DigitalReplica The impact of security, privacy and technology on our daily lives

Privacy from corporate data gathering

Corporate data gathering of consumers private information has exploded over the last few years. The new normal seems to require registration to use any website, device or app. The company almost always wants your name and email, and some require address, phone number and credit card as well. After you provide that information your usage is tracked and data mined for corporate profits. Online privacy is becoming scarce (if not non-existent).

This article offers a practical guide to opt out of this pervasive data gathering by setting up an alternate online identity. Companies get something to track. You get to use their awesome service and you get to preserve at least some of your privacy.

Purism Librem 13 Laptop Review

As a security and privacy advocate wanting a new laptop, much time and research was needed to settle on what I wanted. I bought a Purism Librem 13 running Qubes OS. While this is definitely not the setup for everyone, it is worth considering if you’re worried about privacy and have any kind of Linux experience.

So this is a review of the Librem 13 running Qubes with a bundle of setup notes and impressions.

OpenLDAP for LDAP Plain Text Password Capture

How to set up a malicious ldap server to capture credentials on a pentest.

I recently tested an application using LDAP to connect to Active Directory to perform queries. The app had valid AD credentials and I wanted to steal them. I couldn’t grab the credentials directly, but I could change some of the app configuration, including the IP address of the LDAP server to connect to. That led to “Let’s set up a malicious LDAP server to capture credentials!”

There is no metasploit capture ldap module :-( and I didn’t have the time to write one. OpenLDAP does support unencrypted, plaintext authentication, but the instructions for setting that up are non-existent. So I documented as I went to make this post.

All testing was done using Kali Linux, so it’s easy to add to a pentest setup.

Using the Pocket Internet Privacy Shield

In my previous post, I described how to install a Pocket Internet Privacy Shield. It uses a cheap TP-Link pocket router, OpenWRT and a privacy VPN to protect your privacy on untrusted networks like hotels and coffee shops.

I had no idea the post would be as long as it was. I didn’t want people to have to scroll to the bottom just to read how to use the thing. So here’s the post on how to use the thing.

tplink running openwrt tplink running openwrt

Pocket Internet Privacy Shield

When I travel, the thought of using the Internet in hotels and such leaves me feeling gross and paranoid that someone can see what I’m doing. As a penetration tester who hacks people this way, and seeing how awful some hotel Internet setups are, I feel pretty justified in my paranoia.

So I wanted to make a hardware-based device that was cheap, easy to use and effective at protecting my privacy in not-quite-trustworthy networks. Here’s what I made with step-by-step instructions on making your own.

tplink running openwrt