Hacker by association? INSIDE JOB!

Elyssa Durant, Ed.M. αδψ
Intelligence Analyst
Black & Berg CyberSecurity, LLC

HATE Highest Anti Terror Effort

Forgive typos! iBLAME iPhone

Faux Security: @JosephKBlack, @ElyssaD, BlackBerg Security, and Shades of Project Viglio | @Krypt3ia

Faux Security: @JosephKBlack, @ElyssaD, BlackBerg Security, and Shades of Project Viglio

Posted by Krypt3ia on 2011/07/13

Blackberg & ElyssaD:

A while back, I ran across ElyssaD and her whack ass site which was scraping my content from Infosecisland. I later read  Jaded Security’s post filling in the gaps that I had given up on in my searches on her digital rats warren of sites and chalked it up to fucktards at play. However, since then, she has failed to remove my content from her sites, her ersatz ‘employer’ Joe Black, has called me out as a supporter of Anonymous and LulzSec, and still, my content is on her frantically moronic sites.

Author Chilleh PenguinPosted on April 25, 2012June 24, 2012Categories UncategorizedTags Anonymous, AntiSec, Aspergers, CIA, COINTELPRO, COUNTER-INTELLIGENCE, CYBERCRIMES, CyberWar, DailyDDoSe™, DURANT, ELyssaD™, FBI, Fraud, HACKING, LulzSec, PsyOpsLeave a comment on Faux Security: @JosephKBlack, @ElyssaD, BlackBerg Security, and Shades of Project Viglio | @Krypt3ia

Softly Softly Catch a Monkey « by @th3j35t3r on SABU || WTG JESTER!

Softly Softly Catch a Monkey

Posted: July 13, 2011 in General, Hacker Tracker, Press Coverage
Tags: 4Chan, anonakomis, AnonOps, Anonymous, assange, blog, hacker, hactivism, Infosec Daily, ISDPodcast, jester, lulz, lulzsec, Matt Shoemaker, nakomis, on3iroi. jarred, podcast, sabu, topiary

Author Chilleh PenguinPosted on April 25, 2012June 24, 2012Categories UncategorizedTags Above The Law, Anonymous, AntiSec, Aspergers, CIA, COINTELPRO, DailyDDoSe™, DATA BREACH, ELyssaD™, FBI, HACKING, INFOSEC, LulzSecLeave a comment on Softly Softly Catch a Monkey « by @th3j35t3r on SABU || WTG JESTER!

BREAKING UPDATE: Suspicious Behavior in Tennessee

Uploaded by elyssadurant on Feb 20, 2012

Most have no tags or temporary tags… But the latest weapon of mass deception are vehicles that have TWO tags from different states!

Specifically Tennessee and Kentucky.

Black Army? Heroes? Hell NO!

Only cowards have to hide behind bullet proof glass and opaque black tinted windows.

Go USA! God bless America!

This is some of the creepiest shit I have ever seen but was unable to upload live footage since my internet suddenly got disconnected.

Garbage Trucks with liquid tanks using hoses and flashlights in back alleys; hiding behind dumpsters; turning off headlights to avoid detection?

THAT’S FUCKING SUSPICIOUS

School busses and taxis parked for hours with strobe lights using GPS 4D technology for surveillance — that is fed to four separate locations and stored on USB!

All utility companies now have sub-contractors rewiring shit without any ID, temporary tags and plates from multiple states… No way to verify identity workers caught on film jumping out of running vehicles and cutting wires at utility poles?

THAT’S FUCKING SUSPICIOUS!
Category:
News & Politics
Tags:
Military USA TN Black
VIPR
TSA

via thepowersthatbeat.blogspot.com

DISCOVERY!

ELyssa Durant (me?) on “THE” watch List???

Protests in Egypt: A Sign of the Times

Why does Egypt matter?

 

Watch closely and reflect on what is happening in Egypt.

I use the internet as my primary source of communications. I have 13 gigs of spyware, malware and other junk that somehow found it’s why onto my hard drive in less than 63 days!

 

I didn’t have broadband until last month! I have no cable television and I can barely get a signal on my TV— not that there is much worth watching— but I would like to see the news and see WTH is going on in the world.

But you grow used to the silence— I did not even own a television until a few months ago.

 

I have had more than a dozen cell phones in less than one year because the damn things keep freezing on me. App Error 200. I shit you not— coincidence? Maybe. But anyone who purchases more than 3 cell phones in one year is automatically placed on the terrorist watch list. Then again, I live in a state where the ACLU is on the watch list!

Sound bizarre? I hope so, cause it certainly does sound “normal” to me!

 

Welcome to my life.

The United States has long had the capability to monitor, jam, and cut communications at will. Without cause or justification.

 

I live in the United States of America. I care what is happening in Egypt because I know it could happen here.

Am I a whistleblower? Yes, I am.
Am I anonymous? Not so much.
Am I a terrorist? Hell, no.

Am I on the watch list? You bet your sweet ass I am!

IN MY COUNTRY?

“First they came for the communists,
and I didn’t speak out because I wasn’t a communist.


Then they came for the trade unionists,
and I didn’t speak out because I wasn’t a trade unionist.


Then they came for the Jews,
and I didn’t speak out because I wasn’t a Jew.


Then they came for me
and there was no one left to speak out for me.”

Friedrich Gustav Emil Martin Niemöller
(14 January 1892 – 6 March 1984)

“Somewhere to run, Nowhere to hide?”
~Cathy O’Brien, The Trance-formation of America

ACCESS DENIED: For Reason of National Security

#USA #TN05 #JAN25 #EGYPT

via thepowersthatbeat.blogspot.com

you bet your sweet ass I am!

^ed

ELyssa Durant © 2012 || The Powers That Beat
All Rights Reserved || DailyDDoSe™ registered @ELyssaD™

ps ALL LINKS CLICKABLE: EVERYTHING YOU NEVER WANTED TO KNOW ABOUT HOMELAND IN-SECURITY AND MORE!

~this is your hometown

 

BREAKING! Open Source Root Hack Discovered || Anti-Sec & LulzSec & Anonymous || HTTPS Everywhere Development @EFF

HTTPS Everywhere Development

Pointers for developers

• License: GPL version 2+
• Source code: Available via Git with
  git clone git://gitweb.torproject.org/https-everywhere.git or browse the source via gitweb, or just unzip the .xpi file.
• Bug tracker: https://trac.torproject.org/projects/tor/report/19 (to submit bugs, make an account or use the anonymous one — “cypherpunks”/”writecode”)
• Mailing lists: The https-everywhere list ( archives) is for discussing the project as a whole; the https-everywhere-rules mailing list ( archives) is for discussing the rulesets and their contents, including patches and git pull requests.
• IRC: #https-everywhere on irc.oftc.net. If you ask a question, be sure to stay in the channel — someone may reply a few hours or a few days later.

A quick HOWTO on working with Git

You may want to also look at the Git Reference, GitHub Help Site and the Tor Project’s Git documentation to fill in the gaps here, but the below should be enough to get the basics of the workflow down.

First, tell git your name:

git config --global user.name "Your Name" git config --global user.email "you@example.com"

Then, get a copy of the ‘origin’ repository:

git clone git://git.torproject.org/https-everywhere.git cd https-everywhere

To create a test XPI, you’ll need a Cygwin environment under Windows, or a Linux or Unix install. Simply run this from the https-everywhere.git toplevel directory:

sh ./makexpi.sh

This should create an xpi file in ./pkg that you can install using a file:// url.

If you want to create new rules to submit to us, we expect them to be in the src/chrome/content/rules directory. That directory also contains a useful script, make-trivial-rule, to create a simple rule for a specified domain. There is also a script called trivial-validate.py, to check all the pending rules for several common errors and oversights. For example, if you wanted to make a rule for the example.com domain, you could run

sh ./make-trivial-rule example.com

inside the pending-rules directory. This would create Example.com.xml, which you could then take a look at and edit based on your knowledge of any specific URLs at example.com that do or don’t work in HTTPS. You could then run

python ../../../../trivial-validate.py

to make sure that your rule is free of common mistakes.

When you want to send us your work, you’ll need to add any new files to the index with git add:

git add ./src/chrome/content/rules/MyRule1.xml git add ./src/chrome/content/rules/MyRule2.xml

You can now commit your changes to the local branch. To make things easier, you should commit each xml file individually:

git commit ./src/chrome/content/rules/MyRule1.xml git commit ./src/chrome/content/rules/MyRule2.xml

Now, you need a place to publish your changes. You can create a free github account here: https://github.com/signup/free. http://help.github.com/ describes the account creation process and some other github-specific things.

Once you have created your account and added your remote in your local checkout, you want to push your branch to your github remote:

git push github my-new-rules:my-new-rules

Now, tell the https-everywhere-rules@eff.org mailing list about your changes and we will merge them in! Alternately, you can use

git format-patch

to create patch files that you can submit to us by e-mail instead of using a remote.

Periodically, you should re-fetch the master repository:

git pull master

Development discussions

If you have questions or comments about https-everywhere development, including about the user of version control, you can discuss them in the #https-everywhere IRC channel on irc.oftc.net. The IRC service at irc.oftc.net is available in an encrypted form via port 6697 if your IRC client supports it. You can also join the https-everywhere mailing list or the rulesets mailing list.

via eff.org

mother fuckers took open source… BLACK & BERG so we meet again?

i signed up for gitweb for #cchaiti

you fuckers ought to be ashamed of yourselves.

die. a slow and painful death.

^ed

How to Deploy HTTPS Correctly | Electronic Frontier Foundation

How to Deploy HTTPS Correctly

Chris Palmer, 15 Nov 2010

Internet technologists have long known that HTTP is insecure, causing many risks to users. The release of Firesheep made one of these risks concrete and obvious to even non-technical folks.

While HTTPS has long existed as a reasonable way to improve web security, web operators have been slow to host their applications with it. In part, this is because correctly and completely hosting an application with HTTPS takes some care.

This article is designed to help web operators get a conceptual handle on how to protect their users with HTTPS. Taking a little bit of care to protect your users is a reasonable thing for web application providers to do, and a good thing for users to demand.

Background

HTTPS provides three security guarantees:

1. Server authentication allows the browser and the user to have some confidence that they are talking to the true application server. Without this guarantee, there can be no guarantee of confidentiality or integrity.
2. Data confidentiality means that eavesdroppers cannot understand the communications between the user’s browser and the web server, because the data is encrypted.
3. Data integrity means that a network attacker cannot damage or alter the content of the communications between the user’s browser and the web server, because they are validated with a cryptographic message authentication code.

HTTP provides no security guarantees, and applications that use it cannot possibly provide users any security. When using a web application hosted via HTTP, people have no way of knowing whether or not they are talking to the true application server, nor can they be sure attackers have not read or modified communications between the user’s computer and the server.

Modes of Attack and Defense

However users connect to the Internet, there are a variety of people who can attack them—whether spying on them, impersonating them, tampering with their communications, or all three of these. The wifi network operator can do this; any ISP in the path between client and server can do it; anyone who can reconfigure the wifi router or another router can do it; and often, anyone else using the same network can do it, too.

Firesheep is a passive network attack: it eavesdrops on the contents of network communications between browser and server, but does not re-route or modify them.

By contrast, other freely-available tools perform active network attacks, in which the attacker does modify the contents of and/or re-route communications. These tools range from serious, such as sslstrip, to silly, like the Upside-Down-Ternet. Although Upside-Down-Ternet is a funny prank, it is technically identical to potentially more damaging attacks such as an attack that injects malicious code or incorrect information into web pages; at the same time, it shows that such attacks are easy enough to be jokes. Free wifi hotspots have been known to inject advertisements dynamically into web pages that users read—indicating that active network attacks are a viable business model. Tools like Cain and Abel enable a range of attacks, including re-routing local network traffic through the attacker’s system. (Also see Arpspoof and dsniff.)

Only a mechanism that provides (at least) authentication, confidentiality, and integrity can defend against the full range of both passive and active attacks. HTTPS is currently our best option for web applications.

However, there are some potential pitfalls that site operators must avoid.

Mixed Content

When hosting an application over HTTPS, there can be no mixed content; that is, all content in the page must be fetched via HTTPS. It is common to see partial HTTPS support on sites, in which the main pages are fetched via HTTPS but some or all of the media elements, stylesheets, and JavaScript in the page are fetched via HTTP.

This is unsafe because although the main page load is protected against active and passive network attack, none of the other resources are. If a page loads some JavaScript or CSS code via HTTP, an attacker can provide a false, malicious code file and take over the page’s DOM once it loads. Then, the user would be back to a situation of having no security. This is why all mainstream browsers warn users about pages that load mixed content. Nor is it safe to reference images via HTTP: What if the attacker swapped the Save Message and Delete Message icons in a webmail app?

You must serve the entire application domain over HTTPS. Redirect HTTP requests with HTTP 301 or 302 responses to the equivalent HTTPS resource.

Some site operators provide only the login page over HTTPS, on the theory that only the user’s password is sensitive. These sites’ users are vulnerable to passive and active attack.

Security and Cookies

As I described in a paper on secure session management for web applications, site operators must scope sensitive cookies (such as cookies used for user authentication) to the secure origin. If a cookie is broadly scoped (with the Domain attribute in the Set-Cookie: header), it may “leak” to other hosts or applications in the same domain—potentially less-secure hosts or applications.

Similarly, the application must set the Secure attribute on the cookie when setting it. This attribute instructs the browser to send the cookie only over secure (HTTPS) transport, never insecure (HTTP).

Use HTTP Strict Transport Security

HTTP Strict Transport Security (HSTS) is an HTTP protocol extension that enables site operators to instruct browsers to expect the site to use HTTPS.

Although not all browsers yet support HSTS, EFF urges those that don’t—we’re looking especially at you, Apple and Microsoft—to follow the lead Google and Mozilla have set by adopting this useful security mechanism. Indeed, ultimately we expect HTTPS (and possibly SPDY) to replace HTTP entirely, the way SSH replaced Telnet and rsh.

We recently enabled HSTS for eff.org. It took less than an hour to set up, and we found a way to do it without forcibly redirecting users to HTTPS, so we can state an unequivocal preference for HTTPS access while still making the site available in HTTP. It worked like a charm and a significant fraction of our users are now automatically accessing our site in HTTPS, perhaps without even knowing it.

Performance Concerns

Many site operators report that they can’t move to HTTPS for performance reasons. However, most people who say this have not actually measured any performance loss, may not have measured performance at all, and have not profiled and optimized their site’s behavior. Usually, sites have latency far higher and/or throughput far lower than necessary even when hosting over HTTP—indicating HTTPS is not the problem.

The crux of the performance problem is usually at the content layer, and also often at the database layer. Web applications are fundamentally I/O-bound, after all. Consider this wisdom from the Gmail developers:

First, we listed every transaction between the web browser and Google’s servers, starting with the moment the “Sign in” button is pressed. To do this, we used a lot of different web development tools, like Httpwatch, WireShark, and Fiddler, plus our own performance measuring systems. […]

We spent hours poring over these traces to see exactly what was happening between the browser and Gmail during the sign-in sequence, and we found that there were between fourteen and twenty-four HTTP requests required to load an inbox and display it. To put these numbers in perspective, a popular network news site’s home page required about a 180 requests to fully load when I checked it yesterday. But when we examined our requests, we realized that we could do better. We decided to attack the problem from several directions at once: reduce the number of overall requests, make more of the requests cacheable by the browser, and reduce the overhead of each request.

We made good progress on every front. We reduced the weight of each request itself by eliminating or narrowing the scope of some of our cookies. We made sure that all our images were cacheable by the browser, and we consolidated small icon images into single meta-images, a technique known as spriting. We combined several requests into a single combined request and response. The result is that it now takes as few as four requests from the click of the “Sign in” button to the display of your inbox.

Google’s Adam Langley provides additional detail:

In order to do this we had to deploy no additional machines and no special hardware. On our production frontend machines, SSL/TLS accounts for less than 1% of the CPU load, less than 10KB of memory per connection and less than 2% of network overhead. Many people believe that SSL takes a lot of CPU time and we hope the above numbers (public for the first time) will help to dispel that. [emphasis in original]

Is it any wonder Gmail performs well, even when using HTTPS exclusively? Site operators can realize incremental improvement by gradually tuning their web applications. I gave a presentation to this effect at Web 2.0 Expo 2009.

Conclusion

HTTPS provides the baseline of safety for web application users, and there is no performance- or cost-based reason to stick with HTTP. Web application providers undermine their business models when, by continuing to use HTTP, they enable a wide range of attackers anywhere on the internet to compromise users’ information.

More to Come

Keep an eye out for Part Two of this whitepaper, which will go into more detail about how site operators can easily and incrementally improve site efficiency, thus enabling the move to HTTPS.

via eff.org

Anonymous Sabu was working for FBI to Trace down other LulzSec hackers | The Hacker News (THN)

Stranded in the Combat Zone

via youtube.com

Friday night I crashed your party
Saturday I said I’m sorry
Sunday came and trashed it out again
I was only having fun
Wasn’t hurting anyone
And we all enjoyed the weekend for a change

I’ve been stranded in the combat zone
I walked through Bedford Stuy alone
Even rode my motorcycle in the rain
And you told me not to drive
But I made it home alive
So you said that only proves that I’m insane

Well, you may be right
I may be crazy
Hey!
But it just might be a lunatic you’re looking for
Turn out the light
Don’t try to save me
Well you may be wrong for all I know
But you may be right

Remember how I found you there
Alone in your electric chair
I told you dirty jokes until you smiled
You were lonely for a man
I said take me as I am
‘Cause you might enjoy some madness for a while

Now think of all the years you tried to
Find someone to satisfy you
I might be as crazy as you say
If I’m crazy then it’s true
That it’s all because of you
And you wouldn’t want me any other way

But you may be right
I may be crazy
Hey!
But it just may be a lunatic you’re looking for
It’s too late to fight
It’s too late to change me
Well you may be wrong for all I know
But you may be right

Hey!

Well you may be right
I may be crazy
Hey!
But it just may be a lunatic you’re looking for
Well turn out the light
I’m gonna watch you take me
Well you may be wrong for all I know
But you may be right

Wrong but you may be right
You may be wrong but you may be right
You may be wrong but you may be right
You may be wrong but you may Hell! be right

HACK3R WARS RAGE ON: Lulz vs. @ELyssaD™ The Greatest Gift, My Deepest Regret: Pepe’s Final Gift: The Gift of Goodbye