In today's "disclaimers that mean nothing"
-
munin@infosec.exchange replied to munin@infosec.exchange:
It's kind of an insult to all our intelligence to put that kind of a disclaimer on a code release.
It runs locally. They control no part of that execution. The code has been released. Any 'checks' will be reverse engineered and removed within ...well, definitely by now.
-
munin@infosec.exchange replied to munin@infosec.exchange:
And not to put too fine a point on it, but they -demonstrate- malign usage of it in their little example gif.
-
munin@infosec.exchange replied to munin@infosec.exchange:
This was always obviously going to happen given this tech, but I'm disappointed that they would be so callow as to pretense their shit with so banal and -clearly- bullshit disclaimer as that.
Fuckheads.
-
munin@infosec.exchange replied to munin@infosec.exchange:
You're gonna do this shit, fucking own it.
"Yes, we released the software that now means authoritative, trustworthy looking men in suits claiming to be federal agents will be scamming your grandma over video chat."
-
munin@infosec.exchange replied to munin@infosec.exchange:
So yeah. There is no ethical way to release this tool; its very nature makes unethical usage entirely natural; congratulations for turning us into an even lower trust society you utter fuckheads.
Eat shit.
-
munin@infosec.exchange replied to munin@infosec.exchange:
To be clear, the attack method I worked out within literal seconds of seeing the repo:
Grab an FBI agent's picture off of linkedin and use that to make any of the myriad "you're in trouble with the cops" scams immediately Real.
-
munin@infosec.exchange replied to munin@infosec.exchange:
If someone learns opsec about this, move on to some other agency, or some other layer of police, or some other country's police - the "your nephew's in trouble overseas" scams would benefit from this big time.
-
munin@infosec.exchange replied to munin@infosec.exchange:
The effective countermeasure here is to only trust communications over a prenegotiated secure channel, and to maintain recognition phrases if you need to validate identity over some other channel.
-
munin@infosec.exchange replied to munin@infosec.exchange:
which, fuck, now I have to fucking come up with a schema for -that- shit for my loved ones.
-
munin@infosec.exchange replied to munin@infosec.exchange:
fucking .....counterespionage fucking bullshit
-
munin@infosec.exchange replied to munin@infosec.exchange:
can't be a static kba; those got deprecated years ago for a reason
-
munin@infosec.exchange replied to munin@infosec.exchange:
.....might be able to do a simplified Diffie-Hellman with the major arcana; that's only mod 21 so it should be doable mentally
-
munin@infosec.exchange replied to munin@infosec.exchange:
OK so:
your polycule has a keyserver; the keyserver generates one of the major arcana (a value from 0 to 21) every day.
every member of your polycule has one of the major arcana assigned to them randomly as a key (a value from 0 to 21)
when you meet over a channel that needs authentication, draw a random major arcana (choose a random value from 0 to 21) and use that value to challenge the other person.
They will take that value, add the polycule daily value and your secret value, and then return the answer mod 21 encoded as a tarot card. You can then verify they know your card value, and they can auth you in the same way.
-
munin@infosec.exchange replied to munin@infosec.exchange:
It suffers from a very small keyspace so if you have a particularly large polycule you'll have to find some other way to do this, but it's doable inside your head without needing extraneous equipment.
-
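The tarot challenge-response scheme sketched two posts up, together with its keyspace caveat, written out as an added Python example (not code from the thread). It assumes the major arcana are indexed 0 (Fool) to 21 (World), which is 22 cards, so it reduces mod 22 rather than the mod 21 the post mentions; the card list and the key values are constructed for the example. The last function is the check a practitioner would want: what a single observed exchange reveals about the personal key.

```python
import secrets

# Constructed lookup: the 22 major arcana, index 0 (Fool) through 21 (World).
MAJOR_ARCANA = [
    "Fool", "Magician", "High Priestess", "Empress", "Emperor", "Hierophant",
    "Lovers", "Chariot", "Strength", "Hermit", "Wheel of Fortune", "Justice",
    "Hanged Man", "Death", "Temperance", "Devil", "Tower", "Star", "Moon",
    "Sun", "Judgement", "World",
]
# Assumption: values 0..21 inclusive are 22 cards, so arithmetic is mod 22.
MODULUS = len(MAJOR_ARCANA)


def draw_card() -> int:
    """Random card index. secrets, not random, so daily keys, personal keys and
    challenges are unpredictable to anyone watching."""
    return secrets.randbelow(MODULUS)


def respond(challenge: int, daily: int, secret: int) -> int:
    """Prover's answer as described in the post: challenge + daily + secret, reduced."""
    return (challenge + daily + secret) % MODULUS


def verify(challenge: int, response: int, daily: int, expected_secret: int) -> bool:
    """Verifier recomputes the answer with the key they believe the prover holds."""
    return response == respond(challenge, daily, expected_secret)


def card_name(value: int) -> str:
    return MAJOR_ARCANA[value % MODULUS]


def authenticate(daily: int, prover_secret: int, verifier_belief: int) -> tuple[str, str, bool]:
    """One direction of the ritual: verifier draws a challenge card, prover answers
    with a card, verifier checks it. Run it twice (swapping roles) for mutual auth."""
    challenge = draw_card()
    response = respond(challenge, daily, prover_secret)
    ok = verify(challenge, response, daily, verifier_belief)
    return card_name(challenge), card_name(response), ok


def secret_from_one_exchange(challenge: int, response: int, daily: int) -> int:
    """Caveat beyond the small keyspace: the relation is linear, so one observed
    challenge/response pair plus the daily card gives the personal key exactly.
    Without the daily card an observer still learns (secret + daily) mod 22, which
    answers every other challenge that day. This is why the thread's own advice of
    a prenegotiated secure channel matters more than the card arithmetic."""
    return (response - challenge - daily) % MODULUS
```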
munin@infosec.exchange replied to munin@infosec.exchange:
On the plus side you sound like a wizard doing an arcane ritual, so that's just stylish.
And it's pretty easy to carry around the random challenge generator.
-
munin@infosec.exchange replied to munin@infosec.exchange:
If you want to encode the -whole- deck and do mod 72 more power to you but that's gonna be really fucking annoying
-
munin@infosec.exchange replied to munin@infosec.exchange:
my partner said "you're describing Diffie-Hellman, aren't you?" when I pitched this to them, lol
-
munin@infosec.exchange replied to munin@infosec.exchange:
Make sure to hold regular seances with your polycule to manage key rotation.
-
foone@digipres.club replied to munin@infosec.exchange:
@munin what if part of my polycule is allergic to cards?