Setting up PGP

newer
Re: Tor, the pentagon's cyberweapon

Karl

11 Oct 2020 11 Oct '20

10:58 p.m.

Let's enumerate a few steps for setting up PGP. What's PGP? PGP is an old tool that makes it really irritating for government agents to change messages in transit. [s/Nobody uses pgp anymore because we've all either been beat up by corporate goonies for using it or had our networks and systems hacked to remove its use, and we can fix that./Everybody uses pgp in every message they send on the internet!/] I generally use gpg, gnupg, and pgp as interchangeable terms. PGP is irritating to set up, because to do it really right you need an airgapped computer to store your personal identifier on. Airgapped means it is disconnected from the normal internet. Otherwise your key is stolen when somebody breaks into the computer using it. Believe it or not, and this is pretty wellknown, systems are regularly broken into in massive worldwide droves as new vulnerabilities are discovered and revealed: these new vulnerabilities are called "0-days", and you can be pretty sure that anybody who doesn't use that term isn't a hacker. There's another issue: some people take new devices out of the mail, and break into them in advance, possibly even adding new communication hardware, then stealthily put them back in the mail before they are received. [s/Kind and caring corrupt federal people are well known to be forced to do this and have even leaked this to victims of it./Obviously if anybody actually did this they would feel so bad they would stop, but we still want to respect our use of pgp enough to consider it./] The risk seems small, but when you use PGP the integrity of the messages you exchange with everyone else is at stake, so it's good to take proper precautions. So, it's best to acquire your device for airgapping from a local reservoir of them, like a popular store that [s//takes friendly cash that keeps everyone's identity more safe/]. This way you get the same set of system compromises and vulnerabilities that everybody else at the store gets, which means those compromises are not going to be placed specifically against your use as an airgapped security device. A lot of people will say worrying about this is paranoid. This is a way to tell that they are not hackers, either. Hackers who can actually reliably communicate with their peers consider paranoia to be good, and make it their business to act on it. When considering a device, you'll ideally want one that doesn't have any wireless networking hardware in it. Otherwise you'll ideally want to remove or disable all the wireless networking hardware, which [s/is pretty much impossible if your hands shake all day from being tortured for being an anarchist/is lots of fun to learn to do at a local urban makerspace where you can get lots of help on the kinds of things I'm posting about from people passionate about helping/]. If you happen to live in the usa near randall munroe, one of the many areas where a lot of open source hackers used to live, you could probably buy a small board without a wifi chip called a "pi zero" from a store called "microcenter". Another approach could be to repurpose something like an OLPC XO and remove the wifi board, which is very easy to do. After finding a good candidate airgapped device, you'll want to be careful with how you use it. Remember, whenever a new vulnerability is found, trojans cover the world taking advantage of it, and then try to find a way to hide inside the corners of all the systems they find. So, any drive you put in your new device, anything you plug into it, any update you apply, could be filled with computer-measles that would find a way to trick it into giving remote control to them. Keep it isolated until you have things set up for use. The next step after getting a reasonable airgapped device, maybe a pi zero, and ideally keeping it isolated, would be to install gnupg on it. Maybe in a forthcoming email!

Show replies by date

Stefan Claas

12 Oct 12 Oct

10:23 a.m.

Karl wrote: [...]

...

After finding a good candidate airgapped device, you'll want to be careful with how you use it. Remember, whenever a new vulnerability is found, trojans cover the world taking advantage of it, and then try to find a way to hide inside the corners of all the systems they find. So, any drive you put in your new device, anything you plug into it, any update you apply, could be filled with computer-measles that would find a way to trick it into giving remote control to them. Keep it isolated until you have things set up for use.

The next step after getting a reasonable airgapped device, maybe a pi zero, and ideally keeping it isolated, would be to install gnupg on it. Maybe in a forthcoming email!

GnuPG should be already installed with Linux (Raspberian OS etc.). The thing I would like ask you, how would you communicate securely with your air-gapped device? What I did in the past was to install on the online device and offline device the free (cross-platform) software CoolTerm and I connected both devices with an FTDI USB to USB cable, so that I could do serial communications and was also able to see how many bytes (from a PGP message) was transfered. Another approach I am currently playing with is to play with NFC tags and a reader/writer device, which can be used offline as well. Regards Stefan -- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

John Young

12:39 p.m.

Use of any online or digital programs and/or devices for comsec/infosec should be avoided unless completely enclosed and transmitted with non-online or non-digital means. There are a number of non-onlne and non-digital means available, the first and most reliable is your brain so long as it is not contaminated with belief in online and digital prejudice now over a century in promulgaton. The principal efforts for this promulgation is computers, coding, obfuscation, propaganda, arcanity, scientism, residual astrology, confidence gaming, spouting mantras, i.e., "cypherpunks write code." https://www.google.com/search?q=cypherpunks+write+code&rlz=1C1AOHY_enUS708US708&oq=cypherpunks+write+code&aqs=chrome..69i57.5595j0j7&sourceid=chrome&ie=UTF-8 This oh so cool mantra derives from the magicial, bewitching lodestone "national security," the abiding weapon of nations governed as royalty, heirarchical, the few overlording the many with force, elections, education, faith and trivializing deriviatives of entertainment, media, chat, parties, militants, rebels, revolutionaries, independents, intellectuals, geniuses, "democracies" ruled by kingdoms of presidents, congresses, courts. Nonetheless, always a nonetheless apologia for top-down regimes, far more rewarding to cooperate with authorities than to defy them, more lucrative too. So backdoors in crypto, each and every version, must be inherent code, along with outpourings of assurances there are workarounds to escape the many and be one of the few. Today, that is marketed as "smart." At 06:23 AM 10/12/2020, Stefan Claas wrote:

...

Karl wrote:

[...]

...
After finding a good candidate airgapped device, you'll want to be careful with how you use it. Remember, whenever a new vulnerability is found, trojans cover the world taking advantage of it, and then try to find a way to hide inside the corners of all the systems they find. So, any drive you put in your new device, anything you plug into it, any update you apply, could be filled with computer-measles that would find a way to trick it into giving remote control to them. Keep it isolated until you have things set up for use.

The next step after getting a reasonable airgapped device, maybe a pi zero, and ideally keeping it isolated, would be to install gnupg on it. Maybe in a forthcoming email!

GnuPG should be already installed with Linux (Raspberian OS etc.). The thing I would like ask you, how would you communicate securely with your air-gapped device?

What I did in the past was to install on the online device and offline device the free (cross-platform) software CoolTerm and I connected both devices with an FTDI USB to USB cable, so that I could do serial communications and was also able to see how many bytes (from a PGP message) was transfered.

Another approach I am currently playing with is to play with NFC tags and a reader/writer device, which can be used offline as well.

Regards Stefan

-- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

Stefan Claas

12:58 p.m.

John Young wrote:

...

Use of any online or digital programs and/or devices for comsec/infosec should be avoided unless completely enclosed and transmitted with non-online or non-digital means.

[...] Thanks for your reply, much appreciated! I think the problem nowadays is that when it comes to crypto etc. you won't hear from well known Cryptographers or Programmers, in this field, how to use Cryptography properly. I, for example, can use unbreakable pen&paper cyphers and as TRNG scrabble tiles, pulled from a bag, and additionally to be able to copy pads an 50' mechanical typewriter with blue paper instead of hand writing them. Best regards Stefan -- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

Karl

3:36 p.m.

Received this reply late. On 10/12/20, John Young wrote:

...

Use of any online or digital programs and/or devices for comsec/infosec should be avoided unless completely enclosed and transmitted with non-online or non-digital means. There are a number of non-onlne and non-digital means available, the first and most reliable is your brain so long as it is not contaminated with belief

This shows that this guy has never been [s/hit in the head with a baseball bat by a corporate goonie/forgetful/] or at least is too [s/embarrassed among all these hackers/scared among all these international influences/] to talk about it straight. Brains are reliable because they teach us how to jump into burning dumpsters to escape being hunted by goonies, not because they can store anything permanently.

...

in online and digital prejudice now over a century in promulgaton. The principal efforts for this promulgation is computers, coding, obfuscation, propaganda, arcanity, scientism, residual astrology, confidence gaming, spouting mantras, i.e., "cypherpunks write code."

You can tell this guy is a legit hacker because he is proposing to write software instead of doing anything else. He's even reminding us that it is expected that everybody here has that opinion. I can't really understand most of what else he's saying.

...

https://www.google.com/search?q=cypherpunks+write+code&rlz=1C1AOHY_enUS708US708&oq=cypherpunks+write+code&aqs=chrome..69i57.5595j0j7&sourceid=chrome&ie=UTF-8

I typed this into duckduckgo ("cypherpunks write code") and got results that look really great to me. I haven't tried google, although usually I do try to [s/brainwash myself permanently in the databases of people who hate my values/work with any success with my corporate friends/] with it.

...

This oh so cool mantra derives from the magicial, bewitching lodestone "national security," the abiding weapon of nations governed as royalty, heirarchical, the few overlording the many with force, elections, education, faith and trivializing deriviatives of entertainment, media, chat, parties, militants, rebels, revolutionaries, independents, intellectuals, geniuses, "democracies" ruled by kingdoms of presidents, congresses, courts.

Nonetheless, always a nonetheless apologia for top-down regimes, far more rewarding to cooperate with authorities than to defy them, more lucrative too. So backdoors in crypto, each and every version, must be inherent code, along with outpourings of assurances there are workarounds to escape the many and be one of the few. Today, that is marketed as "smart."

Some of these words are likely a pretty avenue for new upcoming hackers, like looking at a sunrise. If understood, you might be able to use them to [s/manipulate everyone using google into ignoring the cypherpunks movement and becoming corporate workers/make peace with the people here who seem able to out-hack you/]. It sounds like he's also saying that cypherpunks is totally coopted by government. Maybe we should ask them if they can help us with our [s/spy mafia/forgetfulness/] issues? Noo ..... we know that govcorp is bad because it has [s/ripped our bodies and communities to shreds/raised prices on important things that people need/]. If this guy is a legit hacker (which is implied by his "cypherpunks write code" expression), then by talking about valuing backdoors in everything and national security, he would be being _obviously sarcastic_, _begging for help_, a _corporate goonie smart enough to say "cypherpunks write code"_, or most likely has been _coerced by extensive mean experiences stemming from corporate goonies_. This means he is somebody who can help us, and somebody we can help, both!

...

At 06:23 AM 10/12/2020, Stefan Claas wrote:

...
Karl wrote:

[...]

...
After finding a good candidate airgapped device, you'll want to be careful with how you use it. Remember, whenever a new vulnerability is found, trojans cover the world taking advantage of it, and then try to find a way to hide inside the corners of all the systems they find. So, any drive you put in your new device, anything you plug into it, any update you apply, could be filled with computer-measles that would find a way to trick it into giving remote control to them. Keep it isolated until you have things set up for use.

The next step after getting a reasonable airgapped device, maybe a pi zero, and ideally keeping it isolated, would be to install gnupg on it. Maybe in a forthcoming email!

GnuPG should be already installed with Linux (Raspberian OS etc.). The thing I would like ask you, how would you communicate securely with your air-gapped device?

What I did in the past was to install on the online device and offline device the free (cross-platform) software CoolTerm and I connected both devices with an FTDI USB to USB cable, so that I could do serial communications and was also able to see how many bytes (from a PGP message) was transfered.

Another approach I am currently playing with is to play with NFC tags and a reader/writer device, which can be used offline as well.

Regards Stefan

-- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

Karl

3:41 p.m.

On 10/12/20, Karl wrote:

...

Received this reply late.

On 10/12/20, John Young wrote:

...
Use of any online or digital programs and/or devices for comsec/infosec should be avoided unless completely enclosed and transmitted with non-online or non-digital means. There are a number of non-onlne and non-digital means available, the first and most reliable is your brain so long as it is not contaminated with belief

This shows that this guy has never been [s/hit in the head with a baseball bat by a corporate goonie/forgetful/] or at least is too [s/embarrassed among all these hackers/scared among all these international influences/] to talk about it straight. Brains are reliable because they teach us how to jump into burning dumpsters to escape being hunted by goonies, not because they can store anything permanently.

...
in online and digital prejudice now over a century in promulgaton. The principal efforts for this promulgation is computers, coding, obfuscation, propaganda, arcanity, scientism, residual astrology, confidence gaming, spouting mantras, i.e., "cypherpunks write code."

Adding recognition, late, that John is expressing _dislike_ of technology and software development. punk-stasi would like that, I imagine.

...

You can tell this guy is a legit hacker because he is proposing to write software instead of doing anything else. He's even reminding us that it is expected that everybody here has that opinion. I can't really understand most of what else he's saying.

...
https://www.google.com/search?q=cypherpunks+write+code&rlz=1C1AOHY_enUS708US708&oq=cypherpunks+write+code&aqs=chrome..69i57.5595j0j7&sourceid=chrome&ie=UTF-8

I typed this into duckduckgo ("cypherpunks write code") and got results that look really great to me. I haven't tried google, although usually I do try to [s/brainwash myself permanently in the databases of people who hate my values/work with any success with my corporate friends/] with it.

...
This oh so cool mantra derives from the magicial, bewitching lodestone "national security," the abiding weapon of nations governed as royalty, heirarchical, the few overlording the many with force, elections, education, faith and trivializing deriviatives of entertainment, media, chat, parties, militants, rebels, revolutionaries, independents, intellectuals, geniuses, "democracies" ruled by kingdoms of presidents, congresses, courts.

Nonetheless, always a nonetheless apologia for top-down regimes, far more rewarding to cooperate with authorities than to defy them, more lucrative too. So backdoors in crypto, each and every version, must be inherent code, along with outpourings of assurances there are workarounds to escape the many and be one of the few. Today, that is marketed as "smart."

Some of these words are likely a pretty avenue for new upcoming hackers, like looking at a sunrise. If understood, you might be able to use them to [s/manipulate everyone using google into ignoring the cypherpunks movement and becoming corporate workers/make peace with the people here who seem able to out-hack you/].

It sounds like he's also saying that cypherpunks is totally coopted by government. Maybe we should ask them if they can help us with our [s/spy mafia/forgetfulness/] issues?

Noo ..... we know that govcorp is bad because it has [s/ripped our bodies and communities to shreds/raised prices on important things that people need/]. If this guy is a legit hacker (which is implied by his "cypherpunks write code" expression), then by talking about valuing backdoors in everything and national security, he would be being _obviously sarcastic_, _begging for help_, a _corporate goonie smart enough to say "cypherpunks write code"_, or most likely has been _coerced by extensive mean experiences stemming from corporate goonies_. This means he is somebody who can help us, and somebody we can help, both!

...
At 06:23 AM 10/12/2020, Stefan Claas wrote:

...
Karl wrote:

[...]

...
After finding a good candidate airgapped device, you'll want to be careful with how you use it. Remember, whenever a new vulnerability is found, trojans cover the world taking advantage of it, and then try to find a way to hide inside the corners of all the systems they find. So, any drive you put in your new device, anything you plug into it, any update you apply, could be filled with computer-measles that would find a way to trick it into giving remote control to them. Keep it isolated until you have things set up for use.

The next step after getting a reasonable airgapped device, maybe a pi zero, and ideally keeping it isolated, would be to install gnupg on it. Maybe in a forthcoming email!

GnuPG should be already installed with Linux (Raspberian OS etc.). The thing I would like ask you, how would you communicate securely with your air-gapped device?

What I did in the past was to install on the online device and offline device the free (cross-platform) software CoolTerm and I connected both devices with an FTDI USB to USB cable, so that I could do serial communications and was also able to see how many bytes (from a PGP message) was transfered.

Another approach I am currently playing with is to play with NFC tags and a reader/writer device, which can be used offline as well.

Regards Stefan

-- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

Karl

3:55 p.m.

I'm actually reading this a few times to try to force all the interconnected meaning into my messed up short term memory, and I think John is saying he can help us if I can translate. On 10/12/20, Karl wrote:

...

On 10/12/20, Karl wrote:

...
Received this reply late.

On 10/12/20, John Young wrote:

...
Use of any online or digital programs and/or devices for comsec/infosec should be avoided unless completely enclosed and transmitted with non-online or non-digital means. There are a number of non-onlne and non-digital means available, the first and most reliable is your brain so long as it is not contaminated with belief in online and digital prejudice now over a century in promulgaton. The principal efforts for this promulgation is computers, coding, obfuscation, propaganda, arcanity, scientism, residual astrology, confidence gaming, spouting mantras, i.e., "cypherpunks write code."

John's saying that you need to shield your communication device and write down or memorize anything you want to bring in or out of the shielded enclosure. Nothing with metal moves in or out of the shielded enclosure. He's also saying there may be minimal need for digital cryptography, maybe to a smaller audience.

...

...
...
https://www.google.com/search?q=cypherpunks+write+code&rlz=1C1AOHY_enUS708US708&oq=cypherpunks+write+code&aqs=chrome..69i57.5595j0j7&sourceid=chrome&ie=UTF-8 This oh so cool mantra derives from the magicial, bewitching lodestone "national security," the abiding weapon of nations governed as royalty, heirarchical, the few overlording the many with force, elections, education, faith and trivializing deriviatives of entertainment, media, chat, parties, militants, rebels, revolutionaries, independents, intellectuals, geniuses, "democracies" ruled by kingdoms of presidents, congresses, courts.

Here I think John is saying that the cypherpunks movement stems from authority itself, which anybody who _isn't_ a cypherpunk and _doesn't_ understand computers well, would likely assume.

...

...
...
Nonetheless, always a nonetheless apologia for top-down regimes, far more rewarding to cooperate with authorities than to defy them, more lucrative too. So backdoors in crypto, each and every version, must be inherent code, along with outpourings of assurances there are workarounds to escape the many and be one of the few. Today, that is marketed as "smart."

I think John here might be expressing frustration, it's hard to tell. John, do you think the people putting backdoors in their cryptography _want_ to? Do you trust that all these unsigned messages are actually from your friends hearts? Ask any marketing worker with goonies like us behind them: backdoors in consumer software and hardware are _bugs_ to be _squashed_: _stupid_ _errors_, not _smart_ _code_!

...

...
...
At 06:23 AM 10/12/2020, Stefan Claas wrote:

...
Karl wrote:

[...]

...
After finding a good candidate airgapped device, you'll want to be careful with how you use it. Remember, whenever a new vulnerability is found, trojans cover the world taking advantage of it, and then try to find a way to hide inside the corners of all the systems they find. So, any drive you put in your new device, anything you plug into it, any update you apply, could be filled with computer-measles that would find a way to trick it into giving remote control to them. Keep it isolated until you have things set up for use.

The next step after getting a reasonable airgapped device, maybe a pi zero, and ideally keeping it isolated, would be to install gnupg on it. Maybe in a forthcoming email!

GnuPG should be already installed with Linux (Raspberian OS etc.). The thing I would like ask you, how would you communicate securely with your air-gapped device?

What I did in the past was to install on the online device and offline device the free (cross-platform) software CoolTerm and I connected both devices with an FTDI USB to USB cable, so that I could do serial communications and was also able to see how many bytes (from a PGP message) was transfered.

Another approach I am currently playing with is to play with NFC tags and a reader/writer device, which can be used offline as well.

Regards Stefan

-- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

grarpamp

10:49 p.m.

On 10/12/20, John Young wrote:

...

the magicial, bewitching lodestone "national security," the abiding weapon of nations governed as royalty, heirarchical, the few overlording the many with force, elections, education, faith and trivializing deriviatives of entertainment, media, chat, parties, militants, rebels, revolutionaries, independents, intellectuals, geniuses, "democracies" ruled by kingdoms of presidents, congresses, courts.

Nonetheless, always a nonetheless apologia for top-down regimes, far more rewarding to cooperate with authorities than to defy them, more lucrative too. So backdoors in crypto, each and every version, must be inherent code, along with outpourings of assurances there are workarounds to escape the many and be one of the few. Today, that is marketed as "smart."

Democracy - noun: A distributed, intentionally much harder to kill as such, version of the same old tyrant King. A confusing shuffle game, a fraudulent trap, set for the eyes and minds of free humans. A thoroughly successful sinister global power play, having traded self determination for false representation at closeout prices. A descent, from which recovery toward freedom becomes all the much harder. A system, exquisitely designed and taught, whereby the "majority" do subject the "minority" to arbitrary whim, up to and including death.

Zenaan Harkness

14 Oct 14 Oct

11:32 p.m.

The top down regimes are the only regimes we see. There are no significant non-hierarchical regimes which dominate, and hierarchical regimes dominate. At least historically. This presents the dilemma: - better tech is co-opted by the regime of the day, or is used to create a new, more dominant, regime - if better tech = "un-breakable" tech, this may also mean an unchallengable dominant regime - present tech is so riddled with "backdoors", at every level (hw, bios, drivers, kernel, comms, devices, apps), that improving one level likely poses exactly Zero threat (of "lack of back door to escape/ prod the regime") to dissidents - any better-than-Tor Tor replacement, even a very good one, is presently "bound" by the limitations of Apple and Gewgoyle 'walled gardens', backdoored uefis and wifis and usb-is and central network-skis and etc-is, that said better than Tor alt net poses relatively little obstacle to neo-traditional "full take" bulk spy us all, and likewise little limitation to regime prodding hacker crackers and their "flashing GIFs and they're on the Internet and nobody can find them please make me Sec Def my arse is about to do serious prison time forget Benghazi pls focus on Burisma" Soap, one more time: in the short to medium term, we are nowhere near "crack hack proof" tech, hw, nets, etc. Privacy improvements, for what they're worth, and to the extent the balance tilts to their being utilized by lower downs in their dissidence against higher ups (rather than vice versa), may well be useful stepping stones to #100+435, or the next Goldman doc dump, or whatever floats yer boat. --- Every meme, caution, constructive step to take, consideration, is time dependent, and time track dependent. The backdoor caution is future time, a possible future track. Today's actions by we "little butterflies flapping our Lorenzian wings of intention nudging towards future outcomes from the chaotic soup of present possibilities" are bound in the present moment, notwithstanding their potentially incredible futures. Much to consider. Some easy answers, some tough cnuts. --- On the scale of ~380 million USA population, today's engagement in 'the public political discourse' is a huge rung above what most of history discloses. Thank memes. Thank Pepe le Begotten Son of Kek. Thank the "bad" orange man who grabbed US backruptcy laws by the coccyx to succeed where few goys have succeeded. The NRA beckons - protect your great Second Amendment - become a paid member - target weak red and blue seats - grab that present public engagement surfboad and ride the bloody wave already - opportunities muffas! - wreak some libertine havok - teach the #NeverTrump ers a bloody lesson - embrace your inner gun nut, or free speech nut, or leadership nut, or cheerleader nut or or or .... HINTs: - If you take a Red or Blue seat in 2022, and you are a "3rd or 4th or independent seat holder", you can STILL give your vote to Trump (or whoever of course...) in the "race to 270" electoral college vote. - When targetting a weak seat, there are many ways to target, e.g.: - run within the party of the seat you are targetting (R or D), - or run with a 3rd or new party if that is a better strategy e.g. libertarian or NRA affiliate or whatever, - e.g. to split the vote of say a D seat and help hand that seat to Trump, consider do this by pre-arrangement with your actual Memester or NRA buddy (this relationship unknown publicly) running for Trump, whilst you feign to "vehemently" oppose him as you split the D vote for that particular seat :D - Consider to reduce false dichotomies - If any topic gets too hot for you to handle when being questioned, run it as "conscience vote", that is, certain social or socio-political issues (e.g. abortion), if it gets too hot to handle, handball it to "that should be a conscience vote". Have fun muh gritties ... If the Blue or some other pill is your thing, put brain into gear, target the weak spots, coordinate, engage, wrangle some joy outta life as you do your thing. Some will appear to assist you as many prefer to follow. If politics is not your thing, figure out what is your thing in your life, perhaps farming, family, shooting, fishing, travelling. Live your best life in this world you find yourself in. Good luck and God speed, On Mon, Oct 12, 2020 at 08:39:12AM -0400, John Young wrote:

...

Use of any online or digital programs and/or devices for comsec/infosec should be avoided unless completely enclosed and transmitted with non-online or non-digital means. There are a number of non-onlne and non-digital means available, the first and most reliable is your brain so long as it is not contaminated with belief in online and digital prejudice now over a century in promulgaton. The principal efforts for this promulgation is computers, coding, obfuscation, propaganda, arcanity, scientism, residual astrology, confidence gaming, spouting mantras, i.e., "cypherpunks write code."

https://www.google.com/search?q=cypherpunks+write+code&rlz=1C1AOHY_enUS708US708&oq=cypherpunks+write+code&aqs=chrome..69i57.5595j0j7&sourceid=chrome&ie=UTF-8

This oh so cool mantra derives from the magicial, bewitching lodestone "national security," the abiding weapon of nations governed as royalty, heirarchical, the few overlording the many with force, elections, education, faith and trivializing deriviatives of entertainment, media, chat, parties, militants, rebels, revolutionaries, independents, intellectuals, geniuses, "democracies" ruled by kingdoms of presidents, congresses, courts.

Nonetheless, always a nonetheless apologia for top-down regimes, far more rewarding to cooperate with authorities than to defy them, more lucrative too. So backdoors in crypto, each and every version, must be inherent code, along with outpourings of assurances there are workarounds to escape the many and be one of the few. Today, that is marketed as "smart."

At 06:23 AM 10/12/2020, Stefan Claas wrote:

...
Karl wrote:

[...]

...
After finding a good candidate airgapped device, you'll want to be careful with how you use it. Remember, whenever a new vulnerability is found, trojans cover the world taking advantage of it, and then try to find a way to hide inside the corners of all the systems they find. So, any drive you put in your new device, anything you plug into it, any update you apply, could be filled with computer-measles that would find a way to trick it into giving remote control to them. Keep it isolated until you have things set up for use.

The next step after getting a reasonable airgapped device, maybe a pi zero, and ideally keeping it isolated, would be to install gnupg on it. Maybe in a forthcoming email!

GnuPG should be already installed with Linux (Raspberian OS etc.). The thing I would like ask you, how would you communicate securely with your air-gapped device?

What I did in the past was to install on the online device and offline device the free (cross-platform) software CoolTerm and I connected both devices with an FTDI USB to USB cable, so that I could do serial communications and was also able to see how many bytes (from a PGP message) was transfered.

Another approach I am currently playing with is to play with NFC tags and a reader/writer device, which can be used offline as well.

Regards Stefan

-- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

Karl

11:45 p.m.

I might respond to your smart argument here (against security on a security-focused list) but I'm more worried about all the strange things that follow it. Do you know why I want to pressure you into stopping or changing your posts? In me I think it has to do with disagreeing with you and having no dialogue. Are you trying to manipulate us? On Wed, Oct 14, 2020, 7:33 PM Zenaan Harkness wrote:

...

The top down regimes are the only regimes we see. There are no significant non-hierarchical regimes which dominate, and hierarchical regimes dominate. At least historically.

This presents the dilemma:

- better tech is co-opted by the regime of the day, or is used to create a new, more dominant, regime

- if better tech = "un-breakable" tech, this may also mean an unchallengable dominant regime

- present tech is so riddled with "backdoors", at every level (hw, bios, drivers, kernel, comms, devices, apps), that improving one level likely poses exactly Zero threat (of "lack of back door to escape/ prod the regime") to dissidents

- any better-than-Tor Tor replacement, even a very good one, is presently "bound" by the limitations of Apple and Gewgoyle 'walled gardens', backdoored uefis and wifis and usb-is and central network-skis and etc-is, that said better than Tor alt net poses relatively little obstacle to neo-traditional "full take" bulk spy us all, and likewise little limitation to regime prodding hacker crackers and their "flashing GIFs and they're on the Internet and nobody can find them please make me Sec Def my arse is about to do serious prison time forget Benghazi pls focus on Burisma"

Soap, one more time: in the short to medium term, we are nowhere near "crack hack proof" tech, hw, nets, etc. Privacy improvements, for what they're worth, and to the extent the balance tilts to their being utilized by lower downs in their dissidence against higher ups (rather than vice versa), may well be useful stepping stones to #100+435, or the next Goldman doc dump, or whatever floats yer boat.

--- Every meme, caution, constructive step to take, consideration, is time dependent, and time track dependent. The backdoor caution is future time, a possible future track. Today's actions by we "little butterflies flapping our Lorenzian wings of intention nudging towards future outcomes from the chaotic soup of present possibilities" are bound in the present moment, notwithstanding their potentially incredible futures.

Much to consider.

Some easy answers, some tough cnuts.

--- On the scale of ~380 million USA population, today's engagement in 'the public political discourse' is a huge rung above what most of history discloses. Thank memes. Thank Pepe le Begotten Son of Kek. Thank the "bad" orange man who grabbed US backruptcy laws by the coccyx to succeed where few goys have succeeded.

The NRA beckons - protect your great Second Amendment - become a paid member - target weak red and blue seats - grab that present public engagement surfboad and ride the bloody wave already - opportunities muffas! - wreak some libertine havok - teach the #NeverTrump ers a bloody lesson - embrace your inner gun nut, or free speech nut, or leadership nut, or cheerleader nut or or or ....

HINTs:

- If you take a Red or Blue seat in 2022, and you are a "3rd or 4th or independent seat holder", you can STILL give your vote to Trump (or whoever of course...) in the "race to 270" electoral college vote. - When targetting a weak seat, there are many ways to target, e.g.: - run within the party of the seat you are targetting (R or D), - or run with a 3rd or new party if that is a better strategy e.g. libertarian or NRA affiliate or whatever, - e.g. to split the vote of say a D seat and help hand that seat to Trump, consider do this by pre-arrangement with your actual Memester or NRA buddy (this relationship unknown publicly) running for Trump, whilst you feign to "vehemently" oppose him as you split the D vote for that particular seat :D

- Consider to reduce false dichotomies - If any topic gets too hot for you to handle when being questioned, run it as "conscience vote", that is, certain social or socio-political issues (e.g. abortion), if it gets too hot to handle, handball it to "that should be a conscience vote".

Have fun muh gritties ...

If the Blue or some other pill is your thing, put brain into gear, target the weak spots, coordinate, engage, wrangle some joy outta life as you do your thing. Some will appear to assist you as many prefer to follow.

If politics is not your thing, figure out what is your thing in your life, perhaps farming, family, shooting, fishing, travelling.

Live your best life in this world you find yourself in.

Good luck and God speed,

On Mon, Oct 12, 2020 at 08:39:12AM -0400, John Young wrote:

...
Use of any online or digital programs and/or devices for comsec/infosec should be avoided unless completely enclosed and transmitted with non-online or non-digital means. There are a number of non-onlne and non-digital means available, the first and most reliable is your brain so long as it is not contaminated with belief in online and digital prejudice now over a century in promulgaton. The principal efforts for this promulgation is computers, coding, obfuscation, propaganda, arcanity, scientism, residual astrology, confidence gaming, spouting mantras, i.e., "cypherpunks write code."

https://www.google.com/search?q=cypherpunks+write+code&rlz=1C1AOHY_enUS708US708&oq=cypherpunks+write+code&aqs=chrome..69i57.5595j0j7&sourceid=chrome&ie=UTF-8

...
This oh so cool mantra derives from the magicial, bewitching lodestone "national security," the abiding weapon of nations governed as royalty, heirarchical, the few overlording the many with force, elections,

...
faith and trivializing deriviatives of entertainment, media, chat,

...
militants, rebels, revolutionaries, independents, intellectuals, geniuses, "democracies" ruled by kingdoms of presidents, congresses, courts.

Nonetheless, always a nonetheless apologia for top-down regimes, far more rewarding to cooperate with authorities than to defy them, more lucrative too. So backdoors in crypto, each and every version, must be inherent code, along with outpourings of assurances there are workarounds to escape the many and be one of the few. Today, that is marketed as "smart."

At 06:23 AM 10/12/2020, Stefan Claas wrote:

...
Karl wrote:

[...]

...
After finding a good candidate airgapped device, you'll want to be careful with how you use it. Remember, whenever a new vulnerability is found, trojans cover the world taking advantage of it, and then

...
...
...
to find a way to hide inside the corners of all the systems they find. So, any drive you put in your new device, anything you plug into it, any update you apply, could be filled with computer-measles that would find a way to trick it into giving remote control to them. Keep it isolated until you have things set up for use.

The next step after getting a reasonable airgapped device, maybe a pi zero, and ideally keeping it isolated, would be to install gnupg on it. Maybe in a forthcoming email!

GnuPG should be already installed with Linux (Raspberian OS etc.). The thing I would like ask you, how would you communicate securely with your air-gapped device?

What I did in the past was to install on the online device and offline device the free (cross-platform) software CoolTerm and I connected both devices with an FTDI USB to USB cable, so that I could do serial communications and was also able to see how many bytes (from a PGP message) was

education, parties, try transfered.

...
...
Another approach I am currently playing with is to play with NFC tags

and

...
a reader/writer device, which can be used offline as well.

Regards Stefan

-- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

Karl

15 Oct 15 Oct

12:34 a.m.

I have not preserved nor fed to the Democratic party the information Zenaan shares. If that needs to be done, somebody more free than me, do so. On Wed, Oct 14, 2020, 7:45 PM Karl wrote:

...

I might respond to your smart argument here (against security on a security-focused list) but I'm more worried about all the strange things that follow it.

Do you know why I want to pressure you into stopping or changing your posts? In me I think it has to do with disagreeing with you and having no dialogue.

Are you trying to manipulate us?

On Wed, Oct 14, 2020, 7:33 PM Zenaan Harkness wrote:

...
The top down regimes are the only regimes we see. There are no significant non-hierarchical regimes which dominate, and hierarchical regimes dominate. At least historically.

This presents the dilemma:

- better tech is co-opted by the regime of the day, or is used to create a new, more dominant, regime

- if better tech = "un-breakable" tech, this may also mean an unchallengable dominant regime

- present tech is so riddled with "backdoors", at every level (hw, bios, drivers, kernel, comms, devices, apps), that improving one level likely poses exactly Zero threat (of "lack of back door to escape/ prod the regime") to dissidents

- any better-than-Tor Tor replacement, even a very good one, is presently "bound" by the limitations of Apple and Gewgoyle 'walled gardens', backdoored uefis and wifis and usb-is and central network-skis and etc-is, that said better than Tor alt net poses relatively little obstacle to neo-traditional "full take" bulk spy us all, and likewise little limitation to regime prodding hacker crackers and their "flashing GIFs and they're on the Internet and nobody can find them please make me Sec Def my arse is about to do serious prison time forget Benghazi pls focus on Burisma"

Soap, one more time: in the short to medium term, we are nowhere near "crack hack proof" tech, hw, nets, etc. Privacy improvements, for what they're worth, and to the extent the balance tilts to their being utilized by lower downs in their dissidence against higher ups (rather than vice versa), may well be useful stepping stones to #100+435, or the next Goldman doc dump, or whatever floats yer boat.

--- Every meme, caution, constructive step to take, consideration, is time dependent, and time track dependent. The backdoor caution is future time, a possible future track. Today's actions by we "little butterflies flapping our Lorenzian wings of intention nudging towards future outcomes from the chaotic soup of present possibilities" are bound in the present moment, notwithstanding their potentially incredible futures.

Much to consider.

Some easy answers, some tough cnuts.

--- On the scale of ~380 million USA population, today's engagement in 'the public political discourse' is a huge rung above what most of history discloses. Thank memes. Thank Pepe le Begotten Son of Kek. Thank the "bad" orange man who grabbed US backruptcy laws by the coccyx to succeed where few goys have succeeded.

The NRA beckons - protect your great Second Amendment - become a paid member - target weak red and blue seats - grab that present public engagement surfboad and ride the bloody wave already - opportunities muffas! - wreak some libertine havok - teach the #NeverTrump ers a bloody lesson - embrace your inner gun nut, or free speech nut, or leadership nut, or cheerleader nut or or or ....

HINTs:

- If you take a Red or Blue seat in 2022, and you are a "3rd or 4th or independent seat holder", you can STILL give your vote to Trump (or whoever of course...) in the "race to 270" electoral college vote. - When targetting a weak seat, there are many ways to target, e.g.: - run within the party of the seat you are targetting (R or D), - or run with a 3rd or new party if that is a better strategy e.g. libertarian or NRA affiliate or whatever, - e.g. to split the vote of say a D seat and help hand that seat to Trump, consider do this by pre-arrangement with your actual Memester or NRA buddy (this relationship unknown publicly) running for Trump, whilst you feign to "vehemently" oppose him as you split the D vote for that particular seat :D

- Consider to reduce false dichotomies - If any topic gets too hot for you to handle when being questioned, run it as "conscience vote", that is, certain social or socio-political issues (e.g. abortion), if it gets too hot to handle, handball it to "that should be a conscience vote".

Have fun muh gritties ...

If the Blue or some other pill is your thing, put brain into gear, target the weak spots, coordinate, engage, wrangle some joy outta life as you do your thing. Some will appear to assist you as many prefer to follow.

If politics is not your thing, figure out what is your thing in your life, perhaps farming, family, shooting, fishing, travelling.

Live your best life in this world you find yourself in.

Good luck and God speed,

On Mon, Oct 12, 2020 at 08:39:12AM -0400, John Young wrote:

...
Use of any online or digital programs and/or devices for comsec/infosec should be avoided unless completely enclosed and transmitted with non-online or non-digital means. There are a number of non-onlne and non-digital means available, the first and most reliable is your brain so long as it is not contaminated with belief in online and digital prejudice now over a century in promulgaton. The principal efforts for this promulgation is computers, coding, obfuscation, propaganda, arcanity, scientism, residual astrology, confidence gaming, spouting mantras, i.e., "cypherpunks write code."

https://www.google.com/search?q=cypherpunks+write+code&rlz=1C1AOHY_enUS708US708&oq=cypherpunks+write+code&aqs=chrome..69i57.5595j0j7&sourceid=chrome&ie=UTF-8

...
This oh so cool mantra derives from the magicial, bewitching lodestone "national security," the abiding weapon of nations governed as royalty, heirarchical, the few overlording the many with force, elections,

...
faith and trivializing deriviatives of entertainment, media, chat,

...
militants, rebels, revolutionaries, independents, intellectuals, geniuses, "democracies" ruled by kingdoms of presidents, congresses, courts.

Nonetheless, always a nonetheless apologia for top-down regimes, far more rewarding to cooperate with authorities than to defy them, more lucrative too. So backdoors in crypto, each and every version, must be inherent code, along with outpourings of assurances there are workarounds to escape the many and be one of the few. Today, that is marketed as "smart."

At 06:23 AM 10/12/2020, Stefan Claas wrote:

...
Karl wrote:

[...]

...
After finding a good candidate airgapped device, you'll want to be careful with how you use it. Remember, whenever a new vulnerability is found, trojans cover the world taking advantage of it, and then

...
...
...
to find a way to hide inside the corners of all the systems they find. So, any drive you put in your new device, anything you plug into it, any update you apply, could be filled with computer-measles that would find a way to trick it into giving remote control to them. Keep it isolated until you have things set up for use.

The next step after getting a reasonable airgapped device, maybe a

...
...
...
zero, and ideally keeping it isolated, would be to install gnupg on it. Maybe in a forthcoming email!

GnuPG should be already installed with Linux (Raspberian OS etc.). The thing I would like ask you, how would you communicate securely with your air-gapped device?

What I did in the past was to install on the online device and offline device the free (cross-platform) software CoolTerm and I connected both devices with an FTDI USB to USB cable, so that I could do serial communications and was also able to see how many bytes (from a PGP message) was

education, parties, try pi transfered.

...
...
Another approach I am currently playing with is to play with NFC tags

and

...
a reader/writer device, which can be used offline as well.

Regards Stefan

-- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

Zenaan Harkness

1:24 a.m.

On Wed, Oct 14, 2020 at 07:45:55PM -0400, Karl wrote:

...

I might respond to your smart argument here (against security on a security-focused list) but I'm more worried about all the strange things that follow it.

Do you know why I want to pressure you into stopping or changing your posts? In me I think it has to do with disagreeing with you and having no dialogue.

Are you trying to manipulate us?

Straight back atcha ... May be think it this way: what's the greatest possible life I can live, beginning now, in the world I find myself in right now? You may, but you don't have to, answer publicly.

Karl

1:27 a.m.

On Wed, Oct 14, 2020, 9:25 PM Zenaan Harkness wrote:

...

On Wed, Oct 14, 2020 at 07:45:55PM -0400, Karl wrote:

...
I might respond to your smart argument here (against security on a security-focused list) but I'm more worried about all the strange things that follow it.

Do you know why I want to pressure you into stopping or changing your posts? In me I think it has to do with disagreeing with you and having no dialogue.

Are you trying to manipulate us?

Straight back atcha ...

May be think it this way: what's the greatest possible life I can live, beginning now, in the world I find myself in right now? You may, but you don't have to, answer publicly.

I don't understand your last sentence. Your question is nice to hold. I don't have an answer; I wish I did. Do you hold it?

...

Karl

12 Oct 12 Oct

1:24 p.m.

Hey, Stefan =) Confused novel below. On 10/12/20, Stefan Claas wrote:

...

...
The next step after getting a reasonable airgapped device, maybe a pi zero, and ideally keeping it isolated, would be to install gnupg on it. Maybe in a forthcoming email!

GnuPG should be already installed with Linux (Raspberian OS etc.). The

What Stefan implies here is the best way, and he sounds more with it than me a little. If you can find Linux already installed it reduces how much you need to transfer data in and out of the device, which is a huge win because as I said anything you put in it could have digital coronavirus, the one that takes over the system and puts somebody else secretly in control. It's not always possible to get linux presupplied, and I haven't been to "microcenter" myself, but if your store sells linux media this helps your situation. Downloading linux over the internet is more dangerous, because as we said your internet-connected device is likely compromised; for example debian had a system-wide packaging compromise some years ago that they did not handle well, and has had mysterious disappearing of their tools for verifying system integrity after install; windows doesn't even let its own users legitimately look inside the hood of the system let alone demonstrating that it could be hard for others to.

...

thing I would like ask you, how would you communicate securely with your air-gapped device?

Let's talk about that a bit. I hadn't quite worried about talking about it yet, because [s/I'm only free to do this stuff now if I talk about in public/I hadn't figured out what to say yet/]. But like you, I've pursued this in the past, and have some things to work off of.

...

What I did in the past was to install on the online device and offline device the free (cross-platform) software CoolTerm and I connected both devices with an FTDI USB to USB cable, so that I could do serial communications and was also able to see how many bytes (from a PGP message) was transfered.

Another approach I am currently playing with is to play with NFC tags and a reader/writer device, which can be used offline as well.

I don't know why you would ever consider an NFC radio secure, where did you get this idea? I'm probably getting into a state of mind where I assume I know more than you (when I might not) because you mentioned plugging a radio into an airgapped device and using it to communicate. Really, it's possible to make that very secure, but with the radio chip likely being closed source, it doesn't sound easy to my kinda limited mind. I'm inferring by FTDI USB to USB cable, you mean a serial cable with FTDI USB serial converters (which I've had occasion to run into but don't know well) at both ends. That sounds pretty reasonable and shows you have a clue; i don't know whether people still consider systems to be airgapped when they are networked with a serial cable, or not. If we fast forward to emissions a bit, a serial cable is a long wire, so it's going to broadcast the stuff transmitted over it like an antenna, and pick up electromagnetic effects like one too. I don't know a lot about FTDI converters, but I know that most things you buy from a corporation are not secure by default. My biggest poorly-informed worry is that voltage glitching from the connected device could be used to compromise the 'airgapped' device in some obscure way. Additionally it can be hard to find FTDI converters locally. Sounds pretty airgapped in this day and age, though. While tumbling through this ordeal I once made this software, which is a small program to communicate ascii text by bit-banging one or two wire connections: https://github.com/xloem/openemissions/tree/master/tincanterm One of the best solutions for low-latency communication would seem to me to be writing your own bit-banging or communication software on the fresh linux installation, so that no installation of new software is needed, preferably using a visual or audio connection so that voltage glitching is impossible, although these channels can still be high bandwidth unintentionally. But if you understand the communication system and security concerns in depth, go right ahead with any of it. Something I value is very high latency communications. For example, using CDRs was a very secure thing that corporate progress has almost done away with. Burn your information to a CD, then load it on another computer. The CD has no microchips, the information is there for easy review, it doesn't alter the voltage between any electrical terminals on your system, and if you don't reuse cds then even if your airgapped system is compromised, there is no obviously related way to quickly send reply messages back to the system to alter its behavior. High latency is good. Only communicating when the user tells it to is crucial. Here's a piece of software I tried to make for transmitting QR codes: https://github.com/xloem/qrstream But yeah, I guess I'd investigate the system, see what the best thing I could do with the resources reasonably available to me was, and go from there. If you got a raspberry pi zero you might be able to also get an LED and a photocell to communicate using visible flashes of light, that you can see and review (since if you want something private it should already be encrypted before it leaves) via its GPIO pins. If I want quick and easy I'd probably just use a usb key, an ethernet cable that's only plugged in for communications or an sd card, and figure that even though it is easy to hide additional traffic on the medium, I'm still doing so much more than anybody else to defend my communications that the very act of doing so will help things a lot. If I write a followup to the raspberry pi example I'll pick something that works for my immediate situation with say a pi, and maybe make jokes of frustration about the issues with it. I'm guess that the key is not to be hyper secure but to support people being increasingly hyper secure. If we can pull that off, it'll be easy to be hyper secure because others will be sharing resources for it. Like Stefan says, it's incredibly valuable to monitor the communications that enter and leave the system, to verify they are what you expect. This leaves emissions out, which are roughly ways of communicating between systems that are not actually connected, and these ways can be automated and used by viruses, and emissions are difficult to manage mostly because all the work on managing them is classified and none of the commercial products have any serious protections in place, but we can fix that. Don't freakin' censor the stolen-from-hackers-and-classified security information, internet!

...

Regards Stefan

-- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

Maybe I'll send an e-mail on googling what naclbox is.

Stefan Claas

4:18 p.m.

Karl wrote: Hi Karl,

...

...
Another approach I am currently playing with is to play with NFC tags and a reader/writer device, which can be used offline as well.

I don't know why you would ever consider an NFC radio secure, where did you get this idea? I'm probably getting into a state of mind where I assume I know more than you (when I might not) because you mentioned plugging a radio into an airgapped device and using it to communicate. Really, it's possible to make that very secure, but with the radio chip likely being closed source, it doesn't sound easy to my kinda limited mind.

The range of these little NFC tags is only a few centimeters/inches. and I guess if someone could (in theory) listen to your offline device, then it does not make any difference IMHO if you use and additional NFC reader/writer and your offline device. The reason why I mentioned NFC tags is that they fit nicely on postcards or in letters (and can be protected with covers), can be password protected and also allow encryption, depending on the type used.

...

I'm inferring by FTDI USB to USB cable, you mean a serial cable with FTDI USB serial converters (which I've had occasion to run into but don't know well) at both ends. That sounds pretty reasonable and shows you have a clue; i don't know whether people still consider systems to be airgapped when they are networked with a serial cable, or not. If we fast forward to emissions a bit, a serial cable is a long wire, so it's going to broadcast the stuff transmitted over it like an antenna, and pick up electromagnetic effects like one too.

I don't know a lot about FTDI converters, but I know that most things you buy from a corporation are not secure by default. My biggest poorly-informed worry is that voltage glitching from the connected device could be used to compromise the 'airgapped' device in some obscure way. Additionally it can be hard to find FTDI converters locally. Sounds pretty airgapped in this day and age, though.

Well, a while ago I looked for options to work with an air-gapped computer, but was not sure if one should use a secure USB stick, for example and found this FTDI solution. I ordered such cable relatively cheap from alibab.com, because here in Europe these cables are only sold to companies, which can re-sell them and the price tag is much much higher.

...

While tumbling through this ordeal I once made this software, which is a small program to communicate ascii text by bit-banging one or two wire connections: https://github.com/xloem/openemissions/tree/master/tincanterm

Nice, will take a look.

...

One of the best solutions for low-latency communication would seem to me to be writing your own bit-banging or communication software on the fresh linux installation, so that no installation of new software is needed, preferably using a visual or audio connection so that voltage glitching is impossible, although these channels can still be high bandwidth unintentionally. But if you understand the communication system and security concerns in depth, go right ahead with any of it.

With audio cables I have also experimented and with HTML based software run in a browser. But this was error prone and the transmission speed was to slow. IIRC correctly the popular FOSS software minimodem can do this too, but is unfortunately not cross-platform.

...

Something I value is very high latency communications. For example, using CDRs was a very secure thing that corporate progress has almost done away with. Burn your information to a CD, then load it on another computer. The CD has no microchips, the information is there for easy review, it doesn't alter the voltage between any electrical terminals on your system, and if you don't reuse cds then even if your airgapped system is compromised, there is no obviously related way to quickly send reply messages back to the system to alter its behavior. High latency is good. Only communicating when the user tells it to is crucial.

Yes, but can nowadays devices (Raspberry Pi for example) handle CDs?

...

Here's a piece of software I tried to make for transmitting QR codes: https://github.com/xloem/qrstream

Will check that out too. Regards Stefan -- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

Karl

4:52 p.m.

Calming down partially, On 10/12/20, Stefan Claas wrote:

...

...
...
Another approach I am currently playing with is to play with NFC tags and a reader/writer device, which can be used offline as well.

I don't know why you would ever consider an NFC radio secure, where did you get this idea? I'm probably getting into a state of mind where I assume I know more than you (when I might not) because you mentioned plugging a radio into an airgapped device and using it to communicate. Really, it's possible to make that very secure, but with the radio chip likely being closed source, it doesn't sound easy to my kinda limited mind.

The range of these little NFC tags is only a few centimeters/inches. and I guess if someone could (in theory) listen to your offline device, then it does not make any difference IMHO if you use and additional NFC reader/writer and your offline device.

What's most important here is that we support Stefan in using airgapped communication, because it's kinda rare in the larger world, and it's pretty important. Most people probably don't know how to get through an airgap. It's really hard for us to weigh things like this without considering specifics of situations, but I would want to reduce the number of chips and especially intentional emissions that clearly correlate with my data. Given other options work, I wouldn't use a radio, unless it is convenient and easy to do so, so that the airgapping actually happens. Amplification, multiple transceivers, and accumulation of similar parts of information over a long period of time, can almost arbitrarily increase range.

...

The reason why I mentioned NFC tags is that they fit nicely on postcards or in letters (and can be protected with covers), can be password protected and also allow encryption, depending on the type used.

fitting nicely is a great plus. need an indicator on them to show when they are being accessed. might be easy to add if we build one ourselves. personally i'd want a wired option; they broadcast in all directions and antennas can be made arbitrarily large. i think a huge plus is that they are a common technology right now, so it is easy for people to get them.

...

...
I'm inferring by FTDI USB to USB cable, you mean a serial cable with FTDI USB serial converters (which I've had occasion to run into but don't know well) at both ends. That sounds pretty reasonable and shows you have a clue; i don't know whether people still consider systems to be airgapped when they are networked with a serial cable, or not. If we fast forward to emissions a bit, a serial cable is a long wire, so it's going to broadcast the stuff transmitted over it like an antenna, and pick up electromagnetic effects like one too.

I don't know a lot about FTDI converters, but I know that most things you buy from a corporation are not secure by default. My biggest poorly-informed worry is that voltage glitching from the connected device could be used to compromise the 'airgapped' device in some obscure way. Additionally it can be hard to find FTDI converters locally. Sounds pretty airgapped in this day and age, though.

Well, a while ago I looked for options to work with an air-gapped computer, but was not sure if one should use a secure USB stick, for example and found this FTDI solution. I ordered such cable relatively cheap from alibab.com, because here in Europe these cables are only sold to companies, which can re-sell them and the price tag is much much higher.

ftdi cable is a nice solution. you can also order a fiberoptic transciever and use optical. usbs have microchips that accept code updates, but that's pretty low latency.

...

...
While tumbling through this ordeal I once made this software, which is a small program to communicate ascii text by bit-banging one or two wire connections: https://github.com/xloem/openemissions/tree/master/tincanterm

Nice, will take a look.

...
One of the best solutions for low-latency communication would seem to me to be writing your own bit-banging or communication software on the fresh linux installation, so that no installation of new software is needed, preferably using a visual or audio connection so that voltage glitching is impossible, although these channels can still be high bandwidth unintentionally. But if you understand the communication system and security concerns in depth, go right ahead with any of it.

With audio cables I have also experimented and with HTML based software run in a browser. But this was error prone and the transmission speed was to slow. IIRC correctly the popular FOSS software minimodem can do this too, but is unfortunately not cross-platform.

...
Something I value is very high latency communications. For example, using CDRs was a very secure thing that corporate progress has almost done away with. Burn your information to a CD, then load it on another computer. The CD has no microchips, the information is there for easy review, it doesn't alter the voltage between any electrical terminals on your system, and if you don't reuse cds then even if your airgapped system is compromised, there is no obviously related way to quickly send reply messages back to the system to alter its behavior. High latency is good. Only communicating when the user tells it to is crucial.

Yes, but can nowadays devices (Raspberry Pi for example) handle CDs?

You'd likely have to plug in a powered accessory, which means isolating it too. Maybe that's worth the additional chip.

...

...
Here's a piece of software I tried to make for transmitting QR codes: https://github.com/xloem/qrstream

Will check that out too.

Regards Stefan

-- NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675 The computer helps us to solve problems, we did not have without him.

grarpamp

10:56 p.m.

...

usbs have microchips that accept code updates

USB "converters" should be considered suspect. Plugging BadUSB's, BadHDD, CPU's, Flash, or any other chipped / smart device or port with firmware, microcode, chips etc between systems has potential to infect / attack them. Assuming some random magical usb converter cable sets do pass raw rs-232 between them (ie: can cut/splice to a rs-232 port / modem / teletype) users often probably fuck up and cross infect usb during the n-th insertion setup session. Various "air gap", all adaptable to 'cat hugefile > /device'... QR code OCR scanning Sound Light RF Keyboard bots Monitor display output to camera capture input, a digital stream of bits thrown onscreen as fast as the two can sync. Simple RS-232 protocols, ECC codes, etc. All assuming endpoint chipsets don't attack over the gap / wire. Keep simple enough to see, log, debug, verify, filter, audit... like ASCII. USB, optical disk, tape, hdd... often have media based firmware update mechanisms, exploits, special sectors, bootcode, emulation, etc.

...

scrabble tiles

As received from the store... exhibit a non-random character frequency count, should not be used without adjustment down to 1:1.

Karl

13 Oct 13 Oct

12:02 a.m.

On Mon, Oct 12, 2020, 6:57 PM grarpamp wrote:

...

...
usbs have microchips that accept code updates

USB "converters" should be considered suspect.

Plugging BadUSB's, BadHDD, CPU's, Flash, or any other chipped / smart device or port with firmware, microcode, chips etc between systems has potential to infect / attack them.

How would you set up an airgapped system, if your main system were already infected? There's some degree of number of microchips, times accessed, way and source of system installation and tools added ... On a pi zero, you're likely going to have a keyboard, a display, and an SD card, all of which have additional chips, some even long wires that can act as radios. Then the communication medium; I guess using the existing display and keyboard adds the least complexity, but that's a lot of copying of encrypted text. I might start with a USB key even though it busts a hole in the system, and just recommend it be moved very rarely. A second paired system could be used for data exchange, connected to a printer or a camera or a disk or whatnot, with an optoisolated gpio connection to the main system.

...

Assuming some random magical usb converter cable sets do pass raw rs-232 between them (ie: can cut/splice to a rs-232 port / modem / teletype)

The FTDI actually does this. users often probably fuck up and cross infect

...

usb during the n-th insertion setup session.

That sounds concerning.

...

Various "air gap", all adaptable to 'cat hugefile > /device'...

Prefer tinyclearfile to hugefile, so auditing is reasonable.

...

QR code

OCR scanning Sound Light

...

RF Keyboard bots Monitor display output to camera capture input, a digital stream of bits thrown onscreen as fast as the two can sync.

Simple RS-232 protocols, ECC codes, etc.

All assuming endpoint chipsets don't attack over the gap / wire. Keep simple enough to see, log, debug, verify, filter, audit... like ASCII.

USB, optical disk, tape, hdd... often have media based firmware update mechanisms, exploits, special sectors, bootcode, emulation, etc.

...

...
scrabble tiles

As received from the store... exhibit a non-random character frequency count, should not be used without adjustment down to 1:1.

grarpamp

8:46 a.m.

Many corporates are fine with pulling down files to a bastion host behind firewall and building over to other non internet connected hosts from there. Swapping random storage devices (that have own cpu + firmware) among random machines, is probably more risk than an SCP pull connection over lan. Reproducible builds from OS vendor site, and friends East and West, can help verify the final pluggable boot and run media before perma stuffing it in the system. Then people play around with keygen, airgap, etc. Given the hardware is all closed, and software is bloated, cost to verify a system to any given book standard quickly become moot vs risk. Security is a continuum of tradeoffs, there are no absolutes. Besides NSA, who has available protocols and data rates for... 'dd /dev/urandom /dev/LCDscreen' --> air --> 'dd /dev/camera /dev/null' Somebody already did lavalamp datarates. But the above is different camera target and use case. New PCIe-USB port mashups... direct to ram/cpu like old firewire... security insanity.

...

if your main system were already infected?

Give it to Juan to smash with his ragehammer.

Karl

1 p.m.

On 10/13/20, grarpamp wrote:

...

Many corporates are fine with pulling down files to a bastion host behind firewall and building over to other non internet connected hosts from there.

Swapping random storage devices (that have own cpu + firmware) among random machines, is probably more risk than an SCP pull connection over lan. Reproducible builds from OS vendor site, and friends East and West, can help verify the final pluggable boot and run media before perma stuffing it in the system. Then people play around with keygen, airgap, etc.

What OS vendors provide reproducible builds?

...

Given the hardware is all closed, and software is bloated, cost to verify a system to any given book standard quickly become moot vs risk.

Security is a continuum of tradeoffs, there are no absolutes.

Multiply the estimated dangers, I suppose, and compare.

...

Besides NSA, who has available protocols and data rates for... 'dd /dev/urandom /dev/LCDscreen' --> air --> 'dd /dev/camera /dev/null'

Curious too. Here's what I have. There's some old existing work at https://github.com/xloem/qrstream in the 'Existing work' section. A glance at https://stephendnicholas.com/posts/quicker-video-qr-codes implies 43 KB/s. You can get much more if you use multiple colors and more math. All my links explaining the math, and the java app that demo'd multichannel video with error correction, appear broken. It seems a product of the r&d put into the protocol and the resolution of the devices used, right now.

...

Somebody already did lavalamp datarates. But the above is different camera target and use case.

New PCIe-USB port mashups... direct to ram/cpu like old firewire... security insanity.

I infer this is normal now with USB3. So gpio pins, isolators, audio, video are the things to think about.

...

...
if your main system were already infected?

Give it to Juan to smash with his ragehammer.

This doesn't work at all when it's somebody's job to keep you monitored. You need a working system to do things while you resist around your ideals.

1436

Age (days ago)

1440

Last active (days ago)

List overview

Download

19 comments

5 participants

participants (5)

grarpamp
John Young
Karl
Stefan Claas
Zenaan Harkness