch its Social Credit System in 2020. The aim? To judge the trustworthiness – or otherwise – of its 1.3 billion residents.

 

https://www.wired.co.uk/article/chinese-government-social-credit-score-privacy-invasion

 

--------------------------

 

Inside Cuomo’s plan to have your face scanned at NYC toll plazas

Facial-recognition cameras at bridge and tunnel toll plazas across the city are already scanning drivers’ visages and feeding them into databases to catch suspected criminals, Gov. Andrew Cuomo revealed Friday.

 

https://nypost.com/2018/07/20/inside-cuomos-plan-to-have-your-face-scanned-at-nyc-toll-plazas/

[misteraven]

Kinda what we were already talking about... You can browse the web privately, use crypto and take a bunch of other precautions, but soon enough it won't really matter. In much the same way Facebook and Google use a pixel to trace all upstream / downstream traffic and see enough of your online movement and footprint to fill in the gaps, soon enough they'll be able to do the same in the real world. You can still *hide* but reality is that the algorithms will quickly evolve to a level of sophistication to no doubt flag people that aren't following the expected thresh hold for participation.

 

George Orwell couldn't have even imagined how far and fucked up reality would become when he was drafting 1984.

[GnomeToys]

Pretty much that.  I look at 1984 as a warning nobody took seriously, because it wasn't quite 1984 yet in 1984... 

There was also always the implication / thought that went along with references to that book that if that shit happened,  people wouldn't stand for it, or it would involve some fundamental takeover of the government and there would be a revolution, etc...

 

Unfortunately for everyone they just did it to themselves and paid for the privilege instead...  ?

 

It worked on me, too, because here I am typing on it.  ?️

 

 

 

 

 

[GnomeToys]

This is random, but has anyone noticed an upswing in computer security related news (exploits / malware) basically telling people to not go to websites they haven't heard of, while in the same general segment (on broadcast TV) mentioning some dumb new feature of a social media website?  I feel like there's a push to keep people from taking advantage of the internet fully in terms of the useful side and use the parts that are idiotic as much as possible.

 

 

 

[GnomeToys]

https://arstechnica.com/tech-policy/2018/08/facebook-violates-apples-data-gathering-rules-pulls-vpn-from-app-store/

 

[GnomeToys]

Well, looks like we're not the only ones officially sick of this shit.   The originators of the Internet bring you...

 

The Brandeis program

https://www.darpa.mil/program/brandeis

Quote

The collection and analysis of information on massive scales has clear benefits for society: it can help businesses optimize online commerce, medical workers address public health issues and governments interrupt terrorist activities. Yet at the same time, respect for privacy is a cornerstone principle of our democracy. The right to privacy, as Louis Brandeis first expounded in 1890, is a consequence of modernity because we better understand that harm comes in more ways than just the physical.

 

Quote

The vision of the Brandeis program is to break the tension between: (a) maintaining privacy and (b) being able to tap into the huge value of data. Rather than having to balance between them, Brandeis aims to build a third option – enabling safe and predictable sharing of data in which privacy is preserved.

 

It's not perfect, but something that could be standardized on would be better than nothing. 

Edited August 24, 2018 by GnomeToys

[misteraven]

On a similar tip, recently had a conversation with @diggityoff social and web, the subject of which quickly turned into a slew of targeted ads which further proves that there is certainly a creepy sharing of data that crosses between services and functions. Our conversation did not occur via a browser or social media and the subject (screen printing) is obscure and specific. Somehow our conversation (again, wasn't googled or done via a social media platform) was somehow intercepted and led to a bunch of screen printing ads clogging his social media feed.

 

100%, text and voice communication is being intercepted without your knowledge or permission.

[diggity]

Was talking t my wife tonight about these furniture mover things that are like Whoopi’s cushions. Came to bed. Got amazon ads for them. Never looked them up. No idea what they are really called. Have an ad. Back offf Hal. 

 

Quick edit. We were talking irl. Not on the phone. Our phones were locked and not in use at the time. 

Edited August 28, 2018 by diggity

[misteraven]

12 hours ago, diggity said:

Was talking t my wife tonight about these furniture mover things that are like Whoopi’s cushions. Came to bed. Got amazon ads for them. Never looked them up. No idea what they are really called. Have an ad. Back offf Hal. 

 

Quick edit. We were talking irl. Not on the phone. Our phones were locked and not in use at the time. 

scary shit.

[misteraven]

FYI...

 

[GnomeToys]

One of the funniest targeted ads I got was after I kept chain-posting a bunch of deep dream'd pictures of Tubgirl until I found one that would get through the image recognition neural net of some website...  at that point the neural net they were using for targeted ads either exploded, got weird data from the analysis of "objects in image" on deep dreamed tubgirl, or was way the hell too accurate...  the next page refresh gave me an ad that was a link to apply for a job as a forensics agent at the FBI.   I nearly shit myself laughing. 

 

On the minimal hardware thing, lots of people do that I think...  or in the case of lots of people I know they just hack the fuck out of anything they're concerned about.   It seems like most fall into the "totally embrace" or "get the hell off my lawn" categories depending on how jaded they are from dealing with the whole mess, and I can imagine Bill Gates is pretty fucking jaded about now.  IMHO a lot of the attitude change towards technology is more a function of the fact that most people using it don't understand the implications of it. 

 

For example, one thing Apple probably got right in the long run was never adding support for BluRay to their machines...   the standard effectively requires a black-box rootkit to be loaded with the operating system if you want to play movies.  It isn't a rootkit in the sense of somebody being able to remote control the machine with it, but the standard itself requires that it be so heavily obfuscated / encrypted that there's no real way of auditing that without an enormous amount of effort. 

One of my projects at work was to spend about 6 weeks trying to reverse engineer commercial bluray player software for both the bluray people and the company involved to determine what kind of effort it would take.   Ironically the movies that they bought me for that task were the first non-pirated movies I'd owned in years, and part of the reason I had to sign an NDA for the whole thing was that they gave me the keys required to pirate them (let's pretend the internet didn't exist and I couldn't look that up in 5 seconds).  It didn't really matter whether I knew exactly what I was looking for or not, I was seeing how much of a clusterfuck it would be to get to them using just that piece of software and whatever crazy shit I could come up with.  I failed to find anything, which probably kept that company in business. 

 

Anyway, the sheer amount of software functioning against anything you try to do to it on the machine you paid for is fucking amazing in the case of something like that.  I'd think of one way in, oops, too obvious, their driver is blocking me.  Ok, how about...   now the operating system itself is blocking me.   Etc, etc...  Obviously someone broke it, or this wouldn't have been an issue.  I just think they used a huge shortcut that didn't involve any of that mess.  ?    The point is all of that crap basically tossed in at the insistence of a single industry...   I don't really think any of this is being used for monitoring or anything dodgy other than the usual copy protection that you can circumvent by spending 10 seconds on google, but it's interesting how pervasive it is. 

 

Another fun fact:  Pirated BluRay disks in exactly the same video format with the encryption stripped off play faster.  This isn't anything to do with the encryption itself, which is pretty much transparent, it's the crazy-ass Java virtual machine the player has to run in order to initialize the decryption process and run the menuing system.  Just like in Windows 95 days, Java manages to make everything it touches slow.  ? ?  

 

Anyway, I'm relating that fun bit of experience because it's just an example of a high end consumer level variant of invasive software / hardware.   It's absolutely nothing compared to stuff like:  

https://en.wikipedia.org/wiki/Intel_Management_Engine

https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

 

ARM has a similar set of layered crap running under the OS and I wouldn't be surprised to find nasty crap in it either.  I haven't looked at it much so I'm not sure. 

 

https://developer.arm.com/technologies/trustzone

 

It isn't just processors, either;  anything that has a boot ROM can be made into a weapon of sorts.  This comes to mind immediately:

 

https://www.wired.com/2015/02/nsa-firmware-hacking/

 

So the biggest problem (and the reason I tend to just bitch about targeted ads / corporate / marketing) is that nearly all of the hardware that could be called a computer is designed to be spied on and breaking it free of that state varies from extremely difficult to impossible depending on the design of the hardware itself.  Because of that I'll bitch about the lower level stuff, but at this point in time I can't see any way around it without spending a year auditing the relatively simple (1990s) level of hardware I'd be capable of auditing myself for firmware crap like this, another year learning enough about circuit layout in processors and ROM to de-cap and analyze a bunch of identical models of those, etc...   anything on that level quickly becomes silly.