Techie, Programming,Hacking, Infosec,ITGuru,Hacks, Technology, Geek-You're in the right place
Wednesday, 28 August 2013
Road To A Programming Life #Programming
OK, you see some cool app or even watch some code snippet and friends are bragging about that cool trick they can do. So at the end of it all, you decide to embark onto programming.
You grab an ebook or a video series for that specific programming language you finally chose. You tiresomely go through that ebook/video series till the end.
NOW WHAT?
This might be the beginning of your great career in programming or the beginning of the exciting adventures of your hobby, but NOW WHAT........
Languages don't matter. Yes, the programming language you learn and use doesn't matter, so don't get sucked up in the religion surrounding programming languages as that will only blind you to their true purpose of being your tool for doing interesting things. What really matters is what you do with them(programming languages).
As some old programmer put it:
"Programming as an intellectual activity is the only art form that allows you to create interactive art. You can create projects that other people can play with and you can talk to them indirectly. No other art form is quite this interactive. Movies flow to the audience in one direction. Paintings don’t move. Code goes both ways."
The new found knowledge (programming) opens up a lot of doors in your mind and people may despise you for easily dissecting there logic in arguments/discussions, but don't be moved by the community's thoughts. This world needs more people who know how things work and love figuring it out.
Back to topic......
By now you most probably have grasped the rules of that particular programming language and the syntax hasn't settled in yet. You most probably are disappointed that you still can't bend your knowledge to code that cool App you so desired.
Relax cos this journey might last a life time.
Firstly, you now should stock up a few more book for programming, how to design algorithms, how to design user interfaces and principles of software engineering.
Secondly, i think its high time you started looking at some code by other people which might give you an insight as to when and how to use the different language syntax. Play around with the code, break up thing and repair them till you fill you can code it in a dream. And always remember that a lot of code is out there that might help with your problem. It's better to first exhaust your contact and google before diving in code from scratch.
Thirdly. Maybe you might have heard already about that, and you most probably have been told to think of your own project and code it. This might not be easy for some people, so its better you start out by imitating already present software that interests you in the field you take your programming like networking.During these small projects, like those done by forum members, garner a lot of help n support from the people who did it. Clone those tools by your own hands, learn and get familiar with the libraries used to code it.
The more coding you do, the more bad code you will write so those small projects are really key to your future. Anyway, i think its time you get involved in some big, huge projects like the EVILFPS project (though its currently suspended) and there alot of FOSS projects out there like the open-office and gnome desktop environment. I don't think its time yet to join the Linux kernel development.
Now that you are apart of a big project, you are going to need more skills other than programming. You are gonna need to learn about software testing, project management, product management n marketing.The more you understand about the entire software development process, the closer you will come to being a well-rounded developer, architect or executive.
In programming for big projects, you meet a lot of people (maybe not physically) like-minded as you, so make friends with as many of them and you will be surprised what that coding guru can sacrifice for you. Just try to be cool with everybody and they will be cool to you. Also find a mentor that will always be there to answer those stupid obvious questions that are bugging you. Black painting on a paper won't do it all and some google queries have no algorithmic formulations (not easy to formulate). Let him/her be the star that guided the "three wise men to Jesus' birth place". You will leap over a lot of roadblocks through help from others.
I smack you with two statements *Giggling*, "Words on paper can't answer it all." And "The more coding you do, the more bad code you will write." So motivate yourself, code to your fill. Good Luck.
--What's Hacking, Where to begin with Hacking-- #Hacking
What is hacking:
What do you think of when you hear the term hacker? Most of you guys will probably think of criminal geeks who are butt hurt about something and then decide to take revenge or “hacking” groups like Anonymous. In that case you are wrong. Those people have nothing in common with real hacking and they are using their knowledge for bad things. The correct term for people like Anonymous would be Cracker(lookup the definition if you don’t know why they are called that). The right definition of hacking is “Hacking is the practice of modifying the features of a system, in order to accomplish a goal outside of the creator's original purpose.” - www.whatishacking.org.The word hacker originates back from the fifties or the sixties. One of the places that’s commonly known for have started the hacking culture is MIT. Students from Tech Model Railroad Club joined together to create new ways of controlling and building model trains. A great improvement of the train or the system was simply called a hack. It then moved on to phone lines and later on into computers. The reason why it moved on into the phone lines was simply that there wasn’t anything else to hack.
A guy who got very famous for hacking telephones and telephone lines (also called phreaking) is John “Captain Crunch” Draper. The reason why he’s called Captain Crunch was because of a famous hack he did back in the early seventies. From the american breakfast cereal Cap’n Crunch he got a whistle which could make a sound at 2600Hz. Since AT&T’s system was running by tones he could cheat the phone system to dial up pretty much everyone for free. He later on created The Blue Box which made it easier for him to cheat the phone lines. In 1972 he got convicted for cheating the phone company for money and ended up in prison for a short amount of time. According to The Wall Street in 1978 he hand wrote the first word processor for the Apple II computer called EasyWriter. He apparently should have hand written it in prison on paper and then later typed it into a computer. Hacking was also the reason why personal computers was created by guys like Steve Wozniak. Steve Wozniak created a terminal which enabled him to play chess but at the same to lure around on ARPAnet. He then short after joined hacker groups which introduced him to microprocessors. He have later on made great contributions to the development of the microprocessor.
The precursor to Usenet newsgroup and e-mails, the boards with names such as Sherwood Forest and Catch-22 become the venue of choice for phreaks and hacker to talk, trade tips and share stolen credit card information and stolen computer passwords. Hacking groups begin to form and some of the first well known were Legion of Doom from the United States and Chaos Computer Club from Germany.
In 1983 the movie WarGames came out and changed the public view on hacking. Hacking went from being something underground and unnoticed to something big. The movie was about a boy who want’s to crack into a game company’s computer system to play a game but instead end up starting a military catastrophe.
The same year 6 teenagers known as the 414 gang get’s arrested for hacking into 60 computers. It was first in 1986 it was made a crime to break into computer systems.
The Morris worm:
In 1988 Robert T. Morris, Jr. created a self-replicating computer worm which he launches on ARP
Kevin Mitnick:
As early as the age of 12 he social engineered himself to free bus drives. He’s today known as one of the best social engineers through time. Kevin Mitnick is captured by federal agents and charged with stealing 20,000 credit card numbers.
I will encourage you to read his biography. It gives you a true sight into his journey to establish himself as one of the greatest social engineers of all time.
The book can be found--HERE
Hacking today:
What is hacking today? Hacking has grown far bigger than anyone could have expected. In the beginning is was about optimizing model trains but today it’s a whole lifestyle. We see “hackers” in the news almost everyday and the business is just getting bigger. If you ask a random person on the street what their view of a hacker is they will probably reply with something like “It’s a person who breaks into systems” but that’s wrong. A true hacker is much more than that and can never be dragged down into something as small as that description.
We need to educate the normal citizen to not be afraid of the computer.
This video has been posted before but it explains exactly what I’m trying to say.
http://www.youtube.com/watch?v=dU1xS07N-FA
I have shorten this article a lot. I decided to cut most of it off but if you need some specific info on the subject matter feel free to contact me. I have read a lot of books and a lot of articles about this topic and will most likely be able to answer your question. If asked and I found the time I will maybe write a larger article about this subject but it will not be on the nearest future. Also please bear over with me about the grammatical errors I wrote this in the middle of the night and I will do my best to find them when I get the time. Feel free to give me contructive feedback.
Where to begin with hacking
So here is my opinion about how they should get around starting.
There are three types of hackers:
White Hats:
The White Hat hacker has dedicated himself to fight malware and help others with their computer problems. He is a person you can trust, and he will most likely end up in a good paying job as a computer programmer or a security consultant. He will most certainly not end up in jail.
Grey Hats:
The Grey Hat hacker are in between white Hats and Black Hats. He will most likely commit pranks at people that he thinks is harmless, but it can also be illegal. He can at one time be helpful and help you with a computer problem, but at the same time infect you with his own virus. There is a chance that the grey hat will end up in prison.
Black Hats:
The Black hat hacker also known as a cracker is the one who deface websites, steal private information and such illegal activity. It is very time consuming to become a black hat. It can be very hard for them to get a job because of the illegal activity. If law enforcements gets you, you can expect jail time.
So where to start?
You should know the answer to these questions before you start your hacking career.
- Which type of hacker do you want to be (white hat, grey hat or black hat)?
- Which type of hacking do you want to work with (website hacking, system exploits, pentesting etc.)?
- What is your end-goal?
You should meet these requirements to become a successful hacker.
- You shall be patient.
- You shall dedicate a lot of time to hacking. You will never stop learning, since hacking is a lifestyle.
- You should have a computer (I expect you to have one since you are reading this).
- You shall be interested in how the different computer systems works, and how to control them.
Now that you have an idea of what kind of hacker, you want to be we will look closer into the different topics you can work with as a hacker.
Website Hacking:
You properly already guessed it, but website hacking is about hacking websites. You use your skills to find exploits and vulnerabilities in websites and web applications. Almost all major hacking stories in the news are about websites and databases that have been hacked. Once you have enough experience in website security you will be amazed about how easy it is to find vulnerabilities in websites. However, it will take a lot of effort and time to reach that level of skills. You will need to know a large amount of server-side languages and website construction languages like PHP, HTML, JavaScript, SQL, ASP, ASP.NET and Perl. This was just some of the languages you should know about. I will recommend you to take JavaScript, SQL and PHP very serious since it is in those languages you will find the most vulnerabilities.
Pen testing and Forensics:
Pen testing and forensics can earn you big money. It is these guys the company’s call when they have been hacked. They are experts in operating systems, wireless connections and exploiting computers. This way will take A LOT of time and effort since there is so much you should know about. You shall know about how the different operating systems works, which exploit there is to them, how to exploit them, routers, encryption, malware etc. the list is almost endless.
Code exploiting:
Not many people know about this. This will require you to be a complete expert at programming. You shall be at least as good at these programming languages as your main language like English. This kind of hacking is taking a lot of time, and will require you to be patient. Do not get me wrong, every company that releases software like Symantec, Google, Microsoft, Adobe, and Oracle have hackers with these skills employed to check their software for vulnerabilities. Sadly, they cannot find every security hole and therefore some very smart black hat hackers are able to find them, and exploit them before the companies get the vulnerability patched. You should know the most popular languages like C++, Java and C etc.
Computer security:
The work these people do looks a lot like the pentesters. These people is able to detect and analyze new viruses and malware. They are working for companies like Symantec, KasperSky and Avira etc. Some of them are also working on labs that tests AV’s and new viruses. They are experts in how viruses works and how they infect systems.
You should now have an idea on where to start and in which direction you want to go. If you found any errors or typos feel free to contact me, and I will look into it. I will be updating this thread recently and add more details. I will soon add a dictionary, which explains the most basic hacking terms. I have put a lot of effort in this tutorial and my goal with this tutorial is to give computer-interested people an idea of where they should start.
To the so-called “noobs”, who reads this:
I hope I have inspired you to begin at hacking. I hope that I have cleared things up a little bit, so it does not seem so messy anymore. If you have any questions or something you did not understand, I would gladly explain it to you again. Welcome to the hacker’s world, a new world will open up for you and you will never regret that you chose to become a hacker.
Please read other article about what hacking is to get a better understanding.
Saturday, 24 August 2013
Top 10 Open Sources Tools For Web Developers #Programming #WebDevelopers
1. Aptana Studio
• It supports latest Web technologies like HTML5 , CSS3, JavaScript, Ruby on Rails, PHP, Python with information about the level of supports for each element major Web Browsers.
• Syntax highlighting, auto- completion of code.
• Git integration
• Inbuilt deployment wizard to help pubils your Web application.
• Integrated debugger - the most important component of an IDE, lets you set breakpoint, variables and control execution.
• Build- in terminal to access OS commands.
2. Komodo Edit
• Also supports Cloud-based projects
• It uses the Mozilaa code-base, along with Scintilla. Also have a Firefox type extention system for finding and installing add-ons.
• Suppots python, Perl, PHP, Ruby, HTML5, CSS3, JavaScripts, SQL, Tcl, XML.
• Syntax highlighting, auto- completion of code and call tips.
• Has added supports Node.js, CoffeeScripts, LESS, SCSS, EJS and epMojo.
• Has a inbulit FTP clients lets you access remotly hosted files without having to create a project or download an entire directory tree. If Firefox is your browser of choice, you would feel right at home with Komodo.(Cyber Elite)
3. NetBeans
• It started as an IDE for Java programming, but now you can create professional desktop, enterprise, Web, and mobile application with java as well as C/C++, PHP, JavaScript, Groovy and Ruby.
• Is also know for its great Debugging.
4. Drupal
• Is just as Wordpress and Joomla. It lacks high-quality themes like those available for the others two CMS, but it is unique in its own way, and preferred for its good technique design and mantainability.
• Getting static pages on a Drupal site is easier than in Wordpress and Joomla.
• The Drupal module for social media integration is easier to work with than its counterpart for Wordpress or Joomla.
• Ubercart, the e-commerce tools for Drupal is excellent. You might have a trouble working with the e-commerce tools for WordPress or Joomla.
• Drupal, being old has grown a lot and has a large community base, so you'll not be alone.Community support is very good in my experience.
5. MySQL
• Is the most powerful and popular database and hardly needs introduction.
• However, its enterprise version is not free, but compared to other enterprise solution, it is still the best choice for its price and the supprot is awesome.
• The free version of MySQL servers as the foundation for the CMS and various other software.
• You can administer the database using the command-line utility mysql , with dozens of command for effective managment.
• You acn integrate it with the PHP, Java and other programmming languages to make an effective application.(Cyber Elite)
• You can use MySQL, Workbench which is a GUI tool for integration of database design, administration and maintenance into a single IDE for the MySQL database system.
6. Apache Web Server
• Popular WebServer since April 1996 and hosts nearly 60% of Web domains.
• Though devloped for UNIX -like OS's it also runs on Windos, Mac OS X and others.
• Common languages interface support PHP, Perl, Tcl and Python.
• Virtual hosting allows one Apache installation to server many differnt websites.
• Supports password authentication and digital certification authentication.(Cyber Elite)
• As its source code is available, you can modify it according to your needs, if you know what you are doing.
• Other features include Secure Sockets Layers, Transport layer Security support, a URL re-writer and custom log files.
7. Apache Tomcat
• As stated by its website, Apache TomCat is an open Source software implementation of the Java Script and Java Server Page technologies.
• TomCat should not be confused with the Apache Server. TomCat is a Web conatiner that servers Web pages written in Java, while Apache is an HTTP server written in C.
• I have used it with Eclipse IDE, and I can vouch for the fact tha it is pure plug-and-play; no hard-and-fast configuration is needed.
8. Inkscape
• Inkscape is a vector- based graphics application, and by far the most popular open source options for a graphics tools if you aim to decorate your Website.
• The programe supports the standard Scalable Vector Graphics (SVG) file format, as well as many others.
• It imports files from many formats, including .jpg .png .tif and others, and exports to numerous vector-basd formats and .png.
• Dont compare it with its proprietary counterparts, as they are more powerful but among free tools Inkscape is the Best and is being developed further.
9. FileZilla
• Fre and Open source FTP, FTPS and SFTP clients. Also available as a server if you want to make file available to others, but this works only for Windows.
• Create in January 2001 by Tim Klosse as a class project, Filezilla has gone on to become the fifth most important popular download of all time from SourceForge.net
• Supprots FTP,FTP over SSL/TLS(FTPS) and SSH File Transfer Protocol (SFTP) (Cyber Elite)
• Being Cross Platform it runs on Windows , Linux, *BSD , Mac OS X and more.
• Supports resume and transfer of files larger than 4 GB.
• IPv6 support.
• Configurable transfer speed limits.
• Network configuration wizard.
• HTTP/1.1 ,SOCKS5 and FTP-Proxy supports.
• Synchronised directory browsing.
• But, your IDE lacks an in-builts FTP client for deploying websites.
10. XAMPP
• If you want to install a full LAMP or WAMP stack, it's hard to configure them all and get the site live. XAMMP has changed this, with a simple easy-to-install Apache distribution conataining MySQL, PHP, Pearl for quickly setting up a devlopment envirnoment locally.
• XAMMP is supported on multiple OS : Windows , Linux, Solaris , Mac OS X
• It is designed with the Web devlopers in mind, giving you the power and flexibility of a test Web Server without the hassle of setting up a dedicated box running a special server operating system, just for site testing.
• When it comes to throwing a server out into the wild, however proper hardened security is a must and operating system designed specifically for server should be used for public facing production sites, instead of XAMPP.So. the simple advice is to give XAMPP to stay confine in an internal LAN
P/S-Just click on the Open Source name to begin downloading
-----Thanks For Visiting----
Friday, 23 August 2013
The Art of Anonymity #Infosec #Hacking #Anonymity #Proxy #Security
In This Tutorial
- Browser Security
- Local Net Security
- Encryption/Logs
- Virtualization Software/liveUSB
- IP Address
What You Will Need
- A brain
- A computer
- The ability to read
- Wireshark (not absolutely necessary)
- Linux. There's already plenty of Windows tutorials out there.
- No Jews Allowed...
- Ok fine Jews
::Let's Get Started!
First of all, I realize that there are already a few anonymity tutorials in our wonderful Anonymity section. However, I realized today that they are incredibly generic and are practically duplicates of the hundreds of other generic tutorials out there littering the net. So, I decided to write one that is a little bit more inclusive. I would also like to add that there is not one tutorial out there that will provide you with absolutely all the information you will need to be 100% anonymous. In fact, I don't think that you even can be 100% anonymous. Keep that in mind, and always be paranoid.
Browser Security
Chaining 35 proxies won't do you any good if you overlook other aspects of being anonymous. As far as I'm concerned there's a few keys points to browser security.
User Agent:
If you don't already know what this is then you should probably come back to this tutorial later in life. But just in case:
"The term was coined in the early days of the Internet when users needed tool to help navigate the Internet. Back then, the Internet was (an actually still is) completely text-based, and to navigate the text, text commands needed to be typed into a keyboard. Soon tools were developed to be the users 'agent', acting on the user's behalf so that the user didn't have to understand the cryptic commands in order to retrieve information. Today, nearly everyone uses a web browser as their user agent." - http://whatsmyuseragent.com/WhatsAUserAgent
Obviously this can be indentifying, specially if you have a rather unique one. In older versions of Firefox you were able to go into the about:config and permanently edit your user agent. I don't think you can do that now. So instead, I would recommend getting an add-on to take care of this. There are plenty of them, but my favorite one is Override User Agent because it seems to have the most choices. Everything from Safari to Opera to Internet Explorer to Mozilla to Mobile user agents. Shit, you can even make it appear as though you are a Google Bot. Too easy.
You can do this in most major browsers and it will almost always come in the form of an add-on.
Something that was brought to my attention by proxx is that a network admin could potentially discover that you are being dishonest about your user agent via the TTL values of the packets. TTL stands for 'Time to Live' and is responsible for limiting the number of hops of a packet. This prevents the packets from floating around for eternity to explain it in a mundane way. So, an example would be that you are using a Windows user agent and spoofed it to be a Linux user agent. It would be possible for the net admin to analyze the TTL value and determine that it was changed and when.
A link provided by proxx might help to explain some of this: http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/
It would be a safe bet to keep your windows user agents windows, and your linux user agents linux. You can easily spoof the TTL values in linux, perhaps using iptables.
Referer Url:
This one seems to be rather overlooked. This is an HTTP header field that can be used to track your path from page to page. This one is also a simple fix. At least in Firefox. All you have to do is, once again, go to the about:config and search for network.http.sendRefererHeader. Once you've found it just set it to a value of 0. That takes care of that. You can also use the add on RefControl.
In Chrome you can check this out:
https://chrome.google.com/webstore/detail/referer-control/hnkcfpcejkafcihlgbojoidoihckciin?hl=en
If you are using Internet Explorer then..... Well then you should just go away.
Cookies:
Cookies are used to track your web activities. Don't think that just because you are using Tor you are safe from this. As usual there is a plethora of add-ons that you can use. You can also set your browser to not accept cookies from sites, however, you may find that you won't be able to access certain sites if you do this. At least make sure that you remove cookies when you are done with you session. This can be done in Firefox > Prefs > Privacy > Show Cookies > Remove All Cookies. Obviously that's for firefox. In Chrome I think it's something like, Chrome > Tools > Clear Browsing Data. For Opera it would be Settings > Preferences > Advanced > Cookies.
For those of you who don't know there is such a thing as long-term cookies. Otherwise known as LSO's(Local Shared Objects). These are flash cookies. As far as I know they aren't removed when you do the cookie removing steps I mentioned above. You can handle these by getting the add-on called BetterPrivacy.
I hope I don't have to tell you guys to clear your history or use Private Browsing. Oh! and one more note that I'm not going to make a title for. Be aware of the Desktop and Web Browser extensions you are using. For example, weather monitoring extensions could be very bad because they may transmit zip codes or address information to get local weather reports. Many people overlook this. Hiding your IP won't matter if you overlook this.
Other good add-ons:
Adblock Plus - Can be used for Firefox, Chrome, Opera and Android
HTTPS Everywhere - Encrypts your communications with over 1000 websites. Unless you're taters I'm sure most of you are already using this.
Ghostery - See what's tracking you on a site to site basis. Block them if you wish
TrackMeNot - I really like this one. This one spoofs your searches. For example, currently it looks like I'm browsing for: dogs
When instead I might be browsing: How to be a terrorist
No Script - Oh come on.
Startpage:
Also, for those of you who don't like Google for obvious reasons, check out Startpage. It sends your searches to their own server before actually sending it out to the web to help hide who's searching. It's alot like Ixquick except that it yields better results. They don't log your IP.
- Local Net Security
- Encryption/Logs
- Virtualization Software/liveUSB
- IP Address
What You Will Need
- A brain
- A computer
- The ability to read
- Wireshark (not absolutely necessary)
- Linux. There's already plenty of Windows tutorials out there.
- No Jews Allowed...
- Ok fine Jews
::Let's Get Started!
First of all, I realize that there are already a few anonymity tutorials in our wonderful Anonymity section. However, I realized today that they are incredibly generic and are practically duplicates of the hundreds of other generic tutorials out there littering the net. So, I decided to write one that is a little bit more inclusive. I would also like to add that there is not one tutorial out there that will provide you with absolutely all the information you will need to be 100% anonymous. In fact, I don't think that you even can be 100% anonymous. Keep that in mind, and always be paranoid.
Browser Security
Chaining 35 proxies won't do you any good if you overlook other aspects of being anonymous. As far as I'm concerned there's a few keys points to browser security.
User Agent:
If you don't already know what this is then you should probably come back to this tutorial later in life. But just in case:
"The term was coined in the early days of the Internet when users needed tool to help navigate the Internet. Back then, the Internet was (an actually still is) completely text-based, and to navigate the text, text commands needed to be typed into a keyboard. Soon tools were developed to be the users 'agent', acting on the user's behalf so that the user didn't have to understand the cryptic commands in order to retrieve information. Today, nearly everyone uses a web browser as their user agent." - http://whatsmyuseragent.com/WhatsAUserAgent
Obviously this can be indentifying, specially if you have a rather unique one. In older versions of Firefox you were able to go into the about:config and permanently edit your user agent. I don't think you can do that now. So instead, I would recommend getting an add-on to take care of this. There are plenty of them, but my favorite one is Override User Agent because it seems to have the most choices. Everything from Safari to Opera to Internet Explorer to Mozilla to Mobile user agents. Shit, you can even make it appear as though you are a Google Bot. Too easy.
You can do this in most major browsers and it will almost always come in the form of an add-on.
Something that was brought to my attention by proxx is that a network admin could potentially discover that you are being dishonest about your user agent via the TTL values of the packets. TTL stands for 'Time to Live' and is responsible for limiting the number of hops of a packet. This prevents the packets from floating around for eternity to explain it in a mundane way. So, an example would be that you are using a Windows user agent and spoofed it to be a Linux user agent. It would be possible for the net admin to analyze the TTL value and determine that it was changed and when.
A link provided by proxx might help to explain some of this: http://www.binbert.com/blog/2009/12/default-time-to-live-ttl-values/
It would be a safe bet to keep your windows user agents windows, and your linux user agents linux. You can easily spoof the TTL values in linux, perhaps using iptables.
Referer Url:
This one seems to be rather overlooked. This is an HTTP header field that can be used to track your path from page to page. This one is also a simple fix. At least in Firefox. All you have to do is, once again, go to the about:config and search for network.http.sendRefererHeader. Once you've found it just set it to a value of 0. That takes care of that. You can also use the add on RefControl.
In Chrome you can check this out:
https://chrome.google.com/webstore/detail/referer-control/hnkcfpcejkafcihlgbojoidoihckciin?hl=en
If you are using Internet Explorer then..... Well then you should just go away.
Cookies:
Cookies are used to track your web activities. Don't think that just because you are using Tor you are safe from this. As usual there is a plethora of add-ons that you can use. You can also set your browser to not accept cookies from sites, however, you may find that you won't be able to access certain sites if you do this. At least make sure that you remove cookies when you are done with you session. This can be done in Firefox > Prefs > Privacy > Show Cookies > Remove All Cookies. Obviously that's for firefox. In Chrome I think it's something like, Chrome > Tools > Clear Browsing Data. For Opera it would be Settings > Preferences > Advanced > Cookies.
For those of you who don't know there is such a thing as long-term cookies. Otherwise known as LSO's(Local Shared Objects). These are flash cookies. As far as I know they aren't removed when you do the cookie removing steps I mentioned above. You can handle these by getting the add-on called BetterPrivacy.
I hope I don't have to tell you guys to clear your history or use Private Browsing. Oh! and one more note that I'm not going to make a title for. Be aware of the Desktop and Web Browser extensions you are using. For example, weather monitoring extensions could be very bad because they may transmit zip codes or address information to get local weather reports. Many people overlook this. Hiding your IP won't matter if you overlook this.
Other good add-ons:
Adblock Plus - Can be used for Firefox, Chrome, Opera and Android
HTTPS Everywhere - Encrypts your communications with over 1000 websites. Unless you're taters I'm sure most of you are already using this.
Ghostery - See what's tracking you on a site to site basis. Block them if you wish
TrackMeNot - I really like this one. This one spoofs your searches. For example, currently it looks like I'm browsing for: dogs
When instead I might be browsing: How to be a terrorist
No Script - Oh come on.
Startpage:
Also, for those of you who don't like Google for obvious reasons, check out Startpage. It sends your searches to their own server before actually sending it out to the web to help hide who's searching. It's alot like Ixquick except that it yields better results. They don't log your IP.
Local Net Security
If you aren't worried about your local network identifying your machine then I wouldn't worry about this section. Still, it's good to know.
MAC Address:
Your MAC address is a 48bit hardware identifying address which is part of your network card. Everyone has one and they are all unique. Again, this doesn't cross router boundaries so there are many situations when spoofing this doesn't matter. There are a few ways to spoof this. This first way being manually. The basic syntax for this is:
ip link set wlan0 down < to bring down the interface temporarily, otherwise it won't work
ip link set wlan0 hw ether ff:ff:ff:ff:ff:ff < don't use that one idiot
Snayler reminded me that in Debian based systems you can run:
ifconfig wlan0 down <to bring down the interface
ifconfig wlan0 hw ether ff:ff:ff:ff:ff:ff
Then you have to reconfigure the interface. Simply running ip link set wlan0 up(or ifconfig wlan0 up) won't work.
The easier way is just to do this with macchanger.
If you aren't worried about your local network identifying your machine then I wouldn't worry about this section. Still, it's good to know.
MAC Address:
Your MAC address is a 48bit hardware identifying address which is part of your network card. Everyone has one and they are all unique. Again, this doesn't cross router boundaries so there are many situations when spoofing this doesn't matter. There are a few ways to spoof this. This first way being manually. The basic syntax for this is:
ip link set wlan0 down < to bring down the interface temporarily, otherwise it won't work
ip link set wlan0 hw ether ff:ff:ff:ff:ff:ff < don't use that one idiot
Snayler reminded me that in Debian based systems you can run:
ifconfig wlan0 down <to bring down the interface
ifconfig wlan0 hw ether ff:ff:ff:ff:ff:ff
Then you have to reconfigure the interface. Simply running ip link set wlan0 up(or ifconfig wlan0 up) won't work.
The easier way is just to do this with macchanger.
Code:
macchanger
--help
Code: Usage: macchanger [options] device
-h, --help Print this help
-V, --version Print version and exit
-s, --show Print the MAC address and exit
-e, --endding Don't change the vendor bytes
-a, --another Set random vendor MAC of the same kind
-A Set random vendor MAC of any kind
-r, --random Set fully random MAC
-l, --list[=keyword] Print known vendors
-m, --mac=XX:XX:XX:XX:XX:XX Set the MAC XX:XX:XX:XX:XX:XX
Code: Usage: macchanger [options] device
-h, --help Print this help
-V, --version Print version and exit
-s, --show Print the MAC address and exit
-e, --endding Don't change the vendor bytes
-a, --another Set random vendor MAC of the same kind
-A Set random vendor MAC of any kind
-r, --random Set fully random MAC
-l, --list[=keyword] Print known vendors
-m, --mac=XX:XX:XX:XX:XX:XX Set the MAC XX:XX:XX:XX:XX:XX
Generally I prefer to do macchanger -r wlan0. Don't forget to run ip link set wlan0 down first. If you want to run this at startup you could write a little bash script and symlink it.
Code:
ln
-s /etc/init.d/script.sh /etc/rcX.d/K10script.sh
For those systemd users I created a tutorial not too long ago on exactly how to do this here.
DHCP:
Many people are aware of the MAC address and that spoofing it might be a good idea. Not everyone considers this though. You dhcp client will often transmit some information when requesting an IP address. Much of the time this only includes your hostname and MAC address(which you now know how to spoof). Unless your hostname is:
twinkletits@hackingboxDumbassvilleOregon123herpderpLane
Then you should be fine.
Unfortunately, at least in the case of dhcpcd for you Gentoo and Arch users, it transmits a hell of alot more. It will transmit your hostname, dhcpcd version, kernel, OS and architecture. This is known as your vendor class id. Which is obviously very identifying. This can be taken care of by editing your /etc/dhcpcd.conf file.
So, for example instead of having your actual hostname and vendorclass id be transmitted you can change it to whatever you want. Now, here's where you might want Wireshark. Set your filter to bootp and send out a DHCP request.
Take a look at this DHCP Request packet.
Notice where it's highlighted and it says Vendor Class ID. That is extremely identifying information. As you can see I'm using Arch linux with Genuine Intel. You now know my exact kernel and dhcp version. Underneath you can see that my hostname is machine. However, when I append these lines to the bottom of /etc/dhcpcd.conf:
Code:
hostname
imatransvestite
vendorclassid isc-dhclient-V3.1.3:Linux-2.6.32-45-generic-ubuntu:x86
vendorclassid isc-dhclient-V3.1.3:Linux-2.6.32-45-generic-ubuntu:x86
And now we send out another dhcp request.
Take a look at my vendor class id and hostname now. Be aware there are alot of local services that may transmit your user and hostname. TCP ident lookups, FTP logins, perhaps telnet are examples. Generally it's a good idea to not have a unique or identifying user and hostname.
Encryption/Logs
NOTE: This information up to the Paranoid Encryption category is largely taken from the Arch Wiki. However, it is not copy/paste.
There are a few kinds of encryption.
Stacked Encryption:
This is a when an encrypted filesystem is stacked on top of an existing filesystem. This causes all files written to the encrypted folder to be done so "on the fly" before being written to disk.
- eCryptfs
- EncFS
Block Device Encryption:
This, on the contrary, is written below the filesystem layer to make sure that everything written to a certain block device is encrypted.
- dm-crypt + LUKS
- Truecrypt
Example Encryption Schemes:
1. Simple Data Encryption -
Would include an encrypted folder in /home. Might be encrypted in EncFS or truecrypt.
2. Simple Data Encryption(external device) -
Would include an entire external device encrypted with Truecrypt.
3. Partial System Encryption -
Would include the home directories encrypted, perhaps with eCryptfs. SWAP and /tmp separate partitions encrypted with dm-crypt + LUKS.
4. System Encryption -
If using Truecrypt you can't do this in Linux.
5. Paranoid System Encryption -
A rather clever idea. The entire hard drive is encrypted with dm-crypt + LUKS, and the /boot partition is on a separate USB stick. You would have to be freshly installing to do this because I highly doubt that any of you set up your /boot partition to be on a separate USB stick. This way, you can't even boot the OS without the USB.
Be sure that anything sensitive you may have you NEVER put in an unencrypted area. I recommend always having at least an encrypted folder, if not an entire device, on an external drive. That way it is entirely off of your computer. I you accidentally happen to save something in an unencrypted area, don't think that deleting it is good enough. Every *nix should have a built in shredding command.
man shred
Code:
NAME
shred - overwrite a file to hide its contents, and optionally delete it
SYNOPSIS
shred [OPTION]... FILE...
DESCRIPTION
Overwrite the specified FILE(s) repeatedly, in order to make it harder
Usage: shred [OPTION]... FILE...
Overwrite the specified FILE(s) repeatedly, in order to make it harder
for even very expensive hardware probing to recover the data.
Mandatory arguments to long options are mandatory for short options too.
-f, --force change permissions to allow writing if necessary
-n, --iterations=N overwrite N times instead of the default (3)
--random-source=FILE get random bytes from FILE
-s, --size=N shred this many bytes (suffixes like K, M, G accepted)
-u, --remove truncate and remove file after overwriting
-v, --verbose show progress
-x, --exact do not round file sizes up to the next full block;
this is the default for non-regular files
-z, --zero add a final overwrite with zeros to hide shredding
--help display this help and exit
--version output version information and exit
shred - overwrite a file to hide its contents, and optionally delete it
SYNOPSIS
shred [OPTION]... FILE...
DESCRIPTION
Overwrite the specified FILE(s) repeatedly, in order to make it harder
Usage: shred [OPTION]... FILE...
Overwrite the specified FILE(s) repeatedly, in order to make it harder
for even very expensive hardware probing to recover the data.
Mandatory arguments to long options are mandatory for short options too.
-f, --force change permissions to allow writing if necessary
-n, --iterations=N overwrite N times instead of the default (3)
--random-source=FILE get random bytes from FILE
-s, --size=N shred this many bytes (suffixes like K, M, G accepted)
-u, --remove truncate and remove file after overwriting
-v, --verbose show progress
-x, --exact do not round file sizes up to the next full block;
this is the default for non-regular files
-z, --zero add a final overwrite with zeros to hide shredding
--help display this help and exit
--version output version information and exit
I would recommend at least using the u and z flags. If you want to shred the contents of an entire directory you can run this command:
'find -type f -execdir shred -uvz '{}' \;'
Logs:
Logs can let someone know what you have been doing on your system. Some common places for logs and temporary data in Linux are:
/tmp
/var/tmp
/var/logs
/home (hidden files and folders)
I would be careful about what you go doing in these directories. Destroying certain files could do serious damage to your operating system. Something else I would watch out for is your swap partition. Data could be saved here if you happen to use swap. This data could be retrieved even though you may not be aware of it. If you have the RAM I would recommend not even making a swap partition. Alternatively, you could mount your RAM and swap as /tmpfs and they will be cleared at shutdown. You can easily do this in your /etc/fstab. Certain *nixes already have this as default.
If you are thorough(paranoid) enough, you could always write a bash script to run in place of your shutdown command. I don't know how many of you use the terminal to shutdown but if you don't you could always edit whatever shutdown button you use to run your script.
Here's an example script:
Code:
#!
/bin/bash
# Truncate all files in /var/log
find /var/log -type f exec sh -c '> "{}"' \;
# Clear any other log files you deem necessary
cat /dev/null > ~/.cache/config/openbox/openbox.log
cat /dev/null > blahblah.txt
shutdown -h now
# Truncate all files in /var/log
find /var/log -type f exec sh -c '> "{}"' \;
# Clear any other log files you deem necessary
cat /dev/null > ~/.cache/config/openbox/openbox.log
cat /dev/null > blahblah.txt
shutdown -h now
Then you can set your script to an alias:
Code:
alias
shutdown='/path/to/bash/script/shutdown.sh'
And add that to your ~/.bashrc. This way all you have to do is open a terminal and run 'shutdown' and you clear all your logs before shutdown. Simple.
Virtualization Software/liveUSB
To be quite honest, I wouldn't worry TOO much about logs. A better idea is to just not do anything illegal on your main OS. There are alternatives.
Virtualbox/VMware:
A good idea is to install some anonymity based OS(or any OS for that matter) in a virtualization software of your choosing. Doing this keeps alot of sensitive information such as logs and whatnot off of your main OS. Think of it as keeping all your dirty underwear in one tiny basket. I'm not going to teach you how to create a virtual machine here because, it's fucking easy. What I will say is that if you are going to do this you should do it the right way. My recommendation is to follow these steps:
1. Encrypt an external device. Preferably not a USB. You'll probably need something with more room.
2. Before you create the virtual machine, plug in your external and unlock it(since you encrypted it).
3. Set the path of the virtual machine in your settings to the path of the encrypted device. Doing so will make it so that the only way to access your virtual machine is if the device is plugged in and unlocked.
4. For extra security use a couple of keyfiles. Use a few jpegs or mp3 files on yet another external device. That is, if you're paranoid enough . Some good operating systems for doing this might be:
- Virtus (although it runs on Ubuntu 11.10 so maybe not)
- Whonix
Whonix is built specifically for Virtualization software. You can not install this on your actual computer. Due to the way it's built DNS leaks are impossible.
liveUSB:
Using virtualization software is good practice. However, it IS still on your actual computer. Yet a safer way would be to create a liveUSB. You can do this with UNetbootin, LinuxLive USB Creater(LiLi) or the dd command.
dd if=/path/to/iso of=/dev/sdX
Create it with no persistence. What is persistence you ask? Persistence is when any settings or modifications you make on a liveUSB stay, or, persist every time you start up the liveOS.
The downside to creating a USB with no persistence is that everytime you decide to boot it up, any settings you may wish to have(such as many of the settings I mentioned in the tut so far) will have to be done every single time. However, the upsides I think outweigh the downsides. Basically, a liveUSB with no persistence is like booting into a fresh install of an operating system every time. So on those warm summer days where you feel like talking a relaxing walk to the public library, sitting down with a cool drink, and hacking the gibson, you can! Just pop in your liveUSB and hack away! Ok, don't really do that. But you get my point. This way when you are done you just yank the thing out and the next time you boot it up it will be like nothing ever happened on the liveUSB. If you are going to do anything really serious, this is a good option. Good operating systems for this might be:
- Privatix
- Liberte
- Tails
Really though you can use any operating system you want. These are just some examples of anonymity based operating systems.
IP address
Ok ok fine. I'll talk about hiding your IP. I'm not going to go quite as in depth as I may have with the other sections of this tutorial because this is only one part of being anonymous that people get too hung up on. Not that it's not important. People seem to think this is all you have to do to be anonymous though, and they are wrong. But, it wouldn't be a complete anonymity tutorial without this part now would it?
Proxies:
Wikipedia says: "In computer networks, a proxy server is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource available from a different server and the proxy server evaluates the request as a way to simplify and control its complexity. Today, most proxies are web proxies, facilitating access to content on the World Wide Web."
Ah yes. Proxies. Some of them log, and some of them don't, but how the hell do we know which ones do and don't? Hard to tell really. There are a few main different kinds of proxies.
- Transparent Proxies: Simply put, a transparent proxy is no good for doing anything illegal. You Ip address is logged and shown. Although these may have the advantage of being a bit faster.
- Anonymous Proxies: These hide your IP address. One downside is that anything you may connect to can probably tell that you are using a proxy. Which may cause problems for you in many cases.
- Elite Proxies: These hide your IP and may hide the fact that you are using a proxy at all. Which can be beneficial. These often times will be the slowest.
WARNING: Never assume that any proxy is not logging. Even if they say they aren't.
A good thing to look at is the country it is in. You should never use a proxy that is in the same country as you. If you've done something worth trying to track you down for, LE won't have any trouble doing so if you used a proxy in your country. What you want to do is figure out which countries have the best privacy laws. Or which ones have the worst so you can avoid them. As far as I know, Sweden has very good privacy laws. China or North Korea however, have shitty ones. The US isn't really the best for internet privacy either. So choose wisely.
Another thing to look at is the different kinds of protocols a proxy may use. Two of the most important ones are HTTP Proxies and SOCKS Proxies. People end up using HTTP proxies by default much of the time.
SOCKS Proxies are lower-level then HTTP Proxies. SOCKS uses a network handshake to send information about a connection. The SOCKS proxy then opens a connection, perhaps through a firewall. HTTP Proxies are transported over TCP and forwards an HTTP request through and HTTP server.
Some SOCKS Servers include:
- Dante
- ss5
- Nylon
- sSocks
A simple Google search will yield you some up to the minute proxy lists.
VPNs:
Wikipedia says: "A virtual private network (VPN) extends a private network and the resources contained in the network across public networks like the Internet. It enables a host computer to send and receive data across shared or public networks as if it were a private network with all the functionality, security and management policies of the private network.[1] This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two."
There's a major difference between proxies and VPNs. That difference is anonymity vs. privacy. The best way I can explain this is that anonymity means that someone is sticking his dick in all of the birthday cakes, whereas privacy means that Timmy is in the room with all the birthday cakes, but no one knows what he's doing in there. Keep in mind:
proxy == anonymous(more or less)
VPN == private(Virtual PRIVATE Network)
Generally you can guess that the paid VPN's are going to be more reliable than the free ones, given that you aren't an idiot who paid for it with your personal credit card and your real name. Again, be aware of where the VPNs are located. So if you are in the US, maybe don't use openVPN for anything illegal. Their headquarters are located in California.
Tor:
I refuse to talk about Tor.
Proxy Chaining:
All I can say here is proxychains. It's a very useful tool and it's easy to use. With this tool you can chain proxy to proxy, proxy to VPN, proxy to VPN to Tor(if you want), proxy to proxy to proxy to proxy to proxy to VPN to proxy. But let's not get to excessive.
You will need to take a look at /etc/proxychains.conf. There isn't a manpage for it, all the directions you need are located in the config file. Basically what you do is add whatever proxies or VPNs you may want(make sure to note the IP and the port number) and you add them after this part:
Code:
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
The proxies you add should be in this format:
Code:
type
host port
So for example:
Code:
socks4
198.10.23.100 80
Then you run the proxychains program.
Code:
proxyresolv
targethost.com
Other Techniques:
Evidentally one of the best ways to remain anonymous is to code your own proxy server, say a SOCKS server, and use other people's personal machines as proxies. This way you can be absolutely sure that they don't log. Or you can also look into 3proxy which was posted by ande quite awhile back. There is also Botnet proxies if you feel like coding yourself a botnet if that's your thing. This is outside the scope of this tutorial however.
Check Yourself Sites
http://whatsmyuseragent.com/
http://www.whatsmyip.org/
http://www.dnsleaktest.com/
Anonymous Emailing
- SilentSender
- Send Anonymous Email
- GuerrillaMail
- DeadFake
- Mailinator
- Melt Mail
Final Notes
This tutorial was inspired by all of the generic, useless, copy/paste anonymity tutorials out there. You know which ones I'm talking about. The ones that say:
"Here's a link to CyberGhost and what VPN's are, here's a proxy list, use Truecrypt, make sure to clean up with CCleaner, watch out for Viruses, here's some links to antiviruses. Full anonymous!"
To all those tutorials out there, thank you for motivating me to write this. This one's for you.
As I've said before, there is no one tutorial out there that will make you completely anonymous. Being completely anonymous is next to impossible. You can take as many precautions as you want but if the NSA is looking for you it doesn't matter how secure your Truecrypt password is and how many keyfiles you have. If you are important enough they won't really need to crack your password. They'll just beat it out of you. Besides many of the techniques I've outlined, being anonymous is common sense. Don't link you real email with you hacker identity. Don't talk about crimes you've commited. Use SSL with IRC. If you are going to do anything really serious, don't do it from home. Don't do it from your personal computer. Best of luck to all of you. Hope you gained something from this tutorial
This tutorial was inspired by all of the generic, useless, copy/paste anonymity tutorials out there. You know which ones I'm talking about. The ones that say:
"Here's a link to CyberGhost and what VPN's are, here's a proxy list, use Truecrypt, make sure to clean up with CCleaner, watch out for Viruses, here's some links to antiviruses. Full anonymous!"
To all those tutorials out there, thank you for motivating me to write this. This one's for you.
As I've said before, there is no one tutorial out there that will make you completely anonymous. Being completely anonymous is next to impossible. You can take as many precautions as you want but if the NSA is looking for you it doesn't matter how secure your Truecrypt password is and how many keyfiles you have. If you are important enough they won't really need to crack your password. They'll just beat it out of you. Besides many of the techniques I've outlined, being anonymous is common sense. Don't link you real email with you hacker identity. Don't talk about crimes you've commited. Use SSL with IRC. If you are going to do anything really serious, don't do it from home. Don't do it from your personal computer. Best of luck to all of you. Hope you gained something from this tutorial
------Credit goes to--- -----LUCID----
Subscribe to:
Posts (Atom)