#FOR NOT FOLLOWING BASIC OPSEC!!!!! YOU ARE A *GENERAL*!!!!!!!!!!!!!!!
Explore tagged Tumblr posts
americankimchi · 9 months ago
tcw is so good at introducing us to characters and bite-sized stories that capture our attention and so, SO bad at following even a modicum of logic when it comes to the consequences of actions under military law
33 notes
anarchopuppy · 4 years ago
I’ve already reblogged a link to this entire article by @crimethinc, but I wanted to highlight the excellent ‘resources’ section on its own as we approach the election. For an anarchist take on the current climate, a list of upcoming actions, and a dope-ass poster to print and distribute, please do check out the full article as well.
Trump’s term is ending as it began, with a likelihood of street conflict. The following guides offer a great deal of information about how to participate in effective protests while protecting yourself and your community.
Getting Connected
How to Form an Affinity Group
Find a Local Mutual Aid Network
Where to Find Your Local Medic Collective—This is not comprehensive, but offers a good starting point.
Security Culture
What Is Security Culture?
Bounty Hunters and Child Predators: Inside the FBI Entrapment Strategy
When the Police Knock on Your Door—Your rights and options: a legal guide
If the FBI Approaches You to Become an Informant—An FAQ
You can find a lot of important information about general security in protest situations here.
Digital Communications and Security
Your Phone Is a Cop—An OpSec/InfoSec primer for the dystopian present.
Communications Equipment for Rebels
Burner Phone Best Practices—A user’s guide
Doxcare—Prevention and aftercare for those targeted by doxxing and political harassment
This thread spells out how to protect your privacy via proper phone safety at demonstrations—before, during, and after the protest.
Dressing for Success and Security
Fashion Tips for the Brave
The Femme’s Guide to Riot Fashion—This season’s hottest looks for the discerning femme.
Staying Safe in the Streets
Blocs, Black and Otherwise
Safety Gear
A Demonstrator’s Guide to Helmets
A Demonstrator’s Guide to Gas Masks and Goggles—Everything you need to know to protect your eyes and lungs from gas and projectiles.
You can read some more tips about protest gear from protesters in Hong Kong here.
Strategy, Planning, and Tactics
A Step-by-Step Guide to Direct Action—What It Is, What It’s Good for, How It Works
Tools and Tactics in the Portland Protests—This text offers an overview of a wide range of options from leaf blowers and umbrellas to shields and lasers.
Creative Direct Action Visuals—Making banners and more.
Blockade Tactics—courtesy of the Ruckus Society
Tips about Blockading—from Beautiful Trouble
Lock Boxes—How to blockade with
Jail Support
Jail Support
Jail Support form from Rosehip Collective—Fill this out in advance of any event at which you might be arrested and leave it with your attorney or a support contact.
NLG National Support Hotlines and Other Resources
When Things Go Badly
Making the Best of Mass Arrests
How to Survive a Felony Trial—Keeping your head up through the worst of it
I Was a J20 Street Medic and Defendant—How we survived the first J20 trial and what we learned along the way.
Basic First Aid in the Streets
First Aid for Protestors
Eye safety at protests—You can read more on how to do an eye flush here
How to Protect Yourself from Audio Attacks—LRAD, sirens, etc.
COVID-19 Safety at Protests
You can obtain more graphics on this subject here.
For Experienced Medics
Protocols for Common Injuries from Police Weapons—For street medics and medical professionals treating demonstrators.
A Demonstrator’s Guide to Responding to Gunshot Wounds—It can also be useful to read these accounts from people who have experienced gunfire at demonstrations.
These four zines from the Rosehip Medic Collective include a range of useful information.
This collection of resources that appeared shortly before Trump took office includes more topical material, addressing non-violence, solidarity, white supremacy, colonialism, patriarchy, capitalism, and more.
13K notes
paranoidsbible · 6 years ago
Preventing Stylometry
===Preventing Stylometry===
Non-profit and free for redistribution
Written on September 6th | 2018
Published on February 3rd | 2019
For entertainment and research purposes only
++++++++++++++++++++++++++++++++++++++
===DISCLAIMER===
The Paranoid's Bible and its writers hold no responsibility for the acts of others. The Paranoid’s Bible is for research and entertainment purposes only. Please visit our blog for more PDFs and information: http://www.paranoidsbible.tumblr.com/
++++++++++++++++++++++++++++++++++++++
===Preface===
Before stylometry was weaponized by the ABCs it had a practical application of analyzing texts for authenticity, the identity of an author, among other things. The basics were originally done by Wincenty Lutoslawski, a Polish philosopher who was known for using his method to build a chronology of Plato’s dialogues.

Wincenty wouldn’t have dreamed of stylometry going as far as it has, especially with the development of computers and their near limitless potential when it comes to their capacities for analyzing large quantities of data. Computers, with their excellent capacity for analysis, have changed the game when it comes to profiling an individual and gathering what information on them that you can find.

This means that at any given moment, everything you say or do online will most positively be catalogued in some black-box server in the backroom of your ISP or at a data-center in Utah where the government can sift and read over it at their leisure. You’re simply another bit of data put into a dossier and placed in yet another category the government has decided to use to classify you and many others.

This doesn’t mean you should give up hope for any form of privacy, however you should be aware of what you may leak on your journeys through the internet. While our other guides helped you remove or mask your data, this guide will help you remove an entire focal point that many people use to identify an individual. So, please, take your time and read through this carefully.
++++++++++++++++++++++++++++++++++++++
===Why You Should be Worried===
Everything we say and do is of our own style, regardless of what it is and how we do it. Everyone has their own style and tells which can be passed onto anything and everything they do, not just prose and art. Coding can actually even give way to who did what and when, especially when debugging symbols are removed and the usual binary obfuscation techniques are used.

Anonymity can’t happen, even when all the usual steps are taken, if you don’t work on knocking down your stylometry points and marks. Artistic feats, coding, writing and even speech can tell a lot about a person, especially the more seasoned they are in their chosen profession and/or hobby. Everyone generates their own style in life when it comes to things, so it shouldn’t be too surprising that the more experienced someone is that it’s much easier to tell them apart from someone else.

It’s because of this that anything encountered in the wild can be used by anyone (not just the government) to learn who made it. We can learn the individual’s stylistic fingerprint from things like how they use a word or punctuation mark to something like brush strokes or use of shading. This can be used when there’s a pool of candidates, and with some decent sleuthing, deduce who made whatever it is we’re looking at.

There are also programs that exist to help this endeavor, and the government isn’t the only one with access to them. If you know where to look, and have some cash to spare, you can gain access to programs that can pinpoint an item’s creator to a frightening 90%+ accuracy. This is only solidified when more information is out there, on the internet, ready for anyone to access freely.

Public availability and familiarity is the enemy of privacy and anonymity. We must learn to limit ourselves and control our impulses to further prevent the hemorrhaging of information.
One way to do this is to expand our own working knowledge of any chosen subject or action we participate in.
++++++++++++++++++++++++++++++++++++++
===The Basics===
> Brush up on your English spelling
> Brush up on your English grammar
> Learn to spot the tells of others (overuse of words, punctuation, emoticons/smilies, slang...etc)
> Learn the slang and emoticons/smilies of other languages
> Take a creative writing class or two (or get some literature on the subject)
> Remember these stereotypes that people believe:
-Men are wordy and women use emoticons.
-The younger a person, the more likely they'll use slang/chatspeak or make mistakes.
-With some variations and examples you've seen, you'll be able to make adjustments to fit any persona/character.
> Commit this rule to memory and practice it: For every post I do, I'll do three of fluff (useless info or static AKA meme posting or just random crap). Every week, depending on frequency of post, I'll try to remove at least two to five posts before I post more.
> If it isn't of importance or is needed, don't post it or at the very least remove it ASAP.
> Check into Anonymouth - https://github.com/psal/anonymouth (Note: Read the README as it contains the how-to for installation and use)
> Check and follow the below guides
- https://paranoidsbible.tumblr.com/post/160173700334/the-paranoids-bible-20
- https://paranoidsbible.tumblr.com/post/156023846549/opsec
- https://paranoidsbible.tumblr.com/post/162576936634/uncle-daddys-big-book-of-deception-20
- https://paranoidsbible.tumblr.com/post/156265781035/meta-data-and-you
- https://paranoidsbible.tumblr.com/post/161992121844/the-master-opt-out-list-20
- https://paranoidsbible.tumblr.com/post/160430134369/day-to-day-invasions-of-privacy-20
++++++++++++++++++++++++++++++++++++++
===Disguising the way you Type===
Now the main thing here is to learn about your own writing style and its key attributes that identify you.
This is usually done through comparing the frequency of words, punctuation marks, and identifiers (slang, sayings…etc). This is compared against a pool of data (AKA your posts and various actions online) that is accredited (supposedly) to you and only you.

So going by this information we then must assume that there are steps to be taken to sanitize our prose. The most useful form of sanitation is a simple grasp of the English language. This means knowing proper spelling and grammar, and avoiding region-specific spelling, among other things like the overuse of slang, memes, and shorthand (Chat speak…etc).

The above combined with the below should hopefully help you and many others prevent stylometry (especially when combined with Anonymouth).

---Catting (AKA Being a Copy Cat): ---
While many will be upset that we mention this tactic, it is one of the most common ways to blend in or mask your own linguistic print. It relies heavily on knowing the basics of the English language and your ability to recognize patterns. It's a lot easier than what it sounds like, however we urge you to never use this tactic other than for private practice.

You first begin by getting 10 to 20 samples of a person's postings online, usually varied from the oldest possible piece to miscellaneous examples to the latest. From there, you read and study the text you gained from your target. Now once you've read it several times and made note of how they use punctuation, capitalization, and any slang or common words (for them)... you can add and subtract until you have a paragraph that sounds exactly like something they'd say or do.

Once you've repeated this a few times, try and make one on your own and see if it fits. Once you've got this down pat you can start down the tactics below, yet we must urge you never to do this tactic in public or use it as your main option as it puts other people and their information in jeopardy.
We do not want other people in trouble in our stead, we simply use this tactic (in private/never posted online) to get familiar with how others copy and rip off the posting styles of others. It also allows us to get used to modifying our own prose.

---Sampling: ---
Similar to catting, sampling requires an individual to pick 5 to 10 targets instead of one and using their samples to construct a whole new writing style. It's quite simple and relies on you following the same procedure as catting. Once you finish with one sample you put it aside and repeat till you have all your samples put together.

Once you've all your samples done, you start taking them apart and putting them together to create a new writing style. This style is so removed from your original samples that it won't be tracked back to anyone and ensures you've a totally new and semi-original writing style to use throughout your internet shenanigans.

---Slav King: ---
(Note this is similar to what Rao and Rohatgi 2000 suggested AKA round-trip machine translation)
Taking the basics of the English language, you construct whatever you wish to say and then use a service like Google Translate and have it translated to another language. Once that is done, you translate it once more to another language and then back to English. With minor "fixes," you'll be able to create a style of posting that reads as if it was written by a non-native English speaker.

---Aging (Up or Down): ---
Surfing profiles for a specific age group and practicing sampling, an individual can feign not only their gender but also their age. This is a popular technique used by sexual predators to befriend and gain further information on a target, however if used correctly an individual can use this technique to mask their identity even further and help prevent people from guessing information correctly.
---Subbing (Also known as embedding or culture-theft):---
This tactic is usually referred to as a “troll tactic” but is quite useful in actuality when it comes to disguising the way you type. The simplest explanation of what must be done is thus: You locate a forum, chat or site for a sub-culture or a hobby and simply lurk or “sit in” (E.G: Signing up and just reading/listening in on things). You get a basic grasp of slang and cultural sayings to the point of “fitting in” and being able to do so without being called out on it.

You then use what you learn to simply create a new style of typing (that is similar to that of the sub-culture/hobby’s main core group) to be used elsewhere. Sort of like how people would use slang and common sayings to denote what group/fandom they’re a part of, like Train hobbyists or Punks. You can disguise yourself and how you type quite a bit by simply mimicking and borrowing from various groups.

---The Cult (Also known as the group, the following or Legion):---
Simply put, a group of people, usually larger than two individuals, use one or more of the above tactics to form their own typing style. From there, they work on combining/meshing together these styles to form one typing style which they all then follow.

This tactic was taken from the Chinese activists who’re constantly fighting their current government’s corruption. Due to how anti-privacy China has become, the activists developed this tactic to hide how many people are within a group posting online especially if it’s just one individual trying to create subterfuge to confuse anyone trying to track them down.

One other variation of this tactic that we’ll bring up simply has everyone agreeing upon copying (catting) an individual from the group and posting in that style for anything concerning that group or its activities.

===Note:===
Be aware of regional and cultural differences. This includes but is not limited to spelling, slang, sayings and similar items.
Try to make a conscious effort to recognize these tells with not only the things you do or say but also what others do or say. This can help you expand your privacy and security, yet also make you realize just how much we, ourselves, can bleed out onto the internet.

===Note 2:===
The above are just basic examples sent to us by our activist friends, you can find more tactics to contribute through heavy searching or by experimenting and coming up with your own.
++++++++++++++++++++++++++++++++++++++
===Combining what you’ve Learned===
So, with everything you’ve learned above, and with some conscious effort on your part plus a bit of creativity you’ll be able to disguise yourself quite well online especially if combined with other skills that we’ve shown you on the PB’s guides.

Now the first thing we must do is conduct our own bit of stylometry on ourselves. This can be done through either the use of your favorite word processor or through Anonymouth. We’ll discuss the basics below on how you can do a dirty-version of stylometry. We recommend doing it both through a word processor and then Anonymouth just to cover your bases.

Check this link before proceeding as it is required reading to understand the basics: http://peterkirby.com/basic-stylometry-101.html

===Note:===
This is jumping the gun a bit however before we start constructing new typing styles, we need to learn some basics concerning Stylometry.

---The Basics of Stylometry Summed up---
-Pick a candidate (This will be yourself).
-Pick a sample size (usually done in multiples of 500 words, ergo 1000; 1500; 2000…etc).
-Pick a randomized variety of confirmed examples (Posts, comments from a confirmed source/target E.G: you).
-Pick features/identifiers (Words, punctuation marks, slang, misspelled or improperly used words or marks…etc).
-Learn how many times a feature (a word, punctuation mark, slang…etc) is used.
-Calculate the mean by summing up your numbers (your features x how many times they appear in samples) and then divide by the number of samples.
-Compare your newly formed typing style(s) by making a few test paragraphs and checking them against the above.
-See which one is closest to your actual style VS the one that isn’t.

Your main goal is to try and create one completely unique and least likely to be identified as being your own style.

Now that you have a gist of how to identify, to an extent, your own identifiable markers—it’s time to check into Anonymouth. The reading material that comes with it should be enough to explain how to set it up and how to use it. Once you've figured that out, use it in conjunction with the above basics. This will be a bit of an extra (hard) step but it’ll help you in the long run.

First and foremost, you must think ahead. What is this new style for? Is it to run accounts, create prose, add an extra layer of protection or is it just to sprinkle more red herrings? Once you figure that out, you can use what you’ve learned from the other guides to build up a persona and personality that’ll be represented within your new typing style.

Two, prepare what you plan to write. Think ahead and think carefully. Write it out in a word processor and then copy + paste it into something like a .txt file to remove traces and extra, frivolous additions like stylizations or fonts.

Three, use sentence enhancers. These can be anything from simple quirks like using words incorrectly to Thesaurusitis or even regional spelling or slang. Below shall be a few examples. You can get an idea of what we mean, thus making up your own enhancers besides ours.

3.a: Thesaurusitis: Go to https://www.thesaurus.com/ or break out your own and look for a synonym to use. So instead of using murder, you can say annihilated (Example: Instead of “The communists murdered the wealthy” you can say they “annihilated the wealthy”).
Switching words out like this can help create the illusion of pseudo-intellectualism or even actual intelligence. It all depends on how you hash it out. Have fun, go wild. You can end up creating a whole new series of marks/features/identifiers that’ll drive any CIA spook or government shill into confusion and depression.

3.b: Regional Illusion: This one takes a bit of time and research, and is usually partnered with creating a text file with information but it is useful if you want to throw people off from where you’re from or trying to appear from. An example of a text file would be something like (word) + (Region) = (Description of use). With that in hand, you’ll be able to throw one or more items into the mix to screw around with regional associations or educated guesses on location. Some links below to get you started…
https://www.rd.com/culture/regional-slang/
https://en.wikipedia.org/wiki/American_English_regional_vocabulary
https://www.thedailymeal.com/entertain/weirdest-regional-slang-america-slideshow

3.c: Fuck You: Literally just adding swears/curses into the mix. Believe it or not quite a few people got caught by the ABCs because of their filthy mouths. Keep that in mind from now on ;^)

3.e: The Queen's English: Depending where you’re from or who you’ve talked to, you may notice how certain areas spell words differently in English. Keep this in mind, especially if you’re trying to throw people off about your continent of origin.

3.f: Dropping Breadcrumbs: The purpose of this enhancer is to give up (false) personal details as if you’re unaware or too used to doing so, which is a big no-no if you’re trying to keep private. An example would be something like:
“OMFG! I cant even right now!!1 Its already 1AM! >0.0<”
Note the use of time and some enhancers like smilies and chatspeak. Something like the above, in the wild, will be attributed to either an immature person who’s young or female (or a part of certain sub-cultures).
3.g: Weeb it up: Everyone has a past they wish to forget or know someone who has had such a past when it comes to anime and the stereotypical fan behavior, like the overuse of emoticons/smilies. Break that forbidden knowledge out of the safe because it can be useful for sprinkling on herrings. Be it a replacement for actual punctuation or simply throwing it in mid-sentence or at the end, they do help express what you mean and hide your age and gender. Check the below links for some examples you can save to a text file and use when the need comes up.
https://fsymbols.com/emoticons/
http://japaneseemoticons.me/

3.h: Origin Unknown: Another decent enhancer is replacing the English equivalent of a word with a similar one from another language. The most common examples are using Japanese or Spanish words in place of the English one. Keep it simple and only use a few at a time. You can throw a lot of people off if you use proverbs or sayings from another language to try and convey something else like comparing situations (Think back to the pseudo-intellectual who kept quoting Chinese proverbs after a trip there).

Four, choose your tactic(s). One is good, two is better, three or more is best. The basic pattern is usually three to four tactics. Something akin to Catting > Sampling > (Third tactic) > Slav King. From there, checking your new sample against the basics + Anonymouth, you should have a totally unique and totally new style for posting online. Keep a sample or two around to constantly check against your usual style + any new ones you create in order to prevent any cross contamination or back-checking.

Now combine it all and produce your new posting style(s).

That’s it, basically. It’ll be time consuming and requires a bit of practice but it’ll go far once you realize how hard it is for someone, especially a Glow in the Dark, to track you down through text. Remember, a stylometrist used by the government will have more tools and toys than us or most anyone.
Working on obscuring our marks/tells and styles with the above will, to an extent, help us randomize our posts. Doing this each and every time, keeping nothing uniform unless working with false leads and red herrings… you should retain your anonymity at least through text.
++++++++++++++++++++++++++++++++++++++
===Afterword===
While we’re borrowing heavily from our Chinese contacts, we were able to add some information contributed to us by our Venezuelan and American counterparts. We recommend you take what you’ve read above and work on making up your own tactics and enhancers. Share them with whoever you can and work on polluting as much information as possible to foil any wannabe stylometrist’s attempt at demasking people from anonymity.

Privacy isn’t a one and done thing. It requires a lot of patience, time and research. So, take what you can glean from the above and try to find something that’ll work for you.
7 notes
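The self-check listed under "The Basics of Stylometry Summed up" in the post above, worked through as an added Python example; it is not part of the original post and is unrelated to Anonymouth's own code. The feature list, the short constructed samples (a real check would use the 500-word multiples the post mentions), the z-score distance and the 0.5 spread floor are all assumptions made for illustration.

```python
"""Self-audit: how far is a rewritten paragraph from my own writing profile?"""
import re
from statistics import mean, pstdev

# Assumed feature list: a few function words and punctuation marks.
FEATURES = ["the", "and", "i", "so", "but", "that", ",", ";", "!", "..."]
# Tokens are an ellipsis, a word, or one punctuation mark (single periods are skipped).
TOKEN_RE = re.compile(r"\.\.\.|[a-z]+(?:'[a-z]+)?|[,;:!?]")

# Constructed samples standing in for "confirmed examples" of your own posts.
BASELINE_SAMPLES = [
    "So I went to the store... but it was closed, so I walked home! "
    "I think the owner is away... but I am not sure.",
    "I wanted to fix the bike, but the chain broke... so I gave up! "
    "So now I walk to work, and it is fine...",
    "But the thing is... I never liked that show, so I stopped! "
    "I think it was the writing... but it could be the cast.",
]

# Constructed test paragraphs: one in the habitual style, one deliberately rewritten.
CANDIDATES = {
    "same_style": "So I tried the new cafe... but the coffee was cold, so I left! "
                  "I think the place is new... but I will not go back.",
    "rewritten": "The cafe that opened recently served coffee that had gone cold; "
                 "accordingly, the visit was brief, and a return seems unlikely.",
}


def feature_rates(text, features=FEATURES):
    """Occurrences of each feature per 100 words of text."""
    tokens = TOKEN_RE.findall(text.lower())
    words = sum(1 for t in tokens if t[0].isalpha())
    return {f: 100.0 * tokens.count(f) / max(words, 1) for f in features}


def build_profile(samples, features=FEATURES):
    """Mean and spread of every feature rate across the baseline samples."""
    rows = [feature_rates(s, features) for s in samples]
    return {f: (mean([r[f] for r in rows]), pstdev([r[f] for r in rows]))
            for f in features}


def z_scores(profile, text, floor=0.5):
    """Absolute deviation of text from the profile, in units of baseline spread.

    The floor keeps a feature that never varies in the baseline from
    producing a division by zero.
    """
    rates = feature_rates(text, list(profile))
    return {f: abs(rates[f] - mu) / max(sd, floor) for f, (mu, sd) in profile.items()}


def distance(profile, text):
    """Average deviation over all features: larger means less like the baseline."""
    scores = z_scores(profile, text)
    return sum(scores.values()) / len(scores)


def residual_tells(profile, text, threshold=1.0):
    """Baseline habits that survived the rewrite (still within threshold of the mean)."""
    scores = z_scores(profile, text)
    return [f for f, (mu, _) in profile.items() if mu > 0 and scores[f] < threshold]


def rank_candidates(profile, candidates):
    """Candidates ordered from least to most similar to the baseline."""
    scored = [(name, distance(profile, text)) for name, text in candidates.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    prof = build_profile(BASELINE_SAMPLES)
    for name, score in rank_candidates(prof, CANDIDATES):
        kept = residual_tells(prof, CANDIDATES[name])
        print(f"{name:11s} distance={score:5.2f} surviving habits={kept}")
```

A low distance means the test paragraph still reads like the baseline; the surviving-habits list shows which features were left unchanged by the rewrite.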
The Guide
The definitive run-down on staying safe while filling the chop bowl, written for my sisters everywhere who just want to get cooked.
The following is a composite of general wisdom, links to information that you will find helpful as well as guides to installing and using encrypted communication applications so we can all safely get crooked. This is just a general guide; however, common sense and trusting your gut will always trump my anecdotal advice. The technical aspect is apt, I have a student loan that proves I’m somewhat competent.
First and foremost, with the advent of it being publicly known that most if not all of the Vegetable Australia groups have been compromised, a lot of the availability is gone. Scammers have successfully exploited this gap and now I have heard stories from multiple women who have been ripped off blind. This really gets my panties in a fucking knot so I stole most of this guide and rewrote it with a woman’s touch.
The critical advice I give to all of you girls, is know your state laws regarding drug use and possession.
This is a very simple and easy to understand page outlining the laws in New South Wales. Searching google will result in similar pages for the other states. Knowing your rights is exceptionally important, regardless of if you’re up to mischief or not.
If you’re an inexperienced user, the Psychonaut Wiki has a brilliant page on just about everything you need to know. Ranging from usage, effects as well as medication interactions.
Another page that offers plenty of information, secondary to the first I have linked is the Erowid General Page. The first page I linked is essential knowledge, the second is additional homework. Learn your stuff ladies.
Further Reading
When you’re buying a name brand, use this resource to verify it’s what they say it is. You can quite literally shut down someone by sending them a picture versus picture comparison. Don’t get ripped off because someone called it something fancy.
One of the best things you can do is learn about a concept called operation security, or OpSec for short. Keeping yourself and your data safe is crucial to keeping yourself out of a courtroom. This page outlines a very in-depth analysis of operational security.
On top of this, most people aren’t aware of how much personal information they give away publicly and the implications of such. More often than not, people use the same password for everything too; this is horrible from a security standpoint. Learn about passwords here.
Want more of an in-depth look at what encryption is and how it works? This page should tell you everything you want to know about the actual tech behind these applications as well as its limitations and legality.
What’s a VPN and do I need one is something I get asked a lot, familiarise yourself with this page and decide based off that. Make sure you read reviews and are aware of privacy laws in your state.
Read this page about being a decent buyer or buy the book and read the whole thing then give it to your friends. I don’t make anything from this and I’m not affiliated at all, I just abide by these myself as best I can. Your parents probably knew or followed most of these themselves and the whole thing is free and worth reading while you’re couch-bound.
An Introduction
Now, before we jump in, I’d like to mention that the trade has changed dramatically in the last twenty years. Users today have little if any respect and widespread availability has led to very little loyalty. I have seen people threaten dealers despite the fact it’s an admission of being complicit to a drug deal. I have watched Facebook groups be infiltrated by boys playing the big man and within the week it’s completely trash.
Follow these general pieces of advice and you should be well on your way to picking up something delicious with relative ease and heightened security.
The Golden Rules
The number one rule when buying from anyone you meet online is to only pay with cold hard cash. Real sellers only take cash and don’t want to leave an electronic paper-trail. Anyone who tells you it can be traced is probably trying to scam you.
Most scammers are easy to spot if you use logic. Generally all of them run advertisements showing that they sell essentially anything you could ask for. Stick with the sellers who only sell weed, it’s just generally safer. Scammers will ask you to prepay with a cash transfer or a gift card of some sort, usually bought from a convenience store. This is an obvious tell.
Do not buy any of the gift cards or Steam cards and under no circumstances should you give them any serial numbers or receipt numbers. Countless people have been ripped off using these various methods and they are getting exceptionally intricate and talented at lifting coin.
Try to avoid Craigslist, as it is full of scammers operating from other countries. Sometimes you might have some luck but I am sceptical at best.
Making Contact Safely
Most sellers with half a brain can be contacted through a free app known as Wickr Me, which is available from Google Play or iTunes. We generally don’t use anything else, if you’re seeing Kik, or WhatsApp I would be wary.
If configured correctly any and all of your messages sent through Wickr will self destruct after being read and are encrypted between devices. The application will also block screenshots if you’ve asked it to, and it will warn you if an app is recording or using an overlay on your device.
If the seller tells you that they want anything other than cash or anything similar, don’t bother with them at all. There is a one-hundred percent chance you end up with your cash gone and a packet of batteries.
Meeting Places and General Safety
Make sure to meet in a place you feel safe, preemptively plan locations and trial-run them to see how you fare. It is important to maintain an element of control but to be flexible in case your friend has requirements of their own. Someone asking for very specific places that you can’t establish as safe probably is going to knock you over.
Most people are genuine, but there are a few out there ready to steal your money. Don’t inherently trust someone because they’re a stoner. If you knew how many consoles I’ve been offered.
Make sure you can physically see and confirm what you’re buying before you hand over any cash at all. The seller won’t hand you product worth money until he’s been paid as per his requirement in this deal, so make sure to ask the seller to bring it in a clear bag or container, so you can see what you’re getting. This is common sense and any dealer will generally comply.
Ask to meet in a public place when you first meet someone, you’re both humans and there is nothing illegal about getting a coffee before going for a drive together.
Don’t meet them in an alley or a dark, deserted area. You’re asking for trouble. In some of these situations it’s unavoidable, if you have to; make sure you bring someone or better, multiple people.
If you don’t like the look of the person you are meeting, don’t let them get into your car and do not get into their car. If you don’t like someone’s house or you feel you’re being boxed into a kill-zone, leave immediately. It’s not worth it.
Don’t make a large purchase the first time you meet if you’re a little bit scared. Try to buy a small amount like a fifty or a quarter, and then if you feel comfortable with the seller, increase your purchase size. Remember that it would be better to get busted for a stick than an ounce.
So, Are they Legitimate?
Asking for photos of product before you purchase is basically necessary. You’re going to determine based off this part of the interaction if they’re indeed genuine and legit.
Anyone who offers detailed close-ups, as well as pictures on a scale with the weight clearly visible or even with a timestamp is showing a certain level of tact and professionalism from the get-go.
Someone who speaks proper English and uses correct grammar is inherently going to seem more professional than someone who doesn’t finish sentences with a period. Be aware of this when you deal with someone, their vernacular will reveal a lot about their socio-economic situation and how they interact with others.
A phone call that you record is a good way to avoid officers of the law as well as establish some rapport between yourself and the dealer.
Don’t bother pissing around with Bitcoin, it’s not worth the effort, time or loss of finances you’ll experience. Unless you know what you’re doing, stay off Tor.
Dealers have lives too, don’t expect an answer right away or at all. You’re not entitled to one, however most sellers want your money too so generally it’s not a problem. Remember that they’re doing you a favour, treat them and the exchange as such.
Here’s an example of some legitimate looking photos:
Figure 1. Here, the dealer is showing a weight as well as a current timestamp with their Wickr address. I have very little reason to doubt someone at face value when it’s this tier of service.
Figure 2. This is the average level I expect someone to be up to, if there’s a weight and a clear photo; I have a relative element of trust in the dealer. This should be what you look for at a minimum.
Figure 3. Closeups also help you verify the strain and that it’s not a scam. Asking for these while you see pictures of a scale is a good way to weed out scammers who claim it’s already bagged and sealed.
Purchase Quality and General Pricing
Prices everywhere will vary from seller to seller and often are based around socio-economic demographics too. The richer the area, the higher the markup. Nicer suburbs usually dictate nicer quality but it is not absolute. Expect that some groups of people are simply going to get ripped off, purely because they’re completely oblivious.
The better the quality, the more you will pay. I shouldn’t need to explain this. However, make sure you’re certain when you pay more.
Weed is illegal, so is not regulated or tested for pesticides or mould like you get with something from Coles. Be careful of what you are smoking. If it doesn’t look right, throw it out. Dying to get high is a literal term.
Prices usually go up when there is a drought on, which tends to happen from around the end of the year up until the Australian outdoor harvest in March. Christmas prices are hell, I suggest highly that you stock up to save yourself from exorbitant prices. On the flipside, this is entirely reasonable; dealers have lives too and the Christmas period is a total jerk to everyone. Be mindful.
Below is a fairly comprehensive pricing guide for strains ranging from home-grown bush to hydroponic fruit:
Gram – $15-$25
Eighth (3.5g) – $45-$70
Quarter (7g) – $80-$120
Half (14g) – $140-$220
Ounce (28g) – $240-$400
These prices are usually for pick up, which you will need to factor in your own transport for obviously. If you want delivery, it’s reasonable that you should expect to pay an extra amount. Check Uber for an estimate regarding fuel if they’re asking for an odd amount. It may be cheaper and safer for you to use public transport discreetly, but an Uber is always paramount to safety assuming you’re not carrying irresponsibly.
Installing, Configuring and General Wickr Advice
This is a quick throw-together I wrote showing how you can install Wickr on your laptop. Having someone message you on Wickr at an inopportune time can really tie you in a knot and ultimately it’s safer not having evidence just lying around on your phone. However, it is a necessary evil the majority of the time. Because of this, it is critically important that you configure your Wickr correctly.
Installing Wickr on Windows
Following these screenshots should be self-evident. You should have absolutely no issues with it on a laptop. Simply download the current executable and follow the installer. At the end, it will launch. You can now create an account.
Step 1. Download the latest executable and run it.
Step 2. You’ll be prompted with this screen. Click Next.
Step 3. Choose wherever you want to install the program.
Step 4. Go ahead and install the application.
Step 5. It will take a few moments to minutes depending on your computer.
Step 6. You’re all set. Click to Finish to launch and you’re done.
Step 7. Now the application will open. Either log in to your existing mobile account, which will not sync conversations so I suggest you install both the portable and desktop application at the same time. You can now configure Wickr properly.
Installing Wickr on an Android/iPhone
Notice: You should be competent at installing applications on your mobile device by this point. Simply follow the process on your chosen platform’s app store and you will be prompted with a similar screen and a similar configuration process.
Configuring Wickr on Any Platform
The first of the two steps we need to take to ensure our conversations remain private is to set a Burn-on-Read timer, which once our contact has opened and read the message, our message is set to delete itself off both devices within a set time frame. In this case, thirty minutes is our timer until it will delete itself. To configure this on any platform, simply click the fire icon.
Figure 1. The Burn-on-Read timer function.
Secondly, we need to set an expiry date so that if our messages don’t get opened, they will still delete themselves off both devices in the conversation. To do this, follow the same process as before and click the clock icon.
Figure 2. The expiration time function.
This process should be fairly self-evident no matter what you’re using. Google it if you run into problems. Never send messages before you’ve configured yourself.
With all this in mind, stay safe girls. None of us want to see a sister get hurt or scammed. Share this site around with your friends. The more of us who are in the know, the fewer of us end up getting burnt.
If I missed anything, or you have something to add please let me know. Lots of love, you can catch me fluttering around on my Wickr: candyfairy.
1 note · View note
blaise-comp6841-public · 5 years ago
Text
Week 5 Lectures
Morning Lecture
Wired Equivalent Privacy
With WiFi, unlike a wired connection, it is easy for other people to access packets that are being sent through the air. This means that you would want to encrypt your data before sending it.
WEP is very basic encryption with many vulnerabilities. What was interesting is that even though vulnerabilities were found, people kept using it for a while because they didn’t have many alternatives. 
Data sent in a WEP frame is broadcast, and only those with the correct MAC address will read it. But this doesn’t stop other people from taking these packets, modifying them and resending them.
Encryption is done using RC4 (which uses a random number generator), and XOR. The data is encrypted, but the order and structure is still the same. So given a packet, it is known which bits correspond to the IP packet’s destination IP address.
An attacker can take a packet sent by someone else, modify the packet’s destination IP address, and send it back to the access point. Instead of the attacker doing work, the access point will decrypt it and send it back to the attacker! Note that the attacker’s IP and the victim’s IP addresses are the same for the first 3/4 of bits, so there aren’t many different combinations to try.
This is an example of mixing data and control - changing the addresses within the IP packet (which is inside the WEP frame) also changes the control.
Phreaking (phone hacking)
Phones back in the day sent tones of different frequencies for control e.g. the frequency 2600Hz was used to give a free phone call.
There was a Captain Crunch promotion where they gave out whistles with frequency 2600Hz - the same frequency as the tone for free phone calls. So people bought the cereal and abused this to get free calls.
The main problem was that tones used for control were sent along the data line.
Guest Lecture - Doctor
There is a lot of bias going on even in the medical world, with patients, pharmaceutical companies, and with doctors.
Observation bias is when seeing what other people are doing influences our decisions. For example, there is a hormone tablet for breast cancer offered after a surgery which has a chance of preventing the cancer coming back, however it has some side effects. A doctor who just saw a patient who decided to take the tablet may become biased towards supporting the decision to use the tablet for the next patient.
There is also the idea of “quid pro quo”, something mentioned in the Social Engineering lecture. Sometimes pharmaceutical representatives take doctors/nurses out for a free lunch and tell them about a new drug. Because of this favour they have done, these doctors/nurses are more likely to recommend the company’s drugs.
What’s scary is that sometimes you think you are not being biased, but in reality you are subconsciously leaning towards one side or another. Next time I make a judgement on something, I’ll try to check if I am truly being fair, or if I’m just following my instincts.
A majority of problems occurring are from human error, be it negligence or poor judgement. Take for example hygiene. It is difficult to get doctors to wash their hands regularly or follow proper hygienic procedures, because they either forget or think it’s too much of a hassle.
A study showed that adding checklists in surgery halved the infection rate. Checklists have really simple things on them, and are cheap to create, but it’s usually the simple steps that aren’t followed which lead to poor hygiene. So instead of investing in high end equipment to reduce bacteria levels slightly, in this instance, it was more effective to bring about a culture change on the simple things.
Evening Lecture
Extended seminar - OPSEC (Operations security)
Protect information that could be used by the enemy against you
Identification of critical info
Analysis of threats
Analysis of vulnerabilities
Assessment of risk
Application of appropriate OPSEC measures
Random pieces of info aren’t useful, but together they can do damage.
Origin - Vietnam war
Snowden - “What would be the impact if my adversary were aware of my activities?”
If your threat model is too high - don’t do it.
How to OPSEC?
If you don’t need to share information, don’t.
If you do something you don’t want people to know about, ensure it can’t be traced back to you
Avoid bringing attention to yourself
This is hard to pull off, so tradeoffs must be made e.g. where do you want to be secure, and where do you want to be visible. It’s hard to figure out how much you want to hide.
Avoid sharing information - only share if it’s needed, beware of social media, metadata, indicators - expensive clothes
Keep identity secret - Tor browser to remain anonymous,
You can use a false identity - hard to maintain
Be forgettable - blend in with everyone else so that you don’t draw attention to yourself
“There are no case studies of good OPSEC - you never hear about them.”
Case studies
WW2 - American congressman bragged that American subs survived because Japanese depth charges weren’t deep enough. This cost the US lives, as the Japanese set them deeper.
MI6 agent exposed because of wife who left Facebook on public.
Harvard bomb threat
Bomb threat listed his exam hall
Guerrilla Mail adds originating header - found out it was Tor
Tor was used on campus wifi - don’t be logged in if you want to be anonymous
Silk road - Ross Ulbricht
Asked for help with set up on his real email
Used same alias on multiple sites
Tor and VPN used in wrong order - negligence
Richard’s comments
Someone with good OPSEC used different computers and toolkits for different personas.
Even first contact is dangerous - you can roll back in time to when people were young and connected their accounts etc.
Extended seminar - Passwords
Most passwords used are weak. It’s hard to remember and to type a complex password, so people tend not to use them.
Passwords often use personal information such as name and birthday. So hackers can try cracking passwords using this information.
Good passwords are long without English grammar patterns.
Passwords are broken
Passwords are weak - full of meaning (47% based on name), often reused over multiple sites.
Personal Information Attack
Fake Facebook profile (Sally) - can see partner’s name, birthday, education, hobbies, pet’s name
cup.py - many combinations of passwords based on personal information, common replacements (a -> 4)
Password Crackers
John the Ripper on Kali Linux
Hashcat - for hashes
Why are passwords bad?
hard to remember and type good passwords
complicated rules for generation (letters, numbers, symbols)
regular renewal
little incentive to create unique passwords
low probability, high impact risk
Password Storage: bad practice
Some are still stored in plain text - mostly small to medium sized companies
Facebook had stored plaintext passwords in an internal database
Bad hashing (md5, sha1) - Rainbow tables are designed to match with passwords
Demo - using Linkedin passwords file
In 2012 - Linkedin was hacked, and passwords leaked.
Saeed had a file with the list of userid:hashedpassword.
Used Google - sha1 to reverse the hashed password
Looking through the first 1000 lines, 4 people had the same password
10000 lines - 26 people
Passwords frequency in descending order: password, 123456, LinkedIn
If you have a bad hash, anyone with google can hack passwords
John the Ripper - automatically cracks the passwords based on the hashes
Salt - add random string to end of the password, you get 2 different hashes. This way, there isn’t a problem if many people had a password. LinkedIn did not have a salt.
Best practices for storing passwords
Use a strong encryption method like a hashing function such as sCrypt or BCrypt
Store the salted hash, not the password
Salts should be long (at least 256 bits)
Don’t store password hints
Another solution - let a bigger company handle it. Log in with Google or Facebook, however this is
Maybe we can get rid of passwords altogether - but not yet.
Password Generation
Better ways to come up with memorable passwords
correcthorsebatterystaple
length of word creates enough entropy
avoids English grammar patterns
don’t use common words
passphrases
long and with wacky lexicon but good syntax to make it hard for AI to generate
memorable
initialisation of a phrase
take first letter of each word, removes English letter frequency
New policy - NIST 2016
don’t force regular password changes
don’t enforce composition rules
don’t provide password hints
allow user to opt for passwords to be viewed while typing
limit number of failed login attempts
Richard: just keep a list of bad passwords, don’t use any.
Long passwords are better than just adding symbols and numbers.
Richard: we think our passwords are good, but we overestimate it. Humans are bad at generating passwords - we follow patterns.
Buckland’s Lecture
Merkle Damgard construction
https://en.wikipedia.org/wiki/Merkle%E2%80%93Damg%C3%A5rd_construction
SHA2 - different types depending on size (SHA-256 means SHA2 with 256 bits)
We have a long message, but we need a small hash, so we break the message into blocks.
This is a method of building collision resistant cryptographic hash functions from collision resistant one way compression functions.
It is used in hash algorithms such as MD5, SHA1 and SHA2.
1. The message is split up into blocks.
2. The algorithm starts with an initial value, the initialisation vector (IV).
3. The result so far (initially just the IV) is combined with the next message block, then the compression function f is applied.
4. Step 3 is repeated until all blocks have been added.
5. The last result may be passed through a finalisation function.
Bank messaging problem
We want integrity and authentication. MACs give us both.
We can add the secret key before the message, and then hash it.
MAC: h(key|data)
The problem with this is that an intercepted message with known hash and message length can be extended. This is a length extension attack.
Take the hash, append a new message to it and pass it into f, the compression function. In this way, you can modify the message, even without knowing the secret key.
HMAC (hash-based message authentication code) puts the password after the message, instead of the beginning. h( key | h(key|m) )
Digital Signature
DSA - Digital Signature Algorithm
A digital signature is used to verify authenticity of digital messages or documents. A valid digital signature gives the recipient strong reason to believe the message was truly from the sender (authentication) and that the message was not altered in transit (integrity).
Signing larger files directly takes a long time. To sign large files, hash the file and then sign the encrypted hash.
Collisions with digital signatures
A collision attack requires half the number of bits in the hash size.
Example: Alice has a pdf saying “I will give Bob $100”, then Alice signs it, and sends it along with the signature to Bob. If an attacker can create another document with the same hash as Alice’s document, then the attacker can use the same signature with this new document, so it looks like Alice has signed the new document.
The attacker can change 1 bit in each document that doesn’t change anything visible (e.g. whitespace) and then keep hashing them until you find 2 identical hashes. Ask Alice to sign the first document, and you can reuse the signature for the second one.
Passwords
Password attack types:
online - typing the password on a website manually
website can detect
offline - obtaining the file containing hashes of passwords and decrypting locally
/etc/shadow
password file used to be protected by md5
Salt is random data added to the password before hashing. Salts help to prevent collisions in the case that users have the same password. Salts also protect against the use of rainbow tables, because the password will need to be hashed with the random salt to be in the table.
0 notes
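The Merkle-Damgard steps and the bank messaging problem from the lecture notes above, as an added example that is not part of the original post: a toy hash (16-byte blocks, zero IV and a compression function made from truncated SHA-256 are all assumptions) shows why a receiver using h(key|data) accepts an extended message, while the nested form h(key | h(key|m)) from the notes rejects it. The key and messages are constructed samples; real HMAC additionally XORs the key with two fixed pads.

```python
import hashlib
import hmac
import struct

BLOCK = 16            # toy block and digest size in bytes (assumption)
IV = bytes(BLOCK)     # all-zero initialisation vector (assumption)


def compress(state: bytes, block: bytes) -> bytes:
    """Compression function f: (state so far, next block) -> new state."""
    return hashlib.sha256(state + block).digest()[:BLOCK]


def md_pad(total_len: int) -> bytes:
    """Padding: 0x80, zero bytes, then the 8-byte length of everything hashed."""
    zeros = (-(total_len + 1 + 8)) % BLOCK
    return b"\x80" + bytes(zeros) + struct.pack(">Q", total_len)


def md_hash(msg: bytes, state: bytes = IV, already: int = 0) -> bytes:
    """Merkle-Damgard hash with no finalisation step.

    `state` and `already` allow hashing to resume from a published digest.
    Because the digest IS the internal state, anyone can do that.
    """
    data = msg + md_pad(already + len(msg))
    for i in range(0, len(data), BLOCK):
        state = compress(state, data[i:i + BLOCK])
    return state


def prefix_mac(key: bytes, msg: bytes) -> bytes:
    """The weak construction from the notes: h(key | data)."""
    return md_hash(key + msg)


def nested_mac(key: bytes, msg: bytes) -> bytes:
    """The nested construction from the notes: h(key | h(key | m))."""
    return md_hash(key + md_hash(key + msg))


def extend(tag: bytes, key_len: int, msg: bytes, suffix: bytes):
    """Continue hashing from `tag` without the key; returns (message, tag)."""
    glue = md_pad(key_len + len(msg))          # padding the sender's hash added
    longer = msg + glue + suffix
    new_tag = md_hash(suffix, state=tag, already=key_len + len(msg) + len(glue))
    return longer, new_tag


def demo():
    key = b"constructed-secret-key"            # constructed sample key
    msg = b"pay=100&to=bob"                    # constructed sample message
    suffix = b"&to=mallory"

    # Weak MAC: the receiver recomputes h(key|data) and the extended tag matches.
    m1, t1 = extend(prefix_mac(key, msg), len(key), msg, suffix)
    weak_accepts = hmac.compare_digest(prefix_mac(key, m1), t1)

    # Nested MAC: the outer hash needs the key, so the same trick is rejected.
    m2, t2 = extend(nested_mac(key, msg), len(key), msg, suffix)
    nested_accepts = hmac.compare_digest(nested_mac(key, m2), t2)
    return weak_accepts, nested_accepts


if __name__ == "__main__":
    print(demo())
```
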
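The LinkedIn demo and the salting advice in the password seminar notes above, as an added example that is not part of the original post: unsalted SHA-1 gives every user of the same password the same hash, while a per-user 256-bit salt with scrypt does not. The account names, passwords and scrypt cost parameters are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real data).
ACCOUNTS = {
    "alice": "password",
    "bob": "123456",
    "carol": "password",
    "dave": "LinkedIn",
    "erin": "password",
}

# Assumed cost parameters, kept small so the demo runs quickly.
SCRYPT = dict(n=2**12, r=8, p=1, dklen=32)


def unsalted_sha1(password: str) -> str:
    """The bad practice from the notes: a fast hash with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password: str):
    """Store (salt, salted hash), never the password itself."""
    salt = os.urandom(32)                      # 256-bit random salt per user
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def check(password: str, record) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, stored = record
    candidate = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return hmac.compare_digest(candidate, stored)


def users_sharing_a_hash(table: dict) -> list:
    """Users whose stored hash also appears for someone else."""
    counts = Counter(table.values())
    return sorted(user for user, h in table.items() if counts[h] > 1)


def build_tables():
    weak = {u: unsalted_sha1(p) for u, p in ACCOUNTS.items()}
    records = {u: make_record(p) for u, p in ACCOUNTS.items()}
    strong = {u: rec[1] for u, rec in records.items()}
    return weak, strong, records


if __name__ == "__main__":
    weak, strong, records = build_tables()
    print("unsalted, shared hashes:", users_sharing_a_hash(weak))
    print("salted, shared hashes:  ", users_sharing_a_hash(strong))
    print("login check:", check("password", records["alice"]))
```
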
mcdouglecompany-blog · 5 years ago
Text
Collapse- 90% Of The U.S. Population Will Die Within 6 Months, Prepping for beginners and 6 Immutable Prepper Laws.
Collapse (90% Of The U.S. Population Will Die Within 6 Months)
Prepping for beginners - top 10 guide
6 Immutable Prepper Laws
  Collapse (90% Of The U.S. Population Will Die Within 6 Months)
https://youtu.be/ZqRMMgrv_kQ
Prepper Princess
Collapse (90% Of The U.S. Population Will Die Within 6 Months)
  Prepping for beginners - top 10 guide
https://youtu.be/o9niShq9_Dg
City Prepping
Published on Oct 26, 2018
New to prepping? Not sure where to start? In this video we'll cover the top 10 things you should do to lay a foundation. Get the new Inergy Apex and save $550 from their regular sales price by using "CityPrepping" at checkout using this special link: https://glnk.io/p5q/city-prepping LINKS FOR VIDEO: 1. Water storage **Videos to watch:** -- 7 steps for water preparation: https://www.youtube.com/watch?v=VHTSw... -- How to purify and filter water making it safe to drink: https://www.youtube.com/watch?v=690L4... -- How to store water for emergencies (containers and places to put them): https://www.youtube.com/watch?v=Ju3he... **Items to get** -- 5 Gallon stackable: http://amzn.to/22z7j0F -- 7 Gallon non-stackable: http://amzn.to/1ZeQHt2 -- 55 Water storage: http://amzn.to/1ZeVv1D 2. Food **Videos to watch** -- How to easily build a 2 week emergency food supply: https://www.youtube.com/watch?v=OSgot... -- How to make your own Freeze Dried food for SHTF: https://www.youtube.com/watch?v=buPli... -- Why you should add freeze dried food to your preps: https://www.youtube.com/watch?v=RI2Y4... -- How to dehydrate apples for long-term food storage: https://www.youtube.com/watch?v=gfZC_... **Items to get** -- The prepper's cookbook: http://amzn.to/2mSumrH -- Freeze dried food: http://amzn.to/2y5Jirm -- Dehydrator: http://amzn.to/2Cut7Yq 3. First Aid **Videos to watch** -- How to build a trauma kit: https://www.youtube.com/watch?v=l34aX... **Items to get** -- Pre-built first aid kit: https://amzn.to/2CQhPwG -- Trauma kit: http://bit.ly/2seJZJk 4. Sanitation **Videos to watch** -- How to dispose of human waste (poop and pee) after a disaster: https://www.youtube.com/watch?v=uWeYt... 5. Ability to cook **Videos to watch** -- How to cook after a disaster (fuel sources): https://www.youtube.com/watch?v=Qodga... -- How to cook after a disaster (cookware and utensils): https://www.youtube.com/watch?v=Ug-2W... 
-- 6 easy meals to cook over a fire after a disaster: https://www.youtube.com/watch?v=ZFkmv... -- Top 5 reasons you should get a rocket stove now: https://www.youtube.com/watch?v=XFzue... **Items to get** -- Solostove: http://amzn.to/2gOazrx -- Coleman gas grill: http://amzn.to/2o10V8s -- Rocket stove: http://amzn.to/2spkolg 6. Power source and lighting **Videos to watch** -- Solar Generator: https://www.youtube.com/watch?v=bE2V8... -- Solar vs Gas Generator: https://www.youtube.com/watch?v=reOL0... **Items to get** -- Flashlight: https://amzn.to/2JsYSBx -- AAA Batteries: https://amzn.to/2AB5aMy -- AA Batteries: https://amzn.to/2SxsNwg 7. Have cash on hand **Videos to watch** -- How to survive a financial crisis: https://www.youtube.com/watch?v=d2mA1... 8. Communications **Items to get** -- HAM Radio: https://amzn.to/2CQNtdg 9. Mobility **Videos to watch** -- How to build a bug out bag: https://www.youtube.com/watch?v=LtmIu... -- How to build bug out bags for the family: https://www.youtube.com/watch?v=9QQxU... **Items to get** -- Items listed here: https://www.cityprepping.com/building... 10. Self Defense and OPSEC **Videos to watch** -- Top 5 prepper firearms: https://www.youtube.com/watch?v=CyfMY... -- OPSEC: https://www.youtube.com/watch?v=rNhlg... DISCLAIMER: This video description contains affiliate links, which means that if you click on one of the product links, I’ll receive a small commission. This help support my channel and allows me to continue making videos. Thank you for the support! Support the channel by clicking here before you start shopping on Amazon: http://amzn.to/2vbNo1l (heck, even bookmark it for future use if you're feeling extra generous). Follow me on: Instagram - https://www.instagram.com/cityprepping Facebook - https://www.facebook.com/cityprepping Twitter - https://twitter.com/cityprepping Visit online - http://www.cityprepping.com
    6 Immutable Prepper Laws.
https://youtu.be/hexFyXBKoFw
City Prepping
6 foundational prepper laws to keep you and your family safe in the event of a major catastrophe. Items referenced in the video: - water storage: http://amzn.to/1Z4cPpS - water preservative: http://amzn.to/1Ugrih6 - medical kit: http://amzn.to/1XVxYEt - R.A.T.S. tourniquet: http://amzn.to/1UgteGc - QuickClot: http://amzn.to/1XVycLE - Israeli Bandage: http://amzn.to/1XVxZbm - Mapul Dynamic "Art of the Carbine": http://amzn.to/1Rv4dTc - firearms training: http://www.rain6.com - how to build a bug out bag: https://www.youtube.com/watch?v=LtmIu... - C.E.R.T. training: https://www.fema.gov/community-emerge... - Links to the other first aid videos referenced in the video: http://www.cityprepping.com/4-basic-f...
0 notes
terabitweb · 5 years ago
Text
Original Post from McAfee Author: John Fokker
Everyday thousands of people receive emails with malicious attachments in their email inbox. Disguised as a missed payment or an invoice, a cybercriminal sender tries to entice a victim to open the document and enable the embedded macro. This macro then proceeds to pull in a whole array of nastiness and infect a victim’s machine. Given the high success rate, malicious Office documents remain a preferred weapon in a cyber criminal’s arsenal. To take advantage of this demand and generate revenue, some criminals decided to create off-the-shelf toolkits for building malicious Office documents. These toolkits are mostly offered for sale on underground cybercriminal forums.
Announced today, the Dutch National High-Tech Crime Unit (NHTCU) arrested an individual suspected of building and selling such a criminal toolkit named the Rubella Macro Builder. McAfee Advanced Threat Research spotted the Rubella toolkit in the wild some time ago and was able to provide NHTCU with insights that proved crucial in its investigation. In the following blog we will explain some of the details we found that helped unmask the suspected actor behind the Rubella Macro Builder.
What is an Office Macro Builder?
An Office Macro Builder is a toolkit designed to weaponize an Office document so it can deliver a malicious payload by the use of obfuscated macro code that purposely tries to bypass endpoint security defenses. By using a toolkit dedicated to this purpose, an actor can push out higher quantities of malicious documents and successfully outsource the first stage evasion and delivery process to a specialized third party. Below is an overview with the general workings of an Office Macro Builder. The Defense evasion shown here is specific to Rubella Office Macro Builder. Additional techniques can be found in other builders.
Dutch Language OpSec fail….
Rubella Macro Builder is such a toolkit and was offered by an actor by the same nickname “Rubella”. The toolkit was marketed with colorful banners on different underground forums. For the price of 500 US Dollars per month you could use his toolkit to weaponize Office documents that bypass end-point security systems and deliver a malicious payload or run a PowerShell Code of your choice.
Rubella advertisement banner
In one of Rubella’s forum postings the actor was detailing the toolkit and that it managed to bypass the Windows Anti Malware Scan Interface (AMSI) present in Windows 10. To prove this success, the post contained a link to a screenshot. Being a Dutch researcher, this screenshot immediately stood out because of the Dutch version of Microsoft Word that was used. Dutch is a very uncommon language, only a small percentage of the world’s population speaks it, let alone an even smaller percentage of cybercriminals who use it.
The linked screenshot with the Dutch version of Microsoft Word.
Interestingly enough we reported last year on the individuals behind Coinvault ransomware. One of the reasons they got caught was the use of flawless Dutch in their code. With this in the back of our minds we decided to go deeper down the rabbit hole.
Forum Research
We looked further into the large amount of posts by Rubella to learn more about the person behind the builder. The actor Rubella was actually promoting a variety of different, some self-written, products and services, ranging from (stolen) credit card data, a crypto wallet stealer and a malicious loader software to a newly pitched product called Tantalus ransomware-as-a-service.
During our research we were able to link different nicknames used by the actor on several forums across a timespan of many years. Piecing it all together, Rubella showed a classic growth pattern of an aspiring cybercriminal, started by gaining technical security knowledge on beginner forums with low op-sec and gradually moved to some of the bigger, exclusive forums to offer products and services.
PDB path Breitling
One of the posts Rubella placed on a popular hacker forum was promoting a piece of free software the actor coded to spoof email. The posting contained a link to VirusTotal and included a SHA-256 hash of the software. This gained our interest since it provided a possibility to link the adversary to the capability.
Email spoofer posting including the VirusTotal link 
Closer examination of the piece of software on VirusTotal showed that the mail Spoofer contained a debug or PDB path “C:\Users\Breitling”. Even though the username Breitling isn’t very revealing about an actual person, leaving such a specific PDB path within malware is a classic mistake.
By pivoting on the specific PDB path we found additional samples on VirusTotal, including a file that was named RubellaBuilder.exe, which was a version of the Macro builder that Rubella was offering. Later in the blog post we will take a closer look at the builder itself.
Finding additional samples with the Breitling PDB path
Since Breitling was most likely the username used on the development machine, we were wondering if we could find Office documents that were crafted on the same machine and thus also containing the author name Breitling. We found an Office document with Breitling as author and the document happened to be created with a Dutch version of Microsoft Word.
The Word document containing the author name Breitling.
Closer inspection of the content of the Word document revealed that it also contained a string with the familiar Jabber account of Rubella; Rubella(@)exploit.im.
The Malicious document containing the string with the actor’s jabber account.
Circling back to the forums we found an older posting under one of the nicknames we could link to Rubella. In this posting the actor is asking for advice on how to add a registry key using C#. They placed another screenshot to show the community what they were doing. This behavior clearly shows a lack of skill but at the same time his thirst for knowledge.
Older posting where the actor asks for help.
A closer look at the screenshot revealed the same PDB path C:\Users\Breitling.
Screenshot with the Breitling PDB path
Chatting with Rubella
Since Rubella was quite extroverted on the underground forums and had stated Jabber contact details in advertisements we decided to carefully initiate contact with him in the hope that we would get access to some more information. About a week after we added Rubella to our Jabber contact list, we received a careful “Hi.” We started talking and posing as a potential buyer, carefully mentioning our interest in the Rubella Macro Builder. During this chat Rubella was quite responsive and as a real businessperson, mentioned that he was offering a new “more exclusive” Macro Builder named Dryad. Rubella proceeded to share a screenshot of Dryad with us.
Screenshot of Dryad shared by Rubella
 Eventually we ended our conversation in a friendly manner and told Rubella we would be in touch if we remained interested.
Dryad Macro Builder
Based on the information provided from the chat with Rubella we performed a quick search for Dryad Macro Builder. We eventually found a sample of the Dryad Macro Builder and decided to further analyze this sample and compare it for overlap with the Rubella Macro Builder.
PE Summary
We noticed that the program was coded in .NET Assembly which is usually a preferred language for less skilled malware coders.
Dynamic Analysis
When we ran the application, it asked us to enter a login and password in order to run.
We also noticed a number-generated HWID (Hardware-ID) that was always the same when running the app. The HWID number is a unique identifier specific to the machine it was running on and was used to register the app.
When trying to enter a random name we detected a remote connection to the website ‘hxxps://tailoredtaboo.com/auth/check.php’ to verify the license.
The request is made with the following parameters ‘hwid=&username=&password=’.
Once the app is running and registered it shows the following interface.
In this interface it is possible to see the function proposed by the app and it was similar to the screenshot that was shared during our chat.
Basically, the tool allows the following:
Download and execute a malicious executable from a URL
Execute a custom command
Type of payload can be exe, jar, vbs, pif, scr
Modify the dropped filename
Load a stub for increased obfuscation
Generate a Word or Excel document
It contains an Anti-virus Evasion tab:
Use encryption and modify the encryption key
Add junk code
Add loop code
It also contains a tab which is still in development:
Create Jscript or VBscript
Download and execute
Payload URL
Obfuscation with base64 and AMSI bypass which are not yet developed.
Reverse Engineering
The sample is coded in .Net without any obfuscation. We can see in the following screenshot the structure of the file.
Additionally, it uses the Bunifu framework for the graphic interface. (https://bunifuframework.com/)
Main function
The main function launches the interface with the pre-configuration options. We can see here the link to putty.exe (also visible in the screenshots) for the payload that needs to be changed by the user.
Instead of running an executable, it is also possible to run a command.
By default, the path for the stub is the following:
We can clearly see here a link with Rubella.
Licensing function
The program requires a license, which the user enters in the login form.
The following function shows the login form.
To validate the license, the program performs some checks and combines a hardware ID, a username and a password.
The following function generates the hardware id.
It gets information from ‘Win32_Processor class’ to generate the ID.
It collects information from:
UniqueId: Globally unique identifier for the processor. This identifier may only be unique within a processor family.
ProcessorId: Processor information that describes the processor features.
Name: This value comes from the Processor Version member of the Processor Information structure in the SMBIOS information.
Manufacturer: This value comes from the Processor Manufacturer member of the Processor Information structure.
MaxClockSpeed: Maximum speed of the processor, in MHz.
Then it will collect information from the ‘Win32_BIOS class’.
Manufacturer: This value comes from the Vendor member of the BIOS Information structure.
SMBIOSVersion: This value comes from the BIOS Version member of the BIOS Information structure
IdentificationCode: Manufacturer’s identifier for this software element.
SerialNumber: Assigned serial number of the software element.
ReleaseDate: Release date of the Windows BIOS in the Coordinated Universal Time (UTC) format of YYYYMMDDHHMMSS.MMMMMM(+-)OOO.
Version: Version of the BIOS. This string is created by the BIOS manufacturer.
Then it will collect information from the ‘Win32_DiskDrive class’.
Model: Manufacturer’s model number of the disk drive.
Manufacturer: Name of the disk drive manufacturer.
Signature: Disk identification. This property can be used to identify a shared resource.
TotalHead: Total number of heads on the disk drive.
Then it will collect information from the ‘Win32_BaseBoard class’.
Model: Name by which the physical element is known.
Manufacturer: Name of the organization responsible for producing the physical element.
Name
SerialNumber
Then it will collect information from the ‘Win32_VideoController class’.
DriverVersion
Name
With all that hardware information collected it will generate a hash that will be the unique identifier.
This hash, the username and password will be sent to the server to verify if the license is valid. In the source code we noticed the tailoredtaboo.com domain again.
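One way to hunt for this license check in web-proxy logs, using the URL from the IoC list and the three parameter names given above. This is an added example, not code from the original article; the log layout, client addresses and non-IoC hosts are constructed, and since the article does not say whether the request is a GET or a POST, both the query string and the body are inspected.

```python
import re
from urllib.parse import urlsplit, parse_qs

IOC_DEFANGED = "hxxps://tailoredtaboo.com/auth/check.php"  # from the IoC list
LICENSE_PARAMS = {"hwid", "username", "password"}          # from the article


def refang(value):
    """Turn a defanged indicator (hxxp, [.]) back into a parseable URL."""
    return re.sub(r"^hxxp", "http", value.replace("[.]", "."), flags=re.I)


_ioc = urlsplit(refang(IOC_DEFANGED))
IOC_HOST, IOC_PATH = _ioc.hostname, _ioc.path


def parse_target(method, target):
    """(host, path, query) for absolute URLs and for CONNECT host:port."""
    if method == "CONNECT":
        # Without TLS interception the proxy only ever sees the host name.
        return target.rsplit(":", 1)[0].lower().rstrip("."), "", ""
    u = urlsplit(refang(target))
    return (u.hostname or "").lower().rstrip("."), u.path, u.query


def classify(line):
    """Verdict for one log line: 'license-check', 'ioc-domain', 'shape-only'
    or None. Assumed layout: ts client method target status body('-' if none)."""
    try:
        _ts, _client, method, target, _status, body = line.split(" ", 5)
    except ValueError:
        return None  # malformed line
    host, path, query = parse_target(method.upper(), target)
    params = set(parse_qs(query, keep_blank_values=True))
    if body != "-":
        params |= set(parse_qs(body, keep_blank_values=True))
    on_domain = host == IOC_HOST or host.endswith("." + IOC_HOST)
    if on_domain and path == IOC_PATH:
        return "license-check"   # exact IoC URL
    if on_domain:
        return "ioc-domain"      # any contact with the domain or a subdomain
    if LICENSE_PARAMS <= params and path.lower().endswith("/check.php"):
        return "shape-only"      # same request shape elsewhere: low-confidence lead
    return None


def hunt(lines):
    """Return [(client, verdict)] for every line that produced a verdict."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            hits.append((line.split(" ", 2)[1], verdict))
    return hits


# Constructed proxy log lines.
LOG = [
    "2019-01-01T10:00:00Z 10.0.0.5 POST https://tailoredtaboo.com/auth/check.php 200 hwid=AAAA&username=u&password=p",
    "2019-01-01T10:00:01Z 10.0.0.5 CONNECT tailoredtaboo.com:443 200 -",
    "2019-01-01T10:00:02Z 10.0.0.9 GET https://Cpanel.TailoredTaboo.com./ 200 -",
    "2019-01-01T10:00:03Z 10.0.0.7 GET https://licensing.example/api/check.php?password=x&hwid=1&username=y 200 -",
    "2019-01-01T10:00:04Z 10.0.0.8 GET https://intranet.example/login.php?username=bob&password=x 200 -",
    "2019-01-01T10:00:05Z 10.0.0.8 GET https://nottailoredtaboo.com/auth/check.php 200 -",
]

if __name__ == "__main__":
    for client, verdict in hunt(LOG):
        print(client, verdict)
```

The `shape-only` verdict goes beyond the article's indicators: it is a hunting lead in case the licensing endpoint moves to another host, and it will also match unrelated software that happens to use the same three parameter names.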
Generate Macro
To generate a macro the builder is using several parts. The format function shows how each file structure is generated.
The structure is the following:
To save the macro in the malicious doc it uses the function ‘SaveMacro’:
Evasion Techniques
Additionally, it generates random code to obfuscate the content and adds junk code.
The function GenRandom is used to generate random strings, chars as well as numbers. It is used to obfuscate the macro generated.
It also uses a Junk Code function to add junk code into the document:
For additional obfuscation it uses XOR encryption as well as Base64.
Write Macro
Finally, the function WriteMacro, writes the content previously configured:
Under construction
We did also notice that the builder uses additional functions that were still under development, as we can see with the “Script Generator” tab.
A message is printed when we click on it and that indicates it is still a function in development.
Additionally, we can see the “Decoy Option” tab which is just a template to create another tab. The tab does not show anything. It seems the author left this tab to create another one.
Rubella Similarities
Dryad is very similar to the Rubella Builder; many hints present in the code confirm the conversation we had with Rubella. Unlike Rubella, Dryad did have a scrubbed PDB path.
Both Rubella builder and Dryad Builder are using the Bunifu framework for the graphic design.
The license check is also the same function, using the domain tailoredtaboo.com. Below is the license check function from the Rubella builder:
Tailoredtaboo.com Analysis
We analyzed the server used to register the builder and discovered additional samples:
Most of these samples were Word documents generated with the builder.
A quick search into the domain Tailoredtaboo showed that it had several subdomains, including a control panel on a subdomain named cpanel.tailoredtaboo.com.
The cPanel subdomain had the following login screen in the Dutch language.
The domain tailoredtaboo.com has been linked to malicious content in the past. On Twitter the researcher @nullcookies reported in April 2018 that he found some malicious files hosted on the specific domain. In the directory listing of the main domain there were several files also mentioning the name Rubella.
TailoredTaboo.com mentioned on Twitter
Based on all the references, and the way the domain Tailoredtaboo.com was used, we believe that the domain plays a central administrative role for both Rubella and Dryad Macro Builder and can provide insight into the customers of both Macro Builders.
Conclusion
Toolkits that build weaponized Office documents, like Dryad and Rubella, cater to the increasing cybercriminal demand for this type of infection vector. With the arrest of the suspect comes an end to the era of Dryad and Rubella Macro Builder. Based on his activity, the suspect looked like quite the cybercriminal entrepreneur, but given his young age this is also a worrisome thought. If only he would have used his skills for good. The lure of quick cash was apparently more enticing than building a solid long-term career. We at McAfee never like to see young talented individuals heading down a dark path.
Indicators of Compromise
URL / Website:
hxxps://tailoredtaboo.com/auth/check.php
Hash Builder:
Dryad: 7d1603f815715a062e18ae56ca53efbaecc499d4193ea44a8aef5145a4699984
Rubella: 2a20d3d9ac4dc74e184676710a4165c359a56051c7196ca120fcf8716b7c21b9
Hash related samples:
The post McAfee ATR Aids Police in Arrest of the Rubella and Dryad Office Macro Builder Suspect appeared first on McAfee Blogs.
Source author: John Fokker. McAfee ATR Aids Police in Arrest of the Rubella and Dryad Office Macro Builder Suspect. Original post from McAfee. Every day thousands of people receive emails with malicious attachments in their email inbox.
0 notes
webittech · 7 years ago
Text
How I figured out how to quit stressing (for the most part) and love my danger show Lessening protection and security dangers begins with comprehending what the dangers truly are.
I have a sound level of distrustfulness given the domain I possess. When you compose things about programmers and government offices and all that, you basically have a larger amount of incredulity and alert about what arrives in your email inbox or flies up in your Twitter coordinate messages. In any case, my distrustfulness is likewise in view of a discerning assessment of what I may experience in my everyday: it depends on my danger show.
In the most essential sense, danger models are a method for taking a gander at dangers with a specific end goal to distinguish the in all likelihood dangers to your security. What's more, the specialty of risk displaying today is across the board. Regardless of whether you're a man, an association, an application, or a system, you likely experience some sort of scientific procedure to assess hazard.
Risk displaying is a key piece of the training individuals in security frequently allude to as "Opsec." A portmanteau of military heredity initially signifying "task security," Opsec initially alluded to keeping an enemy from sorting out knowledge from bits of delicate yet unclassified data, as wartime publications cautioned with trademarks like "Free lips may sink ships." In the Internet age, Opsec has turned into a significantly more comprehensively material practice—it's a mindset about security and protection that rises above a particular innovation, device, or administration. By utilizing danger demonstrating to recognize your own specific heap of dangers, you would then be able to move to counter the ones that are no doubt and generally risky.
Risk demonstrating doesn't need to be advanced science. A great many people as of now (deliberately or subliminally) have a danger show for the physical world around them—regardless of whether it's changing the locks on the front entryway after a flat mate moves out or checking window secures after a robbery in the area. The issue is that not very many individuals pay any kind of general consideration regarding protection and security dangers online unless something awful has just happened.
That is not from an absence of exertion by bosses and industry. By and large, society burns through billions on data security every year, and it's ordinary for workers of numerous types to experience some sort of advanced security preparing nowadays. In any case, neither the security business nor the media have standardized danger displaying. General society frequently gets besieged with bits of tradecraft (or more regrettable, security "folkways") consistently—every time another malware danger develops, a TV columnist will unavoidably tell watchers that their best insurance is "an unpredictable secret key."
Furthermore, however it's anything but difficult to discover guidance on the most proficient method to "remain safe" carefully, a significant part of the solid counsel doesn't appear to truly stick. Maybe this is on account of that counsel doesn't generally coordinate with the genuine needs of the general population searching for it.
"There's a considerable measure of stuff going on, and we as technologists tend to hop to exhortation like 'utilize Signal' or 'utilize Tor' without asking, 'what is important to you?'" said Adam Shostack, who created apparatuses and approachs for engineers to do danger displaying for their product while at Microsoft. Shostack built up the CVE standard for following programming vulnerabilities and is presently a free creator, an expert, and an individual from the Black Hat Review Board.
Demystifying the danger demonstrate
As of late, Shostack has been working with the Seattle Privacy Coalition (SPC) on a protection risk demonstrate for the general population of Seattle in view of Shostack's way to deal with danger displaying for programming designers. Proposed to demystify danger demonstrating for normal individuals, Shostack's summed up approach comes down to a group of four of inquiries:
What's going on with you? (The thing you're attempting to do, and what data is included.)
What can turn out badly? (How what you're doing could uncover individual data in ways that are terrible.)
What are you going to do about it? (Recognizing changes that can be made in innovation and conduct to keep things from turning out badly.)
Made you do a decent showing with regards to? (Re-evaluating to perceive how much hazard was diminished.)
What Shostack's approach doesn't straightforwardly address are the particular wellsprings of dangers to protection and security. That is something Shostack doesn't see as being especially useful, since that piece of risk displaying isn't really something the normal individual can manage. "Advising individuals to be on edge all the time does minimal great," he said.
Yet, other security specialists Ars talked with felt that understanding what sorts of dangers a man is well on the way to experience is a key piece of building an individual risk demonstrate—one along the lines of the Electronic Frontier Foundation's five-question structure:
What would you like to secure? (The information, interchanges, and different things that could cause issues for you if abused.)
Who would you like to shield it from? (The general population, associations, and criminal performing artists who may look for access to that stuff.)
How likely is it that you should ensure it? (Your own level of presentation to those dangers.)
How terrible are the outcomes on the off chance that you fall flat?
What amount of inconvenience would you say you will experience with a specific end goal to attempt to keep those? (The cash, time and comfort you're willing to get rid of to secure those things.)
I've endeavored to combine the two methodologies above into an arrangement of ventures for the normal mortal—or if nothing else, for somebody helping the normal mortal. The Ars Threaty Threat Assessment Model (or, as a few perusers have requested, the Ars Threaty McThreatface Assessment Model) presses everything into three compound inquiries and a cleanser bottle guideline:
Who am I, and what am I doing here?
Who or what may attempt to upset me, and how?
What amount would I be able to remain to do about it?
Do this process again.
For the TL;DR, you could skim ahead to "what amount would I be able to remain to do about it?" But with dangers continually changing and advancing, helping individuals initially see how to evaluate their dangers prompts better security in the long haul contrasted with only after a speedy arrangement of tips. It's the instruct a man to angle approach, and it begins with a straightforward inquiry.
Who am I, and what am I doing here?
Your identity, what you are doing, and where you are doing it are for the most part main considerations in figuring out what dangers you confront. For example, measurements demonstrate your danger of biting the dust in an auto collision is drastically lower when you're sitting in your family room. Electronic dangers to your security, individual, and fortune will be diverse in light of your identity and what you do—and what you have done previously.
Where you work, your social and political exercises, your reputation, social associations, travel, and different figures all play your risk demonstrate, as well. Such attributes present diverse arrangements of potential dangers to your security and protection, and these qualities could draw in various sorts of potential enemies.
Obviously, a few exercises welcome hazard all by themselves in view of the sort of data being uncovered. In the realm of risk demonstrating, these are regularly alluded to as "resources"— the vital snippets of data you need to use in a movement however at the same time need to secure:
Mastercard information: yours, or (on the off chance that you offer stuff) a customer's.
Managing an account information: account numbers, steering numbers, e-keeping money usernames and passwords.
Expressly distinguishing data: Social Security number, date of birth, wage information, W-2s, visa numbers, drivers' permit or national ID numbers.
Protected innovation: like that treatment for an Ars activity motion picture I've been taking a shot at.
Delicate individual or business data and interchanges: messages and messages that could be utilized to humiliate, shakedown, or detain you.
Politically touchy data or exercises that could get you stuck in an unfortunate situation with your manager, the administration, law requirement, or other invested individuals.
Excursion designs that could be utilized to target you or others for misrepresentation or different types of assault.
Different business or individual information that are monetarily or sincerely fundamental (family computerized photographs, for instance).
Your personality itself, in the event that you are attempting to remain unknown online for your insurance.
Snippets of data that could be utilized to uncover your benefits are similarly as fundamental to secure as the advantages themselves. Individual true to life and foundation information may be utilized for social designing against you, your companions, or a specialist co-op. Keys, passwords, and PIN codes ought to likewise be considered as important as the things that they give access to.
Other "operational" data about your exercises that could be abused ought to likewise be considered, including the name of your bank or other money related administrations supplier. For example, a lance phishing assault on the Pentagon utilized a phony email from USAA, a bank and insurance agency that serves numerous individuals from the military and their families.
0 notes
furynewsnetwork · 8 years ago
Link
By Richard Pollock
Former Director of National Intelligence (DNI) James Clapper’s creation of a cloud-computing platform in 2013 made it far easier for officials like former White House National Security Advisor Susan Rice to ‘unmask’ individual Americans without creating a digital paper trail leading back to her, The Daily Caller News Foundation’s Investigative Group has learned.
Clapper’s system enabled tens of thousands of government officials to share previously off-limits intelligence information, according to knowledgeable officials who tracked the cloud-computing initiative of the former DNI under President Barack Obama.
Commander Jennifer E. Dyer, a 21-year naval intelligence officer, told TheDCNF that Clapper’s effort dramatically altered the rules that previously barred access to phone records of U.S. citizens unless there was prior approval following rigorous National Security Agency (NSA) review.
NSA can compile phone records of American citizens talking to foreign officials under Section 702 of the USA Patriot Act. It allows the spy agency to legally eavesdrop on innocent American citizens who are inadvertently swept up in telephone conversations with foreign officials. NSA can keep the records for as long as five years.
The 702 provision expires at the end of the year unless Congress reauthorizes it. Citizens normally are referred to as “American A” or “American B” in the 702 reports. The names are “masked” from intelligence officials.
Dyer says that all changed after Clapper’s cloud computing system was put into place.
“After the technology had changed and the workplace policies had changed, basically that access was based on ‘user permissions’ that would allow you to look into the database itself. You didn’t have to ask anyone at NSA to retrieve the information,” Dyer said.
“As long as the permissions on your user account were such that you were certified to have access to that information, then you could go in and get it yourself,” Dyer said. “A key aspect of cloud technology is that to do that retrieval, you don’t have to set up the whole line of an ‘audit-able’ chain.”
Clapper served as Obama’s DNI from 2010 to 2017, and in 2011, he set into motion wide ranging “reforms” that sought the creation of a cloud computing platform tied to Intelligence Community IT Enterprise, or ICITE.
“IC Research,” another Clapper innovation, also permitted greater intelligence agency collaboration within the cloud. Clapper justified his move in the name of improving information-sharing among intelligence officials and breaking down barriers between agencies, a policy encouraged following the Sept. 11, 2001, terror attacks.
But Clapper’s changes lowered security standards for sharing NSA and CIA intelligence data. Many top intelligence officials were enabled to access raw intelligence about U.S. citizens as a result.
Obama also pushed for more aggressive information sharing in the final days of his administration when he authorized all 17 U.S. intelligence agencies to access raw NSA data through Executive Order 12333. He amended the Reagan era executive order Jan. 3.
Auditing unmasking actions to determine who received individuals’ names is also made more difficult with cloud computing, according to Dyer.
Earlier this year, retired Lt. Gen. Michael T. Flynn was unmasked, and his name was leaked to the media. He briefly served as President Donald Trump’s national security advisor before being fired for misleading Vice President Mike Pence about a conversation with Russia’s ambassador to the U.S.
The number of Section 702 American citizen “targets” since Clapper’s system began in 2013 has surged from 89,000 to 106,000 in 2016, a 19 percent increase according to a 2016 report from the former DNI’s office.
Similarly, the number of intelligence community employees who share information now exceeds 50,000, compared to only 9,000 in 2014, according to Kendrea DeLauter, IC Desktop Environment Joint Program Manager at the Defense Intelligence Agency (DIA).
Ashley Gorski, an ACLU staff attorney for its National Security Project, told TheDCNF the standards for surveillance and unmasking of private citizens are too low.
“Seventeen different agencies shouldn’t be sifting through Americans’ emails without ever obtaining a warrant,” Gorski said. “The standard for unmasking someone’s identity in these intercepted communications is a low one, and the risk of abuse is real.”
Retired Col. James Waurishuk, who twice served on the National Security Council, told TheDCNF security precautions under the Clapper system were “diluted because more people now had more access.”
Waurishuk believes it will be difficult to trace Rice’s unmasking requests as she sought the information from subordinates. “Susan Rice is not going to be sitting there, reading thousands of intercepts,” he said.
Dyer agreed, saying “Susan Rice is not going to have any literal IT involvement. I’m sure it’s the worker-bee who did the actual work.”
Waurishuk, who is the vice president of OPSEC, an advocacy group for former Special Forces and intelligence officials, believes Rice was emboldened given that the cloud system reduced a digital paper trail.
“Because they knew they were doing illegal stuff, the last thing they want to do is have a paper trail.  I think they never believed they were ever going to get caught,” he told theDCNF.
Clapper’s new system of “collaboration” for intelligence officials met resistance from some within the intelligence community. Gregory Treverton, who was National Intelligence Council chairman under Clapper, conceded in a January 2016 report that many intelligence officials believed some of the information-sharing went too far.
He said many intelligence officials complained there were “too many,” attempts at collaboration.
Clapper’s $600 million contract for the new system met fierce opposition from other high-tech companies when it was awarded to Jeff Bezos’ Amazon Web Services. The rivals charged that Bezos received preferential treatment.
The Government Accountability Office (GAO) upheld a protest IBM and another unnamed firm submitted in 2013, and the agency ordered the bid reconsidered.
Clapper failed to evaluate prices comparably, and he waived a bidding requirement only for Amazon, according to Ralph O. White, managing associate general counsel for procurement law at GAO. AT&T and Microsoft also filed complaints about the Amazon win.
Judge Thomas Wheeler of the U.S. Court of Federal Claims ruled in favor of Amazon’s request for judgment in October 2013.
The activist group, RootsAction.org, collected 15,000 signatures in a petition drive, complaining “Amazon’s offer wasn’t the low bid, but it won the CIA contract anyway.”
Bezos is a well-known liberal who owns the Washington Post. He hired former Obama White House Press Secretary Jay Carney as a top executive in his company.
Copyright 2017 Daily Caller News Foundation
The post Obama/Clapper Intel ‘Reforms’ Helped Rice ‘Unmask’ Americans appeared first on The Libertarian Republic.
via Headline News – The Libertarian Republic
0 notes
paranoidsbible · 6 years ago
Text
Windows Special One – B: Physical Security
===Windows Special One – B: Physical Security===
Non-profit and free for redistribution
Written on June 21st | 2018
Published on August 19th | 2018
For entertainment and research purposes only
++++++++++++++++++++++++++++++++++++++++++++++++++++
DISCLAIMER
The Paranoid's Bible and its writers hold no responsibility for the acts of others.
The Paranoid’s Bible is for research and entertainment purposes only.
Please visit our blog for more PDFs and information: http://www.paranoidsbible.tumblr.com/
++++++++++++++++++++++++++++++++++++++++++++++++++++
===Preface===
One of the most highly ignored points of privacy and security for anyone is the physical security and location of someone’s tech. It doesn’t matter if you air-gap your rig, have a safe for your tech, or simply remove the HD and ram due to the simple fact that if you aren’t actively working on securing your tech and adopting certain practices, you will trip up in the long run. This is why this supplementary guide was created – to help better explain some points within Windows 7 Special 1.
+++++++++++
===Old Tech is Best Tech===
Old tech (2009 or older) is preferred for anything deemed important where OPSEC, activism or projects (you don’t want out) are concerned. In general, older tech is needed when you don’t want a backdoor on your system at the hardware level. You’ll also want to do your research before purchasing anything off the internet, however remember that governments are known for hijacking deliveries and implementing their own malicious software or substituting the hardware for their own backdoored tech. This means basically that your best bet is to start scrounging around secondhand shops, rummage sales, estate sales, and the classifieds to find any old tech you can buy on the cheap (with cash). Buying old tech this way is also beneficial in the sense that you don’t have anything of yours (info wise) tied to its purchase, ergo another area of exposure covered. This isn’t to say you can’t build yourself some tricked out and maxed out gaming rig, but you need to practice some restraint and look toward compartmentalization.
The gaming rig should be used only for things like gaming, various forms of media and entertainment, and non-serious surfing. A second rig for your more serious items, like banking and purchasing items online while yet another rig is used for extremely serious matters that can be correlated to things like activism, research or whatever you don’t want people knowing about.
===Remember this:===
Don’t have two rigs on at the same time – if one rig is on, all others are to be turned off and not connected to any wires at all. This is to prevent potential time correlation or logins being tracked at the ISP level or if there are potential infections like keyloggers or anything similar. Your network, again, should always be hard wired and one rig connected at a time.
===Note:===
Stay away from INTEL and NVIDIA at all costs for non-entertainment based machines.
+++++++++++
===Compartmentalization and Computers===
As we stated above and in the guide that this one supplements: Compartmentalization is needed. It’s quite a basic thing to grasp and commit to once you understand what you want VS what you need. If you’re going to be streaming, watching stuff online, do day-to-day browsing (non-serious login), participate on sites like Reddit or Tumblr, or things like gaming then a decoy/normie rig can be made with modern hardware and even modern software if you observe the needed tweaks, modifications and security protocols. However older hardware should be used for “disposable” or “burner” rigs that are created specifically for things like activism, surfing non-surface sites (E.G: Sites you can only access with software or VIA knowing the address), porn usage/viewing…etc This isn’t to be confused for purpose-made rigs, like a rig dedicated for the creation of art (Completely offline, files transferred VIA USB or external HD after being sanitized) which would lessen potential cross contamination.
Another example of purpose-made rigs would be a rig created specifically for taxes and online banking, usually done VIA a laptop with its wireless disabled and microphone(s) and camera(s) disabled too. This way it can’t connect to Wi-Fi networks or be used as a “remote viewer” on its user(s). Purpose-made rigs usually are use-as-needed items that are offline or (temporarily) disassembled (E.G: Removal of ram, battery and HD) until its next use. Simply think of paying bills online, however to avoid potential cross contamination or infection or even interference from modifications, the purpose-made rig for banking and bills is used only for that. No games, movies or any real modifications to the browser – just banking and bills. Practice this VIA setting up rigs for specific tasks (Online shopping | Banking | Entertainment) and soon you have less to worry about as not everything is sitting on one rig. The decoy/normie rig for entertainment will be the one seen usually online the most often and would be targeted if you ever get raided, warranted or whatever else for whatever reason whereas your other rigs were hopefully safe offsite or hidden out of harm’s way. Of course the biggest issue with purpose-made rigs is judging what is and isn’t needed. You don’t need a high-end graphics card or sound card, and rarely need anything over a dual-core for taxes, paying bills online and simple tasks when compared to a rig set for entertainment or constant surfing online (usually for research or streaming) but that doesn’t mean each rig has to be purpose-made from the ground up. If you have an old rig laying about or buy one that’s near complete, a few simple modifications to it will suffice.
===Note:===
Don’t forget that security must also be taken into consideration for each rig, as should settings. Always be aware what you’re doing with each purpose rig, especially settings.
Just because one setting is needed for one rig it might not be for another rig due to interference with tasks or performance.

+++++++++++
===Decoy Computing Explained===

We’ve used and explained the term a few times already but we feel the need to further expand upon what we mean when we say: Decoy Computer

A decoy computer/rig is quite simply a modern-tech built rig. It’s a computer made with modern tech and a modern operating system. It’s used mainly for entertainment purposes and general browsing practices. This is the rig your ISP, and any others who watch, will notice using your connection the most. Be it VIA the MAC address or some other form of ID, the decoy rig will be the main rig that’ll be sought after if you’d ever do anything to attract attention to yourself.

The decoy rig is also the one that’s considered the most disposable as it’ll most likely be the most aesthetically pleasing to those who see it which means that if you have someone break into your house then that rig will most likely be targeted, thus leaving the other rigs hopefully alone.

You should, honestly, go “hog wild” and enjoy building the decoy rig. Make it how you want to do what you want, however since it’s modern hardware and software NEVER use it for anything but entertainment and nonsensical browsing or research. NEVER store anything of importance on this computer. DO follow proper OPSEC and INFOSEC when using it, and remember to use common sense. Secure the rig as much as possible which means, yes, do use encryption and other viable security options.

This rig is ultimately used for pleasure and is set up in such a way that it’ll be seen as the one worth money or of main use which should mean that it’ll be the one most sought after or taken in case of theft. The decoy rig is an important part of physical security as it helps distract people from searching further into your home. So, yeah, it should be in plain sight and insured to cover costs if stolen or taken.
+++++++++++
===Physical Security & You===

So we’re not boring you with more chapters we’ll be making a list that’ll help you figure out what you need to do or can do to secure your technology and rigs. This physical checklist should help even the most amateurish individual step up their game and ensure kerfuffles are kept to a bare minimum.

---Things to Remember---

• Don’t fall for the gate keeping and memes concerning towers.
You don’t need an expensive, supposedly high-end tower meant for gaming or with a see-through panel. You only need to worry about air flow, having enough space for your hardware, enough ports for fans, and be able to actually get your hands inside to work on it. If you want a high-end “gaming rig,” and plan to buy such a fancy tower be aware that those will be targeted more often than a “plain” tower.

===Remember this when purchasing any tech:=== Fancier it looks, or more aesthetically pleasing, or in trend the more likely it’ll be targeted by thieves, exes, or untrustworthy individuals.

• If it shines, it might as well be gold.
Again, one of those things that attracts unwanted attention is lighting. If you add excessive lighting (especially fans that “glow”) you attract attention. Even if you own a cheap and nearly disposable rig, the lights on fans or other pieces of hardware that glow/light-up will attract the attention of people. If someone were to break into your home, see your rig and look through the side and see lights they’ll most likely assume it’s worth more than what it truly is because of the aesthetics alone.

• If you find it tedious, then so do they.
Simple things like the purchase of a pillowcase, or protective sheet, used to cover your monitor and/or tower (when unplugged and cable(s) removed) as a “protective measure” from dust or dings while away or not in use will tend to annoy people to the point of ignoring said items. It also displaces your tech, in a sense, through a simple disguise.
While not truly effective in preventing theft or as a true disguise, it’ll dissuade people from trying to use or poke around your tech simply due to the fact that removal and exact (re)placement of everything will take some work. People are lazy, exploit that.

---Basics---

• Configure Bios
- Enable your bios password to prevent unauthorized entry and to prevent changes to bios (This is your first password).
- Ensure the desktop boots from the hard drive only, never diskette, USB or CD-rom drive.
- Disable all cache options.
- Prevent and/or disable all express (gate) or instant online boot-up settings.

• Passwords & Encryption
- Encrypt your system (Usually your second pass).
- Enable your system pass (Your third pass).
- Enable your computer to automatically lock for you if not in use (E.G: Screen saver password option).
- Always lock your computer when not in use or leaving it for a few minutes.
- Always shut down your rig when not in use for extended periods of time.
- Do NOT use a password manager or any sort of password saving abilities. This will allow people to gain access to your system and/or accounts, especially if saved VIA a 3rd party service or on your rig. This is mostly due to risk of exploits or leaks.

• Check your rig
- Does it have built-in preventative features?
- Alarm or prevention to start if case is open?
- Slot to lock the case VIA a padlock to prevent it from being open?
- Can you at least modify it to secure it to another object?

• Cable locks
- Avoid using the adhesive and insert items that come with the lock. Actually cut a hole on the bottom of your rig or the top (if there isn’t a slot available for the explicit purpose of physically locking your rig) and thread the lock through it. Attach to an anchor, or even through an eyelet drilled and epoxied into your floor or wall. This will act as a deterrent and prevent most grab and runs besides acting as a way to frustrate people who try to seize your tech.
• Avoid wireless/Wi-Fi/smart gadgets
- If it can access the internet, or you can access it over Wi-Fi it'll be a potential hazard.
- Literally don't use any wireless network.
- Look into a centralized Wi-Fi and/or cellular blocker for your home.
- Or look for signal blocking alternatives such as a faraday bag or fabric (Place individual items in the bags or line a trunk or locker with the fabric and store items there).

• Remove peripherals when not in use.
- Think of this as lessening your chance of people trying to use your devices when you’re not there to monitor them.
- Placing something like the keyboard in a drawer under clothes or other items being one of the most basic moves.
- The same applies to any input device like a mouse, camera or microphone. If you can unplug and remove it from your tech, then do so.

• Prevent use of your keyboard
With enough practice, most people can use a QWERTY board without even looking. If you can get to this point in your usage, then look into buying stickers to cover the characters on your keyboard (some blank stickers exist for this but match to your colors). You can use a sharpie if it matches exactly the color of your keyboard or you can purchase keyboards with the keys already blank.

If you’re an enterprising individual, buy “translator stickers” of non-Western characters for your keyboard. It’ll deter people and make them assume your computer isn’t in “English” however blank keys are preferred.

Note: If you want to make things harder, you can buy an ABC keyboard where the characters are “in order” of the alphabet. Learning to use this by muscle memory and using blank stickers can actually cause would-be users to have such a fit of rage that they may just shove the keyboard through the wall or break it.

• Location, location, location...
- Position your desk, rig and monitor so others can't see them
- Ensure they aren't visible from windows (or install privacy film - https://www.amazon.com/Frosted-Privacy-Window-Film-Treatment/dp/B06X3XDQQ4/) and blackout curtains.
- If it’s in sight, it’s in mind. If you have your computer or tech directly in your room or out in the open in another room, and people can see it, then it’ll be in thought. If you own or rent your living space, then look into using a room that isn’t at the front of the house and/or where you sleep. Try putting it in the middle or near the back, to avoid it being snatched up in a smash and grab or by a desperate individual/relative/roommate. If it has to be in your room, then ensure it’s seen as “unusable” VIA the above basics and some minor modifications (when not in use) like removal of the power cable or important parts like the HD.

• Know your neighbors
- Are they potential allies or potential threats?
- Can you befriend them and ask them to help keep an eye on your place?
- Do they have surveillance on their property, like cameras?
- Can these also be used to check yours?
- Are they too curious or not interested enough in the area?

• Sanitize your work area
- Always tidy up and have a lockable container for anything and everything
- Always store these lockable containers in a larger lockable container, like a locker, chest or safe
- Get a lockable filing cabinet, disguise VIA a sheet or something similar to make it appear like a piece of furniture (E.G: Like an end table)
- Always file papers away, no matter how small (E.G: Even a post it note)
- CDs, DVDs, USBs, external HDs, internal HDs...etc all need a secure place to be stored.
- Be it a storage locker or case for HDs, or a small personal safe that can be stored under a bed.
- You'll need something to store everything (Remember: A place for everything and everything in its place).

---Stepping up your Game---

• If you can avoid using it, then do so.
If you don’t need it for business or school, or work, then avoid excessive frivolities like webcams and microphones. Even something as small as an RGB strip could lead to issues down the line, especially if it’s from some unverified source or a cheap knockoff being sold online. There are exploitations everywhere, especially when it comes to items that can be “plugged” into your tech.

===Remember:=== Not everyone needs a webcam, microphone or a high-end monitor with built-in speakers.

• Lack of plugs equates lack of interest.
Relying on ignorance and laziness of others, the removal of cables tends to put people off of investigating tech. This is doubly so for computers and monitors. If it doesn’t have the cables, it must be broken or not working. This is the line of thought for many, especially for those who seem like they know what they’re doing. This helps prevent energy waste, potential damage from brown/blackouts and really dissuades people from randomly grabbing things when desperate or looking for something that’ll make a quick buck.

• Unplugging, removing and storing external memory devices when not in use.
It doesn’t matter if the device is encrypted or not. Given enough time, someone, somewhere will be able to decrypt it and dig into your information, or at the very least destroy it so you can’t access it. If you’re not actively using or don’t plan to use it while logged into your devices – REMOVE IT AND PUT IT AWAY! Get a storage case or a protective case, place the external device inside and hide it. Out of sight and potentially out of mind of most people.

• Purchase and anchor a trunk or cabinet/locker with a built in lock or install a lock onto it.
- Anchor to floor or wall
- Important items should be placed here.
- Lock it, if it doesn't have a lock install one

• Install locks on drawers
- Install rubber sheets on your desk and drawers to lessen static and dampen vibrations
- Now that your drawers are semi-safe, install locks on them and move smaller items into said drawer

• Purchase cases and locks
- Much easier to steal the HD than it is to take the entire thing
- It also pays to have a storage case + lockable case to store said storage case in
- Use both cases to secure and lock your HDs when not in use
- Pain to do but worth it in the long run

• Remember: HD cases are a long con.
If you’re ever away for an extended period of time, you may appreciate the use of protective shells or cases for your HDs. This is mostly due to the fact that, if you’re going to be gone for more than a day, then the removal and storage of your HDs will pay dividends in the long run VIA the decreased risk of losing the data stored on them. While not a day-to-day maneuver for most, it’s something worth remembering and doing if you’ll ever be gone for extended periods.

• Store and hide backups
- Pack up the backups, if they can't steal anything else these could be their next target.

• Disable drives while away
- Remove your drives - or purchase a "drive lock" for your various drives.
- The simpler solution is to remove the power cable or SATA cable to prevent use.
- Some people use glue to kill their USB ports too.
- Or you can buy some cheap USBs and make a small, nearly unidentifiable colored mark on a part of it and "color code" your ports to know when they've been moved or used.
- Literally double check your ports and plugs before starting up your rig.

• Check the PB's home security guide
- Gives you ideas on how to better secure your abode
- https://paranoidsbible.tumblr.com/post/156566985089/home-security-and-you
- Install locks on the room(s) you plan to have your computer(s) and tech in.
- When not in use, unplug everything and ensure nothing electrical is running when you lock the room.
• Prevent Dumpster Diving
- Collect all scrap metal (Aluminum, tin, steel...etc) and wires to be taken in yourself (plus you gain a bit of cash).
- Dismantle first, separate second (scrap, recycle, throw away...etc), throw away and recycle last (this allows you to see the inner workings, which is pretty cool and gives you some knowledge) besides allowing you to destroy what you can.
- Deface (color, paint...etc), shred, then burn or mix in with the trash (especially animal waste) any and all paper items or similar items (receipts, old documents…etc).
- Take your bins into your garage or yard (if possible) to prevent digging.
- Separate your trash and recycling to be on the safe side (enough fines or tickets, authorities might dig/investigate).
- Peel off the paper/wrappers from cans and bottles (to prevent identifying what you eat or drink) and wash out any containers you can too (helps prevent potential mishaps to those who work at the recycling plants and also prevents their machines from choking on loose debris). This is to further prevent people from digging or guesstimating your habits.
- Invest in a composter. The less trash and items you throw out, the less chance of people digging or being interested. This is also a good way to lessen waste in dumps.

---Time for Escalation---

• Mobile proximity alarms
- While not usually used by civilians, it's a good method to spook would-be thieves. Depending on the alarm, some will set off a physical alarm while others alert you VIA email or text. You want to opt-in for the ones that have a physical alarm that is both separate and built-in (or whichever is best for your needs). This way, once it's removed from a specific area it'll alert not only you but others nearby.

• Set up surveillance
- Install both false and legitimate cameras to confuse would-be thieves.
- Look for "spy cameras" or "micros" that are small enough to hide around the area where your computer(s) and tech are installed.
• Look into storing your printers
- Many of today's printers store document contents in their own on-board memory.
- If your printer is stolen and used in a crime, it could be tied to you until you’re proven innocent.

• Know where your lines are
- Where are your cable and phone lines?
- How are they connected to your abode?
- Is there an outside hook up or is it inside?
- Can you check easily for taps or bugs put by a 3rd party (ABCs have better toys, this is more aimed at snoops)?
- Can you access these easily to prevent the need for a repairman (fixing breaks at or inside the house level)?

+++++++++++
===Air Gapping Further Explained===

As we stated previously, the civilian version of air-gapping isn't as involved or complicated however it can be depending on your needs and wants. This is why it's such an important step in any anti-forensic setup, and even if you aren't into anti-forensics it's still good to take up simply to ensure your systems stay safe. The biggest thing that we'll be discussing in this chapter is the various things that you can do to bolster your air-gap setups besides what was covered in the other guide(s).

First things first however, we have to state that this guide won't cover Faraday cages. That will be its own guide later on.

So, just to refresh your memory and to summarize air-gapping: It's a security measure where one isolates a computer and/or a network to prevent it from connecting to the internet or forming any sort of external connection. Simply put, a segregated system incapable of connection to anything be it wirelessly, wired or through any other means. It's a system that can only be accessed by an entity in person. You have to be physically in the same room to operate the machine.

Depending on the severity of the security plan, some systems require a certain amount of space between it and any internet capable devices.
Other plans require no hardware or tech that can receive or send signals within the same building whereas there are those that use faraday cages and "grounded rooms" to prevent anything entering or leaving the room without full knowledge by security. Such extremes are due to Van Eck phreaking, light transmissions, and similar exploits. The biggest threat, though, is the end-user. If the end-user isn't privacy or security conscious then any measures might as well be null and void.

We know it seems like a mess, however using what you've learned from this guide and various other guides you'll be able to prevent a lot of potential trouble and harm to you, yourself, your tech and those around you. Many leaks don't make it to the public due to people not learning proper anti-forensic and physical computer security methods and knowledge.

An air-gapped rig is useful, even if it's just to store backups or to create various graphical works like art or posters to lessen potential contamination and meta-data. Simply put: An air-gapped machine is similar to a viewing station at a library. You can review sensitive files, however unlike a viewer you can modify, edit, save, backup and generally do whatever you want to files on this neutered machine.

It's also a good point to make that certain individuals use air-gapped machines to ensure their own code and projects don't get stolen or spied on.

Now onto the list.

> Encryption
- If it can be encrypted, encrypt it

> Prevent internet access
- Literally the most basic concept for an air-gapped rig
- No internet, ever.
- To scan files before transferring between rigs, create a "clean rig"
- A "clean rig" is a rig specifically meant to be updated and connected only to the internet when you update security software
- Using the "clean rig," you can scan files before transferring them to an air-gapped rig
- This is to prevent a Stuxnet-like scenario besides preventing connections to the air-gapped rig
- Remember: Software and hardware have backdoors and exploits, always ensure the rig(s) for air-gapping never touched the internet
- Look up Cottonmouth-I to see what the NSA has been doing

> Use a desktop where possible
- Desktops are easier to configure on a hardware level
- They're also easier to modify to your needs
- If you must use a laptop or netbook, physically remove all wireless hardware

> Keep it off if not in use
- Don't turn it on if you're not using it
- Always remember to shut it off
- Never have an air-gapped rig near anything that can connect to the internet
- If you're going to be away from the rig for a few minutes, remember to lock it

> If you're using a rig meant to be offline or as a file backup
- Use glue to destroy built-in Ethernet
- Remove or disable the network interface card (NIC)
- Some people who're more handy have actually modified their mom boards to permanently prevent internet access

> Turn off all audio
- Remove sound cards
- Disable microphones and speakers
- Look into Michael Hanspach and Michael Goetz, two people who found it possible to transmit data VIA sound sent through microphones and/or speakers.

> Less peripherals, more security
- Less is more when it comes to air gapping
- Keep air gap rigs purpose built
- Look up Yuval Elovici and Moti Guri and their research and what they did with light alone.
- Moral of the story: Keep air gapped machines out of sight ensuring it can't be seen by literal outside parties.

> No cards, please.
- Unless the air gapped machine is purpose built, keep cards out
- No graphics
- No USB (save for built in ports)
- No Sound
- No Ethernet
- No cards. Period.

> Keep all wireless objects away from air gapped machines
- No Wi-Fi
- No Cell phones/smart phones (remove batteries when not in use)
- No radios
- Everything that can broadcast or receive should be kept away
- Again, look up the research by Mordechai Guri and Yuval Elovici.

> Invest in background noise
- Laser microphones can and have been used to listen in on people
- This means that if someone was so invested to do so, they could try listening in on your keyboard's clicks
- Either modify your keyboard or purchase a clickless board
- Invest in heavy blackout curtains
- Also invest in a white noise machine (or crank up some loud music or a fan or air purifier)
- It's also a good idea to use a dry erase board or chalk board (kept out of sight) to communicate with people near your air-gapped machine
- Look into purchasing one of these even - https://www.amazon.com/Shomer-Tec-SHLSD-Laser-Surveillance-Defeater/dp/B00ABV7J0C/

> Tint your windows
- As stated previously above, buy security/privacy film for your windows
- Invest in blackout curtains

> Research your monitors
- Look into using privacy film for your monitor(s)
- To prevent Van Eck phreaking avoid tube/CRT monitors
- Invest in a newer monitor but after you ensure it's only a monitor
- Avoid anything with wireless, Bluetooth or any other sort of connectivity outside of a hardwire connection
- Look into privacy screens/films (measure carefully and find the one best suited for you)
- https://www.amazon.com/Akamai-Office-Products-Diagonally-Measured/dp/B071F8XS2P/

> Monitor who comes and goes
- Just like any business or enterprise, you too are at risk from a disgruntled individual
- If you don’t monitor the access to your air-gapped tech, anyone can make an entire backup of it
- If they don’t need access to it, then don’t allow them access to it

> Remember the 3… 2… 1… backup strategy
> 3 backups
> 2 on different media
> 1 stored offsite
> Always encrypt these backups

+++++++++++
===Ghetto Camouflage===

While not the most politically correct term, it is however one of the more well known names for the tactic at hand – Compromising the aesthetic appeal of an item in order to camouflage its worth and value so that it isn’t targeted or seen as a profitable grab.

This is usually done through the marring of an item’s outward appearance VIA superficial means, like aftermarket “rust” stickers or through the chipping or breaking of non-essential corners. Some simply remove decals and labeling to make the item look more generic however regardless of what you can or should do, we will take it up a step and explain several ways to accomplish the above tactic.

• Hide in plain sight
Purchase old Dell or Gateway towers (think of those old beige ones) to place your hardware into. Not only unsightly but also usually looked over and almost instinctually known to be “worthless”. With some slight modifications, you can easily fit modern hardware into these towers and they’re cheap enough to be used as disposable towers that you can sticker bomb or modify to your heart’s content.

• Sticker Bombing
Take a disposable tower or one you don’t care about and cover it head-to-toe in vinyl stickers. Cheap, effective and if you happen to get a few “Waifu” or “Anime tits” stickers from a grab bag bought online, it’ll only further steer people away from going after your tech. The more “weebish” or out there the better, however any bag of vinyl stickers will work. Check Amazon for cheap quantities to buy without breaking your wallet.

• Alternative towers
Some enterprising people will convert items like hat boxes or an old TV set into a tower for their hardware.
Most people won’t suspect a boot or literal toaster, however because of the uptick in these mod-towers there are now videos and websites dedicated to creating them and sharing tips/tricks on how to accomplish certain tasks. So, while a decent measure it may be a temporary one as the trend continues.

• Blemishing
Previously mentioned above, the act of blemishing usually revolves around the act of degrading the aesthetic appearance of an object VIA superficial means, like cracks, chips, rounding corners, adding scratches or simply removing decals and some details. The entire point is to make something that ultimately works like it is brand new yet looks like it’s old and abused.

+++++++++++
===Afterword===

While just the basics, there is so much else one could do to physically lock down their rig and miscellaneous tech, however it becomes greatly complicated the further you research what you can do. This is why we stuck to the basics with a mixture of corporate and government tactics. The biggest advantage is basic INFOSEC and OPSEC to ensure you don’t say or do the wrong thing in front of parties not in the know.
6 notes · View notes
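The air-gap checklist in the post above, as an added example that is not part of the original guide: a Python audit that flags network interfaces, radios, sound cards and missing disk encryption on a rig that is supposed to be air-gapped. The Linux sysfs/procfs paths, the dm-crypt (LUKS) assumption and every function name are this example's own, and the sample tree it can build is constructed.

```python
"""Audit a Linux rig against an air-gap checklist (added example, not the guide's code)."""
import sys
import tempfile
from pathlib import Path


def _read(path):
    """Return stripped file contents, or '' if the file is missing or unreadable."""
    try:
        return path.read_text(errors="replace").strip()
    except OSError:
        return ""


def _entries(path):
    """Sorted directory entries, or an empty list if the directory does not exist."""
    return sorted(path.iterdir()) if path.is_dir() else []


def audit_airgap(root="/"):
    """Return (check, detail) findings; an empty list means nothing was flagged.

    Assumption: Linux sysfs/procfs layout and dm-crypt (LUKS) disk encryption.
    """
    root = Path(root)
    findings = []

    # "No internet, ever": any interface other than loopback is a finding.
    for iface in _entries(root / "sys/class/net"):
        if iface.name == "lo" or not iface.is_dir():
            continue
        kind = "wireless" if (iface / "wireless").exists() else "wired"
        state = _read(iface / "operstate") or "unknown"
        findings.append(("network", f"{iface.name}: {kind} NIC present, state={state}"))

    # "Keep all wireless objects away": rfkill lists each radio the kernel knows.
    for radio in _entries(root / "sys/class/rfkill"):
        rtype = _read(radio / "type") or "unknown"
        findings.append(("radio", f"{radio.name}: {rtype} radio present"))

    # "Turn off all audio": a registered sound card means mic/speaker paths exist.
    for line in _read(root / "proc/asound/cards").splitlines():
        fields = line.split()
        if fields and fields[0].isdigit():
            findings.append(("audio", "sound card: " + line.strip()))

    # "If it can be encrypted, encrypt it": expect at least one dm-crypt mapping.
    uuids = [_read(dev / "dm/uuid") for dev in _entries(root / "sys/block")]
    if not any(u.startswith("CRYPT-") for u in uuids):
        findings.append(("encryption", "no active dm-crypt mapping found"))
    return findings


def build_constructed_tree(base, compliant):
    """Create a constructed (fake) sysfs/procfs tree under base for demo and tests."""
    base = Path(base)
    (base / "sys/class/net/lo").mkdir(parents=True)
    (base / "sys/block/dm-0/dm").mkdir(parents=True)
    (base / "proc/asound").mkdir(parents=True)
    if compliant:
        (base / "sys/block/dm-0/dm/uuid").write_text("CRYPT-LUKS2-constructed-root\n")
        (base / "proc/asound/cards").write_text("--- no soundcards ---\n")
        return base
    wlan = base / "sys/class/net/wlan0"
    (wlan / "wireless").mkdir(parents=True)
    (wlan / "operstate").write_text("up\n")
    eth = base / "sys/class/net/eth0"
    eth.mkdir()
    (eth / "operstate").write_text("down\n")
    for n, rtype in enumerate(["wlan", "bluetooth"]):
        radio = base / f"sys/class/rfkill/rfkill{n}"
        radio.mkdir(parents=True)
        (radio / "type").write_text(rtype + "\n")
    (base / "sys/block/dm-0/dm/uuid").write_text("LVM-constructed\n")
    (base / "proc/asound/cards").write_text(
        " 0 [PCH            ]: HDA-Intel - HDA Intel PCH\n"
        "                      HDA Intel PCH at 0xf7f10000 irq 33\n")
    return base


if __name__ == "__main__":
    # "--demo" audits a constructed non-compliant tree; otherwise audit the given root.
    arg = sys.argv[1] if len(sys.argv) > 1 else "/"
    with tempfile.TemporaryDirectory() as tmp:
        target = build_constructed_tree(tmp + "/rig", False) if arg == "--demo" else arg
        results = audit_airgap(target)
    for check, detail in results:
        print(f"[FLAG] {check}: {detail}")
    print("PASS" if not results else f"{len(results)} finding(s)")
    sys.exit(1 if results else 0)
```

A clean result only covers what the kernel reports; hardware that was disabled in firmware but left installed will not show up here, which is why the guide's advice to physically remove it still applies.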
paranoidsbible · 7 years ago
Uncle-Daddy’s Big Book of Deception 2.0
===Uncle-Daddy’s Big Book of Deception 2.0===
Non-profit and free for redistribution
Written on July 3rd | 2017
Published on July 3rd | 2017
Extra (RED) Herring Edition
For entertainment and research purposes only
+++++++++++++++++++++++++++++
DISCLAIMER
The Paranoid's Bible and its writers hold no responsibility for the acts of others. The Paranoid’s Bible is for research and entertainment purposes only.
Please visit our blog for more PDFs and information: https://www.paranoidsbible.tumblr.com/
+++++++++++++++++++++++++++++
===Preface===

When I shot the PB team a PM on their blog I didn’t expect my critique to become a quick gig of helping them hammer out a guide on deception. After much consideration and a few shots of cheap tequila, I agreed to help them out. Because why not? They have a decent idea and are trying to help the pitiful users of today’s internet.

So here you guys & gals go: a guide on being a deceptive bastard on the internet and preventing people from getting a good grasp on your information.

+++++++++++++++++++++++++++++
===SEO and Privacy===

So Search Engine Optimization (SEO) is one of those magical things everyone has to learn, to an extent, for anything they do online to be successful, especially websites and blogs. It’s also one of those things that no one would think can be applied to INFOSEC but it can. To an extent, SEO tactics can be used to further rank and quickly index red herrings and canaries.

Now, one thing to remember is there are such things as Black Hat SEO, which is aimed more toward search engines than organic traffic (White SEO). The truth is, regardless of what tactics you plan to use, they all have a place when it comes to preventing people finding your information.

You should really give it a search and check out the various articles, blogs and forums on SEO. Who knows, you might actually find something of use that I didn’t make mention of here.

+++++++++++++++++++++++++++++
===Clone Wars===

If you’re reading this, then I’ll assume you’ve read The Paranoid’s Bible guide and the guide on OPSEC. You should have a grasp on the DOs and DON’Ts of the internet.
However this will break those rules just a teensy bit in order to help you create garbage data and digital noise to obscure your real identity and information. The PB tells you that you should always use a unique username for each account and never repeat this username elsewhere, yet there is an exception to this rule: Cloning.

While cloning has several names, I’m partial to the term cloning because it gets the message across—make multiple accounts across the internet using the same username but with different information concerning the basic image of its creator.

When you create an account you always end up adding just a tiny bit of yourself to it. Using the ‘About Me’ or ‘Description’ or those pesky bios… you’re going to use these and differentiate each account by giving it its own persona. So while you’re following the advice of the PB team and their various guides, these cloned accounts will be vastly different. Go nuts and use your imagination but remember some simple facts.

Globally, European names aren’t all that common. Look at the current global makeup of the Earth’s population. Islamic-like names of Muhammad are quite popular, as are Asian names and East Indian names. While the majority of Western sites are heavily European and Americentric, it doesn’t hurt to mix it up with a Vash or Aiko. Of course, you can then flesh it out a bit more by giving them a European or American-sounding last name and background.

You want these accounts to be completely different from your own. Everything about the personas being made for these accounts are not to be related to you or your ‘main account’. You don’t want them to ever communicate with each other or touch in any way. You must keep them completely separated, which is why you’ll be making them on various forums, social media sites and chats.
The more ground you cover, and the more varied the accounts are the less likely people can make a cohesive argument as to why this piece of information or that data is supposed to be related to you.

For example, you make an account on deviantART. They’ve a little bio app that you can adhere to your profile. So, if you made yourself a Tumblr account, then the deviantART account is to not only be different in description but also look. If you hate Undertale, then the deviantART persona loves it. You like yellow, they love blue. So on and so forth until you’ve suddenly a teenage female artist with an Asian background who moved to the U.S. and knows very little about their own Asian heritage, ergo they cling to their last name which sounds Japanese-ish.

By doing this, if someone were to ever look for information to use against you or to grab your dox, they end up on a wild goose chase where they’re looking for someone who doesn’t exist.

+++++++++++++++++++++++++++++
===Dirty SEO Tactics===

There are numerous ways to pollute a search engine’s results with “dirty pages”. Their page rank might not be all that existent, however they do tend to clutter around specific search terms like a username or a piece of common information laced into profiles or bios in order to throw someone off a trail. Now, to do this you need to have clean and organic looking back links. However one good way to populate an account with seemingly organic back links is to use one of the numerous “generators” that usually end up hurting your SEO in the long run.

We don’t care about the long run, though. This is a short game tactic that translates into, in the long run, a small, albeit effective little trail duster meant to help cover some of your tracks.

These three links are a good start; however there exist numerous “generators” that can be used. Using these three for all of your clone accounts should help you spark a little bit of a boost in their appearance on Google and Bing.
With enough accounts under a similar or the same username, you can basically pollute the search results to help cover your main account with the clone accounts.

https://www.freebacklinkbuilder.net/
https://sitowebinfo.com/back/
https://www.indexkings.com/

Ensure you read the PB’s “Internet Primer” to help you reduce Ads and pop-ups when using these websites. While not intentionally malicious, numerous sites, like these, can have malicious Ads or pop-ups. They also will only give you a small boost in your garbage collecting on search engines, so always ensure you stagger what accounts get hit with these and always aim to use the smallest amount of available or offered links. A handful, like 10 or 20, will look less suspicious than, say, 2500.

You should also check out forums, which can be found easily by searching for things like “Black Hat SEO” and “SEO”.

+++++++++++++++++++++++++++++
===Get a Friend Involved===

Let’s say you’ve a friend that you really trust and they’re interested in privacy and security just like you.

==Here’s a suggestion:== Get them involved.

Have your friend help you by using one of their own persona/clone accounts to accuse one of yours of being something that currently upsets the moral majority. From there, work in some fake dox and a handful of other pieces of information. Work those bits and pieces into a believable “dox” and have your clone/persona take it a bit too personally and start acting like you’re panicked.

Delete the blog after a few days of the drama, let your friend’s persona/clone do some victory posting and move on. People will believe that that information belongs to you and follow that trail instead of looking for your real information. And, if you followed the PB’s namesake you should have very little information out there.

You can even be lazy and just make your own callout blog to attack your own persona/clones. In the end, though, you just want to create enough tension and static to misdirect people.
+++++++++++++++++++++++++++++
===Mean Girling===

One of the best things you can do is to create a clique of totally separate and unique accounts whenever you sign up for any account you plan to use for a period of time. This clique will be referred to as the Mean Girls as they’ll ultimately be the opposite of whatever account you create and be controlled opposition.

So, the purposes of these accounts are to spread some pseudo-dox and act as controlled opposition. This means if you create a political blog that’s semi-conservative, then you create (with a VPN or proxy or TOR) 1 to 4 accounts that’ll act as the clique of Mean Girls. They’ll work their way into being legit by simply following several people or accounts or whatever and have simple responses or posts that seem to fit the opposition of whatever your (main) account is about. If you can queue posts, then do so on those accounts VIA reblogs or whatever’s popular, be it fandom junk or miscellaneous images. You won’t have to spend so much time on these accounts and they can simply run off the queues, appearing to be active.

Whenever the mood strikes or you want to lay down some herrings, bring up one or more of the mean girls and have them attack you, making outrageous claims and posting (obvious to you) false information, like state, location or whatever. Ignore them, don’t respond or tell them they’re blocked. This will then cause that information to be picked up by search engines and attached to the searches for your account/username, thus giving you even more ground coverage of false information in search results.

Do this enough, staggering it by months or years, and you’ll have polluted your search results while not actively doing anything bad or obvious. Then, if someone does try to dox you, they’ll have to sort through all sorts of garbage data.

+++++++++++++++++++++++++++++
===Midwestern Theory===

The PB team had a guide for this one however you don’t need an entire guide for what can fit in a chapter.
I won’t bore you with the excessive details but some time ago when Newgrounds was the in-thing, someone got upset at people for making the claim that there were a lot of Californians online. This led to the Midwestern netizen forced meme that quickly died out.

The claim of being Midwestern is actually a good ploy when covering up your tracks. The Midwestern accent (https://en.wikipedia.org/wiki/Midwestern_accent) is easy to mimic and if you watch some YouTube videos (https://www.youtube.com/watch?v=-DlxCDlIfh0), you should find yourself being able to pick it up and force it when need be. Ideally you should never let anyone see your face or hear your voice, yet it does come in handy just in case.

Mix the various “Midwestern quirks” with setting all your accounts’ time zones to “Central” and keeping tabs of the time (https://www.worldtimezone.com/time/wtzresult.php?CiID=32119) (Always pick a random city or state in the Midwest) and mix in some research on “College towns” (https://www.collegeraptor.com/college-rankings/best-colleges-in-the-midwest/)… you should be able to spice up your bios and descriptions with something akin to a specific college team or name dropping a college or university that you go to and study at.

So when you log off or leave your account, stating something like “OMFG! It’s 12:30 am! I have to go and sleep! I have a compsci class @ 9!” Keep this up with several accounts, adding in the oddball California town or Florida town, and you’ll have created enough static to keep people scoping out the wrong area for information.

Though keep in mind that a lot of plant life in the Midwest tends to spread out into non-Midwestern areas. Take a picture or two of common plants around the US that appear in the Midwest, too. Figure out what’s a common park or nature preserve in the area of your false town/city and look at the common trees or plants in the area.
Take a picture of something that is in your area that is in that area, too, and tag it with #Yellowstone park or whatever is popular in that area. And suddenly… you’re a Midwesterner grilling in sub-zero temperatures because you want your burger.

Don’t forget to show your almost zealous obsession and support for that area’s sports teams and no one is going to suspect a thing. Maybe spice in some local news from the area and make a comment on the weather (It isn’t that hard to look up a weather report through Google) and you’re good as gold. You’re a real Midwesterner now, bro.

==Note:== You can literally apply all of the above to any state or location in the US. Get creative, spread the trash.

+++++++++++++++++++++++++++++
===Positivity Feeds===

When creating clone accounts and applying the above, it’s best to leave a few accounts aside for picture or quote spam. These accounts, if they have queue functions, can serve as a means to wipe out image and search results with positive trash.

This means you could create a Flickr and Photobucket account with nothing but .gifs of cats playing or images of literal plants. Apply this to several accounts, applying very little in the way of black hat SEO, and you may be able to create what we call a positive feed. These are neutral or positive results when people do a search query on you, your accounts or usernames. They’re literally nothing but junk data yet they’re not bad either simply due to the fact it’s kittens or puppies or plants or images of cute girls doing cute things or even smug anime girls.

Working through enough accounts and mixing in positivity feeds can ultimately help hide information but is also a good way to drain out any call out posts or so called dox drops.

+++++++++++++++++++++++++++++
===Be a Good Person, Share===

The PB team has in their namesake guide a way to opt out of Google Maps, among others. Take the information for getting out of Google Maps (and others) and make a flyer.
Print it out, take it to Kinkos or some other print shop, or go to your local library and print some copies there. Make some wheat paste (shown below) and paste them all over your town (Put paste on wall and smooth, then put your poster up and slather on paste and smooth it on it too.). Soon a whole mess of people will be blurring out their houses on the online maps, and this in turn messes with the real estate sites to the point of anyone trying to look up your information finds a mass of blurred out houses. This causes a mix of the “Streisand effect” and reasonable deniability.

==WHEAT PASTE HOW-TO==

Flour (wheat works best)
Sugar
1 Cup of Water
Container with a lid

• Boil a cup of water.
• Put 3 tablespoons of flour into a bowl
• Add 10 teaspoons of cool water until it forms a runny mix
• Once the water has boiled, add the runny mix to the boiling water. Stir well!
• Keep stirring. The mixture will foam up while it boils, so the constant stirring is essential to keep it from bubbling over and to keep it from getting chunky.
• Keep the mixture boiling for 2 minutes.
• Take the boiled mix off the heat. Add 2 tablespoons or more of sugar (added strength)
• Let it cool. Pour into an appropriate container for carrying with you. It will keep well for about a week.
• Learn more @ https://destructables.org/destructable/wheatpaste-recipe-putting-postersbillboard-alterations
• Spray with a clear sealant or hairspray to help weatherize and make the poster last longer.

Police, military members, and their families can opt-out of a wealth of databases. Some take it to the extreme and have their houses blurred out. If enough people in your area begin to blur out their houses and look into other means of removing their information, you’ll soon see a bit of a trend that can affect several blocks when it comes to viewing houses on any online map. This means that you can not only safely blur out yours but it’d be near impossible to guess whose house is whose.
It’s only defeated if they have an address, and that’s if it’s actually your address to begin with. Let these people rant and rave as they knock or send a malicious package to the wrong house. If anything happens, since it broke into the realm of reality, they’ll end up being arrested and charged with several crimes.

==Fun fact:== Not many places care about doxing, especially the police. Most modern “dox” is openly available information. This is why you must work toward suppressing it through opting out of websites and databases. If someone takes it from the internet to the realm of reality, lawsuits and arrests can happen.

+++++++++++++++++++++++++++++
===Don’t Neglect Reality===

No one’s denying the PB’s effectiveness when it comes to lessening the overall data of yours online, however until they discuss ways to limit information bleeding offline you’ll need to take a few extra precautions outside of creating noise and lessening your data. They do have a PDF on how your privacy’s invaded, yet that only covers so much.

Be a little bit nihilistic and apathetic. Don’t care as much and don’t react if you are doxed or someone gets a bit too close. Ignore them; work on lessening your information.

In the offline realm however you should work on creating some good for yourself. This means work on cleaning up your neighborhood, keeping your property clean and being nice to your neighbors. Look into doing some volunteering and charity work. Create some good will toward yourself and lessen the general impact in case anything comes toward you and your life. By doing this you can create a large support focus toward you and what good you’ve done. People will be in disbelief and outright call the claims made against you false.

Ever wonder why politicians and famous people, even the internet famous, never get much crap and have an unusually large support behind them? What they do is quite simple: Act like a good person.
With a bit of charity under your belt and by observing social protocols enough by simply greeting people and saying your “Please” and “Thank yous” you’ll create an air of being someone halfway decent. People will see this and any accusations made against you will result in either demand for blood or death of someone who dares attack you. Now you shouldn’t encourage the bloodlust or wanting of death, however simply using your time wisely and helping your community can act as a good cover. Someone comes around and harasses you; someone who might have power will come to your aid possibly.

It also doesn’t hurt to remove your information and have it replaced with falsified information. Check out https://reddit.com/r/freebies and keep an eye out for free magazine subscriptions. Fill out a few, regardless what they are, with your home address and a burner cell’s number. The name can be made up, possibly made to match the cultural and ethnic makeup of your area.

Think about it. What are the most common people in your immediate area? White? Black? Hispanic? It doesn’t matter as long as you pick the majority and follow suit with their name. It’ll help further push that static to help cover your tracks. So if you’ve a large number of Hispanic families in your area, using a Hispanic sounding first and last name on your free magazine subscriptions can help you replace all your removed database records with falsified ones.

Go the extra step, load up on other freebies. Anything you don’t need or want can be donated to a number of homeless shelters or shelters for women and/or children. Gives you an extra push in being a good person too!

+++++++++++++++++++++++++++++
===Afterword===

Outside of following the PB’s advice, using a VPN, a non-proprietary OS and not touching social media there’s not much else you can do.
While being deceptive and sprinkling lies and half truths into your conversations and online shenanigans helps, most of us who were born in the 80s and 90s have screwed up royally and will never truly be un-doxable or secure. Work toward anonymity and spread the PB’s information to as many people as you can. I should note however that your text and how you type can give you away too. Look into using a text editor and use Basic English spelling and grammar. Mix in some chat speak and some texting quirks and you should be able to keep the personas even more separated and unique.
6 notes · View notes
paranoidsbible · 8 years ago
An Internet Primer
===An Internet Primer===

Non-profit and free for redistribution
Written on August 24th | 2016
Published on August 24th | 2016
For entertainment and research purposes only
++++++++++++++++++++++++++++++++++++++
===DISCLAIMER===

The Paranoid’s Bible and its writers hold no responsibility for the acts of others. The Paranoid’s Bible is for research and entertainment purposes only.

Please visit our blog for more PDFs and information: http://www.paranoidsbible.tumblr.com/

++++++++++++++++++++++++++++++++++++++
===Preface===

While many still argue about how their own views on the history of the internet are the truth, we do know the core timeline consists of the “Electronic computer” being developed in the 1950s. From there the ARPANET was created and quickly adopted the Internet Protocol, which soon began a wildly discussed and argued about origin story of the internet sometime in the 80s.

However, while many will even argue the core facts to the point of the internet being born either earlier or later in the timeline, we do know that Usenet wasn’t too far away. With the birth of Usenet, things like the BBS, Internet forum and terms like “Eternal September” quickly cropped up in a rapid session of growth and expanse. Now things like Blogging or Social Media are common, and people with rose tinted glasses grow remorseful of how inclusive the internet has become.

Now, the early adopters and users aren’t too far off with their remorse, sadly… You see, many of the modern day users have grown complacent and wholly unaware of even the simplest uses of OPSEC. This guide aims at giving the average user a simple and quick primer to enhance their privacy and security when using the internet. This guide isn’t a quick-fix or one-button solution to your problems or concerns, however it’s better than nothing when paired with the other guides listed in the “Blue Primer”.
__References__

• Net History (http://www.nethistory.info/History of the Internet/origins.html)
• Internet Society (http://www.internetsociety.org/internet/what-internet/history-internet/brief-history-internet)
• History of the Internet (https://en.wikipedia.org/wiki/History_of_the_Internet)
• ARPANET (https://en.wikipedia.org/wiki/ARPANET)
• Internet protocol (https://en.wikipedia.org/wiki/Internet_Protocol)
• Usenet (https://en.wikipedia.org/wiki/Usenet)
• BBS (https://en.wikipedia.org/wiki/Bulletin_board_system)
• Internet Forum (https://en.wikipedia.org/wiki/Internet_forum)
• Eternal September (https://en.wikipedia.org/wiki/Eternal_September)
• OPSEC (https://en.wikipedia.org/wiki/Operations_security)
• Blog (https://en.wikipedia.org/wiki/Blog)
• Social Media (https://en.wikipedia.org/wiki/Social_media)

++++++++++++++++++++++++++++++++++++++
===The Browser===

The gateway to the internet, for the modern and average user, is their browser (https://en.wikipedia.org/wiki/Web_browser). It’s a piece of software meant to help people traverse the World Wide Web by retrieving and presenting information resources taken from the internet. The modern browser is pre-built, requires hardly any tweaking, and is rarely, if ever, fully customizable.

However, as more people aim for a free software or an open-source style of use, more browsers do offer some level of customization that range from modifying the settings under the hood to themes and other frivolous aesthetical customizations. With so many choices, people usually stick to Internet Explorer or Google Chrome; however these browsers leave a lot of wanting when it comes to usability.
Chrome also has a notorious past of spying on you (http://betanews.com/2015/06/24/is-google-chrome-spying-on-you/) without giving you a warning, which shouldn’t be such a surprise with all the claims of Chrome being a botnet (https://wiki.installgentoo.com/index.php/Botnet) and not asking permission (http://www.netcompetition.org/antitrust/google-on-chrome-we-dont-need-your-permission) for accessing a user’s computer.

Ultimately, anything with Microsoft or Google is unavoidable, sadly, and a lot of work has to take place in order to avoid leaking information or having it sold. But that’s the way things flow as of late, especially when “Don’t Be Evil” is dropped in favor of “Do the Right Thing” (http://blogs.wsj.com/digits/2015/10/02/as-google-becomes-alphabet-dont-be-evil-vanishes/).

So, what does that mean for the average user? Research your quickly dwindling choices for what browser you should use, which will reside between two browsers and one’s many, many flavors.

If you want something other than Mozilla Firefox, then try Brave (https://brave.com/) (Not recommended due to its newness) or Palemoon (https://www.palemoon.org/) (Based upon a fork of Firefox) or IceCat (https://www.gnu.org/software/gnuzilla/). However, for the sake of usability and quick to use features, we recommend, begrudgingly, Mozilla Firefox (https://www.mozilla.org/en-US/firefox/new/).

When you visit Firefox’s webpage, select the appropriate version for your operating system. Once downloaded, double click and follow the on screen prompts. When it comes to selecting “Standard” or “Custom” ensure you select custom.

***Leave the default installation path, unless you wish to install elsewhere.***

***The reason for removing the installation service is quite simple:*** Less communication between the browser and other sources, the less information leaked.

Now ensure you've also unchecked/disabled the "Maintenance service" before proceeding. Selecting shortcuts/icons is ultimately up to you.
The same applies to it being the default browser—it’s up to you.

Once installed, it’s time for some basic customization and add-on installation. The first thing you’ll notice is an “import wizard” pop-up. You don’t want to import anything unless you’ve some backups of your bookmarks. Other than that, ignore it and wait for the browser to load.

From there, we’ll ignore the “Firefox account” prompt. You don’t want to sync or backup, anything, unless it’s an html or json file for your bookmark backups. Syncing accounts and saving passwords spells doom, gloom and big brother (sometimes literally your big brother or sister) spying on your info and peeking into your accounts and other online items (if not leaking it in a data dump). Seriously, ignore prompts to sync or save information.

You’ll also want to ignore the private browsing mode. It’s not private, information is still saved, and people can still use exploits to get at your information.

Press the ALT button on your keyboard to get the menu bar to appear. From there, select the tools menu and then the “Options” submenu.

Press ALT button > Tools menu > Options sub-menu.

When the options window pops up, you’ll want to start in the “General tab”. Disable/uncheck “Always check if Firefox is your default browser” and set your homepage to whatever you want. Never let files save to downloads, you want to have it “Always ask” where to save them. On top of that disable all the "Tabs" options but "Open new windows in a new tab instead".

We do suggest using “Start Page” (https://www.startpage.com/) for your homepage and search engine needs. Now click the "Search" tab and uncheck everything and delete all the "One-click Search Engines" options. From there, go to the Start Page website, you should see an “Add to Firefox” option, select that. You should also, to prevent accidental use, remove all other search engines from the “Search” tab.
Google, among several other engines, tend to cache and keep track of your search history and click stream (https://en.wikipedia.org/wiki/Clickstream). On top of that, Google, Yahoo, Microsoft, and a few others, will store and keep your search history saved to your accounts if logged into them, at all, while searching.

On the “Content tab,” uncheck/disable everything but "Block pop-up windows". Now select the “Advanced” button and click it. From there, disable the option titled "Allow pages to choose their own fonts, instead of my selection above". This just prevents sites from using intrusive and generally distasteful fonts and also limits their control over your browsing experience and browser.

Everything in the “Applications tab” should be set to always ask or preview in Firefox. The only thing you can safely set to a default application would be shockwave flash, which should be disabled by default in the plug-ins menu.

The “Privacy tab” should be straightforward; however most will recommend that you disable “Third-party cookies” but since this primer is aimed at providing some security, privacy, yet retain usability for the average user… You should disable everything but: "Use Tracking Protection in Private Windows"; "Accept cookies from sites"; "Clear history when Firefox closes". Set 3rd party cookie to never, if you wish, however some banking sites lose functionality due to this. You should also set "Keep until" to "I close Firefox". Now click the "settings..." tab on the Privacy menu and select everything there.

In the “Security tab,” it’s again straightforward; however please do understand that the whole “Blocking dangerous and deceptive content” options are disabled due to the fact that, again, the less communication given over to the browser and its creators the better you’re off security and privacy wise. Basically uncheck everything but "Warn me when sites try to install add-ons".

***Ignore the sync tab.***

Everything in the “Advanced tab” is straightforward and should be self-explanatory.

Advanced > General > Disable/uncheck everything but the four settings under "Browsing".
Advanced > Data Choices > Uncheck all
Advanced > Network > Check all and set cache to 0
Advanced > Update > Uncheck all and set to "Never check for updates"
Advanced > Certificates > Set to "Ask me every time" and check the one setting there.

Once done, exit out of Firefox and start it up again. This is just to ensure everything sticks and is working, since some of the more current versions of Firefox have had a habit of ignoring settings from time to time and resetting things to default.

Now we’ll go to the Firefox Add-on page and work our way toward customizing Firefox a bit to improve usability and its overall feel. First off, we’ll work on the aesthetics aspect a bit just to improve the overall feel of the browser due to its copy-catting of the Apple simplicity meme.

***You’ll want these add-ons:***

• Black YouTube Theme - https://addons.mozilla.org/en-US/firefox/addon/black-youtube-theme
• Classic Theme Restorer - https://addons.mozilla.org/en-US/firefox/addon/classicthemerestorer/
• Smaller View - https://addons.mozilla.org/en-US/firefox/addon/smaller-view/?src=search

You should notice a considerable difference in your browser once restarted. More precisely, it’ll be easier to navigate and find your menus now. The YouTube theme is simply preference and feels easier on the eyes compared to the default theme of the site.

Now, before we continue forward with the add-ons, let’s do a bit of tweaking to the look of the browser. You should see icons on the upper right-hand corner. Right-click on the icons and select “Customize,” which should open up a new tab/window that’ll allow you to move the icons as you wish.

Remove all the icons present, except the down arrow/download icon. From there, close the window and right-click on the bar, again, and select the three bars/toolbars shown.
You can also ignore the “Menu Bar” option if you wish to just use the orange drop-down menu.

In the URL bar, type in About:config. You should see something similar like the below cap. Uncheck the “Show this warning next time”. And then, from there, click the “I’ll be careful, I promise!” button.

In the search bar within the about:config window, ***enter this:***

browser.newtabpage.directory.source

You should see a string with the name you searched, double-click it and delete the string of text. Once done, exit out of that tab and open a new tab. Click the cog wheel icon in the right-hand corner and select “Show blank page”. You should now be rid of those pesky tiles and most of the ADs that Firefox forces down your throat.

You can now add the rest of the add-ons, which you can find listed below.

Add-ons:

• Better Privacy - https://addons.mozilla.org/en-US/firefox/addon/betterprivacy/
• BluHell Firewall - https://addons.mozilla.org/en-US/firefox/addon/bluhell-firewall/
• Configuration Mania - https://addons.mozilla.org/en-US/firefox/addon/configuration-mania-4420/
• Decentraleyes - https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/
• Disconnect - https://addons.mozilla.org/en-US/firefox/addon/disconnect/
• HTTPS Everywhere - https://www.eff.org/Https-everywhere
• PureURL - https://addons.mozilla.org/en-US/firefox/addon/pure-url/
• Quick Java - https://addons.mozilla.org/en-US/firefox/addon/quickjava/
• Self-Destructing Cookies - https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/
• Smart Refer - https://addons.mozilla.org/en-US/firefox/addon/smart-referer/
• Track Me Not - https://addons.mozilla.org/en-US/firefox/addon/trackmenot/

Now restart the browser. You should get a pop-up from HTTPS Everywhere, hit “No” and then right-click anywhere and select “Customize”. You’ll want everything arranged to your own taste, note that there exists an icon with two cog wheels.
This belongs to “Configuration mania” and should be added for ease of use and access.

Now, click the orange menu button and click the add-on menu. We’ll be working our way down the list, alphabetically, and modifying a handful of settings for some of the add-ons before we end this chapter.

Starting with “Better Privacy,” go ahead and hit “Options”. You’ll want to select the “Options & Help” tab and adjust your settings to look similar to the ones listed below:

• Delete flash cookies on exit - checked
• Add LSO item to Firefox ‘Clear History’ dialog – unchecked
• Always ask - unchecked
• Delete flash cookies on application start - checked
• Delete cookies by timer – checked
• Not if modified within time interval – checked
• Time interval 1 second
• LSO delete shortcut – blanked
• Also delete flashplayer default cookie – checked
• On cookie deletion also delete empty cookie folders – checked
• Notify if new LSO is stored – unchecked
• Auto protect LSO sub-folders – checked
• Disable ping tracking
• Prevent Firefox ‘Clear recent history function’ – checked
• Portable mode – unchecked

Everything else can be ignored and you can go directly to “Configuration Mania” and select “Options”.

Browser tab > Tab Browsing > Everything checked but the below:

• Enable about:newtab – unchecked
• Close the window when closing its last tab – unchecked
• Open the results in a new tab when searching from search bar – unchecked
• On CTRL + TAB – unchecked
• On taskbar (windows 7) – unchecked

Now head over to the “Bookmark icons (favicons)” tab.

Browser tab > Bookmark icons > Uncheck the two settings there.

Finally go to the “Web API” tab in browser tab and deselect/uncheck everything there. From there, find the “Security” tab that should be right under the “Browser” tab and select the “Javascript” tab, everything there should be checked and all the other tabs left alone.
Now, before we select “Smart Refer” please go to about:Config by entering “About:config” into the URL bar. From there, search for:

network.http.sendRefererHeader

You’ll want to either set it to 0 to not send a ref or to 1 to keep things somewhat clean and compatible. 2, however, is default and will always send a ref. So, ‘0’ if you don’t want to send a ref or ‘1’ to prevent most cross-site tracking and keep compatibility when visiting websites.

Now go to “Smart Refer” and select “Options”. ***Set the drop down to:*** Send nothing as a referrer, looking like a direct hit.

Once done, go and mosey on over to “Track Me Not” and hit “Options”. Set your settings as such:

• Enabled – checked
• Use tab search – unchecked
• Enable query burst – checked
• All search engines checked
• Query frequency: 10 per min
• Disabled – checked
• Persistent – unchecked
• Use list – checked
• Generate queries – unchecked

Once you’re in TMN’s options, you’ll want to use the recommended RSS feeds for the add-on (hit validate once done):

http://www.nytimes.com/services/xml/rss/nyt/HomePage.xml|http://rss.cnn.com/rss/cnn_topstories.rss|http://rss.msnbc.msn.com/id/3032091/device/rss/rss.xml|http://www.theregister.co.uk/headlines.rss|www.reddit.com/r/science/.rs|http://www.reddit.com/r/aww/.rss|http://www.reddit.com/r/kawaii.rss|http://www.reddit.com/r/kittens.rss|http://www.reddit.com/r/pcmasterrace.rss|http://www.reddit.com/r/steam.rss

We also recommend these words for your black list:

bomb,porn,pornographie, porn, pornography, rape, rapists, rape culture, bombs, pipebomb, ied, bdms, bdsm, raping, raped, murder, murdering, lolicon, loli, cp, child porn, pthc, jbhc, shota, shotacon, ISIS, ISIL

Once done with the add-ons, head on over to about:Config once more. You’ll want to implement these three settings to ensure you limit some of the tracking methods employed by websites and online trackers commonly found on Tumblr and other social media platforms.
===Settings to change:===

• browser.display.use_document_fonts = 0
• dom.storage.enabled = false
• browser.sessionhistory.max_entries = 2

Once done, you can add whatever add-ons you want, ***however remember this simple rule:*** If you don’t need or use it, don’t install it or enable it.

That’s why we had you install Quick-Java. Quick Java’s little bar, which is added to Firefox upon installation, allows you to disable and enable certain plug-ins on the fly. This is a wondrous little time saver and is a good thing to have at hand when you wish to browse the internet.

When browsing, without having to login or watch something, your settings with quick-java should look something like this:

Everything red/disabled but I (Images); A (Animations); CS (Style)

When you do need to log into an account or want to watch YouTube or something similar, you’ll need it to look like this:

Everything red/disabled but JS (Javascript); C (Cookies); I (Images); CS (Style)

Give or take the fact that you may need to enable flash (The “F” button). However, YouTube, and some other sites, are offering the use of HTML5 and Flash. So, if you don’t need to enable flash, don’t do so. Flash can leak a lot of data in the end.

It also helps to outright not have anything enabled (sans the last three buttons) when you’re just doing research or looking up something. Only enable cookies and JavaScript (the “JS” and “C” buttons) when you actively need to log into an account or a website. This will help lessen the data diarrhea your browser has and help you retain some privacy without breaking your browser, yet many more configurations and add-ons are needed to even achieve some form of security or privacy.

***And, just as an FYI:*** This shouldn’t break your browser, at all, or your use of any websites. If something doesn’t work properly, try disabling BluHell Firewall by clicking the blue-devil icon on your browser.
If that doesn’t work, try disabling Clean links, which has an icon of a broom wrapped in a chain-link. Outside of those two add-ons, you don’t need to disable anything as nothing should break or prevent you from logging into any websites.

Ultimately though, this configuration, and the add-ons suggested, only helps lessen the effectiveness of the trackers and counters offered to civilians and the public at large. Some Ads will be blocked, along with a metaphorical ton of malicious content, however you’ll need to look into using Peerblock and Hostman if you want to lessen it even more so than what you can with this browser setup.

We offer two guides that discuss the use of Peerblock and Hostman, among other things. However, save those for a later date as they’re a bit more advanced than what this guide has to offer. We’ll also be hosting what we call the “Blue Primer,” which is an archive of the most basic of information for those who wish to lessen their data footprint, prevent tracking and lessen their chances of being doxed. If you haven’t gotten this guide from the blue primer, please look into downloading it and reading the other guides within it.

As for this chapter of this guide… you’re done! Move on to the next chapter, reader.

***P.S:*** Avoid using password storage, password sorters and similar features or add-ons. Write down your password, if you must, and hide it where no-one will find it but you.

++++++++++++++++++++++++++++++++++++++
===E-mail===

Electronic mail (https://en.wikipedia.org/wiki/Email), shortened to E-mail, is one of many means to exchange digital messages between computers and their users. However, since seeing frequent use in the 60s to now, e-mail has become used more as a means of identification than communication when needing to sign up for an account or do some sort of business based task, or being a responsible adult and working on your taxes or banking.
Now, e-mail is just one of the many methods sites use to prevent bots, scammers and spammers from joining their communities. When you need to sign up for an account, you usually need to provide an e-mail from a provider that they’ve yet to blacklist (***Example:*** most common temporary e-mail services have been blocked by Facebook).

The average internet user will usually use one of the main three: Google; Hotmail/Live/Outlook; Yahoo.
• https://www.gmail.com/
• https://login.live.com/
• https://login.yahoo.com/

Sometimes Yandex (https://mail.yandex.com/), among similar non-US based e-mail providers, will be used, however the main three tend to rule.

The issue with the main three (Shortened from now on to MT) is that they require a lot of data and “verifications” to ensure that it’s you who’s signing up or at least not someone with malicious intent. This wouldn’t be such a large issue if it wasn’t for the fact that the MT are notorious data collectors who work in unison with the government, among other groups, to not only data-mine and spy, but also possibly put down dissenters. If any of this comes to light as being true and not just some gossiping theories put forth by many privacy groups, then that just shows how much of your information is at stake. However, with the MT track records, it shouldn’t be that big of a stretch to see how or why they’d work with the government.

But what does this mean for you, someone who needs an e-mail address and doesn’t want to risk their information or someone knowing they’re a part of “Sexy Jewish Singles” with the kink of “Eating pork on the Sabbath”? Well, the first step you should take, outside of doing the bare minimum to secure your browser, would be to look into using alternative e-mail providers when signing up for an account.

There are numerous providers, however not all will exist or become permanent fixtures in the years to come, which means you have to pay attention to news and keep an eye on the services to use.
As of now, Privacy Tools has a wonderful list of e-mail providers (https://www.privacytools.io/#email) you can use, and since most of us are frugal-minded to the point of being cheap, these four should hopefully sedate your lust for a free, secure e-mail provider.

E-mail providers:
• Mail Fence - https://www.mailfence.com/
• Open Mail Box - https://www.openmailbox.org/
• Proton Mail - https://protonmail.com/
• Tutanota - https://tutanota.com/

The four e-mail providers are free, yes, and support a variety of features aimed at protecting your privacy, however they aren’t like your usual e-mail provider. They often don’t ask for a secondary e-mail or a security question, nor do they offer any means to do so in case of someone taking over. Another issue, for many, is the fact that you can’t sync or link accounts together—this is a good thing, though. Syncing, storing or linking accounts is something you shouldn’t do, at all. Your accounts should always be separated, never touching and kept as far apart from each other as possible.

Now, personally, we recommend you use a mix of these e-mails each time you create an account or sign up for some service or another that isn’t tied to you offline (***Example:*** like banking, bills, school or work). You see, as much as we dislike the MT, you should honestly have one account on each specifically for stuff that’s offline. The reason for this is simple: You’ll generate enough of a trail to not be suspicious.

For instance, Google, as much as it’s a heavily invasive mega-corp, does have a pretty decent setup for their GMAIL service. You should create an account there and have it used specifically for your banking, bills and similar items.
Hotmail/Outlook/Live mail is way below GMAIL, however you should use this specifically for school and similar items to keep people away from your financial records, yet close enough to a normal provider that no one will question you if you simply state that they can send it to you over e-mail instead of on some social media site. Yahoo, as much as it’s a disastrous service and corporation, won’t look out of place for business related subjects or questions.

It’s simply a matter of coming up with a professional sounding username for the MT accounts and keeping them separated from each other. Never using the same MT account for different applications or accounts, and never letting them touch each other. With that out of the way, however, you should try to keep each account, regardless of the provider, isolated from each other—never using the same user, password, secondary e-mail, or information, ever. The only time you should ever use your legitimate information is for the MT accounts, which should only be used for work, school or financial items.

***Remember:*** Never save your passwords on your computer and never use a password manager. Write down your password and keep the piece of paper with it somewhere safe and away from people trying to find it. Use a lockbox if you must, but never save this info on your computer. Also look into writing down each account’s information and hiding that paper, too, so you never forget it.

***Remember 2:*** Use one of the free e-mail services to create a mess-free secondary e-mail to use with the MT e-mails.

++++++++++++++++++++++++++++++++++++++

===Passwords===
Your password (https://en.wikipedia.org/wiki/Password) is the key to your account, without it you can’t log in without going through an entire process of laziness meant to make it easier on the geeks who run the website you’re a part of or at least the “Help desk”. You see, that’s all a lost password request is: Laziness.
It doesn’t mean you’re lazy, though, it just means you’re forgetful like everyone else. However, the people who run the site don’t want to deal with properly verifying your claim to your account, so they created these claims of simplicity where you submit a request to retrieve or change your password. That is where laziness comes in. Anyone who spent time researching you and applied a liberal dose of social engineering will be able to guess certain security questions and your e-mail addresses to the point of being able to hijack your account(s).

This is why it pays to keep e-mails separated, not to use the same username twice, and to have a strong password. Your password should be eight (8) to fifteen (15) characters long and consist of randomly selected characters that range from upper case letters (ABC) to lowercase letters (abc) to numbers (123), punctuation (.,;?!) and special characters ($%#).

Your password will not only be hard to remember, but also hard to guess. This is why you should write it down on a piece of information and hide it in a lockbox or locked drawer where no one will get at it, ever. You should also avoid password managers, syncing your information, using “Master passwords,” reusing your password, or saving it on your computer or phone.

Think of your password as a unique key and each account a unique door—you need a specific key for a specific door, ergo never use the same password twice. Always randomize your passwords, their length and the characters used to the point of each one never being overly similar.

++++++++++++++++++++++++++++++++++++++

===Accounts===
An account is like a membership you apply for when you join a community or a website. And like a membership, the difficulty to obtain an account ranges from something as easy as a username + password or to the near-impossible where you need to provide an arm’s length of information and an invite code.
Regardless of what you’re signing up for, however, you need to learn to compartmentalize each account and profile into its own isolated object. You don’t need to interlink your information, account or anything like that. You don’t even need to sync it up to your e-mails or your phone.

You don’t need 40+ accounts across the internet. You need what you need, and at that, you only need it if there’s a reason for it. So, in theory, what accounts do you truly need?

===Steam or Origin?===
You don’t need them, however gaming is a decent way to unwind and do something mindlessly to try and clear your head of troublesome thoughts. Honestly, though, do you really need any of those accounts? Well, yes, if you don’t believe in piracy or simply wish to support the developers you prefer. But you don’t need it to live or survive. There are plenty of non-DRM options that range from freeware to physical media options that don’t need an internet connection in order to play it.

===YouTube?===
You don’t need one to watch videos or enjoy them. You only need an account if you, yourself, plan to comment, rate or upload videos. Do you really need to do that? There are hundreds of ways to express yourself that don’t require you sitting in a chair, staring at your computer, and reviewing bottles of Fiji water from when it first was released.

You’ll need accounts or simply want to make an account, for whatever reason, and participate in the community or reap the benefits of releasing your information for that slim chance of being “Internet famous”. No matter the reason, though, you need to treat your account and its associated profile as a contained fire during a camping trip. You want to give only as much information as is required, not what they offer you to give up.

For instance: Your username shouldn’t be your real name or a nick name that you’ve been called before. It should be completely unique and unrelated to anything else you’ve made, claimed, were called or even thought about using.
It should also be different from the e-mail address that you’re using for the account.

Ultimately, outside of paid accounts or billing information, not a single thing on your profile should lead back to you or be associated with you or anything related to you. You shouldn’t use the same password, e-mail address, username or anything that you’ve used on another account. And, at that, no account should be linked, synced or associated with each other in any way possible.

These accounts and profiles, depending on their settings, should be made as private as possible and be as minimalistic as possible. You could, in theory, supply false information in your bio or “about me” to create a false digital trail just in case, however leaving no information is better than leaving some. And, truthfully, you should avoid having more than ten (10) accounts at any given time.

When an account is no longer useful, you should just follow the Paranoid’s Bible PDF and how to properly dispose of an account and the information associated with it. Never leaving a trace behind and letting the account and its information pass peacefully away before deletion.

++++++++++++++++++++++++++++++++++++++

===Afterword===
This is nothing more than the barest basics needed to keep some sort of privacy when using the internet and trying to avoid being doxed during some kind of discourse. This won’t make you 100% anonymous, nor will it make you undetectable when it comes to the government, yet it’s better than nothing.
5 notes · View notes
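To confirm that the three about:config values from the "Settings to change" list actually stuck in a Firefox profile, here is an added example (not part of the original post) that parses a prefs.js file and compares it with the guide's values. The sample prefs.js text and the function names are constructed for illustration.

```python
"""Audit a Firefox prefs.js against the guide's "Settings to change" list.

Added example: SAMPLE_PREFS is constructed, and parse_prefs/audit are
illustrative names, not part of Firefox or of the guide.
"""
import json
import re
import sys

# Values copied from the guide's list.
EXPECTED = {
    "browser.display.use_document_fonts": 0,
    "dom.storage.enabled": False,
    "browser.sessionhistory.max_entries": 2,
}

# prefs.js and user.js entries look like: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Constructed sample: one value set correctly, one wrong, one never changed.
SAMPLE_PREFS = """\
// Mozilla User Preferences
user_pref("browser.display.use_document_fonts", 0);
user_pref("browser.sessionhistory.max_entries", 50);
user_pref("browser.startup.homepage", "about:blank");
"""


def parse_prefs(text):
    """Return {pref name: value}; later entries override earlier ones."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = match.groups()
        try:
            # Pref values are true/false, integers or double-quoted strings,
            # all of which are valid JSON literals.
            prefs[name] = json.loads(raw)
        except ValueError:
            prefs[name] = raw  # keep unparsed text rather than guessing
    return prefs


def audit(prefs, expected=EXPECTED):
    """Return {pref name: (status, actual)} with status ok/missing/mismatch.

    "missing" means the pref is not in the file, so Firefox is using its
    built-in default (prefs.js only records values that were changed).
    The type check matters because Python treats 0 == False as true, while
    Firefox keeps integer and boolean prefs distinct.
    """
    report = {}
    for name, want in expected.items():
        if name not in prefs:
            report[name] = ("missing", None)
        elif type(prefs[name]) is type(want) and prefs[name] == want:
            report[name] = ("ok", prefs[name])
        else:
            report[name] = ("mismatch", prefs[name])
    return report


if __name__ == "__main__":
    # Pass the path to a profile's prefs.js, or run with no argument
    # to audit the constructed sample above.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as handle:
            content = handle.read()
    else:
        content = SAMPLE_PREFS
    for pref, (status, actual) in audit(parse_prefs(content)).items():
        print(f"{status:8} {pref} = {actual!r} (guide: {EXPECTED[pref]!r})")
```

Close Firefox before reading prefs.js, since the browser rewrites the file while it runs.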
paranoidsbible · 8 years ago
Text
Uncle-Daddy’s Big Book of Deception
Non-profit and free for redistribution
Written on September 13th | 2016
Published on September 13th | 2016
For entertainment and research purposes only
=================================================
DISCLAIMER
The Paranoid's Bible and its writers hold no responsibility for the acts of others. The Paranoid’s Bible is for research and entertainment purposes only. Please visit our blog for more PDFs and information: https://www.paranoidsbible.tumblr.com/

=================================================
Contents
• DISCLAIMER
• Preface
• Clone Wars
• Dirty SEO Tactics
• Get a Friend Involved
• Midwestern Theory
• Be a Good Person, Share
• Don’t Neglect Reality
• Afterword

=================================================
Preface
When I shot the PB team a PM on their blog I didn’t expect my critique to become a quick gig of helping them hammer out a PDF on deception. After much consideration and a few shots of cheap tequila, I agreed to help them out. Because why not? They have a decent idea and are trying to help the pitiful users of today’s internet. So here you guys & gals go: a guide on being a deceptive bastard on the internet and preventing people from getting a good grasp on your information.

=================================================
Clone Wars
If you’re reading this, then I’ll assume you’ve read The Paranoid’s Bible PDF and the PDF on OPSEC. You should have a grasp on the DOs and DON’Ts of the internet. However this will break those rules just a teensy bit in order to help you create garbage data and digital noise to obscure your real identity and information.

The PB tells you that you should always use a unique username for each account and never repeat this username elsewhere, yet there is an exception to this rule: Cloning. While cloning has several names, I’m partial to the term cloning because it gets the message across—make multiple accounts across the internet using the same username but with different information concerning the basic image of its creator.

When you create an account you always end up adding just a tiny bit of yourself to it.
Using the ‘About Me’ or ‘Description’ or those pesky bios… you’re going to use these and differentiate each account by giving it its own persona. So while you’re following the advice of the PB team and their various guides, these cloned accounts will be vastly different. Go nuts and use your imagination but remember some simple facts.

Globally, European names aren’t all that common. Look at the current global makeup of the Earth’s population. Islamic-like names of Muhammad are quite popular, as are Asian names and East Indian names. While the majority of Western sites are heavily European and Americentric, it doesn’t hurt to mix it up with a Vash or Aiko. Of course, you can then flesh it out a bit more by giving them a European or American-sounding last name and background.

You want these accounts to be completely different from your own. Everything about the personas being made for these accounts is not to be related to you or your ‘main account’. You don’t want them to ever communicate with each other or touch in any way. You must keep them completely separated, which is why you’ll be making them on various forums, social media sites and chats. The more ground you cover, and the more varied the accounts are the less likely people can make a cohesive argument as to why this piece of information or that data is supposed to be related to you.

For example, you make an account on deviantART. They’ve a little bio app that you can adhere to your profile. So, if you made yourself a Tumblr account, then the deviantART account is to not only be different in description but also look. If you hate Undertale, then the deviantART persona loves it. You like yellow, they love blue. So on and so forth until you’ve suddenly a teenage female artist with an Asian background who moved to the U.S. and knows very little about their own Asian heritage, ergo they cling to their last name which sounds Japanese-ish.
By doing this, if someone were to ever look for information to use against you or to grab your dox, they end up on a wild goose chase where they’re looking for someone who doesn’t exist.

=================================================
Dirty SEO Tactics
There are numerous ways to pollute a search engine’s results with “dirty pages”. Their page rank might not be all that existent, however they do tend to clutter around specific search terms like a username or a piece of common information laced into profiles or bios in order to throw someone off a trail.

Now, to do this you need to have clean and organic looking back links. However one good way to populate an account with seemingly organic back links is to use one of the numerous “generators” that usually end up hurting your SEO in the long run. We don’t care about the long run, though. This is a short game tactic that translates into, in the long run, a small, albeit effective little trail duster meant to help cover some of your tracks.

These three links are a good start; however there exist numerous “generators” that can be used. Using these three for all of your clone accounts should help you spark a little bit of a boost in their appearance on Google and Bing. With enough accounts under a similar or the same username, you can basically pollute the search results to help cover your main account with the clone accounts.

https://www.freebacklinkbuilder.net/
https://sitowebinfo.com/back/
https://www.indexkings.com/

Ensure you read the PB’s “Internet Primer” to help you reduce Ads and pop-ups when using these websites. While not intentionally malicious, numerous sites, like these, can have malicious Ads or pop-ups.

=================================================
Get a Friend Involved
Let’s say you’ve a friend that you really trust and they’re interested in privacy and security just like you. Here’s a suggestion: Get them involved.
Have your friend help you by using one of their own persona/clone accounts to accuse one of yours of being something that currently upsets the moral majority. From there, work in some fake dox and a handful of other pieces of information. Work those bits and pieces into a believable “dox” and have your clone/persona take it a bit too personally and start acting like you’re panicked.

Delete the blog after a few days of the drama, let your friend’s persona/clone do some victory posting and move on. People will believe that that information belongs to you and follow that trail instead of looking for your real information. And, if you followed the PB’s namesake you should have very little information out there.

You can even be lazy and just make your own callout blog to attack your own persona/clones. In the end, though, you just want to create enough tension and static to misdirect people.

=================================================
Midwestern Theory
The PB team had a guide for this one however you don’t need an entire guide for what can fit in a chapter. I won’t bore you with the excessive details but some time ago when Newgrounds was the in-thing, someone got upset at people for making the claim that there were a lot of Californians online. This led to the Midwestern netizen forced meme that quickly died out.

The claim of being Midwestern is actually a good ploy when covering up your tracks. The Midwestern accent (https://en.wikipedia.org/wiki/Midwestern_accent) is easy to mimic and if you watch some YouTube videos (https://www.youtube.com/watch?v=-DlxCDlIfh0), you should find yourself being able to pick it up and force it when need be. Ideally you should never let anyone see your face or hear your voice, yet it does come in handy just in case.
Mix the various “Midwestern quirks” with setting all your accounts’ time zones to “Central” and keeping tabs of the time (https://www.worldtimezone.com/time/wtzresult.php?CiID=32119) (Always pick a random city or state in the Midwest) and mix in some research on “College towns” (https://www.collegeraptor.com/college-rankings/best-colleges-in-the-midwest/)… you should be able to spice up your bios and descriptions with something akin to a specific college team or name dropping a college or university that you go to and study at.

So when you log off or leave your account, stating something like “OMFG! It’s 12:30 am! I have to go and sleep! I have a compsci class @ 9!” Keep this up with several accounts, adding in the oddball California town or Florida town, and you’ll have created enough static to keep people scoping out the wrong area for information.

Though keep in mind that a lot of plant life in the Midwest tends to spread out into non-Midwestern areas. Take a picture or two of common plants around the US that appear in the Midwest, too. Figure out what’s a common park or nature preserve in the area of your false town/city and look at the common trees or plants in the area. Take a picture of something that is in your area that is in that area, too, and tag it with #Yellowstone park or whatever is popular in that area. And suddenly… you’re a Midwesterner grilling in sub-zero temperatures because you want your burger.

Don’t forget to show your almost zealous obsession and support for that area’s sports teams and no one is going to suspect a thing. Maybe spice in some local news from the area and make a comment on the weather (It isn’t that hard to look up a weather report through Google) and you’re good as gold. You’re a real Midwesterner now, bro.

=================================================
Be a Good Person, Share
The PB team has in their namesake PDF a guide on opting out of Google maps, among others.
Take the information for getting out of Google maps (and others) and make a flyer. Print it out, take it to Kinkos or some other print shop, or go to your local library and print some copies there. Make some wheat paste (shown below) and paste them all over your town (Put paste on wall and smooth, then put your poster up and slather on paste and smooth it on it too.). Soon a whole mess of people will be blurring out their houses on the online maps, and this in turn messes with the real estate sites to the point of anyone trying to look up your information finds a mass of blurred out houses. This causes a mix of the “Streisand effect” and reasonable deniability.

WHEAT PASTE HOW-TO

Flour (wheat works best)
Sugar
1 Cup of Water
Container with a lid

• Boil a cup of water.
• Put 3 tablespoons of flour into a bowl
• Add 10 teaspoons of cool water until it forms a runny mix
• Once the water has boiled, add the runny mix to the boiling water. Stir well!
• Keep stirring. The mixture will foam up while it boils, so the constant stirring is essential to keep it from bubbling over and to keep it from getting chunky.
• Keep the mixture boiling for 2 minutes.
• Take the boiled mix off the heat. Add 2 tablespoons or more of sugar (added strength)
• Let it cool. Pour into an appropriate container for carrying with you. It will keep well for about a week.
• Learn more @ https://destructables.org/destructable/wheatpaste-recipe-putting-postersbillboard-alterations
• Spray with a clear sealant or hairspray to help weatherize and make the poster last longer.

Police, military members, and their families can opt-out of a wealth of databases. Some take it to the extreme and have their houses blurred out. If enough people in your area begin to blur out their houses and look into other means of removing their information, you’ll soon see a bit of a trend that can affect several blocks when it comes to viewing houses on any online map.
This means that you can not only safely blur out yours but it’d be near impossible to guess whose house is whose. It’s only defeated if they have an address, and that’s if it’s actually your address to begin with. Let these people rant and rave as they knock or send a malicious package to the wrong house. If anything happens, since it broke into the realm of reality, they’ll end up being arrested and charged with several crimes.

Fun fact: Not many places care about doxing, especially the police. Most modern “dox” is openly available information. This is why you must work toward suppressing it through opting out of websites and databases. If someone takes it from the internet to the realm of reality, lawsuits and arrests can happen.

=================================================
Don’t Neglect Reality
No one’s denying the PB’s effectiveness when it comes to lessening the overall data of yours online, however until they discuss ways to limit information bleeding offline you’ll need to take a few extra precautions outside of creating noise and lessening your data. They do have a PDF on how your privacy’s invaded, yet that only covers so much.

Be a little bit nihilistic and apathetic. Don’t care as much and don’t react if you are doxed or someone gets a bit too close. Ignore them; work on lessening your information. In the offline realm however you should work on creating some good for yourself. This means work on cleaning up your neighborhood, keeping your property clean and being nice to your neighbors. Look into doing some volunteering and charity work. Create some good will toward yourself and lessen the general impact in case anything comes toward you and your life.

By doing this you can create a large support focus toward you and what good you’ve done. People will be in disbelief and outright call the claims made against you false.
Ever wonder why politicians and famous people, even the internet famous, never get much crap and have an unusually large support behind them? What they do is quite simple: Act like a good person.

With a bit of charity under your belt and by observing social protocols enough by simply greeting people and saying your “Please” and “Thank yous” you’ll create an air of being someone half way decent. People will see this and any accusations made against you will result in either demand for blood or death of someone who dares attack you. Now you shouldn’t encourage the bloodlust or wanting of death, however simply using your time wisely and helping your community can act as a good cover. Someone comes around and harasses you; someone who might have power will come to your aid possibly.

It also doesn’t hurt to remove your information and have it replaced with falsified information. Check out https://reddit.com/r/freebies and keep an eye out for free magazine subscriptions. Fill out a few, regardless what they are, with your home address and a burner cell’s number. The name can be made up, possibly made to match the cultural and ethnic makeup of your area.

Think about it. What are the most common people in your immediate area? White? Black? Hispanic? It doesn’t matter as long as you pick the majority and follow suit with their name. It’ll help further push that static to help cover your tracks. So if you’ve a large number of Hispanic families in your area, using a Hispanic sounding first and last name on your free magazine subscriptions can help you replace all your removed database records with falsified ones.

Go the extra step, load up on other freebies. Anything you don’t need or want can be donated to a number of homeless shelters or shelters for women and/or children. Gives you an extra push in being a good person too!
=================================================
Afterword
Outside of following the PB’s advice, using a VPN, a non-proprietary OS and not touching social media there’s not much else you can do. While being deceptive and sprinkling lies and half truths into your conversations and online shenanigans helps, most of us who were born in the 80s and 90s have screwed up royally and will never truly be un-doxable or secure. Work toward anonymity and spread the PB’s information to as many people as you can.

I should note however that your text and how you type can give you away too. Look into using a text editor and use Basic English spelling and grammar. Mix in some chat speak and some texting quirks and you should be able to keep the personas even more separated and unique.
5 notes · View notes