[00:08] *** BlueMax has joined #archiveteam-ot
[01:29] *** icedice has joined #archiveteam-ot
[01:33] So I did a system restore with a two day old restore point and I still have Windows updates that I installed earlier today and a software I uninstalled yesterday is not back. To me it looks like nothing happened or did Windows 10 do its job right?
[01:50] *** DogsRNice has quit IRC (Quit: Leaving)
[03:46] *** icedice has quit IRC (Quit: Leaving)
[03:48] *** odemg has quit IRC (Ping timeout: 265 seconds)
[03:55] *** kyonko has quit IRC (Read error: Connection reset by peer)
[04:00] *** odemg has joined #archiveteam-ot
[04:00] *** odemg has quit IRC (Connection closed)
[04:50] *** dhyan_nat has joined #archiveteam-ot
[05:19] *** Mateon1 has quit IRC (Ping timeout: 360 seconds)
[05:19] *** Mateon1 has joined #archiveteam-ot
[06:06] *** Zerote has joined #archiveteam-ot
[06:31] *** Fusl has quit IRC (Excess Flood)
[06:32] *** Fusl has joined #archiveteam-ot
[07:13] *** Zerote has quit IRC (Ping timeout: 604 seconds)
[07:26] *** Zerote has joined #archiveteam-ot
[08:42] *** Elections is now known as vidsandwe
[09:16] *** schbirid has joined #archiveteam-ot
[09:18] *** Despatche has quit IRC (Quit: Read error: Connection reset by deer)
[10:13] *** BlueMax has quit IRC (Quit: Leaving)
[11:22] *** icedice has joined #archiveteam-ot
[11:26] So I chatted with some Windows expert on Discord and he recommends that I wipe and reinstall everything, including the non-system drives that I use for file storage that are not fully backed up since there's no way to tell if Windows Firewall blocked the whole malware attack and if the malware only targets the system or also goes after non-system stuff. He also told me not to connect my external backup HDD to the computer before everything has been wiped.
[11:27] What if I put a Linux distro on a USB, boot into it, and use that to back up the stuff from the other drives that aren't backed up to my external HDD?
[11:27] That would eliminate the risk of the external HDD possibly being infected by the system. The only remaining risk would be if any files have been maliciously changed and that could be checked on all of the already backed up files - i.e. the majority of files - using a file diff utility. If there are no changes on them there shouldn't be any changes on any of the newer files either.
[11:29] boot to liveusb, mount your drives, copy the stuff you want, burn everything down
[11:30] Yeah
[11:30] Any Linux distro you recommend specifically?
[11:31] Linux can handle NTFS file transfers without errors, right?
[11:31] ubuntu/debian are pretty idiotproof and have a big enough community that everything you run into will have a solution online
[11:31] yeah it can do NTFS fine, can't remember if it's native or you need to install some extra stuff
[11:32] There's a native thing, but there's some third party package that does it better iirc
[11:34] I think it's auto installed, the package ntfs-3g I think...
[11:35] But yeah ubuntu/debian is pretty good for doing data recovery
[11:35] NTFS-3g
[11:35] ^ That's the one
[11:35] Oh hey I was right xD
[11:36] Should I go for Lubuntu or Xubuntu or can Ubuntu or Debian be run from a USB?
[11:37] Also would any USB 3 work well enough or should I get one with higher transfer speeds so that the liveusb runs well?
[11:37] ubuntu will wori live
[11:37] work*
[11:39] Ok
[11:39] Should I worry about exe and msi files on the non-system drives possibly being infected?
[11:44] why do you think you ran malware?
[11:53] ivan: I ran into malvertising on an out of date browser that might have run on admin privileges at the time while not having the May Windows updates installed and Windows Firewall popped up and the browser crashed.
[11:55] My restore point from two days ago seems to not work either (yeah, I am aware now that system restore is not a way to combat malware, but if it's not Windows 10 messing up the system restore it might be the malware that messed it up)
[11:58] wtf would you run a browser with admin privileges
[12:00] Event Log may have something around the time your browser crashed
[12:00] I guess you can also look in Windows Firewall for suspicious rules
[12:01] It was GetFLV, which is a video downloader that's basically a browser
[12:01] youtube-dl?
[12:01] It has no adblocker and is always out of date
[12:01] GetFLV is for more hard to get stuff
[12:02] do you remember which thing prompted for firewall?
[12:02] Anyway, GetFLV is unknown to Windows 10, so that's what gave me the UAC prompt, which I filled my password in by reflex
[12:03] I tried starting GetFLV later and looked at it in Task Manager
[12:03] The username column was blank, it said neither admin nor my non-admin username
[12:04] So maybe it wasn't running on admin privileges? I don't know.
[12:05] if you run Task Manager without elevation you don't get to see most information about elevated processes
[12:06] UAC elevation typically doesn't change user, just admin privileges
[12:06] maybe you were changing user since you were typing a password though, dunno
[12:06] Ok
[12:07] I'll ask on the Microsoft Discord if going through the UAC prompt on not well-known software that doesn't require admin privileges launches it with admin privileges
[12:08] If so that would be pretty stupid, but hey, it's Microsoft, so anything is possible
[12:08] programs have to request elevation for the elevation thing to show up
[12:10] It didn't request elevation
[12:10] It was just Windows 10 basically going "idk, I haven't seen this stuff before. sure you want to run it?"
[12:11] oh, that's not elevation
[12:11] SWEET BABY JESUS
[12:11] That's good
[12:15] if you clicked through that said "changes to your device" I think that's elevated https://static1.squarespace.com/static/5065b792c4aac831ab26e463/t/58b43f1c03596e617b3e829e/1488207654767/
[12:15] also UAC still isn't a real security boundary afaik
[12:15] Nope, that wasn't it
[12:16] https://www.ghacks.net/2017/02/23/non-admin-accounts-mitigate-94-of-critical-windows-vulnerabilities/
[12:18] Hmm, not sure
[12:18] I'll reinstall GetFLV, run it, and screenshot the UAC prompt
[13:10] ivan: It looked like this: https://trendblog.net/wp-content/uploads/2017/06/15b_consentpromptbehavioruser_value_1.png
[13:11] https://trendblog.net/user-account-control-windows/
[13:11] "Prompt for credentials on the secure desktop. When an operation requires elevated privileges, you are prompted on the secure (dimmed) desktop to enter the user name and password for an administrator-level user."
[13:11] Well shit
[14:24] surely there are escalation bugs?
[14:24] burn that system
[15:13] *** Zerote has quit IRC (Read error: Operation timed out)
[15:30] Yeah
[15:44] schbirid: Should I just burn the system or also the non-system drives that are used for file storage?
[15:50] *** Despatche has joined #archiveteam-ot
[15:57] *** Zerote has joined #archiveteam-ot
[15:59] "chatted with some Windows expert on Discord and he recommends that I wipe and reinstall everything, including the non-system drives that I use for file storage"
[15:59] sounds like a Windows noob that sells itself as expert
[16:00] reinstalling windows is essentially just masking the problem and delaying everything further back by a few weeks until things are set back to where they have been at which point you're running into the same issues again.
[16:02] i would agree on reinstalling windows if it fucked with your drivers so much where you can't easily pick them out of the system library or if you had an issue at one point where bad data was written to the disk that's now causing windows to keep printing error messages about random things
[16:06] reinstalling windows is masking the problem because the fundamental problem *is windows*
[16:18] Fusl: Another user said that the Windows expert "is a huge nerd", so I guess he goes for the nuclear option when it comes to security. He is apparently also a moderator of the Discord server and a Windows Insider (i.e. unpaid bug tester)
[16:19] every microsoft client is an unpaid bug tester
[16:19] ^
[16:19] some even pay for the privilege
[16:19] True lol
[16:20] ealgase: Yeah, Windows is problematic, but it should be fine as long as I wise up from now on.
[16:20] what makes a windows expert a windows expert is to take a full memory dump of the entire kernel runtime, decompile that and look through it to figure out what the problem is
[16:20] not "reinstall windows"
[16:20] no Fusl, u just have to be a discord mod
[16:21] Yeah, I guess he was overreacting
[16:21] the amount of MS MVPs that I've heard talking absolute shit is astounding
[16:21] heck, even windows itself already comes with a lot of debugging tools but apparently "windows experts who are discord mods and huge nerds" don't know about that
[16:22] So you think it's safe to keep the non-system drives as they are now as long as I reinstall Windows 10?
[16:22] icedice: none of your dependencies that windows relies on are on your non-system drives so yes, keeping them around won't harm anything
[16:23] He did have me look through Event Viewer, but I couldn't see anything there that would have been useful
[16:23] Yeah I figured
[16:23] lol event viewer
[16:23] dump the logbuffer from the disk and look through that
[16:23] event viewer is trash
[16:23] also
[16:23] I doubt that the malware appended malicious code to any of my non-system files
[16:24] https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer
[16:24] https://www.resplendence.com/latencymon
[16:24] https://www.resplendence.com/downloads
[16:24] get sanit, afrz and wss
[16:24] oh and mmon
[16:25] resplendence tools for figuring out why windows is running slow or lagging
[16:25] process explorer as an advanced task manager replacement
[16:26] and that's your getting started on basic windows slowness debugging
[16:27] *** Fusl_ sets mode: +o Fusl
[16:30] Ok, thanks
[16:30] Windows hasn't gotten slower for me since the malware incident though
[16:32] I had two USBs connected to the computer when the malware tried to get into the computer. I can plug those into other computers without worry, right?
[16:33] "let me put it this way, if a virus can bounce from one side of the world to the other over secure HTTPS and still infect you then it can most certainly jump from one local disk to the other"
[16:33] as long as you have autorun disabled, which is the default, yes
[16:33] ^ that same guy
[16:33] Ok
[16:34] Is it possible that they could have been infected though?
[16:34] that's certainly possible and i would not trust any applications installed on those disks
[16:34] but files like text files, pictures, etc. don't have an executable part
[16:35] docx for example not so much because you can attach macros inside the docx that run when you open the file
[16:43] Does malware usually mess with non-system exe, msi, and dll files?
[16:43] depends on the malware
[16:43] sometimes it does, sometimes it doesn't
[17:01] *** Dallas has joined #archiveteam-ot
[17:03] uh fusl, if you go paranoid, then media files are a very worthy target for deploying further exploits
[17:04] i doubt that it makes any sense to worry about that though
[17:04] you should have backups of your media anyways
[17:04] schbirid: you can very well add 0day exploits to media files but the attack surface is negligible
[17:04] just compare hashes then
[17:06] *** godane has quit IRC (Quit: Leaving.)
[17:13] *** wp494 has quit IRC (Ping timeout: 615 seconds)
[17:13] *** schbirid has quit IRC (Remote host closed the connection)
[17:13] *** wp494 has joined #archiveteam-ot
[17:23] *** godane has joined #archiveteam-ot
[17:28] schbirid: Yeah, I just remembered that I have a bunch of setups backed up on my external HDD
[17:29] So I can compare a few exe and msi files with HashCheck
[17:30] And for the majority of the files I can just have FreeFileSync look through them
[17:30] If the filesizes or last modified dates have changed on any of those hundreds of thousands of files FreeFileSync will let me know
[17:31] And if nothing fishy comes up I'll assume that the binary files that I haven't backed up yet haven't been affected by the malware
[17:32] and for the future: always do backups. do encrypted backups on permanently detached drives and only connect and map the crypt device when you do another round of backups
[17:32] I have a backup
[17:32] It's just a few months old and hundreds of GB out of date
[17:33] Which is on me, I've been too worried about some other stuff to think of it
[17:33] I don't have that HDD encrypted though
[17:33] I figured there wasn't anything sensitive on it and I might forget the password
[17:34] The drive is only plugged in when I sync files though, so that's something I did right
[17:35] for full paranoia and bonus points, have a NAS that does periodic snapshots of the filesystem and present to windows only the most recent writable state of that filesystem through NFS or SMB
[17:35] Does full drive encryption protect against ransomware btw?
[17:36] yeah it does until you map the crypt drive and present it as a decrypted drive to windows
[17:37] Ok, then I'll get another external HDD, encrypt it, transfer the files over from the first external HDD, and encrypt the first external HDD
[17:37] I was running out of space on the backup drive anyway
[17:40] Hmm
[17:41] There wouldn't be any ransomware protection in that though now that I think about it
[17:41] I still have to decrypt the drive to have it displayed in Windows
[17:47] rotate your backup media
[17:47] use different media types
[17:50] Different media types?
[17:50] I thought external HDDs were good enough?
[17:50] I can't afford SSDs at that size
[17:50] And I'm not sure what other media can hold that much data
[17:51] Well, maybe tape drives and Blu-rays, but that's even more expensive and inconvenient at that
[17:52] online backup, offline backup (external HDDs) etc
[17:57] Right, online backup
[17:57] I guess I should get TransIP STACK
[17:57] https://www.transip.nl/stack/
[18:29] https://wasabi.com is what i use for backups
[18:29] as well as a server with lots of storage in an undisclosed location
[18:29] only reachable through tor because paranoia
[18:32] Wasabi would cost me at least $29
[18:33] And it's in the US, so I might as well just email the NSA and ask if I can back up my stuff on their servers for free since that's where it would end up anyway lol
[18:35] I might look into cheap dedicated servers and large VPS servers in the EU
[18:35] However, I'm a bit afraid of messing something up and bricking the server/VPS
[18:36] with all the data still on it
[18:42] *** DogsRNice has joined #archiveteam-ot
[19:05] *** Zerote_ has joined #archiveteam-ot
[19:09] *** Zerote has quit IRC (Read error: Operation timed out)
[19:22] *** Zerote__ has joined #archiveteam-ot
[19:22] *** Zerote_ has quit IRC (Read error: Connection reset by peer)
[19:40] Is the Amsterdam location still not ready for Wasabi?
[19:41] Fusl: Backing up any significant amount of data through Tor sounds like a nightmare.
[19:41] it's not with sequential streams
[19:42] Hmm yeah, I guess that makes sense.
[19:47] and 100 mbit/s is my upload limit anyway
[20:42] JAA: Doesn't matter if it's hosted in Europe. As long as an American corporation has access to the data the US government sees it as US jurisdiction
[20:43] Not sure if there have been any developments in the Microsoft and Google court cases on US government access to data hosted overseas, but the US is really eager to take a good peek at that data.
[20:43] Of course, but that's not the only reason why one might prefer a European location.
[20:44] Yeah, it's cheaper as well
[20:44] And copyright is less of an issue as long as you stay away from Germany
[20:46] Why would you ever store anything unencrypted on untrusted storage anyway?
[20:46] ^^
[20:47] (In fact, why would you ever store anything unencrypted anywhere?)
[20:51] ^
[20:54] Well, true
[20:54] also re NL https://wasabi-support.zendesk.com/hc/en-us/articles/360023999491-Access-to-Wasabi-s-eu-central-1-region
[20:54] I just meant that you might as well pick Netherlands or France instead of Germany if copyright is the main worry
[20:55] If privacy is the worry then skip France, and aim for the Netherlands
[20:56] What do you use for encryption? LUKS?
[20:56] I figured I'd go with VeraCrypt once I get a new external HDD
[20:57] I use LUKS, yeah.
[20:59] Fusl: https://vc.gg/blog/announcing-the-iron-dong-hidden-service-backup-system.html
[20:59] Ah neat regarding Amsterdam. Missed that announcement somehow. It was planned for end of 2018 I think, then just silently delayed without any announcement. Guess I might have to take a look at them again.
[21:00] ^ The operator of cock.li had a similar idea as you btw
[21:00] * like yours
[21:01] Are there any cheap Dutch hosting providers other than Leaseweb btw?
[21:02] icedice: aye, although the difference is that mine is not a VPS but an actual storage with 480TB of raw capacity so me driving there is a must
[21:03] Depends on your definition of "cheap" and how much you're willing to endure also.
[21:03] And well, what you're looking for exactly.
[21:03] also, NFOrce is what i use for my NL host
[21:04] Fusl: You know, if you want your storage location to be undisclosed, saying that it's within driving distance might not be the brightest idea lol
[21:04] icedice: it's not within driving distance ;)
[21:05] Oh, that's some real dedication then
[21:05] Yeah, I've heard that NFOrce is good
[21:05] They seem pretty chill
[21:05] also, it's not a single server but multiple in different continents
[21:07] nice, maximum rto
[21:09] JAA: Anything that's like 15€/month or less would be nice
[21:10] But I know that's not very common
[21:10] OVH, Hetzner, OneProvider, Online.net, Scaleway
[21:10] Well, Scaleway is VPS I guess
[21:11] And none of them are Dutch
[21:14] €15/month for what?
[21:15] *** dhyan_nat has quit IRC (Read error: Operation timed out)
[21:18] A dedicated server preferably
[21:18] Or a really large VPS
[21:24] *** icedice has quit IRC (Quit: Leaving)
[21:28] *** icedice has joined #archiveteam-ot
[23:00] *** Shen has quit IRC (Quit: wheeee)
[23:10] *** Shen has joined #archiveteam-ot
[23:10] *** icedice2 has joined #archiveteam-ot
[23:14] *** icedice has quit IRC (Ping timeout: 252 seconds)
[23:22] *** Odd0002_ has joined #archiveteam-ot
[23:28] *** Odd0002 has quit IRC (Read error: Operation timed out)
[23:28] *** Odd0002_ is now known as Odd0002
[23:39] *** JH88 has joined #archiveteam-ot
[23:47] *** BlueMax has joined #archiveteam-ot