/cyb/ /sec/ general: cyberpunk and cybersecurity

GAME OVER Edition

/cyb/ /sec/ general is for discussion of anything and everything related to cyberpunk and cybersecurity.

>what is cyberpunk?
pastebin.com/raw/Jpci0dqD

>cyberpunk directory
pastebin.com/raw/HiTA1yXK

>nothing to hide? please.
youtu.be/pcSlowAhvUk

>cybersecurity essentials
pastebin.com/raw/0AjC2mcD

>cybersecurity resources
pastebin.com/raw/98vvNwcH

>thread archive
archive.rebeccablacktech.com/g/search/subject/cyb/

>thread backup
cyberpunked.org/

>previous thread
>irc://irc.rizon.net:6697
join #Sup Forumspunk and #Sup Forumssec

Other urls found in this thread:

cl.cam.ac.uk/~sps32/sec_news.html
silentcircle.com/buy/
scs.hosted.panopto.com/Panopto/Podcast/Podcast.ashx?courseid=b96d90ae-9871-4fae-91e2-b1627b43e25e&type=mp4
edx.org/course/how-code-simple-data-ubcx-htc1x
functionalcs.github.io/curriculum/
papl.cs.brown.edu/2016/
functionalcs.github.io/curriculum/#org2b55624
twitter.com/jcase
slashcrypto.org/2017/05/17/5k_Error_Page/
twitter.com/NSFWRedditGif

Anyone working on any cool projects? I've got an old oculus dk2 I want to do something with. The lag is bad though. Thought about adding camera and a heads up display. Basically a super fucking complicated android overlay. Anyway. Kinda cyberpunk.

Is it worth running a botnet?

People complain about Win10 phoning home

Is there no way that outgoing requests to Microsoft can be blocked automatically?

Meaning wangblows phones home as normal, but the request is blocked from actually going through

Possible?

tfw i still cant even find some browser that doesn't try to fucking spy you

Yes its possible.
Install windows firewall controller 4 freeware. set to medium security and secure rules Disable non WFC rules. it will stop all outgoing except what you chose.

even win10 apps is blockable like cortana and such bullshit.

check it out man

For what purpose?

I might have to stop using DDG, earlier it popped a message up offering to give me tips on privacy in exchange for my email address. It was amazing.

To make money.

I'll try it, cheers dude

Know of any full lists of botnet requests that it makes? Think the Sup Forums wiki used to have one but it's down

How?

With fraud

Meme post here and I apologize, but someone stole my personal and work phones in early April. I've gotten several two-factor authentication texts from their accounts, which is weird. Are they using my number? How can I backtrack the phones?

Report your phone as stolen to the police. Report the work phone as stolen to your IT dept.

you can add a lockscreen remotely, and enable GPS so you can see where your phone is.

on an android anyway

>tfw OP keeps using the shitty /sec/ resources pastebin

Yo what distros do you guys use?
Thinking about getting into Void Linux.

hahahahahaha

ok

Is that CDE?

You're gonna become a fucking gargyle? Aren't you socially retarded enough as it is?

Pfsense has OS detection and blocking.

cl.cam.ac.uk/~sps32/sec_news.html

I'll be waiting for your comments on this.

Iridium and Brave are the only serious browsers at the moment.

What can you even do with a botnet? I'm not actually interested in doing anything malicious. Back when I was a kid, I went through a phase where I would download those runescape phishers from YouTube and then find the gmail account it mailed all the data to. It was incredibly effective, I ended up with hundreds of username/passwords. I never did anything with them, I just signed into people's accounts and read all their stuff. It was usually mundane stuff but some of it was cool. I also used to look at people's unsecure webcams and stuff. I've always had a weird interest in watching strangers, while having complete respect of privacy of people I know.

Most of us use Debian/Ubuntu or Windows. In the industry you will find either Windows, RHEL/CentOS or FreeBSD.

How did you get the passwords? I'm not quite sure I follow.

Only worth it if you don't mind eventually being jailed for 20 years at some point in your life.

...

cute

how do i get into this

The way those phishers usually worked was by claiming to be a "gold generator" or something, and telling the victim to enter their account information into a GUI. It logged whatever the victim inserted into the Username/password field, then immediately sent it to a gmail account. 9 times out of 10 the username and password of the gmail account was unencrypted, so you could just sign into that gmail account and piggyback off of it. Sometimes I'd change the password of the email account, but that was stupid as it just let them know something was up.

any cheesy but fun cyberpunk movies like Hackers(1995)?

Swordfish lol

I consider Logan's Run (1976) to be the earliest movie I ever encountered that had most of the common cyberpunk elements.

In Logan's Run, there was a central computer system that tracked every person in society, and when they turned 30 years old, the computer summoned them to enter "Carrousel" -- a ceremony in which they would end up getting killed. The plot was classic cyberpunk -- it focused on a small group of people who resisted the system, escaped it, and ultimately wanted to destroy it.

Has anyone seen any movies prior to Logan's Run that have most of the common cyberpunk elements? (Dystopian or authoritarian urban society, a heavy reliance on information technology, and a focus on those who are marginalized or who resist the system.)

Is it true that there's a shortage of cyber security workers? Is it even a good job to have?

It's a lot better than Software Development/Being a code monkey.

If you can't find a job just go black hat, after all crackers are the reason Cyber Security workers are even working. Who knows you might score big.

Stop it at your router.

I'm rewriting Forban in Ruby.

This.
If you get into hacking and infosec just go blackhat after your job or some shit.
That's where all the 'cool' hacker type stuff is at anyways

Now that Lavabit email is back, is there anyway to get all your old emails back? I lost a lot of memories when they went down.

I'm working with making a solar charged light system for my bike.

What is the most easy way to make a meshnet
B.A.T.M.A.N
OLSR
or Wifi-S?

...

lynx

>and read all their stuff
>complete respect of privacy
did you ever once notify them? grey hat at best.

there's a shortage, but imho it's not worth the risk.

Yes there's a shortage. Yes it's a good job, often pays twice what developers make.

You can quickly get into the executive board if you go into security as well. This is how:

- get dev job, either junior or senior.
- program shit
- start writing your own security tests of whatever it is you're making (read gray hat python to do this, Art of Software Security Assessment, ect).
- often corporations have no security department so will just appoint you security lead or head.
- from there start taking infrastructure security, read books about security management (google has written many, or read google's SRE book and apply it to security tests)
- apply to be Chief Information Security Officer
- congrats your CISO on the board

>often corporations have no security department so will just appoint you security lead or head.
valid

This has probably been asked before, but how reliable is the security on Signal?

Extremely reliable.

The problem is how reliable is the security on your device. Probably joke tier. So don't use it for anything super seekrit that involves you going to jail.

your favorite phone's chipset is compromised. the manufacturer can keylog you no problem. the software is secure though i think. these phones might be legit though: silentcircle.com/buy/

>the software
to clarify, Signal

I'm starting college with a major in Computer Networking/Cyber Security
how fucked am I

when if ever should one use selinux?

you'll know the first time they tell you what software to use for class. if it only runs on windows, you're fucked.

It's not.

If you want a decent phone, get a Nexus 5x or 6p. Install CopperheadOS on it. Then use Signal. That's as good as security as you can get with a mobile device.

Also phones these days no longer allow the baseband any DMA. It's a (micro) serial connection these days.

if that happens, drop out immediately and do your own research and if necessary, work at mcdonald's

what's not, the blackphone?

SELinux is useful for creating a sandbox for looking at PDFs or for your browser. Like if you ran Firejail and then created an SELinux lockout for Firejail otherwise not very useful.

SELinux was just supposed to be a temporary fix, it was a Proof Of Concept that the NSA showed the Linux dev team what could be done to minimize attacks and Linux team being lazy as fuck never did sweet fuck all to roll their own mandatory access control and just went with the SELinux kernel mod/hooks.

I'd suggest Grsecurity but that ship has sailed I don't even know if arch/gentoo fags can still use their patches anymore

Blackphone has had a lot of problems, thegrugq has written extensively about them in the past.

It's a proprietary phone without any kind of real exploit mitigation. CopperheadOS does have real exploit mitigation, and costs 1/4 the price.

If you were any kind of drug dealer you would be using Iphones anyway (latest ones with secure enclave) and texting each other in code. If you were some sort of nation state agent you'd be using SubgraphOS

seems legit. every time i've tried implementing it, it was a massive timesuck. i'm aware it was an nsa thing...go figure it's not practical.

interesting

>tfw too intelligent for computer programming so you had to settle for cyber security

>you will never be an operating system/kernel developer

>larping that never using phones (or computers for that matter) is possible
i just realized you didn't address the issue of firmware backdoors. do either of these OSes update the phone's firmware? if not, especially if it's proprietary firmware, there's no way to confirm or deny the existence of firmware vulnerabilities.

texting as in using Signal, and iPhones as in buying them through a third party and using VPNs out of the country. Typical street gang running a dial a dope operation is doing exactly this.

Read any of the Andrew S. Tanenbaum books. There's also CS:APP book, which has free lectures here: scs.hosted.panopto.com/Panopto/Podcast/Podcast.ashx?courseid=b96d90ae-9871-4fae-91e2-b1627b43e25e&type=mp4

I'm actually reading Modern Operating Systems right now and pretending I'll actually some day be able to write for the linux kernel

sure that works, until you get keylogged and triangulated. i'm still waiting for an answer to

Of course there will be firmware vulnerabilities, but the question is does it have DMA to the application OS which is no.

It does however have access to phone storage, as evidence by the Samsung backdoor discovered by ReplicantOS, however if you're using Signal that is encrypted so useless.

If you're really paranoid put your phone in airplane mode and carry around a mobile wifi AP, use that with a VPN. Problem is that mobile wifi will likely leak your location everywhere by broadcasting your mac (which you can't change as mobile AP's are all proprietary) so don't be carrying it to any hits of your drug dealer enemies with it leave the phone at home.

>tfw working in my dream job, infosec
>people think I'm awesome, knowledgeable, etc
>very insecure about myself and my knowledge, I feel like a cheater. there are much better people than me (perhaps not at this place, though)
love my job, but fucking hell, sometimes I wonder if shit will hit the fan some day because of my (known or unknown) mistakes, or something

that's called imposter syndrome, everybody has it.

there's always somebody 'better' than you at whatever it is you're doing, but I guarantee they have the same imposter syndrome

Did you pursue a traditional education or are you self-taught? Just curious. I'm interested in getting into the field and I'd like to know what actually works for people.

>drugs are bad mmkay

>access to phone storage
and devices like touchscreens which can be keylogged

>mobile AP's are all proprietary
this seems questionable but i don't care enough to research it myself right now

I wouldn't start with the linux kernel.

I would go to FreeBSD/OpenBSD instead first as it's easier to do commits. Or try GuixSD they're always looking for people, and have a Linux Libre kernel they use you could work on then later push upstream the changes.

Just keep at it and read shit, like the classic Lions Guide to a TImesharing OS. Personally I wouldn't bother with kernel.org because it's entirely samsung and corporate shills who work on it these days

this is why i refuse to work in the medical industry. supply and demand is a thing. thank god hajeeb didn't get your job. keep researching.

>cyberpunk
>cybersecurity
>uses pastebin

???

the problem is I don't even know how to program and I only have a basic grasp on the concepts behind it

yep. we're all gonna die. soon.

How are they going to keylog with CopperheadOS or Iphone. Maybe if you're a terrorist and they want to burn a 100,000+ USD 0day. If you have a VPN how exactly are they supposed to get the telemetry back of the screen movements now we are talking a 150,000+ USD exploit as it needs to hide itself in LinkedIn updates or something and piggyback to it's C&C server.

I'd be more worried about police just watching you with binoculars typing on your phone and following you around than any kind of remote exploit at that level.

go on edx.org and look up 'how to code'. It's HtDP but done by a UBC professor edx.org/course/how-code-simple-data-ubcx-htc1x

Then do CS:APP as linked above (you can buy that book for $20 on Abe Boks).

Then finish the Tanenbaum book it will actually make sense. CS:APP is self contained you don't even need to know C it will teach you enough or crash course read K&R as you go.

Well I understand Modern Operating systems 100% and I find it absolutely fascinating. I just don't know how to program.

I'm going to check out the other resources though because I really wanna learn how to do this stuff

what kind of router would let you do this?

I've got a netgear something or other, it's decent but the interface is total dogshit and I doubt it'll let me block things so specifically

he's talking about a Router router, not a consumer wireless access point/modem/router combo

for the sake of the argument, i'm being as paranoid as possible. wouldn't "they" only have to burn that $150,000 0day once? what if "they" used a hardware exploit that talked to exploited cell towers. can't patch that without replacing the phone and/or tower server. that wouldn't require linkedin or anything...just straight send serialized keystrokes over 3g/4g from the phone to the tower then to fuckall.

make your own router openbsd runs on those cheap arm boxes or buy a ubiquity lite

a hardware exploit would definitely be more expensive, but you only have to spend the money once.

I wrote this: functionalcs.github.io/curriculum/

Pick and choose from it. The authors of HtDP also have a second book here free papl.cs.brown.edu/2016/ but it assumes you've already done how to design programs (HtDP) book/course, which is the above edx.org linked course. It's a 3 part series, easy to do, done in Racket, you get really good and writing functions and can just ease into C it's how I learned.

CS:APP is here functionalcs.github.io/curriculum/#org2b55624

You just keep doing it until you get it.

But the hardware would need direct memory access to the application OS which it does not anymore, not since like 2009.

Just get SubgraphOS on a laptop and change the wifi MAC every day. Throw out that laptop after a month and use a new one bought used off craigslist or something. I assume you aren't a terrorist if you are I suggest you immediately join ISIS and hopefully die in the deserts of Syria.

what if there was memory built into the cpu though?
lol no i'm i voted for Trump. MAGA. libertarian for like 10 yrs.

There is, it's a system on chip but it's connected serially to the application OS (for now) so a hardware exploit wouldn't do shit. Police are much more likely to just find you via opsec failures (you giving away too much info like every hacker has ever done) and holding you for a week without a lawyer like they typically do.

You should just follow people on twatter who know these things like thegrugq or twitter.com/jcase

>There is, it's a system on chip
i'm gonna go ahead and count this as a win. also, i'll agree with you that
>Police are much more likely to just find you via opsec failures
this proves nothing, but i don't actively test this kind of thing. i like reading about it though. great conversation.

>Did you pursue a traditional education or are you self-taught?
failed engineering student, dropped out before 3rd year of college (and 6 actual years in 2 different unis...)
what worked is contacts + CVEs + a bit of knowledge of a lot of things. in fact, me joining the company was almost an accident.

you have to keep learning, reading articles/news, doing/trying things, etc. infosec is broad and fun, and now you can even make a lot of money while learning. for example, OWASP + bug bounties = $$$, and stuff like this makes it rewarding:
slashcrypto.org/2017/05/17/5k_Error_Page/
also, keep reading stuff from bug bounties, these things are very motivational. I mean, some people find really cool stuff, some people make easy $$ from dumb mistakes

That is an awesome resource you assembled, thanks a ton for doing the legwork. Wish more anons were helpful like you.

If you get any kind of good at Standard ML go apply to Janes Street Capital they use OCaml, and it's fintech so you make a stupid amount of money.

They have a security department too, in fact the 'hardened' OCaml libraries they use are pretty interesting which I use these days

Thanks for the goldmine

>The lag is bad though

Is your PC under-powered? If it's dropping below 75 fps then something's wrong.

What are some good/fun vulnhub images? Bored as fuck.

Yes. And add to this links et al.
text based browsers are the safest with the fewest dark corners for malware to hide.

>management
That's where all the boring stuff happens, you want to get in on the good security stuff you have to learn it and put tons of effort in it.
Minimum cert you want to get is CISSP in you want to get into management.

You can still use grsecurity with 4.9 LTS look up minipli maintains 4.9 LTS with grsec.

Metropolis (1927) is frequently cited as early Cyberpunk.

I saw Logan's Run. Talking sense to a computer to blow it up was old after Star Trek.

The chance to get rich of bug bounties is very small, hell the worst part about it is there is no way to check if your bug has already been reported and if it is you ain't get shit poof wasted hours/days/months..

>cl.cam.ac.uk/~sps32/sec_news.html
Checking:
>created 14-10-2011 -- last modified 07-02-2013
OK, so it is dead.


>I'll be waiting for your comments on this.
Why?

>OK, so it is dead.

What do you mean?

>Why?

Because this is a cyber security thread you imbecile.