* Posts by NonSSL-Login

385 publicly visible posts • joined 13 Nov 2015


Twitter tries to lure brands back with spend-matching scheme


Clinical echo bubbles

Letting advertisers dictate what can be posted and what can't be posted on social media platforms can only harm free speech imo.

Reddit has lost a lot of users simply because of huge over-moderating and deletion of perfectly normal posts that one person might have reported because they are a snowflake, and instead of a mod looking at the post it now seems to get auto-deleted on report.

Normies forever complaining about every post on every platform, because they have nothing better to do, is creating sterile echo bubbles where no one wants to share an opposing opinion because of downvotes, the chance of account banning due to spurious reports etc.

At least we always have IRC to fall back on for free speech and opinion sharing, because most normies can't figure that one out and even if they could, there is no one to complain to.

UK Supreme Court snubs Assange anti-extradition bid


He probably thought he would be more likely to end up in the US if he got airborne anywhere.

Look at how the US diverted the Bolivian president's plane with political pressure when they thought Snowden was on it.

He was right not to trust the US, which would use dirty tricks to get him, but whether he was right overall in the path he took the last few years will be subject to debate once things pan out for him in the next couple of years...

US to attack cyber criminals first, ask questions later – if it protects victims


The same US...

....that will only use its expansive surveillance net for catching terrorists?

The same one which hasn't stopped a major attack with all its bulk collection, but one might argue it has been used for business espionage and other such financial and political gains?

Yeah, allowing them to pro-actively attack 'criminals' is a great idea going by their track record...said no one.

For those worried about Microsoft's Pluton TPM chip: Lenovo won't even switch it on by default in latest ThinkPads



should Microsoft & Trusted be put in the same sentence.

Besides, their integration with the NSA is so strong now you never know if it's Microsoft or the NSA adding that nice new feature which happens to give them more info or attack vectors.

UK intel chief says MI6 must outsource innovation – and James Bond's in-house 'Q' is nonsense


Re: Does Dominic Cummings

He had a white Labrador and a white stick while walking around Barnard castle if that counts

China's hypersonic glider didn't just orbit Earth, it 'fired a missile' while at Mach 5


The USA put most of its eggs and budget into spying on everyone's internet and cyber warfare, and probably will continue to do so because of the economic advantages industrial espionage gives its businesses and keeping the rich wealthy.

Rather than divert funds they will ask for more to power a new arm of the industrial military complex.

China trying to export its Great Firewall and governance model


Words of war via groups wanting and doing the same things

Bit rich coming from a Five Eyes country, and I suspect they just published it as a proxy to hide the real source.

Between the NSA snooping on all citizens of not just one country but many, and the MPAA and RIAA censoring websites in many countries, one has to wonder who is learning from whom when it comes to the West and China.

If a Facebook or payment alternative came to be that was not under American control, they would fight tooth and nail to destroy it or take it over. China is no different.

China is not going to convince anyone attending this event to do anything they don't want to do. Everyone will push their own agendas and maybe politics will be used to try and force some co-operation.

Same shit, different day.

Data transfers between the EU and the US: Still unclear on what you're supposed to do? Here's an explainer


Blah blah blah

In the end I fully expect our UK politicians to sell us out to their American counterparts so ultimately they can do what they want with our data and we lose all the GDPR protections we got while part of the EU.

All the in between is mostly fluff. The outcome will be the same no matter what our input is or how much of it there is. /Cynic

Anonymous: We've leaked disk images stolen from far-right-friendly web host Epik


Re: anon who?

Trying to control an organised mess is like trying to keep hold of a cat covered in baby oil


Re: anon who?

I am not sure if this is an oxymoron or not but... Anons are a collective of individuals and individual groups

The way to think about it is anyone can call themselves Anonymous xyz and release/hack something and attribute it to Anonymous or a subset of it.

While there was a core anonymous community and some hacker groups affiliated with the core community, the idea was to not have a leader or core group which could be targeted while letting the name and idea spread far and wide

UK MoD data strategy calls for social media surveillance on behalf of 'local authorities'


Mass surveillance

Give us ALL the data ALL the time. We will work out what to do with it later...

1984 was a warning, not a guide.

IKEA: Cameras were hidden in the ceiling above warehouse toilets for 'health and safety'


Re: Excuses, excuses

Maybe it's to see who comes out of the toilet and into the corridor a lot perkier and with chest puffed out more than on the way in to the toilets...

Ex-DJI veep: There was no drone at Gatwick during 2018's hysterical shutdown


Almost impossible to spot, except....for their clearly visible and known MAC addresses, which make them stand out like a sore thumb if you are looking for them in signals of any frequency.

Commercial drone scanners do exactly that on the usual frequencies, and the police or the army used something like that at the time and found sod all. That's when they started going on about it being a complicated attack, as they assumed the 'drone' either had a pre-programmed path so no radio signal, or it had been modified by an 'expert' to run on a different frequency which 2.4GHz scanners could not see.

Ransomware-hit law firm secures High Court judgment against unknown criminals


Re: Actually

That may be the case but....all that will happen is the hackers will post the data publicly as a result of the court action, which shows that this company does not intend to pay.

We can argue that might have happened without the court case anyway, so this company is one up, but what are they going to achieve by punishing the one person they may catch with the data further down the line, of the hundreds, if not thousands, who will have their hands on it?

Proton welcomes Sir Tim Berners-Lee to its advisory board – as ProtonMail suffers a privacy backlash


Re: SUS!

Yes, they could potentially change the code they serve up, but it only takes one whistleblower to say that happened for the whole company to be destroyed.

Mega had the right idea with a browser extension with the code in it, so if used, you would not be vulnerable to a server-side code change. ProtonMail should offer something similar.

Any company could be taken over and covertly run like the Germans and US did with Crypto AG. I'm not sure what your point is. With pretty much any external service you are putting your trust in the company not to do bad stuff with your data. If you use Gmail or Hotmail it's guaranteed your emails are passed along and accessible to the Five or Fourteen Eyes.


Re: SUS!

All the decoding is done locally in the browser if you use ProtonMail webmail.

Depending on when your account was created, there is a separate mailbox unlock password to decode the encrypted blob sent to your browser after you use your login password. From what I understand they made it a single password more recently for new users, so I assume the login password gets re-used to unlock the content too. Old users like myself still have 2 different passwords, one to log in and one to decode the mailbox.

It will be interesting to hear if that change enabled more surveillance or not. Maybe Tim can look into that for us!

The gist I got from the articles is they started logging for that account when asked to by the court order, rather than giving out previously logged information. But it's hard to trust the media's accuracy when reporting precise details of things these days, so I guess we will get clarification eventually but remain unsure for now.
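The two-password model described in the post above, as an added example that is not ProtonMail's code and not part of the original comment. It models the split the commenter describes: the login password yields an auth key that goes to the server, the mailbox password yields a key that only ever exists in the client, and the server holds nothing that decrypts the blob. Passing the same string for both passwords gives the single-password mode for newer accounts; the purpose labels keep the two derived keys unrelated. The PBKDF2 iteration count, the fixed salt, and the HMAC-counter-mode cipher standing in for a real AEAD are all assumptions for the example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000                  # PBKDF2 work factor (assumed, not ProtonMail's parameter)
SALT = b"constructed-per-user-salt"   # would be random per account in practice


def derive_key(password: str, salt: bytes, purpose: bytes) -> bytes:
    """32-byte key bound to a purpose label, so the login key and the mailbox key
    are unrelated even when one password is used for both (single-password mode)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt + purpose, ITERATIONS, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for a real AEAD such as AES-GCM.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(mailbox_key: bytes):
    # Separate encryption and MAC keys derived from the mailbox key.
    return (hmac.new(mailbox_key, b"enc", hashlib.sha256).digest(),
            hmac.new(mailbox_key, b"mac", hashlib.sha256).digest())


def encrypt_blob(mailbox_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; layout nonce || ciphertext || tag. Runs in the client only."""
    enc_key, mac_key = _subkeys(mailbox_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(mailbox_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; wrong key and tampering look the same."""
    enc_key, mac_key = _subkeys(mailbox_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong mailbox key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Stores only a verifier of the login key plus the opaque encrypted mailbox."""

    def __init__(self):
        self.verifier = None
        self.blob = None

    def register(self, auth_key: bytes, blob: bytes) -> None:
        self.verifier = hashlib.sha256(auth_key).digest()
        self.blob = blob

    def login(self, auth_key: bytes) -> bool:
        return hmac.compare_digest(self.verifier, hashlib.sha256(auth_key).digest())


def run_flow(login_pw: str, mailbox_pw: str, message: bytes):
    """Client side of the two-password model. Returns (server, recovered plaintext).
    Pass the same string twice for the single-password mode: both keys then come
    from one password but remain distinct because of the purpose labels."""
    auth_key = derive_key(login_pw, SALT, b"login")          # leaves the client
    mailbox_key = derive_key(mailbox_pw, SALT, b"mailbox")   # never leaves the client
    server = Server()
    server.register(auth_key, encrypt_blob(mailbox_key, message))
    assert server.login(auth_key)
    return server, decrypt_blob(mailbox_key, server.blob)


def server_can_read(server: Server) -> bool:
    """What the server could do with only what it holds: try its verifier as the key."""
    try:
        decrypt_blob(server.verifier, server.blob)
        return True
    except ValueError:
        return False
```

The point the model makes concrete is that the thing the server stores for authentication (a hash of the login key) is not the decryption key and cannot be turned into it; the separation survives the move to a single password as long as the two derivations use different labels. It says nothing about the other risk the thread raises, a server that ships modified JavaScript, because that code runs in the client and can simply copy the mailbox key out.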

LA cops told to harvest social media handles from people they stop, suspect or not


Re: Nothing they can do about it.

Is the list similar to the list of organisations who can view any Brit's (except us VPN users) past years of internet website visiting history?

* Metropolitan police force

* City of London police force (Dummy corporate police IMO)

* Police forces maintained under section 2 of the Police Act 1996

* Police Service of Scotland

* Police Service of Northern Ireland

* British Transport Police

* Ministry of Defence Police

* Royal Navy Police

* Royal Military Police

* Royal Air Force Police

* Security Service

* Secret Intelligence Service


* Ministry of Defence

* Department of Health

* Home Office

* Ministry of Justice

* National Crime Agency

* HM Revenue & Customs

* Department for Transport

* Department for Work and Pensions

* NHS trusts and foundation trusts in England that provide ambulance services

* Common Services Agency for the Scottish Health Service

* Competition and Markets Authority

* Criminal Cases Review Commission

* Department for Communities in Northern Ireland

* Department for the Economy in Northern Ireland

* Department of Justice in Northern Ireland

* Financial Conduct Authority

* Fire and rescue authorities under the Fire and Rescue Services Act 2004

* Food Standards Agency

* Food Standards Scotland

* Gambling Commission

* Gangmasters and Labour Abuse Authority

* Health and Safety Executive

* Independent Police Complaints Commissioner

* Information Commissioner

* NHS Business Services Authority

* Northern Ireland Ambulance Service Health and Social Care Trust

* Northern Ireland Fire and Rescue Service Board

* Northern Ireland Health and Social Care Regional Business Services Organisation

* Office of Communications

* Office of the Police Ombudsman for Northern Ireland

* Police Investigations and Review Commissioner

* Scottish Ambulance Service Board

* Scottish Criminal Cases Review Commission

* Serious Fraud Office

* Welsh Ambulance Services National Health Service Trust

Hole blasted in Guntrader: UK firearms sales website's CRM database breached, 111,000 users' info spilled online


Re: An iframe? Really?

I wondered if there was an iframe on their site that took content from another site and the other site was hacked and the code put in there, so it was executed as if on the same domain.

Or it was an RFI and a message was sent to the admin that did something similar.


Re: Solution

Outsourced to Crapita...


Re: Why bother with plasma cutters?

"Horse Battery Staple"

Now that is a different party altogether!


Re: Why bother with plasma cutters?

Cable tie cock ring and a baseball bat....kinky!


Re: Guntrader is roughly similar to Gumtree

Ridiculous copyright and trademark laws mean you will probably get a higher fine and jail time for using that name than you would for selling stolen guns on there *

* For joke purposes, I don't think stolen items were sold on this gun site or Gum.....oh wait a minute, I'll get my hat

We can't believe people use browsers to manage their passwords, says maker of password management tools


Re: We can't believe people use browsers to manage their passwords

There is exploitation in the context and memory of the browser and there's sandbox-breaking RCE.

In theory it's easier to grab stuff the browser has access to, like cookies and passwords, from a drive-by exploit than full access, which gives you access to memory and files outside of that context.

If you are fully compromised then the passwords can be grabbed from anywhere. Password managers' weak spots are the unencrypted passwords in memory and, despite a few tricks some employ, it's trivial to read them once unlocked. If the password manager isn't active though, there is a small chance of anyone cracking the dormant database of some of these that use decent passwords. You have to wait until it's used.

I have not used the browser to save most passwords since I first used a tool to extract passwords from most browsers some 20 years ago. Then there were other browser exploits to do the same, and BeEF (beefproject) and some of that stuff is enough to frighten you away from saving passwords and cookies past each session.

The advice I never see given is to use different emails as well as different passwords. Use a different email address for your bank and finance stuff than you do for other things. Even if you use the same password, credential stuffing is not such an issue. Not that I recommend using the same password, except on all the genuinely unimportant sites that can't be used to gain more info or social engineer info out of others.

As for 2FA....it depends on the 2FA (SMS is not secure) and where you saved your seed for your code generation. Use it on important things but handle the backups of codes carefully.....

Stating the obvious and leaving out a lot of the obvious.


Re: Training

I wonder how many large companies had cybersecurity training in mind during the last 12 covid months, other than wanting to secure their VPNs and gateways.

When you hear any reports with 'the last 12 months' in it you have to factor in our dear friend covid.


Re: Mixed model

Joking aside, password.txt is generally a lot safer than keeping them stored in your browser!

International law enforcement op nukes Russian-language DoubleVPN service allegedly favoured by cybercriminals


Security services don't like data holes in their mass surveillance machine

Always wondered if the double/triple VPN tunnels caused issues for the Five Eyes system, and this action seems to verify it.

While the Five Eyes' spliced optical cables can hoover up all the data and store it for a few months at least, they can't easily automate and link the traffic of tunnels inside tunnels. So instead they took down a service that didn't have an obvious way to link data, unlike some double-hop providers where if you go in at one IP you always come out at a known IP related to the joining node.

So have your router with WireGuard connected to one VPN or your own server, then have another machine on your network used as a gateway before the router, with OpenVPN to another provider. Add a third layer with yet another OpenVPN or WireGuard provider with your own machine/virtual machines, and even throw Tor into the equation if you want.

It just means that someone will have to try hard to descramble it all manually, which they will only do in extreme cases, which most average Joes having all their data logged are not. If they really want someone let them waste a 0day exploit on them rather than bulk logging everyone's data. Make it hard for them.

Would-be password-killer FIDO Alliance aims to boost uptake with new UX guidelines


Lost Devices

Losing a device and thus access seems to be a major concern for many.

Despite the insecurities, with a phone and SMS 2FA you can lose your phone, get a new one and still have the same number to receive a token and continue to log in to your accounts.

Lose a USB 2FA key and you are unable to log in, is the general thought. Similar to OTP generators when losing/changing phones; I guess you can save a seed somewhere but most people are not sure so don't risk it.

People need to know the info and not in market speak.

FBI paid renegade developer $180k for backdoored AN0M chat app that brought down drug underworld


Cat and mouse game

"Operation Trojan Shield has shattered any confidence the criminals may have in the use of hardened encrypted devices," Grossman concluded.

What will happen is that in future some richer criminals will pay to have the phones pentested before they put faith into them. Simply seeing traffic going to a few different IP addresses, and the amount of data being similar to or more than any message or image sent, would have set off alarm bells in this case.

Remember Anonymous? It/they might be back, and it/they are angry with Elon Musk


Anyone can be anonymous

It's not from one of the core Anonymous groups and likely one person. Seems kinda obvious if you know their stuff.

If anyone other than an individual was involved they would have told him to make it less drivel and more concise.

Normally the hacks have been done already before a video is made, and you get the idea this guy doesn't know about SQL injections, let alone a buffer overflow. Not that a PR spokesman needs to have those skills, but in the past they did...

Anyone can be anonymous, that is how the group was made. Anyone who hacks something or protests can attribute it to the name/cause and keep the movement going so to speak. But there was/is a core group which is mostly quiet and I am sure a few will splinter to be in the limelight again when the hackers get a good target and making money from ransomware dies off...

GCHQ boss warns China can rewrite 'the global operating system' in its own authoritarian image


Re: Global operating system

In this particular topic one assumes Global operating system = Communication networks.

If you don't want to use Chinese or Russian hardware in your telephone and internet structure then you have to make your own equipment. Same with China and Russia if they want to get western technology out of theirs.

The problem is we can't trust our own UK or US government to do the right thing when creating our own equipment, as they are hellbent on creating backdoors and breaking the security, so it's not much better than accepting the superior Chinese 5G hardware, for example.

He talks about "industry standards" and it's those standards both GCHQ and the NSA like to infiltrate and sway to a point where they are insecure and not fit for purpose. Until they get off their mass surveillance horse I don't see how they can complain about foreign gear.

Bank of England ponders minting 'Britcoin' to sit alongside the Pound


Re: Shitcoin.....

I don't want to put a label on any crypto as being for criminals, but Monero/XMR is preferable over Bitcoin because of its anonymous nature.

Bitcoin is just better known among the public and easier to buy, which is probably why it's used in ransomware etc, but I wouldn't be surprised if it gets changed into XMR, moved around a bit and then even possibly converted back to Bitcoin or another coin later.


I think the only use for it would be similar to the USDT coin or whatever it is, which crypto exchanges have more as a coin that reflects the price of the USD, so it can be used as a trading pair or to move your assets out of volatile crypto to a more stable fiat-based crypto.

It allows crypto exchanges that don't deal with any fiat (you cannot put money in or out, only move crypto in and out of the exchange) to have a safe space. Probably more regulation and Big Sam looking over you if you have real money wallets, although I'm not 100% on that.


The world desperately needs to get away from the US control of payment systems such as Visa, Paypal etc. Too much control of money under the influence of sometimes just one person/country.


Re: And may they experience the same hell the rest of us

The blockchain is a decentralised public ledger/database of information which cannot be deleted, leaving a public verified log of every transaction between bitcoin addresses/wallets.

Additions can be made that show the movement of coins between one address and another, which is how it is known how much is in each wallet.

Only those with the keys to a wallet can initiate a move of bitcoin between wallets, which other machines connected to the blockchain verify with crypto/maths, and after so many write to the blockchain to confirm, it's written as a done deal.

It's useful because it's distributed, a standard, and not modifiable. Banks and services have lots of internal and unique ways of doing things with different charges, especially between banks, so the fact this is a standard and cheaper than most other setups is good for them, as well as not being editable. It's possible for a bank's system to be hacked and a bank balance edited. While there are checks and balances, it can still be done by IT administrators among others. With a blockchain they cannot edit this value. They can only move digits from one place to another, leaving a trail.

For banks it can create standards and lower costs, while also giving them more ways to play with making money, as well as being able to do everything they can already do with it. Not necessarily a good thing where banks are involved.

It can be used as a way to prove ownership of items such as art or even cargo containers. If two copies of an expensive painting turn up, in the future it will be the person who can prove they have ownership of the painting because they still maintain ownership of its certificate on the blockchain.

Movement of shipping and signing off ownership can all be done on a distributed blockchain that all companies can see, and they can build their systems to read the blockchain as a central database.

As to whether Bitcoin or CoinX is needed, as well as the different blockchains, over some other standard un-editable shared database.....I don't think we can trust any bank or organisation to come up with a standard without everyone else trying to make their own standard too. It's like asking the media companies to get involved with the nice and easy and cheap standard Netflix, then them all deciding there is more profit in making their own Disney+, Amazon Prime/whatever streaming service, giving us a fragmented, more costly market that's not connected.
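The three properties the comment above lists (only the key holder can move funds, every node re-verifies, and a past entry cannot be edited without leaving evidence) fit in a small model, given here as an added example that is not Bitcoin's code and not part of the original comment. Each block commits to the hash of the one before it, balances are never stored but replayed from the history, and a transfer is accepted only if its signature verifies against a key whose hash is the sending address and the replayed balance covers it. Signatures are Lamport one-time signatures so the whole thing runs on the standard library; that, the address format, the genesis allocation and the "one key pair per spend" rule are assumptions of the toy, not properties of any real chain.

```python
import hashlib
import json
import os


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


# Lamport one-time signature: 256 pairs of random secrets, public key is their hashes.
# Each key pair must sign exactly once; a fresh pair per spend is assumed here.
def keygen():
    secret = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    public = [(H(a), H(b)) for a, b in secret]
    return secret, public


def _bits(msg: bytes):
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]


def sign(secret, msg: bytes):
    return [secret[i][b].hex() for i, b in enumerate(_bits(msg))]


def verify(public, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(
        H(bytes.fromhex(s)) == public[i][b] for i, (b, s) in enumerate(zip(_bits(msg), sig)))


def address(public) -> str:
    """Address = hash of the public key, so a transfer can carry the key and prove it."""
    return H(b"".join(a + b for a, b in public)).hex()[:20]


def encode_public(public):
    return [a.hex() + b.hex() for a, b in public]


def decode_public(enc):
    return [(bytes.fromhex(s[:64]), bytes.fromhex(s[64:])) for s in enc]


def tx_message(tx) -> bytes:
    return json.dumps({k: tx[k] for k in ("from", "to", "amount", "seq")}, sort_keys=True).encode()


def make_transfer(secret, public, receiver: str, amount: int, seq: int) -> dict:
    """Wallet side: build and sign a transfer. Only the secret holder can do this."""
    tx = {"from": address(public), "to": receiver, "amount": amount, "seq": seq,
          "pub": encode_public(public)}
    tx["sig"] = sign(secret, tx_message(tx))
    return tx


class Ledger:
    """Append-only hash chain. Nothing stores a balance; it is always replayed."""

    def __init__(self, genesis: dict):
        self.blocks = []
        self._append({"genesis": genesis})   # initial allocation (assumed, stands in for issuance)

    @staticmethod
    def _hash(prev: str, payload: dict) -> str:
        return hashlib.sha256((prev + json.dumps(payload, sort_keys=True)).encode()).hexdigest()

    def _append(self, payload: dict) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        self.blocks.append({"prev": prev, "payload": payload, "hash": self._hash(prev, payload)})

    @classmethod
    def _replay(cls, blocks):
        """What every node does: walk from genesis, re-checking each link and each
        transfer against the balances so far. Returns balances, or None if anything fails."""
        balances, prev = {}, "0" * 64
        for i, blk in enumerate(blocks):
            p = blk["payload"]
            if blk["prev"] != prev or blk["hash"] != cls._hash(prev, p):
                return None                                  # an edited or spliced block
            if "genesis" in p:
                balances.update(p["genesis"])
            else:
                pub = decode_public(p["pub"])
                ok = (address(pub) == p["from"] and p["seq"] == i and p["amount"] > 0
                      and balances.get(p["from"], 0) >= p["amount"]
                      and verify(pub, tx_message(p), p["sig"]))
                if not ok:
                    return None
                balances[p["from"]] -= p["amount"]
                balances[p["to"]] = balances.get(p["to"], 0) + p["amount"]
            prev = blk["hash"]
        return balances

    def submit(self, tx: dict) -> bool:
        """Node side: accept the transfer only if the whole chain still replays cleanly."""
        self._append(tx)
        if self._replay(self.blocks) is None:
            self.blocks.pop()
            return False
        return True

    def balances(self):
        return self._replay(self.blocks)

    def verify_chain(self) -> bool:
        return self._replay(self.blocks) is not None


def demo() -> dict:
    alice_s, alice_p = keygen()
    bob_s, bob_p = keygen()
    alice, bob = address(alice_p), address(bob_p)
    ledger = Ledger({alice: 50})
    accepted = ledger.submit(make_transfer(alice_s, alice_p, bob, 30, seq=len(ledger.blocks)))
    overspend = ledger.submit(make_transfer(bob_s, bob_p, alice, 100, seq=len(ledger.blocks)))
    honest = ledger.balances()
    ledger.blocks[1]["payload"]["amount"] = 5   # an insider "edits" a past transfer in place
    return {"alice": alice, "bob": bob, "accepted": accepted, "overspend": overspend,
            "balances": honest, "intact_after_edit": ledger.verify_chain()}
```

The edit in `demo()` is the bank-administrator scenario from the comment: changing a number in an old record does not change anyone's balance, because balances come from replaying, and it changes that block's hash so the next block's `prev` no longer matches. The replay is also what makes the ledger a shared database other parties can build on, as the comment suggests for shipping: a reader needs only the blocks and the rules, not trust in whoever stored them.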

Signal app's Moxie says it's possible to sabotage Cellebrite's phone-probing tools with booby-trapped file


Re: On a more serious note...

If he doesn't, Cellebrite can never be sure they have closed all 'known' vulnerabilities in their software, which would keep their evidence in court questionable.

Ok, they will most likely start compiling with address randomising and stuff with the compiler and other features to make it more difficult to exploit, but it's slim they will find all the original bugs, especially when they have to parse so many different types of files.

I have a feeling the software will leak to a site like The Pirate Bay in the near future and some reverse engineering coders will have some fun if their phone ever gets confiscated at the border or by the police :D

United States' plan to beat China includes dominating tech standards groups – especially for 5G


Re: "Plan [...] includes dominating tech standards groups"

We already know what happens when the US influences tech standards groups....naff security that the NSA can abuse for mass surveillance.

No thanks to more of that.

Update on PHP source code compromise: User database leak suspected


Re: Legacy is always a problem

It can be costly to upgrade to Wife 2.0 depending on how long Wife one was in place.

Chrome 90 goes HTTPS by default while Firefox injects substitute scripts to foil tracking tech



Brave does upgrade connections to HTTPS automatically by default, and has done so for at least 6 months, despite being based on Chromium.

It also has an icon in the URL bar to turn off strict HTTPS for the current site you are on.

What annoyed me with Chrome a few years back is when they decided to hide the HTTP/HTTPS from the URL bar, so if you wanted to copy and paste a domain from the URL bar to, say, ping it, you also got the invisible HTTP/HTTPS, meaning you had to edit the paste every time.

Looking forward to more advances in browser anti-tracking, and also keeping an eye on Google's 'new privacy features' which will do nothing to increase my privacy.

Security pro's time-travelling Twitter bot suspended after posting download link for Adobe Acrobat for MS-DOS


Repeal Copyright Laws - Save Culture

Copyright laws are so overpowered that companies now just delete content and suspend accounts after emails from automated bots, even though they know a majority may be wrong, because they are scared of being sued under ridiculous copyright laws.

Copyright laws need to be brought back in line with how they were originally, not Disney's and Hollywood's life + 70 years or whatever monstrosity they lobbied for and got.

Culture is being lost and in some cases not created at all because of harsh copyright laws. Don't get me started on the anti-circumvention parts and Sony's HDCP stuff through its part in the HDMI standards organisation....

US newspaper's 'Biden will hack Russia' claim: A good way to reassure Putin you'll leave him alone



This announcement was not for Russia but propaganda for American citizens, to give the impression that anything Russia and China can do with hacking, America can do too. They are constantly hacking targets but have maybe slacked a little with choosing enough proper targets.

These days though, foreign governments seem to be ahead of the US with actual hacking. The US is too busy with mass surveillance and building backdoors into American products and worldwide standards that they often have the keys to begin with and don't even need to reverse engineer software to get their exploits.

But a good news article in news outlets that are happy to do the governments bidding can at least change public perception of the truth.

GitHub bug briefly gave valid authenticated session cookies to wrong users


Lies, damn lies and statistics

2020 stats have monthly active users of GitHub at 40 million. 0.001% is 400 users affected, unless I'm still half asleep and need more caffeine.

The PR department obviously thought 0.001% looked better than 400 users having full access to code they should not have access to.

Brave buys a search engine, promises no tracking, no profiling – and may even offer a paid-for, no-ad version



If it gives good search results, I'm there!

I use DuckDuckGo as my main search engine but have to use Google occasionally when DDG fails me. As much as I hate to admit it, Google still gives the best search results most of the time. If DDG just gets optimised more then I will never have to use the evil Google again, but for now it's an occasional necessary evil.

Bing I was never keen on, but I do love its bird's eye view maps, which are so much better than Google's satellite view, so that is my current map search engine.

I use Brave Browser (even if my User Agent might say something different....) and am happy to support them if the cost is small and reasonable.

Ease of switching and good results to keep those that switched is key for success here!

Revealed: The military radar system swiped from aerospace biz, leaked online by Clop ransomware gang


Too often

UK ISPs often send firmware updates to their routers. Sometimes a few times a week, when they get it wrong the first times.

Often around midnight to 2am they would update and reboot, causing a smart device in the bedroom to flash brightly to tell me it had no wifi access and causing some random wifi lights not to reconnect.

Removing ISPs' routers from the equation solves 99/100 problems.

1Password has none, KeePass has none... So why are there seven embedded trackers in the LastPass Android app?


Re: KeePass implementations

KeePassXC is great for linux and KeePassDX on android is a good pairing with it as both support v4 databases with the different encryption options which many other versions don't.

Uncle Sam accuses three suspected North Korean govt hackers of stealing $1.3bn+ from banks, crypto orgs


Re: Really?

The North Koreans must have found the NSA's implants, so the US can afford to go public with the accusations and the fact they got the keys to the crypto wallets, via another agency of course.

Amazing how companies get the crypto returned but not individuals.

Brave browser leaks visited Tor .onion addresses in DNS traffic, fix released after bug hunter raises alarm


It's been there a good few months.

Considering how far the Tor browser goes to avoid fingerprintable data being sent, down to things like the window size, I did wonder if Brave sends its own UserAgent and other info which would make it stand out like a sore thumb on the Tor network.

Just 2.6% of 2019's 18,000 tracked vulnerabilities were actively exploited in the wild


Lies, damn lies and statistics

How many of those 18,000 were local exploits rather than remote?

How many of the exploits were auth bypass or remote code execution vs some cross-site scripting issue that needs interaction from an admin while logged in?

How often were the same RCE and privilege escalation used because no other exploits were needed?

My honour, I rest my case.

Signal boost: Secure chat app is wobbly at the moment. Not surprising after gaining 30m+ users in a week, though


Depends on what you want. Short version: if you just want basic secure chats with friends or some groups, use Signal. If you like all the bells, whistles and pretty stuff + more functionality and are not so worried about security/nasty threat actors, use Telegram. There is nothing to stop you using both and getting the best of both worlds.

Signal is end-to-end encrypted and does some neat tricks to store any data it has to in a way that Signal can't read it itself. It's great as a replacement SMS program, but obviously only messages sent from other Signal users will be encrypted, so it relies on more people being on it to be more useful as an encrypted SMS replacement.

Signal only recently introduced groups and while the feature is pretty basic, it works just fine for group chats. Encrypted voice calls work ok too, as long as you have a decent data connection.

Telegram isn't as secure by default as Signal (it doesn't encrypt one-to-one chats end to end unless you manually set it as a secret chat) but has more features. Lots more animated stickers/icons if you like that kind of thing in your chat, but where it stands out is the extra things you can do with it, especially in group chats. Polls, bots that do things. An API so you can create your own bot/do your own thing which relates to whatever interest you have.

Telegram has introduced some features Signal had, like messages that delete after however long you set. Good for security in case someone got physical access to your phone to read your messages, but also as a way of keeping your phone and chat clean.

World’s largest dark-web marketplace shuttered after Euro cybercops cuff Aussie


Blip in the Matrix

I assume a take-down means a temporary void before the sellers and buyers move to another site and start building reputation again as if nothing happened.

The cops get the server so can maybe link bitcoin addresses to accounts, though most of the sellers would not be on an exchange so are not immediately identifiable.

Communication for sales on such sites usually uses PGP, so they will get a lot of encrypted messages and mostly metadata, which we all know can be useful.

Overall with all the money spent for what is gained on these big operations, I wonder if its always worth it or its just keeping people in jobs.

Trump administration bans eight Chinese apps


The US wants to be in charge of every payment system in the world so it controls the whole flow of money. Saying that, most of this seems to be Trump having a hissy fit over China for his own reasons.

Paypal and Visa blocking payments to some companies on behalf of the US government, and also their media cartels, aka the RIAA & MPAA/Hollywood, shows they cannot be trusted to do so.

Give me a non-US option and I will use it. I will continue to use Alipay over Paypal, but really need a nice alternative to Google/Apple Pay as paying by phone tapping is so handy (+ secure, due to the token and outlets not getting your actual card details), and that is the only reason I have held off getting the Huawei P40 Pro. Been hoping with Trump on his way out all the Huawei bullshit will be out the window in time for me to get a useful P50 Pro.

If I was a business, I would probably prefer to keep information to my local country. As an individual, it's preferable to give my data to China & Russia, as I don't trust my own government and its allies not to use the information against me in some form or another.