Basejumper.com - archive

Any jumpers out there using encryption? I just started learning and was looking to test out what I have. Let me know and I'll post my public key.

I did for a while a couple of years ago. Nowdays, I just don't care that much, and I also realized how security is not a product but a complete system and when you start to realize this you just see all the other possible attack vectors and you're like "fuck that shit".

But I think it's a good idea, not only encryption but cryptographic authentication also.

yeah your right that it is a complete system to stay stealthy.
VPN encrypted tunneling, PGP mail, proxy servers, etc.

Learning as I go

Yes, but the problem with those solutions are that they add complexity to your system. When I say system, I mean everything from the house that your computer is in to the little microcontroller on your motherboard that's in charge of a couple of LEDs, to the software you're using from circuit firmware to application level software.

Last year at the CCC in Berlin, a guy demonstrated how you could use a wire inside the computer (I think it was a wire for some status LED) for RF-emissions to create a hidden channel. Of course, the strength of such a signal is not that great but it makes you think a lot about the possibilities.

A couple of years ago, I played around with a piece of software written by a german guy ( http://www.erikyyy.de/tempest/ ). It basically turns your CRT monitor into an AM transmitter. Makes you think. There's a lot of things inside your computer that can be made to transmit information.

Over at work, they showed us these information security movies from the late eighties complete with data tapes, 5.25' floppies and everything. Now this was before everything got complicated, right. Even back then they where able to read CRT monitors remotely. It's called RÖS over here, you might want to do a search for compromising emissions on google.

Also, if you use VPN tunnels or other kinds of proxy tech you need to be aware that, while it might make you more anonymous to your peers, you hand over the control of your information to an unknown third party. It's bad enough your traffic has to pass through your ISP, now it passes through some computer that tells you "hey, if you got stuff to hide, let me hide it for you. I promise I won't look at anything." Well, you see the problems here.

I did a little research a couple of years ago. I wrote a socks5 server (a kind of proxy server), deployed it and published the IP on various proxy lists. within minutes, very interesting traffic was passed through my computer. There was another guy some time ago who set up a TOR exit node and sniffed the traffic, he got stuff from embassies and corporations. People didn't realize anonymity is not the same as security.

Let's say you use PGP mail and you use an open implementation like gnupg that can be trusted. You verified the hashes to make sure that your download wasn't tampered with along the way. You use this application on a computer that you also use for surfing the web. Now we all know web browsers don't have the cleanest record when it comes to security. Add all the shit like Flash, stuff like the GDI+ bug of '05 and you realize that there's a lot of ways for people to enter your computer. Hell, microsoft released a remote vuln report on their TCP/IP implementation a couple of month ago. Who else knew?

So you use a pgp implementation on a system like that. You think it's secure? It's not secure. And then you hand your traffic over to untrusted third parties. Security is not about the applications you run, it's a complete concept.

What you need is a machine not hooked up to anything. Not even a wall socket. It must not be allowed to comunicate with the outside world at all. Copper mesh cage as in "Enemy of the State". A power generator too. Diesel. And you need a simple machine. You can build your own with TTL logic, but that might be a bit too much. A microcontroller based design (avr or arm are good) or something FPGA based will probably do. Have an SD card slot on it, a keyboard and a minimal display (like an HD44780 or a cheap Nokia display). Make that two SD slots, one for the keys and one for the outgoing (encryped and signed) data. Make sure the hardware cannot be tampered with in any way (easier said than done, physical security is hard work too). Make sure the keys are protected.

After a while of thinking like this, you'll either become an insane conspiracy theorist or you'll say "fuck it" and realize there are more fun things in life to care about.

But a little security might be better than none :)

OMG That's a lot of interesting info
Speaking of microcontrollers, who wants to see a working base jumping AAD (it counts the delay, not the altitude) based on a 3-axys accelerometer, an arduino and a servo?
I'll let my teddy bear jump it.

Your reply should be in the other thread titled "Things that make you say Holy Shit"!

You are right that there are many many ways for information to get out to the public or in the hands of hackers. I guess I'll go as far as I can before I go crazy, although sometimes I think I'm already pretty close!

I am starting all of this on a new mac and am really trying to pay attention to what information is going where but I am a novice computer user and know I miss lots of things. Your statement about anonymity ans security not being the same is so true and I am always thinking about the two. You definitely need a combination of the two.

I have encrypted my entire HD and am not downloading anything to it unless I know it's safe and I have an encrypted file folder to put it in. I am also using an encrypted USB stick to download various things instead of doing it directly to the HD. I use a portable version of foxfire browser when I can to surf the web so no history is stored on the HD. I will be using GnuPG for email encryption where applicable.

I agree with you about the VPN service knowing your details and have attempted to shield myself somewhat from them knowing too much by opening the account anonymously with bitcoins.
What are your thoughts on using VPN over TOR network or the other way around? Isn't that another layer of privacy?

I have entertained the idea of having a computer not online at all and only transferring data back and forth between other computers by USB stick or something similar. A Faraday cage is a good idea

Thanks for your insights I've got a lot to think about! Any other info is appreciated!


On an interesting side note... As I was researching VPN services a familiar name popped up. Ddog's new business is providing VPN cloud services. Cryptocloud. Haha he could have used this before all of his legal problems. At first I thought this would be a decent company to go with but then found out it was his... maybe it's part of his "deal" with the authorities to start this up to collect information on possible illegal activities?

That's the spirit :)

But how can you know what's safe? The data passes through a lot of nodes on it's way to you and often times you can't validate the source.

The software companies developing anti-virus products had all these experts telling people that "pictures can not contain viruses, neither can documents. all you have to watch out for is executable programs or MS Word files with macros".

Well, that turned out to be false. The software dealing with pictures and documents can have flaws too. Adobe had some serious flaws in their products that made it possible for .pdf files to execute arbitrary code (or rather, the rendering software for said format executed it), and this one was fun too: http://technet.microsoft.com/...ty/bulletin/ms05-053

Jailbreaking iphones used a .pdf rendering vuln for some time.

But they control the information flow to and from your computer. Maybe you logged in on facebook without SSL once, or signed up to the Apex BASE web shop. They can perform traffic analysis on everything, mapping your internet habits. Your ISP can do this if you're not using a VPN service.

When it comes to safety and security, be it in BASE jumping or in information technology, I'm a firm believer of the KISS principle.

If you're using TOR to access your VPN service, you're hiding your VPN service from your ISP. That might be good. But if your VPN service is a rouge one, it makes no difference in the long run. And if you're protecting yourself from the police, the VPN service doesn't have to be rouge for your information to get into "blue" hands.

If you're using a VPN service and then TOR, your ISP knows what VPN service you're using and you're putting your complete trust in the TOR exit node, a bad thing to do.

Just keep in mind that USB is a very complex protocol by itself. The USB stick actually tells your computer "Hello, I'm a USB mass storage device" and your computer says "ok, sounds good. I'll use you as one". But what if the USB stick told your computer "Hello, I'm a USB human interface device" and your computer said "ok, sounds good. I'll accept input from you then". Let's not forget that there might be vulnerabilities in the USB stack on your system, or all the fancy autorun stuff like u3.

That is interesting. Ddog was before my time as a jumper, but I have read articles about his activities.

do i miss something here?

you are all talking about pgp, vpn tunnels, proxis, encryption, etc, even about the hardware layer of your pc maybe not being secure, but then you run on windows?

if youre paranoid and you really want to have a safe system then stay away from portable devices, do not use wifi networks, and use an os that is anywhere close being safe like any stable linux distribution, or if your really want to be safe openBSD, and try to prevent installing additional software.

modeling any ms os into a safe by additional software (anti spyware,/virus/ firewalls, etc) is like trying to build a bomb shelter on basis of a cardboard box.

I don't see anyone who says they're using microsoft as their OS, but maybe I am the one missing something :)

Now that's what I'm saying! Or at least, that's what I mean when I say "security is not a product but a complete system". A security system is only as strong as its weakest link. (And cleanliness is next to Fordliness ;) )

whoops, sorry, then im totally with you on this... ;-)

Dude! You're overthinking it!

I found a object today, should I rebuild a dishwasher to send you the information to your microwave oven or just mail it?

I guess a good old, plain e-mail will do :)

something like this?

http://kidsheaveninlisle.com/images/100_4560.JPG