Wednesday

Linux File Encryption Using GPG

Encryption is a dangerous munition, or at least it was according to US export regulations between the Second World War and the twenty-first century. Ridiculous as that may sound today, strong encryption is under attack once again by the US government, with the likes of ISIS and Boko Haram as the frightening face of the new anti-encryption campaign. To be fair, the US government isn't attacking all encryption; rather, they're attacking encryption that works. What they're seeking is a world in which encryption is broken in a very specific and controlled way, such that government agencies can get access to the encrypted data while still locking out other adversaries. This, of course, is fundamentally stupid.
As a response to such an absurd policy direction, I'm writing this guide to show you a reliable way to encrypt files. While the proposals of the US government aren't directed so much at file encryption as they are for encryption of messages, these are things that I've written about several times before. Thus, I thought I'd pivot slightly with this guide and focus on encrypting other kinds of data reliably. This will be the first of a two-part series on file encryption focusing on encrypting data with GPG. Later we will focus on Tomb file encryption.

GPG? Isn't That For Email?

GPG is an encryption toolset that is best known for encrypting email, and while it is magnificent in this regard (usability aside), it's also equally capable at encrypting files. Moreover, GPG is also usually associated with asymmetric encryption, that is encryption using separate public and private keys, but it also has the capability to encrypt files symmetrically using a password. Today we'll learn how to encrypt files using the symmetric side of GPG, though there are definitely legitimate use cases for each.

But why would we use GPG for file encryption?

There are several pros and cons to using GPG for file encryption. The benefits are that it is usually installed by default on just about any Linux distribution, and it's rock-solid reliable. The cons are that it doesn't hide file size, and can be (in some regard) hard to use at first for beginners. It also doesn't work on directories on its own, requiring another utility called tar, though this is also installed by default on just about every distribution.

Step 1: Preparing The Data

(If you are only encrypting one file, skip this step)
Typically when we want to encrypt data it involves more than one file, and because of this we need to first aggregate all the different files we want to encrypt into one clump. For this we use a classic tool called tar. Tar (Tape ARchive) essentially takes multiple files and welds them together, and also provides the ability to apply compression in the process, such as GZIP and XZ, to reduce the file-size. We always want to compress our files before encrypting them: compression relies on patterns, and encrypted data is too random to have any, so compressing afterwards gains nothing.
Here is an example that will create an archive called archive.tar.xz using three text files, with XZ compression being applied in the process.

tar -cJf archive.tar.xz file-1.txt file-2.txt file-3.txt
The -c flag is what signals tar to create an archive, the -J flag signals the use of XZ compression on the data, and the -f flag names the archive file you want to create. Because that filename must follow -f directly, -f must always be the last flag used. XZ compression will result in very small file-sizes, but can be slow. If you wish to use gzip compression instead, which will be much faster but will result in larger file-sizes, then use the -z flag instead of -J, and label your file archive.tar.gz instead of archive.tar.xz.

Step 2: GPG Encryption

Now that the data has been aggregated to only one file, we can use GPG to encrypt it. First, however, we may want to change the default encryption algorithm that GPG uses. To do this, we must edit the gpg.conf file and add a line at the end.

nano ~/.gnupg/gpg.conf
Now simply type the following in at the very end of the file, then save and exit (CTRL+X, Y, then Enter)

cipher-algo AES256 
What this does is set the default algorithm to be AES-256, which is a gold-standard for symmetric encryption.
With this finally set, and with the data aggregated into a single file, we can start encrypting our files!

gpg -c archive.tar.xz
Here, the -c flag tells GPG to use symmetric encryption, which means you'll have to input a password. Make sure that the password is strong. I strongly recommend using Diceware, as it allows you to use incredibly strong passwords that are easy to remember. The file that GPG will output will be named archive.tar.xz.gpg, in other words it will be the original filename with '.gpg' tagged onto the end.

Step 3: Cleaning Up

The file ending in '.gpg' will be the encrypted file that you can send or upload online without worrying (assuming you used a strong password). If, however, you don't want any trace of the original files on your computer, you'll need to do a bit of cleanup. I've already written a quick guide on secure file deletion, so give that a read for a more in-depth explanation. Nevertheless, the command you'll want to use to securely erase the unencrypted data from your disk is the shred command.

shred -u archive.tar.xz file-1.txt file-2.txt file-3.txt
What this does is overwrite the data on the disk for all of our original, unencrypted files. The -u flag will signal shred to then remove the files after overwriting them. If everything goes well, you now have a GPG-encrypted archive of your files.

Step 4: Decryption

Decrypting the files takes about as long as encrypting them. First, you'll want to use GPG to decrypt the archive, then tar to uncompress and unpack it.

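gpg -o archive.tar.xz -d archive.tar.xz.gpg
tar -xf archive.tar.xz
Here, the -d flag tells GPG to decrypt the data, and the -o flag names the file to write the result to; without -o, gpg -d prints the decrypted data to the terminal instead of saving it. This will leave you with the compressed archive, archive.tar.xz, which the second command will decompress and unpack, leaving you with your original data.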
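
Steps 1 to 4 combined into one script, as an added example that is not part of the original post. It goes a little beyond the steps above by piping tar straight into gpg, so no unencrypted archive is ever written, and by checking the encrypted file before shredding the originals. It assumes GNU tar, xz and GnuPG 2.1 or later; the function names and the PASSFILE variable are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): Steps 1-4 as one workflow.
# Assumes GNU tar, xz and GnuPG 2.1+. Function names and PASSFILE are
# hypothetical. Pass relative paths to regular files.
# Usage: sh script.sh encrypt archive.tar.xz.gpg file-1.txt file-2.txt
#        sh script.sh decrypt archive.tar.xz.gpg [destdir]

# Run gpg normally (interactive passphrase prompt). If PASSFILE is set,
# read the passphrase from the first line of that file instead, for
# unattended use; keep such a file private (chmod 600).
gpg_sym() {
    if [ -n "${PASSFILE:-}" ]; then
        gpg --batch --yes --pinentry-mode loopback \
            --passphrase-file "$PASSFILE" "$@"
    else
        gpg "$@"
    fi
}

# encrypt_files OUT.gpg FILE...
# Steps 1 and 2 in one pipeline: the unencrypted archive never touches the
# disk, so there is no archive.tar.xz to shred afterwards.
encrypt_files() {
    out=$1; shift
    tar -cJf - -- "$@" | gpg_sym --cipher-algo AES256 -c -o "$out"
}

# verify_archive ENC.gpg FILE...
# A pipeline only reports gpg's exit status, so a tar failure (for example
# a missing input file) would go unnoticed. Check the result explicitly.
verify_archive() {
    enc=$1; shift
    # 1. The passphrase is right and gpg's integrity check passes.
    gpg_sym -d "$enc" >/dev/null 2>&1 || return 1
    # 2. Every requested path is actually in the archive.
    listing=$(gpg_sym -d "$enc" 2>/dev/null | tar -tJf -) || return 1
    for f in "$@"; do
        printf '%s\n' "$listing" | grep -Fxq -e "$f" -e "${f%/}/" || return 1
    done
    # 3. Archived contents match the files still on disk (GNU tar --diff).
    gpg_sym -d "$enc" 2>/dev/null | tar -dJf - >/dev/null 2>&1
}

# encrypt_and_shred OUT.gpg FILE...
# Step 3, but only after verification succeeds. shred overwrites in place,
# which is not dependable on SSDs or journaling/copy-on-write filesystems.
encrypt_and_shred() {
    out=$1; shift
    encrypt_files "$out" "$@" || return 1
    if ! verify_archive "$out" "$@"; then
        echo "verification failed: originals kept" >&2
        return 1
    fi
    shred -u -- "$@"
}

# decrypt_files ENC.gpg [DESTDIR]
# Step 4, again without writing the intermediate archive to disk.
decrypt_files() {
    gpg_sym -d "$1" | tar -xJf - -C "${2:-.}"
}

case "${1:-}" in
    encrypt) shift; encrypt_and_shred "$@" ;;
    decrypt) shift; decrypt_files "$@" ;;
esac
```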

And You're Done

That may seem like quite a bit of work, but after getting the hang of it, which doesn't take long, it is actually a very quick process. I personally use this method for when I work with data on Tails, as it allows me to encrypt and decrypt data without having to install any other software, and without having to go online.
But what are your favourite methods for file encryption? Leave a comment down below.

Using Tor Browser for I2P

While I2P is a fantastic network, there is definitely one thing it lacks when compared to Tor: a purpose-built browser. While Tor users are given the gift of the Tor Browser, I2P users are forced to scavenge for a browser and add-ons that fit their security and anonymity needs. Fortunately, with just a few tweaks the Tor Browser can be configured to work with both Tor and I2P. This tutorial will cover exactly how to do just that.

Why The Tor Browser?

If you don’t already know, the Tor browser isn’t just a standard version of Firefox. Instead, it is a custom-built browser based on Firefox ESR (Extended Support Release), the more mature and stable version of Firefox without the flashy bells and whistles. The Tor Project team makes a range of changes to the browser that range from removing identifiers that would otherwise give the browser a unique fingerprint (you can test your browser’s fingerprint here), to ensuring that there isn’t any evidence of your browsing session left on your computer after the browser is closed. As well, the Tor Project adds a few add-ons to the browser that help increase privacy, security, and anonymity, such as NoScript, HTTPS-Everywhere, as well as the Tor Button. All in all, this same setup that makes the Tor Browser perfect for Tor makes it equally suitable for I2P.

Adding I2P Support To The Tor Browser

Assuming that you have already installed I2P, the first step to setting up this I2P browser is to download the Tor Browser, extract it, and run it (no installation is necessary). If you don’t have I2P installed yet, stop now and go to the I2P website to download and install it first.
Next, the way that we will configure the browser to work with I2P is through the use of an add-on called FoxyProxy. Using the Tor Browser, navigate to the FoxyProxy page on Mozilla’s website and install the add-on. After doing so, you will be prompted to restart the browser to complete the installation.
After restarting, download this configuration file for FoxyProxy. I’ve mirrored it here to make it accessible, but originally it was the product of KillYourTV. With that downloaded, press CTRL+SHIFT+A, and open the preferences for FoxyProxy. Go to File > Import Settings, on the Preferences panel and import the configuration file that you just downloaded.
This may cause the browser to crash, but after re-opening it FoxyProxy will have a complete rule-set for how it handles traffic such that any requests to either the clearnet (techno-jargon for the regular internet) or to Tor hidden services will travel through the Tor network, but any requests to a domain ending in .i2p will travel through the I2P network. In other words, you are ready to browse I2P.

Security Considerations

While you could start browsing right now, there is one last optional modification you may wish to make. Click the onion on the top left of the Tor Browser and select Privacy and Security Settings.... This will allow you to adjust the security slider. For the utmost security and anonymity on both Tor and I2P, set the security slider to the maximum level, which disables a number of features, such as JavaScript, in favour of security at the cost of usability. Alternatively, select whichever setting you are most comfortable with (I find Medium-High to be a good compromise).

Another quick security consideration to be aware of is that with this setup you are relying on both the anonymity of Tor and I2P. If either is broken, you are at risk of being deanonymized, which could be of little consequence, or of life-altering consequence. If your threat model is towards the latter, this configuration may not be for you. Instead, a dedicated browser that only connects to I2P (not Tor) will be the more secure choice. However, that is outside the scope of this tutorial.

Android Privacy and Security Guide 2016

Smartphones are now at the epicenter of many modern privacy debates. Whether it be the 59 US police agencies spying on phones with Stingray devices, corporations like Symphony boasting about their extensive analytics (tracking) capabilities, or consumer companions like ShopAdvisor trying to coax you into swiping your credit card based on your spatial location in retail outlets, there is certainly no shortage of actors trying to pry crumbs of data from our smartphones.
Some of these tracking mechanisms are impossible to avoid, short of turning off your phone or stashing it into a faraday bag, simply because of the technology's architecture. Yet, there remain a number of steps that can be taken to reduce the amount of private information that is being siphoned off your smartphone.

The Basics

The most important aspects of Android privacy are also, perhaps, the most basic. Fortunately, they're also very simple behavioral adjustments that anyone can make. For example, always read what permissions an app requests before installing the app. Does a calculator really need access to your microphone, files, and hardware identifiers? Probably not, so look for a different one. If you are on the most recent version of Android then you will have some more control over which permissions apps can have, so make sure to use it. Also, don't install porn apps. Really, just don't. They're essentially malware waiting to be installed.
Another simple change is to add a lock screen with a PIN to your phone. Surprisingly, one in three Android users don't use lock screen PINs, leaving their phones vulnerable to anyone who wants to pick them up and peruse them. If you're one of those one-in-three, then drop everything and add one now.

Signal

In a Twitter poll that I sent out when writing this guide, installing Signal was the clear number one choice for Android privacy in 2016. Designed by Moxie Marlinspike's Open Whisper Systems, Signal is a combination of what were previously two separate apps: TextSecure and Redphone. Cryptographer Matt Green once described the quality of Redphone's code by saying, "I literally discovered a line of drool running down my face". Its newer, younger brother is hardly different.
What Signal provides is strongly encrypted text messaging and calling, each of which has what is known as Perfect Forward Secrecy, or PFS. PFS essentially means that if someone, say the NSA, somehow obtains your encryption keys, all your previous conversations will remain secure. Contrast this with systems such as PGP, where stolen keys means exposing every conversation ever encrypted with those keys, and we instantly see how important PFS is in modern cryptography. Additionally, not only does Signal keep your conversations confidential, but it also allows you to authenticate who you're having that conversation with, and does so easily using a simple QR code. All of this is done with almost zero friction, meaning that there's no technical gobbledegook or hoops you have to jump through to obtain privacy; Signal does it all for you. Of course, all of this encryption will only work with other Signal users, so make sure to get your friends off of WhatsApp and on to Signal. If they refuse, however, don't worry, Signal will still send them messages, they just won't be encrypted.
Between its immaculate code quality, the strength of its cryptography, and the ease of use, it's not only me recommending it, it's Edward Snowden.

Full Disk Encryption

Historically, fully encrypting your Android device wasn't always the smoothest process. Today, however, full disk encryption (FDE) on Android is a fairly easy process, and most phones are fast enough that the encryption overhead is barely noticeable.
The benefits of FDE for mobile phones are many, with the most immediate benefit being that all of your data are protected if your phone is lost or stolen. This isn't the same as a lock screen. While a lock screen will inhibit a thief from using the phone, it won't protect all your photos, videos, files, messages, and keys from being easily lifted off the device. This is where FDE kicks in, as so long as you use a strong password, a thief will have no access to any of your personal data.
While every phone is different, the usual way to encrypt an Android device is to first back up important data, and plug the phone into a charger. Next, go to the Settings menu, then Security, and then scroll down and look for "Encrypt Phone". This will take a while, and during the process you don't want to disturb the phone at all, but the end result will be a far more secure device.

Orbot & Orfox (Tor)

If you don't know about the benefits of Tor, then I'd highly recommend reading my Tor vs VPN article. If, on the other hand, you know all about the wonderful magic that is Tor, you know why having it on Android would be a huge benefit to privacy. Not only does it stop snoopers on public WiFi from sniffing your traffic, but it provides you anonymity when browsing the web. Fortunately, Android has two apps that will allow you to carry Tor with you everywhere you go. These are Orbot, which connects you to the Tor network, and Orfox, which is a modified version of Firefox similar to the regular Tor Browser. Unlike Tor on the desktop, however, Orbot allows you to create a VPN connection on the device and route all the traffic from all your apps through Tor, providing what is commonly called 'transparent torification'. You may want to use this option cautiously, however, as some apps may send things like hardware identifiers unencrypted, meaning that Tor exit relays could deanonymize you and steal important and confidential data. If in doubt, stick to Orfox.

A Secured Firefox

The main problems with running Orbot on Android are the extra battery drain, and the data overhead that results from using Tor. As of 2012, this overhead was around 160MB per month in terms of just keeping Orbot connected 24/7, never mind the 38% extra data consumption on web traffic. For those with small phone plans, running Orbot/Orfox only when the anonymity of Tor is really needed might be the best option. For casual browsing, installing Firefox along with a few privacy-preserving add-ons is a more affordable alternative to constantly running Orbot.
Given the limited horsepower of most mobile phones, keeping mobile browsers lightweight is a higher priority than on the desktop. Therefore, I'd recommend installing a limited number of add-ons. Personally, I only deploy two: uBlock Origin and HTTPS-Everywhere.
uBlock Origin is an extremely lightweight adblocker with a number of ad/tracking block-lists to choose from. The reason installing an adblocker is so important is that not only does it block most tracking scripts, such as Google Analytics, but it also blocks the increasing amount of malware that is being embedded into advertisements. The result is that by simply loading a webpage with ads on it, you risk being infected. Thus, I'd recommend putting an adblocker on whatever browser you use, whether you believe in online advertising or not.
After installing uBlock Origin make sure to go to 'about:addons', and tap on uBlock Origin. From here, you can access the Dashboard, which will allow you to do a bit of customization, including turning on more block-lists by going to the '3rd party filters' tab. I'd recommend turning on all the Malware domain lists, as well as all the MultiPurpose lists at a bare minimum.
The second add-on, HTTPS-Everywhere, requires much less setup. Simply install the add-on, and you're done. What it will do for you is make sure that whenever a website offers encryption (https), your browser will use it. It also prevents you from being downgraded from an encrypted site to the unencrypted version, which often happens when links throughout the site point to the unencrypted (http) alternative. If you're unsure of why you'd want to encrypt your web traffic, then give my HTTPS-Everywhere tutorial a read.

All in all, if you start regulating the apps you install, add a PIN to your lock screen, install Signal, Orbot/Orfox, and a few Firefox add-ons, you may not have perfect Android privacy, but you'll at least be out of the ditch.

How to Securely Delete Files on Windows

We've all woken up in the morning and gone to our computer to find a folder created last night after a few drinks, containing 17 years of our tax documents, 47 naked photos, a government leak we were going to send to Julian Assange, and 672 emails to a prostitute named Lynda in New York. Well, maybe not. Nevertheless, secure file deletion is incredibly important. Whether you are trying to delete financial documents, embarrassing photos, or anything else that you don't want someone to find out about, simply hitting the "delete" button doesn't cut it. These days much of our data is stored on laptops, USB flash drives, or portable hard drives, all of which are easily stolen. In fact, if you ever decide to sell any of these devices without properly deleting your files, the buyer could recover the files you thought you had deleted and read them. Secure file deletion goes far beyond a simple delete button, and this tutorial will explain it all!

Why Isn't Just Pressing "Delete" Enough?

Most modern operating systems don't actually "delete" files. Instead, they mark them as deleted. This is because of how modern storage works. When you create a file the operating system creates a 'pointer' to that file so that it can be accessed faster. Similarly, when you delete a file, the operating system merely removes that pointer. This is because of the massive speed reduction that would occur if it were to delete the file itself. To actually delete a file it needs to be overwritten. Think of how long it takes to transfer a large file, such as a movie, from one device to another. The time this takes is usually limited by the "write speed" of your hard drive. Deleting the file would take the same amount of time, as real file deletion is merely a function of writing over top of the deleted file and is limited by the same write speed. This is why Windows, Linux, and Mac operating systems usually just delete the pointer instead of the file itself.
Simply deleting the pointer, however, leaves the file on the hard disk until it is overwritten. This means that you, or someone else with access to your computer, can go back and recover that file. Of course, that is a security disaster if you just had your device full of what you thought were 'deleted' financial documents stolen. It's like taking the name off the folder in a file cabinet, instead of burning the file itself. Of course, there is a solution for this: overwriting.

Secure File Deletion, Myths and Reality

Overwriting a file with random data is what is done to actually delete a file. This is the method used by most 'file shredders', which often do this anywhere from 1 to 35+ times. It's the same idea as using a permanent marker to black out text on a piece of paper; the more times you write over it, the harder it is to read. This idea exploded in 1996 when a man named Peter Gutmann presented a paper showing how simply overwriting something once isn't secure, and instead proposed a method which overwrites files 35 times. This has become the standard of many secure file deletion programs. In fact, you'll probably notice it with the programs I'm going to tell you about later. With modern hard drives, however, its necessity is a myth.

When Gutmann presented the paper, his ideas were based more on theory than on practice. Furthermore, they were based on previous hard drive technology. Recent research, however, has shown that Gutmann's idea that a file needs to be overwritten 35 times to be actually secure (a mentality that has also been accepted by the security industry) doesn't apply anymore. At the Fourth International Conference on Information Systems Security, researchers showed that overwriting a file even a few times with current hard drives caused the file to be unrecoverable. The paper can be found here assuming you have access to the library. Another paper from Stony Brook University cites government deletion standards for top secret documents calling for no more than three overwrites. So to save your hard drive some unneeded work, and to save yourself some time, when using the programs I'm about to describe, don't bother with more than three overwrites.

Windows users have a plethora of options to securely delete files. I'm going to focus on two of them today. The first option is a simple tool called Moo0 File Shredder; an exceptionally strange name for a tool which seems to just work. There are many other programs with extensive feature-sets, however I frequently find myself just going back to Moo0 because of its straight up utilitarian simplicity. It gives you four options: Shred Once, Extra Careful, Into Ashes, and Vaporize. Usually Shred Once should be sufficient. If you have a document that you really want gone, however, go with Extra Careful (or Vaporize if you want to be a paranoid android and have the time, but it's mostly unnecessary). To securely delete a file with Moo0, just drag it from your file explorer to the "Drop Box" on the left. It's that simple.

The next Windows option is CCleaner. CCleaner doesn't just wipe one file specifically, instead it can be used to either wipe all of your temporary files, such as cookies and browser history, or to wipe your "free space". The first option causes the 'Cleaner' tool (a tool you may already use) to overwrite all the files that it cleans instead of just deleting them. To enable this just go into the options menu, then go to settings and select "Secure File Deletion". Again, a one or three pass overwrite is probably sufficient. The second feature of CCleaner is a bit more interesting. What it does is take all the free space on your drive and overwrite it. This means that all the files which you may have simply marked as deleted in the past will be removed. This is a good option to clean up your computer after a history of insecure use. To do this, go into the tools menu, and go down to the drive wiper. Here, select "free space only", and then select the drive you wish to clean up. Then just hit 'wipe' and CCleaner will do its work.

Cracking Openssh

Openssh is one of the biggest ssh systems on the net
this vuln works on all version of openssh on all linux , unix and *bsd systems .
tested on: Freebsd , Centos , Debian(7 n 8) ,Netbsd(in virtual box) , ubuntu and kali
this lets u bruteforce an openssh ssh login , so instead of getting 3 tries u get unlimited tries.
what u need:
1:tor socks
2:one vpn or http proxy
3:an multi threaded ssh cracker with proxy support(like hydra)
4:a target (take someone u dont like or just open a virtual box )
first if u dont got the program 'usewithtor' install it ,
get a wordlist from packetstorm (https://packetstormsecurity.com/Crackers/wordlists)
open 2 terminals and an ssh cracker (use a multithreaded one ) im going to use hydra cuz its fast and got proxy support config hydra with 25 threads, port 22, target ip  , http-proxy and a wordlist.
in the second terminal we are going to use tor to connect to the targets ssh and hold the connection like this:
root@1337desi:~# usewithtor ssh -lroot -oKbdInteractiveDevices=`perl -e 'print "pam," x 10000'` targetip
root@TARGETIP's password:
extras: enum some user to have a bigger attack surface
start the ssh cracker and let it do the work and u should get root

Credit Cards tracks & magnetic strips

There are actually up to three tracks on a card.
Track 1 was designed for airline use. It contains your name and usually your account number. This is the track that is used when the ATM greets you by name. There are some glitches in how things are ordered so occasionally you do get "Greetings Bill Smith Dr." but such is life. This track is also used with the new airline auto check in (PSA, American, etc)
Track 3 is the "OFF-LINE" ATM track. It contains security information as your daily limit, limit left, last access, account number, and expiration date. (And usually anything I describe in track 2). The ATM itself could have the ability to rewrite this track to update information.
Track 2 is the main operational track for online use. The first thing on track to is the PRIMARY ACCOUNT NUMBER (PAN). This is pretty standard for all cards, though no guarantee.
Example of Track1: B4888603170607238^Head/Potato^050510100000000001203191805191000000
Example of Track2: 4888603170607238=05051011203191805191

Usually only track1 and track2 are needed to exploit the ATM card.
Let us examine track1.
Take the Credit Card account number from Track 2 in this example it
is:4888603170607238 and add the letter "B" in the front of the number like
this B4888603170607238 then add the cardholder name YOU want to show on the
card B4888603170607238^Head/Potato^(Last name first/First Name)next add the
expiry date and service code (expiry date is YYMM in this case 0505,and in
this case the 3 digit service code is 101 so add 0505101 ,
B4888603170607238^Head/Potato^0505101
No add 10 zero's after service code:
B4888603170607238^Head/Potato^05051010000000000
Next add the remaining numbers from Track2 (after the service code)
B4888603170607238^Head/Potato^050510100000000001203191805191
and then add six zero's (6) zero's
B4888603170607238^Head/Potato^050510100000000001203191805191000000 this is
your Track 1
Track 1:B4888603170607238^Head/Potato^050510100000000001203191805191000000

REMEMEBER THIS IS ONLY FOR VISA AND MASTER CARD(16digits) , AMEX HAS 14
DIGITS, this doesn't work for Amex

FORMAT FOR TRACK2
CC NUMBER: YYMM (SERVICE CODE)(PVV)/(CVV)
Here is the Fleet's credit track2 dump:
4305500092327108=040110110000426
we see card number, an expiration date, 1011 - service code, 0000 is the place for pvn (but it is absent!), and at least 426 is the cvv (do not mix with cvv2)
Now let's take a look on MBNA's track2 dump:
4264294318344118=04021010000044500000
here we see the same - no pvn's and other verification information -just a cvv.

As clearly shown above it is possible to generate track1 from track2 using the method shown above. However track2 gen software automates the process.