Showing posts with label Privacidade. Show all posts

Monday, January 18, 2016

Encrypted UDP based FTP - UFTP



Encrypted UDP based FTP with multicast

UPDATE: Version 4 of UFTP is now available! The protocol has been heavily altered to support a number of new features:

  • The ability to send multiple files in a single session
  • An SSL/TLS derived encryption layer to protect your data
  • Multicast tunneling
  • NAT traversal
  • Aggregation of client responses, providing scalability
  • Support for variable packet sizes, including jumbo frames
  • More fine grained control of network timing/retransmission parameters

The code has also been completely restructured to be more readable and easier to update/support.

UFTP is an encrypted multicast file transfer program, designed to securely, reliably, and efficiently transfer files to multiple receivers simultaneously. This is useful for distributing large files to a large number of receivers, and is especially useful for data distribution over a satellite link (with two way communication), where the inherent delay makes any TCP based communication highly inefficient. The multicast encryption scheme is based on TLS with extensions to allow multiple receivers to share a common key. UFTP also has the capability to communicate over disjoint networks separated by one or more firewalls (NAT traversal) and without full end-to-end multicast capability (multicast tunneling) through the use of a UFTP proxy server. These proxies also provide scalability by aggregating responses from a group of receivers. UFTP has been used in the production process of The Wall Street Journal to send WSJ pages over satellite to their remote printing plants, and other users have used it to send to over 1000 receivers.


Encrypted UDP based FTP: UFTP Protocol Summary

A UFTP session consists of 3 main phases: The Announce/Register phase, the File Transfer phase, and the Completion/Confirmation phase. The File Transfer phase additionally consists of the File Info phase and the Data Transfer phase for each file sent.

The Announce/Register phase sets up the multicast file transfer session and negotiates all encryption parameters. The server sends out an announcement over a public multicast address which the clients are expected to be listening on. All subsequent messages from the server go over a private multicast address specified in the announcement. Allowed clients send a registration to respond to the announcement. The server will then send either a confirmation message if encryption is disabled, or the encryption keys for the session if encryption is enabled. If the client receives the encryption keys, it sends an acknowledgment back to the server.

The File Transfer phase starts with the File Info phase for the first file to send. The server sends a message describing the file in question. Besides the name and size of the file, this message describes how the file will be broken down. A file is divided into a number of blocks, and these blocks are grouped into sections. A block is a piece of the file that is sent in a single packet, and a section is a grouping of blocks. The total number of blocks and sections is included in this message.

Continuing the File Transfer phase is the Data Transfer phase for the first file. Data packets, each of which is a block, are sent by the server at a rate specified by the user. Because UDP does not guarantee that packets will arrive in order, each block is numbered so the client can properly reassemble the file. When the server has finished sending all data packets, it sends a message to the clients indicating this.

When a client detects the end of a section or receives an end of file message from the server, and the client has detected one or more missing blocks, the client will send back a message containing a list of NAKs (negative acknowledgments). When the server receives NAKs from one or more clients, it goes back and retransmits any blocks that were NAKed, then continues on sending any untransmitted blocks. When a client has received the entire file, it sends a completion message in response to the server’s end of file message. This continues until all clients have either sent a completion message or have timed out after the server sent its end of file message.

The File Info phase and the Data Transfer phase are then repeated for each file to be sent during the session.


The Completion/Confirmation phase shuts down the session between the server and clients. It starts with a message from the server indicating the end of the session. The clients then respond with a completion message, and the server responds to each completion with a confirmation message.
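The block/section/NAK recovery described in the protocol summary above, as an added example that is not UFTP's own code: a single-server, single-client simulation in Python over a constructed lossy channel. The FileInfo/LossyChannel/Client/Server names, the (block, attempt) drop pattern and the message shapes are this example's own assumptions, not UFTP's wire format.

```python
from dataclasses import dataclass


@dataclass
class FileInfo:
    """Contents of the File Info message: how the file is split into blocks and sections."""
    name: str
    size: int
    block_size: int
    blocks_per_section: int

    @property
    def num_blocks(self) -> int:
        return (self.size + self.block_size - 1) // self.block_size

    @property
    def num_sections(self) -> int:
        return (self.num_blocks + self.blocks_per_section - 1) // self.blocks_per_section

    def section_of(self, block_num: int) -> int:
        return block_num // self.blocks_per_section


class LossyChannel:
    """Constructed loss pattern (assumption): drops the listed (block_num, attempt) pairs."""
    def __init__(self, drops):
        self.drops = set(drops)
        self.attempts = {}
        self.sent = 0

    def deliver(self, block_num: int) -> bool:
        self.sent += 1
        attempt = self.attempts.get(block_num, 0)
        self.attempts[block_num] = attempt + 1
        return (block_num, attempt) not in self.drops


class Client:
    def __init__(self, info: FileInfo):
        self.info = info
        self.blocks = {}          # block number -> payload; UDP may reorder, so key by number
        self.current_section = 0

    def missing_in_section(self, section: int) -> list:
        lo = section * self.info.blocks_per_section
        hi = min(lo + self.info.blocks_per_section, self.info.num_blocks)
        return [b for b in range(lo, hi) if b not in self.blocks]

    def on_block(self, block_num: int, payload: bytes) -> list:
        """Store a block; return a NAK list for any section that just ended with gaps."""
        naks = []
        section = self.info.section_of(block_num)
        if section > self.current_section:
            # The first block of a later section marks the end of the earlier ones.
            for s in range(self.current_section, section):
                naks.extend(self.missing_in_section(s))
            self.current_section = section
        self.blocks[block_num] = payload
        return naks

    def on_end_of_file(self):
        """Answer the server's end-of-file message with COMPLETE or a NAK list."""
        missing = [b for b in range(self.info.num_blocks) if b not in self.blocks]
        return ("COMPLETE", []) if not missing else ("NAK", missing)

    def reassemble(self) -> bytes:
        return b"".join(self.blocks[b] for b in range(self.info.num_blocks))


class Server:
    def __init__(self, name: str, data: bytes, block_size: int, blocks_per_section: int):
        self.info = FileInfo(name, len(data), block_size, blocks_per_section)
        self.chunks = [data[i:i + block_size] for i in range(0, len(data), block_size)]

    def transfer(self, client: Client, channel: LossyChannel, max_rounds: int = 10):
        """Data Transfer phase for one file; returns (status, number of end-of-file rounds)."""
        pending = list(range(self.info.num_blocks))   # untransmitted blocks, in order
        rounds = 0
        while True:
            while pending:
                block = pending.pop(0)
                if channel.deliver(block):
                    naks = client.on_block(block, self.chunks[block])
                    pending = naks + pending      # retransmit NAKed blocks, then continue
            rounds += 1
            status, missing = client.on_end_of_file()
            if status == "COMPLETE" or rounds >= max_rounds:
                return status, rounds
            pending = missing


def run_demo():
    """Constructed input: a 1024-byte file, 64-byte blocks, 4 blocks per section."""
    data = bytes(range(256)) * 4
    server = Server("demo.bin", data, block_size=64, blocks_per_section=4)
    client = Client(server.info)
    # Block 2 lost once, block 5 lost twice, last block lost once (only caught at end of file).
    channel = LossyChannel({(2, 0), (5, 0), (5, 1), (15, 0)})
    status, rounds = server.transfer(client, channel)
    return status, rounds, client.reassemble() == data, channel.sent


if __name__ == "__main__":
    print(run_demo())   # ('COMPLETE', 2, True, 20)
```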





Thursday, January 7, 2016

SCRYPTmail



Goals have been set, and features have been delivered.

We are working very hard on SCRYPTmail. We know private email is not only possible but can also be beautiful and usable. We've delivered excellent features that have made SCRYPTmail a go-to service for end-to-end encrypted email.

By OffensiveSec



Wednesday, January 6, 2016

Vuvuzela - Private Messaging System That Hides Metadata


Vuvuzela is a messaging system that protects the privacy of message contents and message metadata. Users communicating through Vuvuzela do not reveal who they are talking to, even in the presence of powerful nation-state adversaries. Our SOSP 2015 paper explains the system, its threat model, performance, limitations, and more. Our SOSP 2015 slides give a more graphical overview of the system. 

Vuvuzela is the first system that provides strong metadata privacy while scaling to millions of users. Previous systems that hide metadata using Tor (such as Pond) are prone to traffic analysis attacks. Systems that encrypt metadata using techniques like DC-nets and PIR don't scale beyond thousands of users.

Vuvuzela uses efficient cryptography (NaCl) to hide as much metadata as possible and adds noise to metadata that can't be encrypted efficiently. This approach provides less privacy than encrypting all of the metadata, but it enables Vuvuzela to support millions of users. Nonetheless, Vuvuzela adds enough noise to thwart adversaries like the NSA and guarantees differential privacy for users' metadata.

Screenshots

A conversation in the Vuvuzela client

In practice, the message latency would be around 20s to 40s, depending on security parameters and the number of users connected to the system.

Noise generated by the Vuvuzela servers

Vuvuzela is unable to encrypt two kinds of metadata: the number of idle users (connected users without a conversation partner) and the number of active users (users engaged in a conversation). Without noise, a sophisticated adversary could use this metadata to learn who is talking to whom. However, the Vuvuzela servers generate noise that perturbs this metadata so that it is difficult to exploit.

Usage
Follow these steps to run the Vuvuzela system locally using the provided sample configs.
  1. Install Vuvuzela (assuming GOPATH=~/go, requires Go 1.4 or later):
    $ go get github.com/davidlazar/vuvuzela/...
    The remaining steps assume PATH contains ~/go/bin and that the current working directory is ~/go/src/github.com/davidlazar/vuvuzela.
  2. Start the last Vuvuzela server:
    $ vuvuzela-server -conf confs/local-last.conf
  3. Start the middle server (in a new shell):
    $ vuvuzela-server -conf confs/local-middle.conf
  4. Start the first server (in a new shell):
    $ vuvuzela-server -conf confs/local-first.conf
  5. Start the entry server (in a new shell):
    $ vuvuzela-entry-server -wait 1s
  6. Run the Vuvuzela client:
    $ vuvuzela-client -conf confs/alice.conf
The client supports these commands:
  • /dial <user> to dial another user
  • /talk <user> to start a conversation
  • /talk <yourself> to end a conversation

Deployment considerations
This Vuvuzela implementation is not ready for wide-use deployment. In particular, we haven't yet implemented these crucial components:
  • Public Key Infrastructure: Vuvuzela assumes the existence of a PKI in which users can privately learn each other's public keys. This implementation uses pki.conf as a placeholder until we integrate a real PKI.
  • CDN to distribute dialing dead drops: Vuvuzela's dialing protocol (used to initiate conversations) uses a lot of server bandwidth. To make dialing practical, Vuvuzela should use a CDN or BitTorrent to distribute the dialing dead drops.
There is a lot more interesting work to do. See the issue tracker for more information.



CenoCipher - Easy-To-Use, End-To-End Encrypted Communications Tool



CenoCipher is a free, open-source, easy-to-use tool for exchanging secure encrypted communications over the internet. It uses strong cryptography to convert messages and files into encrypted cipher-data, which can then be sent to the recipient via regular email or any other channel available, such as instant messaging or shared cloud storage.

Features at a glance

  • Simple for anyone to use. Just type a message, click Encrypt, and go
  • Handles messages and file attachments together easily
  • End-to-end encryption, performed entirely on the user's machine
  • No dependence on any specific intermediary channel. Works with any communication method available
  • Uses three strong cryptographic algorithms in combination to triple-protect data
  • Optional steganography feature for embedding encrypted data within a Jpeg image
  • No installation needed - fully portable application can be run from anywhere
  • Unencrypted data is never written to disk - unless requested by the user
  • Multiple input/output modes for convenient operation

Technical details

  • Open source, written in C++
  • AES/Rijndael, Twofish and Serpent ciphers (256-bit keysize variants), cascaded together in CTR mode for triple-encryption of messages and files
  • HMAC-SHA-256 for construction of message authentication code
  • PBKDF2-HMAC-SHA256 for derivation of separate AES, Twofish and Serpent keys from user-chosen passphrase
  • Cryptographically safe pseudo-random number generator ISAAC for production of Initialization Vectors (AES/Twofish/Serpent) and Salts (PBKDF2)

Version History (Change Log)

Version 4.0 (December 05, 2015)

  • Drastically overhauled and streamlined interface
  • Added multiple input/output modes for cipher-data
  • Added user control over unencrypted disk writes
  • Added auto-decrypt and open-with support
  • Added more entropy to Salt/IV generation

Version 3.0 (June 29, 2015)

  • Added Serpent algorithm for cascaded triple-encryption
  • Added steganography option for concealing data within Jpeg
  • Added conversation mode for convenience
  • Improved header obfuscation for higher security
  • Increased entropy in generation of separate salt/IVs used by ciphers
  • Many other enhancements under the hood

Version 2.1 (December 6, 2014)

  • Change cascaded encryption cipher modes from CBC to CTR for extra security
  • Improve PBKDF2 rounds determination and conveyance format
  • Fix minor bug related to Windows DPI font scaling
  • Fix minor bug affecting received filenames when saved by user

Version 2.0 (November 26, 2014)

  • Initial open-source release
  • Many enhancements to encryption algorithms and hash functions

Version 1.0 (June 10, 2014)

  • Original program release (closed source / beta)


Tor Messenger - Chat over Tor, Easily

Tor Messenger is a cross-platform chat program that aims to be secure by default and sends all of its traffic over Tor. It supports a wide variety of transport networks, including Jabber (XMPP), IRC, Google Talk, Facebook Chat, Twitter, Yahoo, and others; enables Off-the-Record (OTR) Messaging automatically; and has an easy-to-use graphical user interface localized into multiple languages.

What it isn't...

Tor Messenger builds on the networks you are familiar with, so that you can continue communicating in a way your contacts are willing and able to do. This has traditionally been in a client-server model, meaning that your metadata (specifically the relationships between contacts) can be logged by the server. However, your route to the server will be hidden because you are communicating over Tor.
We are also excited about systems like Pond and Ricochet, which try to solve this problem, and would encourage you to look at their designs and use them too.

Why Instantbird?

We considered a number of messaging clients: Pidgin, Adam Langley's xmpp-client, and Instantbird. Instantbird was the pragmatic choice -- its transport protocols are written in a memory-safe language (JavaScript); it has a graphical user interface and already supports many natural languages; and it's a XUL application, which means we can leverage both the code (Tor Launcher) and in-house expertise that the Tor Project has developed working on Tor Browser with Firefox. It also has an active and vibrant software developer community that has been very responsive and understanding of our needs. The main feature it lacked was OTR support, which we have implemented and hope to upstream to the main Instantbird repository for the benefit of all Instantbird (and Thunderbird) users.

Instructions

  • On Linux, extract the bundle(s) and then run: ./start-tor-messenger.desktop
  • On OS X, copy the Tor Messenger application from the disk image to your local disk before running it.
  • On all platforms, Tor Messenger sets the profile folder for Firefox/Instantbird to the installation directory.
  • Note that as a policy, unencrypted one-to-one conversations are not allowed and your messages will not be transmitted if the person you are talking with does not have an OTR-enabled client. You can disable this option in the preferences to allow unencrypted communication but doing so is not recommended.


Tails 1.7 - The Amnesic Incognito Live System




Tails is a live operating system that you can start on almost any computer from a DVD, USB stick, or SD card. It aims at preserving your privacy and anonymity, and helps you to:
  • use the Internet anonymously and circumvent censorship;
    all connections to the Internet are forced to go through the Tor network;
  • leave no trace on the computer you are using unless you ask it explicitly;
  • use state-of-the-art cryptographic tools to encrypt your files, emails and instant messaging.

Tails, The Amnesic Incognito Live System, version 1.7, is out.
This release fixes numerous security issues. All users must upgrade as soon as possible.

New features

  • You can now start Tails in offline mode to disable all networking for additional security. Doing so can be useful when working on sensitive documents.
  • We added Icedove, a rebranded version of the Mozilla Thunderbird email client.
    Icedove is currently a technology preview. It is safe to use in the context of Tails but it will be better integrated in future versions until we remove Claws Mail. Users of Claws Mail should refer to our instructions to migrate their data from Claws Mail to Icedove.

Upgrades and changes

  • Improve the wording of the first screen of Tails Installer.
  • Restart Tor automatically if connecting to the Tor network takes too long. (#9516)
  • Update several firmware packages which might improve hardware compatibility.
  • Update the Tails signing key which is now valid until 2017.
  • Update Tor Browser to 5.0.4.
  • Update Tor to 0.2.7.4.

Fixed problems

  • Prevent wget from leaking the IP address when using the FTP protocol. (#10364)
  • Prevent symlink attack on ~/.xsession-errors via tails-debugging-info which could be used by the amnesia user to bypass read permissions on any file. (#10333)
  • Force synchronization of data on the USB stick at the end of automatic upgrades. This might fix some reliability bugs in automatic upgrades.
  • Make the "I2P is ready" notification more reliable.


Tuesday, January 5, 2016

Whonix v11 - Anonymous Operating System




Whonix is an operating system focused on anonymity, privacy and security. It’s based on the Tor anonymity network, Debian GNU/Linux and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user’s real IP.

Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.


Whonix for Qubes

Whonix for KVM

Whonix for VirtualBox

If you want to upgrade an existing Whonix version using Whonix’s APT repository, special instructions are required.

Changelog between Whonix 10.0.0.5.5 and Whonix 11.0.0.2.3:

– fixed custom workstation build
– build script: refactoring, use errtrace rather than many traps – https://phabricator.whonix.org/T48
– build script: refactoring, use exit trap to reduce code duplication – https://phabricator.whonix.org/T269
– whonixcheck: warn if whonix-gateway / whonix-workstation package is not installed – https://phabricator.whonix.org/T264
– whonixcheck: warn if there is low entropy – https://phabricator.whonix.org/T202
– build, anon-apt-sources-list, anon-shared-build-apt-sources-tpo, whonix-repository: changed release codename from wheezy to jessie – https://phabricator.whonix.org/T270
– grub-enable-apparmor: Refactoring. Simplified for Debian jessie. Thanks to the new `/etc/default/grub.d` configuration folder, the `grub-enable-apparmor` has been greatly simplified. No longer need to config-package-dev divert `/etc/default/grub`.
– genmkfile: if debuild not available, recommend installation of the devscripts package
– build script: added fakeroot to whonix_build_script_build_dependency (required for verifiable builds)
– genmkfile: fix, do not set automatically make_use_gain_root_command to true if fakeroot is not installed
– genmkfile: run dpkg-checkbuilddeps before lintian to show better hint if build dependencies are missing
– build script: build-steps.d/1200_create-debian-packages: commented out get_extra_packages, no longer need to download packages from testing
– build script: refactoring, created separate help step, help-steps/git_sanity_test
– whonixcheck: verbose output for check_tor_socks_port_reachability
– all packages: packaging, bumped Standards-Version from 3.9.4 to 3.9.6 for jessie support
– lintian warning copyright fix
– tb-updater: show “highest version number is not necessarily the best one” message also on first run if no Tor Browser is installed yet – https://phabricator.whonix.org/T283
– build script: No longer install acpi-support-base by default on jessie, because systemd now implements that functionality. – https://phabricator.whonix.org/T284
– whonixcheck: added link to Whonix Build Version documentation https://www.whonix.org/wiki/Whonixcheck#Whonix_Build_Version – https://phabricator.whonix.org/T276
– build script: Fix commit 287bdcf6ddee007ba579e3ee9a1997edc8188581 'makefile: added --pedantic to default DEBUILD_LINTIAN_OPTS because we are going to fix the last remaining "missing upstream changelog" warning' – added --pedantic to help-steps/variables.
– all packages: added debian/source/lintian-overrides with debian-watch-may-check-gpg-signature to fix lintian warning – https://phabricator.whonix.org/T277
– whonix-setup-wizard, anon-gw-anonyminizer-config, whonixcheck, whonix-ws-start-menu-additions, whonix-host-firewall: added ‘Keywords=’ to ‘.desktop’ files to fix lintian warning ‘desktop-entry-lacks-keywords-entry’ – https://phabricator.whonix.org/T281
– anon-shared-helper scripts: replaced dependency ‘python-support (>= 0.90)’ with dh-python to fix lintian warning
– control-port-filter-python: packaging, use debhelper with python2 to fix lintian warning
– modify apt-get parameters during build to prevent need to remove apt-listchanges – https://phabricator.whonix.org/T282
– build-script: refactoring, moved variables DEBIAN_FRONTEND DEBIAN_PRIORITY DEBCONF_NOWARNINGS APT_LISTCHANGES_FRONTEND from help-steps/variables to buildconfig.d/30_apt_opts
– genmkfile: hint “Is the build dependency genmkfile installed?” if genmkfile is not installed
– genmkfile: hint ‘dpkg-parsechangelog not found. Do you have the “build-essential” package installed?’ if dpkg-parsechangelog is not available
– sdwdate: removed dependency on ruby1.9.1-dev to fix lintian warning ‘E: sdwdate: depends-on-obsolete-package depends: ruby1.9.1-dev’
– whonixcheck: show diagnostic message on whonixcheck Whonix News gpg verification failure by default
– build script: Fix building Whonix on Whonix, fix if `lsb_release --short --i` returns 'Whonix'. Temp hack 'export whonix_build_on_operating_system="debian"' no longer required. Thanks to @nrgaway for the bug report and the analysis. – https://phabricator.whonix.org/T278
– tb-updater: tbbversion_installed parser fix
– anon-meta-packages: removed dependency on libupower-glib1 which is no longer available in Debian jessie (which has been replaced by upower, that already gets installed)
– anon-base-files, whonix-developer-meta-files: implemented WHONIX_BUILD_QUBES=true environment variable support – https://phabricator.whonix.org/T298
– anon-meta-packages: whonix-gateway and whonix-workstation package no longer depend on anon-shared-build-fix-grub because it has been made a weak dependency for better physical isolation and Qubes support
– code simplification, removed support for environment variable ANON_BUILD_INSTALL_TO_ROOT=true because anon-shared-build-fix-grub now gets only installed on required platforms
– implemented build parameter '--unsafe-io true', that speeds up builds, that uses '-o Dpkg::Options::=--force-unsafe-io', eatmydata and ignores 'sync'. – Thanks to @nrgaway for the suggestion! – https://phabricator.whonix.org/T295
– implemented $apt_misc_opts – https://phabricator.whonix.org/T295
– whonixcheck: new --verbose debug feature, showing output of systemd-detect-virt
– vbox-disable-timesync: more robust implementation that is compatible with systemd – https://phabricator.whonix.org/T106
– timesync: compatibility with systemd – https://phabricator.whonix.org/T106
– whonixcheck, msgdispatcher: ported to systemd – https://phabricator.whonix.org/T106
– qubes-whonix: skip rads on Qubes – https://phabricator.whonix.org/T306
– systemd unit files: workaround/fix, removed spaces from ‘WantedBy = ‘, likely bug in ‘deb-systemd-helper’ that prevents enabling the service by default – https://phabricator.whonix.org/T316
– created a hellodaemon package, useful for Debian systemd packaging debugging – not part of Whonix – https://github.com/adrelanos/hellodaemon
– whonixcheck: debian/control: fix, added to ‘Build-Depends:’ ‘ruby-ronn (>= 0.7.3)’
– disable torsocks warning spam – https://phabricator.whonix.org/T317
– whonix-libvirt: fixed CI builds
– whonix-libvirt: added driver name=’qemu’ – Thanks to HulaHoop! – https://github.com/Whonix/whonix-libvirt/pull/20 https://github.com/Whonix/whonix-libvirt/pull/19 https://github.com/Whonix/whonix-libvirt/pull/18
– anon-meta-packages: added obfs4proxy to anon-gateway-packages-recommended – https://phabricator.whonix.org/T323
– anon-meta-packages: added apt-transport-tor to anon-shared-packages-recommended – https://phabricator.whonix.org/T92
– whonix-gw-network-conf, whonix-ws-network-conf: Removed ‘pre-up /usr/bin/whonix_firewall’, because /etc/network/if-pre-up.d to load the firewall, because of a Debian upstream bug interface comes up even if a script in /etc/network/if-pre-up.d/ fails http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700811 was fixed. – https://phabricator.whonix.org/T68
– whonix-gw-firewall, whonix-ws-firewall, whonix-host-firewall: Made package more standalone. Requiring 'pre-up /usr/bin/whonix_firewall' in /etc/network/interfaces is no longer necessary. Added etc/network/if-pre-up.d/30_whonix_firewall to load the firewall, because of a Debian upstream bug 'interface comes up even if a script in /etc/network/if-pre-up.d/ fails' http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700811 was fixed. – https://phabricator.whonix.org/T68
– whonixsetup, whonix-setup-wizard: fix ‘Tor fails after reload related to torrc DisableNetwork setting issue’ by only restarting Tor, no longer trying to reload Tor – https://phabricator.whonix.org/T320
– rads: Improved implementation. When there is enough RAM… On 'enter': instantly start login manager. On 'ctrl + c': instantly abort and do not start login manager. On 'timeout': start login manager. Thanks to 'dh_systemd_start --no-start' we can now use 'StandardInput=tty' and 'read' instead of 'systemd-ask-password'. Now we could even implement an interactive menu at boot (that allows to configure wait time and/or disabling rads). – https://phabricator.whonix.org/T57
– whonixcheck: abolished random wait by default – https://phabricator.whonix.org/T299
– anon-ws-disable-stacked-tor: fixed ‘insserv: script tor.anondist-orig: service tor already provided!’ warning during upgrades – https://phabricator.whonix.org/T303
– anon-ws-disable-stacked-tor: systemd compatibility – https://phabricator.whonix.org/T303
– anon-base-files: no longer ‘set -o pipefail’ in /usr/lib/pre.bsh. config-package-dev doesn’t like ‘set -o pipefail’ – http://mailman.mit.edu/pipermail/config-package-dev/2015-May/000041.html – https://phabricator.whonix.org/T329
– upstream bug report: spaces in Tor’s systemd unit file causes issues – https://trac.torproject.org/projects/tor/ticket/16162
– upstream bug report: Tor dies on reload when swichting to ‘DisableNetwork 0’ when using ‘DnsPort 127.0.0.1:53’ – https://trac.torproject.org/projects/tor/ticket/16161
– build script: fix, support '--verifiable false' (was '--verifiable minimal' while build documentation said 'false')
– uwt: multi user fix – https://www.whonix.org/forum/index.php/topic,1267
– Qubes: WiFi Realtek RTL8191SEvB Issue and Solution – https://groups.google.com/forum/#!topic/qubes-users/kMGTSwP72aU
– whonix-setup-wizard API proposal: https://www.whonix.org/wiki/Dev/whonixsetup



Monday, January 4, 2016

I2P - The Invisible Internet Project



I2P is an anonymous network, exposing a simple layer that applications can use to anonymously and securely send messages to each other. The network itself is strictly message based (a la IP), but there is a library available to allow reliable streaming communication on top of it (a la TCP). All communication is end to end encrypted (in total there are four layers of encryption used when sending a message), and even the end points ("destinations") are cryptographic identifiers (essentially a pair of public keys).

How does it work?

To anonymize the messages sent, each client application has their I2P "router" build a few inbound and outbound "tunnels" - a sequence of peers that pass messages in one direction (to and from the client, respectively). In turn, when a client wants to send a message to another client, the client passes that message out one of their outbound tunnels targeting one of the other client's inbound tunnels, eventually reaching the destination. Every participant in the network chooses the length of these tunnels, and in doing so, makes a tradeoff between anonymity, latency, and throughput according to their own needs. The result is that the number of peers relaying each end to end message is the absolute minimum necessary to meet both the sender's and the receiver's threat model.

The first time a client wants to contact another client, they make a query against the fully distributed "network database" - a custom structured distributed hash table (DHT) based off the Kademlia algorithm. This is done to find the other client's inbound tunnels efficiently, but subsequent messages between them usually includes that data so no further network database lookups are required.

What can you do with it?

Within the I2P network, applications are not restricted in how they can communicate - those that typically use UDP can make use of the base I2P functionality, and those that typically use TCP can use the TCP-like streaming library. We have a generic TCP/I2P bridge application ("I2PTunnel") that enables people to forward TCP streams into the I2P network as well as to receive streams out of the network and forward them towards a specific TCP/IP address.

I2PTunnel is currently used to let people run their own anonymous website ("eepsite") by running a normal webserver and pointing an I2PTunnel 'server' at it, which people can access anonymously over I2P with a normal web browser by running an I2PTunnel HTTP proxy ("eepproxy"). In addition, we use the same technique to run an anonymous IRC network (where the IRC server is hosted anonymously, and standard IRC clients use an I2PTunnel to contact it). There are other application development efforts going on as well, such as one to build an optimized swarming file transfer application (a la BitTorrent), a distributed data store (a la Freenet / MNet), and a blogging system (a fully distributed LiveJournal), but those are not ready for use yet.

I2P is not inherently an "outproxy" network - the client you send a message to is the cryptographic identifier, not some IP address, so the message must be addressed to someone running I2P. However, it is possible for that client to be an outproxy, allowing you to anonymously make use of their Internet connection. To demonstrate this, the "eepproxy" will accept normal non-I2P URLs (e.g. "http://www.i2p.net") and forward them to a specific destination that runs a squid HTTP proxy, allowing simple anonymous browsing of the normal web. Simple outproxies like that are not viable in the long run for several reasons (including the cost of running one as well as the anonymity and security issues they introduce), but in certain circumstances the technique could be appropriate.

The I2P development team is an open group, welcome to all who are interested in getting involved, and all of the code is open source. The core I2P SDK and the current router implementation is done in Java (currently working with both sun and kaffe, gcj support planned for later), and there is a simple socket based API for accessing the network from other languages (with a C library available, and both Python and Perl in development). The network is actively being developed and has not yet reached the 1.0 release, but the current roadmap describes our schedule.



Tuesday, September 1, 2015

No privacy in Windows 10? The same was already happening with Windows 7 and 8



No plans to install Windows 10 because of Microsoft's controversial data mining and the privacy invasions built into the operating system?

Well, Windows 7 and Windows 8 users should be just as worried about Windows 10's spying.

Microsoft has recently been pushing updates to Windows 7 and Windows 8 computers that effectively introduce the same data collection and user behaviour tracking features used in Windows 10.

With these new updates the operating system indiscriminately uploads data to Microsoft's servers, which can be a major privacy concern for many users.

Worrying updates

The updates in question are:

KB3068708 - This update introduces the Diagnostics and Telemetry tracking service to existing devices.

KB3022345 (replaced by KB3068708) - This update adds the Diagnostics and Telemetry tracking service to in-market devices.

KB3075249 - This update adds telemetry points to the User Account Control (UAC) feature in order to collect data on elevations that come from low integrity levels.

KB3080149 - This package updates the Diagnostics and Telemetry tracking service on existing devices.

These recent updates were released to install the "Diagnostics and Telemetry tracking service", which is the most controversial component of Microsoft's latest operating system.

Once installed, the Diagnostics and Telemetry tracking service immediately starts sending data to Microsoft's servers, and it keeps sending even if you untick every privacy option.

These four updates ignore the privacy settings users have configured on Windows 7 and Windows 8 and, as noted by gHacks, immediately start exchanging data with the following domains:

vortex-win.data.microsoft.com
settings-win.data.microsoft.com


How to stop the spying on Windows 7, 8 and 10?

The big question for users who are uncomfortable with these changes is: how do I stop them?

The best way to stop Windows 7, 8 and 10 from doing this monitoring is to block a few recent updates.

Rather than installing these updates on Windows 10, 8 and 7, you can opt out of them.

However, if the updates have already been installed on the system, you can remove them completely, and they will not be reinstalled automatically without your permission.

Go to Control Panel > View installed updates > remove all four updates.

If you want to remove these updates more quickly, just open CMD as Administrator and run the following commands:

CODE

wusa /uninstall /kb:3068708 /quiet /norestart
wusa /uninstall /kb:3022345 /quiet /norestart
wusa /uninstall /kb:3075249 /quiet /norestart
wusa /uninstall /kb:3080149 /quiet /norestart


Once that is done, if the updates show up again you can choose the "Hide update" option to make sure they are not reinstalled when you restart the system.
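Added example (not from The Hackers News post or this blog): a PowerShell script that performs the removal above from an elevated prompt. It uninstalls whichever of the four KBs is present with the same wusa command, hides them through the Windows Update Agent COM API so Windows Update does not offer them again, and checks that the DiagTrack service (assumed here to be the service name behind the Diagnostics and Telemetry tracking service) is gone.

```powershell
# Added example, not the original post's code. Run from an elevated PowerShell prompt.
$kbs   = @('3068708', '3022345', '3075249', '3080149')   # KB numbers named in the post
$kbIds = $kbs | ForEach-Object { "KB$_" }

# 1. Uninstall whichever of the four is actually installed, using the post's wusa command
$installed = Get-HotFix | Where-Object { $kbIds -contains $_.HotFixID }
foreach ($hf in $installed) {
    $kb = $hf.HotFixID -replace '^KB', ''
    Write-Host "Removing $($hf.HotFixID) (installed $($hf.InstalledOn))"
    $p = Start-Process -FilePath 'wusa.exe' `
            -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait -PassThru
    Write-Host "  wusa exit code: $($p.ExitCode)"   # 0 = removed, 3010 = removed, reboot needed
}

# 2. Hide the updates via the Windows Update Agent COM API so they are not re-offered
try {
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software'").Updates
    foreach ($u in $pending) {
        foreach ($id in $u.KBArticleIDs) {
            if (($kbs -contains $id) -and -not $u.IsHidden) {
                $u.IsHidden = $true
                Write-Host "Hidden: KB$id - $($u.Title)"
            }
        }
    }
} catch {
    Write-Warning "Windows Update search failed (offline?): $($_.Exception.Message)"
}

# 3. Verify. Get-HotFix may only reflect the removal after the pending reboot.
$left = Get-HotFix | Where-Object { $kbIds -contains $_.HotFixID }
if ($left) { Write-Warning "Still installed: $($left.HotFixID -join ', ')" }
else       { Write-Host 'None of the four updates remain installed' }

# DiagTrack is the assumed service name of the Diagnostics and Telemetry tracking service
$svc = Get-Service -Name 'DiagTrack' -ErrorAction SilentlyContinue
if ($svc) { Write-Warning "DiagTrack service still present (status: $($svc.Status))" }
else      { Write-Host 'DiagTrack service not present' }
```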

Source: The Hackers News | Translated by Offensive Sec

Offensive Sec


Sunday, August 30, 2015

Microsoft – Windows 10 traffic analysis – which servers it sends your information to



The first traffic analysis of Windows 10: which services of Microsoft's new system send information, and where those services are sending it!

Windows 10 behaves more like a terminal than an operating system – because of the extent of the "cloud" integration, a large part of the operating system's functions are almost dependent on remote (Microsoft) servers. The amount of information collected, even with strict privacy settings, is quite alarming.

The information transmitted


All text typed on the keyboard is stored in temporary files and sent (once every 30 minutes) to:

oca.telemetry.microsoft.com.nsatc.net
pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com

There is no clear purpose for this, given that there is no autocorrect/prediction anywhere in the OS (there is autocorrect in certain text fields, but the supposed purpose of transmitting these keystrokes is to improve autocorrect across devices. Whether a full keylog is needed for that, as opposed to just the corrections, is questionable. Also, this seems to happen even if the user is not signed in to a Microsoft account, eliminating the "across devices" benefit. Perhaps there is a global autocorrect dictionary that benefits all users, but the privacy implications of an always-on keylogger that cannot be disabled outweigh those potential benefits.)

The implications of this are significant: because this is a keylogger at the operating system level, all the data you are trying to transmit securely is now sitting on some MS server. That includes passwords and encrypted chats. It also includes the on-screen keyboard, so there is no way to authenticate to a website without MS also receiving your password.

Telemetry sends information once every 5 minutes, to:

vortex.data.microsoft.com
vortex-win.data.microsoft.com
telecommand.telemetry.microsoft.com
telecommand.telemetry.microsoft.com.nsatc.net
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
sqm.telemetry.microsoft.com
sqm.telemetry.microsoft.com.nsatc.net

You might think "telemetry" is about OS usage or the like... it turns out to be telemetry about the user. For example, typing a phone number anywhere in the Edge browser transmits it to the servers above.

In another example, typing the name of any popular movie into the local file search starts a telemetry process that indexes all the media files on your computer and transmits them to:

df.telemetry.microsoft.com
reports.wes.df.telemetry.microsoft.com
cs1.wpc.v0cdn.net
vortex-sandbox.data.microsoft.com
pre.footprintpredict.com

It is hard to imagine any purpose for this other than the obvious anti-piracy motives.

Reason: the Windows 10 terms of use allow Microsoft to monitor your hard drives for counterfeit (or pirated) software and hardware and send that information to third parties – such as MarkMonitor, a company that makes money reporting piracy to manufacturers in general. Wow! Scanning your disk and sending data to whoever pays Microsoft for it? The NSA has found THE BEST ally!

This measure may even seem positive at first (I neither accept nor recommend pirated software), but the issue here is the scanning of YOUR disk for profit – a total invasion of YOUR privacy, since nothing in this process guarantees that your files (data, not programs!) are not also "scanned".

When a webcam is first enabled, ~35MB of data is immediately transmitted to:

oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
vortex-sandbox.data.microsoft.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
Everything said into an enabled microphone is immediately transmitted to:
oca.telemetry.microsoft.com
oca.telemetry.microsoft.com.nsatc.net
vortex-sandbox.data.microsoft.com
pre.footprintpredict.com
i1.services.social.microsoft.com
i1.services.social.microsoft.com.nsatc.net
telemetry.appex.bing.net
telemetry.urs.microsoft.com
cs1.wpc.v0cdn.net
statsfe1.ws.microsoft.com

If that were not bad enough, this behaviour still occurs after Cortana is fully disabled/uninstalled. It is speculated that the purpose of this is to build a huge voice database, then tie those voices to identities, and eventually be able to identify anyone by their voice, whether it comes from a microphone in a public place or a wiretap on a public phone.

Interestingly, if Cortana is enabled, the voice is first transcribed to text, and then the transcription is sent to:

pre.footprintpredict.com
reports.wes.df.telemetry.microsoft.com
df.telemetry.microsoft.com

If Windows is not used for ~15 minutes, a large volume of traffic starts being transmitted to several servers. This may be raw audio data rather than just samples.

Additional concerns

While the initial reflex may be to block all the servers above via HOSTS, it appears this will not work: Microsoft has taken care to hard-code certain IPs, which means there is no DNS lookup and no HOSTS query.

How to block the hosts Microsoft sends personal information to:

Open Notepad as Administrator...

In Notepad, open the file "c:\windows\system32\drivers\etc\hosts"

You should edit your Hosts file like this:


However, when the servers above are blocked via HOSTS, Windows 10 will act as if it were impaired, continually writing errors to the system event logs reporting that it could not connect to the servers. Apart from the increase in errors, blocking these addresses in our HOSTS file did not affect the volume, frequency or rate of the data being transmitted.
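Added example (not from the original post): a PowerShell script that makes the HOSTS edit described above for the server names listed in this post, with a backup and without duplicating entries, then resolves each name to confirm the override took effect. It only shows that name lookups are blocked; as the post notes, connections made to hard-coded IPs never consult HOSTS, so this check cannot prove the traffic stopped.

```powershell
# Added example, not the original post's code. Run from an elevated PowerShell prompt.
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
$domains = @(                                   # server names listed in this post
    'oca.telemetry.microsoft.com', 'oca.telemetry.microsoft.com.nsatc.net',
    'pre.footprintpredict.com', 'reports.wes.df.telemetry.microsoft.com',
    'vortex.data.microsoft.com', 'vortex-win.data.microsoft.com',
    'telecommand.telemetry.microsoft.com', 'telecommand.telemetry.microsoft.com.nsatc.net',
    'sqm.telemetry.microsoft.com', 'sqm.telemetry.microsoft.com.nsatc.net',
    'df.telemetry.microsoft.com', 'cs1.wpc.v0cdn.net', 'vortex-sandbox.data.microsoft.com',
    'i1.services.social.microsoft.com', 'i1.services.social.microsoft.com.nsatc.net',
    'telemetry.appex.bing.net', 'telemetry.urs.microsoft.com', 'statsfe1.ws.microsoft.com'
)

Copy-Item -Path $hostsPath -Destination "$hostsPath.bak" -Force   # keep a backup first
$existing = Get-Content -Path $hostsPath
$added = 0
foreach ($d in $domains) {
    # skip names that already have an entry (any address) so reruns do not duplicate lines
    $pattern = '^\s*\S+\s+' + [regex]::Escape($d) + '(\s|$)'
    if ($existing -match $pattern) { continue }
    Add-Content -Path $hostsPath -Value "0.0.0.0 $d"
    $added++
}
Write-Host "Added $added entries to $hostsPath"
Clear-DnsClientCache                            # flush the resolver cache so the edit applies

# Verification: a HOSTS override answers 0.0.0.0. This proves only that name lookups are
# blocked; traffic sent to hard-coded IPs (as the post describes) never consults HOSTS.
foreach ($d in $domains) {
    $a = (Resolve-DnsName -Name $d -Type A -ErrorAction SilentlyContinue).IPAddress
    $status = if ($a -contains '0.0.0.0') { 'blocked in HOSTS' } else { 'NOT blocked' }
    Write-Host ('{0,-50} {1}' -f $d, $status)
}
```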



Note: I will update this post as new findings are discovered.


Offensive Sec

Copyright © Offensive Sec Blog | Powered by OffensiveSec