🗞️ 📺 🐦 Twitter Whistleblower: Mudge

DISCLAIMER: video covers a very recent whistleblower report.

Allegations still require looking into, and are not considered proof of “intent”.


Originally posted at BMAC Politictech Blog (posted here early)

TWITTER WHISTLEBLOWER: MUDGE (L0pht / cDc)

VIDEO COVERS:

What do I need to know?

What are the privacy implications?

How many employees have access to sensitive user data?

Were there user privacy compromises (this year) at Twitter?

Was SMS 2FA abused (this year) for mobile phone surveillance?

Who is this ‘Mudge’ guy? Why should we listen to him?



📺 IN TODAY’S VIDEO:



Watch Inside Post: https://www.youtube.com/embed/xS2jzX7Ace8




(below, I share screenshots I created, underlining key points)

WHISTLEBLOWER REPORT HIGHLIGHTS IMPORTANCE OF ANONYMITY ON SOCIAL MEDIA:


EARLIER 2022 STORIES OF CONCERN

Firehose Data Allows Real-Time Tracking (2022)


Mitto AG Abused SMS 2FA For Mobile Surveillance (2022)


TIP: Use a dedicated email for social media accounts. Don’t use the same email or phone number you have connected to a bank, or “big tech” platform accounts. Every account sharing information can be neatly linked together.


🛡️ Twitter Introduces A New Phone Number Badge

This ‘badge’ will allow users to demonstrate they have a phone number connected to their account.

I see no problem with this, as long as phone numbers stay voluntary. Although it could potentially open certain users up (with this badge) to more likely attacks (earlier bug: phone number reveal).

Given information covered in the above video, requiring a phone number / identification would create a serious safety risk to activists, journalists, lawyers, and others in a sensitive position.

Not only does a phone number tie directly to a user’s identity (more reliably so than other means), it also opens them up to a host of new targeted “spear phishing” attacks.

The whistleblower report states up to 5,000 Twitter employees have access to sensitive user data. And, a Twitter employee was arrested for using their access to spy for the Saudi gov.

A country that executes its own dissidents.

There is no “safe” way for activists to share their phone number (or other personally identifiable information).

Email would make for a far more secure form of 2FA, with the added bonus of protecting user identity and personal safety.

Regardless of the whistleblower report, I do hope Twitter remains a success. As long as it remains a place allowing free flows of information.

The only way this remains possible is if anonymous accounts are allowed to stay. As long as they are, I will continue to support Twitter over other mainstream Social Media platforms
(this way your data remains in your hands, depending on practices).


🧅 🔒 Twitter Now Has A Tor Hidden Service Onion Address

This one is a great move by Twitter. Nothing but good things to say about it.

Follow me on Twitter (onion), here.


TAKEAWAY:

We live in a world where power has become increasingly centralized…

🌎 A world where data contractors / monopolies can abuse access, power.

Simply Put: We simply can’t trust our personal data in the hands of strangers. No matter who they may work for.

When one has enough data, especially biometric data, one can use this in combination with AI, media, and various sensory applications / targeted experiences, to engineer future human behavior.

This is the very real future we are looking at. Don’t underestimate the power of data.


It’s why this page exists. Privacy (moreso anonymity) is vital to a free society, where people hold the power.

TIP: By proxying most of your internet data into mixnets, I2P / Tor (and newer options like Lokinet), you can make that data useless (instead of identifying).

Think of Tor as a haystack. Instead of the normal circuit your network packets route, Tor uses multiple layers of mixing / encryption to mix Tor browser client data into

In this world of increase, truly “free speech” cannot exist without the ability for anonymity.




Do You Think Twitter Really Fired Mudge For The Reasons They Stated?

NEXT: SHARE YOUR THOUGHTS

💻 How Common: Backdoored 👾 Hardware? History + Recent Cases

Post may be updated with new relevant information.



SUMMARY

Covers various (historical + present) backdoors found in hardware (including this week’s latest Asus motherboard UEFI firmware backdoor: “CosmicStrand”).

Important for individuals, gov, and small businesses alike to be familiar with the risk.

It doesn’t mean all ‘backdoors’ (ex: test accounts) are put there for ill intentions. Large networks require remote access, and server management.

It’s nothing new.


Intel AMT Briefing

Many are still unaware that (most) computers come with 👾 Intel AMT (Active Management Technology), a proprietary remote access backdoor (it has legitimate purposes, but by definition, acts as a backdoor).

There are legitimate purposes, but its functions mirror those of a hardware backdoor implant.

Computers with ME can’t hold power without it: removal is, by design, very difficult (if not impossible, depending on hardware), and remote access is hidden from the PC owner’s purview. If you attempt to remove it completely, your PC will not power on for long.

HAP Bit

‘HAP bit’ (see me_cleaner), once set, partially ‘neuters’ Intel ME. Reportedly a solution for agencies who needed to meet the bar for a “high assurance platform” (HAP bit does not work for all models).

‘Normal’ customers are generally left with no choice in newer Intel with AMT / vPro model computers.

Newer computers are completely dependent on the Intel ME co-processor, with remote OOB (out-of-band) communication being the most concerning part.

Why so few options for Intel models without? It’s worth asking.


Others might not be aware of servers (ie: cloud rental) having 👾 IPMI BMC hardware with remote OOB (out-of-band) access: in truth, this should be expected for large server mgmt – make sure you trust your providers. But it’s still not common knowledge to the average person, so I mention it.

What about 👾 Computrace? Familiar? Aware of Lojack? Computrace is another ‘backdoor’ styled security feature, covered in the video. It looks, acts, and feels like a backdoor for those performing system analysis (as the video shows).

Learn about the above and more, in today’s latest video.




Could there be additional persistent undocumented features inside ISP routers?

You could like the idea of a simple, single board computer for routing at home, and at the office.


Avoid ISP routers – many problems over time, new innovations can add attack surface. Find another router (router advice towards bottom).

INFO: ISPs in the USA have, since 2017, been legally allowed to sell customer data / identifiers “without explicit consent.” Other countries may vary in their data protection, but (in my opinion), we should assume abuse of this exists in the data broker industry.

(not all ISP’s reported to do this)


TIP: encryption helps prevent (potential) malicious redirection of personal devices.


DETAILS / MITIGATION EXAMPLE

Blocking hardware related backdoors locally (from local OS) won’t likely result in a plausible solution.

RING LAYERS AND SCOPE

The rings represent layers of privilege. Kernel, at the center (below), has access to everything outside of it. Repeating per ring.


Take Intel Hardware Example Here…

INTEL MGMT ENGINE RING LAYER (-3)

Additional rings add privileges that otherwise wouldn’t have existed, for ME, at Ring -3.

Meaning it has privileges over everything outside of it.

Intel ME runs at highest privileges, completely outside oversight (ie: Windows, Linux).

Learn more on rings on Intel hardware, here.

[and see: Intel MGMT Engine Post]


MITIGATION

In some cases we may be able to mitigate, through a series of creative choices (where possible).

Use information you have on backdoor pathways / communication to mitigate on LAN.

One example mentioned in the video: AMT requires either built-in Intel AMT-capable ethernet, and / or Intel WiFi with an OOB TCP/IP stack. Otherwise, an AMT-capable device.

Alternative connection methods can become one of those mitigations.

Another option (depending on the backdoor location, access) would be reflashing (where applicable).

Firmware

More Intel AMT options collected for the community, see: This Post.

Router Advice

I have been asked “what router to get”? Routers play a key role in home / business security. Devices will be guided, (“routed”) by your router. They can (also) be redirected (maliciously) by a router.

Choose carefully.

On the hardware end: if you aren’t DIY, and want something “ready to go”, see hardware reviews, search relevant vulnerabilities.

Sometimes a backdoor is not necessarily placed intentionally. It could be a single rogue employee, or other placement between you and the manufacturer.

Also: Watch out for counterfeit routers.

ex: July 2022: Arrest in scheme to sell Cisco Counterfeit routers – Florida Story

“Cisco Partners Sell Fake Routers To Military” Read Story Here

If you choose to buy a new router, 2 established projects trusted in the FOSS community are OpenWrt firmware and pfSense (FreeBSD based). Both provide controls for networking (read reviews; do a bit of vulnerability searching on hardware).

TIP: reputable hardware vendors, with strong FOSS community backing are your safest bet when looking at mass manufactured hardware.

(see if they have a forum; look for reviews inside FOSS community)

Or, you might choose to flash one yourself: either a single board computer, or one supporting OpenWrt firmware / pfSense, or other choice.


related: Working on improvements to router related img. Sometimes shared with followers as a “surprise download”, or “thank you” to regular supporters (work in progress).


Share your suggestions, by comment, or email.


Have Backdoor Experiences On Hardware / Software?

Share In The Comments

Smartphone: “IMSI Catchers” (Thoughts + Mitigation)

Note: restricting to “4G only” may not be right for everyone. If it negatively affects service, you can disable with:

systemctl disable 4g-only.service (if service is affected in your area).

Tips for common, 2G / 3G. 4G cell site simulators exist (active, less common).

Originally shared on bmac June 21st, 2022.


Hey friends, 😀

Today let’s talk a bit about what are commonly referred to as “Stingrays” (a popular model), and, for Linux phone users (Pinephone tested), share a small service for “4G Only” persistence (every boot): here.

Why? After noticing downgrades, wanted to see if it will affect my service over the long run (good coverage). Opted to try “4G only” for a while.

4G only restricts 2G / 3G and could cause service interruption during moments lacking 4G availability.

Includes tips for Android users. iPhone, not having as many options, does carry a “4G Only app”.


Cell Site Simulators (examples: “Stingrays”, “IMSI Catchers”): False cell towers appear as the “strongest signal in the area” for phones nearby (ex: 10,000 phones per device in some cases). Once connected, phone location can be tracked, and on lower security (ex: 2G), SMS / calls can be more easily captured.



SUMMARY: most Cell Site Simulators rely on downgrade attacks to cause your phone to connect to the less secure (encryption) 2G services (and other times 3G). We talk about how to mitigate for Linux phones (Pinephone service), Android, and iPhone (briefly).


INTRODUCTION

Video (older) introducing an Android tool for detection and mitigation of “cell site simulators”.

A basic introduction to what these devices are designed to do (mimic cell towers), and what various models may look like (including homemade), from the smallest (fitting in the palm of the hand), to the flying…

Watch Here: https://www.youtube.com/embed/w8reJoOl5fM


RELATED VIDEO: Top 11 Android Privacy Tips


Tracking With Cell Site Simulators

Essentially functioning as false towers.

If You Have A Phone…

it will eventually fall into this surrounding net…

These devices can scoop all phones in the area. Some reportedly handle 10,000 phones in vicinity, at a time.

Common in midst of a protest (examples, further down).

We all deserve the right to privacy in our home, and inside our most personal devices.

Privacy represents the most fundamental Human Rights (no right guaranteed without right to privacy)

Companies producing Cell Site Simulators have:
non-disclosure agreements


SIM CARDS: SILENT SMS + MORE

While we are talking smartphones, it’s best to include SIM cards in the mix.

Did you know your SIM card carries its own microcomputer, runs its own OS and browser, and accepts hidden binary text messages?

You can learn more about this on our video, here: https://www.youtube.com/embed/U4h6YuDxmLo


CELL SITE SIMULATOR MITIGATIONS

Downgrading phones to 2G service makes content easier to intercept (ie: calls and SMS txt, due to weak security in the 2G).

4G Cell Site devices run more expensive (comparing to 2G / 3G), generally offering location tracking.

Previously, price quotes (released a couple years back) marked “Hailstorm” devices for over $450,000.

Ultimately, for both criminal and official purposes, most rely on “downgrade” attacks.

Some may notice 4G blocked during certain areas of protest.


See: here, here, and here as examples where 4G was blocked during protest. Nearly all serious protests deal with this, (possibly) forcing connection to cell site simulators.


VULNERABILITY: SYMPTOMS OF ATTACK (Then Again… There Aren’t Always Signs)

  • Quicker than normal battery drain (push max battery usage)
  • High power usage forced on phones (amplification can allow farther operation distances)
  • Downgraded service to 2G, 3G (from stable 5G, 4G)
  • Service disruptions (problems sending SMS txt, calls, internet)

We should ask ourselves: Why is there no tower provider authentication, to protect our phones from these devices?
If providers desired so, it would be so.

Why Do Downgrade Attacks From 4G To 2G, 3G Happen?

Downgrade attacks occur to move phones to a more ‘receptive’ environment.

  • 4G Cell Site Simulators (pricey)
  • 2G, 3G offers lower security capabilities (ie: receiving calls / SMS txt)

Use To Our Advantage?

Since said false malicious cell spy towers utilize downgrade attacks to force all phones in the area to connect to their malicious cell site simulator…

We can attempt to mitigate downgrade attacks by forcing 4G only (keep in mind not all settings are saved after reboot – that is the idea of trying the 4g-only service for the Pinephone service: it forces 4G/LTE only, each reboot)


ANDROID USERS: SETTING 4G / LTE ONLY

  • Open Dialpad
  • Dial: * # * # 4 6 3 6 # * # * (this opens testing window)
  • Go into “Phone Information”
  • Set Your Preferred Network Type To LTE Only for 4G only (keep in mind this setting holds until reboot)

iPhone Users: 4G / LTE Only

There is a reported 4G only app.

You can also access iPhone service options by following this page.


Pinephone / Linux Phone Users

Today I am writing to introduce a small example “4G Only” service.

It’s something I wanted on my Pinephone (Linux phone) to prevent downgrade attacks.

Symptoms Of Malicious Intent

  • Phone jumps from its reliable 4G, down to 2G, or 3G
  • Phone has service disruption after this connection change
  • Internet may lose reliability, texts and calls may show issue / stalling

Apps like Android’s “Cell Spy Catcher” take 24hr to map out all current cell towers (and locations), alerting you to towers which move or behave suspiciously, such as changing tower information, and location (ie: true cell towers are not moving around, changing location 😤)


RELATED STORY: In some areas, attacks could even be of foreign interests, even criminal networks.

See Example: IMSI Catchers found planted on Whitehouse grounds
(said to be of foreign origin – details in article)

Mitigation (For Most Cases / Devices): Force 4G Only.

Sure, settings in Gnome / Phosh allow you to momentarily select 4G only. The issue is that it resets to allow 2G, 3G, 4G on the next boot. This service ensures 4G is the only available service to the modem (during service downgrade attempt).

Setting Up 4g-only Service

The service is simple to set up.

Simply download / clone package from Gitea onion (use torify git clone, or Tor Browser to view and download), and run the install.sh script (using sudo). This moves everything where it belongs, making a new command in our execution path, and enabling the service (by default starting 1st on your next reboot).

If you would like the service to start right away, you can run the command installed:

sudo 4g-only

Or (once running install.sh), you can start the service without reboot by issuing:

sudo systemctl start 4g-only.service

To avoid having to reboot.

What Does It Do?

First detects your current modem location (does change), setting “4G / LTE Only” for that modem, every reboot.

Running:

sudo 4g-only

forces 4g-only from the commandline.

If you need access to 3G as well, there is a single argument:

sudo 4g-only reset

Personally, I recommend 4G-only (not the reset) to prevent connection to these lower services linked to most malicious cell site simulators (note: during downgrade attack you may lose service – but at least you may know why..)

Checking Status Of 4g-only.service

Once installed (after a reboot), you can check the status of 4g-only.service.

sudo systemctl status 4g-only.service

Once you have run the install.sh, you will have 4g only every single boot 100% of the time.

If you need access to 4G + 3G (not recommended for most areas), I added the ability in the systemctl ‘stop’ command of the service.

And so:

sudo systemctl stop 4g-only

Won’t just allow 3G, it keeps 4G preferred.

But for myself, and most people, I do recommend leaving the service as is, allowing 4G Only (not including 3G), if you wish to mitigate downgrade maximally.

If you notice service disruptions on 4g Only, this could be a sign of downgrade attacks. That alone IMHO, can be useful to know.

Will share more options as tested in future (check back).

Hope you find useful. ❤️ 📱 🐧



🔑 SSH Part II: Adding Key Auth & Checking Fingerprints (Avoid MITM)

Learning to check SSH fingerprints is a staple for using remote ssh safely. Failure to match fingerprints opens us to potential MiTM.

[ Did you miss ssh writeup Part I? We discuss how default Linux OS hostnames can sometimes give away the default password, and pitfalls in numerical passwords (changing default passwords should be priority #1).

First we identified the OS by default hostname, then we used a “most common numerical pin number wordlist” to crack the default SSH password in seconds, demonstrating how successful ssh cracking (using Hydra) looks, and offering solutions / advice (HERE). ]


INTRODUCTION

Do you accept “new” ssh client key fingerprint prompts without checking them against the server in question’s own key fingerprint?

If you accept ssh key fingerprints (without verification), you may be setting yourself up to be an unwitting victim of a MITM (Man In The Middle Attack).

[This topic is covered in PART II (scroll down for Tutorial)]

Additionally in PART II, we swap out weak default password authentication for a much stronger (passwordless) RSA key authentication login, assisted by ssh-keygen (which we use to generate strong keys).

After which, we disable the password login option altogether (to prevent brute force attackers), and finally, we restart SSH for all changes to take effect.

As a Bonus, a video covers converting SSH server to a Tor Hidden .onion service, adding additional security/encryption benefits (without need for open ports).


(REFRESHER) PART I:

Part I video is below, covering weak default password examples in real Pinephone operating systems (applying to all Linux / UNIX machines / default logins).

In this scenario, we first scan machines on the LAN (as an attacker would), immediately identifying operating systems by their default hostname. After which we use Hydra (brute force cracker) to run known default username/pin number lists against the SSH server identified OS of our Pinephone.

After demonstrating how easy it can be to identify and crack SSH logins on machines sharing the same connection/LAN, we then go in to tighten up sshd_config settings to prevent future brute force attacks. As well as talk password security.

This video is below:


TUTORIAL (WITH SCREENSHOTS/VIDEO)

PART II: https://www.youtube.com/embed/CZ8BjLjl7EA

Today’s Video continues on from this SSHD Config angle.

As the introductory paragraph details, first we check key fingerprints shown by our ssh client against the server side’s ssh key fingerprint. We must ensure these fingerprints match, otherwise we risk MITM attack. Never accept new fingerprints without verifying.


ADD SSH KEY AUTHENTICATION (NO PASSWORD NEEDED)

(ssh more securely)

Have you ever accepted a fingerprint and wished to start over to be sure?
(to: delete all saved keys for host / server and reconfirm fingerprint?)

REMOVE PREVIOUS KEY FINGERPRINTS (CLIENTSIDE):

ssh-keygen -R HostHere


CHECKING FINGERPRINT (SERVERSIDE):

ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub

NOTE: THE ABOVE COMMAND IS ECDSA. LATEST AND GREATEST ADVICE IS FOR ED25519. CHECK THIS:

ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub


NEXT:

Connect (from clientside) to our SSH server to check the fingerprint output. Does it match the above “CHECKING FINGERPRINT (SERVERSIDE)” output?

See the screenshot below to watch this comparison in action.

SCREENSHOT CHECKING FINGERPRINT (COMMANDS ABOVE):

IMPORTANT: I felt the need to explain 01:56 — do not accept the key (unless you previously recognize it). This key fingerprint acceptance is to demonstrate the plain ‘password: ‘ prompt itself (fingerprint acceptance required to show). Follow below for fingerprint checking instruction (or follow video after 3min).


TIP #1 FINGERPRINT CHECKING:
Check the server’s fingerprint from a separate network (if working remotely from it), or if you have physical access + a monitor, even better. By using a separate network to check the fingerprint upon connection, you are compartmentalizing both client checks from one another, further verifying fingerprints match from multiple networks.

Running the fingerprint checking locally (serverside) is always the best method (when possible).


TIP #2 FINGERPRINT CHECKING:

Write hosts / fingerprints down, post them on your wall / corkboard / office: there is no risk in having a written list of your machines’ hostname / IP + correct ssh fingerprints. This can save you from having to check.

Why? You may one day need to login from a new machine without physical access to the server. Having record can help you check without risking the login/accepting fingerprints remotely.
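The written list from Tip #2, turned into a check a script can make. This is an added example, not code from the original post or video: it computes the same SHA256 fingerprint that ssh-keygen -lf prints and compares a key a client is shown against the recorded one. The host name pinephone.lan and the sample keys are constructed for illustration.

```python
import base64
import hashlib
import struct


def key_blob(line: str) -> tuple:
    """Find (key type, decoded key blob) in a .pub line or a known_hosts line."""
    fields = line.split()
    for key_type, b64 in zip(fields, fields[1:]):
        try:
            blob = base64.b64decode(b64, validate=True)
        except ValueError:           # not base64: a hostname, a key type, a comment
            continue
        if len(blob) < 4:
            continue
        (name_len,) = struct.unpack(">I", blob[:4])
        # The blob starts with its own key type; it must agree with the text field.
        if blob[4:4 + name_len] == key_type.encode():
            return key_type, blob
    raise ValueError("no SSH public key found in line")


def sha256_fingerprint(line: str) -> str:
    """Fingerprint in the 'SHA256:...' form: unpadded base64 of SHA-256 over the blob."""
    _, blob = key_blob(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keygen_output(line: str) -> str:
    """Extract the fingerprint field from one line of `ssh-keygen -lf` output."""
    for field in line.split():
        if field.startswith("SHA256:"):
            return field
    raise ValueError("no SHA256 fingerprint in line")


def check_host(host: str, presented_line: str, pinned: dict) -> str:
    """Compare the key a client was shown with the fingerprint recorded for host."""
    if host not in pinned:
        return "unknown-host"        # nothing recorded: verify on the server first
    if sha256_fingerprint(presented_line) == pinned[host]:
        return "match"
    return "MISMATCH"                # do not accept: possible MITM or changed key


def constructed_pub(seed: int) -> str:
    """Constructed sample: ssh-ed25519 wire format around filler bytes (not a usable key)."""
    name = b"ssh-ed25519"
    key = bytes((seed + i) % 256 for i in range(32))
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(key)) + key
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed-sample"


if __name__ == "__main__":
    server_key = constructed_pub(1)      # what the server really holds
    other_key = constructed_pub(2)       # what an interposed host would present
    # The line written down server-side, in ssh-keygen -lf output format.
    recorded = "256 " + sha256_fingerprint(server_key) + " root@pinephone (ED25519)"
    pinned = {"pinephone.lan": parse_keygen_output(recorded)}   # hypothetical host
    print(check_host("pinephone.lan", "pinephone.lan " + server_key, pinned))
    print(check_host("pinephone.lan", "pinephone.lan " + other_key, pinned))
    print(check_host("new-box.lan", server_key, pinned))
```
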


After working on fingerprint checks, we add the key to our server, allowing our client machine to automatically login upon connection.


GENERATE RSA KEY PAIR

ssh-keygen -t rsa -b 4096


PASSWORD-FREE KEY AUTH: MORE SECURE SSH ACCESS

COPY KEY TO SERVER:

ssh-copy-id username@host

SEE SCREENSHOT BELOW FOR ABOVE STEPS IN ACTION


After successfully copying our key, we then connect by ssh to test it, if it lets us in without problem or password, we did it!

TESTING PASSWORD FREE KEY AUTHENTICATION


TIGHTEN UP SSHD_CONFIG (SERVERSIDE)

We add a few more lines to /etc/ssh/sshd_config, ensuring only our machine can login:
(disabling password guessing by relying on our newly minted key alone)

/etc/ssh/sshd_config:

PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM no

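Restarting SSH allows our configuration changes to take effect (keep your current session open and confirm key login from a second terminal before closing it, so a mistake in the file cannot lock you out):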

sudo systemctl restart ssh

[Timestamps are found inside the video description]


* BONUS: PART III: Tor SSH .Onion (Hidden Service):

This 3rd (optional) video shows how to setup SSH access as a Tor Hidden Service.

BENEFIT #1: By disabling ssh locally and allowing only the Tor ssh we prevent unknown machines from attempting brute force attacks (if we failed to follow previous videos). The only ssh attempts will be from those you give the onion address to.

BENEFIT #2: Additional layer of end to end encryption between the tor clients on ssh client and server side. Add to this the ssh encryption keys/fingerprints themselves on your client/software side, and you have a much more secure ssh setup.

Comments/Questions Welcome below:



Sysctl: Change Linux Kernel Parameters

Supporter Community Early Look (May 13th): Now Public (For Everyone)

(if interested in seeing posts ahead of time, check out the Supporter Site – Free to follow)

The beginning of this writing breezes through subjects found in the video (below), while providing copy and paste convenience.

Later on I begin to include a few sysctl additions that may help mitigate certain attacks.


If what’s on the page isn’t clear, leave a comment, send a message, or check back later and see if anything is new.

Learn The Basics


Get Started

Howto: List ALL Current Values (You Can Change Any Of These)

sudo sysctl -a

Example Output Of sysctl -a:

(The above shows all possible ‘keys’ or parameters we can manipulate / configure)

Make Above List Easier To Read With ‘less’: sysctl -a | less


Test Single Kernel Parameter

We can make our changes automatically load every boot by editing the configuration file: /etc/sysctl.conf (Pop!_OS, Debian based), or a file in the /etc/sysctl.d directory (Arch / Manjaro and others).

BUT… Before modifying sysctl.conf file (or file in /etc/sysctl.d), we could check individually for the variable (verifying existence).

Run:

sysctl vm.swappiness

The above command returns (if it exists) what the value is.

Example:

Note above screenshot returns my case, vm.swappiness = 10

This figure, the ’10’, represents the ‘redline‘ percentage of free memory, before activating swap.

What you say? 🤔 “swap”? Many Linux users have a partition or file set aside, known as the <swap>.

This “swap space” helps take the burden off your device, when hardware use is more intensive.


As rule of thumb, create swap space roughly the size of total ram.

10% free memory left before swap? 🤔

Sounds low (running out of resources can lead to a crash).

Change this to something higher, to activate swap space before 10% memory.

First, you might want to test out your intended line (changes to 60% free memory for swap).

It’s an easy command:

sudo sysctl -w vm.swappiness=60

Example:

What Does The Above Command Do? This changes the current wait from 10% remaining memory up to 60% memory free (when swap will be activated).

This means my older machine will be able to make use of the benefits of swap, much sooner.


Adding Settings To Sysctl.conf

You can follow the above steps to find changes you might wish to make. Write down the key and value. In our case, we need to add:

vm.swappiness=60
# careful not to use any spaces above

Our next step is adding this new change to /etc/sysctl.conf (on Debian / Pop!_OS), in order to have it start for us every boot.


OPTION #1

One method would be adding our line using VIM or GNU/Nano editors.

If you missed the tutorial on those, VIM + Nano Intro + Learning Tips.

Just as well you could open your favorite GUI editor.


OPTION #2 (Quick Bash Lesson)

We can use a simple line of bash to add each new line easily from the commandline! 🙂

Running the following line will add vm.swappiness=60 to our /etc/sysctl.conf file:

echo 'vm.swappiness=60' | sudo tee -a /etc/sysctl.conf

(Writing this as sudo echo 'vm.swappiness=60' >> /etc/sysctl.conf fails with “Permission denied”: the >> redirection is carried out by your own unprivileged shell, so only echo runs as root, not the write to the file.)

To Make This Tutorial Approachable To Everyone, Let’s Break Down The Command:

How The Command Works:

  • echo sends 'vm.swappiness=60' to the standard output – basically meaning echo will print the segment in quotes
  • | (pipe) takes the output from the previous command (echo) and hands it to the next command, instead of the screen
  • sudo creates superuser privileges. The command run after ‘sudo’ (here: tee) will be run as root, so it is allowed to write to /etc/sysctl.conf
  • tee -a writes what it receives to the end of the /etc/sysctl.conf file (and also prints it). TIP: Without -a, tee would OVERWRITE the file, just as a single > would. Using (2) >> APPENDS to the end of a file
  • The filename is at the end here, preceded by tee -a, which appends to the location after it.

TIP: Experiment using the above information, to create new command combinations. Utilize the ‘>>’ to create new logging features for your scripts.


Adding Additional Changes To Sysctl.conf

Add as many changes as you need to /etc/sysctl.conf. Follow previous steps, replace ‘vm.swappiness=60’ with each new change you wish to add.


Questions / Comments Welcome: It Might Help Someone Else Too.

Our example change activates swap before the previous 10% memory, up to 60% to use swap.


A Few Security / Privacy Related Lines For You To Try! (Desktop – Not Router)

net.ipv4.conf.all.accept_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv4.conf.default.send_redirects=0


TIP: Run Lynis To See If It Offers Changes For /etc/sysctl.conf. See my previous Tutorial on Lynis Security + Hardening Scanner Here.


After Editing File: Load New Settings

Next you can reload your file by issuing:

sudo sysctl -p

Or, optionally, reboot your system to load the sysctl file.

Always a good idea to test out your new options before attempting to load new sysctl options at boot (see above for testing).
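A way to confirm the redirect lines above actually made it into the file before relying on them. This is an added example, not part of the original tutorial: it parses sysctl.conf-style text (comments, optional spaces around =, later lines overriding earlier ones) and reports which of the eight keys listed above are missing or set to something else. The sample file content is constructed.

```python
# The eight redirect settings listed in this post, with the value the post uses.
EXPECTED = {
    "net.ipv4.conf.all.accept_redirects": "0",
    "net.ipv6.conf.all.accept_redirects": "0",
    "net.ipv4.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.secure_redirects": "0",
    "net.ipv4.conf.default.secure_redirects": "0",
    "net.ipv6.conf.default.accept_redirects": "0",
    "net.ipv4.conf.all.send_redirects": "0",
    "net.ipv4.conf.default.send_redirects": "0",
}

# Constructed sample of an /etc/sysctl.conf that was edited by hand a few times.
SAMPLE_CONF = """\
# /etc/sysctl.conf (constructed sample)
vm.swappiness=60
net.ipv4.conf.all.accept_redirects = 0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.conf.default.accept_redirects=0
#net.ipv4.conf.all.secure_redirects=0
net.ipv4.conf.default.secure_redirects=0
net.ipv6.conf.default.accept_redirects=0
net.ipv4.conf.all.send_redirects=1
net.ipv4.conf.default.send_redirects=0
net.ipv4.conf.default.send_redirects=1
"""


def parse_sysctl_conf(text: str) -> dict:
    """Return {key: value} as sysctl -p would leave them after reading text."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        key, sep, value = line.partition("=")
        if not sep:                          # not an assignment: ignore
            continue
        # A leading '-' only tells sysctl to ignore errors for that key.
        key = key.strip().lstrip("-").strip()
        settings[key] = value.strip()        # lines apply in order: the last wins
    return settings


def audit(text: str, expected: dict = EXPECTED) -> list:
    """List (key, value found or None, value wanted) for every setting not in place."""
    current = parse_sysctl_conf(text)
    findings = []
    for key, want in expected.items():
        have = current.get(key)
        if have != want:
            findings.append((key, have, want))
    return findings


if __name__ == "__main__":
    for key, have, want in audit(SAMPLE_CONF):
        state = "missing" if have is None else "set to " + have
        print(f"{key}: {state}, expected {want}")
```

The same two functions can be pointed at the real file by passing the contents of /etc/sysctl.conf instead of the sample; the running values still only change after sudo sysctl -p or a reboot.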


I may add more to this, including more details, including at the (public) Gitea Onion..


⌚ Pinetime Firmware Upgrade (+ Privacy Friendly Smartwatch? 🤔)

Today, I can feel comfortable recommending Pinetime as a Smartwatch option to those who care about Privacy.

The above sentence may sound a bit odd to read at first. I’m about to explain why I hadn’t been able to explicitly recommend it for privacy (in the past).

Big changes in Pinetime since then.

To those who missed my previous Pinetime first impressions video, I received the open source smartwatch from a family member as a gift.

Mainly, I wanted it to help me track my heartrate goals, and steps during workouts.

Smart devices with data we can ‘own’! It had been at least 10 years since I carried a watch (with smartphones and everything providing time)! And I’m not exactly trusting of most “Smart” devices, especially considering some revelations coming out concerning smartwatch data sharing.

(See This Story As An Example)

In January (when the first video was made), I knew bluetooth was on (all the time – at that time). This wasn’t such a big deal to me personally, I wanted to use it during workouts mainly… but deep down I always desire a way to turn bluetooth off!

The day has come.

Hearing news of a firmware release/update, I decided to upgrade my firmware.

Better yet, why not make a video out of the process?

TODAY’S VIDEO: UPGRADING PINETIME FIRMWARE / FEATURES: https://www.youtube.com/embed/E5nRuCV1Yas

PREVIOUS “FIRST IMPRESSIONS” VIDEO CAN BE SEEN HERE.


UPDATE

When I started recording this latest video, I was unaware of one thing: the newest firmware I was installing during video recording (1.9.0) offered the ability to disable Bluetooth.

Great News (To Me Anyways)


Of course you need to turn bluetooth back on anytime you wish to pair with a phone / update firmware, but to me, that’s no big deal. It’s not something you need outside those moments.

Everything else I’m using on the phone (heartrate monitor, pong game, step tracker), is self contained in the watch, not requiring bluetooth connection for my purposes.


Turning Off Bluetooth

  • Swipe screen right
  • Enter “Gear” Icon Settings
  • Scroll Down To Bluetooth:
  • Next Tap “Bluetooth” (Seen Above)
  • Bringing You To Enable / Disable Bluetooth:

That’s it. It’s now disabled. Make sure to go into these settings to enable it anytime you need to pair or upgrade firmware.


But… Is It Really Disabled?

Quick Test

Scapy Python Script: Pinetime Setting: Bluetooth On:


And Now, Pinetime Bluetooth Off:
(the grey boxes showing other bluetooth devices, Infinitime not showing up)

No Infinitime Devices seen during sniffing session with Bluetooth Disabled. Off to a good start.

(Greyed out boxes to prevent displaying any local bluetooth identifiers [unrelated to Pinetime but local to me])
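The on/off comparison described above can be done on captured advertising payloads, shown here as an added example (this is not the Scapy script from the screenshots, which is not reproduced on this page). It assumes the watch advertises the local name "InfiniTime" and that a sniffer has already supplied (address, advertising data) pairs; the payloads and addresses below are constructed.

```python
"""Look for a device name in captured BLE advertising payloads."""

AD_SHORT_NAME = 0x08     # AD type: Shortened Local Name
AD_COMPLETE_NAME = 0x09  # AD type: Complete Local Name


def parse_ad_structures(payload):
    """Split advertising data into (ad_type, data) pairs.

    Each structure is one length byte, one type byte, then length-1 data bytes.
    """
    structures = []
    i = 0
    while i < len(payload):
        length = payload[i]
        if length == 0:            # zero length: padding, nothing follows
            break
        end = i + 1 + length
        if end > len(payload):     # truncated structure: keep what parsed so far
            break
        structures.append((payload[i + 1], payload[i + 2:end]))
        i = end
    return structures


def local_name(payload):
    """Return the advertised name (complete preferred over shortened), or None."""
    shortened = None
    for ad_type, data in parse_ad_structures(payload):
        if ad_type == AD_COMPLETE_NAME:
            return data.decode("utf-8", errors="replace")
        if ad_type == AD_SHORT_NAME and shortened is None:
            shortened = data.decode("utf-8", errors="replace")
    return shortened


def devices_named(reports, wanted):
    """Return sorted addresses whose advertised name contains `wanted`."""
    hits = set()
    for address, payload in reports:
        name = local_name(payload)
        if name and wanted.lower() in name.lower():
            hits.add(address)
    return sorted(hits)


def _ad(ad_type, data):
    """Build one AD structure (used only for the constructed samples below)."""
    return bytes([len(data) + 1, ad_type]) + data


# Constructed captures: made-up addresses and names, not real sniffer output.
FLAGS = _ad(0x01, b"\x06")
WATCH = ("AA:BB:CC:00:00:01", FLAGS + _ad(AD_COMPLETE_NAME, b"InfiniTime"))
OTHER = ("AA:BB:CC:00:00:02", FLAGS + _ad(AD_SHORT_NAME, b"Speaker"))
NAMELESS = ("AA:BB:CC:00:00:03", FLAGS)

SESSION_BT_ON = [WATCH, OTHER, NAMELESS, WATCH]   # watch advertising repeatedly
SESSION_BT_OFF = [OTHER, NAMELESS, OTHER]

if __name__ == "__main__":
    for label, session in (("on", SESSION_BT_ON), ("off", SESSION_BT_OFF)):
        print(f"Bluetooth {label}: {devices_named(session, 'infinitime') or 'none seen'}")
```

An empty result only shows that no advertisement carrying that name was captured during the session, so a longer capture gives more confidence than a short one.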

Now I feel a bit more comfortable wearing it everywhere. And I can finally say: it’s more privacy friendly!

Of course if you are paired, bluetooth will be on during that. Don’t forget to re-enable / disable, as needed.

Thanks for reading / watching.

Feel free to leave a comment / question.


RELATED LINKS

Pinetime Wiki

JF’s Dev Blog (Great Work On Pinetime!)

Infinitime FOSS Firmware (Pinetime)

Infinitime Contributors (Github)

Pinetime (On Pine64 Store)

Pine64 Community Forum

Pine64 (Hardware Maker Of Pinetime Focused On Linux / FOSS Community – Maker Of Pinephone)

(let me know if I miss a link, if you are a contributor to Pinetime or otherwise, by comment or email and I will add to the list)

PGP + Privatebin Message Tutorial + Tips (Now Public)

NOTE: Most people don’t need this tutorial – in fact no one truly “needs this”.

But with Human Rights and Journalism under threat, war repressing rights around the world, this tutorial can serve as an example: a “zero trust” communication method, whereby no single point of failure is relied upon.

Does it enhance security/privacy over either PGP, or Tor Hidden Service, or Privatebin alone? Absolutely! We are compartmentalizing and multiplying!

To be completely honest: Most people should not go through the trouble!

Part of my effort to bring unique tutorials to Politictech.


Big Thank You to the Supporters (this month):

Greg and Tammy.


Tutorial now public!

First Shared with Supporters days ahead of time
(sometimes weeks ahead as with other tutorial in progress).



This demonstrates an idea: combining multiple tools and security/privacy tricks we covered recently, to avoid the single point of failure and trust problem seen in most encrypted communication.

TODAY WE COMBINE:

  • 3072 bit RSA Encrypted PGP Message, Pasted into:
  • PrivateBin 256bit zk-snark AES Encrypted (Stored on server without host having access)
  • Hosted As: Tor Hidden Service (RSA end to end encryption in transit – before reaching internet)


Heads Up: If you saw the earlier Privatebin video, this post provides new info/ideas to share + Tip at end.


Previous video introduction to Privatebin’s “zero knowledge AES 256bit Encrypted Pastebin” is shown below (in case you missed it):

Earlier, we covered benefits, and very basic usage of our “zero knowledge” 256bit AES Encrypted Pastebin.

This post gets more creative, mixing what we learned lately.


(click picture below to watch aforementioned video on Peertube… deeper tutorial below this.)

Privatebin Video also available at:

[ Odysee ]

[ Youtube Here and Plays Inside Page Below ]: https://www.youtube.com/embed/KDYuAibtcwo


In the above video, we shared a hypothetical situation, where a specific PGP key was shared.

Sharing keys through the Privatebin pastebin, as demonstrated in the above video, is one option, with “burn after reading” selected to ensure only 1 person can possibly read that key.


But the conversation doesn’t have to end there…

If sharing a public key uses Privatebin, we could just as easily be sending encrypted PGP notes inside the passphrase protected AES 256bit Encrypted Private Pastebin.


MORE SECURE THAN PGP ALONE?

For communications opsec (operational security), we take advantage of the PGP Tutorials we recently covered, combining them with the more recently shared “zero knowledge” encrypted pastebin knowledge.

Keep reading for a unique tutorial…


If you missed those, this tutorial recommends first learning the GPG / GPA ropes below:

CREATING PGP ENCRYPTED MESSAGES (in 11min): https://www.youtube.com/embed/LOuREpmE92Y


MOVING PGP KEYS TO MULTIPLE MACHINES (OPTIONAL BUT USEFUL): https://www.youtube.com/embed/x_e1aoOuftM


TUTORIAL

ASYMMETRIC + SYMMETRIC CRYPTO (PGP + PRIVATEBIN)

SECURITY TIP: We could share BOTH PGP public key AND the encrypted PGP messages within our AES password protected, “burn after reading” privatebin, for a more secure, compartmentalized situation.


OUR LOCAL KEYRING:


Open GPA —> Windows —> Keyring Manager —> New Key:


Creating temp usage key (set expiration date):

Once this key expires, it can no longer be used by anyone else to encrypt new messages, and thus can’t be used to forge messages from you in the future if it is ever (somehow) compromised, as unlikely as that is.


Example Key Expiry: 2 Weeks


TIP: Setting the key to expire at the end of communication ensures no future messages will be encrypted by this key (in case it somehow became compromised in the future, however unlikely).


TIP: An expired key has no bearing on the ability of the private key to decrypt a message.


We write our message in PGP Clipboard:


We Have Our Temp Key

Choose: Who Is Our Message To And From?

(You may even write a message to yourself, if you like!)


After Hitting “OK” Our Encrypted Message Is Ready To Cut / Paste Anywhere:

Next: Pasting Into Tor Hidden Service zk-256bit AES Encrypted Pastebin:

(note we selected “burn after reading”, added passphrase and only pasted encrypted message itself)


Next We Hit “Send” To Create Our New 256bit AES Encrypted Message.

Then we right click to copy the password protected encrypted paste onion address:


Benefits:

  • No Single Point Of Failure Relied Upon.
  • All requirements must be met to read message sent this way.


“ALL” MUST BE FULFILLED SIMULTANEOUSLY TO READ OUR MSG:

  • Control of PGP Keys + associated keys passphrase AND
  • Burn After Reading: only ONE can view pastebin message AND
  • AES Encrypted “zero knowledge” (even host can’t read the encrypted PGP ciphertext – as little good that would do for them!) AND
  • 256bit AES Encrypted Pastebin message passphrase further protects the PGP encrypted message itself
  • Tor Hidden Service providing End-To-End encryption for entire sequence of data
    (RSA encryption, .onion making up public key)

As you can see, our message is quite secure!

More than most would ever care to use, or need, but serves as an example: how we can use a little creativity + combinations to further increase the privacy/security of any given message/communication.


On receipt of the Privatebin message, the sharable link opens only 1 time (“burn after reading” setting), and requires a password to decrypt.

Opening the link in Tor Browser will prompt for password before even displaying the encrypted PGP message, which will then still need to be decrypted in GNU Privacy Assistant / gpg using the correct keys/passphrase:



Advanced Tip: For more insanely private secure messages (unnecessarily so), we could combine: airgap PGP machines, steganography + encryption to embed PGP messages inside images, finally attaching this picture file to AES encrypted zero knowledge pastebin.

This would be far “too much” for most. Security usability has its limits. I find that a bit too far.

Still, I decided to share some related concepts, as unlikely as they are to be used.

See previous post/video on combining hidden steganography + encryption: Here. (encrypted volume inside video files tutorial)


Coming up we take a look at privacy respecting open source alternatives to the Social Media giants.


*New* File Upload Option: 256bit AES Encrypted Pastebin


NEW: FILE UPLOAD/SHARING OPTION ADDED

Today’s post is to share a new feature: file uploads.

Added the option today.


Try It Here (Public For All): PASTEBIN (.onion)


(must use Tor Browser to access)


CREATE PASTEBIN NOTE SCREENSHOT + NEW FILE UPLOAD BUTTON

FEATURES:

  • AES 256bit Encryption
  • “Zero Knowledge” (notes/files invisible + not readable by server host)
  • Burn After Reading (readable by 1 person, then self destructs note/file)
  • Expire Note/File (1 week default, custom time/never expire option)
  • Password Protect (option)
  • Encrypted Note/File Sharable QR Code
  • Formatting: Plaintext or Code or Markdown
  • Preview Note Feature To Check On Formatting

EXAMPLE PAGE (AFTER HITTING “SEND” TO CREATE NOTE)


EXAMPLE NOTE WITH DOWNLOADABLE FILE ADDED



Hope you find this encrypted note pastebin useful.

USAGE IDEAS INCLUDE:

  • Share private information to protect Human Rights/Privacy
  • Sharing credentials for website customers
  • Sharing personal forms
  • Sharing other personal information for business and meetings
  • Share online location for private chatrooms
  • Share code for collaboration on private projects

For ethical privacy + Human Rights purposes.

ā¤ļø MONERO: 48qtspi5En44mJZLeiMoHYFEmuJfQYb5DLQxLDr7d1NXc53XaAvoT8PS3wBrhEc3VY1wxu5Rgw6oKBYgahpSAYnpHntbQNM

ā¬‡ļø Community Pastebin + File Share:

šŸ§…šŸ” PASTEBIN (.onion)

(must use Tor Browser to access)

If you ever need the pastebin link, it is always available linked on the Frontpage.


EXTRA: Want to Support the unique Tutorial/Video/Human Rights/privacy scripts work here? And download for your very own “privacybox” server (with fully automated + custom option setup) with:

  • unique onion/keys generated first login
  • AES 256bit encrypted zero knowledge pastebin
  • Nextcloud Tor hidden service server + Maps for satellite earth image viewing
  • Nextcloud Talk for privacy/anon encrypted chats/internal messaging
  • Torified wifi router (can turn off/on in the menu shell)
  • shell style configuration/option menu (for settings and more)
  • blocking networkwide of intel AMT ports for wifi client devices
  • daily log scanning + important security events emailed to local user
  • + more!

If the above described interests you (automated “privacybox”) you can find this supporter custom RPI .img in “Extras” section (monero/btc/options available).

This custom image is a way to offer those supporters, something in return.

Email if you would like more details/information.

This project is a continuous effort and updates/new features/.img’s are shared with those in this group.


More public tutorials/scripts will be coming soon.

Browse / Search open tutorials by category Here.


RELATED (OUTSIDE) LINK: Privatebin Project



Lynis Scanner: Audit + Harden Linux System

[ Bitchute ]

[ Peertube ]

[ Odysee ]

[ Youtube ]

Watch Right Here: https://www.youtube.com/embed/jMGYtgPvwYI


SCREENSHOTS:

Scan Conclusion/Score:


Example Suggestions:

UPDATED SCREENSHOT (03.08.2022):

After the video, I scanned again, to see the change in score.

What was covered on video brought it from 65, up to 71/100.

We will be covering more hardening in future posts. Be sure to follow if you are interested in joining!


(below are related tutorials I suggest following if you missed them)

RELATED SECURITY TUTORIALS:

Secure your SSH w/key authentication (no password)

Prevent SSH Brute force attacks + Demo on weakness of pin numbers

Checksum Integrity Checking (Debian) + Screenshots

Checksum Integrity Checking (Debian) Video

Checksum Integrity Checking (Arch/Manjaro)



Securely Encrypt + Transfer Files + PGP Key Backups

I may add more text to this in future edits to add more information/facts/details for everyone. For now, the latest video.


Some unique topics are not searched for naturally + big tech is not interested in promoting real privacy going against their business model.


No, I’m not here selling you a sponsor VPN (that no one can audit). I’m here to bring you privacy tutorials honestly. Things you don’t have to pay for. Something you won’t find shared most places.

ā¤ļø But really, what I appreciate most, is those who take the time to repost these tutorials/videos. Thank you. Other optional Support options on Main Page including extras / membership.


Public Community Politictech Servers (Tor Browser Access: No Registration Needed)

[ PASTEBIN (.onion) *NEW* ] [ GITEA SERVICE (.onion) ]


MULTIPLE SUBJECTS TODAY

  • First, we learn how to use symmetric ciphers in gpg to encrypt file backups, so files can be securely transferred by email or any other platform (a symmetric cipher keeps encrypted data secret from everyone except those who know the passphrase)
  • We learn to back up our PGP keys and transfer them to a new device (securely)
  • We learn to use scp (ssh file transfer) to transfer files directly over an encrypted connection

(click image below to watch on decentralized Peertube channel or watch the embedded Youtube video below it)


Thanks for watching!


If you missed the other related SSH and PGP guides, see:

Learn to use PGP in 11min + PGP Signature verification guide

Full Guide: Verify PGP Signed Images [ie: Linux Distro] (Screenshots + More)

Secure your SSH w/key authentication (no password)

Prevent SSH Brute force attacks + Demo on weakness of pin numbers

