LibreSec

Baltimore Prepared Me For Social Engineering

There are people in the hood that will attempt to finesse & hustle you in all sorts of ways if you aren't wise.

You can get hustled out of dice games, other street games, etc.

Maybe there's someone that's jealous / doesn't like you and they want to "line you up" (set you up to be robbed). One way they may do that is by sending an attractive female to come talk to you (if you're a man). If you're dumb enough to trust her, then she may send over some of the intel she gathered on you (where you live, what you got, what you're doing), to people that will eventually come & rob you.

Some females will just rob you outright. You need to be aware of who you're dealing with.

Other people may pretend to offer you "help" and "resources", but really they're trying to make you dependent on them. They will seem very nice, be well-spoken, and perhaps even lie to you and say that they are a pastor, nurse, teacher, etc. (some trusted profession). Their goal is to leave you indebted to them in some way. Once you are - they will collect, one way or the other (with the threat of violence behind it).

Some people will lie to police and say that you sell drugs or set you up to catch a case as part of their plea agreement (i.e., turning in other "dealers" for a 'lighter sentence'). Some people will rob you & then help you look for your missing stuff, all the while pretending to be a concerned friend.

All of these people I described in this message could be your own family members.

Police obviously can't be trusted in the City. They will hurt you. They aren't like police in other cities. There aren't "bad apples" and "good guys", the whole force is corrupt. I've watched them stand outside of their cars and monitor people selling dope & other drugs in full view like nothing was happening because they either work for those peoples' plugs/connects or those people work under them (by "watched", I mean, I was physically present to witness this while someone was asking me if I wanted "2 for 20s" on my way to the gas station). If you think that statement is bullshit, then that shows the gap between our experiences.

This is one of the few cities on planet earth where the presence of police (multiple squad cars), will not make you feel any safer. The city can be very quiet but it is ominously dangerous and you need to be careful about who you talk to and who you tell what to.

Very Similar to Social Engineering Attacks, Right?

Right. But there are not many people from Baltimore in IT, is there? Someone from a good town / environment / background that never grew up around those characters may not think twice when they get a phone call from "Bob" in the "IT department" who just wants to "check out a couple things" or "make sure a bug is fixed".

Someone like me is programmed not to trust people like that.

If you aren't able to communicate effectively with other human beings, then you're not a visionary.

The idea that someone can be totally deficient in all social areas yet still somehow possess "genius" is a fantasy. There is no 'trade off' between having aptitude in the field of IT and being a socio-normative individual.

This idea that it is acceptable to possess one skill set and not the other is one perpetrated by the lack of diversity in computers and IT, in general (as well as "hacker" culture). If you're someone that prides yourself on your technical prowess, make sure that your social skills fall somewhere close.

This will help you on a lot of levels - security included. Again, this is why diversity is important.

Being From Baltimore Helps

That's where I'm from. Not Silicon Valley. Baltimore is one of the T20 most dangerous cities in mankind (not the U.S. / North America, I mean all of mankind).

My experiences have desensitized me to a considerable amount in this world. I'm not the paragon or archetypal example for how one should behave / interact, but my mentality, philosophy, drive, & intellect is indicative of the positive impact of diversity.

How: I Always Valued Security

Visit Baltimore sometime when you get a chance (just kidding). If you do happen to find yourself there, you'll notice that most of the stores close when it gets dark (this adjusts for the winter / summer seasons). The stores that do remain open are only gas stations (some), and they never allow you inside.

Instead, there's bulletproof glass that's several inches thick that stands between you and the clerk at the store. This is to protect themselves from being shot. You can usually tell whether this glass actually works or not by the spider-marks and fractures in the glass left over from the times when someone did attempt to fire a bullet at the glass (for some reason).

If you rent in Baltimore City, your #1 priority is security. That means a door that's double-bolted. With a thick lock. And likely more than one entrance (with a deadbolt on it) that you must go through before getting to your room.

Calling Police isn't an Option

They will not come help you. They allow people to sell drugs out there and some of them do so themselves. The entire city / police force is corrupt. Don't think about calling someone's corporal / sergeant / boss or taking down badge #'s, there's nobody for you to report that to - you will only put yourself in harm's way doing so.

So learning to take care of yourself is critical out there (however you decide to do that). Sometimes you need to walk through certain areas w your hand in your pocket with your keys or wallet clutched a certain way (with a certain walk) so it appears as though you *could* have a firearm. This will help make people think twice if you have to walk home alone because if you get jumped, you will be jumped with a piece (gun).

Whonix recently sent this into their Telegram chat. Appears that they no longer have a TG chat anymore; they want to relegate all user feedback to their forums (solely) for some reason.

Asinine, Autistic Decision

This is why a lot of good projects fail. You have developers that don't possess the necessary social skills & acumen to handle the social aspect of managing their communities, yet feel as though they must take on that mantle anyway (for some reason).

Of course, when that inevitably falls apart they elect to make an anti-social decision like what Whonix did (why? we may never know).

Proud to say that Librehash was one of the last contributors in Whonix before they made their Telegram channel "read-only". Had to inform a ton of users in there about the pitfalls of Monero as a protocol (fixable, but pessimistic on whether these issues actually ever will be fixed).

Not sure what pressured Patrick (lead maintainer) to close down the chat altogether, but this is a piss poor decision and likely one that marks the beginning of the end for Whonix.

Hopefully someone with common sense can fork this project* and delegate responsibilities for upkeep of different facets of the project to those competent enough to handle them. There's more to computers than just code & numbers. All of this is social - interactions, motivations, etc.

If you don't have someone at the helm / project's 'face' that can present it in a way that makes it palatable for general audiences, then nobody is going to use it. Doesn't matter how good your idea is. Scorning the masses for being "normies" that are unwilling to wade through all of your personality disorders & autism to get through to what you're "really providing" is choosing to remain in a veil of hubris manifested by the ignorant belief that you're such a special cupcake that people must suspend their sensitivities for your sake and yours alone.

Adapt (socially) or die like every other geek with a "good idea" that was hailed a 'genius' at everything except for holding a decent conversation with another human being.

Benefit of Blockchain in This Setup

1. The anchoring of data provides us with an immutable SOA (nothing can exist without being tracked back to an anchor on some blockchain on the network) ; the most important thing is to find that SOA (this also represents DID identities as well).

DID will be akin to a MAC address in a typical setup of internet devices (or I guess computing devices in general) ; except in this case that MAC address will be referencing an identity - which is essentially like the same as 'hardware' on this network (in this context; perhaps that was not as good of an analogy, but its the best one that I have to explain the pseudo-permanence of these DID entities).

There may be some issues with anonymity, but ultimately there always will be. question whether there's any true utility in the sole goal of one seeking to be anonymous just for the sake of being anonymous (due to the fear of unconfirmed unknowns demasking the identity of a given individual for the sake of doing so despite the fact that there are probably objectively more interesting and relevant 'targets' for whomever is suspected of engaging in such de-anonymizing actions) [of course, there is some level of legitimate paranoia that comes from those that are in situations where they have reason to believe that the monitoring of their communications could lead to their imminent compromise (i.e., Snowden as he was defecting))

This protocol works much in the same way as the DNS protocol that was described above, except there's going to be a slight tweak (not really) to allot for the cache nodes on the protocol.

What I failed to mention in that brick of text above is that services like Cloudflare (which were those original "runners" that we were talking about), are so popular because they cache the response that they receive fro those upstream DNS servers .

So when you're done looking up google.com, they remember the "answer" that was given for that query and they store that in their database backend.

Now, the next time that someone is querying for 'google.com', the recursive resolver should be able to provide a "response" almost immediately since they saved the answer to that question.

This is why there's a TTL (time-to-live) in the DNS zones for various domain records (you may not have ever paid it mind before if you've bought a domain in your lifetime).

That TTL essentially tells those recursive servers (and any other servers on the internet) how long they should consider that saved answer to be good for before they need to "refresh" that request to ensure that the answer hasn't changed (these servers are also contacted if there has been a change in the request.

Dangers Here

If there is a *false request* being made to that cached data or someone manages to alter that saved answer somehow, then that's called a cache poisoning attack.

Through a multitude of ways, an attacker can convince an upstream recursive DNS resolver (like Cloudflare or Google DNS) that the answer to a given query has changed when it, in fact, hasn't.

This is why DNSSEC is touted as such an important measure for domains to adopt - because when there is DNSSEC, that stipulates that changes being made to a given domain's "answer" be accompanied with a cryptographic signature that validates with the public key that was also included in the original resource records (for the 'SOA' file ; the 'Start of Authority' / Genesis / Head Honcho #1 Source)

This is pretty effective - although it relies on security of said keys as well as a properly propagated record reflecting the inclusion of said keys. In addition, if the user leaves it up to the registrar to manage said keys, then they are only as secure as that registrar's management of said keys (GoDaddy's 3+ breaches this year exemplifies what this means in a 'real-world' sense).

GMPLS and MPLS

GMPLS is the generalized version of the MPLS protocol (essentially it is for routing based on static information imbued on the protocol) ; this could be useful in routing to certain content that's on the network so that we can distribute the load to different nodes along the way based on the authority that they have for a given portion of the URI that's going to be referenced (this is going to be parallel to the DNS lookup structure)

For DNS:

A) First the recursive resolver is contacted (like Cloudflare)

B) They then route that request through (if its not cached already - to the authoritative upstream nameservers for the TLD based on the information that's already widely available via the root DNS zones on the internet)

C) Those TLD authority servers can then tell you where the specific URI that's being queried is stored at (i.e., GoDaddy / Google Domains / etc.)

D) At that point you have reached the authoritative DNS server

What matters here is the result that you're given (the actual IP address) ; without that information, you're not going to be able to route the request itself (i.e., your browser needs to know where google.com is first before the actual request can be put in to receive / give information / communicate with google.com)