Category Archives: General Articles

On ProtonMail’s “Human Verification”

Howdy,

Recently, I noticed that protonmail treats users that attempt to use their service via tor a bit differently.

So if you are ready and/or willing to laugh or cry a bit about it, then keep on reading.

Let’s go…

First of all protonmail owners are happy to talk a lot about privacy and security, which is a good thing. They even offer a Tor hidden service!


They even mention that protonmail “does not require any personally identifiable information to register”.


However, how true is all that about privacy and anonymity?

So in case you actually attempt to signup for a new account on protonmail, via tor, this is what happens:


Wait a minute!!!

Isn’t Tor’s purpose to offer anonymity and privacy to the user?!?!

Are you actually telling users to connect via Tor, for which you also provide a URL, and then asking them to give you their mobile number and/or their credit card information?!?!?

Didn’t you say that you don’t require any personal information to register?!?!

This makes no sense…this makes no fucking sense!!!

To make things clear, asking for a mobile number and/or credit card information has nothing to do with “Human Verification”.

This is clearly an “Identification” of the person that attempts to sign up to their service…using Tor…for which they also provide a URL…a process for which they were not supposed to ask for any personal information.

After having a conversation over twitter with @bartcbutler (Protonmail’s CTO), it seems that they still believe that promoting privacy via Tor and then asking someone to provide personal information makes total sense to them.

Their excuse is that they do that to fight spammers and people creating multiple accounts, which could make the whole service suffer.

But…do they do this for users that don’t attempt to signup via Tor?

No they don’t!!!


So, let me get this straight…if that makes any sense.

When I asked them what is the point of allowing people to sign up via Tor and also offering a Tor URL if they assume that Tor users are spammers, @bartcbutler said that they don’t assume anything like that.

Apparently, though, this is not the case, again!

If it was the case, then why not always ask for personal information?

Can’t spammers create multiple accounts without using Tor?

Well…the difference is that it makes it easier to identify people that create an account without using Tor.

Because that’s the difference. That’s the only difference.

So clearly, this doesn’t make any sense and definitely it’s not for fighting spammers.

Nothing from what they claim and say adds up, and for me protonmail is definitely not an option anymore.

If you see shit on one side of the cake:

a. You clean that part up and eat the rest of the cake.
b. You throw away the whole fucking cake.

The choice is yours.

Take care,
kyREcon

Getting a job in cybersecurity

I see a lot of young people that want to get a job in cybersecurity, and whenever possible I am trying to talk with them in order to understand what makes them want to get into this industry. Is it passion for IT security or is it just the growing salaries in this market? Unfortunately, it seems that getting a job in this area is becoming a trend while there is no real motivation for knowledge.
It really makes me sad when I see a person in his early 20s only thinking about money. On the other hand, I also appreciate the fact that not everyone wants the same things from life, and for that reason I am not judging anyone. What is however important in any case is how you get there. Putting things in the right order is the best way to go. These are just personal points of view. I am not trying to tell anyone what is right or wrong. I am only expressing my opinions, and you can agree or disagree. :)
The following are some of the things I hear quite often from people that come straight out of university.

The HackingTeam and the Infosick White Angels

What have we really learned from the recent data leak regarding the operations of the so called HackingTeam?

Did we learn that there are some companies/people out there selling exploits?

Was it that the infosec industry is full of white angels that would never do so?

Maybe it was the fact that our industry is not so open-minded as we think?

Let’s see…

There are companies and individuals selling exploits. WOW, what a fucking surprise!!!
Sorry for disturbing your sweet dreams. Reality check! If you didn’t know, then you are reading the wrong article. I suggest you continue reading –> here <–.
If you did know that shit happens, you may be interested in reading the rest of it.

Demonizing the phrase “selling exploits” is like saying manufacturing cars is evil.
Just because some people will misuse either of them doesn’t mean that both are necessarily bad.
Is it that bad to sell an exploit that might help the authorities to breach a terrorist organization?
Is it worse than driving drunk or high? Oh yes, you never do that!!!

Let’s now go back to those loud infosick people that started sharing lists and putting labels on people that worked for the HackingTeam.
They even started saying to blacklist all those people from working again in IT. Shame on you!!!
You are not a judge, and you certainly won’t decide anyone’s life. If you don’t like someone and his actions, you are free to say so.
However, organizing a witch hunt belongs to another era, and I wasn’t expecting to see people going down to that level.
Again, if you did that, shame on you!!!

So selling an exploit is evil. All white angels came out and said that out loud.
I am not really surprised. People do try to get attention from someone else’s failures. Sad creatures!
What these angels never told us is what they would have done if they had the skills to build an exploit that someone would happily buy for $30k or more. I am pretty sure they would never sell that evil thing, because they are nice people!!!
I can understand people with the skills for doing so, that never did, going out and criticizing these actions. However, looking at the masses shouting under the cross, it is really sad…and at times even funny.

Now, I know people will come and say that I have connections with the HackingTeam and that I am trying to defend them. I am sorry to disappoint you, but you are wrong!
They will pay for their mistakes when the time comes, but it won’t be you who decides how and when.
It makes me feel sick being part of a community that is ready at any time to blacklist and label people.
Today it’s them. Tomorrow it might be you, for whatever reason that might be.
At the end of the day, that’s just my opinion, and you don’t have to like it.

Just out of curiosity. Before wearing your superhero mask and going out on Twitter saving the world with your (mostly) useless tweets, did you ever consider what might be the real motivation behind this breach?
How do you know this was done for ethical reasons? How can you be so sure that someone didn’t get paid just to take them out of the game?
I am pretty sure this never occurred to you. Surprise! Yeah, I know…shit happens. I don’t imply that I know what really happened, so don’t pretend you do know that all this happened for a good reason. Just saying…

Apparently HackingTeam made a lot of mistakes. They fucked up. However, I am pretty sure not all of their actions were evil, and if they were, only time will tell.

Finally, I want to send my respects to all of them that handled things responsibly. That is, by sharing the information without judging the people behind it. To those that spent some time analyzing the leaked data, extracting the exploits and helping the affected vendors to fix those vulnerabilities, I have to say congrats! That’s what it should be all about.

Don’t judge someone just because they sin differently than you.

kyREcon

Anti-Piracy For Everyone…

Nowadays, there are lots of discussions regarding software availability. There are people that scream against the commercialization and others that believe that it is needed.

Well, demanding to have any type of software for free and/or open source is at least pointless. Let’s not forget that employees in companies that do software development are not robots. They have families and they must earn money to support them.

Furthermore, paying for software is not necessarily bad. Money is a good motivation to work harder and produce better results. If everything was free, then why bother?

On the other hand, what should be free is the idea and an example of it, so that a single developer could study it and use it for his own purposes. Of course you don’t need to provide all the details, just the idea and a proof that it works.

Anyway, this is one of those discussions that will never end, since every person has their own point of view on everything.

However, what should also be free is anti-piracy! Yes, make anti-piracy available for everyone. Think about single developers. Do you really think that every single developer has the money to go through all the available commercial software protections, or even more that he has the knowledge to code his own custom software protection?

The A.R.F Project has been inspired by all these thoughts. Those who claim that they crack software in order to force companies to make software free are either liars or incompetent.

Nobody cracks for that reason! People crack software protections for knowledge, for fun, for fame, and unfortunately some of them for profit. Do you really think that Mr. Cracker from the other side of our planet gives a damn if you can have an application for free or not? Trust me, he doesn’t! If he decides to crack your software, it is for personal satisfaction, so that in the end he will be able to say “Yeah, eat that bitch”.

In any case, the purpose of this blog is not to give an answer to whether software should be free or not, but to give everyone the possibility to understand many anti-reversing tricks and how they can be implemented, so that everyone will have a chance against software piracy.

Of course, developing a custom software protection is not easy, but through The A.R.F Project it can be easier, and that’s what I really wish to accomplish. I hope that in the days to come many people will be helped and even inspired by the articles of this blog to create their own custom software protections.

Cheers,

kyREcon