Privacy Badger Privacy
I'm curious about the recommendation of Privacy Badger. Since it has a learning heuristic based on the sites you visit, surely it can be turned into a privacy vulnerability if someone hasn't already done so.
Linux Foundation project director Konstantin Ryabitsev has publicly-released the penguinistas' internal hardening requirements to help sysadmins and other paranoid tech bods and system administrators secure their workstations. The baseline hardening recommendations are designed that balance security and convenience for its …
Yes, a lot of the 'privacy' enhancers can/could 'accidentally' steal/profile all your data
eg Ghostery - run by Evidon (advertiser) mostly OK if you never share the Ghostrank data
& TrackMeNot - a great RSS driven background search anti-profiler, but allegedly can see all your surfing
& OpenDNS - gets you away from your ISP DNS, but can be subverted & is based in the USA/NSA, probably.
(I *think* I was attacked once through OpenDNS. I know I was attacked and the best fit is that my DNS was being observed during the attack, but I'm a paranoid security type)
these tools are all local client defense things - server side tracking is harder to defeat, other than more TMN style tools? anyone have the wget code to test the far end of the RPC?
summary is that I very much LIKE PrivacyBadger, I have proved price differences from PeasyJet, averaging a twenty percent saving, when dumping as many tracking elements as possible
Quote from OA
"Zoz in his DEF CON talk showcases oxygen, copper, and thermate injection, and custom-made explosives."
UK based participants in these projects had better be careful with this particular suggestion. Try explaining to an SO-13 incident response team (or whoever it is these days) that you are actually practising good data security when they arrive through your windows at 4am. Isn't it Thermite?
Seriously: if a hard drive was encrypted using LUKS as recommended - especially if you take the Debian default setting of writing random numbers to the whole drive during installation so that it is harder to find the section of the drive where your encrypted data resides - is there any need for actual physical destruction?
is there any need for actual physical destruction?
SSD (solid-state disk drive) says, Y E S - burn me! (remember that GCHQ/NSA/5-eyes took out various cache-chips, keyboard controllers, BT chips etc on the mobos that had but slightly touched Snowden)
for the rotary HDDs, a month in the garden in a plastic bucket with ten-pence worth (2.2lbs) of Natrium Chloride ionised in a gallon of natural universal solvent maintained at ambient temperature has so far been my chosen method.
MOD-Plod would find it hard to make an accusation of terrizm for this, other than my reading subversive literature online, such as El'Reg.
Here you are: OpenBSD download link.
Thank you, thank you, Is that the door over there?
Yep. That'd be my first choice as well. Look up the entry for 'Paranoid' and there's Theo.
Me? One signature and they own my ass, again irrelevant of whatever I'm doing or not doing. I play the security game to prevent blowback where I've been living for the last fifteen years.
The problem with OpenBSD is that to use it as more than a very minimal desktop you end up bringing in so much of the same hardly audited desktop crap from Linux that your attack surface goes through the roof regardless. I love OpenBSD but let's be honest and say their hardware support can be spotty and it's probably not the OS you want to be running on, say, a laptop (sleep functionality or 3D drivers are not always where they need to be).
I have a lot of luck running it on older Lenovo laptops; the (S)L410 runs like a dream with all hardware supported (my company just surplussed a couple thousand of the bastards, so you can probably pick them up for 50-100 bucks depending on specs).
As for security, I've found that OpenBSD + XFCE + Firefox (With the recommended extensions) is much more resistant to Metasploit than a Debian install with the same software.
I can believe that, as OpenBSD uses significantly less system resources than Linux and does tend to run better on older hardware (it tends to be newer hardware where the support can be missing). I just wish installing Firefox didn't bring in near as many packages as it does, but this isn't the OpenBSD folks' fault.
Sadly it looks like the @depends on both packages (seamonkey, firefox) are largely the same including this horseshit. The @wantlibs are very similar as well. Can never get enough Pango.
@depend multimedia/gstreamer1/plugins-good,-main:gstreamer1-plugins-good-*:gstreamer1-plugins-good-1.4.5p0
Despite its controversial nature, SecureBoot offers prevention against many attacks targeting workstations (Rootkits, "Evil Maid," etc), without introducing too much extra hassle. It will not stop a truly dedicated attacker, plus there is a pretty high degree of certainty that state security agencies have ways to defeat it (probably by design), but having SecureBoot is better than having nothing at all. Alternatively, you may set up Anti Evil Maid which offers a more wholesome protection against the type of attacks that SecureBoot is supposed to prevent, but it will require more effort to set up and maintain.
Hardly a glowing endorsement.
Yeah, but better a backdoor than a wide open doorway. If the TLAs can subvert the Secure Boot, they've essentially subverted at the hardware level, which is beyond most people's ability to get around, which means you can either bend over or cut the wires and go manual, which for a project such as this means abandoning it. Your choice.
MS doesn't hold the keys, it's up to the OEM to decide what keys are available in the UEFI firmware for SecureBoot processing. SecureBoot is a UEFI standard, not a MS one.
MS just requires support for Windows secure boot - just like Apple does on its devices.
Good security starts at the perimeter and if you are using a dedicated hardware based firewall with dpi and other goodies, that should trap a lot of the bad stuff. The rest is common sense use of the internet and things like Adblock and Noscript on Firefox to provide fine grained control over scripts and cross site references that are allowed to run.
Have never used any antivirus software here, but none of our machines have experienced any bad stuff in > 10 years. There are risks, but there's loads of FUD around on this subject as well...
Good point. I work from home mainly, with separate hardware interface subnets for domestic, lab and other services, so the chance of cross corruption is perhaps limited. I've never checked printers, but they are all so old that I doubt if they would be a target.
One client I worked for had a serious internally generated infection that cost days if not weeks of development time. They bought in a cheap batch of USB memory sticks (with virus installed), didn't check any of them, plugged in and wondered why nearly the whole site became infected. That could have been avoided simply by disabling autoplay using Tweakui, whatever. It's amazing just how many sites don't have unified security policies that would cover that sort of thing.
I'm not obsessive about security, but, for example, would ideally like all internet facing systems to be non-Intel architecture, though that is getting more difficult to do as the cpu arch gene pool continues to shrink...
That is why I made friends with a deep-sea fisher. Every few months I go out on a trip with them and throw my old disks (sans top covers) into the Pacific beyond the continental shelf. I challenge anyone to get to my information once it's been subjected to 10 million Pascals of pressure and the salinity of the ocean, let alone recover that 20 cubic inch object from millions of square kilometers of thick muck.
...when you can break WPA2 on the fly (trivial!) and insert custom packets into the live stream in a way that is impossible to detect without .GOV level resources.
Apparently the hardware to do this can be put into a microdrone and thanks to very inexpensive mass storage it is enough to break even a string of words +3PRN based password.
memo to self, setting at the *minimum* a 28 digit alphanumeric upper case, lower case, symbols and never using the same password twice along with at least 16K encryption at both ends would be a minimum.
If you haven't been through the code with a fine toothcomb and accounted for every single line and exactly what is being called from memory when, it's probably been pwn3d already.