On ProtonMail’s “Human Verification”

Posted in General Articles on April 12th, 2017 by kyREcon

Howdy,

Recently, I noticed that protonmail treats users that attempt to use their service via tor a bit differently.

So if you are ready and/or willing to laugh or cry a bit about it, then keep on reading.

Let’s go…

First of all protonmail owners are happy to talk a lot about privacy and security, which is a good thing. They even offer a Tor hidden service!


 

 

 

 

 

 

They even mention that protonmail “does not require any personally identifiable information to register”.


 

 

 

 

 

However, how true is all that about privacy and anonymity?

So in case you actually attempt to signup for a new account on protonmail, via tor, this is what happens:


 

 

 

 

 

 

 

 

Wait a minute!!!

Isn’t Tor’s purpose to offer anonymity and privacy to the user?!?!

Are you actually telling to the users to connect via Tor for which you also provide a URL and then you are asking them to give you their mobile number and/or their credit card information?!?!?

Didn’t you say that you don’t require any personal information to register?!?!

This makes no sense…this makes no fucking sense!!!

To make things clear, asking for a mobile number and/or credit card information has nothing to do with “Human Verification”.

This is clearly an “Identification” of the person that attempts to signup to their service…using Tor…for which they also provide a URL…for which process they were supposed not to ask any personal information.

After having a conversation over twitter with @bartcbutler (Protonmail’s CTO), it seems that they still believe that promoting privacy via Tor and then asking someone to provide personal information it makes sense.

Their excuse is that they do that to fight spammers and people creating multiple accounts, which could cause to make the whole service suffer.

But…do they do this for users that don’t attempt to signup via Tor?

No they don’t!!!

 

 

 

 

 

 

 

 

 

 

 

 

So, let me get this straight…if that makes any sense.

When I asked them what is the point of allowing people to signup via Tor and also offering a Tor URL if they assume that Tor users are spammers, @bartcbutler  said that they don’t assume anything like that.

Apparently, though this is not the case, again!

If it was the case, then why not always ask for personal information?

Can’t spammers create multiple accounts without using Tor?

Well…the difference is that it makes it easier to identify people that create an account without using Tor.

Because that’s the difference. That’s the only difference.

So clearly, this doesn’t make any sense and definitely it’s not for fighting spammers.

Nothing from what they claim and say adds up, and for me protonmail is definitely not an option anymore.

What I mean is, if you see shit on one side of the cake, what do you do:

a. You clean that part up and eat the rest of the cake.

b. You throw away the whole fucking cake!

 

The choice is yours.

Take care,
kyREcon

 

 

 

Share
Tags:

Time to fight back and remind to everyone…

Posted in General Articles on November 16th, 2016 by kyREcon

Lately, I have been constantly attacked on twitter at a personal level by these two guys: @harmj0y and @christruncer.
They are both co-authors of veil. Unfortunately it seems that other people like @mattifestation joined them. Why matti?

This made me realize two things.

Either people don’t know the backstory of what is going on and/or these people have their own crew of supporters that will keep coming back against me, whatever happens.
Personally, I don’t like any of the two.

For that reason it’s about time to remind to people who these people are, how they keep attacking me at a personal level and how they attacked my project Shellter with lies. Remember, these people have no limits. They had even published their lies, yes they even made a youtube video, but we will go back to that.

Good thing is, I kept this video, because I knew they would come back to me.

First of all, I want to make clear that I accept that I am not the guy that always uses kind words, however this is lights of years away from attacking someone personally.

A few days ago, I posted on my @shellterproject account a tweet saying that “Shellter eats for breakfast veil, backdoor factory, and any other tool in this category.”

Now, if you are a co-author of any of those tools and you see a personal insult there, just because I am saying that my tool performs better, then something doesn’t fit.

I believe that anyone with some common sense can understand that something is totally wrong with these people.

If you think I am wrong, and your tool performs better than mine, then please come to me with your tests and results and give me the time to analyze them and give you some results back.

Instead of trying to defend their work at a technical level, these people started throwing insults at me at a personal level.

Here they are:

christruncer

 

 

 

harmj0y

 

 

 

 

 

 

 

 

Again, these people unable to keep the discussion at a technical level and defend their tool veil by those means, they started attacking me at a personal level.

It seems that for them, if someone makes something better, then they have to make him look like he is a bad guy. That’s their only way of defending their work, by making people look bad through the power they have on social media.

I am not an angel, but my comments much or little harsh, were not personal. I have the right to say my tool ‘tastes’ better than yours. If you think I am wrong, then please prove me wrong, but whatever the outcome is, trying to make this personal is what really is unacceptable.

Now The backstory!

This is were everything begun: July 23 2015.

That day, with the help of @midnite_runr, the author of backdoor factory, these people created a youtube video showing a vulnerability in Shellter that didn’t exist in order to defame my project.

Now you tell me how low that is, and yet these people count thousands of followers on twitter.

Yes these people did that to me!

Here is the video they created:

What these sad people did, was to give to Shellter to execute a binary that they previously infected with a reverse connection stager, and then they used that to throw lies and defame my project.

Yes, these people did that to me, all of them together as a team: @harmj0y, @christruncer, and @midnite_runr

All of them together, created, published, and/or fully endorsed this framing of my project, trying to embarass me.

Little did they know!

To make things clear Shellter’s tracer acts as a debugger that executes and logs the execution flow of an application.

This is fully documented, and it’s not a secret. It’s how this tool gets all the necessary information to achieve dynamic PE infection. So basically it acts like a debugger, it executes programs.

Well maybe, these people don’t know what a debugger is, but I don’t believe that, if you know what I mean.

Obviously, I had immediately realised what these people were doing so I had put all the details of their supposed vulnerability in this very blog.

Then, I did the mistake to decide to give them a break from complete embarassement. I contacted one of them and tried to make peace, mostly to protect them from their own actions.

Now I regret about that, and I hardly regret about anything!

I regret about it, because they don’t deserve it and because these people are so good at forgetting and completely ignoring their own actions that now they came back attacking me just because I said that my tool performs better with AV evasion.

If you are one of their followers, this is what these people are: Shameless!

Take care,
kyREcon

Share
Tags: , ,

Getting a job in cybersecurity

Posted in General Articles on November 5th, 2015 by kyREcon

I see a lot of young people that want to get a job in cybersecurity, and whenever possible I am trying to talk with them in order to understand what makes them  to want to get into this industry. Is it passion for IT security or is it just the growing salaries in this market? Unfortunately, it seems that getting a job into this area is becoming a trend while there is no real motivation for knowledge.
It really makes me sad when I see a person in his early 20s to only think about money. On the other hand, I also appreciate the fact that not everyone wants the same things from life, and for that reason I am not judging anyone. What is however important in any case, is how you get there. Putting things in the right order is the best way to go. These are just personal points of view. I am not trying to tell anyone what is right or wrong. I am only expressing my opinions, and you can agree or disagree. :)
The following are some of the things I hear quite often from people that come straight of the university. Read more »

Share

The HackingTeam and the Infosick White Angels

Posted in General Articles on July 13th, 2015 by kyREcon

What have we really learned from the recent data leak regarding the operations of the so called HackingTeam?

Did we learn that there are some companies/people out there selling exploits?

Was it that the infosec industry is full of white angels that would never do so?

Maybe it was the fact that our industry is not so open-minded as we think?

Let’s see…

There are companies and individuals selling exploits. WOW, what a fucking surprise!!!
Sorry for disturbing your sweet dreams. Reality check! If you didn’t know, then you are reading the wrong article. I suggest you continue
reading –>here <–.
If you did know that shit happens, you may be interested in reading the rest of it.

Deamonizing the phrase “selling exploits” is like saying manufacturing cars is evil.
Just because some people will misuse either of them, doesn’t mean that both are necessarily bad.
Is it that bad to sell an exploit that might help the authorities to breach into a terrostists organization?
Is it more bad than driving drunk or high? Oh yes, you never do that!!!

Let’s now go back to those loud infosick people that started sharing lists, and putting labels on people that worked for the HackingTeam.
They even started saying to blacklist all those people from working again in IT. Shame on you!!!
You are not a judge, and you certainly won’t decide for anyone’s life. If you don’t like someone and his actions, you are free to say so.
However, organizing a witch hunting belongs to another era, and I wasn’t expecting to see people going down to that level.
Again, if you did that, shame on you!!!

So selling an exploit is evil. All white angels came out and said that out loud.
I am not really surprised. People do try to get attention by someone else’s failures. Sad creatures!
What these angels never said to us, is what they would have done if they had the skills to build an exploit that someone would happily
buy for $30k or more. I am pretty sure they would never sell that evil thing, because they are nice people!!!
I can understand people with the skills for doing so, that never did, to go out and critisize these actions. However, looking at the mass
shouting under the cross, it is really sad…,and at times even funny.

Now, I know people will come and say that I have connections with the HackingTeam and that I am trying to defend them. I am sorry to
disappoint you, but you are wrong!
They will pay for their mistakes when the time comes, but won’t be you who will decide how and when.
It makes me feel sick being part of a community that is ready at any time to blacklist and label people.
Today it’s them. Tomorrow it might be you, for whatever reason that might be.
At the end of the day, that’s just my opinion, and you don’t have to like it.

Just out of curiosity. Before wearing your superhero mask going out on tweeter saving the world with your (mostly) useless tweets,
did you ever consider what might be the real motivation behind this breach?
How do you know this was done for ethical reasons? How can you be so sure that someone didn’t get paid just to take them out of the game?
I am pretty sure this never occured to you. Surprise! Yeh, I know…shit happens. I don’t imply that I know what really happened, so don’t
pretend you do know that all this happened for a good reason. Just saying…

Apparently HackingTeam, did a lot of mistakes. They fucked up. However, I am pretty sure not all of their actions were evil, and if they were only time will tell.

Finally, I want to send my respects to all of them that handled things responsibly. That is, by sharing the information without judging the
people behind it. To those that spent some time analyzing the leaked data, extracting the exploits and helping the affected vendors to fix
those vulnerabilities, I have to say congrats! That’s what should be all about.

Don’t judge someone just because they sin differently than you.

kyREcon

Share

Angry Spy-Birds

Posted in General Articles on March 22nd, 2012 by kyREcon

I recently decided to “upgrade” myself by buying a new cool mobile phone, and get rid of the old msgs-and-calls capable only one.

Yesterday, I decided to download the famous angry birds game, it’s free so why not?!?

Well, money-free doesn’t really mean spy-on-me-free right?
This is not something new of course. This is how Facebook, youtube and other social sharing websites work for the last few years.
Oh come on, don’t tell me you really believe that only you and your friends have access to all that information you post about yourself uh??!

Anyway, back to the angry-birds download.
Unfortunately, by installing angry birds and for sure many other games you actually give the permission to someone to spy on you 24/7.
A part from the fact that the application will be able to send and receive information regarding where you are, it can also view the information about the wi-fi state and other networks, communicate with the internet (of course) and in addition, it can also access the phone features of the device, including phone number,serial number, whether a call is active and WTF?!? the number that call is connected to…

I don’t understand why an application such as angry birds requires all this, unless the WWF does some kind of research on those birds…

The following picture shows an instance of all this:

Angry_Spy_Birds

However, if anyone for any reason believes that I am wrong, please let me know and I will be more than happy to delete this post.
Till then, enjoy your Angry Spy-Birds application…

Cheers,
kyREcon

Share