53 comments

[ 3.2 ms ] story [ 115 ms ] thread
More on the same theme... interesting grug, though pond author states Dear God, please don't use Pond for anything real yet. I've hammered out nearly 20K lines of code that have never been reviewed. Unless you're looking to experiment you should go use something that actually works.
Also relevant, and by the same author: http://www.slideshare.net/grugq/opsec-for-hackers
The Grugq is the most interesting person I follow on Twitter.
I don't get why he says "VPN connection to TOR => GOTOJAIL".

How is it OK that your ISP sees you connecting to Tor, but dangerous if your VPN provider does? Or is this about some other issue?

The NSA sees all. Using both a VPN and Tor is more suspicious than just using Tor.
Yes, hard to understand why he says that, maybe he meant TOR connection to VPN?
He says that Tor to VPN is OK, as long as you buy the VPN service anonymously. So I don't think that there's semantic confusion. Also, there is a clear downside to tunneling VPNs through Tor, in that it prevents circuit switching, which increases vulnerability to deanonymization.
This is cute, but it's also just a bunch of noise. Makes a lot of speculative claims without proof or citation. Reads like an overly verbose front page junk article of some non-existent cyberpunk gossip magazine.
I don't know why this was downvoted. A lot of this presentation is hard to take seriously for exactly the reasons vesche outlined, especially when the authors make howlers like praising Pond to the skies while the Pond author begs people not to make serious use of it.
FWIW this is the talk that got them (Ben Nagy and The Grugq) thrown out of Kiwicon (http://kiwicon.org/) for being transphobic, sexist and otherwise disrespectful to women and trans people.

See http://geekfeminism.wikia.com/wiki/Kiwicon_2014_expulsion

IMO it was justified, but guess you had to be there.

What I find interesting is that no matter how hard I google, I can't find this joke anywhere. Heard this story before and to this day curiosity is killing me.
The ad-lib appears to be included in the provided PDF.
Oh so that's the one, and that's this same presentation... Interesting. I for one, find the kicking out hardly justified.
Hmm, "ad-lib" -- given that slide, what did they plan to say? Anyway, it's interesting to me that the pics of mostly-naked men and ASCII Goatse hardly get mentioned, overshadowed by a verbal remark. Maybe the con has changed its policy in response, but did they preview the slide deck?
I don't know of any security conferences that preview slides. original research is presented regularly which means your hard work might leak by conference organizers who can't keep their mouths shut.

Alsp, many speakers are working on their slides and talk minutes before going on. These talks get finished notoriously late

Apparently they got in trouble for the ASCII Goatse too.
Yeah, if "got in trouble" == "it was mentioned in a few tweets", but mostly it seems focused on the trans remark. They quite literally assault the eyes of everyone in the room, and it only gets passing mention compared to a non-targeted[0], verbal insult to a certain class of people. Should the severity of an offense really be proportional to the oppression its victims are suffering?

[0] I mean they didn't point to a trans person in the room and say, "You're sticking out!"

And is pretty much a statement of fact.

"Sticking out like a white guy in a Mayan village" would probably have been non notable so I don't follow how it's offensive by switching the subjects.

Mentioning in minorities in contexts that aren't explicitly positive is pretty much a holocaust-tier offense.
Well, it isn't, but p.c. proponents certainly seem to make it seem that way. :-)
It's on page 30 of the PDF that the HN submission links to.
More cogent is the comment on page 17: "I wanted to remind people about Eldo Kim here ( the Harvard bomb threat hoax ). He had pretty good Concealment ( was using Tor ) but had no cover to explain WHY he was using Tor at that time, and then gave it up under questioning."
(comment deleted)
Or maybe he's just a jerk who can't learn from experience?
"A transgender Mongolian in the desert"? Is this really so gravely offensive?
It is if you're an overly sensitive SJW twat. Otherwise, no. It isn't insulting to desert-dwelling transgendered Mongolians, just a humorous ad lib pulled from the speaker's memory based on something they happened to have read recently.
You'll pardon me if I reject any argument premised on a notion of someone being an "overly sensitive SJW twat".

Comments like that say more about the person uttering them than their arguments.

I won't pardon that, because it shows your bad priorities of style over substance. That kind of flawed reasoning has too many negative consequences for me to merely overlook. Sorry.
I asked a friend and she gave me this explanation:

"It's not compassionate to remind transgender people that they're a minority that often has trouble "passing" and face extreme violence bc of that...if you were a trans woman in the audience who'd been beat up for not being able to pass as cis, how would it make you feel to have that treated like a joke"

Seems reasonable. I retract my previous comment.

It does seem reasonable, but does that mean it's not okay to joke about unfair bad things in general? What makes a similar argument valid/invalid?
>FWIW this is the talk that got them (Ben Nagy and The Grugq) thrown out of Kiwicon

See, fuck this. We are all fucked if style begins to trump substance in infosec, like it has in most everything else. Fucking marketing turds. The Grugq is dropping pearls before swine.

If you need to say rude things in order to convey your message, you might take a moment to consider whether or not your message is actually worth conveying.
Whether or not a message is perceived as rude is irrelevant and a matter of selfishness. Whether or not it is true is what you should concern yourself with if you mean to get things done.
I would say the talk itself is a triumph of style over substance.
According to the Pond docs:

> What a global, passive adversary (one who can observe all Internet traffic) can achieve:

> A GPA can learn who is using Pond and where their home servers are located.

It's probably a great piece of software, but how exactly does it fit into the theme of cover over concealment? At its current level of popularity, simply using Pond, without a proxy at least, paints a giant target on you in the eyes of such an adversary. GPG and Tor, for all their faults, do not have this property.

Pond works through Tor, and Pond servers are hidden services. I consider that using Tor makes me a target, so I go through at least three VPN services.
The guy is simply an Apple fanboi who like to rehash the same old tired security tropes while providing almost nothing new or of much value.
I have been trained well by now. Every time I see stuff like "try Pond" or click and use this tool. I am thinking -- I will be bumped up on the black list somewhere. I guess it is called thought self-censorship...
"chilling effect" is probably the term you're looking for, though maybe it's not an exact match.
Know what you mean. I know grugq to some extent, and really doubt this was his motivation. However, yes .. passive global network analysis (eg. NSA) can benefit. So I still have the same thought process, and switch signatures (browser+IP) before reading things like this. Just for compartmentalization...
This is great. Explicitly calling out Communication Events helps to remind us that everything we do is leaking information.

Also like the mention of cover. Every action you do should have some explanation. Why were you here? Why were you doing that? Why were you taking to them? How will these questions be posed and answered to random LEOs, lawyers, judges, etc.?

People seem to focus on some flashy part, like using Tor, but forget overall basics.

Like that kid nailed for making bomb threats. He had no cover story for why he was on Tor. He didn't shut up, and cracked. All be had to do was get embarrassed and say he was looking for porn, or looking at drug prices, and he'd have been fine.

Edit: It might be good for the cover to be slightly illegal, or damaging. Investigator grills someone, finally gets them to confess, and it's cause they were buying weed, or having an affair with illegal prostitues or hiding something from their family. Then the all the covert actions and software and nervousness make sense. (And the investigator will move on cause a simple possession charge isn't worth their time.) Just make sure the story checks out.

The police/interrogators want you to lie to them with a cover story so your alibi can be picked a part easily, correct response is to say nothing and get a lawyer. Even worse is admitting something illegal to them thinking they will just let it slide, more likely they will use your confession as cause to search your property.
Yes if you can avoid saying anything, fine. In the case of the bomb threat kid, there is no way to verify an alibi of "I was looking for drugs using Tor". And, a nervous seeming kid finally admitting he was looking for drugs fits pretty well and may have gotten the investigators to move on. They've limited time and resources.

At other places, like border crossings, you might not have the ability to refuse to say anything (especially as a non citizen). Being able to have a good cover may be the difference in being let go after a cursory look versus being detained for in depth examination.

And I really cannot imagine counter terrorism agents bothering to actually go forward charging that kid with attempting to buy pot or something. After all, if they suspect him off terrorism, that alone should be enough to get a search warrant and take his computers.

He was a bomb threat suspect so of course they would charge him with any petty crime he admitted to so they would get the excuse to further search his dorm, confiscate his laptop to get physical evidence of the bomb threat and detain him for further questioning. If he had said nothing and asked for a lawyer he'd still be in school.

This law professor explains why you should never talk to police, even if innocent http://youtu.be/6wXkI4t7nuc

So you're saying that, as a bomb threat suspect, they would not be able to convince a judge to give them a warrant for his laptop anyways?
Page 36: "Windows is currently the most secure mainstream OS. I mean, we can’t stand _using_ it, but that doesn’t change the facts. The kernel is golden, the userland protections are stellar, and the user experience is somewhere between the 8th and 9th circle of Hell."
I'm genuinely surprised to see Linux being dismissed as laughably insecure. I'd like to learn more -- particularly given that the main criticism is that the defaults are so bad. Does anyone know which distribution/kernel is being referred to?

Up until now, I'd thought of distributions like TAILS as offering excellent defaults, while providing good compartmentalization. I remember reading that Laura Poitras, Glenn Greenwald and Bruce Schneier all made use of TAILS when reading leaked NSA documents.

Among other reasons, the outright refusal of the Linux kernel developers (and Linus himself) to consider implementing the grsecurity patches have rendered it somewhat of a joke to the blackhats I know.