#archiveteam-ot 2019-05-26,Sun

↑back Search

Time Nickname Message
00:08 🔗 BlueMax has joined #archiveteam-ot
01:29 🔗 icedice has joined #archiveteam-ot
01:33 🔗 icedice So I did a system restore with a two day old restore point and I still have Windows updates that I installed earlier today and a software I uninstalled yesterday is not back. To me it looks like nothing happened or did Windows 10 do it's job right?
01:50 🔗 DogsRNice has quit IRC (Quit: Leaving)
03:46 🔗 icedice has quit IRC (Quit: Leaving)
03:48 🔗 odemg has quit IRC (Ping timeout: 265 seconds)
03:55 🔗 kyonko has quit IRC (Read error: Connection reset by peer)
04:00 🔗 odemg has joined #archiveteam-ot
04:00 🔗 odemg has quit IRC (Connection closed)
04:50 🔗 dhyan_nat has joined #archiveteam-ot
05:19 🔗 Mateon1 has quit IRC (Ping timeout: 360 seconds)
05:19 🔗 Mateon1 has joined #archiveteam-ot
06:06 🔗 Zerote has joined #archiveteam-ot
06:31 🔗 Fusl has quit IRC (Excess Flood)
06:32 🔗 Fusl has joined #archiveteam-ot
07:13 🔗 Zerote has quit IRC (Ping timeout: 604 seconds)
07:26 🔗 Zerote has joined #archiveteam-ot
08:42 🔗 Elections is now known as vidsandwe
09:16 🔗 schbirid has joined #archiveteam-ot
09:18 🔗 Despatche has quit IRC (Quit: Read error: Connection reset by deer)
10:13 🔗 BlueMax has quit IRC (Quit: Leaving)
11:22 🔗 icedice has joined #archiveteam-ot
11:26 🔗 icedice So I chatted with some Windows expert on Discord and he recommends that I wipe and reinstall everything, including the non-system drives that I use for file storage that are not fully backed up since there's no way to tell if Windows Firewall blocked the whole malware attack and if the malware only targets the system or also goes after non-system stuff. He also told me not to connect my external backup HDD to the computer before everything has
11:26 🔗 icedice been wiped.
11:27 🔗 icedice What if I put a Linux distro on a USB, boot into it, and use that to back up the stuff from the other drives that aren't backed up to my external HDD? That would eliminate the risk of the external HDD possibly being infected by the system. The only remaining risk would be if any files have been maliciously changed and that could be checked on all of the already backed up files - i.e. the majority of files - using a file diff utility. If there
11:27 🔗 icedice are no changes on them there shouldn't be any changes on any of the newer files either.
11:29 🔗 Kaz boot to liveusb, mount your drives, copy the stuff you want, burn everything down
11:30 🔗 icedice Yeah
11:30 🔗 icedice Any Linux distro you recommend specifically?
11:31 🔗 icedice Linux can handle NTSF file transfers without errors, right?
11:31 🔗 Kaz ubuntu/debian are pretty idiotproof and have a big enough community that everything you run into will have a solution online
11:31 🔗 Kaz yeah it can do NTFS fine, can't remember if it's native or you need to install some extra stuff
11:32 🔗 icedice There's a native thing, but there's some third party package that does it better iirc
11:34 🔗 kiska I think its auto installed the package ntfs-3g I think...
11:35 🔗 kiska But yeah ubuntu/debian is pretty good for doing data recovery
11:35 🔗 icedice NTFS-3g
11:35 🔗 icedice ^ That's the one
11:35 🔗 kiska Oh hey I was right xD
11:36 🔗 icedice Should I go for Lubuntu or Xubuntu or can Ubuntu or Debian be run from a USB?
11:37 🔗 icedice Also would any USB 3 work well enough or should I get one with higher transfer speeds so that the liveusb runs well?
11:37 🔗 Kaz ubuntu will wori live
11:37 🔗 Kaz work*
11:39 🔗 icedice Ok
11:39 🔗 icedice Should I worry about exe and msi files on the non-system drives possibly being infected?
11:44 🔗 ivan why do you think you ran malware?
11:53 🔗 icedice ivan: I ran into malvertising on an out of date browser that might have run on admin privileges at the time while not having the May Windows updates installed and Windows Firewall popped up and the browser crashed.
11:55 🔗 icedice My restore point from two days ago seems to not work either (yeah, I am aware now that system restore is not a way to combat malware, but if it's not Windows 10 messing up with the system restore it might be the malware that messed it up
11:58 🔗 ivan wtf would you run a browser with admin privileges
12:00 🔗 ivan Event Log may have something around the time your browser crashed
12:00 🔗 ivan I guess you can also look in Windows Firewall for suspicious rules
12:01 🔗 icedice It was GetFLV, which is a video downloader that basically a browser
12:01 🔗 ivan youtube-dl?
12:01 🔗 icedice It has no adblocker and is always out of date
12:01 🔗 icedice GetFLV is for more hard to get stuff
12:02 🔗 ivan do you remember which thing prompted for firewall?
12:02 🔗 icedice Anyway, GetFLV is unknown to Windows 10, so that's what gave me the UAC prompt, which I filled in my password in by reflex
12:03 🔗 icedice I tried starting GetFLV later and looked at it in Taskmanager
12:03 🔗 icedice The username column was blank, it said neither admin nor my non-admin username
12:04 🔗 icedice So maybe it wasn't running on admin privileges? I don't know.
12:05 🔗 ivan if you run Task Manager without elevation you don't get to see most information about elevated processes
12:06 🔗 ivan UAC elevation typically doesn't change user, just admin privileges
12:06 🔗 ivan maybe you were changing user since you were typing a password though, dunno
12:06 🔗 icedice Ok
12:07 🔗 icedice I'll ask on the Microsoft Discord if going through the UAC prompt on not well-known software that doesn't require admin privileges launches it with admin privileges
12:08 🔗 icedice If so that would be pretty stupid, but hey, it's Microsoft, so anything is possible
12:08 🔗 ivan programs have to request elevation for the elevation thing to show up
12:10 🔗 icedice It didn't request elevation
12:10 🔗 icedice It was just Windows 10 basically going "idk, I haven't seen this stuff before. sure you want to run it?"
12:11 🔗 ivan oh, that's not elevation
12:11 🔗 icedice SWEET BABY JESUS
12:11 🔗 icedice That's good
12:15 🔗 ivan if you clicked through that said "changes to your device" I think that's elevated https://static1.squarespace.com/static/5065b792c4aac831ab26e463/t/58b43f1c03596e617b3e829e/1488207654767/
12:15 🔗 ivan also UAC still isn't a real security boundary afaik
12:15 🔗 icedice Nope, that wasn't it
12:16 🔗 icedice https://www.ghacks.net/2017/02/23/non-admin-accounts-mitigate-94-of-critical-windows-vulnerabilities/
12:18 🔗 icedice Hmm, not sure
12:18 🔗 icedice I'll reinstall GetFLV, run it, and screenshot the UAC prompt
13:10 🔗 icedice ivan: It looked like this: https://trendblog.net/wp-content/uploads/2017/06/15b_consentpromptbehavioruser_value_1.png
13:11 🔗 icedice https://trendblog.net/user-account-control-windows/
13:11 🔗 icedice "Prompt for credentials on the secure desktop. When an operation requires elevated privileges, you are prompted on the secure (dimmed) desktop to enter the user name and password for an administrator-level user."
13:11 🔗 icedice Well shit
14:24 🔗 schbirid surely there are escalation bugs?
14:24 🔗 schbirid burn that system
15:13 🔗 Zerote has quit IRC (Read error: Operation timed out)
15:30 🔗 icedice Yeah
15:44 🔗 icedice schbirid: Should I just burn the system or also the non-system drives that are used for file storage?
15:50 🔗 Despatche has joined #archiveteam-ot
15:57 🔗 Zerote has joined #archiveteam-ot
15:59 🔗 Fusl "chatted with some Windows expert on Discord and he recommends that I wipe and reinstall everything, including the non-system drives that I use for file storage"
15:59 🔗 Fusl sounds like a Windows noob that sells itself as expert
16:00 🔗 Fusl reinstalling windows is essentially just masking the problem and delaying everything further back by a few weeks until things are set back to where they have been at which point you're running into the same issues again.
16:02 🔗 Fusl i would agree on reinstalling windows if it fucked with your drivers so much where you can't easily pick them out of the system library or if you had an issue at one point where bad data was written to the disk that's now causing windows to keep printing error messages about random things
16:06 🔗 ealgase reinstalling windows is masking the problem because the fundamental problem *is windows*
16:18 🔗 icedice Fusl: Another user said that the Windows expert "is a huge nerd", so I guess he goes for then nuclear option when it comes to security. He is apparently also a moderator of the Discord server and a Windows Insider (i.e. unpaid bug tester)
16:19 🔗 Kaz every microsoft client is an unpaid bug tester
16:19 🔗 Fusl ^
16:19 🔗 Kaz some even pay for the privilege
16:19 🔗 icedice True lol
16:20 🔗 icedice ealgase: Yeah, Windows is problematic, but it should be fine as long as I wise up from now on.
16:20 🔗 Fusl what makes a windows expert a windows expert is to take a full memory dump of the entire kernel runtime, decompile that and look through it to figure out what the problem is
16:20 🔗 Fusl not "reinstall windows"
16:20 🔗 Kaz no Fusl, u just have to be a discord mod
16:21 🔗 icedice Yeah, I guess he was overreacting
16:21 🔗 Kaz the amount of MS MVP's that I've heard talking absolute shit is astounding
16:21 🔗 Fusl heck, even windows itself already comes with a lot of debugging tools itself but apparently "windows experts who are discord mods and huge nerds" don't know about that
16:22 🔗 icedice So you think it's safe to keep the non-system drives as they are now as long as I reinstall Windows 10?
16:22 🔗 Fusl icedice: none of your dependencies that windows relies on are on your non-system drives so yes, keeping them around won't harm anything
16:23 🔗 icedice He did have me look through Event Viewer, but I couldn't see anything there that would have been useful
16:23 🔗 icedice Yeah I figured
16:23 🔗 Fusl lol event viewer
16:23 🔗 Fusl dump the logbuffer from the disk and look through that
16:23 🔗 Fusl event viewer is trash
16:23 🔗 Fusl also
16:23 🔗 icedice I doubt that the malware appended malicious code to any of my non-system files
16:24 🔗 Fusl https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
16:24 🔗 Fusl https://www.resplendence.com/latencymon
16:24 🔗 Fusl https://www.resplendence.com/downloads
16:24 🔗 Fusl get sanit, afrz and wss
16:24 🔗 Fusl oh and mmon
16:25 🔗 Fusl resplendence tools for figuring out why windows is running slow or lagging
16:25 🔗 Fusl process explorer as an advanced task manager replacement
16:26 🔗 Fusl and that's your getting started on basic windows slowness debugging
16:27 🔗 Fusl_ sets mode: +o Fusl
16:30 🔗 icedice Ok, thanks
16:30 🔗 icedice Windows hasn't gotten slower for me since the malware incident though
16:32 🔗 icedice I had two USBs connected to the computer when the malware tried to get into the computer. I can plug those into other computers without worry, right?
16:33 🔗 icedice "let me put it this way, if a virus can bounce from one side of the world to the other over secure HTTPS and still infect you then in can most certainly jump from one local disk to the other"
16:33 🔗 Fusl as long as you have autorun disabled, which is the default, yes
16:33 🔗 icedice ^ that same guy
16:33 🔗 icedice Ok
16:34 🔗 icedice Is it possible that they could have been infected though?
16:34 🔗 Fusl that's certainly possible and i would not trust any applications installed on those disks
16:34 🔗 Fusl but files like as text files, pictures, etc. dont have an executable part
16:35 🔗 Fusl docx for example not so much because you can attach macros inside the docx that run when you open the file
16:43 🔗 icedice Does malware usually mess with non-system exe, msi, and dll files?
16:43 🔗 ealgase depends on the malware
16:43 🔗 ealgase sometimes it does, sometimes it doesn't
17:01 🔗 Dallas has joined #archiveteam-ot
17:03 🔗 schbirid uh fusl, if you go paranoid, then media files are a very worthy target for deploying further exploits
17:04 🔗 schbirid i doubt that it makes any sense to worry about that though
17:04 🔗 schbirid you should have backups of your media anyways
17:04 🔗 Fusl schbirid: you can very well add 0day exploits to media files but the attack surface is negligible
17:04 🔗 schbirid just compare hashes then
17:06 🔗 godane has quit IRC (Quit: Leaving.)
17:13 🔗 wp494 has quit IRC (Ping timeout: 615 seconds)
17:13 🔗 schbirid has quit IRC (Remote host closed the connection)
17:13 🔗 wp494 has joined #archiveteam-ot
17:23 🔗 godane has joined #archiveteam-ot
17:28 🔗 icedice schibirid: Yeah, I just remembered that I have a bunch of setups backed up on my external HDD
17:29 🔗 icedice So I can compare a few exe and msi files with HashCheck
17:30 🔗 icedice And for the majority of the files I can just have FreeFileSync look through them
17:30 🔗 icedice If the filesizes or last modified dates have changed on any of those hundreds of thousands of files FreeFileSync will let me know
17:31 🔗 icedice And if nothing fishy comes up I'll assume that the binary files that I haven't backed up yet haven't been affected by the malware
17:32 🔗 Fusl and for the future: always do backups. do encrypted backups on permanently detached drives and only connect and map the crypt device when you do another round of backups
17:32 🔗 icedice I have a backup
17:32 🔗 icedice It's just a few months old and hundreds of GB out of date
17:33 🔗 icedice Which is on me, I've been too worried about some other stuff to think of it
17:33 🔗 icedice I don't have that HDD encrypted though
17:33 🔗 icedice I figured there wasn't anything sensitive on it and I might forget the password
17:34 🔗 icedice The drive is only plugged in when I sync files though, so that's something I did right
17:35 🔗 Fusl for full paranoia and bonus points, have a NAS that does periodic snapshots of the filesystem and present the windows only the most recent writable state of that filesystem through NFS or SMB
17:35 🔗 icedice Does full drive encryption protect against ransomware btw?
17:36 🔗 Fusl yeah it does until you map the crypt drive and present it as decrypted drive to windows
17:37 🔗 icedice Ok, then I'll get another external HDD, encrypt it, transfer the files over from the first external HDD, and encrypt the first external HDD
17:37 🔗 icedice I was running out of space on the backup drive anyway
17:40 🔗 icedice Hmm
17:41 🔗 icedice There wouldn't be any ransomware protection in that though now that I think about it
17:41 🔗 icedice I still have to decrypt the drive to have it displayed in Windows
17:47 🔗 Kaz rotate your backup media
17:47 🔗 Kaz use different media types
17:50 🔗 icedice Different media types?
17:50 🔗 icedice I thought external HDDs were good enough?
17:50 🔗 icedice I can't afford SSDs at that size
17:50 🔗 icedice And I'm not sure what other media can hold that much data
17:51 🔗 icedice Well, maybe tape drives and Blu-rays, but that's even more expensive and inconvenient at that
17:52 🔗 Kaz online backup, offline backup (external HDDs) etc
17:57 🔗 icedice Right, online backup
17:57 🔗 icedice I guess I should get TransIP STACK
17:57 🔗 icedice https://www.transip.nl/stack/
18:29 🔗 Fusl https://wasabi.com is what i use for backups
18:29 🔗 Fusl as well as a server with lots of storage in an undisclosed location
18:29 🔗 Fusl only reachable through tor because paranoia
18:32 🔗 icedice Wasabi would cost me at least $29
18:33 🔗 icedice And it's in the US, so I might as well just email the NSA and ask if I can back up my stuff on their servers for free since that's where it would end up anyway lol
18:35 🔗 icedice Im might look into cheap dedicated servers and large VPS servers in the EU
18:35 🔗 icedice However, I'm a bit afraid of messing something up and bricking the server/VPS
18:36 🔗 icedice with all the data still on it
18:42 🔗 DogsRNice has joined #archiveteam-ot
19:05 🔗 Zerote_ has joined #archiveteam-ot
19:09 🔗 Zerote has quit IRC (Read error: Operation timed out)
19:22 🔗 Zerote__ has joined #archiveteam-ot
19:22 🔗 Zerote_ has quit IRC (Read error: Connection reset by peer)
19:40 🔗 JAA Is the Amsterdam location still not ready for Wasabi?
19:41 🔗 JAA Fusl: Backing up any significant amount of data through Tor sounds like a nightmare.
19:41 🔗 Fusl it's not with sequential streams
19:42 🔗 JAA Hmm yeah, I guess that makes sense.
19:47 🔗 Fusl and 100 mbit/s is my upload limit anyway
20:42 🔗 icedice JAA: Doesn't matter if it's hosted in Europe. As long as an American corporation has access to the data the US government sees it as US jurisdiction
20:43 🔗 icedice Not sure if there have been any developments in the Microsoft and Google court cases US government access to data hosted overseas, but the US is really eager to take a good peek at that data.
20:43 🔗 JAA Of course, but that's not the only reason why one might prefer a European location.
20:44 🔗 icedice Yeah, it's cheaper as well
20:44 🔗 icedice And copyright is less of an issue as long as you stay away from Germany
20:46 🔗 JAA Why would you ever store anything unencrypted on untrusted storage anyway?
20:46 🔗 Kaz ^^
20:47 🔗 JAA (In fact, why would you ever store anything unencrypted anywhere?)
20:51 🔗 Fusl ^
20:54 🔗 icedice Well, true
20:54 🔗 Fusl also re NL https://wasabi-support.zendesk.com/hc/en-us/articles/360023999491-Access-to-Wasabi-s-eu-central-1-region
20:54 🔗 icedice I just meant that you might as well pick Netherlands or France instead of Germany if copyright is the main worry
20:55 🔗 icedice If privacy is the worry then skip France, and aim for the Netherlands
20:56 🔗 icedice What do you use for encryption? LUKS?
20:56 🔗 icedice I figured I'd go with VeraCrypt once I get a new external HDD
20:57 🔗 JAA I use LUKS, yeah.
20:59 🔗 icedice Fusl: https://vc.gg/blog/announcing-the-iron-dong-hidden-service-backup-system.html
20:59 🔗 JAA Ah neat regarding Amsterdam. Missed that announcement somehow. It was planned for end of 2018 I think, then just silently delayed without any announcement. Guess I might have to take a look at them again.
21:00 🔗 icedice ^ The operator of cock.li had a similar idea as you btw
21:00 🔗 icedice * like yours
21:01 🔗 icedice Are there any cheap Dutch hosting providers other than Leaseweb btw?
21:02 🔗 Fusl icedice: aye, although the difference is that mine is not a VPS but an actual storage with 480TB of raw capacity so me driving there is a must
21:03 🔗 JAA Depends on your definition of "cheap" and how much you're willing to endure also.
21:03 🔗 JAA And well, what you're looking for exactly.
21:03 🔗 Fusl also, NFOrce is what i use for my NL host
21:04 🔗 icedice Fusl: You know, if you want your storage location to be undisclosed, saying that it's within driving distance might not be the brightest idea lol
21:04 🔗 Fusl icedice: its not within driving distance ;)
21:05 🔗 icedice Oh, that's some real dedication then
21:05 🔗 icedice Yeah, I've heard that NFOrce is good
21:05 🔗 icedice They seem pretty chill
21:05 🔗 Fusl also, its not a single server but multiple in different continents
21:07 🔗 Kaz nice, maximum rto
21:09 🔗 icedice JAA: Anything that's like 15€/month or less would be nice
21:10 🔗 icedice But I know that's not very common
21:10 🔗 icedice OVH, Hetzner, OneProvider, Online.net, Scaleway
21:10 🔗 icedice Well, Scaleway is VPS I guess
21:11 🔗 icedice And none of them are Dutch
21:14 🔗 JAA €15/month for what?
21:15 🔗 dhyan_nat has quit IRC (Read error: Operation timed out)
21:18 🔗 icedice A dedicated server preferably
21:18 🔗 icedice Or a really large VPS
21:24 🔗 icedice has quit IRC (Quit: Leaving)
21:28 🔗 icedice has joined #archiveteam-ot
23:00 🔗 Shen has quit IRC (Quit: wheeee)
23:10 🔗 Shen has joined #archiveteam-ot
23:10 🔗 icedice2 has joined #archiveteam-ot
23:14 🔗 icedice has quit IRC (Ping timeout: 252 seconds)
23:22 🔗 Odd0002_ has joined #archiveteam-ot
23:28 🔗 Odd0002 has quit IRC (Read error: Operation timed out)
23:28 🔗 Odd0002_ is now known as Odd0002
23:39 🔗 JH88 has joined #archiveteam-ot
23:47 🔗 BlueMax has joined #archiveteam-ot

irclogger-viewer