Pinned toot

Verifying myself: I am @drwho in the Fediverse.

Pinned toot

@packbat

Do what thou Wilt shall be the whole of the Law.

Infragard for laybeings:

Infragard is described as a public sector/private sector partnership (part of the FBI, though I don't know off the top of my head which one) where they share intel pertaining to information security with active security professionals. This means, you have to work for a company which is in a fairly important field, such as aerospace, a tier-1 or tier-2 ISP, finance, or software products. I worked at NASA at the time, and later went into fintech. Both times I had to join Infragard because I did information security as my job. When I worked as a pen tester for a consultancy, it was before Infragard existed, otherwise I'd have had to join.

Yes, I had to undergo a background check. They want to make sure that members work for established companies, actually do security work, and don't have any connections to criminal groups that would try to misuse the information (at the time it was Russian organized crime they were worried about).

Being a member of Infragard means you get access to bulletins a couple of weeks before the information goes public. Most of it is under Chatham House rules - you can use it, but you can't say "I got this from Infragard."

Unfortunately, most of this information is between three and six months out of date. If you do even a minimal amount of proactive intel gathering as a security practitioner (run honeypots, read your server logs manually once or twice a week), or have any kind of intelligence system in place () you'll scoop them easily.

Supposedly they have classified infosec intel that they disseminate, but I've never seen any of it. If I had, common sense says I'd stay the hell away from a site like hackers.town and not say a damned thing about this tempest in a teapot.

Infragard has periodic members-only meetings where they talk about stuff going on. The group nomenclature /APT [0-9]*/ was first brought up during some of these seminars. Once in a great while a speaker will bring up something timely, but most of the time the meetings are pretty much a waste of time. Most of the ones I went to had to do with security policy compliance (meaning, "Did you follow all the steps in $handbook to lock your shit down?"), logging and analysis, that Windows XP wasn't going out of support just yet (at the time), and stuff like that. It's usually two or three speakers with an MC from Infragard while the rest of us sit in uncomfortable plastic chairs drinking crappy coffee and eating more-than-halfway-decent bagels and muffins for breakfast.

Yes, I had to wear a suit to attend. Highly uncomfortable in the DC metroplex in the summer, I can assure you.

No super-secret info, tips, or tricks were given out. I wish. It's all stuff that you'd know anyway if you'd ever been a system administrator. Hell, most of the people there weren't even techies, they were policy wonks. Quite a few times I was the only person there who actually worked /with/ and /on/ computers in any capacity. I was certainly the only person there with long hair.

For the record, if you want the High Gibson 0-day intel, crash a room party or two at Defcon or HOPE. That's where the good stuff is.

Infragard does not solicit, demand, or even request intel from its members. Everything was push (they tell us stuff), not pull (we tell them stuff). I doubt they'd even listen to us if we did tell them anything. A couple of times I spoke to presenters during breaks to correct them, because their knowledge of something was incorrect (see above remark about doing proactive infosec stuff) and either their eyes glazed over or they "Well, actually"'d me.

It's nothing really impressive if you have a technical background. Most of the time you'd be bored out of your mind, unless you were a checkbox-checker that did C&A (certification and accreditation) work (which is NOT actually testing security, it's asking questions on a checklist, only about 1/3 to 1/2 actually have anything to do about actual infosec; but that's a rant for another time).

Ostensibly I'm still an active member even though I haven't logged into the Infragard portal in about three years, though I still get the e-mails (I currently have over 200 in a folder, unopened, because most of the information is simply useless), and I can't be bothered to sit on the phone for three hours until I get through to a human who can unlock the account I never log into, anyway.

At no time, to the best of my knowledge, were any of us questioned about things we knew about or did. We were never even asked about stuff we saw going on in our own networks. I certainly wasn't, and I saw a lot of shit flying around on the Net at the time. Nobody ever told (or even gently suggested) to any of us to keep an eye and ear open for anything interesting happening on Twitter, Facebook, or anything else. Hell, at the time Infragard didn't even seem to know anything about Lulzsec's shenanigans at the time, nor did any of the other members I talked to at seminars. I was the only person in the DC Infragard chapter who did, because I'd tasked part of me with monitoring the situation.

If the FBI /did/ want to monitor the Fediverse... well, pull up your profile and hit View Source. You'll see an RSS feed for everything you post. Here's mine: hackers.town/users/drwho.atom

tl;dr, they could surveil the Fediverse with a feed reader or even a shitty Perl script. No NSA magick required. Not even an account on that instance is required. So, there would be no point to standing up an instance for the purpose of surveillance.

Ask me anything I forgot about. I'll answer honestly and to the best of my ability. If I don't know, I'll say "I don't know."

Love is the Law, Love under Will.

Pinned toot

Do what thou Wilt shall be the whole of the Law.

A little bit of hacker history, for folks who didn't live through it:

ia800504.us.archive.org/35/ite

Back in 1985, LEOs started setting up and running boards to sting hackers. They went to great lengths to make them look 'legit' insofar as the hacker community was concerned, even going so far as to use some of the phone phreaking tricks of the time to make the boards look more like the HPAC/V boards of the time.

The folks who ran those boards never, ever, ever mentioned they were cops, or indeed any kind of official. In point of fact, none of us knew until the raids were over and done with and the defendants went to trial.

That somebody - anybody - in the Fediverse would talk about their professional life and affiliations in any way flies in the face of how law enforcement agencies actually do stuff.

It also shows a profound lack of knowledge of what "information security professional" actually means. It's not code for "mercenary black hat h4x0r," it means that in our day jobs we do information security work. Sometimes it's red team, which many want to think it is. Usually it's blue team, which is not sexy, boring, or counterculture. But, we do it for a reason, which is we want to try to make life in the twenty-first century a little safer. Nobody ever counts the data breaches that don't happen, and that's because we work our asses off to keep them from happening. We read logs, run honeypots, complain on internal IRC servers, and yes, deal with professional organizations, the origins of some tend to make people act without thinking or even doing a Google search.

When you do incident response, you sometimes have to deal with law enforcement. There are times that, regardless of the severity the feds have to be called in, and you have to work with them. And sometimes, really bad things happen and the feds get called in because it's "holy fuck" bad. Like most of the botnets of the last five years.

Those of you who espouse organization and collective action are acting exactly the same way as groups that ostracize and accuse members who actually practice operational and information security, keep tabs on threats and collect intelligence of that which you are organizing against. And ignore their warnings.

Love is the Law, Love under Will.

Pinned toot

Do what thou Wilt shall be the whole of the Law.

Another bit of hacker history for you, if you didn't live through it:

Remember the Morris worm of 2 November 1988?

en.wikipedia.org/wiki/Morris_w

The one that helped inspire one of the movies hackers love to hate, _Hackers_?

The Morris worm used a couple of exploitation techniques that we consider largely obsolete these days, namely, buffer overflows and stack corruption for remote code execution. In 1988.

In 1988, hacking was pretty much "guess lots of passwords until you get lucky." That's it. That's what we had.

rtm (Robert Tappan Morris, Jr.) was writing RCE exploits in 1988. In comparison, _Smashing the Stack for Fun and Profit_ by Aleph1 (www-inst.eecs.berkeley.edu/~cs) was published in Phrack issue 49 (8 November 1996). Think about that for a moment. He was about seven years ahead of the state of the art for the hacker community.

RTM's father, Robert Morris senior, worked for NSA between 1985 and 1994. He helped write some of the security standards that we take for granted these days, whether or not we realize that they were published in the Rainbow Books. He was also a Chief Scientist while at NSA.

There is an excellent chance (more likely a certainty) that most of the exploitation techniques that the hacker community takes for granted were discovered, perfected, and weaponized years before they were effectively rediscovered by the underground (or the professional infosec community). rtm certainly knew about some of those techniques, though exactly how remains a matter of speculation.

Are you okay with that state of affairs?

Love is the Law, Love under Will.

The Doctor boosted

This image from CNN looks like Clinton, W, and Obama are about to drop their first album.

I really really want to listen to this album.

The Doctor boosted

I was talking to Danielle about old friends, wondering out loud what they're doing and where they're at. one of the friends went by the name "yonderboy" and, when I spoke his name, his handle, out loud I had an epiphany. we, us older cyber citizens, the early settlers of the big-I-Internet are a kind of rhyme to the hippies of the 60s. they thought outside the box, they disbehaved and freaked the squares, and they carried with them new names. Flower Child. Moon River.

We carry new names with us. Mendax. Count Zero.

It's telling when you try to set up FreePBX, and everybody and their backup just downloaded the Raspbian respin. And the devs recommend it, too.

Got the batphone's ATA online (finally). I had to force a factory reset of the OpenWRT router I was using as a wireless bridge to turn it back into a NATting router, only the wireless NIC is the WAN and eth0 is the LAN interface.

Now the ATA is online but the phone has no dialtone. I know what that's from, it's a NAT issue. So I just have to poke a couple of holes in the OpenWRT bridge's firewall.

The Doctor boosted

OK, so if you need to reinstall #EliteDangerous on #Linux, the trick is to run the wine uninstaller and remove mono first, *then* do the usual protontricks crap.

The Doctor boosted

remember meeting irl? like bringing printouts of your best posts along to a date? I just miss that, yknow

TFW you're out of power outlets on your one power strip, and you'd have to rip a bookcase out of the wall to get access to the nearest outlet.

Tried to watch _The Highwayman_, which I haven't seen since I was little.

Nah.

The Doctor boosted

homophobia / generational assumptions 

Talking to a grandfather in my church. Last year he took his granddaughter to her church while her family was out of town and heard a horribly homophobic sermon. And so he had to sit down with her and then with her parents and discuss how vile and unloving this sermon was and the arguments against biblical homophobia.

Beliefs the young will save us ignore that sometimes it’s the elders who teach them.

The Doctor boosted

alias yeet="sudo apt remove"
alias yoink="sudo apt install"

The Doctor boosted

Less than $2000 left! I'd also love for us to breach the goal, and shoot past it, because she's still not going to make enough money every month. I know we can do it!

TL;DR: Disabled Native American has less than 30 days to pay back US Govt Disability for having earned “too much money” to collect disability (but not enough to live on).

$4 and a share on your socials will save her life.

gofundme.com/f/erasing-the-num

Welp, exposing Huginn's database over Nebula did not go well.

Used Homer (github.com/bastienwirtz/homer) to put together a cute little startpage for Windbringer, served over the loopback interface with lighttpd.

My only real complaint is that I'm not really able to add snowstorm.js to the HTML page. Or at least, not yet. I'll have to de-uglify the index.html page and add it at the bottom.

The Doctor boosted

Starting ISP 

I do not plan to start my own ISP, but hypothetically if I wanted to in a rural area, how would one do that?

Where do you run fiber from? I understand you can off existing infrastructure?

Just curious how one would do this.

Fixed a couple of things. Or tried to.

Took apart my "start World War III" USB hub to figure out why the LED doesn't light up, or make any noise when you push the big red button. All of the switches work. All of the interconnections inside work. I replaced the LED. Maybe the FX chip is dead (though it still works as an unpowered USB hub).

Tried to flash the firmware on my oscilloscope. It requires, among other things, soldering two jumper pads on the back so the microcontroller will power up and go into boot loader mode (and not firmware mode).

As it turns out, the bootloader this particular microcontroller has does not do serial very well. My TTL-to-USB interface is properly detected but the o-scope doesn't care. I can't even ping it.

Did some research, and found out that just about everybody who ran into the "Failed to init device" problem had to try two or three other interfaces before they found one that worked. I guess buying a cheap-ass TTL-to-USB unit from China was not a good idea. Or maybe I didn't get the right cheap-ass TTL-to-USB interface. I don't know.

Thinking I'm going to tinker with making Windbringer a proper startpage to organize my most often used links. Not sure if I'm going to go with a packaged startpage or tinkertoy together my own with existing stuff.

The Doctor boosted
love having things shipped from the usa
you have the choice between "yolo post" cheap and everything else costing an arm
hackers.town

A bunch of technomancers in the fediverse. Keep it fairly clean please. This arcology is for all who wash up upon its digital shore.