Re: news from my hacked box

2020-04-10 Thread Rudolf Leitgeb
> Yes could be, he has a "social engineering" approach to people. He places
> people and himself on the same level as machines. Then he searches for
> vulnerabilities in persons. He makes extensive use of corruption to take
> advantage in his personal war. From this point of view a vpn provider could
> also be very vulnerable because, as many people know, vpn providers are not
> big rich companies.

You would use a VPN to escape the claws of your own government, but not the
claws of some corrupt individual in your country. Therefore I see no reason why
you would use a VPN, and the software required to use it would just increase
your attack surface.

> About authorities, that would be my next step when I find proof of what I'm
> saying. Because, as you saw, the first thing they will think is "this guy is
> paranoid".

That's the great benefit of virtual machines with snapshotting: unless the
"evil hackers" can not only control your running system, but can also break
through the boundaries set by your virtual machine, you have reasonable ways to
collect evidence. Just create snapshots whenever your system feels strange, and
you can inspect these snapshots at a later, more convenient moment. You can also
perform comparisons between snapshots.

> Yes, I thought of trying to use a vm on linux, but you know the linux kernel
> is a hole with some code around it.

Yes, they say all kinds of nasty stuff about linux, but overall it works well,
and the vast majority of public facing servers run linux.

Your best bet will probably be some kind of variety of systems: linux, windows,
freebsd, maybe throw some openbsd into the pool. If "evil hackers" have to check
your system first, and probably throw some non-working exploits at it before
breaking through, then you have a good chance of catching them in the act. Make
your setup as unpredictable as you can, and "they" will leave undeniable traces.

Once you have these traces, you can probably learn more about the hacker's
methods and develop a strategy to get rid of them for good.

PS: It would probably attract more helpful talent here if people had reason to
assume that your efforts serve some common goal and are not some private quest
for free security consulting. Care to share why you think your computers are
under attack?
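Rudolf's suggestion of comparing snapshots, and Cord's later point that "secure" also means checking the integrity of what is installed, come down to a baseline-and-diff integrity check. The following is an added example and not code from anyone in the thread: it hashes every file under a directory tree, stores the baseline as JSON, and reports what was added, removed or changed; the sample tree and the "tampering" are constructed inline, and pointing it at a mounted VM snapshot or a live root is left to the reader.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def hash_file(path, chunk_size=1 << 16):
    """SHA-256 of a file's contents, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(root):
    """Record hash, size, mode and ownership of every file under root.

    Symlinks are recorded by target rather than followed, so a link repointed
    at another file shows up as a change.  Paths are relative to root so a
    baseline taken from a mounted snapshot compares cleanly with a live tree.
    """
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()  # deterministic walk order
        for name in filenames:
            path = Path(dirpath) / name
            st = os.lstat(path)
            rel = path.relative_to(root).as_posix()
            record = {
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
            if stat.S_ISLNK(st.st_mode):
                record.update(type="symlink", target=os.readlink(path))
            elif stat.S_ISREG(st.st_mode):
                record.update(type="file", size=st.st_size, sha256=hash_file(path))
            else:
                record.update(type="other")
            entries[rel] = record
    return entries


def save_baseline(entries, out_path):
    """Persist a baseline; keep this file off the machine it describes."""
    with open(out_path, "w") as fh:
        json.dump(entries, fh, indent=2, sort_keys=True)


def load_baseline(in_path):
    with open(in_path) as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return paths added, removed, or whose recorded attributes differ.

    For changed paths the value is {attribute: (old, new)} so the report says
    what moved (content hash, size, mode, owner, link target), not just that
    something did.
    """
    old, new = set(baseline), set(current)
    changed = {
        rel: {
            key: (baseline[rel].get(key), current[rel].get(key))
            for key in set(baseline[rel]) | set(current[rel])
            if baseline[rel].get(key) != current[rel].get(key)
        }
        for rel in old & new
        if baseline[rel] != current[rel]
    }
    return {"added": sorted(new - old), "removed": sorted(old - new), "changed": changed}


def demo():
    """Constructed example: a tiny tree, a baseline, then a tampered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        (root / "bin").mkdir(parents=True)
        (root / "bin" / "ls").write_bytes(b"original ls binary")
        (root / "etc").mkdir()
        (root / "etc" / "rc.conf").write_text("sshd_flags=NO\n")
        save_baseline(snapshot(root), Path(tmp) / "baseline.json")

        # Simulated tampering: one binary replaced, one file added, one removed.
        (root / "bin" / "ls").write_bytes(b"original ls binary with extra code")
        (root / "bin" / "unexpected").write_bytes(b"not in the baseline")
        (root / "etc" / "rc.conf").unlink()

        report = compare(load_baseline(Path(tmp) / "baseline.json"), snapshot(root))
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Taking the baseline from a snapshot known to be clean, and storing it somewhere the running system cannot reach, is what makes the later diff worth anything.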



Re: news from my hacked box

2020-04-09 Thread Cord


> > change target. Then a victim that describes a situation outside of this
> > schema will most probably be classified as paranoid or a troll.
>
> Do you have reason to believe that this evil person has control over your
> hardware deliveries? Do you have some procurement process in place which
> guarantees that this person can not intercept and compromise such a shipment?
> To which extent would you trust authorities to protect you?
>
>

Yes could be, he has a "social engineering" approach to people. He places people
and himself on the same level as machines. Then he searches for vulnerabilities in
persons. He makes extensive use of corruption to take advantage in his personal
war. From this point of view a vpn provider could also be very vulnerable because,
as many people know, vpn providers are not big rich companies. Also often they
operate in a grey area where users are hackers, p2p downloaders and so on. Then if
someone offers them something like $5000 to log the traffic of someone, most
probably they accept. From this point of view "security" is a word with a really
wide meaning.
And in addition to this he uses the typical techniques of social engineering to
manipulate people. I use the word "he" but it's clear that it is an organization.
But now we are off topic.
About authorities, that would be my next step when I find proof of what I'm
saying. Because, as you saw, the first thing they will think is "this guy is
paranoid".
Or they'll tell me: "of course! you have to clean cookies and cache on your edge!"


> Once this is done: what is your attack surface? What are the applications
> facing the big bad internet?

I don't have a server, I just use chrome+unveil, ping, sometimes speedtest-cli.
I think I can exclude all the usb devices as an infection medium. I don't know if
the dhclient could have some bug... what remains is the vpn decryption with aes256
and a 4096 key, and decrypting https. I also tried, without success, wireguard as
vpn software with chacha20 as algorithm, which some say is more robust/fast than
aes256gcm. I think we can exclude decrypting openvpn/wireguard but I'm not so
skilled to be sure.
What remains is also something installed in some chip with the firmware.
And yes, of course I run openvpn as root.


> Do you have to run public facing services? Is there a way to restrict the
> level of "public"? Do you have to run applications which connect to random
> servers on the internet? Have you thought about running these in a virtual
> machine with snapshotting enabled, which allows you to return to a known safe
> state?

Yes, I thought of trying to use a vm on linux, but you know the linux kernel is a
hole with some code around it.
As far as I know the openbsd vmm doesn't support graphics, isn't it?




Re: news from my hacked box

2020-04-08 Thread Rudolf Leitgeb
> yes exactly, I know who is the attacker and he has really great resources and
> power. Most probably he is responsible for the death of a guy in my country.
> Many people have preconceived ideas about security and about the attackers.
> Many people think that a hacker is pushed by money or some kind of interest and
> attacks just people that he doesn't know. If the attacker fails with a target
> he just changes target. Then a victim that describes a situation outside of
> this schema will most probably be classified as paranoid or a troll.

Do you have reason to believe that this evil person has control over your
hardware deliveries? Do you have some procurement process in place which
guarantees that this person can not intercept and compromise such a shipment?
To which extent would you trust authorities to protect you?

Once this is done: what is your attack surface? What are the applications facing
the big bad internet? Do you have to run public facing services? Is there a way
to restrict the level of "public"? Do you have to run applications which connect
to random servers on the internet? Have you thought about running these in a
virtual machine with snapshotting enabled, which allows you to return to a known
safe state?



Re: news from my hacked box

2020-04-08 Thread Cord


> "Cord" claims, that people with great resources are out there to get his boxes
> hacked. Obviously I can not verify his claim.
>
yes exactly, I know who is the attacker and he has really great resources and
power. Most probably he is responsible for the death of a guy in my country.
Many people have preconceived ideas about security and about the attackers.
Many people think that a hacker is pushed by money or some kind of interest and
attacks just people that he doesn't know. If the attacker fails with a target he
just changes target. Then a victim that describes a situation outside of this
schema will most probably be classified as paranoid or a troll.
But the truth is pretty different, an attacker could be anyone that has enough
resources and can be pushed by many reasons, hate, jealousy or other. The
attacker could be someone that doesn't know anything about security but has
enough money to pay someone. The complexity of the attack depends on how much
money he has and on the target.







Re: news from my hacked box

2020-04-08 Thread Cord
> security, like OpenBSD works on. Anyone that says anything can be hacked
> without qualification, loses any respect from me, at least for that moment.
> Even browsers

"qualification" is a very relative word... there are perfect unknowns around the
internet that are highly qualified guys.

>
> To the OP. I apologise if you are not but to me I thought you are/were a
> Troll. If not then I would consider what you posted from the point of view of
> a Vulcan.

Someone should consider the idea of creating a pattern to recognize a troll.
And I don't understand why you say that my post looks like it's from Vulcan..
also what the NSA has done looks like it comes from Vulcan but certainly it's
true.

> Did you even consider pxeboot as a vector, if installing from a cafe? HW bios
> defaults are often atrocious, unlike OpenBSD defaults!

I'm very skeptical about pxe because it is disabled in my bios and also the
attacker couldn't predict the cafe where I'd go. I chose the cafe randomly in a
big city.

> p.s. A web browser that is rarely exploitable is perfectly possible. It would
> require some breaking re-design and likely removal if not severe limitations 
> on
> js, for a start though. I'm guessing wasm will not go the right way to fix js.
> Perhaps infosec could chime in on improving wasm but then they would be hurting
> their own income streams!! Annoying!

Now I'm running an iso from a usb stick and it seems ok but the thing I miss
most on openbsd is tools or documentation for forensic analysis. For example now
I could mount the disk and do some checking on the kernel, whether there is
something that should not be there, or an "alien" (from Vulcan) kernel module
installed. I think some driver to dump the ram and analyze it with tools like
volatility would also be very useful.
It seems that something is moving for freebsd:
https://github.com/volatilityfoundation/volatility/blob/freebsd_support/FreeBSD-Support-README.md
I think this depends on the idea that openbsd is absolutely secure and it's like
a peripheral firewall that defends only the perimeter of a net. Then because
openbsd is unbeatable there aren't any forensic instruments. My idea is that
secure means also checking the integrity of what is installed.





Re: news from my hacked box

2020-04-08 Thread Kevin Chadwick
On 2020-04-08 18:02, Rudolf Leitgeb wrote:
> A public facing server with ftp, http, smtp and sshd would have had to be
> patched in regular intervals to remain reasonably secure.

False, even though you have lowered the bar from "anything/everything is
hackable".

httpd and libressl have done quite well despite talking over http to anyone and
dealing with crappy interfaces like ASN.1 for TLS.

You missed the point. If your interface requires authentication first, like ssh
then that is good, it has a good record.

If your interface requires auth in a simple format and is a very simple
interface after that fact. Then you will find examples of devices and services
that have never been hacked, even without the layers of defence of sshd, though
you are free to have some of them!

Ergo the mantra of anything is hackable is bullshit, largely spread by pen
testers and fuzzers. There isn't much to fuzz when auth of a simple key is
required up front.

Most hacks occur by inside users not remote and that is a whole other matter but
that does not mean that anything is hackable. "everything is hackable" is FUD



Re: news from my hacked box

2020-04-08 Thread Rudolf Leitgeb
> OpenSMTPD does not listen to the internet, by default and even if you do set
> it to, it only affected certain configurations.

A server, which does not listen to the outside is pretty useless, don't
you think? I did not bring up opensmtp, because it is particularly bad,
quite to the contrary: even in very hardened systems bugs happen. You can
patch these bugs and have a reasonably secure system, but it's an ongoing
effort, not something you do just once.

> How the heck sshd has such a good security record, considering all that it
> does, interface wise, is rather astounding. I guess a remotely critical bug
> may be found there one day, but it does not affect my point!

sshd has a good security record on openbsd, but even with sshd there were
problems on other platforms, not caused by the core sshd or the openbsd team,
but nonetheless a real issue.

Closely related to openssh was openssl, which had a gaping hole that became
known just a few years ago. I was not so much shocked about the fact, that
there was a security hole in openssl, but how really stupid and unnecessary
this whole issue was, what a stupid feature actually caused this bug to be
deployed on so many platforms.


Again, this is nothing specific to OpenBSD, but let's not delude ourselves
that one can roll out some server and leave it as it is for years to come.


> If your project, like most could; has made sane design choices for simple
> interfaces then it certainly can be made very secure, remotely unhackable is
> easier than you think for a modest project.

A public facing server with ftp, http, smtp and sshd would have had to be patched
in regular intervals to remain reasonably secure. Add a content management
service to this configuration, and these "regular intervals" turn into very
frequent occurrences. This is valid for low profile stuff, though. If you are
something high profile, like a bank, it's a constant and ongoing effort to deal
with hackers of all flavors.

Cheers,

Rudi



Re: news from my hacked box

2020-04-08 Thread Kevin Chadwick
On 2020-04-08 12:08, Rudolf Leitgeb wrote:
>> I believe that is false too.
> You're kidding, yes? Did you somehow miss the opensmtp hole?
> 
> https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/

OpenSMTPD does not listen to the internet, by default and even if you do set it
to, it only affected certain configurations.

Is it hard to write a secure mail server? Sure. Look at Exim's bugs.

If your project, like most could, has made sane design choices for simple
interfaces then it certainly can be made very secure; remotely unhackable is
easier than you think for a modest project. You cannot take the easy road
though.

How the heck sshd has such a good security record, considering all that it
does, interface wise, is rather astounding. I guess a remotely critical bug may
be found there one day, but it does not affect my point!



Re: news from my hacked box

2020-04-08 Thread Rudolf Leitgeb
> True if you consider physical attacks and for most hardware, otherwise mostly
> false. Anything can be hacked is also one of my biggest annoyances as a mantra
> from "infosec", that gets more money than it deserves in comparison to real
> security, like OpenBSD works on.

We know from Snowden, that supply chain attacks are a common thing. If someone
can modify the hardware sent to certain people on your list, then operating
system security is no longer the most pressing concern.

"Cord" claims, that people with great resources are out there to get his boxes
hacked. Obviously I can not verify his claim.

And I stand by my statement: ordering a computer and setting it up with a secure
operating system is insufficient to maintain control over your server.

I do concur with your assessment that 99% of concerned people are way too
unimportant to attract any government attacks. These 99% certainly include me.
Attacking a server always comes with a risk of discovery, therefore I do not
believe, that these agencies conduct mass hacks of random servers.

> > Even OpenBSD had a remote root hole just a few weeks ago.

> I believe that is false too.

You're kidding, yes? Did you somehow miss the opensmtp hole?

https://poolp.org/posts/2020-01-30/opensmtpd-advisory-dissected/

Cheers,

Rudi




Re: news from my hacked box

2020-04-08 Thread Kevin Chadwick
On 2020-04-07 18:21, Rudolf Leitgeb wrote:
> You have no chance defending your desktop against each and every attacker, no
> matter which operating system you have running.

True if you consider physical attacks and for most hardware, otherwise mostly
false. Anything can be hacked is also one of my biggest annoyances as a mantra
from "infosec", that gets more money than it deserves in comparison to real
security, like OpenBSD works on. Anyone that says anything can be hacked without
qualification, loses any respect from me, at least for that moment. Even browsers
take some skill/time to hack and a modern browser is akin to putting the Death
Star exhaust port in the hangar of a Mon Calamari Cruiser.

> Even OpenBSD had a remote root hole just a few weeks ago.

I believe that is false too.

To the OP. I apologise if you are not but to me I thought you are/were a Troll.
If not then I would consider what you posted from the point of view of a Vulcan.

Did you even consider pxeboot as a vector, if installing from a cafe? HW bios
defaults are often atrocious, unlike OpenBSD defaults!

p.s. A web browser that is rarely exploitable is perfectly possible. It would
require some breaking re-design and likely removal if not severe limitations on
js, for a start though. I'm guessing wasm will not go the right way to fix js.
Perhaps infosec could chime in on improving wasm but then they would be hurting
their own income streams!! Annoying!



Re: news from my hacked box

2020-04-07 Thread Rudolf Leitgeb
> I understand you perfectly but there are some points I want to highlight:
> Then there is a huge number of hacked sites and hacked desktops out there.
> Many people don't know that their pc or phone is not under their control
> anymore. The new frontier of hacking is espionage. Nobody wants to be
> discovered.

Hacking for espionage is not exactly a new trend.

> 2) Sometimes the old schema to pull out evidence of hacking is not valid
> anymore. For example if you are Edward Snowden all those little and subjective
> things that are not important for a common person become very important
> because the context is very different.

You have no chance defending your desktop against each and every attacker, no
matter which operating system you have running. Even OpenBSD had a remote root
hole just a few weeks ago. Even if your operating system is impeccable, the code
running on your motherboard and your network card is probably anything but. It's
no wonder that professional services still rely on air gaps to protect their
most valuable assets against compromise.

Note: professional crypto services deploy their algos on dedicated hardware, not
on random personal computer systems. Low security means that stuff runs on an
FPGA; high security stuff runs on discrete logic.

Going to a professional crypto outfit still doesn't buy you much, if that crypto
outfit turns out to be owned and controlled by a government agency.

To make a long story short: there is no such thing as a system which is secure
out of the box. If you think that your system is actively exploited, revert it
back to a known, secure state, wait for the exploit to hit you again, and have a
network sniffer ready to figure out how the exploit works.

PS: Since you referred to Edward Snowden: the exploits published by him and
later by wikileaks were not really breathtakingly innovative. Do not expect to
find a completely new attack procedure in your investigation, whatever turns up.

PPS: Like others, I have seen quite a few computer systems with "evil viruses"
that turned out to have faulty memory or a failing hard disk. I expect you ran a
complete offline check of your hardware before you started suspecting foul play.
Yes?



Re: news from my hacked box

2020-04-05 Thread Cord


>
> "Theo de Raadt" dera...@openbsd.org wrote:
>
> > Cord openbs...@protonmail.com wrote:
> >
> > > You are free to believe or not to believe, but you are not free to insult me.
> > > Is that clear ?
> >
> > Or what.. you'll throw your tinfoil hat at them?
>
> Haven't you yet been diagnosed w/ ODD? :)
>
> Cord: you're prolly being overly paranoid, and your assertions are
> somewhat vague. Many people here have trouble dealing w/ that, me
> included. Thus: please excuse us if we cannot give you the answers
> you seek. What me can say is that some of the problems you
> identified are a natural consequence of the unreliability of IP.
>

I understand you perfectly but there are some points I want to highlight:
1) the old times of web defacement or hackers that want to show the insecurity
of software or websites are past. Today the vast majority of the hacking world is
submerged. Nobody wants to leave traces or leave evidence.
Then there is a huge number of hacked sites and hacked desktops out there. Many
people don't know that their pc or phone is not under their control anymore.
The new frontier of hacking is espionage. Nobody wants to be discovered.

2) Sometimes the old schema to pull out evidence of hacking is not valid anymore.
For example if you are Edward Snowden all those little and subjective things
that are not important for a common person become very important because the
context is very different.
If you are an important entrepreneur and you see that the projects you're
working on and that are in your pc now are exactly the same that your competitor
is producing, then you become very suspicious. If this happens many times you're
absolutely sure that your projects have been exfiltrated from your pc. BUT THERE
IS NO EVIDENCE. And for privacy reasons you don't want to explain yourself and
you become vague. Of course those are just examples. Now, in my opinion, because
you (not you, but whoever replies to emails like mine) don't know who I am and
you can't contextualize, the best choice you have is just to reply the best way
you can. Without judgement. If you don't know, you don't reply.

3) Today security is a huge business, times have changed. If someone finds a
remote kernel bug in openbsd what does he do? Does he write a message to
dera...@openbsd.org or run away to sell it on the dark web for $50,000? If
someone finds a remote bug in the linux kernel, does he send an email to the
full disclosure mailing list or sell it to some government espionage agency?
Times have changed, many bugs are still there, you don't know, and many people
have huge interests in it not being discovered.
The same concept is valid also for new attack vectors, new exploiting techniques,
new hiding technology, new code manipulation and so on. Money and power mean do
not disclose, keep it secret.


> No reason to be a jerk, though.
>

Without a doubt

> HTH,
>




Re: news from my hacked box

2020-04-05 Thread Cord



> Cord openbs...@protonmail.com wrote:
>
> > You are free to believe or not to believe, but you are not free to insult me.
> > Is that clear ?
>
> Or what.. you'll throw your tinfoil hat at them?

of course, my hat is deadly!



Re: news from my hacked box

2020-04-05 Thread Cord
> > I found something that in my opinion are nearly evidences.
>
> What exactly are trying to prove here?
>
> > For those who doesn't know my story please read past messages:
> > https://marc.info/?a=15535526152=1=2
>
> I think I know you from before. You're the guy claiming to be hacked
> over and over again, right?
>

I'm the guy you find at the link, I'm not another guy. I use only this email for
the openbsd misc ml.


> > Well, as I said previously my laptop had been hacked, then I bought a new
> > laptop because my suspicion is that the uefi or other firmware had been
> > hacked (I reinstalled openbsd various
> > iwm0 with vpn download: 0,46 mbit/s upload: 0,55 mbit/s
> > iwm0 without vpn download: 0,50 mbit/s upload: 2,53 mbit/s
> > urtwn0 with vpn download: 20,88 mbit/s upload: 8,49 mbit/s
> > urtwn0: without vpn download: 24,83 mbit/s upload 9,27 mbit/s
>
> What exactly is strange here? Two different cards behave differently.
>

The bandwidth of 0,50 mbit is not normal. I have one router and I'm the only
user. Then either the driver is crap (I don't think so) or the card is broken (I
tried a live linux and it works well) or there is some configuration that limits
the bandwidth.

> > iwm0: round-trip min/avg/max/std-dev = 18.761/6372.615/72372.495/14987.007 ms
> > urtwn0: round-trip min/avg/max/std-dev = 24.068/36.489/878.218/48.120 ms
>
> The thing I find funny is that you insist on being spied on or somehow
> hacked, you act tin-foil paranoid to the point of changing your laptop
> because of some unexplained behavior, yet you use Speedtest.net and
> CloudFlare DNS. Are you trolling or delusional?
>

The thing I find funny is that in a world full to the brim of vulnerabilities,
the NSA that intercepts entire countries, vulnerabilities in the bios/uefi, and
rootkits (this video is five years old https://www.youtube.com/watch?v=sNYsfUNegEA
and this one is a firmware worm that infects thunderbolt devices which then
infect other laptops https://www.youtube.com/watch?v=Jsdqom01XzY), or nic
firmware rootkits (https://cryptome.org/2014/02/nic-ssh-rootkit.htm),
vulnerabilities in cpus, or in the GSM protocols
(https://www.youtube.com/watch?v=-wu_pO5Z7Pk), an openbsd developer paid to
insert a backdoor in the ipsec stack (https://lwn.net/Articles/419865/),
vendors, like apple, that pay up to $1 million for a remote kernel exploit,
governments that make cyber warfare and spy on whitehouse candidates,
encryption algorithms that have been bugged since 1995 and were removed only in
2015 (https://en.wikipedia.org/wiki/RC4#Security) and so on.. I can continue.
And you say I'm paranoid?
LOL I say you are living in some kind of fantasy world!
enjoy https://www.youtube.com/watch?v=1i8XVQ2pswg



> > As I know the traffic shaping is configured by pf with pf.conf, the
> > following is my pf.conf (I'm sorry I'm not a genius of pf):
> > ---/etc/pf.conf
> > if="urtwn0"
> > #if="iwm0"
> > block drop in on ! lo0 proto tcp to port 6000:6010
> > block drop out log proto {tcp udp} user _pbuild
> > block log quick on $if
> >
>
> Neither am I, but aren't there supposed to be some rules that pass
> traffic inbound to your interface?
>

LOL

> > Other strange things that happens on my laptop are the following:
> >
> > 1.  sometimes my openvpn (2 times on 5) fails authentication even though I
> > use a saved authentication data file and pass it the data with
> > --auth-user-pass /my/path/pass
> > Then in my opinion it's impossible that the authentication fails.
> >
>
> Not really. OpenVPN is a temperamental piece of software that doesn't
> like firewalls very much. In edge cases, it likes to fail, especially if
> you use UDP
>

I don't use UDP

> > 2.  sometimes KeePassXC fails authentication on random sites. If I copy the
> > password and paste it by hand it works.
>
> Both autotype and browser plugins are dependent on so many different
> technologies to work like they should. Like before, it's easy for things
> to go wrong in edge cases.
>

never happens in recent 10 years.

> > 3.  and of course there are people that can spy on me and modify suggested
> > videos on youtube. Please do not comment on this because I know it's very
> > subjective.
>
> Same as before. Tinfoil hat paranoia yet you still use YouTube?
>

What is tinfoil ? and what's wrong in youtube ?


> > As I said previously in my opinion there is a 0day in how the tcp/ip stack
> > is implemented in the kernel.
> > And the vulnerability can be exploited by a mitm attack from the home router.
> > Thank you Cord.
>
> And the proof is where? You are providing sparse information, impossible
> PF configuration files, and anecdotal "evidence" that can be easily
> attributed to user error. Instead of trying to explore how programs
> you're using work, you blame OpenBSD. The only thing you make evident is
> your lack of analytical approach to problem solving and ignorance of the
> mailing list rules. Where is dmesg output? What HW are you using? What
> browser? What router?
>
> Please take 

Re: news from my hacked box

2020-04-03 Thread Henri Järvinen
On Thu, Apr 02, 2020 at 10:26:36PM +0200, Kristjan Komlosi wrote:
> The thing I find funny is that you insist on being spied on or somehow
> hacked, you act tin-foil paranoid to the point of changing your laptop
> because of some unexplained behavior, yet you use Speedtest.net and
> CloudFlare DNS. Are you trolling or delusional?

Looks like a troll, and the longer he gets fed, the longer he keeps going.

-- 
Henri Järvinen



Re: news from my hacked box

2020-04-02 Thread Kristjan Komlosi



On 4/1/20 10:25 PM, Cord wrote:
> Hi,
> I found something that in my opinion are nearly evidences.
What exactly are trying to prove here?

> For those who doesn't know my story please read past messages:
> https://marc.info/?a=15535526152=1=2
I think I know you from before. You're the guy claiming to be hacked
over and over again, right?

> Well, as I said previously my laptop had been hacked, then I bought a new
> laptop because my suspicion is that the uefi or other firmware had been
> hacked (I reinstalled openbsd various times)
> The old laptop had a wifi usb dongle to connect to the wifi router.
> Now the new laptop has a wifi chip that works properly on openbsd.
> The inner IF is iwm0.
> And I discovered differences in wifi performance between the on board IF and
> the old usb dongle.
> Of course the tests were made from exactly the same physical place.
> The following are the results (I used speedtest-cli):
> iwm0 with vpn download: 0,46 mbit/s upload: 0,55 mbit/s
> iwm0 without vpn download: 0,50 mbit/s upload: 2,53 mbit/s
> urtwn0 with vpn download: 20,88 mbit/s upload: 8,49 mbit/s
> urtwn0: without vpn download: 24,83 mbit/s upload 9,27 mbit/s
What exactly is strange here? Two different cards behave differently.

> The following are the results pinging 8.8.8.8 with -c 500:
> 500 packets transmitted, 500 packets received, 0.0% packet loss
> iwm0: round-trip min/avg/max/std-dev = 18.761/6372.615/72372.495/14987.007 ms
> urtwn0: round-trip min/avg/max/std-dev = 24.068/36.489/878.218/48.120 ms
> 
The thing I find funny is that you insist on being spied on or somehow
hacked, you act tin-foil paranoid to the point of changing your laptop
because of some unexplained behavior, yet you use Speedtest.net and
CloudFlare DNS. Are you trolling or delusional?

> As I know the traffic shaping is configured by pf with pf.conf, the following
> is my pf.conf (I'm sorry I'm not a genius of pf):
> ---/etc/pf.conf
> if="urtwn0"
> #if="iwm0"
> dns="{8.8.8.8}"
> myvpn="{x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x}"
> weird="{239.255.255.250, 224.0.0.1}"
> pany="{udp, tcp}"
> set skip on tun0
> set skip on lo
> set block-policy drop
> set loginterface $if
> block quick inet6
> block quick on $if from any to $weird
> pass quick proto icmp
> pass out quick on $if proto $pany from $if to $dns
> pass out quick on $if proto udp from $if to $myvpn
> pass out quick on $if proto tcp from $if to my01-other-vpn.com
> pass out quick on $if proto tcp from $if to my02-other-vpn.com
> pass out quick on $if proto tcp from $if to my03-other-vpn.com
> block drop in on ! lo0 proto tcp to port 6000:6010
> block drop out log proto {tcp udp} user _pbuild
> block log quick on $if
> --
Neither am I, but aren't there supposed to be some rules that pass
traffic inbound to your interface?

> Other strange things that happens on my laptop are the following:
> 1) sometimes my openvpn (2 times on 5) fails authentication even though I use
> a saved authentication data file and pass it the data with --auth-user-pass
> /my/path/pass
> Then in my opinion it's impossible that the authentication fails.
Not really. OpenVPN is a temperamental piece of software that doesn't
like firewalls very much. In edge cases, it likes to fail, especially if
you use UDP.

> 2) sometimes KeePassXC fails authentication on random sites. If I copy the
> password and paste it by hand it works.
Both autotype and browser plugins are dependent on so many different
technologies to work like they should. Like before, it's easy for things
to go wrong in edge cases.

> 3) and of course there are people that can spy on me and modify suggested
> videos on youtube. Please do not comment on this because I know it's very
> subjective.
Same as before. Tinfoil hat paranoia yet you still use YouTube?

> 
> As I said previously in my opinion there is a 0day in how the tcp/ip stack is
> implemented in the kernel.
> And the vulnerability can be exploited by a mitm attack from the home router.
> Thank you Cord.

And the proof is where? You are providing sparse information, impossible
PF configuration files, and anecdotal "evidence" that can be easily
attributed to user error. Instead of trying to explore how programs
you're using work, you blame OpenBSD. The only thing you make evident is
your lack of analytical approach to problem solving and ignorance of the
mailing list rules. Where is dmesg output? What HW are you using? What
browser? What router?

Please take the list seriously or go away.
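On the question raised above of whether the ruleset needs explicit rules that pass traffic inbound: pf looks up the state table before it evaluates the ruleset, and a `pass` rule keeps state by default, so replies to the outbound connections the poster allows come back in without any `pass in` line, while anything unsolicited falls through to the final `block log quick on $if`. The following Python model, added here and not code from the thread or from OpenBSD, walks constructed packets through the posted rules to show exactly that. It implements only the pf semantics those rules use (macros, `quick`, last-match-wins, `set skip`, direction/interface/proto/address/port/user matching, stateful `pass`). The `x.x.x.x` values are replaced with RFC 5737 documentation addresses, the interface address `192.0.2.10` is an assumption standing in for what pfctl substitutes for `from $if`, and `block-policy`, `loginterface` and the three `my0N-other-vpn.com` rules are left out because they do not change any verdict shown.

```python
import re
from collections import namedtuple

# Constructed: the address pfctl substitutes for 'from $if', and RFC 5737 documentation
# addresses in place of the x.x.x.x the poster redacted.
IFACE_ADDRS = {"urtwn0": ["192.0.2.10"]}
PF_CONF = '''
if="urtwn0"
dns="{8.8.8.8}"
myvpn="{198.51.100.1, 198.51.100.2}"
weird="{239.255.255.250, 224.0.0.1}"
pany="{udp, tcp}"
set skip on tun0
set skip on lo
block quick inet6
block quick on $if from any to $weird
pass quick proto icmp
pass out quick on $if proto $pany from $if to $dns
pass out quick on $if proto udp from $if to $myvpn
block drop in on ! lo0 proto tcp to port 6000:6010
block drop out log proto {tcp udp} user _pbuild
block log quick on $if
'''
# direction is "in"/"out"; user is the owning local user when pf knows it, else None
Packet = namedtuple("Packet", "direction iface proto src dst sport dport af user",
                    defaults=(0, 0, "inet", None))
TOKEN = re.compile(r"\{[^}]*\}|\S+")             # a {..} list is a single token

def expand(tok):   # '{a, b}' or 'a' -> list; an interface name stands for its addresses
    return [a for n in re.split(r"[\s,{}]+", tok) if n for a in IFACE_ADDRS.get(n, [n])]

def parse_rule(line):
    """Parse one macro-expanded pass/block rule into a dict; a missing key means 'any'."""
    toks, i = TOKEN.findall(line), 1
    r = {"action": toks[0], "quick": False, "neg": False, "text": line}
    while i < len(toks):
        t, nxt = toks[i], toks[i + 1] if i + 1 < len(toks) else None
        if t in ("drop", "return", "log"): i += 1      # change what pf does, not what matches
        elif t == "quick": r["quick"] = True; i += 1
        elif t in ("in", "out"): r["dir"] = t; i += 1
        elif t in ("inet", "inet6"): r["af"] = t; i += 1
        elif t == "on":                                  # 'on ! lo0' negates the interface match
            r["neg"] = nxt == "!"; r["iface"] = toks[i + 1 + r["neg"]]; i += 2 + r["neg"]
        elif t == "proto": r["proto"] = expand(nxt); i += 2
        elif t in ("from", "to") and nxt != "port":
            r[t] = None if nxt == "any" else expand(nxt); i += 2
        elif t == "to": i += 1                           # bare 'to port ...': port token follows
        elif t == "port":                                # destination port, or a lo:hi range
            lo, _, hi = nxt.partition(":"); r["port"] = (int(lo), int(hi or lo)); i += 2
        elif t == "user": r["user"] = nxt; i += 2
        else: raise ValueError(f"unsupported token {t!r} in: {line}")
    return r

def matches(r, p):   # every criterion the rule states must hold; absent ones mean 'any'
    return not (("dir" in r and r["dir"] != p.direction) or ("af" in r and r["af"] != p.af)
                or ("iface" in r and (r["iface"] == p.iface) == r["neg"])
                or ("proto" in r and p.proto not in r["proto"])
                or (r.get("from") and p.src not in r["from"]) or (r.get("to") and p.dst not in r["to"])
                or ("port" in r and not r["port"][0] <= p.dport <= r["port"][1])
                or ("user" in r and r["user"] != p.user))

class ToyPf:
    def __init__(self, conf):
        self.skip, self.rules, self.states, macros = [], [], set(), {}
        for line in filter(None, (ln.split("#", 1)[0].strip() for ln in conf.splitlines())):
            line = re.sub(r"\$(\w+)", lambda mm: macros[mm[1]], line)
            if m := re.fullmatch(r'(\w+)="([^"]*)"', line): macros[m[1]] = m[2]
            elif line.startswith("set skip on"): self.skip.append(line.split()[-1])
            elif not line.startswith("set "): self.rules.append(parse_rule(line))

    def filter(self, p):
        """Return (verdict, reason) for packet p; a passed packet creates state."""
        if any(p.iface == s or p.iface.rstrip("0123456789") == s for s in self.skip):
            return "pass", f"set skip on {p.iface}"    # 'lo' is a group that contains lo0
        if (p.iface, p.proto, p.dst, p.dport, p.src, p.sport) in self.states:
            return "pass", "matches existing state"   # state lookup precedes the ruleset
        verdict, reason = "pass", "no rule matched (pf default)"
        for r in self.rules:
            if matches(r, p):
                verdict, reason = r["action"], r["text"]
                if r["quick"]: break                  # otherwise the last match wins
        if verdict == "pass":                         # pass keeps state unless told not to
            self.states.add((p.iface, p.proto, p.src, p.sport, p.dst, p.dport))
        return verdict, reason

def demo():
    """Push constructed packets through the ruleset; returns {name: (verdict, reason)}."""
    fw, me, dns = ToyPf(PF_CONF), "192.0.2.10", "8.8.8.8"
    cases = {
        "dns_out":    Packet("out", "urtwn0", "udp", me, dns, 40000, 53),   # explicit pass, creates state
        "dns_reply":  Packet("in", "urtwn0", "udp", dns, me, 53, 40000),    # let in by state, no 'pass in' rule
        "ssh_in":     Packet("in", "urtwn0", "tcp", "203.0.113.50", me, 51000, 22),   # unsolicited: catch-all block
        "https_wifi": Packet("out", "urtwn0", "tcp", me, "203.0.113.60", 51001, 443), # only DNS/VPN leave in the clear
        "https_tun":  Packet("out", "tun0", "tcp", "10.8.0.2", "203.0.113.60", 51002, 443),  # skip: never filtered
        "ssdp":       Packet("out", "urtwn0", "udp", me, "239.255.255.250", 51003, 1900),    # '$weird' block
        # the _pbuild block is not 'quick' and follows the DNS pass rule, so it never fires for DNS
        "pbuild_dns": Packet("out", "urtwn0", "udp", me, dns, 51004, 53, user="_pbuild"),
    }
    return {name: fw.filter(pkt) for name, pkt in cases.items()}
```

Printing `demo()` shows the DNS query passing on its explicit rule and the reply passing on state, SSH from outside and plain HTTPS on the wifi interface both hitting the final block, and anything on tun0 never being filtered at all. Two things the model makes visible that the poster's description does not: the `_pbuild` rule is not `quick` and comes after the `pass out quick ... to $dns` rule, so ordering decides which one wins, and the posted pf.conf contains no `queue` definitions, so pf is not shaping traffic on either interface. On a real system the equivalent checks are `pfctl -vnf /etc/pf.conf` to see the expanded ruleset (including what the `my0N-other-vpn.com` names resolved to at load time) and `pfctl -s states` to see which state entries are letting replies back in.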



RE: news from my hacked box

2020-04-02 Thread zeurkous
Haai,

"Theo de Raadt"  wrote:
> Cord  wrote:
>
>> You are free to believe or not to believe, but you are not free to insult me.
>> Is that clear ?
>
> Or what.. you'll throw your tinfoil hat at them?

Haven't you yet been diagnosed w/ ODD? :)

Cord: you're prolly being overly paranoid, and your assertions are
  somewhat vague. Many people here have trouble dealing w/ that, me
  included. Thus: please excuse us if we cannot give you the answers
  you seek. What me can say is that some of the problems you
  identified are a natural consequence of the unreliability of IP.

No reason to be a jerk, though.

HTH,
 
 --zeurkous.

-- 
Friggin' Machines!



Re: news from my hacked box

2020-04-02 Thread Cord
You are free to believe or not to believe, but you are not free to insult me.
Is that clear ?


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Thursday 2 April 2020 03:01, Anders Andersson  wrote:

> On Wed, Apr 1, 2020 at 10:29 PM Cord openbs...@protonmail.com wrote:
>
> > Hi,
> > I found something that in my opinion is nearly evidence.
> > For those who don't know my story, please read past messages:
> > https://marc.info/?a=15535526152=1=2
> > Well, as I said previously, my laptop had been hacked, so I bought a new 
> > laptop because my suspicion is that the UEFI or other firmware had been 
> > hacked (I reinstalled OpenBSD various times).
> > The old laptop had a wifi USB dongle to connect to the wifi router.
> > Now the new laptop has a wifi chip that works properly on OpenBSD.
> > The inner IF is iwm0.
> > And I discovered differences in wifi performance between the on-board IF 
> > and the old USB dongle.
> > Of course the tests were made from exactly the same physical place.
> > The following are the results (I used speedtest-cli):
> > iwm0 with vpn: download 0,46 Mbit/s, upload 0,55 Mbit/s
> > iwm0 without vpn: download 0,50 Mbit/s, upload 2,53 Mbit/s
> > urtwn0 with vpn: download 20,88 Mbit/s, upload 8,49 Mbit/s
> > urtwn0 without vpn: download 24,83 Mbit/s, upload 9,27 Mbit/s
> > The following are the results pinging 8.8.8.8 with -c 500:
> > 500 packets transmitted, 500 packets received, 0.0% packet loss
> > iwm0: round-trip min/avg/max/std-dev = 18.761/6372.615/72372.495/14987.007 
> > ms
> > urtwn0: round-trip min/avg/max/std-dev = 24.068/36.489/878.218/48.120 ms
> >
> > As far as I know, traffic shaping is configured by pf with pf.conf; the 
> > following is my pf.conf (I'm sorry, I'm not a genius of pf):
> > ---/etc/pf.conf
> > if="urtwn0"
> > #if="iwm0"
> > dns="{8.8.8.8}"
> > myvpn="{x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x}"
> > weird="{239.255.255.250, 224.0.0.1}"
> > pany="{udp, tcp}"
> > set skip on tun0
> > set skip on lo
> > set block-policy drop
> > set loginterface $if
> > block quick inet6
> > block quick on $if from any to $weird
> > pass quick proto icmp
> > pass out quick on $if proto $pany from $if to $dns
> > pass out quick on $if proto udp from $if to $myvpn
> > pass out quick on $if proto tcp from $if to my01-other-vpn.com
> > pass out quick on $if proto tcp from $if to my02-other-vpn.com
> > pass out quick on $if proto tcp from $if to my03-other-vpn.com
> > block drop in on ! lo0 proto tcp to port 6000:6010
> > block drop out log proto {tcp udp} user _pbuild
> > block log quick on $if
> >
> > --
> >
> > Other strange things that happen on my laptop are the following:
> >
> > 1.  Sometimes my OpenVPN (2 times out of 5) fails authentication even though 
> > I use a saved authentication data file and pass it the data with 
> > --auth-user-pass /my/path/pass.
> > Then in my opinion it's impossible that the authentication fails.
> >
> > 2.  Sometimes KeePassXC fails authentication on a random site. If I copy the 
> > password and paste it by hand, it works.
> > 3.  And of course there are people that can spy on me and modify suggested 
> > videos on YouTube. Please do not comment on this because I know it's very 
> > subjective.
> >
> > As I said previously, in my opinion there is a 0day in how the TCP/IP stack 
> > is implemented in the kernel.
> > And the vulnerability can be exploited by a MITM attack from the home 
> > router.
> > Thank you, Cord.
>
> Hello Cord, and thank you for the interesting messages.
>
> Just a thought: Do you have any wall paintings, and have you noticed
> something different about them since you got hacked?
>
> You see, I once talked to a man at the local library who was looking
> for literature about computer viruses and he mentioned that the virus
> had somehow spread out from the USB ports in his computer onto his
> paintings, which had now become dull and grey. His family told him
> that he was imagining things and refused to help him, that's why he
> was at the library to search for information.
>
> If your computer has been hacked, maybe it is by the same virus.
>
> Kind regards,
> 

Re: news from my hacked box

2020-04-02 Thread Theo de Raadt
Cord  wrote:

> You are free to believe or not to believe, but you are not free to insult me.
> Is that clear ?

Or what.. you'll throw your tinfoil hat at them?



Re: news from my hacked box

2020-04-01 Thread Anders Andersson
On Wed, Apr 1, 2020 at 10:29 PM Cord  wrote:
>
> Hi,
> I found something that in my opinion is nearly evidence.
> For those who don't know my story, please read past messages:
> https://marc.info/?a=15535526152=1=2
> Well, as I said previously, my laptop had been hacked, so I bought a new 
> laptop because my suspicion is that the UEFI or other firmware had been 
> hacked (I reinstalled OpenBSD various times).
> The old laptop had a wifi USB dongle to connect to the wifi router.
> Now the new laptop has a wifi chip that works properly on OpenBSD.
> The inner IF is iwm0.
> And I discovered differences in wifi performance between the on-board IF and 
> the old USB dongle.
> Of course the tests were made from exactly the same physical place.
> The following are the results (I used speedtest-cli):
> iwm0 with vpn: download 0,46 Mbit/s, upload 0,55 Mbit/s
> iwm0 without vpn: download 0,50 Mbit/s, upload 2,53 Mbit/s
> urtwn0 with vpn: download 20,88 Mbit/s, upload 8,49 Mbit/s
> urtwn0 without vpn: download 24,83 Mbit/s, upload 9,27 Mbit/s
>
> The following are the results pinging 8.8.8.8 with -c 500:
> 500 packets transmitted, 500 packets received, 0.0% packet loss
> iwm0: round-trip min/avg/max/std-dev = 18.761/6372.615/72372.495/14987.007 ms
> urtwn0: round-trip min/avg/max/std-dev = 24.068/36.489/878.218/48.120 ms
>
> As far as I know, traffic shaping is configured by pf with pf.conf; the 
> following is my pf.conf (I'm sorry, I'm not a genius of pf):
> ---/etc/pf.conf
> if="urtwn0"
> #if="iwm0"
> dns="{8.8.8.8}"
> myvpn="{x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x}"
> weird="{239.255.255.250, 224.0.0.1}"
> pany="{udp, tcp}"
> set skip on tun0
> set skip on lo
> set block-policy drop
> set loginterface $if
> block quick inet6
> block quick on $if from any to $weird
> pass quick proto icmp
> pass out quick on $if proto $pany from $if to $dns
> pass out quick on $if proto udp from $if to $myvpn
> pass out quick on $if proto tcp from $if to my01-other-vpn.com
> pass out quick on $if proto tcp from $if to my02-other-vpn.com
> pass out quick on $if proto tcp from $if to my03-other-vpn.com
> block drop in on ! lo0 proto tcp to port 6000:6010
> block drop out log proto {tcp udp} user _pbuild
> block log quick on $if
> --
>
> Other strange things that happen on my laptop are the following:
> 1) Sometimes my OpenVPN (2 times out of 5) fails authentication even though I 
> use a saved authentication data file and pass it the data with --auth-user-pass 
> /my/path/pass.
> Then in my opinion it's impossible that the authentication fails.
> 2) Sometimes KeePassXC fails authentication on a random site. If I copy the 
> password and paste it by hand, it works.
> 3) And of course there are people that can spy on me and modify suggested videos 
> on YouTube. Please do not comment on this because I know it's very subjective.
>
> As I said previously, in my opinion there is a 0day in how the TCP/IP stack is 
> implemented in the kernel.
> And the vulnerability can be exploited by a MITM attack from the home router.
> Thank you, Cord.

Hello Cord, and thank you for the interesting messages.

Just a thought: Do you have any wall paintings, and have you noticed
something different about them since you got hacked?

You see, I once talked to a man at the local library who was looking
for literature about computer viruses and he mentioned that the virus
had somehow spread out from the USB ports in his computer onto his
paintings, which had now become dull and grey. His family told him
that he was imagining things and refused to help him, that's why he
was at the library to search for information.

If your computer has been hacked, maybe it is by the same virus.

Kind regards,
Anders



news from my hacked box

2020-04-01 Thread Cord
Hi,
I found something that in my opinion is nearly evidence.
For those who don't know my story, please read past messages:
https://marc.info/?a=15535526152=1=2
Well, as I said previously, my laptop had been hacked, so I bought a new laptop 
because my suspicion is that the UEFI or other firmware had been hacked (I 
reinstalled OpenBSD various times).
The old laptop had a wifi USB dongle to connect to the wifi router.
Now the new laptop has a wifi chip that works properly on OpenBSD.
The inner IF is iwm0.
And I discovered differences in wifi performance between the on-board IF and 
the old USB dongle.
Of course the tests were made from exactly the same physical place.
The following are the results (I used speedtest-cli):
iwm0 with vpn: download 0,46 Mbit/s, upload 0,55 Mbit/s
iwm0 without vpn: download 0,50 Mbit/s, upload 2,53 Mbit/s
urtwn0 with vpn: download 20,88 Mbit/s, upload 8,49 Mbit/s
urtwn0 without vpn: download 24,83 Mbit/s, upload 9,27 Mbit/s

The following are the results pinging 8.8.8.8 with -c 500:
500 packets transmitted, 500 packets received, 0.0% packet loss
iwm0: round-trip min/avg/max/std-dev = 18.761/6372.615/72372.495/14987.007 ms
urtwn0: round-trip min/avg/max/std-dev = 24.068/36.489/878.218/48.120 ms

As far as I know, traffic shaping is configured by pf with pf.conf; the following 
is my pf.conf (I'm sorry, I'm not a genius of pf):
---/etc/pf.conf
if="urtwn0"
#if="iwm0"
dns="{8.8.8.8}"
myvpn="{x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x, x.x.x.x}"
weird="{239.255.255.250, 224.0.0.1}"
pany="{udp, tcp}"
set skip on tun0
set skip on lo
set block-policy drop
set loginterface $if
block quick inet6
block quick on $if from any to $weird
pass quick proto icmp
pass out quick on $if proto $pany from $if to $dns
pass out quick on $if proto udp from $if to $myvpn
pass out quick on $if proto tcp from $if to my01-other-vpn.com
pass out quick on $if proto tcp from $if to my02-other-vpn.com
pass out quick on $if proto tcp from $if to my03-other-vpn.com
block drop in on ! lo0 proto tcp to port 6000:6010
block drop out log proto {tcp udp} user _pbuild
block log quick on $if
--

Other strange things that happen on my laptop are the following:
1) Sometimes my OpenVPN (2 times out of 5) fails authentication even though I use 
a saved authentication data file and pass it the data with --auth-user-pass 
/my/path/pass.
Then in my opinion it's impossible that the authentication fails.
2) Sometimes KeePassXC fails authentication on a random site. If I copy the 
password and paste it by hand, it works.
3) And of course there are people that can spy on me and modify suggested videos 
on YouTube. Please do not comment on this because I know it's very subjective.

As I said previously, in my opinion there is a 0day in how the TCP/IP stack is 
implemented in the kernel.
And the vulnerability can be exploited by a MITM attack from the home router.
Thank you, Cord.