cyph3rPunk

joined 2 years ago
16
PassLok Image Steganography - F. Ruiz [ForenSecure 2017] (prod.outgoing.prod.webservices.mozgcp.net)
submitted 2 years ago* (last edited 2 years ago) by cyph3rPunk to c/cypherpunk
 

Developer Comments:

“This algorithm was presented at the ForenSecure 2017 conference on cybersecurity and forensics. The experts attending were not particularly happy after the talk, for their job of trying to detect hidden data had suddenly become quite a bit harder. One year later, I realized the general public might want to check out what it can do, hence this addon.”

PassLok stego is based on the F5 algorithm by Andreas Westfeld (2001), described at https://www2.htw-dresden.de/~westfeld/publikationen/21370289.pdf, and extends it to PNG images as well. In addition, PassLok does some simple tricks to preserve the DCT AC coefficient histogram almost perfectly, making it even harder to detect than F5.

 

Features

UnixPorn at its core

PwNixOS places a strong emphasis on delivering a top-notch graphical experience by providing a visually appealing and productivity-focused interface.

Hacking Tools

PwNixOS offers a wide array of tools and utilities out of the box to support your hacking endeavors. From advanced network analysis and penetration testing tools to powerful scripting languages and development environments, PwNixOS equips you with the necessary arsenal to explore and manipulate computer systems to your heart's content.

Package Management with Nix

One of the standout features of NixOS is its unique package management system called Nix. With Nix, you can easily install, update, and manage software packages on your system. What makes Nix special is its ability to provide isolated and reproducible environments for each package, ensuring that software installations do not interfere with one another. This allows for painless experimentation and easy rollback to previous configurations.

Declarative Configuration

NixOS follows a declarative approach to system configuration. Instead of making changes directly to the system, you define the desired state of your system in a configuration file or flake (like this one). This configuration specifies all the packages, services, and settings you want, providing a clear and reproducible blueprint for your system. This declarative nature simplifies system administration, enables easy replication of configurations across multiple machines, and facilitates version control of your system setup.

Custom packages

This flake has custom hacking tools that are uploaded to the NUR. The purpose of these tools is to fill in the gaps that exist today in the official repositories and create a full arsenal of tools, with well-known tools such as BloodHound and lesser-known tools such as psudohash.

 

The moderator/host of this instance has a great podcast about infosec.

Episode 18: Mastodon & Cyber-success w/ @rebootkid - Recorded on December 30, 2022

 

Edgar Cervantes / Android Authority

TL;DR

  • Code within the official Reddit app suggests that the company is working on a Contributor program.

  • Redditors in the US could earn real money for the gold and karma that their posts and comments receive.

  • This will likely be subject to minimum withdrawal thresholds.

Reddit has been in the news recently for its API changes that killed popular Reddit apps and the subreddit protests that followed the announcement. The company believes the official Reddit app is all you need for a great community experience. We say the Reddit app is good for giving us a sneak peek at what the company is working on. In the near future, Reddit could introduce a Contributor program that will reward community contributors with real-world money.

An APK teardown helps predict features that may arrive on a service in the future based on work-in-progress code. However, it is possible that such predicted features may not make it to a public release.

Reddit v2023.27.0 for Android includes code that suggests that the online community platform is looking for ways to incentivize the community to be more proactive. Similar to how other platforms reward creators, Reddit could be exploring ways that would let community members convert the gold and karma they have received from other community members into real-world money that they can cash out. Check out the references below.

Code

Fake internet points are finally worth something! Now redditors can earn real money for their contributions to the Reddit community, based on the karma and gold they've been given. How it works:

  • Redditors give gold to posts, comments, or other contributions they think are really worth something.
  • Eligible contributors that earn enough karma and gold can cash out their earnings for real money.
  • Contributors apply to the program to see if they're eligible.
  • Top contributors make top dollar. The more karma and gold contributors earn, the more money they can receive.

The code suggests that the program will initially have two tiers: Contributor and Top Contributor. Top Contributors will have better rates.

Further, from what we can discern, the payout could use Reddit gold as a currency, while the karma accumulated could be used to improve the rate of exchange for Reddit gold into real-world money (possibly USD). Note that the community itself passes around Reddit gold and karma to each other. Reddit gold is purchased with real-world money, while karma is a net figure of upvotes and downvotes on comments and posts.

Before you get too excited, the program appears to have some constraints around eligibility:

Code

Not just anyone can be a contributor. To join and stay in the program, contributors need to meet a few requirements:

  • Be over 18 and live in the U.S.
  • Only Safe for Work contributions qualify
  • Earn xx gold and karma each month
  • Provide verification information. You must have at least 10 gold and 100 karma to begin verification.
  • NSFW accounts aren't eligible for the Contributors Program

With a threshold of 10 gold and 100 karma for verification, the bare minimum is set at a high enough point to not be easy to game. Contributors will have to further earn an unspecified number of gold and karma each month to be eligible for payouts within the program.

Here is what could be the necessary information needed for verification:

Code

Provide the following information to get verified for the program and start earning:

  • Email
  • Personal Information
  • Tax and bank account information

The verification appears to be powered by Persona and Stripe.

Code

Once you hit the payment threshold, you'll automatically be paid out via your Stripe account.

  • Approximate calculation before fees. Exchange rate and payment thresholds are subject to change.

The payout threshold is not mentioned within the code, and neither is the monthly gold and karma requirement for being part of the contributor program.

Curiously, unlike the creator programs of other social platforms, Reddit’s purported Contributor Program will be routing community-purchased gold and karma back into the community. We could not locate any mentions of Contributors receiving any part of ad or subscription revenue from the platform, which is usually how the creator programs of other platforms work. In effect, the community would be incentivizing the community.

Note that the program, so far, does not explicitly mention any community moderators within its ambit, and no incentives have been carved out for them. However, since Reddit has not made any official announcements, things could change by the time the program goes live.

We’ve reached out to Reddit for comments and more information. We’ll update the article when we hear back from them.

19
Crypto Anarchy Wiki (cryptoanarchy.wiki)
submitted 2 years ago by cyph3rPunk to c/cypherpunk
 

Crypto Anarchy: Encryption, digital money, anonymous networks, digital pseudonyms, zero knowledge, reputations, information markets, black markets, collapse of governments.

 

Stablecoins are a tough puzzle to solve. This algo-stablecoin has been functioning without issue for more than 2 years now.

9
submitted 2 years ago* (last edited 2 years ago) by cyph3rPunk to c/blockchainvoting@lemmy.world
 

This seems to be one of the only serious, open source, decentralized attempts at liquid democracy in the cryptoverse.

What does the community think are the strengths and weaknesses of the way that the Cardano Foundation implemented this?

 

# RISC-V WILL STOP HACKERS DEAD FROM GETTING INTO YOUR COMPUTER

by: Brian Benchoff

The greatest hardware hacks of all time were simply the result of finding software keys in memory. The AACS encryption debacle — the 09 F9 key that allowed us to decrypt HD DVDs — was the result of encryption keys just sitting in main memory, where they could be read by any other program. DeCSS, the hack that gave us all access to DVDs, was again the result of encryption keys sitting out in the open.

Because encryption doesn’t work if your keys are just sitting out in the open, system designers have come up with ingenious solutions to prevent evil hackers from accessing these keys. One of the best solutions is the hardware enclave, a tiny bit of silicon that protects keys and other bits of information. Apple has an entire line of chips, Intel has hardware extensions, and all of these are black box solutions. They do work, but we have no idea if there are any vulnerabilities. If you can’t study it, it’s just an article of faith that these hardware enclaves will keep working.

Now, there might be another option. RISC-V researchers are busy creating an Open Source hardware enclave. This is an Open Source project to build secure hardware enclaves to store cryptographic keys and other secret information, and they’re doing it in a way that can be accessed and studied. Trust but verify, yes, and that’s why this is the most innovative hardware development in the last decade.

WHAT IS AN ENCLAVE?

Although a somewhat new technology, processor enclaves have been around for ages. The first one to reach the public consciousness would be the Secure Enclave Processor (SEP) found in the iPhone 5S. This generation of iPhone introduced several important technological advancements, including Touch ID, the innovative and revolutionary M7 motion coprocessor, and the SEP security coprocessor itself. The iPhone 5S was a technological milestone, and the then-new SEP stored fingerprint data and cryptographic keys beyond the reach of the actual SOC found in the iPhone.

The iPhone 5S SEP was designed to perform secure services for the rest of the SOC, primarily relating to the Touch ID functionality. Apple’s revolutionary use of a secure enclave processor was extended with the 2016 release of the Touch Bar MacBook Pro and the use of the Apple T1 chip. The T1 chip was again used for TouchID functionality, and demonstrates that Apple is the king of vertical integration.

But Apple isn’t the only company working on secure enclaves for their computing products. Intel has developed the SGX extension which allows for hardware-assisted security enclaves. These enclaves give developers the ability to hide cryptographic keys and the components for digital rights management inside a hardware-protected bit of silicon. AMD, too, has hardware enclaves with the Secure Encrypted Virtualization (SEV). ARM has Trusted Execution environments. While the Intel, AMD, and ARM enclaves are bits of silicon on other bits of silicon — distinct from Apple’s approach of putting a hardware enclave on an entirely new chip — the idea remains the same. You want to put secure stuff in secure environments, and enclaves allow you to do that.

Unfortunately, these hardware enclaves are black boxes, and while they do provide a small attack surface, there are problems. AMD’s SEV is already known to have serious security weaknesses, and it is believed SEV does not offer protection from malicious hypervisors, only from accidental hypervisor vulnerabilities. Intel’s Management Engine, while not explicitly a hardware enclave, has been shown to be vulnerable to attack. The problem is that these hardware enclaves are black boxes, and security through obscurity does not work at all.

THE OPEN SOURCE SOLUTION

At last week’s RISC-V Summit (December 2018), researchers at UC Berkeley released their plans for the Keystone Enclave, an Open Source secure enclave based on the RISC-V (PDF). Keystone is a project to build a Trusted Execution Environment (TEE) with secure hardware enclaves based on the RISC-V architecture, the same architecture that’s going into completely Open Source microcontrollers and (soon) Systems on a Chip.

The goals of the Keystone project are to build a chain of trust, starting from a silicon Root of Trust stored in tamper-proof hardware. This leads to a Zeroth-stage bootloader and a tamper-proof platform key store. Defining a hardware Root of Trust (RoT) is exceptionally difficult; you can always decapsulate silicon, you can always perform some sort of analysis on a chip to extract keys, and if your supply chain isn’t managed well, you have no idea if the chip you’re basing your RoT on is actually the chip in your computer. However, by using RISC-V and its Open Source HDL, this RoT can at least be studied, unlike the black box solutions from Intel, AMD, and ARM vendors.

The current plans for Keystone include memory isolation, an open framework for building on top of this security enclave, and a minimal but Open Source solution for a security enclave.

Right now, the Keystone Enclave is testable on various platforms, including QEMU, FireSim, and on real hardware with the SiFive Unleashed. There’s still much work to do, from formal verification to building out the software stack, libraries, and adding hardware extensions.

This is a game changer for security. Silicon vendors and designers have been shoehorning hardware enclaves into processors for nearly a decade now, and Apple has gone so far as to create their own enclave chips. All of these solutions are black boxes, and there is no third-party verification that these designs are inherently correct. The RISC-V project is different, and the Keystone Enclave is the best chance we have for creating a truly Open hardware enclave that can be studied and verified independently.

 

When quantum computers become powerful enough, they could theoretically crack the encryption algorithms that keep us safe. The race is on to find new ones.

By Tammy Xu

Cryptographic algorithms are what keep us safe online, protecting our privacy and securing the transfer of information.

But many experts fear that quantum computers could one day break these algorithms, leaving us open to attack from hackers and fraudsters. And those quantum computers may be ready sooner than many people think.

That’s why there is serious work underway to design new types of algorithms that are resistant to even the most powerful quantum computer we can imagine.

What do these algorithms even do?

Cryptographic algorithms turn readable data into a secret, unreadable form so it can be safely shared on the open internet. They are used to secure all types of digital communication, like traffic on websites and the content of emails, and they are necessary for basic privacy, trust, and security on the web. There are several types of standard cryptographic algorithms widely used today, including symmetric-key and public-key algorithms.

Symmetric-key encryption is what people usually think of as encryption. It allows data and messages to be scrambled using a “key” so they are indecipherable to anyone without the key. It’s commonly used for securing sensitive data stored in databases or hard drives. Even data breaches that compromise databases full of sensitive user information aren’t as bad if the underlying data is encrypted—hackers may get the encrypted data, but there’s still no way to read it.

Public-key algorithms are important too. They help get around the fundamental drawback of symmetric-key encryption, which is that you need a secure way to share symmetric keys in the first place. Public-key algorithms use a set of two keys, one that is privately kept by the recipient and one that is made public.

Anyone can use the receiver’s public key to scramble data, which only the receiver can unscramble using the private key. This method can be used to transfer symmetric keys and can even be used in reverse for digital signatures—because private keys are unique to the receiver, receivers can use them to validate their identity.

Why do these algorithms need to be quantum resistant?

Cryptographic algorithms are able to keep data secret because they are mathematically intensive to break. It would take a modern computer trillions of years to break just one set of encryption keys using brute force.

But in the 1990s, before quantum computers were ever seriously talked about, mathematician Peter Shor discovered that the way a theoretical quantum computer would work happened to line up particularly well with cracking the kind of math used in public-key encryption.

Although no quantum computer existed at the time, other mathematicians were able to confirm that Shor’s Algorithm, as it became known, could theoretically be used by such computers to break public-key encryption. Now it’s widely accepted that once a working quantum computer with enough processing power is built, the algorithms we rely on today for public-key encryption will be easily breakable. The National Institute of Standards and Technology (NIST) predicts that quantum computers that can do this may be ready in just 10 to 20 years.

Luckily, symmetric-key encryption methods are not in danger because they work very differently and can be secured by simply increasing the size of the keys they use—that is, unless mathematicians can come up with a way for quantum computers to break those as well. But even increasing the key size can’t protect existing public-key encryption algorithms from quantum computers. New algorithms are needed.

What are the repercussions if quantum computers break encryption we currently use?

Yeah, it’s bad. If public-key encryption were suddenly broken without a replacement, digital security would be severely compromised. For example, websites use public-key encryption to maintain secure internet connections, so sending sensitive information through websites would no longer be safe. Cryptocurrencies also depend on public-key encryption to secure their underlying blockchain technology, so the data on their ledgers would no longer be trustworthy.

There is also concern that hackers and nation-states might be hoarding highly sensitive government or intelligence data—data they can’t currently decipher—in order to decrypt it later once quantum computers become available.

How is work on quantum-resistant algorithms progressing?

In the US, NIST has been looking for new algorithms that can withstand attacks from quantum computers. The agency started taking public submissions in 2016, and so far these have been narrowed down to four finalists and three backup algorithms. These new algorithms use techniques that can withstand attacks from quantum computers using Shor’s Algorithm.

Project lead Dustin Moody says NIST is on schedule to complete standardization of the four finalists in 2024, which involves creating guidelines to ensure that the new algorithms are used correctly and securely. Standardization of the remaining three algorithms is expected in 2028.

The work of vetting candidates for the new standard falls mostly to mathematicians and cryptographers from universities and research institutions. They submit proposals for post-quantum cryptographic schemes and look for ways to attack them, sharing their findings by publishing papers and building on each other’s different methods of attack.

In this way, they slowly weed out candidates that are successfully attacked or shown to have weaknesses in their algorithm. A similar process was used to create the standards we currently use for encryption.

However, there are no guarantees that a new type of clever quantum attack, or perhaps even conventional attack, won’t someday be discovered that can break these new algorithms.

“It’s impossible to prove that you can’t break it—the nonexistence of a mathematical algorithm is hard to impossible to prove,” says cryptographer Thomas Decru. But “if something stands the test of time in the world of cryptography, the trust grows.”
