40
tmpnull
1y

Paranoid Developers - It's a long one
Backstory: I was a freelance web developer when I managed to land a place on a cyber security program with who I consider to be the world leaders in the field (details deliberately withheld; who's paranoid now?). Other than the basic security practices of web dev, my experience with Cyber was limited to the OU introduction course, so I was wholly unprepared for the level of, occasionally hysterical, paranoia that my fellow cohort seemed to perpetually live in. The following is a collection of stories from several of these people, because if I only wrote about one they would accuse me of providing too much data allowing an attacker to aggregate and steal their identity. They do use devrant so if you're reading this, know that I love you and that something is wrong with you.

That time when...

He wrote a social media network with end-to-end encryption before it was cool.

He wrote custom 64kb encryption for his academic HDD.

He removed the 3 HDD from his desktop and stored them in a safe, whenever he left the house.

He set up a pfsense virtualbox with a firewall policy to block the port the student monitoring software used (effectively rendering it useless and definitely in breach of the IT policy).

He used only hashes of passwords as passwords (which isn't actually good).

He kept a drill on the desk ready to destroy his HDD at a moments notice.

He started developing a device to drill through his HDD when he pushed a button. May or may not have finished it.

He set up a new email account for each individual online service.

He hosted a website from his own home server so he didn't have to host the files elsewhere (which is just awful for home network security).

He unplugged the home router and began scanning his devices and manually searching through the process list when his music stopped playing on the laptop several times (turns out he had a wobbly spacebar and the shaking washing machine provided enough jittering for a button press).

He brought his own privacy screen to work (remember, this is a security place, with like background checks and all sorts).

He gave his C programming coursework (a simple messaging program) 2048 bit encryption, which was not required.

He wrote a custom encryption for his other C programming coursework as well as writing out the enigma encryption because there was no library, again not required.

He bought a burner phone to visit the capital city.

He bought a burner phone whenever he left his hometown come to think of it.

He bought a smartphone online, wiped it and installed new firmware (it was Chinese; I'm not saying anything about the Chinese, you're the one thinking it).

He bought a smartphone and installed Kali Linux NetHunter so he could test WiFi networks he connected to before using them on his personal device.

(You might be noticing it's all he's. Maybe it is, maybe it isn't).

He ate a sim card.

He brought a balaclava to pentesting training (it was pretty meme).

He printed out his source code as a manual read-only method.

He made a rule on his academic email to block incoming mail from the academic body (to be fair this is a good spam policy).

He withdraws money from a different cashpoint everytime to avoid patterns in his behaviour (the irony).

He reported someone for hacking the centre's network when they built their own website for practice using XAMMP.

I'm going to stop there. I could tell you so many more stories about these guys, some about them being paranoid and some about the stupid antics Cyber Security and Information Assurance students get up to. Well done for making it this far. Hope you enjoyed it.

Comments
  • 7
    A lot of those are badly implemented pseudo security things...

    Said the guy who uses 255 character passwords where neccessary, implements next to anything with encryption and solders/sews IR leds to his hat to disrupt cellphone and surveillance cameras.

    Being a tinfoil hat is cool, but being a tinfoil hat correctly is hard.
  • 3
    @ilPinguino ikr. This is what happens when you're 'into' security without knowing security yet. All the education coming from 4chan and reddit.
  • 3
    @irene hashes are good. Salted hashes are better. Hashes of hashes form patterns if you use the same function, which he would have been in many cases.

    Edit: to follow up on this, double hashing is a thing, but it shouldn't just be hash and hash again. There needs to be an additional process to add layers of security. Such as adding a salt.
  • 6
    @tmpnull Well, I'm into security the fun way...

    I wasn't always working behind a desk.

    - Reflections in car windows can be used to track a chaser.

    - So can your smartphone, with a degree of dexterity, but that's hard to pull off without causing suspicion.

    - Pretending to tie your shoes is one of the most effective ways to surely identify one. Do it in a place with witnesses if possible.

    - When blending into a crowd, use your forearms to push people aside.

    - A book and a bench do wonders if you need to be stationary in public for a longer time without arousing attention. Noone reads a newspaper for hours. Flip pages and know the book a little to keep your cover.

    - If a key doesn't open a lock, try pushing it downwards repeatedly while slightly turning it. That's the same way a bump key or the bumping technique with a lockpick work.

    - Yes, the trick with the rolled newspaper from the Bourne movies works.
  • 2
    @ilPinguino

    - look backs rarely work

    - looking like you're meant to be there makes you invisible

    - learn your route. Learn your route. Learn your God damn route.

    - eat when you can

    - sleep when you can

    - don't try to lose a tail, just go to the fallback plan

    - don't look for irregular behaviour, look for repeat appearances

    - when was the last time that dog went toilet

    - have a solid cover story but don't be too fast with your answers

    - compliance is more effective than defensiveness
  • 5
    @tmpnull I see a fellow tinfoil hat my friend.

    - Drywall is better than nothing, but not much.

    - A spare knife never hurts... at least you, that is.

    - 5m and below, close combat beats a gun.

    - Encrypting is good, but hiding encrypted information well beats being interrogated.

    - They won't crack your encryption, they'll crack you, so hide it.

    - In an interrogation, fear is more effective than pain. Adrenaline and endorphines numb down pain, but can enhance the effects of fear. Most modern intelligence agencies know and use this (waterboarding, sensory deprivation, attack dogs etc).

    - Never catch a fall with your arms. A broken arm is useless, a broken rib is tolerable.

    - If you've got something to hide, don't insist on your citizen rights - hide it well enough that you can comply without fearing its discovery.

    - Some people will stop after finding one thing. If a dime bag of grass gets you into less trouble than secret files, get and "hide" one.
  • 1
    @ilPinguino You win XD ahahaha

    - A spare knife never hurts... at least you, that is
  • 0
    @tmpnull Cynicism, while despised by society and frowned upon by many, can REALLY keep you healthy.

    There's a reason why cops, paramedics and firemen often have a hefty sense of humor. If you lose your sanity, you lose the battle.

    Also: Inaction takes a harder toll on your mind than pointless action. Do SOMETHING. The Brits once turned the tide of the Battle against Rommel - how so? Their new officers had the soldiers, who were idly expecting Rommels offensive before. do training drills, fix/clean the equipment and build props instead.
  • 2
    @irene

    If you think someone is following you and you're in a crowded place, just crouch and pretend to tie your shoe.

    - You can observe anything behind you fairly well.

    - You stopped, but you had a reason to. If the person you suspect stops as well, you'll have quite an amount of certainity.

    - If you're conceal carrying something on your lower leg (gun, knife, whatever), you can ready it rather inconspicuously depending on your holster.

    It puts you into a disadvantageous position for close combat though, so be careful about doing that in a place without witnesses (despite almost no one would probably interfere with a fight even in the largest crowd, many potential witnesses offer a nice amount of security).
  • 2
    I want more stories!
  • 4
    I sew IR LED's into my hat and clothes too. although these help to blind most 'night vision' cameras, it will also make you a huge target in real night vision goggles that don't use IR as light.

    I am bit paranoid about facial recognition, IR lights to not combat that, but there is line of clothing and a pair of glasses I hear that can. I will most probably purchase these in future once facial recognition becomes standard almost everywhere. That is probably the only thing I am truly worried about.

    My online presence and my communique they can have. being able to id me on camera, I do not like.
  • 2
    @hash-table Worried about facial recognition? I have just the thing for you:

    https://amazon.com/Bristol-Novelty-...

    Although that MAY cause more people to photograph you... And maybe it's not too wise to enter a bank wearing one of those :).
  • 2
    @ilPinguino

    Nice! buying it now that is brilliant :D
  • 2
    @hash-table If I ever see you in public, I'll buy you a fish.
  • 4
    He ATE a sim card?? 😳
  • 3
    I don't have a link to this mask (middle of class so can't look right now, just finished a final), but I like this one best
  • 0
    @hash-table and what night vision doesn't use IR?
  • 0
    @devios1 and he ate it raw
  • 0
    @tmpnull That must have been *cough* loads of fun the next day.

    Wouldn’t a Bic lighter have been a more… digestible plan?
  • 0
    @korengali

    IR lights you up like a flare. All military night vision does not use IR otherwise you would be biggest target in entire night. They use ambient light.
  • 0
    @hash-table they receive ir, not project it.
  • 0
    @korengali

    They can see IR yes, but they do not use it to see in the night. Most cheap commercial cameras do.
  • 0
    @korengali

    And don't you think of they receive it where would the IR be generated for them to see? Cheap commercial night vision projects IR to use as the light source. Military night vision does not.
  • 0
    I'm well aware of how they work bud.
  • 2
    @infernalempress someone featured in the list has already pointed out to me that it wasn't 3 HDDs. It was 2 HDDs and an SSD. I'm definitely going to make more posts about my brethren.
  • 0
    @korengali

    I am also well aware how they work, considering I used them almost every day in the Marine Corps, but your initial question either isn't clear enough for me to understand what you are trying to convey, or indicates a misunderstanding somewhere.

    asking what night vision doesn't "use" IR, I answered -- high end night vision doesn't use IR, yes it can see light in the IR spectrum, but it does not 'use' IR. So it is obviously a difference of our definition of 'use'.
  • 0
    @hash-table I'll grab the 64-pack of Crayolas and tuck ya in pal.
  • 0
  • 0
    Alright I'll play nice. Your first post did not imply your use of "use" meant emitting. Your follow up ones did, that's where the confusion came in. I was in Afghan a couple years, I know pretty well how they work as well. The point I was trying to make with my first post was that they all NVGs use (not emit) IR wavelengths.

    Friend.
  • 0
    @korengali

    Sure I can see where the misunderstanding comes from in my initial comment here:

    "it will also make you a huge target in real night vision goggles that don't use IR as light." and what I meant by 'use', was doesn't produce its own IR lightsource. But really it will make you a target in all night vision goggles, even ones that produce IR light to illuminate the night. However this is also the reason you can blind cameras that produce/emit IR because they don't have safety mechanism in place to block overabundance of light.

    Which is why your response to the question confused me and I tried to go into further clarification, because not everyone on here understands the fundamental differences between commercial night vision/cameras that produce their own light source using IR light and ones that use strictly ambient light. My definition of use is that it produces it, which is ambiguous, so I apologize about my lack of writing skills.
  • 1
  • 0
    @irene might be something for me. I'm into that whole cyberpunk thing anyway... 👨🏼‍🎤
  • 1
    I would probably just die in most of @ilPinguino situations...
  • 1
    @hell trust me, humans can take a lot of damage before dying... I mean, we survive amputations, fractured bones can heal to the point where the limb is fully usable again and so can many other injuries (we also have competitions in consuming substances or pursuing activities that hurt us and consume poison for fun. We're more orcs than elves, basically)
    Still, it's no pleasure to get hurt (few things beat adrenaline and endorphins, but still, not worth it)... Though dumb luck is a factor that probably did get me through most shit. That and my sense of humor.
Add Comment