<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Syst(em)</title><link>https://sy.st/</link><description>Recent content on Syst(em)</description><generator>Leet - sy.st</generator><language>en-US</language><managingEditor>Leet (i[a]sy.st)</managingEditor><webMaster>i[a]sy.st (Leet)</webMaster><copyright>© sy.st</copyright><lastBuildDate>Sat, 13 Dec 2025 13:26:11 +0100</lastBuildDate><atom:link href="https://sy.st/index.xml" rel="self" type="application/rss+xml"/><item><title>Privacysteps.org</title><link>https://sy.st/blog/privacysteps/</link><pubDate>Tue, 25 Nov 2025 18:00:35 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/privacysteps/</guid><description>&lt;h1 id="what">What?&lt;/h1>
&lt;p>Privacysteps is my new project whose goal is to educate on all levels of privacy and security protective measures. Its difference from other similar sites is a more &amp;ldquo;gamified&amp;rdquo; and simplified aspect with checkboxes, personal statistics, and case studies.&lt;/p>
&lt;h1 id="why">Why?&lt;/h1>
&lt;p>I found that someone wanting to learn about the steps to protect their privacy only had two choices. Either the very simple guides telling you to install a VPN, pay for an encrypted mail service, and block trackers. The other choice is to read long guides of hundreds of pages that are amazing but require too much effort to be understood by most non-technical people or those with a simpler threat model.&lt;/p>
&lt;p>I got this idea when an investigative book writer close to me showed me his setup. He had one online computer for research and one offline computer for compiling this research and writing his books. While a good setup, he also had many other lower-level security holes that would nullify those efforts. This is when I found that I had no resources to recommend to him for his threat level and technicality.&lt;/p>
&lt;h1 id="when">When?&lt;/h1>
&lt;p>The website is already online but the actual content is still being actively worked on. I encourage you to try it now and give any feedback but don&amp;rsquo;t expect it to be complete. If you have some free time and like the idea you can also contribute by sending content, suggestions, or error reports.&lt;/p>
&lt;h1 id="private">Private?&lt;/h1>
&lt;p>The exact database schema for a user contains only the randomly generated account id, time of registration and font settings. You can also opt to not use an account at all and have your progress stored only in your browser. The site also has no tracking and can be fully used with JavaScript disabled.&lt;/p>
&lt;h1 id="where">Where?&lt;/h1>
&lt;ul>
&lt;li>privacysteps.org&lt;/li>
&lt;li>privstxt6wumq2kelpqjzbky7inyzqu5i4jbc65ixnznb7z5bgsaheid.onion&lt;/li>
&lt;/ul></description></item><item><title>May updates</title><link>https://sy.st/blog/may-updates/</link><pubDate>Tue, 20 May 2025 13:37:00 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/may-updates/</guid><description>&lt;p class="pFirst">
I have been working on a few updates for this website in the last months, and as most of those will not get into the RSS feed, I thought it would be a good idea to write a blog post about them.
&lt;/p>
&lt;h1 id="new-blog-post">New blog post&lt;/h1>
&lt;p>I have written a new blog post about my server. It is meant to be updated over time and is just at its initial phase right now. You can find it &lt;a href="https://sy.st/blog/server/">here&lt;/a>.&lt;/p>
&lt;h1 id="new-gallery-page">New gallery page&lt;/h1>
&lt;p>I have added a new page to display some of my favorite pictures. I just uploaded some recent images I had on disk for now. While a lot more functional with JavaScript, the page also works with JavaScript disabled. You can see its first iteration &lt;a href="https://sy.st/gallery/">here&lt;/a>.&lt;/p>
&lt;h1 id="new-recipes-page">New recipes page&lt;/h1>
&lt;p>I have added a page to display some of my favorite recipes. It is still very early in its development and I cannot guarantee that I will have the motivation to keep it updated. For now it&amp;rsquo;s also only in French, as I don&amp;rsquo;t have the patience to translate the rare recipes I already have in markdown. You can find it &lt;a href="https://sy.st/recipes/">here&lt;/a>.&lt;/p>
&lt;h1 id="new-uses-page">New uses page&lt;/h1>
&lt;p>The &amp;ldquo;uses&amp;rdquo; page seems to be the new trend so I made one &lt;a href="https://sy.st/uses/">here&lt;/a>.&lt;/p>
&lt;h1 id="ps">PS&lt;/h1>
&lt;p>All of those more experimental pages that do not mandate their own header link are listed under the &lt;a href="https://sy.st/links/">links&lt;/a> page.&lt;/p></description></item><item><title>My home server</title><link>https://sy.st/blog/server/</link><pubDate>Mon, 19 May 2025 14:20:00 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/server/</guid><description>&lt;p class="pFirst">
While most choices made for this server make sense to me, it is important to note that I already had some of the hardware, like the motherboard or some disks. That's in part why I use an AMD CPU while an Intel CPU is recommended for my kind of needs.
&lt;/p>
&lt;h1 id="hardware">Hardware&lt;/h1>
&lt;ul>
&lt;li>Disks:
&lt;ul>
&lt;li>2 * Seagate IronWolf Pro 4 TB HDD (ST4000NE001)&lt;/li>
&lt;li>1 * Seagate BarraCuda 4 TB HDD (ST4000DMZ04)&lt;/li>
&lt;li>2 * Crucial BX500 SATA 1 TB SSD (CT1000BX500SSD101)&lt;/li>
&lt;li>YIWENTEC H0101 SATA cable&lt;/li>
&lt;li>M2 to SATA adapter&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Noctua NH-U12S redux&lt;/li>
&lt;li>Ryzen 5 5600G&lt;/li>
&lt;li>Corsair RM650 ATX&lt;/li>
&lt;li>Fractal Design Node 304&lt;/li>
&lt;li>ASRock B450 ITX&lt;/li>
&lt;li>ULANSeN Dual 2.5G pci low profile&lt;/li>
&lt;/ul>
&lt;h1 id="software">Software&lt;/h1>
&lt;p>The OS is Proxmox and everything described below runs in its own KVM virtual machine. In the future I might make this section more precise and list every Docker container and service I run, but for now I&amp;rsquo;m too lazy to do it.&lt;/p>
&lt;ul>
&lt;li>Proxmox
&lt;ul>
&lt;li>Runs on both SSDs in a ZFS mirror&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>OpnSense
&lt;ul>
&lt;li>Every VM containing public-facing services runs through an OpnSense VLAN.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Unraid
&lt;ul>
&lt;li>Runs off a USB key passed through by Proxmox directly to the VM.&lt;/li>
&lt;li>Passthrough of all of the HDDs and 250 GB of SSD for cache&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>3 * Ubuntu Docker VMs
&lt;ul>
&lt;li>1 for reverse proxy / logs aggregation / security services&lt;/li>
&lt;li>1 for publicly hosted services (monero node, dns, &amp;hellip;)&lt;/li>
&lt;li>1 for private services&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Windows 11 VM&lt;/li>
&lt;li>Ubuntu VM&lt;/li>
&lt;/ul></description></item><item><title>Street photography, a privacy nightmare ?</title><link>https://sy.st/blog/street-photography-a-privacy-nightmare/</link><pubDate>Sat, 12 Apr 2025 11:00:55 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/street-photography-a-privacy-nightmare/</guid><description>&lt;h1 id="introduction">Introduction&lt;/h1>
&lt;p class="pFirst">
So I have been into photography for quite some time now, and with a majority of my days spent in cities, I couldn't miss the subject of street photography. To make it simple for the unaware, street photography is the photography of life in an urban setting, from people to architecture.
However, in the street photography sphere, many photographers do not see architecture as street photography. Most seem to define street photography as the photography of people in the streets.
Being a privacy advocate, I, of course, have issues with this idea of street photography. I decided to make this post not only to expose the issues I have with it but also what the solutions could be, with the goal being to open a discussion around this subject. So please email me to discuss this post when you are done reading it and if you have anything to add.
&lt;/p>
&lt;h1 id="expectation-of-privacy-in-public-">Expectation of privacy in public ?&lt;/h1>
&lt;p class="pFirst">
One of the main arguments brought up is that there is no expectation of privacy in public because it is legal, so taking pictures of people without their knowledge or against their will is okay. While from a legal standpoint I'm sure this makes total sense, from a moral one I don't think it does. I also think that hiding a lack of ability to discuss the issue behind a legal standpoint is too easy and not really productive.
Even though in the modern age most people don't care that much about their privacy, I am sure a lot would not like to have a picture of them taken without their knowledge. This can be seen in the growing number of people getting into street photography who post on forums complaining about their photography 'subjects' being mad at them when noticed.
&lt;/p>
&lt;h1 id="taking-advantage-of-specific-moments-or-peoples">Taking advantage of specific moments or peoples&lt;/h1>
&lt;p class="pFirst">
First, I think there is a time and place where this is for sure not adequate. For example, I see a lot of pictures of people in their most vulnerable state. Imagine this: you are in the street, you receive a phone call, you learn that you lost someone close to you, you cry, 2 days later you find out on social media that a photographer took a picture of you crying in the streets and it has 4 gazillion views. I can understand the importance of emotions in photographs, but I do not think the mental impact on the involuntary subject is worth the picture.
I also think some people are at risk by having a picture of them taken and therefore shouldn't be photographed. By that I mean children (just go on random websites where photos are uploaded online and see the views on kids in swimsuits...), protesters or people at the beach for instance.
&lt;/p>
&lt;h1 id="posting-those-pictures-online">Posting those pictures online&lt;/h1>
&lt;p class="pFirst">
There are two different levels of street photography privacy issues. While we have discussed some issues with taking photographs of people, the biggest issue I have is with those pictures being posted online.
&lt;/p>
&lt;h2 id="photographing-protests">Photographing protests&lt;/h2>
&lt;p class="pFirst">
When following forums and content creators in the photography space, most seem to think that taking pictures of people's faces at protests and posting them online is fine. While I am sure that sometimes it adds character to an image, I also think that endangering someone's security, private life, and privacy for views on the internet is obviously wrong.
I also see a lot of photographers saying that protesters should have just worn a mask if they wanted their face to not be seen. To that I would respond that in most countries it is illegal to protest with a mask.
TLDR: Do not make the job of the surveillance police for free please.
&lt;/p>
&lt;h2 id="yes-but-i-cannot-wait-for-everyone-to-get-out-of-the-background">Yes but I cannot wait for everyone to get out of the background?&lt;/h2>
&lt;p class="pFirst">
Was not sure how to name this part, but basically I wanted to talk about pictures you take of a place. You cannot expect to take a picture of the Eiffel Tower without any faces showing up. This is why I think that if someone is in the background of a photo and not in an inadequate situation, it is okay to take the picture. Even then, I would prefer for a picture of myself in the background not to be posted online, but I would not be mad about it because, sadly, people HAVE to post pictures online nowadays.
&lt;/p>
&lt;h2 id="buuut-there-are-cameras-everywhere">Buuut, there are cameras everywhere?&lt;/h2>
&lt;p class="pFirst">
Sadly there are. However, I like to believe that most security personnel do not like to capture and publish what the cameras see and that most cameras are not accessible online. This is also a reason the difference between taking pictures and posting them online is very important.
&lt;/p>
&lt;h2 id="uploading-to-the-cloud">Uploading to the cloud&lt;/h2>
&lt;p class="pFirst">
Even if the photos are not posted online, most photographers will back up their pictures to the cloud of their favorite phone or computer maker without any kind of client-side encryption. This means that pictures of you could be used to profile you, your movements, and your interests, and to train AIs, without any way for you to know.
&lt;/p>
&lt;h1 id="but-journalism">But journalism&lt;/h1>
&lt;p class="pFirst">
This argument is the only one I can't really find any counterargument to. The most famous pictures have what I warned against before. Some have kids, some protests, some vulnerable moments, some death, and some all of those. Those pictures without those elements would not mean anything and for sure would not have had the same effects on the world. Also, for those pictures to become what they became and have the impact they had, they had to be shared in public, so not posting them online is not really an option.
When I think of that, I think of the "Napalm Girl" picture. This picture is everything I do not want in a picture: a suffering and naked child. However, it is also what makes this picture what it is.
I don't think most of the photographs I see online that are against the points I made before are anywhere near journalism, and most are for sure just for the views, for shocking's sake, or rage bait. However, I don't think limiting photojournalism to people with an accreditation should be done either. That's why I don't have anything to say against this argument; I think it is valid, just not applicable for most of the photographers I have an issue with.
&lt;/p>
&lt;h1 id="how-to-do-it-morally-from-my-point-of-view">How to do it morally (from my point of view)&lt;/h1>
&lt;p class="pFirst">
I understand that asking someone before taking a photograph of them can lose the moment and character of a picture. However, I do think that, at least after taking the picture, the subject should be told about it and asked if they are okay with it or if they prefer you to remove it. I know a lot of people might not do this because of a fear of being confronted, but as I said before, if you can't handle someone being mad or creeped out that you took a picture of them without asking first, maybe you shouldn't be doing street photography.
Also, in most cases, I think the main problem is not really taking the picture (as long as those are adequate photos). The main issue is posting those pictures online for everyone (including AI and social media companies) to see.
In some cases, for example during a protest, I would also blur or remove people's faces (warning: the blur has to be done right for it to serve a real purpose, do your own research). I don't think the face is the subject of a protest photograph most of the time anyway. Plus, this might even add some character to your images.
&lt;/p>
&lt;h1 id="discuss">Discuss&amp;hellip;&lt;/h1>
&lt;p class="pFirst">
This post was made in an attempt to write down my chain of thoughts, and I will change this post as my position does. I also hope to develop my thinking with your help. If you have anything to add or something you are in disagreement with, please email me (I can quote you on this post).
&lt;/p></description></item><item><title>How to secure a laptop at a hardware level</title><link>https://sy.st/blog/secure-laptop/</link><pubDate>Tue, 25 Mar 2025 13:37:00 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/secure-laptop/</guid><description>&lt;h1 id="introduction">Introduction&lt;/h1>
&lt;p class="pFirst">
So, I was waiting for Stalker 2 to download (154 GB, btw—WTF!) while ADHD kicked in, and I had a new idea. I had an old laptop lying around that I wanted to do something with. This is when I got the idea of trying to make it as private and secure as possible.
I already have some experience with privacy-focused operating systems, having used both Qubes OS and Tails. Now, I wanted to explore what I could do at the hardware level to upgrade my old laptop's security.
The goal of this post is to create a simple guide on how to set up a cheap and old laptop that could be thrown out without fear in the most secure way possible. However, this is still an entry-level guide. There is no need to flash a new BIOS or solder anything. The goal is to keep it simple. I plan on doing a more advanced and detailed guide later on, but this one has been sitting in my draft folder for too long.
In this guide, we’ll mostly go from one hardware component to the next, thinking about what we can do to improve security at each step.
&lt;div class="callout">
&lt;div class="callout-inner">
💡 Disconnect the battery first
&lt;/div>
&lt;/div>
&lt;/p>
&lt;h2 id="removing-the-disk">Removing the disk&lt;/h2>
&lt;p class="pFirst">
So when thinking about the disks, I think there are three choices:
- Security: Remove the disk entirely from the laptop and operate the OS from an external disk or USB drive.
- Deniability: Keep the disk in the laptop but install only random, non-sensitive files and programs. Avoid using it for your "secure" operating system.
- Simplicity: Use the integrated disk as the main operating system disk while using full disk encryption.
For my specific use case and threat level, I chose to remove the disk entirely for the following reasons:
1) If I want a disposable laptop, I don’t want to have to reinstall the disk setup every time (as in Setup 2 or 3).
2) I do not want to take any chances with logs or data being saved on the disk (as in Setup 2).
3) My laptop, like most laptops, only has space for SSDs, and files on SSDs are notoriously hard to fully erase.
This means that we will need to use an operating system installed on an external USB drive, disk, or SD card. But first, if this is your only computer, you might want to install your operating system of choice on the external disk. For that I would recommend the official Tails guide [here](https://tails.net/install/index.en.html) or the Qubes OS guide [here](https://www.qubes-os.org/doc/installation-guide/). See the later chapter "OS choice" for which OS I chose and why.
Certain laptops might have the disk soldered to the motherboard, in which case this is out of the scope of this simple tutorial, as I don't have any such laptops to experiment with.
If that is not the case, then you probably just have to open the back of your laptop and remove the disk. How it looks will depend on the type of disk inside. For me there was only a 2.5-inch disk that was easily removed.
&lt;/p>
&lt;h2 id="removing-the-camera-and-microphone">Removing the camera and microphone&lt;/h2>
&lt;p class="pFirst">
Most laptops have the microphone and webcam wired together. In my case, I just had to remove the screen bezel by slipping something between the screen and the back of the laptop. After that, I found myself lucky because the mic and webcam could be disconnected with a simple ribbon cable removed on the top of the screen. If yours is not like that you could either try to find the cable on the motherboard to disconnect it or straight up cut it.
As an alternative, if you want a simpler way to do it, you might be able to disable both the webcam and the mic in your BIOS. In my most modern laptop I do have this as an option. This is not that bad as an alternative, because one would need access to your BIOS to be able to reactivate the mic and webcam, which seems pretty secure to me.
Also, if you remove your mic, you might want to also remove/disconnect your speakers. Those could technically be used as microphones. This is only if you have an extreme threat level; for most people I don't think this should be a threat.
&lt;/p>
&lt;h2 id="os-choice">OS choice&lt;/h2>
&lt;p class="pFirst">
Here I have two main choices I would consider if your goals are security and privacy:
- Tails -> Ideal when you want to leave no trace after use
- Qubes OS -> Easier to use for complicated tasks and ideal if you want to keep your configuration, apps, and files after a reboot. However, Qubes OS requires a laptop with a significant amount of RAM (at least 16GB) due to its use of virtual machines. While RAM is cheap nowadays, your old laptop CPU might not support adding a lot of RAM. If you choose Qubes OS, you might want to consider using one of those expensive, purpose-built laptops from brands like Purism, NovaCustom, or System76, which often come with Intel ME disabled.
For a more detailed breakdown of these two operating systems, I would advise doing your own research, as they are quite opposite in how they work, the objectives they pursue, and the threat models they serve.
&lt;/p>
&lt;h2 id="anti-tempering">Anti-Tempering&lt;/h2>
&lt;p class="pFirst">
I will explore here some methods that can be used to protect your laptop from being opened or at least warn you if it happens. This can prevent unauthorized modifications or backdoors from being installed on your laptop while it is away.
The most common method, which even [some](https://novacustom.com/fr/anti-sabotage-pour-les-ordinateurs-portables/) laptop manufacturers now provide as an option, is to paint the screws of your laptop with glitter. Each glitter pattern is completely unique and cannot be reproduced, making it a simple and trustworthy visual indicator of compromise. However, the downside of this method is that it makes opening the laptop more difficult in the future.
To make hardware modifications and routine hardware checks easier, you might want to try a different approach. I believe a better way to do it is to follow Mullvad's recommendation, [here](https://mullvad.net/fr/help/how-tamper-protect-laptop), which involves putting stickers over the screws and then painting the borders of those stickers with glitter. This approach makes tampering with your laptop easier to detect while still allowing for easier access when needed.
After applying the glitter, you should take high-definition, top-down photos of each screw. These photos should then be cryptographically signed. This allows you to compare the original images with the current state of the screws to check for any signs of tampering. You can do it visually or use a tool such as [mine](https://github.com/j3/Glitter-Tampering-Detection) (warning: github link).
Doing this could have, as an example, protected Snowden and Wikileaks conversations from being monitored by the CIA (probably); here is an article about it: [CryptoPhone implant](https://www.cryptomuseum.com/crypto/gsmk/ip19/implant.htm).
&lt;/p>
&lt;h2 id="wifi-and-bluetooth">Wifi and Bluetooth&lt;/h2>
&lt;p class="pFirst">
For more advanced threat levels, I would also recommend removing the Wi-Fi and Bluetooth cards from your laptop and using only Ethernet, with or without an external router. Bluetooth is a significant source of vulnerabilities. While Wi-Fi vs. Ethernet can be more of a SIGINT consideration, it’s worth noting that Wi-Fi MAC addresses can be, and often are, spoofed by operating systems. In contrast, I believe it is much more difficult to change the identifiers of an Ethernet card.
&lt;/p>
&lt;h2 id="kill-switch">Kill-Switch&lt;/h2>
&lt;p class="pFirst">
If you are using Tails, you will only need a lanyard for this step. If you are using a disk with Qubes OS, you might need both a lanyard and a USB key. Simply plug your USB key into your computer and attach it to the lanyard. If you are running Linux, you can easily create a small script (or use one from GitHub) that will shut down your computer and encrypt the persistence when the peripheral is removed. The lanyard ensures that if you are forcibly separated from your computer, the computer will automatically shut down, keeping your disks encrypted at rest and/or losing persistence in the case of Tails.
&lt;/p></description></item><item><title>Darknetlive.com full archive (.md)</title><link>https://sy.st/blog/darknetlive-archive/</link><pubDate>Tue, 19 Nov 2024 13:00:37 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/darknetlive-archive/</guid><description>&lt;p class="pFirst">
On the 26th of February 2024 the darknet market Incognito Market exit scammed and extorted its vendors. Not long after, its admin Lin Rui-siang AKA Pharoah got arrested [article](https://archive.is/VLOTx) because of his terrible opsec. I don't care that much about this story (as funny as it is); however, the problem is that Pharoah also bought and took control of darknetlive before his downfall.
&lt;/p>
&lt;p>Darknetlive was an awesome resource with a lot of articles and history about the darknet (730 articles to be exact). When the exit scam occurred I knew darknetlive would probably not survive, so I made this archive.&lt;/p>
&lt;p>The files are named page_x_clicked_y.md, x being the page number and y being the number of the article on said page (there were 1-5 articles per page). Each file contains the title of the article, some metadata about the article (time to read, publish date, tags and amount of words) and its content.&lt;/p>
&lt;p>As of now I am pretty certain darknetlive will not come back up anytime soon so I uploaded the link to the archive here: &lt;a href="https://sy.st/archive/data/DarknetLive_Archive.zip">link&lt;/a>.&lt;/p></description></item><item><title>Decrypting Proton Privacy Policy</title><link>https://sy.st/blog/decrypting-proton-privacy-policy/</link><pubDate>Tue, 27 Aug 2024 13:00:37 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/decrypting-proton-privacy-policy/</guid><description>&lt;h2 id="introduction">Introduction&lt;/h2>
&lt;p>If you read some of my posts on this website you might have seen that I like Proton. However, every now and then, there is a new controversy about Proton handing out data to feds. My take on that is that people should be more careful with their opsec and try to understand why Proton needs some data unencrypted, and which data.&lt;/p>
&lt;p>However, to be fair, Proton has also not really been open about this: they have a Privacy Policy for each of their services with walls of text. That&amp;rsquo;s why I wanted in this article to present the metadata they collect in a simpler way.&lt;/p>
&lt;p>PS: For this article we will concentrate on a &amp;ldquo;basic&amp;rdquo; Proton account meaning not using any insecure extra features like easy-switch, referral, chat support, scribe, in order to keep it simple.&lt;/p>
&lt;h2 id="proton-account">Proton Account&lt;/h2>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Email address&lt;/th>
&lt;th>Verification Email&lt;/th>
&lt;th>Verification Phone number&lt;/th>
&lt;th>IP&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;a href="mailto:anon@pm.me">anon@pm.me&lt;/a> or &lt;a href="mailto:anon@gmail.com">anon@gmail.com&lt;/a>&lt;/td>
&lt;td>&lt;a href="mailto:verifemail@gmail.com">verifemail@gmail.com&lt;/a>&lt;/td>
&lt;td>+1 3370000&lt;/td>
&lt;td>Depends (read below)&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>They state in their privacy policy that both the email and the phone number used for verification or account recovery are stored hashed. Hashing is a one-way function that, given the same parameters and the same input, always gives the same result. This means that it can be brute forced by feds. Proton has also already been found giving those out as the result of a court order. To make it clear, I left them in clear text in the table.&lt;/p>
&lt;p>By default, IP logs are not kept. However, they might be in those cases:&lt;/p>
&lt;ul>
&lt;li>Combat abuse and fraud (this is extremely vague)&lt;/li>
&lt;li>Are engaged in activities that breach our terms and conditions (extremely vague too, is this malicious at this point ?)&lt;/li>
&lt;li>If you enable authentication logging for your Account&lt;/li>
&lt;li>If you voluntarily participate in Proton&amp;rsquo;s advanced security program&lt;/li>
&lt;li>If they receive a court order they will turn on IP logging on your account&lt;/li>
&lt;/ul>
&lt;h2 id="proton-mail">Proton Mail:&lt;/h2>
&lt;h3 id="about-an-email">About an email&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>sender and recipient email addresses&lt;/th>
&lt;th>IP of sending server&lt;/th>
&lt;th>attachment names&lt;/th>
&lt;th>message subject&lt;/th>
&lt;th>message sent and received times&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;a href="mailto:jane.doe@pm.me">jane.doe@pm.me&lt;/a> to &lt;a href="mailto:anon@pm.me">anon@pm.me&lt;/a>&lt;/td>
&lt;td>8.8.8.8&lt;/td>
&lt;td>pdf for John Doe.pdf&lt;/td>
&lt;td>Hi John Doe, I hope no one found your real name yet:):):)&lt;/td>
&lt;td>2024-04-20 07:13:37 and 2024-01-69 07:15:35&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;p>This is a lot of information that can be used, but this is also pretty much the minimum of information they need unencrypted in order to be able to process an email with their implementation of PGP.&lt;/p>
&lt;p>PS: Email content, if sent unencrypted to a Proton Mail address, is processed unencrypted by Proton Mail (to encrypt it but also to check for spam). They claim to never store it on disk, but this is a limitation of email that has to be known. It also seems that Proton is sending some email metadata to Spamhaus for spam detection, which means that some information about your emails is sent to Spamhaus (a company that can be hated for a lot of reasons).&lt;/p>
&lt;h3 id="about-an-email-account">About an email account&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>number of messages sent&lt;/th>
&lt;th>amount of storage space used&lt;/th>
&lt;th>total number of messages&lt;/th>
&lt;th>last login time&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>135&lt;/td>
&lt;td>2.56 GB&lt;/td>
&lt;td>1265&lt;/td>
&lt;td>2024-04-20 01:33:07&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="proton-drive">Proton Drive&lt;/h2>
&lt;h3 id="about-a-file">About a file&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>size of the encrypted file&lt;/th>
&lt;th>file/folder creation and modification times&lt;/th>
&lt;th>permissions&lt;/th>
&lt;th>username of uploader&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>2.6 GB&lt;/td>
&lt;td>2024-04-20 01:33:07&lt;/td>
&lt;td>Edit&lt;/td>
&lt;td>&lt;a href="mailto:jane.doe@pm.me">jane.doe@pm.me&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="about-a-shared-file">About a shared file&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>size of the encrypted file&lt;/th>
&lt;th>file/folder creation and modification times&lt;/th>
&lt;th>permissions&lt;/th>
&lt;th>username of uploader&lt;/th>
&lt;th>last access time&lt;/th>
&lt;th>number of times accessed&lt;/th>
&lt;th>creator&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>2.6 GB&lt;/td>
&lt;td>&lt;/td>
&lt;td>Edit&lt;/td>
&lt;td>&lt;a href="mailto:jane.doe@pm.me">jane.doe@pm.me&lt;/a>&lt;/td>
&lt;td>2024-04-20 01:33:07&lt;/td>
&lt;td>13&lt;/td>
&lt;td>&lt;a href="mailto:jane.doe@pm.me">jane.doe@pm.me&lt;/a>&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="proton-calendar">Proton Calendar&lt;/h2>
&lt;h3 id="about-an-event">About an event&lt;/h3>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>event start and end time&lt;/th>
&lt;th>time zone&lt;/th>
&lt;th>repetition rule&lt;/th>
&lt;th>event creation&lt;/th>
&lt;th>last event update&lt;/th>
&lt;th>event status&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>2024-04-20 01:33:07 to 2024-04-20 02:33:07&lt;/td>
&lt;td>Europe/Zurich&lt;/td>
&lt;td>Repeat Weekly&lt;/td>
&lt;td>2024-04-10 13:33:07&lt;/td>
&lt;td>2024-04-11 14:09:00&lt;/td>
&lt;td>active&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h2 id="proton-vpn">Proton VPN&lt;/h2>
&lt;p>There is not much information on what is collected. If we trust their privacy policy, it means that they keep no log of any action. However, payment and account data are still collected (see below).&lt;/p>
&lt;h2 id="proton-pass">Proton Pass&lt;/h2>
&lt;h3 id="about-an-entry">About an entry&lt;/h3>
&lt;p>Everything seems to be encrypted except alias email addresses. This means that, through a breach or a court order, a bad actor could get all the alias emails for every website you registered on (and link them easily, because the default alias generation adds the website URL at the start).&lt;/p>
&lt;h2 id="proton-wallet">Proton Wallet&lt;/h2>
&lt;p>All of your TXIDs, wallets, exchange rates for transactions and even the notes you wrote are saved unencrypted. You are also limited in the number of wallets you can create, with a limit of two wallets and 4 addresses. It is also stated in their privacy policy that they may use the data they have (everything) to track fraud at their discretion (do they check the TXIDs with chain analysis firms? This is not clear, but not denied either). &lt;strong>There is no privacy in any way there.&lt;/strong>&lt;/p>
&lt;p>PS: There are external services to buy, sell and exchange crypto on Proton Wallet. If you want privacy I would advise against using those; check orangefren, trocador or kycnot.me for KYC-free options instead.&lt;/p>
&lt;h2 id="payment">Payment&lt;/h2>
&lt;p>Proton Mail has always had a problem with payment methods. You cannot pay in Monero or any other privacy coin for that matter. Even their Bitcoin payment option (which is not private in any way unless made using mixers, coinjoins, etc.) is managed by a third party.&lt;/p>
&lt;p>If you pay with a credit card, your payment information will be sent to a third party but not your account information (does this work with a TXID only? It is not clear how your transaction and account are linked). The last 4 digits of your credit card are saved.&lt;/p>
&lt;h2 id="ios-and-android-apps">IOS and Android apps&lt;/h2>
&lt;ul>
&lt;li>Analytics and statistics using external services (e.g. &lt;a href="http://fabric.io/">fabric.io&lt;/a>).&lt;/li>
&lt;li>Crash reporting via Play Store app statistics, App Store app statistics, or self-hosted (Sentry).
It is not stated in the Privacy Policy, but you should be able to deactivate both the analytics and the crash reporting in the app settings.&lt;/li>
&lt;/ul>
&lt;h2 id="others-considerations">Others considerations&lt;/h2>
&lt;ul>
&lt;li>Backups from all of Proton services are kept for up to 30 days.&lt;/li>
&lt;li>I wouldn&amp;rsquo;t expect the fact that they only accept Swiss court orders to protect anyone; those do not seem too hard to obtain (&lt;a href="https://proton.me/legal/transparency">Proton transparency page&lt;/a>).&lt;/li>
&lt;li>Proton employs a local installation of self-developed analytics tools. Analytics are anonymized whenever possible and stored locally. &lt;em>It is very unclear what they collect, when and how.&lt;/em>&lt;/li>
&lt;li>They use external CDN(s) (like &lt;a href="https://cloudinary.com">https://cloudinary.com&lt;/a> for their landing page). Those might collect your information too.&lt;/li>
&lt;li>SimpleLogin and Proton Pass are not hosted on Proton-owned servers and infrastructure but rather on rented/owned servers in external data centers.&lt;/li>
&lt;/ul>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p>Most of the data collected by Proton is data that needs to be collected in order for their services to work. However, there is also a lot of data that, for a privacy service, should not be collected (like billing details, recovery/verification email address and phone number, and IP addresses).&lt;/p>
&lt;p>Wallet, their last product, seems to offer no benefit and even be a really bad way to use bitcoin as it will link your crypto payments, transactions and balance to your other accounts (email, pass, drive, etc).&lt;/p></description></item><item><title>I am moving...</title><link>https://sy.st/blog/sy-dot-st/</link><pubDate>Tue, 09 Jul 2024 11:00:55 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/sy-dot-st/</guid><description>&lt;h1 id="alert-">Alert !!!&lt;/h1>
&lt;p class="pFirst">
The domain for this website has been changed to sy.st. For now, the old domain redirects to this one, so you shouldn't even notice it. However, I may take the old domain down soon. Therefore, I recommend changing the domain on your favorite RSS reader if you still want to read my rants.
&lt;/p>
&lt;h1 id="why-">Why ?&lt;/h1>
&lt;p>Why sy.st?&lt;/p>
&lt;p>Syst = system; that sounds cool, right? I also always liked short domains. To fully use this domain I might make some services I have been hosting for myself publicly accessible, like privacy frontend proxies, DNS, Tor nodes, &amp;hellip;&lt;/p>
&lt;p>Why .st?&lt;/p>
&lt;p>.st is the TLD of Sao Tome. It is just like every other TLD, except it is operated by Bahnhof. Bahnhof is a hosting provider and one of the largest ISPs in Sweden. They have hosted Wikileaks and The Pirate Bay in the past and have a reputation for protecting their customers&amp;rsquo; free speech and privacy in multiple instances (see their Wikipedia page). While it may seem like an unusual way to choose a TLD, that&amp;rsquo;s just how my mind works.&lt;/p></description></item><item><title>Full archive of a discord about forensics for LE and spyware companies</title><link>https://sy.st/blog/dfir-discord-archive/</link><pubDate>Thu, 04 Jul 2024 14:20:00 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/dfir-discord-archive/</guid><description>&lt;p class="pFirst">
So, about a month ago, I was browsing Twitter, Xitter, or whatever, and I saw the Graphene OS account discussing a Discord server named DFIR that they had been on before being banned. This Discord server only accepts members who are active law enforcement personnel, forensic students, or representatives of forensic products (such as Cellebrite and similar spyware companies). Naturally, when something is restricted, I want to see it. After searching more of Graphene OS's tweets about the server, I discovered that due to the way they set up their permissions, you could access the Discord server's content without joining it. Instead, you could use Discord's discovery feature.
&lt;/p>
&lt;p>Unable to read the messages at the time, I had to find a way to archive the server without being able to join it. I was able to do so by using a little JavaScript code in the browser. This post exists to share the data I obtained so you can maybe learn some interesting techniques and countermeasures from it (educational purposes only). Here is the data unformatted, available in .xlsx format, organized by categories and channels.&lt;/p>
&lt;p>&lt;a href="https://sy.st/archive/data/digital_forensics_discord.zip">Link&lt;/a>&lt;/p>
&lt;p>PS: My GPT lawyer advised me to make it clear that this data was publicly accessible and that I&amp;rsquo;m nowhere near the US.&lt;/p></description></item><item><title>Privacy and security implications of using a custom domain for email</title><link>https://sy.st/blog/email-custom-domain/</link><pubDate>Thu, 04 Jul 2024 13:37:00 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/email-custom-domain/</guid><description>&lt;h2 id="introduction">Introduction&lt;/h2>
&lt;p class="pFirst">
Continuing my series of posts on email privacy and security, I wanted to discuss the second piece of advice offered by many people: having a custom domain for personal email. I will focus only on using a domain for everyday email or as an alias domain. Spoiler: I do believe custom domains have their applications for business or branding purposes (such as I have with my blog domain).
&lt;/p>
&lt;h2 id="privacy">Privacy&lt;/h2>
&lt;h3 id="correlation">Correlation&lt;/h3>
&lt;p class="pFirst">
To begin, if you've ever done even a little bit of OSINT, you know that you can search for all accounts linked to a specific email address. This is one of the primary reasons why you might choose to use email aliases for every different website on which you register an account.
&lt;/p>
&lt;p>However, while you can search for a specific email address on those websites, most of them also let you search by domain (&lt;em>examples include the biggest ones, such as dehashed, leakcheck, snusbase, etc.&lt;/em>). This means that if you are the only one using a particular domain, even if you are using it for aliases, you are linking all of your accounts through the data point of your domain.&lt;/p>
&lt;h3 id="kyc">KYC&lt;/h3>
&lt;p class="pFirst">
The second privacy concern is that if you do not want your domain to be locked (which you obviously don't want if you are using this domain for your accounts), you will need to comply with ICANN registration terms. The main issue here is that you will have to complete a KYC and give all of your personal information in order to register your domain. You could input fake information, but you would take the risk of having your domain locked.
&lt;/p>
&lt;p>This issue can be addressed by using certain services like njal.la that register domains for you (which is what I use for this site), but you are still trusting one more intermediary than if you used your email provider&amp;rsquo;s domain. Nowadays, most registrars also offer WHOIS privacy services for free. However, as with every website, there is always a risk of a data breach, so I wouldn&amp;rsquo;t trust them with my personal information.&lt;/p>
&lt;h2 id="security">Security&lt;/h2>
&lt;p class="pFirst">
First, if your domain gets stolen, it is unlikely that you will get it back, and if you do, your registrar may not be very secure (because anyone could make a fake ID and get your domain). On the other hand, your email provider has their domain registered by their company and has access to all the lawyers and public attention they would need to get their domain back in a matter of minutes.
&lt;/p>
&lt;p>Secondly, even if you set an alert for your domain&amp;rsquo;s expiration, you might forget and lose your domain. However, this is not really an issue if you are organized (this is an issue for me).&lt;/p>
&lt;h2 id="more">More&lt;/h2>
&lt;p class="pFirst">
Using a custom domain can make you appear like a business or a serious person, which might be beneficial, but it could also make you seem strange and get your accounts locked on some services.
&lt;/p>
&lt;p>Domain prices change, and the biggest problem is that once you have paid for a domain and used it for your accounts, you will likely need to keep it indefinitely if you want to keep your old accounts secure, because someone could social engineer their way into your account using an old email address it was registered with. So, if one day you can&amp;rsquo;t afford it, or forget about it, you might give someone access to all of your accounts.&lt;/p>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p class="pFirst">
My conclusion, like most of my posts (I know I am a little bit negative on this blog), is that this is not the best solution if you want to increase your privacy and/or security. However, using a custom domain might be convenient because if your email provider shuts down, you can easily move to another one. But if you choose an email provider with a good track record, this shouldn't be a significant concern. Custom domains are also useful for creating more professional-looking email addresses.
&lt;/p>
&lt;p>As always, I am more than happy to discuss my thoughts with anyone. If you have any arguments that I may have missed (which I’m sure there are plenty, as I wrote this in under 15 minutes after reading another Reddit post), I would appreciate hearing them. Thanks for reading:)&lt;/p></description></item><item><title>My 1 year experience of using GrapheneOS</title><link>https://sy.st/blog/my-1-year-experience-of-using-grapheneos/</link><pubDate>Sat, 06 Apr 2024 10:00:10 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/my-1-year-experience-of-using-grapheneos/</guid><description>&lt;p>PS: I first made this script in the hope of making a video out of it to attract the interest of more peoples into phone privacy and GrapheneOS. However, due to a lack of time and motivation I don&amp;rsquo;t think I will be making this video anytime soon so I decided to publish it here.&lt;/p>
&lt;h2 id="what-is-graphene-os-">What is graphene OS ?&lt;/h2>
&lt;p class="pFirst">
GrapheneOS is a fork of AOSP (Android) focused on privacy and security. It was originally started by Daniel Micay in 2014 and is now being developed by the community thanks to donations.
&lt;/p>
&lt;h2 id="why-did-i-install-graphene-os-">Why did I install Graphene OS ?&lt;/h2>
&lt;p class="pFirst">
I have been in the cybersecurity field for a long time and this is what made me realize how important privacy and security really are. I would consider myself quite a paranoid individual and this is why, when I needed to change my phone, I decided to buy a Pixel 6 and use GrapheneOS.
&lt;/p>
&lt;h2 id="installing-graphene-os">Installing Graphene OS&lt;/h2>
&lt;p class="pFirst">
The biggest caveat with GrapheneOS is that it can only be installed on Pixel phones, because the security requirements and the OEM unlocking that GrapheneOS needs are only available on Pixel devices. Also, since the GrapheneOS developers follow Google's security updates, a recent Pixel is preferable (they still ship updates for older phones for now).
&lt;/p>
&lt;p>However, once you have your Pixel phone in your possession, it is really easy to install GrapheneOS. Just go to their web installer, click the buttons you are asked to click, and you should be set in under half an hour.&lt;/p>
&lt;h2 id="post-install--software">Post-install + Software&lt;/h2>
&lt;p class="pFirst">
Now that you have installed GrapheneOS you will be greeted by a surprisingly clean and unbloated home page by modern standards. It can even be a little disorienting at first.
&lt;/p>
&lt;p>That&amp;rsquo;s why we will be installing some essentials right away. However, I first have to explain how Google Play Services works in GrapheneOS. GrapheneOS treats Google apps as normal apps, so you can manage their permissions and uninstall Google Play Services, Google Play Store, etc., and they are not installed by default.&lt;/p>
&lt;p>Without Google Play Services, you might not receive notifications, be able to install the Play Store, etc. However, most of these problems can be addressed using certain apps.&lt;/p>
&lt;p>After every installation of GrapheneOS, my essential apps are:&lt;/p>
&lt;ul>
&lt;li>Aurora Store to use the app store without any Google account.&lt;/li>
&lt;li>F-Droid to download open-source apps, most of which do not need Google Play Services for notifications.&lt;/li>
&lt;li>Proton suite to replace the email, calendar, drive and photo backup apps.&lt;/li>
&lt;li>Signal + Threema to replace SMS.&lt;/li>
&lt;li>Read You for rss feeds&lt;/li>
&lt;li>Obsidian for note taking&lt;/li>
&lt;li>Syncthing to backup files to my server&lt;/li>
&lt;/ul>
&lt;h2 id="positives">Positives&lt;/h2>
&lt;p class="pFirst">
We talked briefly about what benefits GrapheneOS could offer, but I wanted to give some of the ones I prefer that might speak more to you.
&lt;/p>
&lt;p>First and foremost, GrapheneOS goes a long way to reduce the attack surface of your mobile device with features such as improved sandboxing, storage scopes, PIN scrambling, &amp;hellip;&lt;/p>
&lt;p>Secondly, GrapheneOS also allows much more privacy by removing all Google services and applications by default. It also lets you manage app permissions in much more depth, with the Network permission and individual Storage Scopes for example.&lt;/p>
&lt;p>As a consequence of removing all of this bloat, GrapheneOS appears quite boring and empty to the user, which is quite refreshing to see on a smartphone nowadays.&lt;/p>
&lt;p>It can also be installed really easily via a web browser without even using adb or any other tool, and if you ever have a problem or encounter a bug you can count on the GrapheneOS community to help you.&lt;/p>
&lt;p>To see a detailed list of all of the features of GrapheneOS you can go on the GrapheneOS website to the features page.&lt;/p>
&lt;h2 id="negatives">Negatives&lt;/h2>
&lt;p class="pFirst">
But to be fair, GrapheneOS also has some negatives. The first one is that it needs to be installed on a Pixel device, which limits your choice of phone. However, the Pixel is a really capable device that, excluding the more premium phones, is often seen as the best Android phone for its price-to-performance ratio.
&lt;/p>
&lt;p>The second thing that might be a problem for some is the lack of SafetyNet support. This means that Google Pay and some banking apps will not work on GrapheneOS. I do not use Google Pay and never had any issues with the banking apps I use.&lt;/p>
&lt;p>Keeping a backup of your phone can also be a difficult task on GrapheneOS. I save most of the data I need (photos and documents) on Proton Drive, so this is fine for me. However, I still need to connect my phone to my computer to do a backup every few months.&lt;/p>
&lt;p>Using GrapheneOS you also lack most of the features of a Pixel device running the stock OS, like all of the new AI stuff. I see this as a positive.&lt;/p>
&lt;p>To end with the negatives, there are also some small bugs from time to time, but the GrapheneOS developers are usually fast at fixing these, so you shouldn&amp;rsquo;t run into many of them and if you do, they shouldn&amp;rsquo;t be critical.&lt;/p>
&lt;h2 id="more-ressources">More resources&lt;/h2>
&lt;ul>
&lt;li>&lt;a href="https://wonderfall.space">https://wonderfall.space&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://discuss.grapheneos.org">https://discuss.grapheneos.org&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://grapheneos.org/history">https://grapheneos.org/history&lt;/a>&lt;/li>
&lt;li>&lt;a href="https://grapheneos.org/features">https://grapheneos.org/features&lt;/a>&lt;/li>
&lt;/ul></description></item><item><title>Privacy and security implications of selfhosting your emails</title><link>https://sy.st/blog/selfhosting-email/</link><pubDate>Sat, 18 Nov 2023 11:00:55 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/selfhosting-email/</guid><description>&lt;h2 id="introduction">Introduction&lt;/h2>
&lt;p class="pFirst">
Every time you see someone in search of a way to gain privacy moving their emails from Google to somewhere else and asking where they should move, there are two kinds of responses. First, there are the people who will recommend privacy-respecting email services like ProtonMail, TutaNota, Skiff... Then, there are the people who will just say that you cannot trust these services and that the only good way is to self-host your mail server. I will try to explain why I think this second category is wrong in most if not all situations.
&lt;/p>
&lt;h3 id="security-implication-of-selfhosting-your-email">Security implication of selfhosting your email&lt;/h3>
&lt;p class="pFirst">
The security implications of self-hosting your email server are already listed under every Reddit post of someone talking about it, so I will not go too far into that, but here are the main arguments.
&lt;/p>
&lt;p>The first point is that it is not easy to do; even with the new all-in-one packages like mailinabox you still need some understanding of what you are doing. Then, even if this works, if you forget some basic configuration of your domain or to update your server, you risk being the source of some spam emails and having to restart everything from scratch, with a new IP and domain.&lt;/p>
&lt;p>The second is that if you are using such packages and not installing everything yourself, it is hard to maintain. You need to check your domain reputation, your IP reputation, that everything is up to date and well configured&amp;hellip;&lt;/p>
&lt;p>There is also no E2E encryption by default, so if you want to encrypt your emails you also need to use PGP with everyone. While it is pretty much the same with &amp;ldquo;privacy respecting&amp;rdquo; email services, there are still E2E encryption protocols between their users, and as more and more people in the community are using Proton, it is easier. These services also have encryption at rest using your PGP key, which I haven&amp;rsquo;t seen offered in any email self-hosting solution.&lt;/p>
&lt;h3 id="privacy-implication-of-selfhosting-your-email">Privacy implications of self-hosting your email&lt;/h3>
&lt;p class="pFirst">
The point that is always made against services like Proton is that "they gave an IP to authorities". The thing is, you can't self-host your email server at home (most ISPs block the ports needed) and it adds some security concerns. You will need to host your mail server, or at least a relay, at a hosting provider, which means you are trusting a hosting provider more than these privacy-oriented services that are incentivized to do the best they can to keep their reputation.
&lt;/p>
&lt;p>Maybe you are telling yourself &amp;ldquo;yes but I can encrypt my disks&amp;rdquo;. Without even talking about cold boot attacks (because it&amp;rsquo;s not like you will keep your email server offline), the problem is that every email going in and out of your server is directly connected to your server. It means that you are unique on the network and can be easily wiretapped. More than your mail being wiretapped, it means that every connection made to your server would be too, including you fetching your mails.&lt;/p>
&lt;h3 id="privacy-implication-of-using-a-privacy-respecting-email-provider">Privacy implications of using a &amp;ldquo;privacy respecting&amp;rdquo; email provider&lt;/h3>
&lt;p class="pFirst">
The first one is that you cannot be sure that they do what they say. What if Proton was really a honeypot and the NSA was behind it, as has already been the case with Crypto AG? What if they are not, but a certain offer makes them change? You don't know and will not until it's too late.
&lt;/p>
&lt;p>The second one is metadata: on the internet every packet needs some information to go from point A to point B. This is the case for your emails, with the headers not being hidden when using PGP, but also for your IP address being sent to the server when you access it. While Proton has always had (as far as I can remember) a transparency page stating that they would give out everything they could (pretty much only IP addresses and recovery information) in response to a Swiss court legal request, it maybe was not as clear as people would have liked, which made a lot of people lose trust in Proton.&lt;/p>
&lt;p>The thing is, every point I made here is also true for self-hosting your own email server, if not even more so. Getting your IP address is easier because you are unique on the network. Getting your email metadata is even easier; it just needs access to your physical server or router.&lt;/p>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p class="pFirst">
To conclude, if you are an individual looking for more privacy for your emails, there is only so much you can do and it will never be perfect. You should always refer to your threat model to see what is better for you, but if you don't need an email server for more than sending and receiving a few emails, I don't see any benefit in self-hosting your email server.
&lt;/p>
&lt;p>As always, I am more than happy to discuss my thoughts with anyone. If you have any arguments that I may have missed (which I&amp;rsquo;m sure there are plenty, as I wrote this in under 15 minutes after reading another Reddit post), I would appreciate hearing them. Thanks for reading:)&lt;/p></description></item><item><title>Is Countermail the most secure email service ?</title><link>https://sy.st/blog/countermail/</link><pubDate>Wed, 15 Nov 2023 13:00:37 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/countermail/</guid><description>&lt;h1 id="introduction">Introduction&lt;/h1>
&lt;p class="pFirst">
CounterMail is yet another "encrypted" and "anonymous" email provider. Countermail may be the oldest service of its kind still active, with a domain registered in May 2008 and the service ready in May 2010. However, they are less well-known than their competitors, possibly due to their invite-only registrations, which limit their user base.
&lt;/p>
&lt;figure>
&lt;img src="https://sy.st/img/countermail.png"
alt="Countermail inbox page."
loading="lazy">
&lt;figcaption>Countermail inbox page.&lt;/figcaption>
&lt;/figure>
&lt;h1 id="claims">Claims&lt;/h1>
&lt;p class="pFirst">
They seem to be based in Sweden, but neither the company nor its members are disclosed on their website. The webmail platform is Roundcube (open source), and encryption/decryption occurs client-side using OpenPGP.js. While their main website is behind Cloudflare, the login and webmail are not; the proxy used is hosted at "Adminor" in Sweden. They do not provide a Tor link and require JavaScript for client-side decryption, similar to most services of this type. To register, you need an invite code, and unlike Tuta/Tutanota, there is no wait time, and no phone number is required as is the case with ProtonMail.
&lt;/p>
&lt;p>They claim to only provide email metadata to Swedish authorities after reviewing the requests with their lawyers, which is also claimed to be the case with ProtonMail and Tuta/Tutanota. According to their assertions, the metadata shared in this case would only include email recipients and subjects, which is standard since this information cannot be encrypted with PGP as it needs to be known to the mail server. Additionally, they assert that they do not store nor have the capability to log client IP addresses.&lt;/p>
&lt;h1 id="cons">Cons&lt;/h1>
&lt;p class="pFirst">
There are multiple issues with CounterMail, but the main concern for me is trust. The company and its employees remain hidden, raising questions about who would take accountability in case something goes wrong. There is also a clear lack of communication and updates; the only blog posts are some changelogs with only minor improvements.
&lt;/p>
&lt;p>There are also privacy issues; they lack a Tor domain (which seems unusual for a service of this type), and they do not accept Monero. Unfortunately, the limited acceptance of Monero is a common issue, with Tuta/Tutanota being the only email service that supports Monero through a proxy seller.&lt;/p>
&lt;p>CounterMail also doesn&amp;rsquo;t have any open-source clients. The issue goes further, as they don&amp;rsquo;t even have any client. Even their password manager, named SafeBox, needs to be accessed in the account settings. Not that I would have used it anyway, as it lacks many modern functions.&lt;/p>
&lt;figure>
&lt;img src="https://sy.st/img/safebox.png"
alt="Safebox password manager hidden in the settings."
loading="lazy">
&lt;figcaption>Safebox password manager hidden in the settings.&lt;/figcaption>
&lt;/figure>
&lt;p>They also don&amp;rsquo;t have their own data centers nor even their own IP addresses, which could pose issues as they have less control over their infrastructure compared to, for example, ProtonMail or Tuta/Tutanota.&lt;/p>
&lt;p>The last issues may not be problematic for the majority of people but could be viewed as concerns by others. Firstly, this is an invite-only service, which might seem unusual for a privacy-focused service (though they are not the only ones, and I understand the desire to control access). Secondly, they are relatively expensive, with a price slightly higher than ProtonMail Plus despite offering far fewer features and updates. They also do not offer any free plan (there is only a 7-day free trial).&lt;/p>
&lt;h1 id="conclusion">Conclusion&lt;/h1>
&lt;p class="pFirst">
I'm a firm believer that competition is always a good thing, and every service serves its own purpose. However, it appears that CounterMail is a good service with good intentions, but it has failed to adapt and keep up with the market. The issue is that it seems like something that may have been revolutionary years ago but now, with the plethora of options available, appears a little outdated. However, to be fair, even though they lack many features and I wish they had more control over their infrastructure, they still offer many good security features that other email services do not. I also appreciate that they have remained online for this long, which gives me some confidence in their service.
&lt;/p>
&lt;p>To really conclude, I think that the only matter is that you can&amp;rsquo;t see the server code nor config for all of the services of this type. So you need to trust someone and this choice is personal. I can understand why someone would trust CounterMail more than, for example, ProtonMail, but I don&amp;rsquo;t.&lt;/p></description></item><item><title>Best "Offshore" hosting providers</title><link>https://sy.st/blog/offshore-hosting-test/</link><pubDate>Tue, 24 Oct 2023 13:00:37 +0200</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/offshore-hosting-test/</guid><description>&lt;h2 id="introduction">Introduction&lt;/h2>
&lt;p class="pFirst">
After many years of interest in self-proclaimed "offshore", "resilient", "privacy" and "free speech" hosting providers and some disappointments along the way, I figured out I should conduct some final tests and publish my findings and research. This article is meant to help people who don't have the technical knowledge or the time to research such hosts for their projects but need them.
&lt;/p>
&lt;p>If you want to skip my rambling you can go directly to the results &lt;a href="https://sy.st/blog/offshore-hosting-test/#results">here&lt;/a>.&lt;/p>
&lt;h2 id="philosphy">Philosophy&lt;/h2>
&lt;p class="pFirst">
If you are reading this, you have probably already thought about the question "What should or shouldn't be on the internet?" The things most people would not accept are Terrorism, Child Pornography, incitement of violence, far-right websites, etc. Most of them are debatable, but I think we can all agree that Terrorism and Child Pornography should be disallowed.
&lt;/p>
&lt;p>I will not even talk about how some governments use the word &amp;ldquo;Terrorism&amp;rdquo; to ban and surveil activists. Just think about a far-left or far-right association with some members who engage in &amp;ldquo;violent&amp;rdquo; actions (attacking opposing groups, puncturing tires, etc.) which can be seen as terrorism, as their goal is to create fear. Should the people who have done these actions be called terrorists? Should the websites of these associations be removed from the internet?&lt;/p>
&lt;p>And now, the content: Should the videos of the Christchurch or Annecy terrorist attacks be deleted from the internet? These attacks were labeled as terrorist attacks, but if someone wants to see them or their manifestos, it is not as if it will make them terrorists, right? Should all the content about these attacks be deleted so we can &amp;lsquo;forget&amp;rsquo; and not learn anything?&lt;/p>
&lt;p>We can also use the example of the Christchurch terrorist attack to raise another question. Who should govern the internet? New Zealand banned the attack video and started contacting websites hosting the video to require its deletion. New Zealand&amp;rsquo;s police have no right to declare this content illegal in other territories, but it hasn&amp;rsquo;t deterred them from contacting the providers and administrators of websites hosted abroad. When this is New Zealand, you may get lucky, and your hosting provider may not require you to do anything. But now, imagine the same from the US? The US successfully prosecuted The Pirate Bay administrators in Sweden for a small bit of text called magnets while what they were doing was totally okay in Sweden. The hosting provider of TPB was also prosecuted, so with this example, we can imagine why most hosting providers will not bother to defend the laws of their land for their customers.&lt;/p>
&lt;p>I may have raised more questions than answers, but my point is that hosting providers should not act as judges and executioners when it comes to what content is allowed on the internet. I think that a good hosting provider should give its client the benefit of the doubt when an infraction is not clear (of course, if this is some public Al Qaida recruitment website or a forum to distribute CSAM, it is different). Furthermore, I believe that the law should protect these providers, especially in Europe, rather than prosecute them.&lt;/p>
&lt;h2 id="results">Results&lt;/h2>
&lt;p class="pFirst">
As stated in the introduction, this article was created to assist people with limited knowledge of the discussed topics. If you only want the raw information, here is a comparison I have made for each hosting provider (the requirements for each category are listed below):
&lt;/p>
&lt;table>
&lt;thead>
&lt;tr>
&lt;th>Providers&lt;/th>
&lt;th>free speech&lt;/th>
&lt;th>&amp;ldquo;hate&amp;rdquo; speech&lt;/th>
&lt;th>Countries&lt;/th>
&lt;th>Cryptocurrency&lt;/th>
&lt;th>NO-KYC&lt;/th>
&lt;th>Pornography&lt;/th>
&lt;th>Abortion&lt;/th>
&lt;th>Communism&lt;/th>
&lt;th>Tor Exit Allowed&lt;/th>
&lt;th>Not WHMCS&lt;/th>
&lt;/tr>
&lt;/thead>
&lt;tbody>
&lt;tr>
&lt;td>&lt;a href="https://bahnhof.cloud/">Banhof&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>&lt;/td>
&lt;td>SE&lt;/td>
&lt;td>❌&lt;/td>
&lt;td>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;a href="https://prq.se/">Prq.se&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>SE&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>⭐&lt;a href="https://nicevps.net/">Nicevps&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>CH, NL&lt;/td>
&lt;td>✔️ (XMR accepted)&lt;/td>
&lt;td>✔️ (no email)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;a href="https://flokinet.is/">FlokiNET&lt;/a>&lt;/td>
&lt;td>&lt;a href="https://twitter.com/FlokiNETehf/status/1434829702842171395">❌&lt;/a>&lt;/td>
&lt;td>&lt;a href="https://flokinet.is/user-policy/">❌&lt;/a>&lt;/td>
&lt;td>RO, IS, NL, FI&lt;/td>
&lt;td>✔️ (XMR accepted)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>&lt;a href="https://flokinet.is/user-policy/">✔️&lt;/a>(but not in all locations)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>&lt;/td>
&lt;td>❌&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>⭐&lt;a href="https://www.privex.io/">Privex&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>NL, SE, FI, US&lt;/td>
&lt;td>✔️ (XMR accepted)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>&lt;a href="https://www.privex.io/faq/#which-regions-are-autonomous-regions">✔️&lt;/a>(but not in all locations)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;a href="https://buyvm.net/">BuyVM&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>US, LU&lt;/td>
&lt;td>✔️ (XMR accepted)&lt;/td>
&lt;td>❌ (KYC required on non-crypto payments)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>❌&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;a href="https://1984.is/">1984.is&lt;/a>&lt;/td>
&lt;td>&lt;/td>
&lt;td>❌&lt;/td>
&lt;td>IS&lt;/td>
&lt;td>✔️ (XMR accepted)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>❌&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>❌&lt;/td>
&lt;td>✔️&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;a href="https://cockbox.org/">Cockbox&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>RO&lt;/td>
&lt;td>✔️ (XMR accepted)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>⭐ &lt;a href="https://www.urdn.com.ua/">URDN&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>&lt;/td>
&lt;td>UA&lt;/td>
&lt;td>✔️ (XMR accepted)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>❌&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;a href="https://hostslick.com/">Hostlick&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>NL&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>❌ (don&amp;rsquo;t even accept VPN)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>❌&lt;/td>
&lt;td>❌&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>&lt;a href="https://www.shinjiru.com/">Shinjiru&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>MY, BG, NL, &amp;hellip;&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>&lt;/td>
&lt;td>❌&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>⭐&lt;a href="https://svea.net/">Svea&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>SE&lt;/td>
&lt;td>✔️ (XMR accepted)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;/tr>
&lt;tr>
&lt;td>⭐&lt;a href="https://vps.keff.org/">Keff&lt;/a>&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>SE&lt;/td>
&lt;td>✔️ (XMR accepted)&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;td>✔️&lt;/td>
&lt;/tr>
&lt;/tbody>
&lt;/table>
&lt;h3 id="requierements">Requierements&lt;/h3>
&lt;p>So first, I made a list of requirements I had to label an &amp;ldquo;offshore&amp;rdquo; hosting provider as a good one.&lt;/p>
&lt;ul>
&lt;li>&amp;ldquo;Free speech&amp;rdquo; content:
&lt;ul>
&lt;li>The hosting provider shouldn&amp;rsquo;t censor the customer because they don&amp;rsquo;t think the same way as the customer does.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>&amp;ldquo;Hate speech&amp;rdquo; content:
&lt;ul>
&lt;li>Hosting providers should agree to host any content labeled as &amp;lsquo;hate speech&amp;rsquo; (Nazi, racist, offensive speech).&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Countries:
&lt;ul>
&lt;li>This one is not really a criterion as all of these hosts are in countries that respect, to some extent, freedom. You may still want to choose a different hosting country for your domain name and CDN to be more resilient and one not too far from your user base for low latency.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Cryptocurrency:
&lt;ul>
&lt;li>The hosting provider should accept popular cryptocurrencies. It is better if they accept XMR (it should be the norm for a so-called &amp;lsquo;anonymous&amp;rsquo; provider).&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>NO-KYC:
&lt;ul>
&lt;li>The host shouldn&amp;rsquo;t require/verify any PII or KYC data (address, name, phone&amp;hellip;). The best would be to not even ask for an email or a username.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Pornographic:
&lt;ul>
&lt;li>The host should accept pornographic content (half of the internet is porn, so anyone will probably end up with some on their site if there is user-generated content).&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Abortion:
&lt;ul>
&lt;li>The host should agree to host content promoting abortion up to the point of birth.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Communism:
&lt;ul>
&lt;li>The host should agree to host content promoting communist ideologies.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Tor Exit Allowed:
&lt;ul>
&lt;li>The host should accept to host Tor exit nodes (I find this a good indicator of whether they are really fighting for privacy or just doing marketing).&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Not WHMCS:
&lt;ul>
&lt;li>WHMCS is a CMS for hosting providers that requires PII on every signup, doesn&amp;rsquo;t natively support 2FA, and has proprietary code and plugins. If a hosting provider doesn&amp;rsquo;t have its own panel, I don&amp;rsquo;t think they are really fighting for the privacy, security, and sovereignty of their services and clients.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Bonus: Should give a second chance
&lt;ul>
&lt;li>The hosting provider should try to find a way to resolve issues with the customer before ending their contract.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ul>
&lt;h2 id="conclusions">Conclusions&lt;/h2>
&lt;p>Top &lt;del>3&lt;/del> 5 hosting providers with their issues:&lt;/p>
&lt;ol>
&lt;li>NiceVPS
&lt;ul>
&lt;li>Email required and not cheap.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Privex
&lt;ul>
&lt;li>Email required and a pretty bad panel, but good prices.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>URDN
&lt;ul>
&lt;li>Need to contact them via Telegram or mail.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Svea
&lt;ul>
&lt;li>Need to contact them via Telegram or mail.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;li>Keff
&lt;ul>
&lt;li>Need to contact them via Telegram or mail.&lt;/li>
&lt;/ul>
&lt;/li>
&lt;/ol></description></item><item><title>How a secure and resilient website should be hosted</title><link>https://sy.st/blog/how-a-secure-and-resilient-website-should-be-hosted/</link><pubDate>Sat, 25 Mar 2023 18:00:35 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/how-a-secure-and-resilient-website-should-be-hosted/</guid><description>&lt;h2 id="introduction">Introduction&lt;/h2>
&lt;p class="pFirst">
Hello, following my last article on the OPSEC of the founder of breached, pompompurin, that led to his arrest and the fake news about it, I wanted to do a new one on how a website may be hosted for resiliency and security.
&lt;/p>
&lt;p>For that, I have two pretty simple setups in mind, one of them being easier to implement and probably a lot more stable while not being as secure as the second one.&lt;/p>
&lt;h2 id="waf---rproxy-1---rproxy-2---vpn---backend">WAF -&amp;gt; RPROXY 1 -&amp;gt; RPROXY 2 -&amp;gt; VPN -&amp;gt; BACKEND&lt;/h2>
&lt;figure>
&lt;img src="https://sy.st/img/diagram1.png"
alt="Diagram of what this first setup may look like"
loading="lazy">
&lt;/figure>
&lt;p class="pFirst">
So this first setup is pretty simple. First, for the WAF, I think the two main possible choices would be Cloudflare or DDoS-Guard. For security and resiliency I would use DDoS-Guard, but Cloudflare also has a lot of other features and configuration options while being free, which may make it a better choice for a smaller, less important forum.
&lt;/p>
&lt;p>Then, the second and third protections would be reverse proxies, which are useful for multiple reasons. First, if you use Cloudflare, even though they do not suspend sites following legal orders, they do forward all the account records they have linked to your domain. This means they would hand over all of the DNS records on your account, and therefore the IP of your server. It may seem pretty obvious, but I have seen a lot of websites thinking an &amp;ldquo;offshore host&amp;rdquo; behind Cloudflare is sufficient. These reverse proxies would also absorb any DMCA/abuse complaint forwarded by Cloudflare to the website&amp;rsquo;s hosting provider (which would be the reverse proxy in this case). The two reverse proxies would have to be on two different hosts known for their respect for privacy and for ignoring most things (like nicevps.net, svea.net, privex.io, buyvm.net, etc.).&lt;/p>
&lt;p>Then, after the WAF and the two reverse proxies, as a measure to protect the server in case the backend IP leaks, we would have a reputable VPN on the backend server itself. For that we would need a VPN with port-forwarding capabilities (I would use ovpn.net, ivpn.net or mullvad.net). This would shield your server in case the three proxies in front of it are somehow compromised. It would also hide the backend IP in other cases, for example if your server IP were leaking because of a vulnerability in your website.&lt;/p>
&lt;p>It is also important to know that for this setup to work, at every stage you have to make the web ports accessible only to the service in front of it. This would look like: RPROXY 1 only allows the WAF&amp;rsquo;s IPs to contact it on ports 80 and 443, RPROXY 2 only allows RPROXY 1&amp;rsquo;s IPs, and your backend server only allows connections from RPROXY 2&amp;rsquo;s IP. If you do not do that, your backend IP will end up on indexing websites like censys.io or shodan.io, which is something you do not want to happen.&lt;/p>
&lt;p>I never tried to add this to the chain, but I&amp;rsquo;m pretty sure that to obscure the traffic coming in and out of your different proxies you could have multiple &amp;ldquo;fake&amp;rdquo; servers behind them, to which you would send a copy of the packets you send to the next server in the chain. It would not be that helpful unless you have a lot of servers, but I wanted to mention it.&lt;/p>
&lt;p>To conclude, this setup is pretty bulletproof but still rests on the normal internet. What I mean by that is that if your adversary is the FBI, as it was for breached, they could just subpoena every step of your setup and end up finding your backend. It shouldn&amp;rsquo;t happen without you noticing anything if you choose good hosts, hosting countries and VPNs, but still, this is technically not bulletproof.&lt;/p>
&lt;h2 id="waf---clearnet-proxy---tor">WAF -&amp;gt; Clearnet PROXY -&amp;gt; tor&lt;/h2>
&lt;figure>
&lt;img src="https://sy.st/img/diagram2.png"
alt="Diagram of what this second setup may look like"
loading="lazy">
&lt;/figure>
&lt;p class="pFirst">
You have probably heard of Tor2web proxies, haven&amp;rsquo;t you? These proxies, which are most of the time set up to perform MITM attacks, let you enter something like dreadytofatroptsdj6io7l3xptbet6onoyno2yv7jicoxknyazubrad.onion.sy.st and basically visit Tor domains from the clearnet.
&lt;/p>
&lt;p>Now, the idea of this setup would be to host your website securely on Tor (I will not explain how to do it here, as there are already some good articles on that) and to set up your clearnet domain only to proxy requests to your Tor website, by installing a Tor2web-like proxy on your proxy servers.&lt;/p>
&lt;p>I haven&amp;rsquo;t much experience with this setup, but I have still done some tests with it in the past and everything worked fine for days without me noticing any issues.&lt;/p>
&lt;p>Now, I must also talk about the main problem this setup implies. The biggest problem is that it would be pretty unstable: websites on Tor are already unstable, but put in front of them a proxy that Tor hasn&amp;rsquo;t been designed for and you get something experimental. Add to that forum software that has probably been made for far simpler environments and you get something that would probably not work for a forum.&lt;/p>
&lt;p>However, I find this setup interesting because even if it is not really useful for a forum, where users need to stay logged in and where you do not want connections to time out while writing a post, it may be useful for other sites. Pretty much any site that has no user-generated content and doesn&amp;rsquo;t need good uptime could benefit from this setup. Think of your small torrent tracker, your private forum, your blog that everyone wants down, the leak you want to share on the clearnet securely (but it had better not be too big given Tor speeds), etc.&lt;/p>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p class="pFirst">
To conclude, the first setup would probably be fine if set up and monitored well. If more security is needed, nothing prevents you from adding more proxies in different countries to the setup to try to play on local laws. The second setup, however, is more what I would consider a proof of concept, and at this point you would probably be better off just educating your users on how to use Tor and hosting your website there.
&lt;/p>
&lt;p>Thanks for reading all of that, and I hope you learned something today. If you have questions or corrections about what I wrote, do not hesitate to send me an email at the address below.&lt;/p>
&lt;p class="pFirst">
Everyone who has some interest in cybersecurity should know that there are a lot of news sites in the cybersecurity space that just repost each other&amp;rsquo;s content without any research, except on how they could turn the news into the biggest story possible. I will discuss here the two most prevalent pieces of fake news about the pompompurin arrest, with evidence, in an effort to show how not to fall for such fake news.
&lt;/p>
&lt;h2 id="pompompurin-arrest">Pompompurin arrest&lt;/h2>
&lt;p class="pFirst">
Pompompurin was the founder of the now-defunct forum breached. Pompompurin founded breached right after the arrest of omnipotent, the founder of raidforums. Breached gained popularity pretty fast, spurred by the good reputation of pompompurin on raidforums and how similar the forum was to raidforums.
&lt;/p>
&lt;p>From what I saw and from talking to him, I can say that pompompurin was really doing everything he could to satisfy people and to make the best out of breached. However, breached was still a forum made mostly for trading illicit products and services, and what had to happen happened: pompompurin got arrested, and then the other admin, Baphomet, decided it was better to close the forum.&lt;/p>
&lt;figure>
&lt;img src="https://sy.st/img/pompompurin1.png"
alt="Pompompurin criminal case"
loading="lazy">
&lt;figcaption>Criminal case&lt;/figcaption>
&lt;/figure>
&lt;h2 id="the-media-problem">The media problem&lt;/h2>
&lt;h3 id="intelx">Intelx&lt;/h3>
&lt;p class="pFirst">
There is one piece of news that was in 99%, if not all, of the articles I read: that pompompurin was arrested because of intelx.io, an OSINT and search service founded by Peter Kleissner. The story starts before breached came to life. Pompompurin had attacked intelx by indexing most of their subscription-only files and leaking them to the public. He, with other community members, also doxed Peter Kleissner and published personal information on him and his family. At the time, pompompurin said that he was doing that because intelx was also indexing all of his doxbin-like paste site, skidbin.net, without asking permission.
&lt;/p>
&lt;p>Peter Kleissner also has a history of doxing people in public and sharing information with law enforcement, even on children attacking his service. This is why, when pompompurin created a new account on intelx and started indexing the results, Peter Kleissner leaked all of his account information and logs on intelx&amp;rsquo;s Twitter and Telegram and shared them with the authorities. It was found that the IP used to register on intelx was a residential IP.&lt;/p>
&lt;p>This is where the problem starts: when pompompurin got arrested, Peter Kleissner went to Twitter and told the public that it was the information he provided to the FBI that made pompompurin&amp;rsquo;s arrest possible. Media outlets, not verifying information as always, went on to write that pompompurin had been arrested because of a revolutionary OSINT service that helped law enforcement, intelx.&lt;/p>
&lt;p>Now, what is the problem, you may ask? This IP was a residential IP, so pompompurin must have forgotten to turn on his 7-proxy chain, right? No. It was in fact a residential proxy IP sold by the service nsocks, which means that it was not his own residential IP but just an exit proxy he used.&lt;/p>
&lt;figure>
&lt;img src="https://sy.st/img/intelx.png"
alt="pompompurin *residential* ip"
loading="lazy">
&lt;figcaption>Source: &lt;a href="https://twitter.com/kayte">https://twitter.com/kayte&lt;/a>&lt;/figcaption>
&lt;/figure>
&lt;h3 id="hydramarket">Hydramarket&lt;/h3>
&lt;p class="pFirst">
Here is another community/service pompompurin had fought with. Hydramarket is a forum that also tried to replace raidforums, but unlike breached it was founded on lies. Hydramarket&amp;rsquo;s founder impersonated omnipotent (the now-arrested raidforums founder) and lied about raidforums staff being members of his forum. He also made the forum with the sole goal of making money by selling VIP subscriptions for people to access the leaked database downloads, which contain only already-leaked databases. Hydramarket&amp;rsquo;s only power while breached was alive was DDoS attacks, as it is hard and costly for breached, a forum with a big infrastructure in different countries and with not-so-cheap hosts, to handle these attacks.
&lt;/p>
&lt;p>When pompompurin was arrested, in intelx fashion, hydramarket went to Telegram and told everyone that they were the ones who got the FBI onto breached&amp;rsquo;s servers by sending them the backend IP of breached&amp;rsquo;s database server.&lt;/p>
&lt;p>The problem? Same as the one mentioned above: media outlets haven&amp;rsquo;t verified any information, such as whether the leaked IP was really breached&amp;rsquo;s, and haven&amp;rsquo;t even checked Hydramarket&amp;rsquo;s history of lying. Here is an example of a French article on the subject published by zataz.com, a media outlet founded by Damien Bancal and known for writing dubious articles.&lt;/p>
&lt;blockquote>
&lt;p>Direct link: &lt;a href="https://www.zataz.com/dans-les-petits-secrets-de-la-fin-du-forum-pirate-breached/">https://www.zataz.com/dans-les-petits-secrets-de-la-fin-du-forum-pirate-breached/&lt;/a>&lt;/p>
&lt;p>Archive: &lt;a href="https://archive.is/syzXS">https://archive.is/syzXS&lt;/a>&lt;/p>
&lt;/blockquote>
&lt;h2 id="conclusion">Conclusion&lt;/h2>
&lt;p class="pFirst">
To conclude, we see more and more people trying to educate themselves in cybersecurity, for themselves but also to work in this beautiful field that is computer science. The problem, however, is that if you do not know where to search and are not able to be critical of the articles you read, for fear of entering these "scary" communities, you lose most of the information and mostly learn FUD.
&lt;/p>
&lt;p>So my advice would be to get into these communities, even if you are fully against what they do it will make you understand how they work in the real world and not only in the headlines.&lt;/p>
&lt;h3 id="edit-made-on-the-24032022">Edit made on the 24/03/2022&lt;/h3>
&lt;p class="pFirst">
As planned, the trial for pompompurin was today. The trial gave us more elements as to how pompompurin was arrested, and as expected, neither intelx nor hydramarket was the cause of his arrest.
&lt;/p>
&lt;p>The cause of his arrest was just a bunch of stupid OPSEC mistakes:&lt;/p>
&lt;ol>
&lt;li>When he messaged omnipotent, the old raidforums owner, about a leaked database that did not contain his personal email (which it should have if the database was real, as he had an account). To prove his point, he just sent his personal email to omnipotent.&lt;/li>
&lt;/ol>
&lt;figure>
&lt;img src="https://sy.st/img/pompompurin.jpg"
alt="pompompurin leaking his email"
loading="lazy">
&lt;/figure>
&lt;ol start="2">
&lt;li>When he connected to raidforums with multiple mobile IPs associated with his phone.&lt;/li>
&lt;/ol>
&lt;figure>
&lt;img src="https://sy.st/img/pompompurin2.png"
alt="raidforums on residential ip"
loading="lazy">
&lt;/figure>
&lt;ol start="3">
&lt;li>He connected through VPNs to his personal Google account at the same time as he carried out his criminal activities.&lt;/li>
&lt;/ol>
&lt;figure>
&lt;img src="https://sy.st/img/pompompurin3.png"
alt="not sandboxing accounts is bad"
loading="lazy">
&lt;/figure>
&lt;ol start="4">
&lt;li>He accessed breached from a home residential IP registered in his father&amp;rsquo;s name (probably his home).&lt;/li>
&lt;/ol>
&lt;figure>
&lt;img src="https://sy.st/img/pompompurin4.png"
alt="breached on residential ip"
loading="lazy">
&lt;/figure>
&lt;p>And probably a lot more that I didn&amp;rsquo;t bother to include here. If you are interested in knowing more, you should definitely read the section &amp;ldquo;Attribution of Conor Fitzpatrick as “pompompurin”&amp;rdquo; of the pompompurin affidavit.&lt;/p>
&lt;blockquote>
&lt;p>&lt;a href="https://sy.st/doc/gov.uscourts.vaed.535542.2.0.pdf">https://sy.st/doc/gov.uscourts.vaed.535542.2.0.pdf&lt;/a>&lt;/p>
&lt;/blockquote>
&lt;h2 id="adding-to-the-conclusion">Adding to the conclusion&lt;/h2>
&lt;p class="pFirst">
What can we learn from this? It is important to maintain good OPSEC from the creation of your online identity, not once it is too late. You should practice your OPSEC as if your life depended on it, because it might. You should also never trust anyone with your data and security on the internet, even if they seem to be hardened OPSEC masters on the outside.
&lt;/p></description></item><item><title>First</title><link>https://sy.st/blog/first/</link><pubDate>Thu, 17 Mar 2022 22:44:54 +0100</pubDate><author>i[a]sy.st (Leet)</author><guid>https://sy.st/blog/first/</guid><description>&lt;p>First post and probably the last.&lt;/p></description></item></channel></rss>