Notices by Tinker ☀️ (tinker@infosec.exchange)

Reminder to go to your local library and volunteer to speak on their behalf. Let them know that if folks try to come and ban books that you'll speak publicly against them.

We found out folks were going to be commenting at our library calling for banning books.

So.

We all went and spoke out against them.

Only one person got up and called for a ban. She went first. Everyone after her started calling out her behavior and telling the library staff to keep the books.

The first woman and a couple others soon left before the end of comments.

Drive them out. Protect our libraries.

Satire is dead.

~=8 Character Passwords Are Dead=~

New benchmark from the Hashcat Team shows a 2080Ti GPU passing 100 Billion password guesses per second (NTLM hash).

This means that the entire keyspace, or every possible combination of:
- Upper
- Lower
- Number
- Symbol

...of an 8 character password can be guessed in:

~2.5 hours

(8x 2080Ti GPUs against NTLM Windows hash)

#Hacking #Infosec

This has become a passion project of mine.

Open sourced, general purpose computing hardware.
Open sourced, cell phone tailored operating systems to run on that hardware.

Ideally anyone should be able to grab Off the Shelf (OTS) equipment, load an open sourced OS on it, and go.

And with that.... That's all I've got. If you're working on similar, reach out to me.

I'm ignorant in so many aspects of this, but I'm learning. I've got some work done, but there's still more.

Writeup on Installing KDE Plasma Mobile onto a Raspberry Pi, part of my TinkPhone project.

Cheers to all that helped and offered encouragement and support!

#TinkPhone #Phone #FOSS #RaspberryPi #KDE

https://www.tinker.sh/kde-plamo-rpi/

Wanna see an Internet Easter Egg?

Run a traceroute on the hostname: "bad.horse"

Linux: ~/$ traceroute -m 100 bad.horse
Windows: C:\> tracert -h 100 bad.horse

Popular Mechanics wrote an article about us!

@dallas_hackers #hacking

“Want to Be A Hacker? Go to Dallas.”

https://www.popularmechanics.com/technology/a24676415/dallas-hackers/

Dear $marriottMember,

In light of the recent breach, please sign into your Marriott profile and change your password.

hxxp://www.marriott.mal/passwdReset

Signed,
Marriott (We swear!)

Grandpa? Tell me about the cyberwars!

So there I was... Hunkered down behind the firewall trenches under a barrage of TCP scans!

All I remember seeing was an onslaught of SYN, SYN, SYN!!! We met them with RST after RST after RST!

#MicroFiction #SmallStories #TootFic

Identity Thieves that *copy* data from Surveillance companies are doing this same thing as those companies - using data of our lives against us without our input or control.

We should have control over our data.

This is a political issue.

Technology has only and will only continue to allow this surveillance at massive scale.

Vote, run for office, conduct civil disobedience (if you’re willing to face the consequences), call your representatives and hold them accountable.

#Privacy

Note: when a breach claims “stolen data” nothing is stolen.

Stolen implies that the original content is no longer available.

Data is copied.

This is why breaches at Equifax, Experian, Transunion (TLO), etc. have little impact on those corporations.

They can still do business.

#Privacy #Hacking #Infosec

Mastodon: Your DMs can be read by the admin(s) on your specific instance.

Twitter: Your DMs can be read by the entire Twitter Corporation.

This wired article ( https://www.wired.com/story/join-mastodon-twitter-alternative/ ) about Mastodon is mostly good. It covers the basic features and talks about a shift from Twitter to Mastodon.

It confuses one key issue though, and that’s the “culture” of Mastodon.

What we’re seeing now across the Fediverse are the first adopters. The fringe. The queer. The hackers. The staunch individualists. The communal care takers.

As Mastodon becomes more mainstream, the “culture” will shift.

If you’re here for the culture, be wary... 1/2

Now this is Social Engineering.

Stuttering John live records his vishing (voice phishing / conning over the phone) of the White House.

He actually gets in touch with President Trump on Airforce One.

#SocEng #SocialEngineering #InfoSec #Phishing #Vishing

http://stutteringjohnpodcast.libsyn.com/the-stuttering-john-podcast-4

There goes my hope for #KaiOS (a fork of FirefoxOS).

“Google Leads Series A Investment Round in KaiOS to Connect Next Billion Users”

#Google #FOSS #FuckOffGoogle

https://www.kaiostech.com/google-leads-seriesa-investment-round-kaios-connect-next-billion-users/

We've prepped and have a list of targets.

Let's hack their email servers and send an email from their CFO to their Accounts Payable staff. Wire some money to an offshore account.

#hacking #phishing #infosec

https://www.tinker.sh/phishing-using-an-email-server-against-itself/

So what I’m understanding is that I need to make it look like I’m coming from the EU and choose EU settings in order to get a semblance of privacy protection from centralized surveillance web sites?

#GDPR

Your daily dose of dystopia...

Google's thought experiment of the "Selfish Ledger."

Understanding the user so completely as to change the behavior of that user, then applying that at scale to change the behavior of entire populations.

#Google #DeleteGoogle #FuckGoogle #Privacy

https://www.theverge.com/2018/5/17/17344250/google-x-selfish-ledger-video-data-privacy

With all this in mind, from a Corporate Standpoint the risk is minimal. There are other more prevalent, less esoteric attacks that will get an attacker access to clear text emails than #efail.

From a privacy standpoint of folks who may be targeted by systemic attackers, there is an issue. The risk is minimized in that it is still a targeted attack (they have to send an email to *you* with an old encrypted message buried in it).

As such, the real Attack Scenario here is a Nation State attempting to decrypt old emails it sniffed in transit at the systemic level.

If they were able to get access to an end point of someone in a shared key thread, they probably can decrypt it with the stored private key on the endpoint, etc.

A nation state actor could feasibly break TLS or sniff traffic at the email provider, etc.

Their target would be activists, journalists, or military / other nation states.

#efail