#I have use free and paid protonmail at times
Note
Free Protonmail has a lot of limits though, really only good for minor things, you can't do many rules to sort into folders etc. Plus the UX isn't super great (though much better than in the past). For me free Protonmail would never be usable for my main email.
If you can afford to pay I highly recommend Fastmail or other paid email. Paid protonmail could work, but even then other ones have better UX.
Are there any email services you recommend? I'd love to ditch my gmail and maybe my outlook too.
Protonmail! I recommend protonmail!
There is some prior history where you'll see people complaining that protonmail shared customer data but the data they shared is data that is 100% necessary to be unencrypted as a result of email protocol and cannot be hidden even in extremely secure email (that protocol is why email is inherently insecure and if you want a secure messaging tool just use signal). As a result of the subpoena that forced them to share that data, they changed their retention policy in favor of keeping less data to better protect users.
WEIRD side issue: I've created a few online shopping accounts that did not allow me to create an account with a protonmail address; it's worthwhile to keep a throwaway gmail for exactly those kinds of things and those kinds of things only.
#Fastmail is what I use#Previously used gmail and before that yahoo and Netscape and Hotmail and ISP email#I have use free and paid protonmail at times#I haven't use the other big paid providers#Though a number of them seem like they would be quite good#Have also used company exchange/outlook#And company gmail#Never used non-company outlook.com
296 notes
Text
A supermassive data leak has been discovered (the biggest ever in fact.) : what does it mean and what to do?
(This is a small amateur post by someone interested in privacy and safety online and that wants to encourage good habits. And with this new leak, it is a good time to remind people of a few basic habits to have online. This is meant to be accessible as much as possible and the list of tips is non-exhaustive.) (+See the end for a few of the sources used)
A new data leak of 12 terabytes of information, some compiled from previous data breaches, has been publicly posted and exposed. A lot of big websites are concerned, such as : weibo, tencent, twitter, Adobe, Wattpad, MySpace, Deezer, LinkedIn, Canva, Dropbox, Telegram.... So yeah. You are very likely to be concerned.
How to know if you are concerned?
The website Cybernews proposes a tool to easily search if you're concerned by the data leak and there is also the classic Have I Been Pwned. You can also check the leaked data yourself.
In any case, don't panic. If you're concerned start by changing your passwords (your email's password too. Especially this one.) and maybe look into improving your habits online.
Some tips to improve your safety online
Whether you're concerned or not by the data breach, there are some easy tips and habits you can use to improve your security.
- DO NOT USE THE SAME PASSWORD ON EVERY WEBSITE.
- DO NOT use a SIMILAR password with only slight differences and the same method to create it either !!!!
- DO use a strong password: long (like at least 10 characters), complex with several letters (lower and upper case), several numbers and other characters in a random/complex order. You can also use a sentence as a password (complexified ofc) for example.
- Enable two-factor authentication when you can.
- I advise using a password manager if you can and want. Choose wisely but there are some great options, with free and premium possibilities such as Dashlane, Bitwarden, 1Password or the recent ProtonPass. Be careful to choose a very strong master password that you'll be able to memorize!
- Bonus: use aliases for your emails (for example via SimpleLogin)
To learn more + resources that I personally like :
- Cybernews' article on this data leak
- Forbes' article
- NBTV : a YouTube channel, they're also on other platforms, that educates on the subjects of privacy and safety online.
- Proton: a Swiss-based society that proposes several privacy-based services such as ProtonMail, ProtonPass, Proton Drive, ProtonVPN... The free options are already quite interesting imo but you can also upgrade to a paid plan for additional storage and more options (they are often on sale and if you use them they are worth it). (There are other options if you prefer)
- SimpleLogin: allows you to create multiple aliases for the same mail address (there are other options)
#privacy#data leak#twitter#wattpad#yeah it's not the content I usually talk about but it's a very important subject to me#feel free to add your own tips#it's more of a quick informative post to gives some tips on how to start a started pack for online safety#cybersecurity#online safety
4 notes
Text
da shillzone
just gonna make a fucking. megapost of affiliate and referral links for anyone who wants to support me and also get deals or whatever. i'm gonna try to be pretty clear about what i get for things also.
you get a thing, i get a thing:
Mubi: it's not movies, it's cinema (it's movies). Use my link and we both get a free month.
Reel Paper: it's bamboo toilet paper with no plastic packaging and so far it's been the only one I like. It's a subscription and also spendy compared to regular toilet paper but I'm spoiled now. Use my link and we both get $15 off.
MeUndies: it's the fucking podcast underwear. I know. I know. They had a Halloween collection and I'm weak. It's so comfy I'm mad about it. Use my link and you get 20% off your first order, I get a $20 credit, enough to buy One Whole Underwear.
HelloFresh: pretty sure they fucking suck on labor issues so I wouldn't link it but I can't say no to free food. They say my promo link gets you a free box but I'm pretty sure that's a lie and you actually get 50% off your first two boxes. Anyway using this link gets me a $35 credit.
Unique Vintage: it's clothes, I like the collabs and am still mad about missing out on the Pusheen skirt. Don't buy anything full price imho, quality can vary WILDLY. My link will get you $10 off a $75 order and I get a $10 credit. Not the best deal but whatever.
YNAB: I was spending too much money on podcast underwear so I signed up for You Need A Budget to trick me into thinking money is real. So far it is the first thing to have ever successfully tricked me into treating money as real, and my debt situation has improved exponentially. It's $15 a month or $99 a year and my link gets you a free month, if you sign up after the trial I also get a free month.
ProtonMail: privacy-focused alternative to gmail, switching is easy peasy and it's free. Use my link to get a free month of the fancy paid version, and if you decide to sign up I get $10 off my renewal (because I pay for the fancy version).
i get straight cash:
Humble Bundle and the Humble Store: use my link to buy some video games or bundles and I get a cut. This is literally the only referral program that pays me worth a damn. Runs into trouble with some adblockers, though, so that sucks.
the amazon quarantine:
amazon sucks and doesn't pay for shit except 'bounties' so ignoring all of this is fine actually. i get pennies for most things. it's bad.
Here's the fucking. 'influencer page' that Amazon gave me. I don't really know how it works. Anyway the rest of this is bounties.
You can use SNAP EBT on Amazon, apparently if you register a card using my link I get five bucks.
Audible Plus, if you use my link and sign up for a free trial I get $5 and if you actually pay I get another $10.
Audible Premium Plus is the same deal.
Amazon Prime Video, I get $3 if you sign up for a free trial.
Audible Gift Subscription, buy one for someone and I get either $8 or $10 depending on whether it's 12 months or not.
non-referral gifts:
maybe you would rather just send me a dollar or some cookies or whatever so i'll put all that here
Here's my ko-fi
Here's my Amazon wishlist, I have the occasional expensive thing on there because I also use it for things I plan to buy myself eventually
Here's my Throne, I have surprise gifts enabled so in theory you can send me random weird shit as a prank if that's something that appeals to you. I put a baja blast caffeine vape on here one time as a joke and someone bought it for me.
#original#affiliate links jsyk#shillzone#i wanted to have these all in one place even though it's probably a bad look lmao
646 notes
Text
DDG still isn't as good as Google search used to be, but Google has gotten so much worse, DDG is generally close enough to be a good replacement.
One of the toughest things is a good email provider alternative to gmail. Some people use Protonmail free tier, but I find it rather awkward for everyday use. Granted the Gmail interface has become downright bad, so there is that. I use Fastmail, but you have to pay for it... If you can afford it though, I do highly recommend a *paid* email provider and a custom domain to go with it (both are fairly cheap all things considered).
Then you can get your mail at [email protected], and even be able to switch which email provider you use without switching your email address. There are quite a few good paid email providers out there. And if you have a domain for email, then you could at any time put a personal home page if you want, there are all kinds of great ways to do that, across a range of skill levels and costs (including free ways)
you can switch to firefox you can install ublock origin you can learn html you can delete tiktok you can read wikipedia just for the fun of it you MUST kill your google brand loyalty where it stands before it can harm you more. the internet is such a beautiful place if only you learn to see and use it right
#internet#www#computers#de-corporatize the internet#at least for you#(I mean we should also trust bust the big companies but that's another matter)
38K notes
Note
any recommendations for alternatives to using gmail?
protonmail. i'll say it a million times protonmail. secure, encrypted on their servers so even if they wanted to read your emails they can't. free tier with plenty of features and capability and paid tier if you want extra stuff or to support.
I use protonmail for all my personal email, have done for several years, and I've never had an issue.
Also ties into proton drive which is under development, there's proton calendar to replace your google calendar, and i love protonVPN because it (at the paid tier im on) blocks ads in mobile games and on the web.
I'm a massive advocate for proton stuff. it's great.
3 notes
Text
One problem I've noticed that I *think* is a component of life in a post-pandemic fully online world, is an increase in businesses talking to me as if I am a business too. UPS is a major offender; like, I mail one small birthday present to a friend a couple times a year, and somehow that tells UPS that they can do B2B sales with me, and they email me every day for the rest of my life trying to get me to join these webinars they're hosting about how to grow my small business with them or whatever. It's like...who is getting paid for this total waste of motion, even if it's just a numbers game, literally what are the odds that the anonymous low volume private customer they're emailing is also a small business owner, or a vendor manager for a corporation, or ANYONE who would buy into UPS's rolling TED talk about modern commerce? I mean if they send this email to every single person who has used UPS, what percentage of those emails reach someone who wants to pay for business services? Zoom also does this to me all the time, they seem to assume that with everyone in the world practically forced to use their product just to have a social life, it's worth relentlessly emailing anonymous free-tier users just in case one of us just happens to be in the market for subscription packages full of "tools" and clinics and workshops that help small businesses adapt to These Unprecedented Times. At my free Protonmail account, which is supposedly all about privacy, and which I only use to email about eight people who have that address, I get all kinds of spam from Protonmail itself about how it can help me do better business. Just now I got a solicitation from YouTube, which I barely use, offering me all kinds of shit to help me Create Content and Build My Brand and all this shit. I mean, I'm alive, I've been bombarded with junk mail my whole life, but never before have I had so many businesses treat me like I, too, am a business. 
Actually, I don't think I've ever had any businesses assume that I am a business. They must all feel like they're running out of shit to sell, so maybe if they can hypnotize me into thinking that I should start a business, then I'll develop all sorts of needs I never had when I was just a normal customer, and they'll be able to sell me more shit.
#i mean i kind of get YouTube because social media would be literally nothing without users uploading content for free#but still#i get SO MANY small business webinar invitations now and i wish i could just tell someone that i am specifically not good for this
7 notes
Text
Night Road quote text dump, because I've been deluging a friend with quotes and want a place to keep them all.
We're a bit like that, yeah:
They direct you to a hulking Malkavian named Severian, and the sullen giant directs you in turn to Gibberish Mike.
Fortunately, it turns out that "Gibberish" Mike is just Australian.
Practical concerns:
"That's it!" Elena says, leaning over your shoulder. "That's his yacht. Oh, and this is all about him. Very useful." She snaps a picture of the email with her phone, then the two of you get out of there before the technician returns. You head down the elevator and then back to Elena's Datsun.
You're so pleased by how well that went that it takes you a few minutes to remember you're in Arizona.
"His yacht?" you finally ask.
Fun with bungalow ownership:
After a day of fitful dreams, you throw on your leather jacket and engineer boots and get ready for another night. You step outside to check your Integra. A neighbor parks next door in her Ford Super Duty and gives you a friendly little wave. You've been practicing this. You're ready.
"Howdy, neighbor."
"Howdy!" she responds before heading inside.
Fucking nailed it. You're one of them.
This is legitimately how I got the Messy Critical achievement:
You grab a hoe.
You rip through the underbrush with savage efficiency, staying a few steps ahead of the pushcart as Julian scans. You work in a trance, chopping and hammering. Only when you hear Julian shouting do you realize that you're holding a busted length of wood.
The head of your hoe is buried in the beautiful round black door of Prince Lettow's Rolls-Royce.
Raúlblocked:
You head to Raúl's place, but he's not there. You find a note hidden above the door that reads, "Problems in Phoenix. (Jesus Christ has returned? Stole a car?) Contact me right away for major jobs and I'll come back. Already missing you." And there's a ProtonMail address with some of the security contact codes you agreed upon earlier.
But it looks like Raúl will be occupied dealing with the Lord and His automotive crimes, and he won't be able to wander around Tucson with you.
Pattermuster doesn't get paid enough:
"Hello? What? Well, the blood can't be 'everywhere.' Surely that's an exagger—okay—okay, fine. Okay. Okay, I'll get—okay. Five minutes. What? No, Sissy Spacek. No, Sissy—you're thinking of Rosemary's Baby. No, Carrie had the prom scene. With all the pig's—yes, it was Sissy Spacek, I'm sure. That much blood? Jesus. Okay, hold—five—okay, five minutes."
Valid question:
Do they teach ax fighting at Quantico?
Julian Meyer:
"Man, it's been a while," Julian says, leaning against your door frame. "I remember the nights we spent keeping that elder asleep with offerings of blood, the days curled up together in the desert. Wasn't it romantic?"
"That never happened, Julian. You made up our relationship and tried to sell it as a novel until the old Prince of Tucson threatened to execute you."
"Vampire romance was big at the time," Julian says with a shrug. "And I changed our names. I still don't know why no one wanted to buy it."
Dammit I thought I was done with uni:
"Awful," Dr. Caul says with a little shudder. "But now your real studies can begin."
Your real studies consist of a syllabus (thirty pages) and a trunk full of books (35,000 pages).
"Are you disappointed, Rook?" she says with a little laugh. "Were you expecting something more mystical? A bolt of cosmic enlightenment? A conversation with your Holy Guardian Angel, who would reveal the answers you seek?" She bangs the trunk as technicians get ready to load it into your car. "Get reading."
An enthusiastic boss:
You reunite with Pattermuster down in the morgue, where he's pumping his fists as a thin-blood on a gaming laptop watches with a worried expression because she can't tell if he's incredibly happy or insanely mad.
"Rook!" Pattermuster shouts, his eyes full of Blood, "you did it! You brilliant child, you did it! We're safe. Oh, thank God, we're safe." He pulls you into an embrace, then punches a brick wall because he's so happy, showering all three of you in dust.
I thought that was Finland?:
You catch all sorts of whispered gossip as you cross the rooftop garden.
"Camp Scheffler?"
"Gone. That Outlander courier had something to do with it."
"I heard the Russians helped the SI burn it down."
"That's ridiculous. There's no such thing as Russians."
Pot, kettle:
"Julian," the Eagle Prince says, "you will locate Reremouse with the equipment Vane brought. Once we find him, we will strike shortly before dawn. I have prepared a stake sufficient to pierce even his old hide."
"That easy, huh?" Julian says.
"No, but—"
"Your plan is ridiculous, convoluted, and dangerous," Julian says.
"And you have a better one?"
"Absolutely," Julian says. "We use Stonehenge to teleport him to Mesopotamia."
The must-have appliance:
He's a black outline in the glow of a single yellow bulb... and then the bats descend.
And then the bats get torn to pieces, because Pattermuster pulls his two katanas out of nothing and turns into an undead Cuisinart for a few seconds.
But aesthetic:
Leave it to a vampire to bring a sword to a gunfight.
It is pretty cool though:
"Oh my God," Julian says. "You're going to use the car engine to fling Prometheus into Reremouse's heart."
"Dammit, Julian, I am not doing this because it's fun. I am scrambling for every advantage I can because we only have one chance to stop Reremouse, and if we fail, the Second Inquisition will descend on us like wolves on a wounded deer."
"It's still cool," Julian mutters.
A e s t h e t i c:
The Camarilla looks unkindly on vampires who dress like Elvira, Mistress of the Dark, but what's the point of being dead if you can't look the part?
#JustToreadorThings:
You sleep badly and awaken to an aching and acute Hunger that crowds out other thoughts. But when you approach the Rolls-Royce, you find Lettow and Julian seated on a blanket, evidently in fine spirits. They're holding stainless steel mugs as they watch the last purple streaks fade from the western sky. There's something perfect about the composition before you: the two Kindred in their working clothes with their backs to you, the blue-black clouds, the faraway mesas framing the scene.
"I fear we've lost the Aesthete," Lettow muses. "Luka? Luka!"
It's just good sense:
A lot of keypads use 0911 as an emergency override for police and fire. That doesn't work, but a common default password causes the elevator doors to slide right open.
Change your defaults, people.
They draw the line at 31%:
Not all problems can be solved by putting a brick through a window, but at least 30 percent can.
Descriptive:
That's when your Nissan makes a sound like a bunch of typewriter keys dropped in a blender, and the whole truck lurches to a halt.
Munch munch:
"There are tags attached to all the payroll numbers," you say. "FNMA. PFC. What are they?"
"FNMA?" Antonio says. "That's Fannie Mae. The loan commission. Privatized in 1968. PFC…"
"Pavlodar Fried Chicken," Janet says. "Damn Commies."
Courier what did you do:
When you try to start your Mercedes, it vomits black smoke. That's not good. You kill the engine.
"Pop the hood," Julian says. "I'll get it up and running."
He checks the motor. There's a long pause.
"Did you melt a bunch of cheese in here or something, Vane?"
“I remember crawling out of a Nieuport 20 outside Gibraltar," Prince Lettow says. "The engine looked like that. Of course, ours had been on fire."
"Engine looks like Vane fed a bunch of sardine cans into a paper shredder," Julian says.
Almost!:
So Lettow is cute. I'm going to talk to him and see if he might be interested in a handsome young courier who almost has his own car.
Scientist life:
A beaker of cold coffee on her desk has a pencil in it; she flicks the pencil away and drains the entire beaker, then looks you in the eyes.
Domesticity:
"Wow, Vane," the Banu Haqim says, "did you finally settle down. Where's the wife and kids? Why don't you get me a beer, and we can talk about football and quote some Bible verses at each other?"
I really want to know where the fake werewolf came in:
"...so the whole fucking Cadillac is on fire, and I'm kicking and kicking, trying to get the window to break!" Dove says.
"Right, right, because —" You're trying to follow this story, and it isn't easy.
"Because I'm still handcuffed to the guy who was pretending to be a werewolf, right. And I finally kick through the window, rip half the dead fake werewolf's arm off to get free — I'm out of my fucking mind now, with all the fire — and I finally crawl out of the car."
"And get clear before it — do they blow up?"
"Escalades? I dunno, probably not," Dove says. "But anyway, I'm finally clear, so I run across the parking lot, laughing because I'm just thrilled not to have met final death chained up to that guy. And I barely have time to look up before Lettow comes screaming around the corner in a Ford Bronco with the lights off and runs me over. I was in the wrong Cadillac the whole time."
"No!"
"Two black Cadillac Escalades in the parking lot of the Marriott," Dove says. "How was I supposed to know which one — anyway, that's why I don't get to drive anymore. That's why Lettow wants assholes like you driving."
"Driving what?" you ask. "Because I need a car."
Dove shakes her ugly head. "I'll get you something. Give me a few hours to work on it, and I'll send someone to find you."
Cars are everything:
You still don't know how Julian plans to go from "divert a few funds and data streams from the Camarilla" to "transform the global information panopticon in a way that ends the Masquerade but keeps vampires safe," but he has a nicer car than last time, so he must be doing something right.
Guys please be nice to Raul:
"There appears to be a vampire hunter outside," he says, "investigating your electric vehicle."
"Send your bird to peck his eyes out," Julian says. "I'm not going outside until I find my sneakers."
Cheese?:
Over the next few minutes, you cough up a glorious wad of bullshit involving MKUltra, the Philadelphia Experiment, Star Wars (the movie), Star Wars (the Reagan-era government program), Jackson Pollack's CIA connections, the history of federal cheese, and the secret mastermind behind the seventies gas crunch.
In fairness it's a pretty rare sound:
You're way up in Limberlost, near the mall and the Walmart, when Riga settles on the roof of a Safeway. You reverse into the parking lot in case you need to get out fast and scan the cars at the pumps. It looks quiet. Then you hear a faint ringing.
The sound is musical, hypnotic. It reminds you of your childhood, and for a long time you just sit there in the driver's seat, remembering what it was like to be alive. But what is that sound? What memory from…?
Oh, right.
The pay phone next to the ice merchandiser is ringing.
It's a skill!:
Not every member of Clan Toreador joins their august ranks because of their great beauty or artistic genius. Some people end up vampires because of their extensive knowledge of Adobe After Effects.
Big Pirates of the Caribbean energy:
"I'd kind of like to give Lettow here a horse and a sword and let him tear through an entire police barracks," Julian says. "Tell me that wouldn't be fun."
"One thing I learned from Napoleon," Lettow says, "is that the most powerful cannon is useless if you cannot see your target. We know the location of one small encampment. That isn't enough to start shooting."
"You knew Napoleon?" Julian asks.
"Napoleon was my horse," Lettow says.
25 notes
Text
“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”
DarkSide soon proved it wasn’t bluffing, unleashing a string of attacks. This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500 mile pipeline that carries 45% of the fuel used on the East Coast, quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast and closures of thousands of gas stations. Absent Bitdefender’s announcement, it’s possible that the crisis might have been contained, and that Colonial might have quietly restored its system with Wosar and Gillespie’s decryption tool.
Instead, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told The Wall Street Journal.
The missed opportunity was part of a broader pattern of botched or half-hearted responses to the growing menace of ransomware, which during the pandemic has disabled businesses, schools, hospitals and government agencies across the country. The incident also shows how antivirus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyber-warfare: Don’t let your opponents know what you’ve figured out. During World War II, when the British secret service learned from decrypted communications that the Gestapo was planning to abduct and murder a valuable double agent, Johnny Jebsen, his handler wasn’t allowed to warn him for fear of cluing in the enemy that its cipher had been cracked. Today, ransomware hunters like Wosar and Gillespie try to prolong the attackers’ ignorance, even at the cost of contacting fewer victims. Sooner or later, as payments drop off, the cybercriminals realize that something has gone wrong.
Whether to tout a decryption tool is a “calculated decision,” said Rob McLeod, senior director of the threat response unit for cybersecurity firm eSentire. From the marketing perspective, “You are singing that song from the rooftops about how you have come up with a security solution that will decrypt a victim’s data. And then the security researcher angle says, ‘Don’t disclose any information here. Keep the ransomware bugs that we’ve found that allow us to decode the data secret, so as not to notify the threat actors.’”
In a post on the dark web, DarkSide thanked Bitdefender for identifying a flaw in the gang’s ransomware. (Highlight added by ProPublica.)
Wosar said that publicly releasing tools, as Bitdefender did, has become riskier as ransoms have soared and the gangs have grown wealthier and more technically adept. In the early days of ransomware, when hackers froze home computers for a few hundred dollars, they often couldn’t determine how their code was broken unless the flaw was specifically pointed out to them.
Today, the creators of ransomware “have access to reverse engineers and penetration testers who are very very capable,” he said. “That’s how they gain entrance to these oftentimes highly secured networks in the first place. They download the decryptor, they disassemble it, they reverse engineer it and they figure out exactly why we were able to decrypt their files. And 24 hours later, the whole thing is fixed. Bitdefender should have known better.”
It wasn’t the first time that Bitdefender trumpeted a solution that Wosar or Gillespie had beaten it to. Gillespie had broken the code of a ransomware strain called GoGoogle and was helping victims without any fanfare, when Bitdefender released a decryption tool in May 2020. Other companies have also announced breakthroughs publicly, Wosar and Gillespie said.
“People are desperate for a news mention, and big security companies don’t care about victims,” Wosar said.
Bogdan Botezatu, director of threat research at Bucharest, Romania-based Bitdefender, said the company wasn’t aware of the earlier success in unlocking files infected by DarkSide. Regardless, he said, Bitdefender decided to publish its tool “because most victims who fall for ransomware do not have the right connection with ransomware support groups and won’t know where to ask for help unless they can learn about the existence of tools from media reports or with a simple search.”
Bitdefender has provided free technical support to more than a dozen DarkSide victims, and “we believe many others have successfully used the tool without our intervention,” Botezatu said. Over the years, Bitdefender has helped individuals and businesses avoid paying more than $100 million in ransom, he said.
Bitdefender recognized that DarkSide might correct the flaw, Botezatu said. “We are well aware that attackers are agile and adapt to our decryptors.” But DarkSide might have “spotted the issue” anyway. “We don’t believe in ransomware decryptors made silently available. Attackers will learn about their existence by impersonating home users or companies in need, while the vast majority of victims will have no idea that they can get their data back for free.”
The attack on Colonial Pipeline, and the ensuing chaos at the gas pumps throughout the Southeast, appears to have spurred the federal government to be more vigilant. President Joe Biden issued an executive order to improve cybersecurity and create a blueprint for a federal response to cyberattacks. DarkSide said it was shutting down under U.S. pressure, although ransomware crews have often disbanded to avoid scrutiny and then re-formed under new names, or their members have launched or joined other groups.
“As sophisticated as they are, these guys will pop up again, and they’ll be that much smarter,” said Aaron Tantleff, a Chicago cybersecurity attorney who has consulted with 10 companies attacked by DarkSide. “They’ll come back with a vengeance.”
At least until now, private researchers and companies have often been more effective than the government in fighting ransomware. Last October, Microsoft disrupted the infrastructure of Trickbot, a network of more than 1 million infected computers that disseminated the notorious Ryuk strain of ransomware, by disabling its servers and communications. That month, ProtonMail, the Swiss-based email service, shut down 20,000 Ryuk-related accounts.
Wosar and Gillespie, who belong to a worldwide volunteer group called the Ransomware Hunting Team, have cracked more than 300 major ransomware strains and variants, saving an estimated 4 million victims from paying billions of dollars.
By contrast, the FBI rarely decrypts ransomware or arrests the attackers, who are typically based in countries like Russia or Iran that lack extradition agreements with the U.S. DarkSide, for instance, is believed to operate out of Russia. Far more victims seek help from the Hunting Team, through websites maintained by its members, than from the FBI.
The U.S. Secret Service also investigates ransomware, which falls under its purview of combating financial crimes. But, especially in election years, it sometimes rotates agents off cyber assignments to carry out its better-known mission of protecting presidents, vice presidents, major party candidates and their families. European law enforcement, especially the Dutch National Police, has been more successful than the U.S. in arresting attackers and seizing servers.
Similarly, the U.S. government has made only modest headway in pushing private industry, including pipeline companies, to strengthen cybersecurity defenses. Cybersecurity oversight is divided among an alphabet soup of agencies, hampering coordination. The Department of Homeland Security conducts “vulnerability assessments” for critical infrastructure, which includes pipelines.
It reviewed Colonial Pipeline in around 2013 as part of a study of places where a cyberattack might cause a catastrophe. The pipeline was deemed resilient, meaning that it could recover quickly, according to a former DHS official. The department did not respond to questions about any subsequent reviews.
Five years later, DHS created a pipeline cybersecurity initiative to identify weaknesses in pipeline computer systems and recommend strategies to address them. Participation is voluntary, and a person familiar with the initiative said that it is more useful for smaller companies with limited in-house IT expertise than for big ones like Colonial. The National Risk Management Center, which oversees the initiative, also grapples with other thorny issues such as election security.
Ransomware has skyrocketed since 2012, when the advent of Bitcoin made it hard to track or block payments. The criminals’ tactics have evolved from indiscriminate “spray and pray” campaigns seeking a few hundred dollars apiece to targeting specific businesses, government agencies and nonprofit groups with multimillion-dollar demands.
Attacks on energy businesses in particular have increased during the pandemic — not just in the U.S. but in Canada, Latin America and Europe. As the companies allowed employees to work from home, they relaxed some security controls, McLeod said.
Since 2019, numerous gangs have ratcheted up pressure with a technique known as “double extortion.” Upon entering a system, they steal sensitive data before launching ransomware that encodes the files and makes it impossible for hospitals, universities and cities to do their daily work. If the loss of computer access is not sufficiently intimidating, they threaten to reveal confidential information, often posting samples as leverage. For instance, when the Washington, D.C., police department didn’t pay the $4 million ransom demanded by a gang called Babuk last month, Babuk published intelligence briefings, names of criminal suspects and witnesses, and personnel files, from medical information to polygraph test results, of officers and job candidates.
DarkSide, which emerged last August, epitomized this new breed. It chose targets based on a careful financial analysis or information gleaned from corporate emails. For instance, it attacked one of Tantleff’s clients during a week when the hackers knew the company would be vulnerable because it was transitioning its files to the cloud and didn’t have clean backups.
To infiltrate target networks, the gang used advanced methods such as “zero-day exploits” that immediately take advantage of software vulnerabilities before they can be patched. Once inside, it moved swiftly, looking not only for sensitive data but also for the victim’s cyber insurance policy, so it could peg its demands to the amount of coverage. After two to three days of poking around, DarkSide encrypted the files.
“They have a faster attack window,” said Christopher Ballod, associate managing director for cyber risk at Kroll, the business investigations firm, who has advised half a dozen DarkSide victims. “The longer you dwell in the system, the more likely you are to be caught.”
Typically, DarkSide’s demands were “on the high end of the scale,” $5 million and up, Ballod said. One scary tactic: If publicly traded companies didn’t pay the ransom, DarkSide threatened to share information stolen from them with short-sellers who would profit if the share price dropped upon publication.
DarkSide’s site on the dark web identified dozens of victims and described the confidential data it claimed to have filched from them. One was New Orleans law firm Stone Pigman Walther Wittmann. “A big annoyance is what it was,” attorney Phil Wittmann said, referring to the DarkSide attack in February. “We paid them nothing,” said Michael Walshe Jr., chair of the firm’s management committee, declining to comment further.
Last November, DarkSide adopted what is known as a “ransomware-as-a-service” model. Under this model, it partnered with affiliates who launched the attacks. The affiliates received 75% to 90% of the ransom, with DarkSide keeping the remainder. As this partnership suggests, the ransomware ecosystem is a distorted mirror of corporate culture, with everything from job interviews to procedures for handling disputes. After DarkSide shut down, several people who identified themselves as its affiliates complained on a dispute resolution forum that it had stiffed them. “The target paid, but I did not receive my share,” one wrote.
Together, DarkSide and its affiliates reportedly grossed at least $90 million. Seven of Tantleff’s clients, including two companies in the energy industry, paid ransoms ranging from $1.25 million to $6 million, reflecting negotiated discounts from initial demands of $7.5 million to $30 million. His other three clients hit by DarkSide did not pay. In one of those cases, the hackers demanded $50 million. Negotiations grew acrimonious, and the two sides couldn’t agree on a price.
DarkSide’s representatives were shrewd bargainers, Tantleff said. If a victim said it couldn’t afford the ransom because of the pandemic, DarkSide was ready with data showing that the company’s revenue was up, or that COVID-19’s impact was factored into the price.
DarkSide’s grasp of geopolitics was less advanced than its approach to ransomware. Around the same time that it adopted the affiliate model, it posted that it was planning to safeguard information stolen from victims by storing it in servers in Iran. DarkSide apparently didn’t realize that an Iranian connection would complicate its collection of ransoms from victims in the U.S., which has economic sanctions restricting financial transactions with Iran. Although DarkSide later walked back this statement, saying that it had only considered Iran as a possible location, numerous cyber insurers had concerns about covering payments to the group. Coveware, a Connecticut firm that negotiates with attackers on behalf of victims, stopped dealing with DarkSide.
Ballod said that, with their insurers unwilling to reimburse the ransom, none of his clients paid DarkSide, despite concerns about exposure of their data. Even if they had caved in to DarkSide, and received assurances from the hackers in return that the data would be shredded, the information might still leak, he said.
During DarkSide’s changeover to the affiliate model, a flaw was introduced into its ransomware. The vulnerability caught the attention of members of the Ransomware Hunting Team. Established in 2016, the invitation-only team consists of about a dozen volunteers in the U.S., Spain, Italy, Germany, Hungary and the U.K. They work in cybersecurity or related fields. In their spare time, they collaborate in finding and decrypting new ransomware strains.
Several members, including Wosar, have little formal education but an aptitude for coding. A high school dropout, Wosar grew up in a working-class family near the German port city of Rostock. In 1992, at the age of 8, he saw a computer for the first time and was entranced. By 16, he was developing his own antivirus software and making money from it. Now 37, he has worked for antivirus firm Emsisoft since its inception almost two decades ago and is its chief technology officer. He moved to the U.K. from Germany in 2018 and lives near London.
He has been battling ransomware hackers since 2012, when he cracked a strain called ACCDFISA, which stood for “Anti Cyber Crime Department of Federal Internet Security Agency.” This fictional agency was notifying people that child pornography had infected their computers, and so it was blocking access to their files unless they paid $100 to remove the virus.
The ACCDFISA hacker eventually noticed that the strain had been decrypted and released a revised version. Many of Wosar’s subsequent triumphs were also fleeting. He and his teammates tried to keep criminals blissfully unaware for as long as possible that their strain was vulnerable. They left cryptic messages on forums inviting victims to contact them for assistance or sent direct messages to people who posted that they had been attacked.
In the course of protecting against computer intrusions, analysts at antivirus firms sometimes detected ransomware flaws and built decryption tools, though it wasn’t their main focus. Sometimes they collided with Wosar.
In 2014, Wosar discovered that a ransomware strain called CryptoDefense copied and pasted from Microsoft Windows some of the code it used to lock and unlock files, not realizing that the same code was preserved in a folder on the victim’s own computer. It was missing the signal, or “flag,” in their program, usually included by ransomware creators to instruct Windows not to save a copy of the key.
Wosar quickly developed a decryption tool to retrieve the key. “We faced an interesting conundrum,” Sarah White, another Hunting Team member, wrote on Emsisoft’s blog. “How to get our tool out to the most victims possible without alerting the malware developer of his mistake?”
Wosar discreetly sought out CryptoDefense victims through support forums, volunteer networks and announcements of where to contact for help. He avoided describing how the tool worked or the blunder it exploited. When victims came forward, he supplied the fix, scrubbing the ransomware from at least 350 computers. CryptoDefense eventually “caught on to us ... but he still did not have access to the decrypter we used and had no idea how we were unlocking his victims’ files,” White wrote.
But then an antivirus company, Symantec, uncovered the same problem and bragged about the discovery on a blog post that “contained enough information to help the CryptoDefense developer find and correct the flaw,” White wrote. Within 24 hours the attackers began spreading a revised version. They changed its name to CryptoWall and made $325 million.
Symantec “chose quick publicity over helping CryptoDefense victims recover their files,” White wrote. “Sometimes there are things that are better left unsaid.”
A spokeswoman for Broadcom, which acquired Symantec’s enterprise security business in 2019, declined to comment, saying that “the team members who worked on the tool are no longer with the company.”
Like Wosar, the 29-year-old Gillespie comes from poverty and never went to college. When he was growing up in central Illinois, his family struggled so much financially that they sometimes had to move in with friends or relatives. After high school, he worked full time for 10 years at a computer repair chain called Nerds on Call. Last year, he became a malware and cybersecurity researcher at Coveware.
Last December, he messaged Wosar for help. Gillespie had been working with a DarkSide victim who had paid a ransom and received a tool to recover the data. But DarkSide’s decryptor had a reputation for being slow, and the victim hoped that Gillespie could speed up the process.
Gillespie analyzed the software, which contained a key to release the files. He wanted to extract the key, but because it was stored in an unusually complex way, he couldn’t. He turned to Wosar, who was able to isolate it.
The teammates then began testing the key on other files infected by DarkSide. Gillespie checked files uploaded by victims to the website he operates, ID Ransomware, while Wosar used VirusTotal, an online database of suspected malware.
That night, they shared a discovery.
“I have confirmation DarkSide is re-using their RSA keys,” Gillespie wrote to the Hunting Team on its Slack channel. A type of cryptography, RSA generates two keys: a public key to encode data and a private key to decipher it. RSA is used legitimately to safeguard many aspects of e-commerce, such as protecting credit numbers. But it’s also been co-opted by ransomware hackers.
“I noticed the same as I was able to decrypt newly encrypted files using their decrypter,” Wosar replied less than an hour later, at 2:45 a.m. London time.
Their analysis showed that, before adopting the affiliate model, DarkSide had used a different public and private key for each victim. Wosar suspected that, during this transition, DarkSide introduced a mistake into its affiliate portal used to generate the ransomware for each target. Wosar and Gillespie could now use the key that Wosar had extracted to retrieve files from Windows machines seized by DarkSide. The cryptographic blunder didn’t affect Linux operating systems.
“We were scratching our heads,” Wosar said. “Could they really have fucked up this badly? DarkSide was one of the more professional ransomware-as-a-service schemes out there. For them to make such a huge mistake is very, very rare.”
The Hunting Team celebrated quietly, without seeking publicity. White, who is a computer science student at Royal Holloway, part of the University of London, began looking for DarkSide victims. She contacted firms that handle digital forensics and incident response.
“We told them, ‘Hey listen, if you have any DarkSide victims, tell them to reach out to us, we can help them. We can recover their files and they don’t have to pay a huge ransom,’” Wosar said.
The DarkSide hackers mostly took the Christmas season off. Gillespie and Wosar expected that, when the attacks resumed in the new year, their discovery would help dozens of victims. But then Bitdefender published its post, under the headline “Darkside Ransomware Decryption Tool.”
In a messaging channel with the ransomware response community, someone asked why Bitdefender would tip off the hackers. “Publicity,” White responded. “Looks good. I can guarantee they’ll fix it much faster now though.”
She was right. The next day, DarkSide acknowledged the error that Wosar and Gillespie had found before Bitdefender. “Due to the problem with key generation, some companies have the same keys,” the hackers wrote, adding that up to 40% of keys were affected.
DarkSide mocked Bitdefender for releasing the decryptor at “the wrong time…., as the activity of us and our partners during the New Year holidays is the lowest.”
Adding to the team’s frustrations, Wosar discovered that the Bitdefender tool had its own drawbacks. Using the company’s decryptor, he tried to unlock samples infected by DarkSide and found that they were damaged in the process. “They actually implemented the decryption wrong,” Wosar said. “That means if victims did use the Bitdefender tool, there’s a good chance that they damaged the data.”
Asked about Wosar’s criticism, Botezatu said that data recovery is difficult, and that Bitdefender has “taken all precautions to make sure that we’re not compromising user data” including exhaustive testing and “code that evaluates whether the resulting decrypted file is valid.”
Even without Bitdefender, DarkSide might have soon realized its mistake anyway, Wosar and Gillespie said. For example, as they sifted through compromised networks, the hackers might have come across emails in which victims helped by the Hunting Team discussed the flaw.
“They might figure it out that way — that is always a possibility,” Wosar said. “But it’s especially painful if a vulnerability is being burned through something stupid like this.”
The incident led the Hunting Team to coin a term for the premature exposure of a weakness in a ransomware strain. “Internally, we often joke, ‘Yeah, they are probably going to pull a Bitdefender,’” Wosar said.
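The RSA key re-use described above, where builds for different victims carried the same key pair, can be modelled in a few lines. This is an added example, not code from the article or from the Hunting Team: it uses toy textbook RSA and a constructed file footer (the victim names, the check-value field and every key are assumptions) to show how responders can cluster samples by public-key fingerprint and see which victims a single recovered private key covers.

```python
"""Toy model of ransomware RSA key re-use across victims.

Everything here is constructed for illustration: the victims, the footer
layout and the small textbook-RSA keys (no padding; real keys are 2048+ bits).
"""
import hashlib
from collections import defaultdict

E = 65537
# Well-known primes, used only to get deterministic toy key pairs.
M61, M89, M107, M127 = 2**61 - 1, 2**89 - 1, 2**107 - 1, 2**127 - 1
P1305, P25519 = 2**130 - 5, 2**255 - 19


def make_keypair(p, q):
    """Return ((n, e), (n, d)) for textbook RSA built from primes p and q."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def fingerprint(pub):
    """Short stable identifier for a public key, used to cluster samples."""
    n, e = pub
    return hashlib.sha256(f"{n:x}:{e:x}".encode()).hexdigest()[:16]


def check_value(file_key):
    """Key check value stored beside the wrapped key (assumed footer field)."""
    return hashlib.sha256(file_key).hexdigest()[:16]


def encrypt_sample(victim, pub):
    """Model one encrypted file: a 16-byte file key wrapped with the build's public key."""
    n, e = pub
    file_key = hashlib.sha256(victim.encode()).digest()[:16]  # constructed key
    wrapped = pow(int.from_bytes(file_key, "big"), e, n)
    return {"victim": victim, "pub": pub, "wrapped": wrapped,
            "check": check_value(file_key)}


def try_unwrap(sample, priv):
    """Return the file key if priv unwraps this sample, else None."""
    n, d = priv
    m = pow(sample["wrapped"], d, n)
    if m >= 1 << 128:  # cannot be a 16-byte key, so this is the wrong private key
        return None
    key = m.to_bytes(16, "big")
    return key if check_value(key) == sample["check"] else None


def cluster_by_key(samples):
    """Map public-key fingerprint -> sorted victims whose builds embed that key."""
    clusters = defaultdict(set)
    for s in samples:
        clusters[fingerprint(s["pub"])].add(s["victim"])
    return {fp: sorted(v) for fp, v in clusters.items()}


def reused_clusters(samples):
    """Groups of victims that share one key pair (the flaw described above)."""
    return [v for v in cluster_by_key(samples).values() if len(v) > 1]


def recoverable_with(samples, priv):
    """Victims whose files a single recovered private key can unlock."""
    return sorted({s["victim"] for s in samples if try_unwrap(s, priv) is not None})


def build_demo():
    """Four constructed victims; victim-b and victim-c received the same key pair."""
    pub_a, priv_a = make_keypair(M61, M127)
    pub_shared, priv_shared = make_keypair(M89, M107)
    pub_d, priv_d = make_keypair(P1305, P25519)
    samples = [
        encrypt_sample("victim-a", pub_a),
        encrypt_sample("victim-b", pub_shared),
        encrypt_sample("victim-c", pub_shared),
        encrypt_sample("victim-d", pub_d),
    ]
    return samples, {"a": priv_a, "shared": priv_shared, "d": priv_d}


if __name__ == "__main__":
    samples, privs = build_demo()
    for fp, victims in cluster_by_key(samples).items():
        print(fp, victims)
    # The key taken from victim-b's decryptor also covers victim-c.
    print("shared key recovers:", recoverable_with(samples, privs["shared"]))
    print("victim-a key recovers:", recoverable_with(samples, privs["a"]))
```

With per-victim keys every cluster has one member and a recovered key helps only its owner; a cluster of two or more is the signal that one decryptor's key is worth testing against other victims' files.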
Text
TECH: DOUBLE EDGED SWORD.
WE ALL USE IT. MOST FOLKS HAVE SMARTPHONES, LAPTOPS, PCS, WHATEVER DEVICE THEY ACCESS THE NET WITH.
WE GOT OURS FOR PRACTICAL REASONS. HUBS IS PERMANENTLY DISABLED SO HE NEEDS TO KEEP IN TOUCH WITH HIS MED SPECIALIST AND FAMILY ABROAD (SINCE BREXIT MEANS WE CAN’T RESETTLE IN HIS COUNTRY AS AN INTACT FAMILY), ETC.
BANKING..NOW, BANKS REQUIRE YOU TO VALIDATE WHO YOU ARE BY PHONE *BEFORE* YOU CAN EVEN ACCESS YOUR FUCKING ACCOUNT!
DO YOU KNOW (AND THIS IS HOW OLD I AM) I ACTUALLY REMEMBER THE DAYS BANKS PRACTICALLY BEGGED YOU TO PUT YOUR CASH WITH THEM. THEY’D EVEN OFFER YOU BONUSES FOR DOING SO. AND NO, YOU DIDN’T NEED A PHONE TO BANK WITH THEM. NOW, MY HUSBAND’S BANK ACTUALLY CHARGES US FOR HAVING AN ACCOUNT WITH THEM! SOMETHING IS SERIOUSLY MESSED WITH THAT...
SOMEBODY NEEDS TO GIVE BANKS A GOOD KICK UP THE ERSE....
I ALSO FREELY ADMIT I DOWNLOAD THINGS I WANT TO WATCH. GAVE UP TV YEARS AGO WHEN YOU WERE GETTING HOUR LONG SHOWS IN WHICH HALF THE SHOW WAS ADS (AND THEY BLARED) AND, HAVING SMALL BAIRNS AT THE TIME, SEX PHONE ADS IN THE MIDDLE OF THE DAY.
AND OF COURSE, THE NEWS. ALWAYS THERE, ALWAYS DEPRESSING THE FUCK OUTTA YE....NOTHING GOOD ON TV. EVEN THE SOAPS, ONCE GOOD FOR THE ODD GIGGLE, GOT MISERABLE, “GRITTY AND REALISTIC” WHICH IS NETWORK-SPEAK FOR “DRUGS, DRINK, ABUSE AND SEX” AND THAT BROKE THEM.
THEN OF COURSE THERE WAS INDYREF 1 FOR SCOTLAND IN WHICH WESTMINSTER’S MOUTHPIECE, THE BBC, TOLD LIE AFTER LIE TO CHEAT SCOTLAND OF INDEPENDENCE. THE EVIDENCE IS THERE FOR THOSE THAT DENY IT. “PENSIONERS WILL LOSE THEIR PENSION UNDER A FREE SCOTLAND”
SHITE.
“SCOTLAND CAN’T SURVIVE FINANCIALLY WITHOUT ENGLAND’S YEARLY GRANT”
SHITE AND LIES..IT’S A RETURN OF A *TINY* PORTION OF OUR *OWN* TAXES, WHICH ARE PAID MORE OF THAN THE ENGLISH, AND NOT A GRANT. AND GIVE US OUR OIL PROFITS BACK YOU THIEVING BASTARDS.....WE’LL MANAGE JUST FINE.
OH WAIT..I KEEP FORGETTING I’M NO LONGER SCOTS, SORRY...SIGH.
BUT I WAS, ONCE....
ANYWAY, BACK TO TV. DAMNED IF I’D PAY A LICENSE FEE TO THE BBC. (STANDS FOR “BACKSTABBING B*STARD C*NTS”, SORRY FOR LANGUAGE. BUT AGAIN, IT’S JUSTIFIED)
SO I QUIT, IGNORED THE THREATS OF PROSECUTION ETC, LIT THE FIRE WITH THE THREATENING LETTERS, AND BEGAN DOWNLOADING WHAT I WANTED TO ACTUALLY WATCH, AS OPPOSED TO GOV AGENDA, DEPRESSING NEWS AND SAME OLD SAME OLD AMERICAN IMPORTED SHOWS. (TRY SOME SCANDINAVIAN OR GERMAN SHOW ...”DARK” IS A GOOD EXAMPLE) BE A BIT MORE CHOOSY ABOUT WHAT GOES INTO YOUR BRAIN. BECAUSE ONCE IT’S IN THERE, IT NEVER COMES OUT AGAIN. JUST SAYIN’....
AND THAT WAS THAT.
BUT NOW THEY’VE MADE IT SO THAT UTILITY COMPANIES AND OTHER NECESSITIES IF YOU LIVE IN A HOUSE CAN’T BE PAID FOR OTHER THAN THROUGH BANKING, MOSTLY ONLINE, AND FOR THAT MORE AND MORE BANKS INSIST ON YOU OWNING A SMARTPHONE AND GIVING THEM YOUR NUMBER. WHY IS THAT?
SO WE KEEP THE SMARTPHONE BUT MOSTLY, IT’S TURNED OFF, IN A PLASTIC BAG AND IN THE FRIDGE.
AYE, DAMN RIGHT I’M PARANOID. SICK AND TIRED OF THE HSE’S MESSAGES POPPING UP TELLING US TO DOWNLOAD THE COVID19 TRACKING APP WHICH I’VE ZERO INTENTION OF DOING (DOESNAE WORK AND IS NOTHING BUT SPYWARE)
AND FOR ACTUAL PHONE CALLS WE’VE A LANDLINE (AYE, WE’RE RETRO, OLD SKOOL) AND A NOKIA WHICH JUST TEXTS AND CALLS, THAT’S IT, FOR IF WE GO OUT.
WHICH WE DON’T NOW. LOCKDOWN AGAIN.
I AM NO TECHY SMART PERSON. QUITE THE OPPOSITE. BUT I’VE BEEN ONLINE SINCE THE LATE NINETIES. AND I REMEMBER HOW “FREE” THE NET ACTUALLY USED TO BE WHEN IT CAME TO SPEECH AND BROWSING.
NOW? IF YOU SO MUCH AS *LOOK* AT A PIC OF SOMETHING, YOU’RE GUARANTEED GOOGLE WILL SEND YOU, FIVE MINUTES LATER, AN AD RELATED SOMEHOW TO WHATEVER YOU LOOKED AT. GO ON AMAZON, BUY SOME KNICKERS, YOU’LL BE PLAGUED WITH KNICKER ADS FOR AT LEAST SIX MONTHS THEREAFTER....
SO I DELETED MY GOOGLE ACCOUNT. IT WAS DIFFICULT AND I’D TO GET MY DAUGHTER TO DO IT FOR ME. BECAUSE THEY *REALLY* DON’T WANT YOU DOING IT. SERIOUSLY NOT. THEY MAKE IT VERY HARD FOR THE NON TECH PERSON TO DELETE A GOOGLE ACCOUNT.
FOR MAIL, I RECOMMEND PROTONMAIL. SECURE. NO SPYWARE (GOOGLE ADMITTED THAT YES, THEY SHARE FOLKS’ EMAILS, AND I DON’T KNOW WHAT BOTHERS ME MOST..THAT THEY DO IT AND ADMIT IT, OR THAT NAEBODY GIVES A SHIT!) AND THEIR VPN IS EXCELLENT, BETTER THAN MOST.
EVEN NOW, AT THE AGE I AM, WITH ALL THAT’S WRONG WITH ME HEALTHWISE, I’D GO OFF GRID IN A HEARTBEAT AND *KNOW* I COULD MANAGE JUST FINE.
WHAT STOPS ME? HUBS AND DAUGHTER. THEY’D HATE IT.
BUT THAT’S ALL THAT STOPS ME. AND THERE STILL MIGHT COME THE DAY I PULL THE PLUG ON IT.
MEANWHILE, I KNOW IT’S BECOME SO MUCH OF A HABIT OF TODAY’S GENERATION THAT THEY ARE LOST WITHOUT THEIR DEVICES, THEIR TECH, THAT THEY’LL TAKE THE SPYWARE, THE ADVERTISING CAMPAIGNS, AND BTW, THE OTHER BLOG I WROTE ABOUT SCOTLAND’S NEW HATE CRIME LAW? THE ONE WHERE THEY MONITOR YOU *IN YOUR FUCKING HOME*!? ASK HOW THEY’LL DO THAT, WITHOUT TECH....
IS IT WORTH IT, JUST TO GET ALEXA TO TURN YOUR DAMN LIGHTS ON WHEN YOU COULD GET UP OFF YOUR ARSE AND FLICK A SWITCH?
MEANWHILE, I AM *THIS* CLOSE TO DOING THIS TO OUR SMARTPHONE...
Text
Stay safe out there - privacy, datastuffing, and changing your (ad) identity
I’ve seen several posts on my timeline today that tell users to uninstall Chrome. That’s a start...but it’s only a start.
If you use ANY browser but you stay logged in to any g00gle service (like YouTube), g00gle will be able to track your activity. So log into those services only occasionally, on ANY browser. (Best: open a private browsing tab, check Gmail, log out.)
You can also install Privacy Badger (https://privacybadger.org/) and Privacy Possum (https://github.com/cowlicks/privacypossum) on just about any of the major browsers. Privacy Badger is by EFF (https://www.eff.org/), and it blocks a lot of really intrusive cookies and tracking requests. Privacy Possum is a fork of Privacy Badger, and it sends junk data - essentially, it does what the Kpop stans did with Trump’s Tulsa rally. I use both of these plugins at the same time, and I haven’t had any websites break on me.
If you think you’d like to use a different free mail service, give ProtonMail a try. They have a totally free option that gives you the email address of your choice PLUS a good amount of storage, or paid plans. Their least-expensive paid plan is $48 per year, gets you 15G of storage, and lets you download and install ProtonVPN. ProtonMail and its attendant services are hosted in Switzerland, which means that your data on their servers cannot be accessed by any of the Five Eyes (https://en.wikipedia.org/wiki/Five_Eyes) countries. Nor by any of the Nine Eyes nor 14 Eyes countries...because Switzerland is not part of any of those treaties.
Another way you can mess up advertiser tracking is to regularly (2-4 times a year) change your advertiser ID (https://www.groovypost.com/howto/reset-your-ad-tracking-id-on-your-android-or-ios-device/).
Note
Have you ever heard about Mailfence? How does it compare to Protonmail?
I actually haven’t heard of it before!
I just checked it out, and this actually looks very enticing indeed... I’m surprised I hadn’t heard about it until now. Turns out this is actually quite comparable to Protonmail.
Although it seems like a good counterpart to proton, I’ve noticed a few things while browsing through its website, which make me hesitant to recommend it over protonmail.
Pros to Mailfence:
They offer their own suite of software alongside emails, including a calendar and docs. Proton has calendar software in open beta for paid users right now, but they don’t even have docs. All this is for free users of mailfence. (This seems to be the main thing that sets it apart from Protonmail, as far as I can tell)
They very directly state in their privacy policy that they will not cooperate with the NSA or other surveillance agencies
15% of their profits from paid accounts are donated to the EFF and European Digital Rights Foundation
Provides a public transparency report / warrant canary, despite being based in a country where gag orders are not law (protonmail does this as well)
Seems to offer similar end-to-end encryption / PGP email as protonmail
Offers app-based 2FA, as does protonmail
Has no ads, does not share user information with 3rd parties unless legally obligated to do so, as does protonmail
...Basically, most of the things protonmail does, they also do, other than providing additional software that Proton doesn’t have. So if you need private and secure docs, maybe they’re worth checking out.
However, along with these pros, I noticed quite a number of cons to using them.
Their mobile apps (both android and ios) are available to paid accounts only. Protonmail allows free users to use their mobile apps
Their software is proprietary, meaning third parties cannot freely view and audit the software to independently verify their claims of privacy + security
If your (free) account is inactive for 12 months, your account will be suspended, and 4 months after suspension your account will be completely deleted. This is the sort of thing Yahoo does with old accounts, which is honestly really frustrating. Protonmail keeps your account and its contents indefinitely.
Small complaint, but you must provide an external email address just to sign up for the service. Protonmail might ask for an external email or SMS verification under certain circumstances, but most of the time you should just need to solve a captcha.
That isn’t to say this makes their service terrible or anything; quite the contrary, I think it seems like a really great alternative to protonmail. But, you should do your research before you consider this type of thing, if you’re really planning on switching to a new email provider.
For me, personally, I’d say Protonmail is really the way to go. It’s the easiest for people to jump into using, coming from the bigger and more mainstream email providers. Plus, the developers are wholly focused on digital rights and privacy + security.
Another alternative that I’ve personally tried out is Tutanota. They offer a lot of stuff that these two services provide as well, although I believe they’re a bit smaller of a company and don’t have quite as ambitious goals as these two.
Anyway, I hope this helped!
Text
How to order a web-hosting account, VPS or a dedicated server anonymously?
As a person working for a privacy-conscious web-hosting company, I receive lots of questions on how to buy a truly anonymous web-hosting, VPS or a dedicated server. Below I'll try to sum up the most important points to consider in the anonymous ordering process. Before we start I'd like to warn you that nothing is 100% anonymous and untraceable so if you're planning something criminal like selling drugs, doing child porn or similar stuff my advice is: don't do it - most probably you will be located and prosecuted.
First, you need to know that you should avoid US- and UK-based hosts, because of the national surveillance programs these countries are running. It's also not recommended to keep your data in one of the countries of the so-called "fourteen eyes", an intelligence collection and sharing group. The "Fourteen eyes" organization consists of the USA, UK, Canada, Australia, New Zealand, France, Denmark, Norway, the Netherlands, Belgium, Germany, Italy, Spain and Sweden. This group of countries has signed agreements to spy on and monitor each other's citizens and there's a very high probability that your data can be leaked and connection wiretapped by the government agencies without your consent.
Next step, you'd like to make sure that the provider you have chosen is well-established and reputable and will not disappear with your data. In any case, you should keep your offline backups at all times. You'd want to check when the company was established (also the domain age to make sure the company has been around for a while). You could also read some reviews online. However, you should take online reviews with a grain of salt as many companies offer paid reviews nowadays. Some negative publicity ordered by the competition is also not something completely unheard of.
Undoubtedly, the most important step is preparation for ordering, which includes registering a disposable or anonymous email address, getting a good VPN provider, which keeps no logs, perhaps also an RDP to use as a proxy to make an order. This step is really important as leaving your real IP at some point or having it recorded may lead to full exposure. For secure email you could use Tutanota or Protonmail. Make sure you sign up with a VPN provider with a no-logs-recorded policy and pay with crypto. For pre-sales inquiries you can use a secure messenger like Telegram or Signal with self-destructing chats. As an extra layer of security you can use a disposable RDP server.
Next, the registration process. It goes without saying that the website has to be secure (https protocol) and there has to be some billing system installed. A provider using nulled scripts is a no-no as nulled scripts may contain backdoors and also lead to your info leaking and eventually being published online or used to blackmail you. Anonymous registration can be of several different types: email registration, where you only need a valid email address to register, or a full one, containing your name, address etc. but with a disclaimer that your info is not being checked. So, despite leaving obviously fake info, like John Doe for example, you still will get registered.
Moving on to the payment methods. A good sign is that the provider accepts Bitcoin or some other cryptocurrency as a payment method. Some really paranoid people would want to pay with Monero, Zcash or some other privacy coin. Other anonymous payment methods are quite rare nowadays. I can think of prepaid cards (Paysafecard etc.), good old cash or Western Union with a fake sender's name. The latter two however are unsafe as cash may disappear at the post office and a WU transfer may get stuck if the provider fails to receive it on time, for example. You won't be able to reclaim it as the sender's name is fake.
These are only some of the aspects of ordering a server anonymously. If you need any advice or assistance please don't hesitate to contact me. Also feel free to contact me if you'd like to share some ideas on how to stay anonymous.
Link
Scott Alexander argued for Kolmogorov complicity - in short, to quietly shut up and let the crazies take over while you go off and do your work in areas the crazies aren't attacking. This is one of the last few interesting articles he wrote about politics and the "culture war" before banning the subject from his site and subreddit for fear of his career after being repeatedly doxxed and threatened by SJW activists.
Unfortunately, as we've seen, there is nothing the crazies won't attack and attempt to take over. Universities, Silicon Valley, Hollywood, comic books, video games, science fiction, you name it. Kolmogorov complicity is not an option. And frankly, Kolmogorov wasn't some honorable man who simply nodded along with the Communists while turning away to do his real work in mathematics - he cooperated with the Soviets in driving their political opponents out of mathematics. That's not defensible.
…
So, you're tired of tech companies censoring the Internet and SJWs ruining everything? Don't just roll over and let them win, but fight back - but fight back smartly, without putting yourself at risk. Instead of becoming complicit, become a spy. That's the core of my thesis.
…
Most of this is informed by my background in the tech industry, but some of it may be applicable to other industries, in particular individuals in large public companies and public universities. In addition, any of this which talks about legal remedies is going to be primarily centered on the United States, though you may have similar legal remedies elsewhere in the world. Please note that I am not a lawyer, and if you are in a position where you need a lawyer, you should talk to a real lawyer instead of taking advice from the Internet.
Just one thing first and foremost - if you can avoid it, never sign an arbitration agreement.
…
From now on, you're not fighting them in the open. Forget the "marketplace of ideas" - you're a spy. Except instead of being paid off by a country or an industrial competitor, you're in it to fight a war for freedom of speech within Western society. It's tragic that it's come to this, but that's the state of affairs that we find ourselves in.
So, how do you go about this? There are two things to keep track of: illegal actions, and political activity; and two classes of action: company policy, and people advocating for these things. Any way you slice it, you've got to collect the information, exfiltrate it safely, and sit on it until it's time to expose them. Anything that's embarrassing for the company, anything that's illegal, any individual that's getting away with stuff that you wouldn't be able to? Save it for posterity.
…
You must save this stuff on a medium that is not under corporate control. Not only do you not want to lose access to the data when you inevitably leave the company, you need to have control over the stuff you're planning on leaking in a way that they can't track. Don't sit there and email screenshots from your work email to your personal email. That's stupid. Don't save it to your work computer and then try to plug in a USB stick and transfer it off, either. That's trivial for corporate IT to detect these days. Most of the megacorps have very locked down computers and will flag that kind of thing immediately. Don't think "oh well I'll just turn the wifi off and do it" either, they'll send the alert as soon as you connect again.
The safest thing I've come up with is to have a camera (or cameraphone) that is in no way associated with work (don't use the phone that has your company's security app on it!), and take pictures of the screen of your laptop. Most of these companies let employees take laptops home. If you put your laptop on a table, prop your elbow up on a table, and get a good focus angle, it's possible to take pretty good pictures of the screen. Or get a tripod. Oh, and don't store these pictures on a cloud that's controlled by the company you work for. That one's kind of obvious, but if you work for Facebook and put all the pictures on Instagram... well, one day you just might find that you can't log into your account anymore and oh also you've got a meeting with HR on your calendar that day that you didn't know about. Funny thing, that... Don't be stupid. Like I said at the beginning, you're a spy. Keep the spy mindset.
Timing's key, too. Don't dump the data the day you post a 40,000 word manifesto on the company email server and quit. Revenge is a dish best served cold, and your goal is to be anonymous. SJWs want to virtue signal and get credit for being the wokest person on the planet; your goal is to expose them without anyone knowing you did it.
…
If you are trying to bring legal action against the company, the first thing to remember is that you must have "standing". This means you have to be able to demonstrate to a court that you were directly harmed by a particular action. It's going to be very hard for you to do this even if the company is actively discriminating against your ethnic or racial group. (For example, if they're discriminating against white men, and you're a white man who got hired, you weren't "discriminated against" in the hiring process - going to be hard for you to win that case, obviously; and it's close to impossible for you to ever win a case that you didn't get a promotion you deserved because they can always just say "well we promoted someone else who was qualified".) As you can see from the Damore lawsuit, this is time-consuming, requires a ton of money for lawyers, and you may end up in front of some SJW judge or someone who's paid off by the company you're suing.
…
Alternatively, you can go after them in the media. As we know, most of the mainstream media is covering for these bastards, so you're forced to turn to the partisans like Breitbart Tech or maybe the weirdos with principles like Glenn Greenwald. If it's your first time talking to the reporters, you'll probably want to go in anonymously - make a new protonmail account, use Telegram, that kind of thing. They may require you to show proof that you really do work for the company before you can convince them; at that point you're just going to have to decide whether or not you trust them.
If you really can't get ahold of anyone in the media, consider just dumping it on the internet. Of course reddit bans doxing, but there are websites that don't. Just make sure you're doing it from an IP that can't be tracked back to you - if you're going to dump it all on the internet, do it from free wifi somewhere, use a VPN, etc. Don't do it from your home internet from the same IP address you log in from. You don't want that information getting back to you.
And it goes without saying - keep your fucking mouth shut. Don't start going "oh man did you see those leaks on the internet yesterday" and getting into arguments about it. If it explodes and goes viral there will inevitably be water cooler talk about it; stick to the safe stuff: "Never say anything you wouldn't want on the New York Times front page", "If they catch the guy he's going to be fired so fast it'll make his head spin", that kind of thing.
…
So, you run your own business and want to safeguard it against SJW takeover?
You want to do all the same checking up on your potential employees that you would in the above case, but it actually gets harder for you here, because you are going to be required to maintain some sort of reasonable race/gender balance, particularly if your company grows. If you're consistently turning away SJWs more than likely a number of them will be women, and they'll try to hit you for not hiring "enough" women. Especially if you're in a field which is predominantly male, this kind of lawsuit can be extremely difficult to fight off. The best defense may be to flip the numbers around - interview and turn down a large number of men specifically so that you can claim that you're hiring a higher percentage of women who interview than you do men who interview.
…
You might see groups pop up at larger companies that are semi-political or appear that they offer some opposition to the SJW hivemind. It's tempting to link up with like-minded individuals, but it's best not to be active in those groups. If you're vocal in those groups, it effectively paints a target on your back. Keep your mouth shut and blend in. Stick to work at work, leave your politics at home, and fight the battle in secret.
2 notes
Text
No despairing on my posts, only radicalizing.
If you want to take action here are some things that you can do TODAY that will make you less vulnerable to these sorts of harms:
Create an account on Cryptpad.Fr - Cryptpad is an open-source, zero knowledge collaboration tool that is an excellent browser-based replacement for Gsuite. It doesn't have app support, but it is a really fantastic tool to work on shared documents in a secure way. You don't even have to have an account to access and work on a document. Free accounts come with 1GB of personal storage; this is actually a LOT of storage if you're keeping in good practice of storing your important files locally rather than online. It's also a great free, non-google, non-microsoft office suite that is more portable than Libre Office. If you do have the funds to support them as well as creating an account, please consider it.
Create a ProtonMail account. Protonmail is an end-to-end encrypted email service based in Switzerland that allows you to create free accounts with a limited amount of storage. Please note: while ProtonMail has zero-knowledge storage, they can be compelled to produce the user information that they have access to, including login and IP address data. If you need to make sure that no one knows you're logging in to protonmail you need to log in through an anonymizer like TOR.
Learn how to use TOR - which is very easy; it's pretty much like just using any other browser. Download it, install it, poke around a bit, and do some light-weight browsing. People think it's scary because it's something that hackers use and that governments yell about; it's not. It's also not ideal for day-to-day use, but it's good to already have it running when you need it instead of scrambling to use it in a panic if the EARN IT act passes.
Start using a password manager. If there is nothing else from this list that you do today, this is the one thing you should do. The other stuff can wait until later, but if the internet may soon be less secure as a result of EARN IT, the very least that you can do is secure your logins. Bitwarden is a free, portable, exceptionally functional Open Source password manager that has wonderful resources on its website that teach people at all skill levels how to effectively use the product. Please, Please, Please, PLEASE as the random ass hacker-type person in your life I am *BEGGING* you to use a password manager. And Bitwarden is free, but if you get the paid version for $10 a year you can get encrypted file storage and sending tools as a part of the package. Learning how to create and send encrypted files can be confusing and frightening for people who haven't done it before. It is VERY easy with Bitwarden and they have a lot of accessible info teaching you how to use that tool.
The time has come for us to all become badass security nerds, friends. These are the first little steps and the nice thing is that they are very easy steps that will take you a long way toward being more secure online.
For real your cellphone and your computer should 100% NOT be backing up your photo storage or anything else to any variety of icloud or onedrive.
I'm aware that in some ways I'm a weird luddite but this is one of the major, major problems that I have with so much of the modern technology landscape existing as tools that allow you to access your data rather than tools which allow you to store your data.
Look at the data that you have. Look at what you are storing. Ask yourself "if the internet stopped working tomorrow, would I be able to access this information?"
If the answer is "no" you have 2 problems:
1 - You don't actually have that information and can easily lose access to it.
2 - You may not know who DOES have access to that information. If it's encrypted storage you're probably somewhat secure, but IS it encrypted storage? Or is it stored in plaintext on someone else's server?
So my deal with the EARN IT Act is that I don't super duper trust any of our government systems to do fuck all. I think it's worthwhile to contact your representatives, but I don't know that it will actually DO anything.
However YOU can do something.
If you don't want your data accessible to companies that will scan it and test it and pass it on to the government, don't give those companies your data.
Store things locally. Learn how to send and share encrypted files. If you have to store things online, store them with encryption that *you* have set up.
Honestly I'm pretty sure this is going to be bad. I'm pretty sure there are going to be significant security compromises as a result of the EARN IT Act and that we're going to get so buried in breached data that it's going to fundamentally alter how we have to identify ourselves in ways that will be more difficult to use while making people easier to track.
It's shit, and I hate it, and the internet is getting smaller and more fenced in and the big fun platforms that were easy to use and that let people of all technical skill levels share and collaborate that we had a couple decades to explore are now things that will just be a means of exploitation.
It fuckin' blows, friends.
But it also means that NOW is the time to fundamentally re-think how you interact with the internet. Ask yourself how you send data, and where you keep it. Ask yourself who has your information and how it is secured. Ask yourself what would happen if someone who hated you had access to your primary email account for a day, and ask yourself how you would try to fix what they fucked up.
EARN IT sucks, but this is NOT one of those instances in which you are helpless if it passes. Right now, before it passes, talk to the non-internet people in your life about why it is bad:
- It will mean that the government can see all your stored files
- It will mean the websites you store files on will not be allowed to encrypt those files
- It will mean that any asshole hacker who can access those systems can access all that data that will now be unencrypted.
This shitty act will make EVERYONE who uses the websites that are subject to the EARN IT act more vulnerable to data breaches, ID theft, and exploitation from hackers while ALSO enabling effortless surveillance by our own government.
This is bad, so tell your relatives and friends and co-workers to tell their representatives WHY it is bad by using this site: https://act.eff.org/action/stop-the-earn-it-act-to-save-our-privacy
The site is very easy to use and literally you do not even have to navigate to a separate page to contact your representatives.
And in case that doesn't work, in case it passes anyway, ask yourself what you're doing. Ask yourself who has your data. Ask yourself who can see what you've stored online, and learn what you need to do to make sure the answer is "*I* own my data, and I control who has access to it."
22K notes
Text
Some tips on ultra-privacy
You'll have to decide how much privacy to strive for. Lots of sugar babies gladly give out their regular phone numbers. That's not a good idea. If you really want to live like a secret agent, this post will tell you how.
First leave no information with the website
There are some good reasons to not want to leave any easily identifiable information on the sugar baby site (typically Seeking Arrangement). Examples of this would be your phone number, your real name, where you go to school, where you work or even what your Kik handle is. There are a few reasons why. First, you might get stuck with a stalker. You might get in trouble through a law enforcement sting. The site could get hacked and you could be outed or blackmailed.
Another reason is that the people at SA are really not your friend. You're probably going to screw up eventually and get thrown off the site and you'll likely want to come back. You can make a new profile but if you use the same email or password or put the same phone number or Kik handle in your messages, they have scanning algorithms to link you to the past account and will throw you off again. Or perhaps someone will complain about you and they'll link the accounts manually. So, the solution is to never put information that can be linked. This includes using the same photos.
Email accounts
Everyone knows they can get new email accounts at Google or Yahoo. I recommend another site called protonmail.com. This is a more secure, encrypted email that no one can read except you and your recipient. Not even the protonmail people can read them. They let you set up the email account without any other info like phone number or previous email account. They don't even ask your name.
If you're like me and you create new email addresses all the time (I have legit reasons for this), they will complain eventually that you are making lots of emails from the same IP Address and will ask you for a phone number. We'll explain how to deal with that in a bit.
Ways of communicating offsite
There are a few principal ways I communicate off the site. From least secure to most secure there is text, Google hangout, Kik and Dust. Texting is the most common but it is the least secure. If it's your regular number, they might be able to google it and find out who you are.
Kik is a free messaging app that runs on all phones. I recommend everyone have that. It's fairly common for people to have it. It's anonymous, encrypted peer-to-peer communication. It's pretty safe and performs better than text anyway. WhatsApp is kinda similar, though it required you to give them your phone number, so I don't like it. Kik only has a few annoyances.
If you really want to be secure, there is an app called Dust which goes one step further than Kik. This is real secret agent stuff. On Kik, you can delete your messages and they exist nowhere except on the other person's phone. But if you said anything incriminating, it is sitting there on some dude's phone forever. In principle that could be used against you as evidence. Now, we're not expecting you to be starting terrorist cells or anything but still. Wouldn't it be nice if when you deleted the message, it deleted it from both phones? That's what Dust does. It has a few other nice features. Messages automatically delete after a day. The company is a startup backed by Mark Cuban of Shark Tank fame but also of getting-arrested-for-insider-trading fame, hence the app.
I suggest using Dust for delicate situations where what you're saying is something you wish gone from the world after the person reads it. Or when you really don't trust the other person or fear they might get themselves in trouble with the law.
Google hangout is about as good as Kik and can be used by anyone who has a gmail account (and I think others as well) but not Kik. But just tell them to install Kik. Takes five minutes. Email is pretty clunky so I avoid that.
But how do we talk if neither of us shares our phone or Kik on the site?
I always ask for the other person's phone number or Kik. I never give mine on the site's message box. But what if both people followed this same practice? What if the other person refuses? There are some options that allow you to exchange information without it being left there on the website. Check out the website 1ty.me. You can make a message that self-destructs. It can only be read once. So if some snoopy person at the website clicks on your link later, it will not bring up the info if the other person already read it. If you just want to delete it, just go there yourself.
Where else? There are some anonymous online chat rooms. I don't have any to recommend but you can look around.
Want to hide your IP Address? You probably don't need to but there are a couple of ways. The best way is to buy a VPN service. It costs a little bit of money but I like having it. You can select anywhere in the world and it looks like your connection is coming from there. I like the service https://www.privateinternetaccess.com/ but there are other good ones as well (and plenty of bad ones). Don't confuse this with proxy services which are riskier.
Ever wonder how terrorists and criminals meet on shady underworld message boards without the authorities just tracing where they are coming from? And actually there are plenty of legit reasons to not want to be tracked (i.e. human rights activists). You can use Tor and the Tor browser. Essentially this is a service that scrambles the connections so that there is no tracing back. If you want to Google some sensitive shit, don't Google it at all. Use the Tor browser with the DuckDuckGo search engine. It's free to install. Please however use responsibly. Don't be a criminal. Many websites will block the Tor browser (it can sorta be detected but not traced). That's why I prefer the VPN service. Wherever I am in the world, it looks to everyone like I'm from Chicago (or wherever I pick).
Other phone numbers for texting
It's hard to avoid text. Most people just want to text and not install some app like Kik. So how do you text without using your actual phone number? There are a few ways. There are some paid services like Hushed where you can get another number. There is also Google voice which is free but I don't really like the app. I tried Hushed and liked it for a bit until I realized it was dropping messages. I was depressed because it seemed that no one was writing back ;(
Wouldn't it be great if you could just get a disposable number and throw it away when you're done? You can. There are apps and websites for that. One that I use is textnow.com. It works in the browser which is also great when you'd rather type with your hands and not your thumbs. Finally, this is very useful when sites want your phone number to set something up or verify your identity with a second factor (we'll send you a secret code etc). This is how you get around that annoyance.
Credit cards
This post is already long so I won't get into credit cards very deeply. It's hard to pay anonymously online and that's by design. The government wants to know who is buying what. You can however buy some pre-paid cards and they can be used for that. For example if you are paying on SA for either the premium services or boosts, the site will have your number. If you get thrown off (all of us do eventually it seems), you can't just come back with a different email but same credit card. But you can use a prepaid card. Unfortunately, you have to email them to set this up. I'm looking for a better way. Paypal doesn't always work or shield your name. Never use the same credit cards on different accounts.
Now you're a secret agent. Use your newfound freedom responsibly. And don't underestimate the power of the dark side!
17 notes
Text
Encrypted Mail and Websites which offer Encrypted E-Mail service
With the change in technology over time, the way messages are conveyed or sent has changed. At present, everyone wants better security and privacy for their messages. Communication in secret language or codes is known as cryptography. Encrypted mail is a type of mail written in a secret language. Encrypted mail is used to protect emails from password breaches and the NSA. We can understand it with an encoder-decoder. An encoder-decoder is mainly used in communication (electronics communication). Suppose there is a sender who writes the message (or e-mail); the original message is then encoded, meaning that it is coded in a secret language (a set of codes). After encoding, the message is forwarded to the receiver, and when it reaches the receiver, the message is decoded with the same language and the original message can be recovered. And if anyone or anything (other than the sender and receiver) tries to read or decode these types of email, then the encrypted mail will self-destruct. I know the above technical lines are hard to understand, but as a B.Tech (EC) student, I tried my best to make everything simpler.
So today in this post, we'll walk you through encrypted mail and how to encrypt your email using your own smartphone or other devices. So first you want to know what email encryption is, or what encrypted mail is. The above paragraph is enough to understand, but I found a very good definition of encrypted mail on the net: "Encrypted Mail is encryption of email messages to protect the content from being read by other entities than the intended recipients. Email encryption may also include authentication." Most emails are not encrypted. By means of some available tools, persons other than the designated recipients can read the email contents.
Email encryption has been used by journalists and regular users to protect privacy. Email encryption can rely on public-key cryptography, in which users can each publish a public key that others can use to encrypt messages to them, while keeping secret a private key they can use to decrypt such messages or to digitally encrypt and sign messages they send. If you're looking for a little personal privacy in your communications with friends and loved ones, or you just want to trust that the documents you email to your accountant or client aren't being intercepted and read, you'll need to encrypt those messages. Thankfully, there are some full-featured email clients (like Apple Mail, Microsoft Outlook or Mozilla Thunderbird) which provide native support for S/MIME secure email (digital signing and message encryption using certificates). Other encryption options include PGP and GNU Privacy Guard (GnuPG). Free and commercial software and add-ons are available as well, such as Gpg4win or PGP Desktop Email, that support the OpenPGP type of encryption. In the above paragraph we said that some email clients are available which support secure mail, but there are also some more clients available which support encryption of email.
ProtonMail
ProtonMail is a free and web-based encrypted email service founded in 2013 at the CERN research facility by Jason Stockman, Andy Yen and Wei Sun. ProtonMail is designed as a zero-knowledge system, using client-side encryption to protect emails and user data before they are sent to ProtonMail servers, in contrast to other common webmail services such as Gmail and Hotmail. ProtonMail is run by Proton Technologies AG, a company based in the Canton of Geneva, and its servers are located at two locations in Switzerland, outside of US and EU jurisdiction. ProtonMail is the only service that the NSA can't access.
An email sent from one ProtonMail account to another is automatically encrypted with the public key of the recipient. Once encrypted, only the private key of the recipient can decrypt the email. When the recipient logs in, their mailbox password decrypts their private key and unlocks their inbox. Emails sent from ProtonMail to non-ProtonMail email addresses may be sent with or without encryption. With encryption, the email is encrypted with AES under a user-supplied password and then stored on ProtonMail's servers. The recipient receives a link to the ProtonMail website on which they can enter the password and read the decrypted email. ProtonMail assumes that the sender and the recipient have exchanged this password through a back channel. It also supports the Android and iOS operating systems and has a web version as the interface.
Tutanota
Tutanota is an open-source end-to-end encrypted email software and freemium hosted secure email service based on this software, developed and provided by a German company, Tutao GmbH. Tutanota was founded at the end of 2011 with the idea of making secure email easier than extant options like PGP. It’s similar to the likes of encrypted email products ProtonMail, StartMail and Hushmail but says it’s putting more emphasis on usability, with a clean interface, features such as attachment encryption and support for different devices.
With Tutanota, encryption is done locally, on the client device, secured with a user’s own password (so that also needs to be strong, and their own devices need to be defended from malware to ensure email security), before being uploaded and sent to the recipient via Tutanota’s servers, and then decrypted on the recipient’s device. Tutanota has no password reset option, so it says there is no way for it, as the email service provider, to be able to decrypt the data it’s sending. Which means it can’t be strong-armed by governments to hand over data. Nor is it data-mining your emails to sell intel to advertisers. It’s doing encrypted email in the web browser and also offering iOS and Android apps. It also takes donations to provide premium services.
Countermail
CounterMail is a secure and easy to use online email service, designed to provide maximum security and privacy without any unnecessary complexity. You can access your email account at any time, from anywhere in the world. Your account will always be encrypted and anonymous. CounterMail's encryption works automatically and transparently; it requires no specialized computer skills or knowledge. If you are comfortable using services like Hotmail or Gmail, you will be comfortable using CounterMail's secure email! They are using a strong encryption protocol called OpenPGP, with 4096 bits encryption keys to protect your data. To the best of publicly available information, there is no known method which will allow a person or group to break OpenPGP's encryption by cryptographic or computational means. You can use its services on Linux, Mac OS, and Windows OSs. You can try it for free for one week but after that, you have to pay $6.33/month.
Unique features:
- Diskless web servers
- USB Key option
- MITM protection
- True end-to-end security
- Anonymous email headers
- Easy installation with a certified Java applet
- Portable and secure email from any browser
- Secure forms
- Android phone compatibility
- Dynamic aliases
- IMAP server, if you want to use your own email client
- Windows, MacOS X, and Linux support
- Use your own domain name
Posteo
Posteo is not free and you have to pay 1 euro per month for its services. Posteo is a company founded in 2009, a company in the legal form of a registered businessman, with headquarters in Berlin. The company provides encrypted e-mail services, contact management and a calendar, ad-free and for a fee. The website of Posteo is available in German and English. The Web Interface offers a free voice dialing for more than 70 languages to operate the mailbox. With Posteo, both registration and payment are possible anonymously.
The data transfers between customers and Posteo are consistently TLS-encrypted. Since August 2013, Posteo has supported the encryption feature Perfect Forward Secrecy, which is also supported by e-mail providers like Google, Yahoo, GMX, Web.de, and T-Online. In this case, a new random key is generated for each connection, with which the connection is encrypted. This is to prevent a subsequent decryption of tapped data. Encryption is performed using an extended certificate of the company Red Hat. Since 12 May 2014, Posteo has supported the technology DANE/TLSA (DNS-based Authentication of Named Entities) and thus rules out various vulnerabilities of the commonly used SSL/TLS transport encryption; since browsers do not support DANE by default, the user must first install a browser add-on. Also, the hard drives of the servers located in Germany are AES-encrypted. Since 12 November 2014, two-factor authentication has been possible when using the browser, as is also offered by Outlook.com, Gmail and Yahoo Mail. Since October 2015, Posteo has used HTTP Public Key Pinning to secure the HTTPS connection of the web interface for users.
Hushmail
Hushmail is a web-based email service offering PGP-encrypted e-mail, file storage, and vanity domain service. Hushmail offers "free" and "paid" versions of service. Hushmail uses OpenPGP standards and the source is available for download. If public encryption keys are available to both recipient and sender (either both are Hushmail users or have uploaded PGP keys to the Hush keyserver), Hushmail can convey authenticated, encrypted messages in both directions. For recipients for whom no public key is available, Hushmail will allow a message to be encrypted by a password (with a password hint) and stored for pickup by the recipient, or the message can be sent in clear text.
As of December 22, 2015, Hushmail has a score of 1 out of 7 points on the Electronic Frontier Foundation's secure messaging scorecard. Hushmail has received a point for encryption during transit. It is missing points because communications are not encrypted with keys the provider doesn't have access to (i.e. the communications are not end-to-end encrypted), users can't verify contacts' identities, past messages are not secure if the encryption keys are stolen (i.e. the service does not provide forward secrecy), the code is not open to independent review (i.e. the code is not open-source), the security design is not properly documented, and there has not been a recent independent security audit. AIM, BlackBerry Messenger, Ebuddy XMS, Kik Messenger, Skype, Viber, and Yahoo Messenger also have a score of 1 out of 7 points.
Startmail
StartMail is built by the people behind StartPage and Ixquick, the world’s most private search engines. People now use StartPage and Ixquick to find information millions of times per day, without being tracked or profiled. Then after some time they turned to their next challenge: email privacy. Everyone uses email, but sending regular email is like sending a postcard—it makes snooping very easy! Advanced encryption technology already exists to stop hacking and mass surveillance. Making this technology user‐friendly was their challenge. And that’s why they introduced StartMail from scratch: a total solution for protecting your email privacy that includes features like extra-secure data storage, disposable email addresses, and an ownership that will resist unwarranted intrusion. It has easy‐to‐use ‘one‐click’ encryption, and a very clear privacy policy.
So in this post, we have discussed encrypted mail and some popular websites which offer encrypted emails. If you find any other website which has an encrypted e-mail service, then share it through our comment section.
1 note