I'm sure that, like me, you were asked to put your USB drive in an unknown device... and then the doubt: What happened to my poor dongle, behind the scene? Stealing my files? Encrypting them? Or just installing a malware? With USBvalve you can spot this out in seconds: built on super cheap off-the-shelf hardware you can quickly test any USB file system activity and understand what is going on before it's too late!
With USBvalve you can have an immediate feedback about what happen to the drive; the screen will show you if the fake filesystem built on the device is accessed, read or written.
Since 2014, Operation Safe Escape has been working with survivors of domestic violence, stalking, and harassment to help them find safety and freedom.
Operation Safe Escape is a 501c3 nonprofit organization, founded in 2016 with a single goal: to make sure that every person impacted by domestic violence has the resources, information, and confidence that they need to leave their abuser and stay safe once they do. We are an organization of security and safety professionals, volunteering our time and expertise to help people stay safe and live their best lives. And we do it all for free. We don’t change you to help you protect yourselves or your clients. We don’t change the people that come to us for help. We don’t make a profit, we’re just here because we want to help. We have experts in computer and mobile device security, forensics, physical security, tech support, OPSEC, OSINT, and online privacy.
We’ve participated in over 3,000 successful escapes, and we’re a trauma informed / survivor-centric organization. Every one of our volunteers have thorough background checks; safety and trust is paramount to us. We have over 100 volunteers with backgrounds in law enforcement, military, technology, advocacy, and other relevant skills that we can provide to your organization. No matter how skilled or knowledgeable the abuser or stalker is, we’re stronger when we all work together.
Privastead is a privacy-preserving home security camera solution that uses end-to-end encryption. It has three key benefits: End-to-end encryption using the OpenMLS implementation of the Messaging Layer Security (MLS) protocol. Software-only solution that works with existing IP cameras with minimal trust assumptions about the IP camera. Rust implementation (camera hub, MLS code for the mobile app, and untrusted server).
The Privastead camera solution has three components: A camera hub, which runs on a local machine and directly interacts with IP camera(s). A mobile app that allows one to receive event notifications (e.g., motion) as well as livestream the camera remotely. An untrusted server that relays (encrypted) messages between the hub and the app. In addition, Privastead uses the Google Firebase Cloud Messaging (FCM) for notifications. Similar to the server, FCM is untrusted.
Another modern C compiler. It has a heap system that is a cross between an automatically-free-system and a reference-counted GC, and includes a collection library and a string library. In debug mode, we add as many memory-safe features as possible to the C language. It actively tries to detect memory leaks; it also makes the claim that it has no memory leaks, seeing as how it's self-hosted (which means that it can compile itself).
Requires clang, make, autoconf, valgrind, gdb, lldb, musl-dev (alpine linux), and pcre-dev.
Supports Linux, MacOS (Darwin), iSH (iPhone), termux (Android) userland (Android), and Raspberry Pi.
The syntax is almost the same as C language. It may not be POSIX compliant. If you do not #include <neo-c.h>, you can use it as a normal C compiler.
I recently needed to go on holiday, and was staying in a hotel with WiFi. Out of an abundance of paranoia, I decided to try setup a “router” that could sit between my devices and the hotel network.
Requires a USB wifi NIC in addition because the Pi has only one wireless interface.
I don't know why they needed to name a travel router this, but whatever.
EFF’s Street-Level Surveillance project shines a light on the surveillance technologies that law enforcement agencies routinely deploy in our communities. These resources are designed for advocacy organizations, journalists, defense attorneys, policymakers, and members of the public who often are not getting the straight story from police representatives or the vendors marketing this equipment.
Whether it’s phone-based location tracking, ubiquitous video recording, biometric data collection, or police access to people’s smart devices, law enforcement agencies follow closely behind their counterparts in the military and intelligence services in acquiring privacy-invasive technologies and getting access to consumer data. Just as analog surveillance historically has been used as a tool for oppression, we must understand the threat posed by emerging technologies to successfully defend civil liberties and civil rights in the digital age.
Imports vulnerability data from your continual monitoring and scanning infrastructure and does all the legwork of documenting, finding references, mapping to CVEs, and so forth.
Faraday aggregates and normalizes the data you load, allowing exploring it into different visualizations that are useful to managers and analysts alike.
Uses Postgres as its back-end.
This is a playground (and dump) of stuff I made, modified, researched, or found for the Flipper Zero.
There's a lot of everything in here, from customized apps, BadUSB scripts, hardware specs for modders, GPIO interface shenanagains and interface pinouts, hardware troubleshooting, sound and music stuff, and sub-GHz captures and dissections for just about everything. It's an impressive collection.
Hummusec's port of Samy's magspoof software to the Flipper Zero firmware platform.
This is for anyone who seeks to enhance their digital hygiene and security in light of anticipated or existing threats, but it is especially designed for women, Black, indigenous, and people of color, trans people, and everyone else whose existing oppressions are made worse by digital violence. It details best security practices for social media, email, online gaming, website hosting, and protecting privacy of personal information online, as well as the documentation and reporting of harassment, and caring for yourself emotionally during an online attack. You don’t need any specialized knowledge to use this guide – just basic computer and internet skills.
The authors of the guide have all been targets of cyber attacks ourselves; we’ve written the guide we needed when the attacks on us began. We’re all based in the USA, but we’ve done our best to make it useful no matter where you live.
Threat Modeling is the process of building and analyzing representations of a system to highlight concerns about security characteristics.
Threat Modeling is a pro-active and iterative approach for identifying security issues and reducing risk. The output of a threat modeling exercise is a list of threats - or even better - risks, that further inform decisions in the continued operation of the system. This process can be performed prior to any code written or infrastructure deployed. This makes it very efficient in identifying potential threats, vulnerabilities and risks.
Large data-hungry corporations dominate the digital world but with little, or no respect for your privacy. Migrating to open-source applications with a strong emphasis on security will help stop corporations, governments, and hackers from logging, storing or selling your personal data.
Yopass is a project for sharing secrets in a quick and secure manner*. The sole purpose of Yopass is to minimize the amount of passwords floating around in ticket management systems, Slack messages and emails. The message is encrypted/decrypted locally in the browser and then sent to yopass without the decryption key which is only visible once during encryption, yopass then returns a one-time URL with specified expiry date.
There is no perfect way of sharing secrets online and there is a trade off in every implementation. Yopass is designed to be as simple and "dumb" as possible without compromising on security. There's no mapping between the generated UUID and the user that submitted the encrypted message. It's always best send all the context except password over another channel.
Messages can only be viewed once. Message can self-destruct automatically. No accounts or registration is required.
Has CLI functionality built in.
Uses memcached or redis as its back-end.
Public instance: https://yopass.se/
CORS (Cross-Origin Resource Sharing) is hard. It's hard because it's part of how browsers fetch stuff, and that's a set of behaviours that started with the very first web browser over thirty years ago. Since then, it's been a constant source of development; adding features, improving defaults, and papering over past mistakes without breaking too much of the web.
Anyway, I figured I'd write down pretty much everything I know about CORS, and to make things interactive, I built an exciting new app.
A password manager/generator that takes a master password, a URL, a username, and optionally a serial number (for when you have to change passwords) and (re)generates the password for you. Requires no database or third party storage - the right password is always generated for you. Desktop versions, browser plugins, and a cli tool.
No notepad feature, so no storing your 2fa recovery codes there.
The number of IMSI-catchers (rogue cell towers) has been steadily increasing in use by hackers and governments around the world. Rogue cell towers, which can be as small as your home router, pose a large security risk to anyone with a phone. If in range, your phone will automatically connect to the rogue tower with no indication to you that anything has happened. At that point, your information passes through the rogue tower and can leak sensitive information about you and your device. Currently, there are no easy ways to protect your phone from connecting to a rogue tower (aside from some Android apps which are phone specific and require root access).
This project demonstrates how you can create a rogue cell tower detector using a Raspberry Pi and a SIM 900 module. The detector can identify rogue towers and triangulate their location. The demonstration uses a SIM 900 GSM module to fingerprint each cell tower and determine the signal strength of each tower relative to the detector.
Tools, scripts and tips useful during Penetration Testing engagements.
The mission of the CVE Program is to identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There is one CVE Record for each vulnerability in the catalog. The vulnerabilities are discovered then assigned and published by organizations from around the world that have partnered with the CVE Program. Partners publish CVE Records to communicate consistent descriptions of vulnerabilities. Information technology and cybersecurity professionals use CVE Records to ensure they are discussing the same issue, and to coordinate their efforts to prioritize and address the vulnerabilities.
The CSRC provides a searchable database of resources on the topic of counter-surveillance, with a focus on targeted surveillance against people who have things to hide. We want to help anarchists and other rebels acquire a practical understanding of the surveillance threats they may face in their struggles and in their lives. We prefer resources written by friends and understandable without prior technical knowledge.
A curated checklist of tips to protect your digital security and privacy.