scriptjunkie @sj@social.scriptjunkie.us

When plastic surgeons seek a meaningful break from their profitable yet banal jobs, some aid missions to economically stressed nations, fixing cleft palates and other deformities for free. If you had a paid 6mo to do anything meaningful with infosec skills, what would it be?

Today in security

This is where we're headed.
https://fedi.absturztau.be/notice/ABNibyvag8Ii20RO76

Great mindmap for AD exploitation
https://twitter.com/M4yFly/status/1437453135883157504

Some days you just gotta stir the pot.

*/me walks away slowly, whistling innocently*

Do not use centralized messengers. I cannot emphasize this hard enough. Do not ever install or use a non-metadata-secure messenger.
https://twitter.com/scriptjunkie1/status/1435062403264360450

This is all very alpha-quality proof of concept and not polished or reliable or audited or secure against many threat models, but it could be if refined enough. I hope it inspires people to embed censorship and metadata security everywhere. Let me know if you want the full code

This is self-contained in an html and a javascript file and can be saved on your device, even last I checked, iDevices, and with a URL change make its websocket and WebRTC connections without depending on the same JS running on the server or any app store's permissions.

A final issue with web based crypto like ProtonMail or secure chat apps on centrally managed app stores is that authorities could (and do) compel backdoors to be inserted in the Javascript or app to steal all your messages, or could (and do) block the app from being available.

Another big issue with secure chat apps is the fact that for those in greatest danger, like dissidents in oppressive regimes, even having one on your device is suspicious and may be enough to be persecuted. Visiting a mortgage calculator site though is far less suspicious.

Inspired by Adam Langley's pond, every few seconds it sends the exact same size encrypted data chunks to peers. Receiving or sending a message should have no impact on the metadata seen by a passive adversary.

Tor and I2P do this on a very large scale. But if you're really paranoid, adversaries with extensive global surveillance might be able to track data in those kinds of systems being sent from one node and forwarded by others. So this uses scheduled & dummy or padded transmissions

But you know that ProtonMail trouble? Even seeing metadata like IP addresses, who's talking to who, is invasive and dangerous. So it uses a websocket with the server and negotiates WebRTC data connections with peers to create an onion-routing peer-to-peer metadata-hiding network

Oh and there's a little chat box at the bottom. Lots of sites have chat. But this one runs a rust-compiled WASM binary that implements P-256 ECDH and ECDSA, and AES-GCM-SIV, generating an asymmetric keypair and saving it in your browser's local storage for end-to-end encryption.

Every mortgage calculator I could find couldn't answer most relevant questions. Is it better to put more down or invest the money? When is buying points worth it? Do mortgages affect your taxes? Are VA fees justified? So I put together https://realratecalculator.com/ to quickly find out.