Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for April 2014

Vendor Hell


Vendor conferences and webinars:

Yesterday many of you who might read my ravings saw my Twitter feed explode with rage over a vendor-sponsored conference I attended on the “Target Hack.” The invitation to this meeting local to me …well an hour away that is, promised new and interesting information on the Target case and I decided to attend in hopes that there would be some inside info. What I got instead was a chance to listen to the meanderings on the 2nd amendment by Asa Hutchinson and the community college version of X-Force’s state of the hack.

The finale though was the talk on the Target hack which was prefaced with “Everything I am going to talk about today is open source and from the news” …really now, this is your inside information that you said would be given? What proceeded was a description of information you could get by reading the news reports and in particular Brian Krebs’ blog on the subject. This was nothing like that which I had been led to believe was on offer and it made my bile rise as you may have seen. It was a giant time suck and really should only have been on offer for those who hadn’t a clue about the hack. In fact, this may well have been useful were you an executive without a clue. Which I am not.

A proposal for a ratings system:

I left the conference after IBM had done their dog and pony show on Target with a headache and a real distaste for all things vendor. I know, this is the norm for the bulk of the people in this business but it made me start thinking on the hour drive home. Perhaps in a perfect world we could have a ratings system for these meetings. If we were to be completely efficacious we could craft a way to denote the level of information being given and those best suited to attend. I know this is likely a pipe dream but I just have to toss this out there.

While I was completely bored and enraged by the conference yesterday, it did have its merits for someone who had no clue about the Target hack. Chris Poulin did a fair job at describing the events that were in the news and in the blogs and I believe a lay person (exec) would have learned at least something from it. So could we perhaps work with vendors to get a ratings system as well as maybe work with them to inform our managements in an efficacious way? I know, I may be dreaming a bit here and sound like a Cavalry Unicorn but hey maybe an aneurysm from yesterday made me more open to the idea.

All I am really saying is that if we want to be better at getting our execs to understand some things perhaps we need to control our vendors a bit more and get them to actually be useful to us instead of just hawking bad data and wares. Perhaps the reality is we as security professionals need to look at all of these vendor offerings and choose which ones can be trusted to be at least somewhat informative and worth going to for our management. A simple rating system would be very helpful, let’s say a 1 for n00bs, 2 for intermediate people and a 3 for technical and competent people?

Please? Pretty please?

The community wants better communication? Start reining these guys in:

I guess what I am saying is that with all of the hubbub over Cavalry and “doing better” I would suggest we first start working with vendors’ offerings. Let’s cut the bullshit right out and start getting our managements to offerings that will actually help them comprehend the job they are supposed to be doing. Perhaps that only really means not letting them attend anything from a vendor at all huh? Perhaps these are all just in reality boondoggles …which incidentally I feel security conferences are today anyway, that need to be avoided like the plague.

Maybe there is no winning here.. I feel the rage returning which is the prelude to the apathy again, turn, turn, turn. Look, we all complain every day about management’s lack of comprehension so if we are going to fix that perhaps strictly monitoring their vendor conference attendance is a good start. As for us, well, we need to continue to be jaded about these calls, webinars and meetings accordingly. If yesterday was any indication for X-Force then I need to start pulling away from anything they put out there. I cited it in a tweet but I have no idea how they put a <1% attack traffic on Aerospace and Defense in their slide. Perhaps that datum might speak more to their lack of penetration and usefulness in the space though.. hmmm….

I guess in the end the words to live by are “Caveat Emptor Stupid!”

K.

Written by Krypt3ia

2014/04/25 at 12:36

Posted in DERP, Infosec

SEC BURNOUT and The Psychology of Security


Recent Days of Whine and Wiping of Noses:

Recently I have had my sensibilities assaulted by the whining on my Twitter feed coming from soundbites from Source Boston as well as others talking about INFOSEC Burnout and community communication issues. What really grinds my gears is the sense that we are all just helpless mental geniuses that need to learn how to communicate better to do our jobs more effectively as well as the whole “Woe is me no one listens to me” bullshit I keep seeing reverberate across the community. Well I am here to tell you right now to stop blubbering and put on your big girl/boy/transgendered pants and cut it out.

Last week I had a long back and forth with someone who is “studying” INFOSEC burnout and throughout the conversation (yes hard really in 140 chars per yes yes yes I know Beau) I could not get them to nail down exactly how they were “studying” it as well as what would be the efficacy of doing so. What are the ends that justify the means of this study? Was there to be a self help book? Or are you just having a kumbaya “I’m in INFOSEC and no one listens to me!” bitch session at each conference?

At the end of the day people got hissy and I began to think more and more about just how entitled this community thinks they are as well as how smart they “think” they are. So smart that they can’t get past a problem that properly studied would likely give you all some perspective and solace perhaps and this chaps my ass. While some of you out there are being vocally the new INFOSEC Dr. Phils, others just go about their day in the war and do their jobs without whining about it.

Not all of us have INFOSEC Jesus complexes.

The Problem Statement:

So here’s the general feeling I get from what I have seen (yes I went to an infosec burnout presentation) from the community on this whole burnout thing.

  • We can’t win the war and it’s hard to even win battles
  • The job is hard because the adversaries have no rules while we do
  • We are constrained by our managements
  • Our end users are morons
  • We’re the God damned smartest people in the room and no one listens to us!
  • We are just perceived as an obstacle to be bypassed or ignored

I am sure there are other complaints that weigh heavily upon the INFOSEC brow but these are the biggies I trust. Perhaps a real study with a real psychological questionnaire is required to get some analytical data to use for a proper problem statement but to date I have seen none. While I agree we work in a tough field from the perspective of “winning” the day and yes we are looked upon by the masses as an impediment and a cost centre this is not the problem set we need to work on. I propose that this problem set is the most self centered and useless one making the rounds today and smacks of every bad pop psychologist’s wet dream of making it big.

In other words; You are all problem solvers. Solve the god damned problem by studying the root causes and then implement what fixes you can come up with. What you are dealing with is human nature, the mechanics of the human brain, and the psychology that goes along with all of this. Apply that laser like focus you all claim you have out there on the problem set and you will in fact come to some conclusions and perhaps even answers that will make you see the problem in a pragmatic way. Once you do this you can then rationalize all of these problems at the end of day and hopefully get past all this self centered bullshit.

Then again this is a community full of attention seekers and drama llamas so your mileage may vary.

The Psychology of Security:

Once, a long time ago, I found Bruce Schneier relevant. Today I don’t so much think of his mumblings as at all useful however he did write an essay on Psychology and Security that was pretty damn prescient. I suggest you all click on that link and read his one piece on this and then sit back and ponder for a while your careers. What Bruce rightly pointed out is that our brains are wired for “Fight or Flight” on a core level when we lived on the great savannah and that Amygdala (lizard brain) is often at odds with the neocortex, (the logical brain with heuristics) that often times helps us make shortcuts in decision making out of pattern recognition and jumping to conclusions to save the brain cycles on complex data that is always coming at it.

What Bruce and others out there have pointed out is that all of our experiences in security, good and bad, are predicated on the fact that primates at the keyboards are the problem set at the core of the issues. We create the hardware and software that is vulnerable. We are the ones finding and creating vulnerabilities that are exploited by bad people. We are the ones who at a core level cannot comprehend the security values and problems because we are not wired to comprehend them on average due to the way the brain formed and works even today. There are certain problems psychologically and brain wiring wise on the one hand and then there are the social and anthropological issues as well that also play a part in the problem statement. All of these things can and do hinder “security” being something that generally is comprehended and acted upon properly as a society and a species that play into our day to day troubles as INFOSEC workers and we need to understand this.

So, when I hear people decrying that security is hard and that they are burned out because you can’t win or that the client/bosses/those in charge do not listen to you please step back and think about Schneier’s essay. The cognitive issues of comprehending these things is not necessarily the easiest thing to do for the masses. Perhaps YOU are just the Aspergers sufferer who’s wired differently to get it, had you ever considered that?

Security is a complex issue and you INFOSEC worker, hacker, Aspergers sufferer, should look upon all of this as a tantalizing problem to solve. Not to whine about and then turn it on its ear that you need to be more soft, and listen to your clients/bosses to hear their woes. We all have problems kids. It’s just a matter of looking at the root of the issues and coming up with solution statements that work. In the case of the brain and cognition we have our work cut out for us. Perhaps someday someone will come up with a nice framework to help us all manipulate the brain to understand the issues and cognate it all efficiently… Perhaps not. Until then, just take a step back and think about the issues at hand.

A Pragmatic Approach To Your Woes:

So with the problem statement made above what does one have to do to deal with the cognitive problems we face as well as our own feelings of inadequacy in the face of them? The pragmatist would give you the following advice:

  • It is your job to inform your client/bosses of the vulnerabilities and the risks
  • It is your job ONLY to inform them of these things and to recommend solutions
  • Once you have done this it is up to them to make the decisions on what to do or not do and to sign off on the risks
  • Your job is done (except if you are actually making changes to the environment to fix issues)

That’s really all it’s about kids. YOU are a professional who has been hired to be the canary in the coal mine. You can tweet and twitter all you like that the invisible gas is headed your way to kill you all but if the miner doesn’t listen …Well you die. If you want to change this problem statement then you need to understand the problems cognitively, socially, and societally (corporately as well) to manipulate them in your favour at the most. At the least you need to understand them to deal with them and not feel that burnout that everyone seems to be weeping about lately.

Look at it this way, the security issues aren’t going to go away. The fact of the matter is they will only increase as we connect every god damned thing to the “internet of things” so our troubles around protecting ourselves from the digital savannah and that “cyber tiger” *copyright and trademark to me…derp** are not going to diminish. Until such time as the brain re-wires or we as a society come to grips with the complex issues of the technologies we wield today we as security workers will need to just deal with it. Either we learn to manipulate our elephants or we need to get out of the business of INFOSEC and just go hack shit.

Catharsis:

Finally one comes to a cathartic state when you realize that only YOU can fix your problems coping with your work. Sure, people can feel better if they sit around and bitch about their problems but that won’t stop their problems from being problems will it? Look at the issues as a problem statement Mr. or Miss/Mrs security practitioner as a problem to hack. Stop being a whiny bunch of bitches and work it out.

HACK THE GOD DAMNED SYSTEM!

Failing that, come to accept the problems and put yourself in the place where you are just the Oracle at Delphi. You impart your wisdom and say “Your mileage may vary” and be done with it. Until such time as you manipulate the means that you get this across to the company’s management and they make a logical decision based on real risk you just have to accept it. If your place of work has no real risk acceptance process then I suggest you get one put in place or perhaps find a new job. You are not Digital Jesus. You can’t fix everything and you cannot fix those who are broken like Jesus did in healing the blind and making a hell of a lot of fish sandwiches from one tuna can.

Either understand and come up with a way to fix the problem or accept it for what it is and move on.

Stop the whining.

K.

 

Written by Krypt3ia

2014/04/13 at 12:22

New Age INFOSEC


Yesterday’s Source Boston keynote started bubbling up in Twitter like swamp gas releasing soundbites that were reminiscent of new age babble on how we as a community are bad communicators. While I agree that many in the community at large are bad at communicating anything other than self interest (i.e. con deadheads) I would have to say that there are many many more of us with day jobs who can communicate and do.

Often.

The fact of the matter is that if you are a con deadhead then perhaps Justine Aitel is talking to you, which she did coincidentally at a conference! Gross generalities make my eye twitch and so do new age koans about such a complex issue as information security. So I would like to address the snippets that came out yesterday in my usual style of bilious and yet hopefully thought provoking responses.

 


The first slide in the roster actually struck me as something I have been saying for quite a while but in this re-telling it’s much softer. I have been calling bullshit on the con deadheads for a while now but I guess it’s finally getting traction. The truth of the matter is that if you are just speaking at conferences all the time what the fuck are you really doing? You speak to the same crowds and often times of late you present the same god damned things. What is the fucking point?

So yes I agree with you Justine on this but I think you could be more blunt. If all you do is go from con to con partying and giving the same talks then you sir or madam are committing cyber douchery. It’s just that simple.

 


We develop secret knowledge and power? Holy what the fuck does that even mean? If this is the case then we are all collectively Dr. Evil at worst or Blofeld at the best? We also suck at listening because we are evil geniuses? What the fuck does this even mean? Look we are technical people and we speak in technical language which often times seems like magic to the people who do not comprehend the rudiments of technology never mind some of its most complex theory and implementation.

We also suck at listening? Really? All of us? Gross generality much? Look there are two sides to the equation here and sure some of us in the community may not listen well. For that matter we may not listen at all except to our own bass drum of LOOK AT ME! LOOK AT ME! but please, we aren’t the only problem here when it comes to the security problems of today. You are oversimplifying things just a bit in a time when we need more complex and nuanced thought on the matter. The corker here is that all of this is being transmitted by soundbite by Twitter of all things.

#FAIL

 


Uh what? Are you going to tell me that Hitler wasn’t a great communicator? Have you seen those old movies of his speeches? I am in no way saying he was a huggybear but HOLY WTF are you on a roll with generalities and useless new age speech. So once again you see us as great technical masters of the universe and yet we are all portrayed as somewhere on the far end of the spectrum on the DSMV for Aspergers? Look, we may have great technical abilities in some cases. In others we may be just useless twats. Let’s not put this into axis of evil territory or paint us all with the same inept brush of bad communicators or sufferers of Aspergers here.

 


Oh here we go.. We need to be vulnerable to grow. Thanks Dr. Phil. How about instead we just be more self aware and able to comprehend the social surroundings we are in. Understand the system to work the system. Better yet how about you understand the system and the players to come to the place where you accept that nothing you do really matters unless the people WHO PAY YOU are willing to make changes or LISTEN to you. It has nothing to do with being soft or vulnerable and this kind of shit is just as bad as the polar opposite of “Real men don’t eat quiche.”

Twattle.

 


No no no NO. The word CYBER is a mystical amulet that the masses use to infer some vague notion of all things magic and incomprehensible! This is not something we should promote whatsoever. Its perpetuation should stop and you just crossed the Rubicon on this. This really burns me and that this idea was even floated makes my blood boil. You say you want to communicate but you are willing to compromise with the word CYBER instead of using real language to convey the complexities we deal with? Good God this is one of the most idiotic statements I have seen of late!

 


I agree.. Much of society at large has no idea what we do. Do you really want to know why this is true? Have you ever tried to explain to them why it’s important and how it works? Even in small words? You get the glazed eyes and they begin musing on what Kim Kardashian is doing. THEY DON’T CARE TO UNDERSTAND! Still you want to call it CYBER and use general terms in an attempt to dumb it down so they get it? I am saying to you right here and right now that they won’t care and they won’t get it. It’s all fucking CYBER APT CLOUD MAGIC to them all.

 


So as an industry we are too self involved and unable to listen to the people we are tasked with protecting… Hmmm… Ok sure. We are a calamity of derp as an industry that has been riddled with FUD and sales buzzwords. We also have a populace of attention seekers with a real penchant for TNT Dramallama flogging. We wallow in our soup of “Ain’t I cool” and look at me look at me! It’s true. However, that is not the whole community and this is yet another generality that borders on the new age derpy.

I also would say just what is it we need to listen to? Listen to the companies and players who have agendas that make bad choices in the face of being told that they are vulnerable? Listen to the people who say that the work is too hard and that out of hand deny anything you say is relevant or important? Some actually put on a show and say they will fix things or change their ways but really, how many times have we seen that and then seen nothing change? Listening is just fine but the crux of the matter today is that you tell the client what is wrong and then say “You can fix this or you can accept the risk on this.”

That’s it.

You don’t need to be a great communicator here or all new age fuzzy because the fact of the matter is that people will make decisions based on their own needs and desires and not the truth. What this community (and the one I speak of are the con deadheads) needs to do is grow up. Spend less time lauding their own ingenuity and grok a bit more on other things in the world. Perhaps there are a mass of Aspergers sufferers at these cons but that is no reason to paint the whole community of security with the same brush. I communicate just fine and I have come to accept the fact that all I can really do is present the information, the risks, and recommendations. It is up to the client to decide whether or not it is in their own interests to do anything about them. I just get them to sign off on the risks of not doing so and my job is done.

Enough of the new age fuckery…

K.

 

Written by Krypt3ia

2014/04/09 at 10:40

Posted in Infosec

ASSESSMENT: The ZunZuneo “Hummingbird” Social Network and The Cuban Spring


Cuban Intranet and Internet Access:

Cuban internet access is minimal and very controlled by the government. There were as of 2011 about 124K addresses listed to the .cu domain on the internet belonging to Cuba and the average ownership of a computer was low. The same was true of cell phone ownership and use compared to other Caribbean countries. The regime’s control over all of the infrastructure pervades to the intranet being primarily a tool for propaganda and a means of control via surveillance on those who could access it.


Internet access though became a feature to the rich in the country or the political (both are the same in reality) and one could buy access to the internet for a hefty price underground. In fact some blogs have shown up over the years on the proper internet after dissidents paid for or obtained access either themselves or by exfiltrating data to outside sympathizers for publication on blogs like WordPress or LiveJournal. Generally, if you wanted a source of outside news you had to either buy access to the internet in the black market, get it on the streets from people with SW radios, or by some other means. This control over the media and technology has perpetuated the control of the Castro regime and allowed his dictatorship to continue.


Cuban Telco:

Cubacel also is a single proprietorship of all cell phone communication (state run) on the island and in fact the ownership of cell phones is one of the lowest as well in the world for penetration of cell phone owners and use. This too means that the Castro government has greater control over what the people can access as well as a single point of surveillance that can be used as a means of control as well. Of course today this is all being said in the age of the NSA tapping just about everything so please take this with a grain of salt and the knowledge of how that makes you feel about surveillance by any government.


I am unsure of the prevalence of cell phones today in Cuba but I am guessing that these statistics are only a little different today due to the controls that the Castro government has in place over its populace as well as the poverty rate of the island itself disallowing general ownership and use. While the numbers may have grown so too might the attitude of the government due to a shift in power from Fidel to Raúl Castro. While the former was a bit more hard line the latter seems to be a little more open to allowing the country to loosen its grip on the people and allow communications with the US. This may also play a part in easing the minds of the people into thinking they could in fact use cell phones and platforms like ZunZuneo to air grievances.

ZunZuneo:

The ZunZuneo platform went live in 2010 and was a “Cuban Twitter” which was text based on the cellular network on the island. It was in fact a program put in place by USAID (likely a covert program run by CIA in reality) and ran until about 2012 and at its end it had about 40 thousand users on the island. The broad idea of the project was to have the Cubans generate their own “buzz” around dissident ideas and allow them a means to text one another outside the controls (ostensibly) of the Castro government’s eyes and ears. This though likely was not a complete success nor was the program a success from the standpoint of mass demonstrations happening either as far as can be seen by any news sources reporting on this.

ZunZuneo was inserted and run by contractors and purported to be a Cuban creation with cleverly hidden funds and controls from USAID/CIA. The program’s aegis was to insert itself, gain a user base, and then to start to send texts to the users to spur political unrest against Raúl and Fidel Castro’s government. In the end the program came to a sudden halt due to finance issues (alleged) but the reality is it never actually got the directive to insert itself as an influence operation. It operated unbeknownst to the users and in reality was a failure because I think USAID and CIA had hoped they would see dissent traffic on its own. It did not and thus perhaps the idea was seen as not feasible and the finances were withdrawn.


Influence Operations:

 


Influence Operations are nothing new and over the years many have been carried out on places like Cuba. With the advent of new technologies like the internet this has become even easier to carry out on average when the populace has easy and free access to the net. In the case of Cuba this is not so much the case like the DPRK. I would say though that Cuba has a much more permeable information border than the DPRK due to its geographical location as well as the current regime’s leanings towards opening up a bit more. Though it is still the case that the current government still holds all the keys to information flow as well as a secret police force that controls the populace who get out of line. So it is no paradise of freedom and beauty.

That the US decided to use USAID to carry out this operation is an interesting choice but in their charter is the mandate to “spread democracy” so while some might question the aegis here and say that this was a rogue operation I don’t necessarily agree with that. One must understand that at least USAID has access to many places under its mission in general of providing humanitarian aid so there is purview there. The question though becomes do we want to taint such an org in the future and deny access to critical areas where people really do need help? This will be the fallout from this in general globally and likely will hurt people in the end. As influence operations go though this was a bit of a flop in the short term however. In the long term though perhaps this may lead an internal company or group to create a new ZunZuneo because the 40 thousand people using it really enjoyed it. If someone were to create a new one and if the populace felt that they could in fact speak their minds freely, then maybe they would rise up.

ANALYSIS:

My analysis of the ZunZuneo operation is that it was a novel idea but lacked oversight. An influence operation that inserted itself as a platform for communication in a place where cell phones and internet access is tightly controlled was a gambit that was bound to fail in my opinion. This was in fact the digital equivalent of releasing balloons with propaganda over the DPRK (which is ongoing today) and does not have a penetration level at which a real traction could occur. It is my belief that the CIA/USAID thought that what they had seen with popular uprisings like the Arab Spring could be effected in Cuba internally by its populace. What they failed to comprehend was the amount of outside help the Arab Spring had from the likes of Anonymous and the general internet to assist them in carrying it out. In the case of the Arab Spring and other incidents the governments attempted to clamp down on communications that they controlled only to be denied absolute control by key players outside allowing access through POTS and other means.

In the ZunZuneo scenario two things did not happen to cause its failure at the end. One was that the populace who had access perhaps did not feel they could speak their minds because everything was on Cubacel to start with. The second was the fact that this program was not a populist movement from the start. You will note that the other “spring” incidents had access to the internet proper not only on twitter but also by other means. These countries already had a populace who had access to external information and were consuming it regularly. The same cannot be said about Cuba in general as I have described it above. The traction just wasn’t there because the people know already that the vehicle that the information operation was to use was already monitored by the government that is oppressing them.

At the end of the day though I have been seeing an easing in the Castro regime since Raúl took over from Fidel and this would I hope, continue as the two of them age into retirement (aka their graves) and the people might have a chance at that point to make a change. Time will tell just how much more Raúl opens things up post this little debacle. However flights in and out of Cuba are more plentiful and there is a flow of monies etc that could be much more beneficial in the long run than any influence operation ever could. My fear though is that the old guard Cubanos in Florida may have had a hand in this as well and there may be more out there in the wings. It could upend the growth that has happened and that would be a shame.

K.

Written by Krypt3ia

2014/04/06 at 12:22

So you want to go to the Darknets huh?


DARKNETS!

I recently asked people on Twitter what they would like to see me write about here for a new post and the majority of people came back with something around the Darknets. So I am bowing to all those calls and I now present to you a post on THE DARKNETS! How to get there, what to see, and how not to get yourself into a shitload of trouble…

Well, I can’t vouch on that last one though…

I suppose though I should back up a bit and explain to some of you out there just what the darknet is. The darknet is actually just a sub-basement of the Internet that is comprised of systems on the regular internet that have a separate gateway to get to them and an infrastructure that is separate from the internet proper. Simply put, the basement analogy is really apropos due to two things. First, the connection to it is rather like taking a creaky and rickety old staircase into a dark basement in an abandoned building. Second is what you find once you are in that dark and creepy basement often times are things you want to never see again yet you cannot un-see.

So take care gentle reader for if you decide to follow me into the dank world of the DARKNETS you may encounter things that you might never recover from. Alternatively you could just laugh and laugh and laugh as you see some of these sites out there offering snake oil and drugs. Hey, maybe you can buy snake oil as a drug! Oh and yeah one more thing. If you decide to go anywhere near the child porn I will personally hunt you down and make you disappear into federal custody.

Just sayin….

Do you know the way to the Darknets?

Do you know the way to the DARKNET? Well obviously if you are looking at this blog post you don’t. That is unless you want a good giggle. Anyway, the darknet can be reached pretty dang easily today and you have a few choices on how to get there as well as varying versions of networks to choose from. The best way though for the casual observer would be to go to the Googles and just type in TOR BROWSER DOWNLOAD.

You download the file for your system (one hopes it’s a Linux or UNIX system.. Or maybe even that MAC crap) and then install it. Once installed you RUN it. It’s really that simple. Of course if you are in Linux you unzip, save it to a directory, then run it (run as program not as a txt file thank you very much!) which will start the version of Firefox for you that is already pre-configured to proxy to TOR.

Guess what.. If you have done this then you are able to get to the DARKNETS! Now you just need to find some links, like the one to The Hidden Wiki (the first layer of 7 levels of DARKNET HELL! *waves at Dante*). This site was recently taken control of by the inimitable DOXBIN because of the amount of paedo links that it was allowing to fester. This is just one place where you can get links to the DARKNET sites out there though. You can in fact use the TOR SEARCH or something like that but the best way I have found of late is just to hit up Pastebin.

There you have it.. By doing some simple points and clicks and then using your frontal cortex a bit you too can be on the DARKNETS with the rest of us. Come on in! The water is… Well.. Scummy but it’s at least warm from all the kids peeing in the pool!

TOR vs. i2p:

Now some old timers may tell you that the TOR is full of Feds and that you need to just go straight for i2p for your DARKNET binges. I for one would tell you that this is a falsehood because i2p is FUCKING SLOW AS ALL SHIT. However, it is an option if you aren’t in a hurry to see anything and you want to see different content than what you may map out on the TOR DARKNET.

Another word of warning on the i2p front is that you have to be a bit more savvy than the usual user to make this one work for you and to correctly manage and configure your system because YOU are also a router within the arcology when you get on i2p. You can of course change that and secure the system more so that you aren’t going to be pwned but you have to keep this in mind before you just go download and run it.

Be.

Forewarned.

On the other end of the spectrum you can also go download the full TOR node setup and make yourself a page or you can just use it to access the net in a configuration of your choice (secure one would hope) instead of the pre-configured browser bundle. If you choose to do this just make sure you understand what you are doing and do keep an eye on the versions out there. TOR seems to be a target for security flaw hunting by the likes of the NSA so ya know, you kinda have to be careful if you are out there doing things you perhaps shouldn’t be on an un-secured version.

Personally I use all of the above but as you might have guessed from above, I find the idea of all the caching on i2p to be rather tedious so I don’t go there often. You can in fact find gateways to both DARKNETS if you GOOGLE for them. These are gateways that allow you to enter by using the CLEARNET (i.e. internet) as the gateway with a node handling all the routing for you. I don’t know about their security but let’s put it this way; people can see your traffic in the clearnet so… Yeah…

Abandon hope all ye who enter here…

Ok so now you know how to get the software, what to click and where to get links. Now comes the abandonment of hope. See once you get inside the darknet and you start looking around you realize just how much of it is lame, how much of it is illegal, and how much more of it seems to be rather puerile. I have spent hours, aw hell, let’s say days in there looking around. I have laughed, I have cried, and it changed my life like “Cats” the musical. The gist here is prepare yourself for an experience that may just leave you slumped in your seat saying “Is that it?”

Alternatively you might be able to find new and interesting sites that no one really knows about (if you do please tell me!) such as a nice site on furry on furry cosplay scheisse movies. Who really knows what you will find. Take a stroll around and see what you see. Mostly though I think you will find that unless you start messing about with the technology deeply, you will just see the same things everyone else does.

Porn

More porn

Drugs markets

chans

dropboxes

etc.

I for one have begun looking at the intricacies of things like transient sites and covert url exchanges but that’s just me. You might want to do other things. All of these things though usually are shall we say more exotic in nature to begin with and mostly considered illegal and this is why they are in the DARKNET to start. They think that it’s all anonymous and that you can then not only access the DARKNET but the internet without leaving a digital trail. This of course has been shown to be wrong.

The Arcology:

This brings me to the arcology of the DARKNET and security. There are ways that you can in fact be tracked by wily people who can poison the network with their own nodes or be sniffing their exit data. In one case it has been posited that the whole of the onion router system could be cracked by the use of nodes under the control of a determined adversary.

This is an interesting idea as are all of the others out there on how to de-obfuscate users on the DARKNET. Be aware that the NSA is more than likely working on this if not already there and monitoring traffic. Why aren’t more people being arrested then you ask? Well, then how would they get the really bad guys if they tipped their hand huh? Cracking the DARKNET would be a HUGE thing and a real tipping of the scales were it to get out in the open. Is it happening now? I am not sure but what I am sure of is that they are trying very very hard to make it happen at the very least.
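To put rough numbers on the adversary-controlled node scenario above, here is an added example (not from the original post) that models the chance a user ends up with hostile relays at both ends of at least one circuit. The relay fractions and circuit count are constructed assumptions, and real TOR path selection (bandwidth weighting, guard rotation) is deliberately simplified; the point is why a pinned entry guard limits the exposure.

```python
import random

def analytic(f_guard, f_exit, circuits, pinned_guard):
    """P(at least one circuit has hostile relays at BOTH entry and exit)."""
    if pinned_guard:
        # Entry relay picked once and reused: the client is only exposed if
        # that one pick was hostile, and then any hostile exit completes it.
        return f_guard * (1 - (1 - f_exit) ** circuits)
    # Fresh entry relay per circuit: every circuit is an independent roll.
    return 1 - (1 - f_guard * f_exit) ** circuits

def simulate(f_guard, f_exit, circuits, pinned_guard, clients=10000, seed=1):
    """Monte Carlo check of analytic(): fraction of simulated clients that
    had at least one circuit observed at both ends."""
    rng = random.Random(seed)
    exposed = 0
    for _ in range(clients):
        guard_hostile = rng.random() < f_guard      # initial entry pick
        for _ in range(circuits):
            if not pinned_guard:                    # re-pick entry each time
                guard_hostile = rng.random() < f_guard
            if guard_hostile and rng.random() < f_exit:
                exposed += 1
                break
    return exposed / clients

if __name__ == "__main__":
    # Constructed values: adversary runs 5% of entry and 5% of exit capacity,
    # and the client builds 200 circuits.
    F_GUARD, F_EXIT, CIRCUITS = 0.05, 0.05, 200
    for pinned in (False, True):
        label = "pinned guard" if pinned else "new entry per circuit"
        print(f"{label:>22}: analytic={analytic(F_GUARD, F_EXIT, CIRCUITS, pinned):.3f} "
              f"simulated={simulate(F_GUARD, F_EXIT, CIRCUITS, pinned):.3f}")
```

With these assumed numbers, roughly 39% of clients that pick a new entry relay every circuit get observed at both ends, against about 5% for clients that stick with one guard.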

So gentle reader go forth, get the software, secure it as best you can and then wade into the DARKNET! Remember, the water is warm because of all the pee.. And remember too that; “We are the reason we can’t have nice things”

K.

 

Written by Krypt3ia

2014/04/03 at 17:55

Posted in DARKNET