A CLI file sharing utility that serves data over the Veilid network in a BitTorrent-like fashion. The data is available as long as the share is running.
Audiocat is a command-line utility for Linux that reads and writes encrypted data across peer-to-peer or broadcast audio connections, using minimodem and gpg.
It is a powerful tool that can be combined with any audio infrastructure (like PSTN, cellular network, internet, radio, walkie-talkies) to provide a secure communication channel through an audio tunnel.
The audio interfaces behave like data diodes, each allowing unidirectional data transmission only, thus preventing data leaks and malware injection.
This enables an "enhanced" end-to-end encryption (E-E2EE) which notably increases security and privacy, especially when the end devices are completely offline (air-gapped systems), thus providing an effective barrier against "legal or illegal" client-side scanning!
tinc is a Virtual Private Network (VPN) daemon that uses tunnelling and encryption to create a secure private network between hosts on the Internet. tinc is Free Software and licensed under the GNU General Public License version 2 or later. Because the VPN appears to the IP level network code as a normal network device, there is no need to adapt any existing software. This allows VPN sites to share information with each other over the Internet without exposing any information to others. In addition, tinc offers encryption, authentication, compression, automatic mesh routing, NAT traversal, and network bridging. Supports IPv6, too.
Git: https://www.tinc-vpn.org/git/browse?p=tinc
In the AUR.
A tool for testing for certificate validation vulnerabilities of TLS connections made by a client device or an application. This could also be useful if you're trying to reverse engineer the API a mobile app uses.
An end-to-end encrypted collaborative office suite. Multiple users can work on the same document at the same time. Everything is encrypted end-to-end, including on disk. There's a full suite of applications: A rich text editor, spreadsheet, IDE, kanban, presentation slide editor, whiteboard, and buildable forms. Use theirs or stand up your own instance.
Reticulum is the cryptography-based networking stack for building local and wide-area networks with readily available hardware. It can operate even with very high latency and extremely low bandwidth. Reticulum allows you to build wide-area networks with off-the-shelf tools, and offers end-to-end encryption and connectivity, initiator anonymity, autoconfiguring cryptographically backed multi-hop transport, efficient addressing, unforgeable delivery acknowledgements and more.
The vision of Reticulum is to allow anyone to be their own network operator, and to make it cheap and easy to cover vast areas with a myriad of independent, inter-connectable and autonomous networks. Reticulum is not one network. It is a tool for building thousands of networks. Networks without kill-switches, surveillance, censorship and control. Networks that can freely interoperate, associate and disassociate with each other, and require no central oversight. Networks for human beings. Networks for the people.
Reticulum is a complete networking stack, and does not rely on IP or higher layers, but it is possible to use IP as the underlying carrier for Reticulum. It is therefore trivial to tunnel Reticulum over the Internet or private IP networks. Having no dependencies on traditional networking stacks frees up overhead that has been used to implement a networking stack built directly on cryptographic principles, allowing resilience and stable functionality, even in open and trustless networks. No kernel modules or drivers are required. Reticulum runs completely in userland and can run on practically any system that runs Python 3.
Golem is a demonstration of how to distribute content over ActivityPub securely over peer to peer networks.
The problems this demo is trying to address are:
By encrypting the file and splitting it into chunks distributed through the network, sharing the decryption key only with the intended recipient, and using a URI scheme that captures the appropriate information, we can accomplish all of the above. Golem uses the magenc extension of the magnet URI scheme to do so.
This site focuses on the security of routers. This includes both configuration changes to make a router more secure and picking a router that is more secure out of the box.
After some huge router flaws, affecting millions of routers, caught my attention, I started following the topic more closely. As a Defensive Computing guy, I eventually realized that I needed to upgrade my own router security and get more up to speed on the topic. After all, if a router gets infected with malware, or re-configured in a malicious way, most people would never know. There is no anti-virus software for routers.
RACE is an open source project aimed at developing technologies to provide metadata-anonymous, secure, and resilient messaging for users around the world. RACE provides anonymity by routing messages through an overlay network of volunteer servers using cryptographic algorithms that prevent a malicious subset of these servers from determining who is messaging whom. RACE uses specialized networking protocols to prevent connections between individual members of the network from being detected or blocked. RACE is built to run in a Dockerized Linux environment and on Android devices.
This document defines the FediE2EE-PKD (Fediverse End-to-End Encryption Public Key Directory), which consists of ActivityPub-enabled directory server software, a protocol for communicating with the directory server, and integration with a transparent, append-only data structure (e.g., based on Merkle trees).
CryFS encrypts your files, so you can safely store them anywhere. It works well together with cloud services like Dropbox, iCloud, OneDrive and others. Easy to set up and works with a lot of cloud storage providers. It runs in the background - you won't notice it when accessing your files in your daily workflow. Your data only leaves your computer in encrypted form. File contents, metadata and directory structure are all secure from someone who hacked your cloud. Released under LGPL.
Can be used locally but that's not its primary use case.
Two directories: A basedir that holds the encrypted files, and a mountdir which you interact with. The basedir is what gets stored remotely, synced, or whatever. Note: Not safe for concurrent access!
Files are split into equal size blocks, encrypted individually. Metadata and directory structures are also represented as those blocks for obfuscation. Block cipher used, random key generated, key encrypted with passphrase.
In Apt, Pacman, Homebrew, Nix repositories.
Default encryption algorithm: XChaCha20-Poly1305, scrypt for key derivation.
GitHub: https://github.com/cryfs/cryfs
Poezio is a free console XMPP client (the protocol on which the Jabber IM network is built). Its goal is to let you connect very easily (no account creation needed) to the network and join various chatrooms, immediately. It tries to look like the most famous IRC clients (weechat, irssi, etc). Many commands are identical and you won't be lost if you already know these clients. Configuration can be made in a configuration file or directly from the client. You'll find the light, fast, geeky and anonymous spirit of IRC while using a powerful, standard and open protocol.
Says it can even be used without an account. Maybe link-layer chat via mDNS?
The first messaging platform operating without user identifiers of any kind - 100% private by design! iOS, Android and desktop apps! The channel through which you share the link does not have to be secure - it is enough that you can confirm who sent you the message and that your SimpleX connection is established.
SimpleX is a client-server network with a unique network topology that uses redundant, disposable message relay nodes to asynchronously pass messages via unidirectional (simplex) message queues, providing recipient and sender anonymity.
Unlike P2P networks, all messages are passed through one or several server nodes that do not even need to have persistence. In fact, the current SMP server implementation uses in-memory message storage, persisting only the queue records. SimpleX provides better metadata protection than P2P designs, as no global participant identifiers are used to deliver messages, and avoids the problems of P2P networks.
Unlike federated networks, the server nodes do not have records of the users, do not communicate with each other and do not store messages after they are delivered to the recipients. There is no way to discover the full list of servers participating in the SimpleX network. This design avoids the problem of metadata visibility that all federated networks have and better protects against network-wide attacks.
This is a free communication tool that is designed for simplicity, privacy, and security. All interaction between you and your online peers is encrypted. There is no record of your conversation once you all leave.
Serverless, decentralized, ephemeral. Peer to peer whenever possible. Explicitly designed to be self-hostable. Public and private rooms. Audio and video chat. File transfer.
The purpose of the cable wire protocol is to facilitate the members of a group chat to exchange cryptographically signed documents with each other, such as chat messages, spread across various user-defined channels.
A list of public attacks on BitLocker. Any public attack with the potential to attack BitLocker but where the exact method is still not public (like baton drop) is out of scope.
Most of the attacks are for where the VMK is sealed by TPM only, which is the default setting, and is what automatic BitLocker uses alongside recovery key escrow to a Microsoft account.
Crack legacy zip encryption with Biham and Kocher's known plaintext attack.
A ZIP archive may contain many entries whose content can be compressed and/or encrypted. In particular, entries can be encrypted with a password-based symmetric encryption algorithm referred to as traditional PKWARE encryption, legacy encryption or ZipCrypto. This algorithm generates a pseudo-random stream of bytes (keystream) which is XORed with the entry's content (plaintext) to produce encrypted data (ciphertext). The generator's state, made of three 32-bit integers, is initialized using the password and then continuously updated with plaintext as encryption goes on. This encryption algorithm is vulnerable to known plaintext attacks as shown by Eli Biham and Paul C. Kocher in the research paper A known plaintext attack on the PKZIP stream cipher. Given ciphertext and 12 or more bytes of the corresponding plaintext, the internal state of the keystream generator can be recovered. This internal state is enough to decipher the ciphertext entirely as well as other entries which were encrypted with the same password. It can also be used to brute-force the password with a complexity of n^(l-6), where n is the size of the character set and l is the length of the password.
A software (and optionally, hardware) project for automating the creation of offsite backups on flash drives. The idea is that you have a large-ish flash drive on your keyring; when you take your keys out of your pocket, plug the flash drive into the device. The specific use case is a hanging key holder with a RasPi inside of it. The files in the backup script are automatically encrypted and copied onto the flash drive. That way, if anything happens while you're out and about you have the latest and greatest copies of the files already with you.
Many common and unusual algorithms, implemented in Python as learning exercises. If you want to get a sense of what, say, data structures or fuzzy logic would look like in Python, this is a good place to start.
Yopass is a project for sharing secrets in a quick and secure manner. The sole purpose of Yopass is to minimize the amount of passwords floating around in ticket management systems, Slack messages and emails. The message is encrypted/decrypted locally in the browser and then sent to Yopass without the decryption key, which is only visible once during encryption; Yopass then returns a one-time URL with a specified expiry date.
There is no perfect way of sharing secrets online and there is a trade-off in every implementation. Yopass is designed to be as simple and "dumb" as possible without compromising on security. There's no mapping between the generated UUID and the user that submitted the encrypted message. It's always best to send all the context except the password over another channel.
Messages can only be viewed once. Messages can self-destruct automatically. No accounts or registration are required.
Has CLI functionality built in.
Uses memcached or redis as its back-end.
Public instance: https://yopass.se/