I'd like to apologize to the /d/OpSec community and /u/wintermute
by /u/StarScream999 • 2 days ago* in /d/OpSec
Hi,
I'd like to come here and just say my piece, apologize and leave it at that. I ask you please not to cut me to shreds for my past mistakes. I've gotten plenty of that already. We've all made mistakes, and I believe everyone should deserve second chances. This is not a fake apology to save face.
There are many opinions on various topics, and we all have our own opinions about what is best. I have a setup I personally feel is secure. I've been using the internet since probably quite a few of you were born, but I'm not trying to brag, but trust me that I've seen just about every type of security vulnerability and I'm honestly not exaggerating or trying to brag, but, once you get to be my age, you will have seen a lot too.
I have my own way of doing my own personal security, and from now on I will try to refrain from sharing that in most circumstances. I do understand that a lot of people on here are EXTREMELY concerned about their PC's absolute and total security, with absolutely no possibility for holes or leaks and using practices that I may not be familiar with and I guess I didn't fully appreciate that.
However, I want to clear up three misconceptions that are being addressed at me constantly.
1) Misconception 1 - I advised users to turn ON JavaScript permanently. I ABSOLUTELY never did or said that. Here is what the situation was:
A user said he was trying to access a service on a Google Maps website and I told him he had two options, he could either turn on JavaScript, access the website, then close that website and turn JS back off. I told him he could either do that or use a clearnet browser. I see now that that was a mistake on my part and I should not have advised someone to turn on JS (plus, btw, have you ever tried turning on JS in Dread? You can barely click a link without being bombarded with error messages that you have JS turned on).
I should have told him to copy the URL, paste it under his Signal "Notes to Myself" section, and then he could visit it when he was out of TAILS/TOR/whatever and visited it in a clearnet browser (which I would hope most people here have all the privacy/security/spoofing extensions, and hopefully using a VPN running and thus be free of being tracked). Then he could open Signal for desktop in his OS and copy and paste the URL. Or some other secure method to save the URL, of his choosing.
If you would like me to post a list of the extensions and modifications I use to my clearnet browser, I would be happy to post my list of the extensions I use for my own personal security and I think no one will have any qualms about my setup (except my choice of browser, maybe). If you are a Chromium browser fan these extensions would be of interest to you - and there are always Firefox alternatives, and IF you are a Firefox user, in which case, use /u/just_no's Firefox hardening guide.
/post/245daa5d5c95ce1d1e10
[1/5]
2) Misconception 2: My Opposition to TOR Browser's Letterboxing feature - I want to address the rumor that I told people to turn off the blocks/bars (aka Letterboxing) on the side of their browsers. Although I personally am not in agreement with TOR Project's implementation of this plan, I respect that many people would want to use it. I hold out hope someone can develop an extension that will send spoofed browser screen dimension data to the server on the other end via spoofed metadata. You can spoof just about all the other metadata your browser sends, why not this? And I have confirmed it can be done, but I haven't found anyone who has made such an extension yet, but am looking into it and will see what I can find.
All I did was ask a question about it and then posted where in the about:config it was found. I NEVER advocated anyone shut it off, just posted where it was found if anyone else did not want to use this feature. Not to mention, I am personally visually impaired and so I could not read the screen with the letterboxing on. By all means, I advocate everyone leave this feature on as it could have an extremely slight chance to be a future possible risk factor for fingerprinting your browser. I never want to construe what I'm saying on here is 100% BULLETPROOF ADVICE. These are just my thoughts, ideas, and suggestions. If I had a signature, I would write that in there.
Also on the issue of "open source" being better. Have you, yourself personally ever gone through an open source project and reviewed the code for bugs, added/removed code from it, or made any thorough examination of the code base for this software? I very much doubt that there are many out there that have OR EVEN CAN read the programming languages these open source software projects use. I know I can't. If you have, big shout out for looking out for the community. So, just like we have to have faith Microsoft isn't lying about Bitlocker, you are still putting faith on a group of other people that they are competent and are reviewing open source software capably and competently, not accidentally sticking bugs in it, not breaking it, not leaving exploitable holes in it, etc.
TOR Letterboxing: https://support.torproject.org/tbb/maximized-torbrowser-window/
[2/5]
3) Misconceptions/Opinions on Bitlocker
A lot of people are very untrusting of software that is closed source and I can understand that. I wish all software in the World was open source. Unfortunately, there is simply always going to be proprietary software that we have to use for various features, whether it be casual, or for business purposes, or etc.
In ANY post I mentioned Bitlocker, I ALWAYS also mentioned VeraCrypt as a secondary option. We all have different PC setups and sometimes have to do with what we're limited to using.
I do believe Bitlocker is safe for an average user. Bitlocker has been 3rd party verified numerous times and uses XTS-AES 256bit encryption. Millions of personal users and major Fortune 500 companies use Microsoft software and use Bitlocker to make sure their data stays secure from corporate espionage and other threats. They have IT departments that secure all the backend, and for me, I am my own IT administrator. And I sincerely believe I have plugged all the holes that Microsoft leaks back to its servers with tools such as O&O ShutUp, and many other utilities and gone through the registry for hours and configuration deep inside Windows to make sure I'm secure. I have a packet monitor that I watch all traffic coming and going at the time.
Did the FBI Lean On Microsoft for Access to Its Encryption Software?
How the feds asked Microsoft to backdoor BitLocker, their full-disk encryption tool
Can a physical attacker compromise a Windows machine with UEFI, secure boot and bitlocker?
If Bitlocker had a back door in it, SURELY someone would have found it by now and Microsoft's reputation as a trustworthy company would be completely ruined.
Having said all that, if you believe Microsoft/Bitlocker/Apple/whoever have been compromised by a 3 letter agency please make a separate thread if you want to discuss that. I personally feel confident Bitlocker is secure, regardless of the fact that it is closed source.
So, from this point on, I will no longer be recommending Bitlocker to users and instead be recommending either VeraCrypt and possibly CipherShed (which I just learned about and is another fork from TrueCrypt, which is what VeraCrypt is.)
O&O ShutUp: https://www.oo-software.com/en/shutup
Did the FBI Lean On Microsoft for Access to Its Encryption Software?: https://bitbin.it/HS3qFIpn/
How the feds asked Microsoft to backdoor BitLocker, their full-disk encryption tool?: https://boingboing.net/2013/09/11/how-the-feds-asked-microsoft-t.html
Can a physical attacker compromise a Windows machine with UEFI, secure boot and bitlocker?: https://security.stackexchange.com/questions/73331/can-a-physical-attacker-compromise-a-windows-machine-with-uefi-secure-boot-and
VeraCrypt: https://veracrypt.fr/en/Downloads.html
CipherShed: https://www.ciphershed.org/trust/
[3/5]
/u/StarScream999 0 points
2 days ago*
These are the three most common complaints I get. I too get a lot of flak for saying Wickr is probably safe in my thread that was meant to be a debate with some hopefully other well versed users on the subject discuss their opinions. But I spent about 5-6 hours going over ALL the publicly available data on Wickr, as well as two studies (there's a third, I'll have to check if it's out yet)
I STRONGLY ENCOURAGE you to read the thread before you just jump to a speculative conclusion that's either based on your opinion or has no sources/references/peer reviewed studies that back up your assertions. But again, if you feel Wickr has been compromised please start another thread about that or post about it in my thread.
Secondly, I want to apologize to /u/wintermute. I've been using Adderall lately, and after discussing it with /u/martinatchet, we came to the conclusion there's a high likelihood it's meth. I've decided I'm going to titrate the dosage and get off it as it doesn't seem to be a good combo for me (and dextro amphetamine or much milder and euphoric inducing compounds are what I'm looking for), not the drug the Nazis used (Pervitin) to barbarically overrun Europe in a matter of months and weeks. I'm not in a war. I'm just on an internet forum.
Now, I don't want to use that as an excuse for my behavior, but it did make me much more aggressive and angry than I should have normally been. I don't expect you to forgive me, and you don't have to. But, I just want to say I'm sorry I said those very rude, crude and insulting things to you. I really feel like such an idiot for it looking back in retrospect. I'm disappointed I won't be able to moderate CafeDread, but I can live with that.
[4/5]
So, I repent on the Holy DMN Bible. I hope some of you are able to forgive me, but I realize there are some people out there who will hate me no matter what I say.
But, I will try and stop posting as much in this subdread, read more instead of answering questions, and thoroughly research TOR OpSec more.
What I would REALLY love to get back to is my thread "Guide to Cleaning House/Prepping for a Possible Raid (Hypothetical/Looking for Feedback)" as I think this already has a lot of good information, it just needs to be complete.
/post/b628eb9a9b4e1779d2fa
This is nothing to do with computer security (per se although we might dive into HDD wiping/encryption), but is specifically about the legal aspect of OpSec. I was looking for feedback/advice and suggestions for the best way to clean house and make it an all inclusive quick read for those people who might have just gotten word that they might be being investigated by LEA, a very quick guide put together with all the relevant information they should do to make their house safe if they are worried about the jack booted LE kicking in their doors over a few pills or some weed.
I'm looking for people that have experienced controlled deliveries, as well as the best way to clean house or hide your stash.
So, once again, my sincerest apologies especially to /u/wintermute, who I was a complete asshole to and he did not deserve all the abuse I sent his way. I was wrong and just did not see it. Like many of you who are on the dark net to purchase drugs, you probably have a mental illness and are struggling to self medicate to ease the daily pain of mental illness. I, myself, am mentally ill as well, suffering from anxiety and co-morbid depression. Again, I'm not trying to use that as an excuse, but I just want to put that out there as you judge how to respond to this thread. I'm sure there will be plenty of abuse thrown my way.
-SS
[5/5]
So, what was Wintermute's response?
/u/wintermute M 1 points
1 day ago*
I couldn't agree more.
This whole "apology" is just another show and I don't see any reason to make a public drama out of it instead of just telling me via PM. The only reason this post exists is so he can refer to it later.
Don't feed the troll.