cyph3rPunk
www.tomshardware.com
cross-posted from: https://lemmy.world/post/18283290 > … "The first of two versions of the RayV Lite will focus on laser fault injection (LFI). This technique uses a brief blast of light to interfere with the charges of a processor’s transistors, which could flip them from a 0 value to a 1 value or vice versa. Using LFI, Beaumont and Trowell have been able to pull off things like bypassing the security check in an automotive chip’s firmware or bypassing the PIN verification for a cryptocurrency hardware wallet. > > The second version of the tool will be able to perform laser logic state imaging. This allows snooping on what’s happening inside a chip as it operates, potentially pulling out hints about the data and code it’s handling. Since this data could include sensitive secrets, LSI is another dangerous form of hacking that Beaumont and Trowell hope to raise awareness of." …
www.wired.com
cross-posted from: https://lemmy.dbzer0.com/post/24829826
The headline was bit sensationalist. So, I shortened it.
> A video summary by Faan Rossouw of the Malware of the Day - XenoRAT/// > 🔗 Blog post located here: https://www.activecountermeasures.com/malware-of-the-day-xenorat/
www.buskill.in
Today we're ecstatic to [publish our first demo](https://www.buskill.in/3d-print-2024-05/) showing a homemade BusKill Cable (in the prototype 3D-printed case) triggering a lockscreen. | [](https://www.buskill.in/3d-print-2024-05/) | |:--:| | *Watch the [3D-Printed USB Dead Man Switch (Prototype Demo)](https://www.youtube.com/v/vFTQatw94VU) for more info [youtube.com/v/vFTQatw94VU](https://www.youtube.com/v/vFTQatw94VU)* | via [@Goldfishlaser@lemmy.ml](https://lemmy.ml/u/Goldfishlaser) In our [last update](https://www.buskill.in/3d-print-2023-08/), I showed a video demo where I successfully triggered a lockscreen using a BusKill prototype without the 3D-printed body for the case and N35 disc magnets. I realized that the N35 disc magnets were not strong enough. In this update, I show a demo with the prototype built inside a 3D-printed case and with (stronger) N42 and N52 cube magnets. # What is BusKill? BusKill is a laptop kill-cord. It's a USB cable with a magnetic breakaway that you attach to your body and connect to your computer. | [](https://www.buskill.in/#demo) | |:--:| | *Watch the [BusKill Explainer Video](https://www.buskill.in/#demo) for more info [youtube.com/v/qPwyoD_cQR4](https://www.youtube.com/v/qPwyoD_cQR4)* | If the connection between you to your computer is severed, then your device will lock, shutdown, or shred its encryption keys -- thus keeping your encrypted data safe from thieves that steal your device. # Why? While [we do what we can](https://www.buskill.in//buskill-onion-service-tor/) to allow at-risk folks to [purchase BusKill cables anonymously](https://www.buskill.in//bitcoin-black-friday-2023/#privacy), there is always the risk of [interdiction](https://docs.buskill.in/buskill-app/en/stable/faq.html#q-what-about-interdiction). We don't consider hologram stickers or tamper-evident tape/crisps/glitter to be sufficient solutions to supply-chain security. Rather, the solution to these attacks is to build open-source, easily inspectable hardware whose integrity can be validated without damaging the device and without sophisticated technology. Actually, the best way to confirm the integrity of your hardware is to build it yourself. Fortunately, BusKill doesn't have any circuit boards, microcontrollers, or silicon; it's trivial to print your own BusKill cable -- which is essentially a USB extension cable with a magnetic breakaway in the middle Mitigating interdiction via 3D printing is one of many reasons that [Melanie Allen](https://github.com/Goldfishlaser) has been diligently working on prototyping a 3D-printable BusKill cable this year. In this article, we hope to showcase her progress and provide you with some OpenSCAD and `.stl` files you can use to build your own version of the prototype, if you want to help us test and improve the design. # Print BusKill [](https://www.buskill.in/3d-print-2024-05/) If you'd like to reproduce our experiment and print your own BusKill cable prototype, you can [download the stl files](https://www.buskill.in/3d-print-2024-05/) and [read our instructions](https://www.buskill.in/3d-print-2024-05/) here: * [buskill.in/3d-print-2024-05](https://www.buskill.in/3d-print-2024-05/) # Iterate with us! **If you have access to a 3D Printer, you have basic EE experience, or you'd like to help us test our 3D printable BusKill prototype, please** [let us know](https://buskill.in/contact). The whole is greater than the sum of its parts, and we're eager to finish-off this 3D printable BusKill prototype to help make this security-critical tool accessible to more people world-wide!
> Backdoor found in xz liblzma specifically targets the RSA implementation of OpenSSH. Story still developing.https://openwall.com/lists/oss-security/2024/03/2...
AI summary of transcript: > groundbreaking exploration into transmitting LoRaWAN signals via unconventional means—utilizing microcontrollers lacking native radio functionalities. By tweaking GPIO pins on devices like the CH32V203, ESP32-S2, and ESP8266, OP demonstrates how to generate RF signals strong enough to communicate with commercial LoRaWAN gateways and access the internet. This method deviates from traditional approaches that rely on specific radio chips or RF capabilities. The experiment not only surpasses expectations in terms of signal transmission distance but also showcases a novel blend of ingenuity and technical prowess. Through this project, the resilience and adaptability of LoRa technology are put on full display, proving its capability to facilitate long-range communications under inventive conditions. The venture into RF technology and signal generation through hardware manipulation opens new avenues for utilizing microcontrollers in ways previously deemed impractical, marking a significant achievement in the field.
# DO NOT try this EVER. The feds **will** show up at your house and arrest you in less than 30 minutes.
> Welcome to the Advanced Meshtastic Series. We'll be getting into some of the more advanced things you can do with Meshtastic.
> Programs aren't capable of generating true random numbers, so how can we? Are they even useful? Dr Valerio Giuffrida demonstrates how to get a true random number from most computers.
arxiv.org
cross-posted from: https://infosec.pub/post/4424216 >Intell-dragonfly: A Cybersecurity Attack Surface Generation Engine Based On Artificial Intelligence-generated Content Technology. (arXiv:2311.00240v1 [cs.CR])
darknetdiaries.com
I just learned about this podcast today. Enjoy!
TETRA vendors caught breaking a basic rule: don't roll your own bespoke cryptographic primitives.
odysee.com
cross-posted from: https://monero.town/post/554820 > The two discuss the prominent blockchain privacy paper co-authored by Vitalik Buterin, the future of blockchain privacy vs surveillance coins. Alan explains why there’s a need to stop putting the state on a pedestal in the privacy debate in order to defend privacy in the future, the reason the US government doesn’t care as much about money laundering as long as it happens in US banks. >
In this talk we will discuss the radio jailbreaking journey that enabled us to perform the first public disclosure and security analysis of the proprietary cryptography used in TETRA (Terrestrial Trunked Radio): a European standard for trunked radio globally used by government agencies, police, prisons, emergency services and military operators. Besides governemental applications, TETRA is also widely deployed in industrial environments such as factory campuses, harbor container terminals and airports, as well as critical infrastructure such as SCADA telecontrol of oil rigs, pipelines, transportation and electric and water utilities. For over two decades, the underlying algorithms have remained secret and bound with restrictive NDAs prohibiting public scrutiny of this highly critical technology. As such, TETRA was one of the last bastions of widely deployed secret proprietary cryptography. We will discuss in detail how we managed to obtain the primitives and remain legally at liberty to publish our findings.
> Spies used to meet in the park to exchange code words, now things have moved on - Robert Miles explains the principle of Public/Private Key Cryptography > > note1: Yes, it should have been 'Obi Wan' not 'Obi One' :) > note2: The string of 'garbage' text in the two examples should have been different to illustrate more clearly that there are two different systems in use.
> Slides - [https://authress.io/l/codemotion](https://docs.google.com/presentation/d/e/2PACX-1vSlrYb8nmtlH8HcVgBRhCnF3-A-Av8WG5YHe6Nte5ly49uL-Ug2JK7wQnPJ6FYi5VZ69vt49y3emLtj/pub?start=false&loop=false&delayms=30000&slide=id.p) > > Conference: > Codemotion Madrid 2023 > https://talks.codemotion.com/why-you-... Can someone recommend a more secure method? I've been told many times that using git for secret management would present a potential vulnerability.
[Video-Based Cryptanalysis](https://www.nassiben.com/video-based-crypta)
www.theregister.com
> DEF CON Infosec super-band the Cult of the Dead Cow has released Veilid (pronounced vay-lid), an open source project applications can use to connect up clients and transfer information in a peer-to-peer decentralized manner. > > The idea being here that apps – mobile, desktop, web, and headless – can find and talk to each other across the internet privately and securely without having to go through centralized and often corporate-owned systems. Veilid provides code for app developers to drop into their software so that their clients can join and communicate in a peer-to-peer community. > > In a DEF CON presentation today, Katelyn "medus4" Bowden and Christien "DilDog" Rioux ran through the technical details of the project, which has apparently taken three years to develop. > > The system, written primarily in Rust with some Dart and Python, takes aspects of the Tor anonymizing service and the peer-to-peer InterPlanetary File System (IPFS). If an app on one device connects to an app on another via Veilid, it shouldn't be possible for either client to know the other's IP address or location from that connectivity, which is good for privacy, for instance. The app makers can't get that info, either. > > Veilid's design is documented here, and its source code is here, available under the Mozilla Public License Version 2.0. > > "IPFS was not designed with privacy in mind," Rioux told the DEF CON crowd. "Tor was, but it wasn't built with performance in mind. And when the NSA runs 100 [Tor] exit nodes, it can fail." > > Unlike Tor, Veilid doesn't run exit nodes. Each node in the Veilid network is equal, and if the NSA wanted to snoop on Veilid users like it does on Tor users, the Feds would have to monitor the entire network, which hopefully won't be feasible, even for the No Such Agency. Rioux described it as "like Tor and IPFS had sex and produced this thing." > > "The possibilities here are endless," added Bowden. "All apps are equal, we're only as strong as the weakest node and every node is equal. We hope everyone will build on it." > > Veilid > > Big launch ... medus4, left, and DilDog at DEF CON > > Each copy of an app using the core Veilid library acts as a network node, it can communicate with other nodes, and uses a 256-bit public key as an ID number. There are no special nodes, and there's no single point of failure. The project supports Linux, macOS, Windows, Android, iOS, and web apps. > > Veilid can talk over UDP and TCP, and connections are authenticated, timestamped, strongly end-to-end encrypted, and digitally signed to prevent eavesdropping, tampering, and impersonation. The cryptography involved has been dubbed VLD0, and uses established algorithms since the project didn't want to risk introducing weaknesses from "rolling its own," Rioux said. > > This means XChaCha20-Poly1305 for encryption, Elliptic curve25519 for public-private-key authentication and signing, x25519 for DH key exchange, BLAKE3 for cryptographic hashing, and Argon2 for password hash generation. These could be switched out for stronger mechanisms if necessary in future. > > Files written to local storage by Veilid are fully encrypted, and encrypted table store APIs are available for developers. Keys for encrypting device data can be password protected. > > "The system means there's no IP address, no tracking, no data collection, and no tracking – that's the biggest way that people are monetizing your internet use," Bowden said. > > "Billionaires are trying to monetize those connections, and a lot of people are falling for that. We have to make sure this is available," Bowden continued. The hope is that applications will include Veilid and use it to communicate, so that users can benefit from the network without knowing all the above technical stuff: it should just work for them. > > To demonstrate the capabilities of the system, the team built a Veilid-based secure instant-messaging app along the lines of Signal called VeilidChat, using the Flutter framework. Many more apps are needed. > > If it takes off in a big way, Veilid could put a big hole in the surveillance capitalism economy. It's been tried before with mixed or poor results, though the Cult has a reputation for getting stuff done right. > --- # [Veilid Source](https://gitlab.com/veilid/veilid) > > > The first matter to address is the question "What is Veilid?" The highest-level description is that **Veilid is a peer-to-peer network for easily sharing various kinds of data.** > > --- > > Veilid is designed with a social dimension in mind, so that each user can have their personal content stored on the network, but also can share that content with other people of their choosing, or with the entire world if they want. > > > --- > > The primary purpose of the Veilid network is to provide the infrastructure for a specific kind of shared data: social media in various forms. That includes light-weight content such as Twitter's tweets or Mastodon's toots, medium-weight content like images and songs, and heavy-weight content like videos. Meta-content such as personal feeds, replies, private messages, and so forth are also intended to run atop Veilid.
> Kevin Mitnick (RIP) visits Google's NYC office to discuss his book "Ghost in the Wires: My Adventures as the World's Most Wanted Hacker" with Eran Feigenbaum, Google's Director of Security for Google Apps. This event took place on August 17, 2011, as part of the Authors@Google series. > > Kevin Mitnick was the most elusive computer break-in artist in history. He accessed computers and networks at the world's biggest companies--and however fast the authorities were, Mitnick was faster, sprinting through phone switches, computer systems, and cellular networks. He spent years skipping through cyberspace, always three steps ahead and labeled unstoppable. But for Kevin, hacking wasn't just about technological feats-it was an old fashioned confidence game that required guile and deception to trick the unwitting out of valuable information. > > Driven by a powerful urge to accomplish the impossible, Mitnick bypassed security systems and blazed into major organizations including Motorola, Sun Microsystems, and Pacific Bell. But as the FBI's net began to tighten, Kevin went on the run, engaging in an increasingly sophisticated cat and mouse game that led through false identities, a host of cities, plenty of close shaves, and an ultimate showdown with the Feds, who would stop at nothing to bring him down. > > Ghost in the Wires is a thrilling true story of intrigue, suspense, and unbelievable escape, and a portrait of a visionary whose creativity, skills, and persistence forced the authorities to rethink the way they pursued him, inspiring ripples that brought permanent changes in the way people and companies protect their most sensitive information.
Secret texts buried in a picture of your dog? Image Analyst Dr. Mike Pound explains the art of steganography in digital images.
[DEFCON 31: August 10, 2023 - August 13, 2023 in Las Vegas, NV](https://networkinvegas.com/event/defcon/)
> In the early 1990s, a group of mathematicians, misfits, hackers, and hobbyists calling themselves "the cypherpunks" came together around a shared belief that the internet would either demolish society's artificial walls or lay the groundwork for an Orwellian state. They saw cryptography as a weapon against central planning and surveillance in this new virtual world. > > The philosophical and technical ideas explored on the cypherpunks' widely read email list, which launched in 1992, influenced the creation of bitcoin, WikiLeaks, Tor, BitTorrent, and the Silk Road. The cypherpunks anticipated the promise and the peril that lay ahead when the internet went mainstream, including new threats to privacy and the possibility of building virtual platforms for communication and trade that would be impervious to government regulators.
>In this video I explore an elaborate cryptographic internet puzzle orchestrated by a mysterious individual or group known as Cicada 3301. > >Puzzle: The puzzle I hid in this video has been [solved](https://www.lemmi.no/p/my-latest-puzzle).
L0pht Heavy Industries testifying before the United States Senate Committee on Governmental Affairs, Live feed from CSPAN, May 19, 1998. Starring Brian Oblivion, Kingpin (Joe Grand), Tan, Space Rogue, Weld Pond, Mudge, and Stefan von Neumann. This is the infamous testimony where Mudge stated we could take down the Internet in 30 minutes. Although that's all the media took from it, much more was discussed. See for yourself.
Soft White Underbelly interview and portrait of Gummo, a computer hacker from Jacksonville, Florida. Here’s a link to a follow up interview with Gummo: [Black Hat Hacker-Gummo (follow up) ](https://www.youtube.com/watch?v=3ZtkMmVDNEo&t=0s)
cyph3rPunk
!cypherpunk@infosec.pubThe people in this community hope for a world where an individual's informational footprints—everything from an opinion on abortion to the medical record of an actual abortion—can be traced only if the individual involved chooses to reveal them; a world where coherent messages shoot around the globe by network and microwave, but intruders and feds trying to pluck them out of the vapor find only gibberish; a world where the tools of prying are transformed into the instruments of privacy. There is only one way this vision will materialize, and that is by widespread use of cryptography. Is this technologically possible? Definitely. The obstacles are political—some of the most powerful forces in government are devoted to the control of these tools. In short, there is a war going on between those who would liberate crypto and those who would suppress it. The seemingly innocuous bunch strewn around this community represents the vanguard of the pro-crypto forces. Though the battleground seems remote, the stakes are not: The outcome of this struggle may determine the amount of freedom our society will grant us in the 21st century. To the Cypherpunks, freedom is an issue worth some risk.
Relevant Links:
"Security is mostly a superstition. It does not exist in nature, nor do the children of man as a whole experience it. Avoiding danger is no safer in the long run than outright exposure. Life is either a daring adventure, or nothing." Helen Keller