Internet Security Solutions: Demonsaw -Decentralized internet-



TargeT
14th September 2016, 17:37
I work in cyber security & this field is so huge and understaffed (and ultimately, like bankers, UNNEEDED!) Hacking is a buzzword these days, though the term is barely understood except in the vaguest ways.

DARPA created the current internet (with its inherent security flaws) and we have been scrambling to secure it ever since.


As I perused the web today I ran across an article that quoted John McAfee thus: JOHN McAFEE: My new company will make the cloud 'completely obsolete' (http://www.businessinsider.com/john-mcafee-mgt-capital-going-to-make-the-cloud-completely-obsolete-2016-9)

I thought that was a pretty bold claim, I had to check that out...

Turns out it's all based on one thing, Demonsaw.

Intro to Demonsaw:
kfyokykPEsE

In depth Defcon talk:
fMfQQoHHLBA


I'm going to keep looking into this, but it seems like a crazy good example of a "solution" to a lot of the problems I face doing my job. (and we collectively face from the likes of NSA/FBI/random hackers)

TargeT
14th September 2016, 23:05
For you file sharing types, or people who want secure chat (mods, whistle blowers?) this is the answer... I cannot think of a way to attack this type of contextual based cryptology... it's literally a game changer.

Bob
14th September 2016, 23:19
Mind-blowing TargeT - very well done !!!!

(I use triple encryption 3 separate 128 bit encryptions - works as far as I can tell - a freebie program I wrote)

christian
15th September 2016, 03:32
Would it still be possible to identify the users?

Maybe by hacking the encryption?

Or by gaining access to the hardware or software on which it runs?

Doesn't the company have all the data to identify the users if they wanted to, or couldn't you gather the data in some way?

How will this generate income for the developers?

Johnny
15th September 2016, 13:30
New version of demonsaw:


wRdloFufDVQ

Johnny :)

TargeT
15th September 2016, 16:11
Would it still be possible to identify the users?

Maybe by hacking the encryption?

Or by gaining access to the hardware or software on which it runs?

I can't think of a way to attack this that would get you more than a small part of whatever is being transferred, the connections are tunneled via HTTP or HTTPS, the traffic adheres to HTTP protocols so it's very hard to pick out this traffic from general http/s traffic.. it's not peer to peer, so there's no reverse connection really.. it's a very interesting method.


Doesn't the company have all the data to identify the users if they wanted to, or couldn't you gather the data in some way?

There is no "company" this is just software, there's no central anything in this model.. you can get the software from any source and use it to create secure connections



How will this generate income for the developers?

I don't think it was meant to do that. I don't see a way that could be done anyway.

lake
15th September 2016, 16:37
Hi TargeT.

Off topic but if I may ask reference this:
I work in cyber security

What's it like as a job? Not interested in the money aspect rather whether it is interesting?
I have done many many different jobs and now have the old feeling of wanting a change! I'm not completely new to computers as at one point I learnt how to code PHP and create MySQL databases so as to develop my own software, which I did (and a few companies actually use it still.......didn't make any money as I gave it away) but got bored of looking at a screen....but I did enjoy finding why my code didn't function correctly first time! I like finding out why?
Have been working for the last couple of years as a carpenter (I seem to go from brain to body then back to brain as job choices) and was considering internet security as my next 'thing' to learn?
This thread and its contents 'looks' interesting so I just wondered what it's like....as said I'm not interested in the 'money' side.......just is it interesting and challenging?

ta mate

lake
15th September 2016, 17:06
From my current very limited knowledge regarding this:
Would it still be possible to identify the users?

Well Demonsaw website states:
Demonsaw uses routers to handle all data and communications so that clients never have direct contact, preventing clients from identifying clients. That said, the machines running the routers can see the IP addresses, but it is very difficult to correlate a client to an IP, using a private group will prevent anyone from correlating your IP with a client on the network.

So wouldn't this be a starting point of interception? I know it states that it is very difficult to correlate a client to an IP but as a first point of knowledge....?

Ewan
15th September 2016, 17:26
Would file transfer in this case Targe, (soft G, my nickname for you), be limited by the ISP upload speed of the person you are connected to. Or am I missing the point?

Star Tsar
15th September 2016, 17:37
Hey this software could be really useful for the Avalon Library!!!
As a side note did anyone else notice the title of the files used in the demo video? And I quote "Welcome to Planet Urf" !?!?!

:focus:

TargeT
15th September 2016, 17:51
considering internet security as my next 'thing' to learn? This thread and its contents 'looks' interesting so I just wondered what it's like....as said I'm not interested in the 'money' side.......just is it interesting and challenging?

ta mate

If you like learning it's a good field, if you pay attention you won't ever have the same problem twice. But there is a LOT of learning to do.

When I'm not investigating an incident I'm managing software distribution (mostly security patches) and scanning for vulnerabilities; more often than not I'll be studying for a certification test (certifications are the bread and butter of any IT worker, security especially).

I'm in front of a computer up to 10+ hours a day often.. it's definitely not a physical job

I like the systems I work on & find it interesting.. Investigating incidents is fun too, it's like detective work & putting a timeline together of events is oddly satisfying.


I don't know that it's a field you could just "jump into" you need to have some pretty broad understandings and a wide base of knowledge to be good at it.. but the information is all "out there" & you could easily self educate if you're motivated.



Would file transfer in this case be limited by the ISP upload speed of the person you are connected to. Or am I missing the point?

and by your own connection speed, yes both those would be limiters.





So wouldn't this be a starting point of interception? I know it states that it is very difficult to correlate a client to an IP but as a first point of knowledge....?

Well the cool thing about it is.. you can just set up a "router" when you want to do file transfers, then take it down after...

these types of "intermittent" connections are very very hard to find and exploit because it's not a static target like the "rest" of the internet generally is.

This is a big part of the security feature of this software.. you can set up a router, you and whoever you are trying to connect with will know what you're going to name it and when it will be available (say, based on a conversation or email) you can have your secure chat session, or transfer a file, or maybe a phone call etc.. then when you're done take the router back down.

That makes it very very hard to attack.

you can use any device you want as a router, as long as it has a network connection.

lake
15th September 2016, 18:16
Ok do not think I wish to sit at a computer for 10+ hours a day....fair play to you though

This:

you can use any device you want as a router, as long as it has a network connection.

So would this mean that I could use a 'sleeping' person's smart phone ( no one seems to turn their phone off ) as a router, then remove the knowledge that it had been used?

TargeT
15th September 2016, 18:29
Ok do not think I wish to sit at a computer for 10+ hours a day....fair play to you though

This:

you can use any device you want as a router, as long as it has a network connection.

So would this mean that I could use a 'sleeping' person's smart phone ( no one seems to turn their phone off ) as a router, then remove the knowledge that it had been used?

Well, if you had access to their phone and could run the app... then yeah.

lake
15th September 2016, 18:48
Well, if you had access to their phone and could run the app... then yeah.

I take it that I wouldn't require physical access....I could be elsewhere and still create a connection, if I wished to?

TargeT
15th September 2016, 18:54
Well, if you had access to their phone and could run the app... then yeah.

I take it that I wouldn't require physical access....I could be elsewhere and still create a connection, if I wished to?

that's my favorite way of doing things ;)

ThePythonicCow
15th September 2016, 19:13
For you file sharing types, or people who want secure chat (mods, whistle blowers?) this is the answer... I cannot think of a way to attack this type of contextual based cryptology... it's literally a game changer.
I don't see how this could be useful for secure chat ... can you explain more of that?

Eijah's defcon.org talk (your second posted video) was given in Jan 2015 ... In it he says he's open to looking into open sourcing it. Today (Sep 2016) I notice on their website, https://www.demonsaw.com, that they only have compiled binary images available to download, for Windows, OS X, Ubuntu, Debian, Raspbian, and Android.

No open source that I can see, so

perhaps unusable on my main system (Arch-based Manjaro with OpenRC),
definitely unusable on iPhone or Apple tablet iOS,
I can't examine the source myself (I actually do at times choose from alternatives by looking at the source code, for example when I preferred riofs over s3fs in my Avalon Library infrastructure),
I can't recompile for whatever Linux-like system I'm interested in, and
independent security audits can't be done (essential for trust past a certain point, in my view.)
I like Eijah's attitude. And I like what I am guessing is the architecture of Demonsaw. But that's a guess too. And I don't see how it's relevant to my interests at present. If it were open sourced, that would potentially change.

felipe
15th September 2016, 20:10
I have started playing with this and it looks very interesting. I started a thread at https://decodeit.org/index.php/topic,846.0.html where we are trying to sort stuff out.
Here are some things I do know:

Version 3.x, only available for Debian 8.5 and some Windoze version, is much better/easier to understand.
Security is distributed in such a way that it is virtually impossible to compromise anything.
While McAfee is doing something with it, there is no plan to monetize the software.

TargeT
15th September 2016, 20:46
I don't see how this could be useful for secure chat ... can you explain more of that?

From their website:

Demonsaw uses multiple layers of asymmetric and symmetric encryption. All keys are created at runtime and never shared.

Social Crypto makes security easy by leveraging shared knowledge (websites and files) to derive strong encryption keys.

Trust yourself and to hell with the rest.
http://demonsaw.com/

It's like a VPN, but with one time keys used for the connections, tunneled over HTTP/HTTPS (and, since it follows HTTP/s protocols it looks exactly like http traffic..it's not obvious like an SSL tunnel), the keys are never the same, and the connection is hard to even find...
It's exactly what I would hate to go up against as a penetration tester.

this guy sorta does an ok job of explaining it (and he says rooter... haha rooter!)
Fr1lwBAyj_g


I like Eijah's attitude. And I like what I am guessing is the architecture of Demonsaw. But that's a guess too. And I don't see how it's relevant to my interests at present. If it were open sourced, that would potentially change.

he wrote all the code, to go open source just takes time I assume, so unless there's some hidden money agenda I don't know why he wouldn't do it.. I'd feel much more comfortable when it is open source.
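Added example, not part of the thread and not Demonsaw's code: a generic sketch of the "derive keys from shared knowledge" idea in the website text quoted above, using standard PBKDF2 and HMAC. The group label, the sample file contents and the work factor are assumptions; the point for a reviewer is that the key can be no stronger than the secrecy of the chosen source.

```python
import hashlib
import hmac
import math

ITERATIONS = 100_000  # assumed work factor for this sketch


def derive_key(shared_content: bytes, group_name: str) -> bytes:
    """Derive a 256-bit key from content both parties already hold.

    group_name is a hypothetical, non-secret label used as the salt.
    """
    fingerprint = hashlib.sha256(shared_content).digest()
    return hashlib.pbkdf2_hmac(
        "sha256", fingerprint, group_name.encode(), ITERATIONS, dklen=32
    )


def tag(key: bytes, message: bytes) -> bytes:
    """Authenticate a message under the derived key."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Constant-time check that the sender held the same key."""
    return hmac.compare_digest(tag(key, message), received_tag)


def effective_bits(candidate_sources: int) -> float:
    """Upper bound on key strength when the shared source is one of
    N items an outsider could enumerate (e.g. publicly reachable files)."""
    return math.log2(candidate_sources)


# Constructed sample inputs (not real Demonsaw data).
SHARED_FILE = b"constructed sample: file both parties agreed on out of band\n"
OTHER_FILE = b"constructed sample: some other file\n"
GROUP = "example-group"

if __name__ == "__main__":
    sender = derive_key(SHARED_FILE, GROUP)
    receiver = derive_key(SHARED_FILE, GROUP)
    outsider = derive_key(OTHER_FILE, GROUP)
    t = tag(sender, b"hello")
    print("receiver accepts:", verify(receiver, b"hello", t))
    print("outsider accepts:", verify(outsider, b"hello", t))
    print("bits if source is 1 of 10^6 public files:",
          round(effective_bits(1_000_000), 1))
```

Nothing secret is transmitted to agree on the key, but a 256-bit output derived from one of a million guessable sources carries only about 20 bits of strength.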

ThePythonicCow
15th September 2016, 23:54
he wrote all the code, to go open source just takes time I assume, so unless there's some hidden money agenda I don't know why he wouldn't do it.. I'd feel much more comfortable when it is open source.
Going open source is trivial: add a comment with a copyright notice and a statement of license terms under which you allow others to use the software, such as the GNU General Public License (GPL) ... then upload the source to a public server where others can see it.

See for examples of such a comment http://pauljackson.us/x.c and http://pauljackson.us/sendpatchset.py, two tiny tools that I wrote. (Hmmm ... I might have to upgrade my Linode server ... I've finally put enough stuff on it to get it overloaded and slow.)

For projects of any potentially large usage, such as Demonsaw, one should probably choose a server such as github.com, that makes it easier for others to make and share changes and track versions.

(I probably spent more time making the above post, than I did open sourcing x.c or sendpatchset.py.)

Gurudatt
28th September 2016, 14:23
I have tried Demonsaw. It is as user friendly as any other secure solution and yet would not provide security to all those who are careless about security. Which is the majority of the people out there.

As an example, all I need to know what you are posting through Demonsaw is by installing a keylogger or a screen grabber. If you are using Windows OS or any mainstream OS, there is no escaping tracking, surveillance.

I have been looking towards finding/creating an operating system (based on Linux) which runs off a USB Drive and also secure. Thus far I have not found one that works across all my computers. (I have one Windows, One Mac and NO OS Intel System)

Between 2005-2009 I was working with a company that was planning to develop an alternative to the Internet called NetAlter and I was negotiating the funding for this but never happened as the financial markets crashed in 2008 and so did the project. It involved developing a browser which when installed on any computer or even a chip would enable secure and private communication just like the Internet without requiring a server in between.

That was something I thought was fantastic idea but unfortunately did not take off and let me develop my own secure technologies around the current internet.