
Whonix, Privacy, AIP, IPv6, PayPal, DHT Kademlia, Security by Obscurity

posted Feb 5, 2016, 9:17 PM by Sami Lehtinen   [ updated Feb 5, 2016, 9:18 PM ]
  • Checked out the excellent privacy page: Whonix - DoNot! - Most people DoNot know these things, even if I didn't find any surprises on the list. They didn't warn that end-to-end encryption could potentially be a bad thing, because OpenPGP and others usually use persistent public / private keys. If you use those, it's extremely easy to track you down. The reminder about not mixing modes of anonymity is a very good one. The point about using clearnet and Tor at the same time is very important. It's actually preferable to have separate physical workstations and locations, so it's easier to disassociate identity. At this location I'm doing this, and the rest is done at the other location. Just like separating work & home. As they say, "This page highly risks to state obvious things", and that's right. None of the things mentioned were new at all. - As we've all experienced: it's extremely difficult to get any normal user to follow any kind of sane OpSec protocol. They didn't say it directly, but following a fixed browsing pattern is also very bad. Let's say you always visit 5 sites in pretty much the same order. Then your session is pretty much identifiable already.
  • It's a classic dilemma: use the same services as everyone else and try to hide in the crowd, or use something else and hope they don't notice. But actually you're standing out of the crowd in a red jumpsuit. It's just like my personal OpenPGP key, which uses custom cipher preferences. That means I guess I'm in the less than 1% of all OpenPGP users, which makes it always immediately identifiable. "Don't change settings" applies to this very much. Yes, nothing new. But it's good to be reminded that using niche services or 'better settings' than others will just make you very visible. It isn't hiding in plain sight at all. The same goes for doing something like modifying browser language or cipher preferences, which I've done on my normal desktop. So it doesn't matter which IP address I use. A screening app can immediately pick up my workstation, wherever it is in the world. Or my mobile: it connects to my personal mail server. Even if the connection is encrypted, if the login is successful it's almost 100% guaranteed it's me, or a hacker who has gained access to my email. Ha, probably the hacker wouldn't be using IMAP4 anyway.
  • Reminded myself about Air-independent propulsion (AIP). - Also checked out the A26 Submarine for Sweden by SAAB Kockums. Some acronyms are just so funny: "GHOST (Genuine HOlistic STealth)" - Type 612.
  • Yay! Global IPv6 adoption is over 10% according to Google IPv6 Adoption Measurements.
  • Got the news that Microsoft Windows 10 leaks encryption keys to Microsoft. Just for security purposes, and it doesn't even notify the user about the leak. - Thank you so much! What was the point of encryption in the very first place? Was it to make all data accessible? Or was it meant to be more like access control? I'm not quite sure right now.
  • It's highly confusing that PayPal is providing at least three different user interfaces when paying. That easily leads to confusion. I would prefer PayPal looking like PayPal whenever I use it. PayPal confusing user experience.
  • Implemented a DHT network crawler for a friend. It took a while to remind myself about all the details of the DHT (Kademlia) network. But it wasn't that hard after all. I think it took just a few hours to get it to work. The exact algorithm to be used to crawl the network hasn't been implemented yet. But the routines to fetch the required data are there, as well as the compressed data storage where the data will be stored after collection. Some friends suggested using random lookups. But I think I'll prefer something more like a binary tree approach, where the network is split in half until the lookups start to overlap. We also maintain a list of known nodes, so there's a pretty good idea of how many nodes should be expected based on previous crawls. Random is random; the binary approach provides systematic, complete network scan results.
  • Do you think security by obscurity applies only to computer software? Nope, it's also very much present in the physical world. We had a minor issue because we needed to enter one place and we didn't happen to have a key for the place. What was needed? A screwdriver. It took about five minutes to get the idea and get it completed, which allowed us to trivially enter the third floor premises. I can't really imagine who designed the locking / security solution, but it was just stupidly easy to bypass. Nothing was broken, just a few access panels opened with a screwdriver and wires connected with the screwdriver. So much lulz! Oh boy, did we laugh. But this is also very worrying. We really don't imagine we could be the only people in the world figuring out something as ridiculous as this was. Break in and entry? Hmm, nope. Just entry. When we left, we closed the access panel. I thought this is the stuff they do in the movies, and nobody's really actually silly enough to implement things so badly.
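
The keyspace-splitting crawl from the DHT (Kademlia) item above, next to the random-lookup alternative, as an added example that is not the crawler described in this post. Assumptions: a constructed 16-bit network, and a lookup modelled as an ideal `find_node` that returns the K XOR-closest IDs; all function names are hypothetical.

```python
import heapq
import random

BITS = 16   # ID width of the simulated network (real Kademlia uses 160)
K = 8       # nodes returned per lookup (bucket size)

def make_network(n, seed=1):
    """Constructed sample network: n distinct random node IDs."""
    return set(random.Random(seed).sample(range(1 << BITS), n))

def find_node(network, target):
    """Idealised lookup (assumption): the K IDs closest to target by XOR."""
    return heapq.nsmallest(K, network, key=lambda node: node ^ target)

def bisect_crawl(network):
    """Split the ID space in half until a lookup spills outside its range."""
    found, lookups = set(), 0
    stack = [(0, 0)]                      # (prefix value, prefix length)
    while stack:
        prefix, plen = stack.pop()
        lo = prefix << (BITS - plen)      # first ID in this range
        hi = lo + (1 << (BITS - plen)) - 1
        result = find_node(network, lo)
        lookups += 1
        found.update(result)
        inside = [n for n in result if lo <= n <= hi]
        # Every ID in [lo, hi] is XOR-closer to lo than any ID outside it, so
        # a full answer that stays inside the range may hide more nodes: split.
        # An answer that overlaps the neighbouring range has listed them all.
        if len(inside) == K and plen < BITS:
            stack.append((prefix << 1, plen + 1))
            stack.append(((prefix << 1) | 1, plen + 1))
    return found, lookups

def random_crawl(network, lookups, seed=2):
    """Baseline: the same number of lookups at random targets."""
    rng, found = random.Random(seed), set()
    for _ in range(lookups):
        found.update(find_node(network, rng.getrandbits(BITS)))
    return found

if __name__ == "__main__":
    net = make_network(2000)
    systematic, used = bisect_crawl(net)
    print(f"bisect: {len(systematic)}/{len(net)} nodes in {used} lookups")
    print(f"random: {len(random_crawl(net, used))}/{len(net)} nodes")
```

On a live network lookups are iterative and nodes churn, so the node count from previous crawls mentioned above remains a useful cross-check on the result.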