I believe that is the case, if you inspected the HTTP headers and found it to show Linux instead of Windows. My last experience with that would have been years ago. Arch does like to compile things from source instead of using binary blobs, and compilers and configs can undo a lot of the work the torproject has done to combat fingerprinting, which is why it’s recommended to run the pre-built binary and install no plugins. However it’s important to note that it ALSO gives you a unique JavaScript fingerprint every time, when tools use as much information as possible to generate a fingerprint, because it generates new information on every reload. That’s why OPSEC is important and Tor can’t help you if you use it wrong. If you login to 2 different unlinked sites in the same session, and you don’t want them to be linked, too bad, now they’re linked via JS fingerprinting. JavaScript is more or less a programming language within the browser, and you’ll never escape JavaScript fingerprinting. Which is why it’s important to learn how to use Tor properly, and leave JS disabled as much as you can.
One thing you can do with your Arch build is use the fingerprinting tool to see how unique you are, then get a new identity, then go back and do it again. Does it now say you’re one of 2 people who have used the tool, or does it show you’re (again) unique? If the latter, then it’s working (at least enough) properly.
Tor browser from the arch repos is not stock torbrowser. Add repos for torproject/guardian project/whatever it’s called now, or use the torproject.org installer.
It’s much better to go through the list of data brokers manually and submit your information twice a year, if you have the time. Like doing taxes, but for privacy.
There’s a whole lot of caselaw surrounding this, and they will get someone to destroy the pipes to find out when they were flushed (their word goes, good luck finding someone impartial to say that wasn’t what happened). I wish court cases were built on 1’s and 0’s like computer code but that’s just not the way the world works.
They don’t. They actively work with them to bypass all legal anti-mass-surveillance frameworks in place.
If you think you’re safe from the global internet surveillance dragnet just because you don’t live in the US, then boy do I have some news for you.
Once this bill passes, there is absolutely nothing stopping the NSA from doing an IP lookup on this comment/my account, and putting me into a “potential domestic terrorist - watch closer” list. A list that will eventually be used later, for some reason or another, so let’s just hope we never get an authoritarian in the White House with stacked courts! That could never happen here, could it?
P.S. If you live in the US, just part of your connection going to another country (be it a CDN or server hosted in Canada, or US server gets overwhelmed and switches to Canada) - full content logs for you.
Cointelegraph is (was at least?) a reputable source for national security news. It’s mainly for OSINT and national security interested folks who know better than to do the majority of their research on a smartphone, so it may not be great on mobile, I don’t know.
Snowden chose Russia because the other option was life as a political prisoner without a chance at a fair trial. Egotist, sure, but at least we know what we know now. Can you imagine how fucked we’d be if he never leaked them?
And regardless of the source, (site or person quoted), what he’s saying is absolutely true. The NSA is about to be able to gather ALL mass communications and look at them whenever, without a warrant which was the only safeguard before.
I’m legitimately about to throw my tech into a fucking dumpster and get a dumbphone and a smartphone with all hardware removed besides what’s required by Briar.
Most will read this and think I’m being overly paranoid. When I talked about the FVEY (now 14EYES) surveillance dragnet before the Snowden leaks, everyone thought the same.
Since some people are having issues with the site, here it is from the ACLU:
WASHINGTON — The House of Representatives passed a bill today that will reauthorize Section 702 of the Foreign Intelligence Surveillance Act for two years, expand the federal government’s power to secretly spy on Americans without a warrant, and create a new form of “extreme vetting” of people traveling to the United States.
When the government wants to obtain Americans’ private information, the Fourth Amendment requires it to go to court and obtain a warrant. The government has claimed that the purpose of Section 702 is to allow the government to warrantlessly surveil non-U.S. citizens abroad for foreign intelligence purposes, even as Americans’ communications are routinely swept up. In recent years, the law has morphed into a domestic surveillance tool, with FBI agents using Section 702 databases to conduct millions of invasive searches for Americans’ communications — including those of protesters, racial justice activists, 19,000 donors to a congressional campaign, journalists, and even members of Congress — without a warrant.
“Despite what some members would like the public to believe, Section 702 has been abused under presidents from both political parties and it has been used to unlawfully surveil the communications of Americans across the political spectrum,” said Kia Hamadanchy, senior policy counsel at the American Civil Liberties Union. “By expanding the government’s surveillance powers without adding a warrant requirement that would protect Americans, the House has voted to allow the intelligence agencies to violate the civil rights and liberties of Americans for years to come. The Senate must add a warrant requirement and rein in this out-of-control government spying.”
In the last year alone, the FBI conducted over 200,000 warrantless “backdoor” searches of Americans’ communications. The standard for conducting these backdoor searches is so low that, without any clear connection to national security or foreign intelligence, an FBI agent can type in an American’s name, email address, or phone number, and pull up whatever communications the FBI’s Section 702 surveillance has collected over the past five years.
The House passed all the amendments to expand this invasive surveillance that were pushed by leaders of the House Permanent Select Committee on Intelligence (HPSCI), the committee closest to the intelligence agencies asking for this power. The bipartisan amendment that would have required the government to obtain a warrant before searching Section 702 data for Americans’ communications failed 212-212.
I see. Textual communication has a pesky habit of not conveying tone unless you intentionally craft it to. It bugs me that there are so many people who negatively judge someone for decades-old attitudes and worldviews, when positive change should be commended.
Not you, since your comment was in jest, but I question the motives of those who think that way unironically.
It’s not even a matter of gaining control of nodes, they can simply blackhole your access to good nodes so you end up with nodes controlled by them. Easy but loud, although it seems to be what’s going on in a number of cases, and not many people are talking about it. Tor used to alert you to this, but now it’s quietly tucked away into a log file. There are other vulnerabilities present in tor and the tor project devs don’t seem particularly interested in them, with the DoS attacks requiring the community itself to step in with hacky solutions. I’m of the mind (never would have found myself saying this) that the tor project at large is compromised.
Monero is currently being hit by a (likely) black marble attack which is why it’s so slow. They’re basically flooding transactions (1/3 to 2/3 of all transactions able to be processed at any given time) so that the anonymity that makes monero work is severely degraded. Whether it breaks past transactions remains to be seen, but it absolutely weakens the anonymity of transactions done during (possibly shortly before and after) the attacks.
What I’m talking about wrt Tor is traffic shaping or node DoS leading to a Sybil attack. When the (state) actor has the ability to drop all packets from you to NON attacker-controlled guard nodes, and then once you’re connected to a dirty guard, drop all connections to non-controlled relay and exit nodes, it’s done. There’s also an ongoing DoS attack that is able to make any guard/entry/relay/exit use 100% CPU making them unusable, and it’s been going on for months now. You can see it on the Tor forums (relay-operators) and someone posted about it in more detail on the monero subreddit the other day.
If everyone gets busted all at once (2022-2024 market takedowns is as close to that as it could come IMO) then everyone immediately stops using tor and starts using i2p or freenet or whatever system they may not have broken yet. That’s baaahd for business, said the wolf in sheep’s clothing.
Although they did run a cp site for months before shutting it down, so they’re clearly not opposed to the long-game, especially if it involves national security (it does.)
Find a good girl that doesn’t mind. Mine doesn’t care at all, she has her interests and I have mine. I’ll sit there and listen to her 5 minute lectures on makeup and perfumes, and every once in a while I’ll tell her about a vulnerability or something cool I found, and I know she’s paying as much attention as I do about makeup, but at least I can understand the basics of makeup without years of experimentation and learning.
True, it makes it harder to stay secure when people around you don’t care or don’t know how, but it’s still possible. Just have to set some solid boundaries sometimes.
Friendly reminder that Bluetooth has a larger network stack than Wi-Fi. Much more code, much larger available attack base. There have been numerous Bluetooth vulnerabilities that allow remote code execution or theft of files.
This is truly becoming a surveillance state, in no way that can be debated. They want to be able to access everyone’s innermost thoughts (texts, notes, recordings, calendars, contacts, photos, you get it) without any chance of someone being able to protect against it.
Reminder that Google was the 2nd or 3rd company to commit to NSA’s PRISM program of feeding Americans’ data for future analysis.
No, you’re not being paranoid, it’s how it works. No browser isolates tabs like you’re talking about unless you use containers. Google owns the largest ad company on the internet, so any site that embeds their tracking scripts (most of the Western internet) will send the page you visited to Google, so they know what pages you’re going to, and highly likely use that information to inform the YouTube algorithm about you. Even if you have a tracker blocker installed, like uBlock Origin, if you use Google they still know which link you clicked and what you searched.
What guarantees do you have that Malus doesn’t copy your key to their cloud?
I remember when I used a Samsung Galaxy as my daily driver a couple years back. I enabled full disk encryption and thought okay great, now that’s done. I noticed a very small, brief popup on my screen that lasted a few seconds, and it was a notice that my key had been sent to Samsung servers. Apparently you have to disable that option that’s buried deep in the settings somewhere no one would think to look, and change your password again. If I hadn’t caught that brief notification at the bottom of the screen (not the normal location for notifications), I’d never have known.
The encryption password is also a max of 15 characters.
Thank you for doing the work. More of it needs to be done. I don’t know what your workflow is, but running Android-x86 and injecting into the VirtualBox networking process to strip the SSL should still work, unless the app uses certificate pinning. I wish I remembered the name of the program, but it’s specifically for injecting into a running exe and hooking all network calls to pull ALL network data from that specific app. It’s not Fiddler or Wireshark or any of those. Fiddler and Wireshark will work fine if you add your self-signed cert to the Android CA list, as long as certificate pinning isn’t used in the app. You can point Wireshark to the VirtualBox network adapter so it doesn’t listen on your other adapters. Also, most apps in the App Store, Play Store, and F-Droid likely will not have much maliciousness. Play Store has the highest chance. But I think you’ll have better luck using all the major search engines and searching for “free VPN android” without any adblockers, using an Android phone (Google & co easily detect user-agent manipulation) running Chrome. Make note of all the paid ads, then get the first 10 pages of URLs, then comb those links (all the ad links & result links) and download any .apk that shows up. Keep an eye out for more ads on those pages as well. Use a fresh Android-x86 for each analyzed VPN apk.
There may be a better, easier way, but this was how I quickly analyzed the network data of android malware as of a few years ago.
Edit: other keywords to find shady VPNs are ads for things like “watch porn in Utah” and “express VPN”, “nord VPN”, etc. You’ll want to do the search within Android as Google and Bing will allow the malvertisers to target specific operating systems, along with locations and other variables.
Also, for checking into the servers that show up, and any interesting domains, you can use Shodan and similar tools, and there is a great site (name escapes me now, similar to domaintools and urlscan.io though) that shows what domains run on certain IP addresses and also the owners and creation dates, although Cloudflare and private whois entries make those less useful today. But that will potentially allow you to unmask ‘networks’ of shady free VPN providers.
That seems to be the case, probably a killswitch-type feature, ensuring the VPN is working. Additionally, addr[.]cx is a free GeoIP lookup service, and I assume bigbrolook (OP - Big Brother is a term for a surveillance state, the porn definition is only used for 5-10 years) is/was another one. You can confirm with the Wayback Machine.
Seems to be an amateur free VPN using free infrastructure. Most of the time the free VPNs that turn their users machines into a proxy or do other dirty things will be obfuscated and require at least a bit of reverse engineering, not just opening a debugger and peeking.
Not trying to cast shade here, but isn’t a master’s thesis after you know a subject incredibly well, and aren’t you supposed to look at things no one has looked at before? In case you’re not in tech and this is a master’s for another subject, this has been done.
You’ll want a provider with a ton of servers. For bypassing service level blocks, either a VPN like Express with thousands of servers or your own VPN is the way to go. There are Docker images for setting up a VPN on a $5 VPS.
It depends on your risk tolerance. Do you need to stay as anonymous as possible (with VPN as layer 1), or do you need to be able to watch shows in a different language? Mullvad and IVPN have a limited set of rented and owned servers that are set up for security and privacy. Express, Nord, and those less ethical VPNs don’t care about that, they just want as many cheap servers as they can possibly get.
Sure here’s the correction, and why I’d never trust them with anything sensitive.
They had a no-log policy, and all mail is PGP encrypted on their servers and proton to proton is encrypted in transit and at rest (it doesn’t travel), decrypted only client-side in the browser or with proton bridge, with your account password acting as the PGP key password.
They could have designed the system so they couldn’t be forced to add that backdoor, or at least automatically notified all users when an unauthorized change was detected, or they could have shut down, or they could have revoked their warrant canary, but instead they were caught when the court case came to light and they were caught with their pants down, and revoked their no-log policy. https://arstechnica.com/information-technology/2021/09/privacy-focused-protonmail-provided-a-users-ip-address-to-authorities/
This weekend, news broke that security/privacy-focused anonymous email service ProtonMail turned over a French climate activist’s IP address and browser fingerprint to Swiss authorities. This move seemingly ran counter to the well-known service’s policies, which as recently as last week stated that “by default, we do not keep any IP logs which can be linked to your anonymous email account.”
That’s why I asked if the proton VPN is token-based and completely disconnected from the proton email account, or if they’re the same login. If the latter, it’s trivial to request the IP address of email account xxx@proton.me
See the last points in the article: run by activists, and would rather shut down than cooperate with law enforcement.
I don’t know if proton is run by activists, but I do know they’ve cooperated with law enforcement by inserting code to log user requests when coming from a specific user. Plenty of articles about the court case, and it’s also why they did away with their no-log policy.
Also, are their logins token based or username based and connected to the protonmail account?
Designed in Germany/Falkenberg and fairly manufactured in our own factory in China
That sounds like a red flag from a security perspective. If you own the factory and everything in it, then why even have it in China? And who is being hired in this warehouse for this security/privacy phone in this Chinese factory?
IVPN servers are all well-known and catalogued. ExpressVPN partly buys hacked machines to use as proxies for their paid tier user VPNs, so they are much less likely to be blocked. They have a lot more… troubling history, that would make me never visit their download site.
Kape Technologies has announced plans to acquire ExpressVPN for $986 million. I do have concerns about this because Kape was once considered a malware provider.
Reuters is indicating that ExpressVPN CIO Daniel Gericke is among three men fined $1.6 million by the US Department of Justice for hacking and spying on US citizens on behalf of the government of the UAE (United Arab Emirates).
Kape Technologies has had quite a convoluted history. According to a report in Forbes, a company called Crossrider was formed in 2011 by “billionaire Teddy Sagi, a serial entrepreneur and ex-con who was jailed for insider trading in the 1990s. His biggest money maker to date is gambling software developer Playtech,” and Koby Menachemi.
Menachemi was a developer for Unit 8200, an Israeli signals intelligence unit responsible for hacking and collecting data (think of it as part CIA, part NSA, and part high school, because the unit hires and trains teenagers in hacking and coding skills).
The newly renamed Kape Technologies set out on an acquisition binge. The company started buying in 2017, acquiring CyberGhost VPN for about $9 million. Next, in 2018, came Mac antivirus company Intego for $16 million. A few months later, Kape gobbled up another VPN provider, ZenMate, for about $5 million. A year later, in 2019, Kape spent $95 million for Private Internet Access, one of the best known VPN providers at the time.
There’s more to the story as well, but you can be sure that all your data is either being proxied by a botnet, or being used to spy on you. ‘I have nothing to hide!’ you may say, but I’m sure you have an app or two that still uses insecure HTTP update checks, which can be intercepted to trigger a malware installation.
I still remember being a young kid (11-12) and running a program to scan my local ISP in my small town (back then small ISPs could easily get government grants and become a monopoly) for insecure SMB servers or something. I suddenly got a flood of results like:
/private/passwords.txt
/administrator/USD###-users.txt
All kinds of tasty things. Very excite. Then the results started pouring in by the thousands…
YOU-ARE-VIOLATING-CFAA
FBI-DOORBELL
FIRSTNAME-LASTNAME.EXE
PWN3D-LMAONOOB
Things like that. I immediately shut my computer down and that was probably the first time my dad saw me not eat for a day. Didn’t ask why I wasn’t sleeping much the week after that 😄
Also I Googled for the filenames and found nothing. So if you’re the 50-70 year old who wrote that script and happen to see this, I’d love to get a message with the ISP name. They are in a number of small-medium size towns around my hometown now.
Sucks that I have to preface but people can be jumpy here. This is genuine curiosity, I’m actually asking, because it’s really probably something I should already know. Can you explain the nuance to me please?
My understanding, speaking mostly of apps/websites, I know jobs can be much different:
Most places have the first factor as a password.
First factor (or “login”) = username+password pair.
For the longest time that was all there was; “your login” was just a login, which meant a username and password combination. Then 2FA/MFA (“2-factor authentication / multi-factor authentication”) came along in the form of a username+password combo plus SMS/email/Google Authenticator/Yubikey/etc to verify as the 2nd form of authentication. You can have 3FA, 4FA, 5FA, whatever, if you want and if it’s supported by the app/website. So 2FA is MFA, but MFA is not necessarily 2FA.
I know jobs can be set up a lot differently.