#general
If you are so concerned then after done taking notes just gpg/pgp thats just an overkill. I have similar setup for my personal messaging app
also ^
"Client's concerns are our concern. Customer satisfaction is the key" says my manager. He is a good guy
Anyways, it has been lovely chatting with you folks. Goodnight!
Have you considered a fully offline alternative?
so...you buying?
haven't been out to many in recent months only really mcgoverns in newark and mcsorelys in ny
I was looking into AnyType, didn’t form my opinion on this one quite yet, I still have to test it out.
Opening links is always a thing that makes me concerned
its .pdf file 
got it from reddit
Pdf can be malicious
CherryTree works well but may feel a little outdated
Sure. If you're free Tuesday, hanging out with a friend from LPU at a bar
I’ll look into it. Cheers
Anytime. I used it for my OSCP studying and exam
(As you can encrypt the data)
yeah i deleted the message
good choice
im having some problems running PrintNightmare with an account without password
Oh thats clever!
What problems?
like a storage server?
Never download files, don't open just by the name of it. I am not at my laptop now so i will have to check the headers, strings and capa before i open it. So i will dm you tomorrow.

seems like it didn't work, even because password is required in his compilation. I won't go into specifics
its ok 
Ah i thought you were asking for help getting the exploit to work
very good choice for 80 bucks tbh
Hi Birb 👋🏻 !
Thanks for understanding 😂 will do tomorrow.
Gave +1 Rep to @hazy sundial (current: #1397 - 2)
i can't since it's for OSIRIS CTF and it's kinda long to explain, but yeah im trying to figure it out
Anyways imma head out. Night night fellas. Good chat.
Hi. Sorry your name doesn't ring a bell 😅
Night!
wait a sec , you have OSCP , im going for it. You surely know how to do it 😄
Ah ok
Might does now? 
No 
he is not a noob lol.
It's a fun exploit
yooooo is there an expert in sql here who can teach me? i cant figure it out
well he has OSCP, he is not for sure
Ex-Admin from other server 👀
What is your question?
i know but everytime i run it nothing happen on this ctf , even if ive setup the smb server
surely interesting to understand it
long ago talked to you in here and htb.
Ah, cool 😄 I've forgotten most names from HTB tbh... It's been so long that it was active
Even if he was not Admin , having OSCP means you are not at start for sure
I'll dm lol.
well, they were ex||htb|| admin!
well , just wow
ill go back crying for my OSCP
see you later
Cya.
i have no SIEM bachelor
im going for it after i got JPT work
bachelor will be next step after OSCP
being real, THM's Jr-Pentester path is better.
Yes.
but i got a junior penetration tester work
Hmm, PJPT or some other good cert?
choose wtv suits your job.
no 1 year and some months as SOC analyst
but i do this all day long
just an anxious subj
TFW my first InfoSec experience was OSCP 
pen200 study?
SOC = Burn Outs
Me don't like burn outs.
it was hard way? or good learning experiences?
Just too much reading. lol
even before bachelors and any cert?
tbh was simpler than this
yea ig.
Nah, I had been working professionally as a software dev and sys admin for a few years

DevOps too?
I spend something like 4-6 hours on studying every day for two months lol
That's what I mean but usually people don't know what it is so I write sysadmin.. 😂 😂
@hardy mica I got a blog post for you if you wanna read about alternative ways to abuse printnightmare
Birb, The dedication!

"Hey, trusted Domain Controller buddy?"
"Yeah?"
"I need you to print a document"
"Ok cool, here are my creds please authenticate and give me the stuff"
"Yep, you good. Thanks."

(Something like that... It's been a few years)
But devops is the cultural and philosophical approach that emphasizes collaboration and automation to improve software development and deployment.
And Sysadmins is a spot inside devops.
Innit?

Yup
In theory it doesn't make sense to have a DevOps team just like it doesn't make sense to have an Agile team
Hmmm interesting...
What do you do? We do Agile! Uh.. Ok... What does that mean?
...Uhm. Like scrum n stuff
But companies use the term for teams that do pipelines and automation of releases and testing and hosting and..
aah
It's a bit of a weird field - but pays well
I know of sysadmin, besides of THM, because of a blog from medium, from someone who said he's been happier just doing sysadmin, he was pentester, if I remember it right. He said his experience in cybersec was just horrible as pentester.
But once again, he clarifies in his first blog and second one, it might have been because of the companies he worked for. Since there were other people that didn't feel the same way about the field.
Help people in online communities to remind yourself that you know more than you think lol xD
Companies limiting password length to anything under 48 characters should be fined. "your password is too long" 
Probably because of their database model
I had a hunch. lol
You can use Linux mint for your old laptop which is lightweight, as for which Linux is better that is a preference choice
What do you want to use it for? Just playing around?
Gave +1 Rep to @dark lynx (current: #636 - 6)
Yeah Mint is good I've heard. Ubuntu is a classic too
Ah forgot about Ubuntu great for starting out
I've been pretty much dealing or coping with it just as a hobby, I guess. I started off programming, webapps or website related stuff... couple of basic CLI apps. Then jumped into cybersec stuff... maybe if I get a chance into the field I'd be more than pleased.
But I keep studying/practicing because I like it. I guess that's one of the things that make me cope with burn outs, also having dealt with it when I used to code more often.
If I'm yapping more than usual, is because I'm having beer. 😛

If you want to learn Linux Ubuntu is a great start
TLDR.. yes you should still code/programm stuff.
Wondering if I should use pika, timeshift, or learn rsync for full system backup
Been wanting to take the entire os image into a brand new laptop, without having to configure from ground up again
Drivers?
NixOS being a prime example
ahs so you got a bachelor before
https://teejeetech.com/product/aptik/
I've had great experiences with this
already saw it , its the room that is a bit sus
Granted it costs money, but the author is the same person who made timeshift - which is free and has saved me a lot of time, so bought it
Sort of yes, but all the software, path, script I set up long ago which I don't remember much
Thanks I'll look into it
Gave +1 Rep to @shut hawk (current: #14 - 533)
Hmmm didn't know, I never really did a complete backup and restore
I usually just reinstall and reconfigure everything again
Yea
0.d.a.y
@rapid merlin thanks I was considering that
I don't like windows as I used to
So was moving to a Linux with vmware
But I do want to backup my main Linux and my vm containers(since I don't know docker or use it before sad noises)
I find windows a bit headachy sometimes, so I feel your pain. lol
My main laptop has windows 11 mainly for gaming and watching videos and doing simple things
makes sense, so you were already well prepared for OSCP
My second laptop configuring it for ctf, programming and breaking stuff xD
I'll probably do the same for my laptop. I have it sitting there, turning it on only for usual updates.
But I have family that uses it for stuff, so they'll probably get lost if they don't see the usual windows GUIs.
Well... Not really. I knew programming and I knew what a socket was
this kinda give me hopes
surely will be "hard 3 months"
Oscp is a whole lot of learning about tools and common techniques to use in different situations
my path was: SOC Analyst (i got it with background), eJPT, THM courses, TCM Security PEH course, Tiber3rius courses
and now going for OSCP next week
You do an nmap and find ports 21, 22, 80, 139, 445 and 3389 open. What do you do and where do you start? That kind of thing, mostly.
first thing i check what is hosted on port 80
then i go for SMB
smb let me think and AD is on the server
i mostly can start with responder and then bloodhound

All windows machines have public SMB by default
if i find something i can go with crackmapexec etc.
3389 is good for me too
maybe an rpc client?
port 21 is ftp too
can try an nmap for an anonymous connection
meanwhile i run nikto on 80
if i find something a dirb or gobuster to enumerate more
then is situational
I check two things first here and take note of one odd thing which may be useful later. FTP and SMB can be scanned and checked really fast and you can maybe get a username that way. Or nothing. But it's fast. And SSH on windows? Hmmm..... Fun
thats very interesting
i usually go for 80 and SMB
After that, since RDP usually never is the way in first, I go to Web
And that's just the tip of the iceberg.. 😂
So a bit off-topic... I find it headache free to just use formats like 01Jan2024, when dealing with teams formed by people from different parts of the world. lol

I just finished the video, lol... So, just get your own router. Gotcha lol
Yeah, I think I have ADHD, I don't like self-diagnosis. But anyways, I was jumping into searching for X then going back in to Z that happened a while back, and going back in to the video, and going few secs back to understand a few things. lol
its a good path tbh
ty man 🙂 @shadow loom
Gave +1 Rep to @shadow loom (current: #529 - 8)
im just afraid to not find everything
Fuck ISP routers. Any homelabbers or sec people will agree
One of the reasons I got my own equipment
It's not limited to ISP routers lol
Oh yah, not a fan of Netgear either. Asus all the way
I quit....
Just give me a pen and paper
My router luckily isn't on that list 
For now
Oh, just read the versions that are affected, 3.0.0.4 and before for the most part
Was it netgear where backdoors were discovered years ago already?
Hi!
hello
How are you?
Good trying to learn something new
Open source intelligence!
hmm
to summarize it... googling, in depth googling
More to it, but that's the really simplified version
Finding information on subjects. For example, locations, people, addresses, companies
OSINT is intelligence produced by collecting and analyzing public information with the purpose of answering a specific intelligence question.
where is the btrfs
Isnt this like doxxing but the good way?
On my OpenSUSE
Nope. I'll answer that with this link:
Not necessarily to encourage harassment
Ok This is interesting.
Doxxing is just the act of releasing private information about people
neat... how does it compare to ext4 for you???
or by not turning off steam friend is playing notifications
I Feel like a student
Just from a desktop user POV, I don't see any difference. But I like this Pic
copy on write writing mechanism 
COW!
seems super easy to do with timeshift
That's not really doxxing
It's usually private information, i.e. someone's full name, address
revealing someones private data
can lead to spammed friend requests
or other nasty stuff on steam
It's not doxxing though
Your username shouldn't contain anything sensitive.
Set DMs to off and don't accept friend requests. You can also change it if need be
im a lil too much confused.
No it's not doxxing at all.
If your username happens to link to a another account and that account has private information on it; A) that's on you and B) the information on that second account could be used to doxx, but it doesn't mean your username is doxxable information
so then how is an email sensitive data
it should not include anything sensitive in the email address
It's the difference between protected information and sensitive information
A username is not considered under UK law to be protected or sensitive information iirc
No as in, there's a definition in law for protected and sensitive data
And what qualifies
coffee with milk
It depends really.
If my email address is publicly accessible, i.e. on my website, and someone got that email address and posted it, it wouldn't be doxxing necessarily.
But if someone got my private email address, it could be considered doxxing, especially if my email address has like my name, dob etc in it
sounds like a your issue if your private email has sensitive name and dob in it
Not really. An email address should be easily rememberable.
If I'm at a business conference I wouldn't want to tell potential employers to contact me at spikemaster1987@jabbamail.com lol
goes to check if that is a real email address

Huh?
There's a quick definition for yous, online identifiers refers to things like IP, MAC address, cookies etc. and it says about pseudonymised data which refers to it having the data associated with a pseudonym rather than further pii
when im older ima study programming bc im nerdy asl

Good choice
Technically yes but you're not doxxing someone if you know they have a Pinterest account
A username is only PII if it can be used to get other data, with steam discouraging putting that personal info on your profile it's not pii
It's not a data leak either
How is it a data leak that someone reuses a username across multiple platforms? lol
if it's a "personal" data leak , it's doxxing
It's just basic OSINT
If steam had a leak that username might be PII because of the other data they store but it's not pii if it's just the profile name in a screenshot
for a lot of steam users you can see their entire game library.... yes including the smutty ones if you have their username
so you can download their same games and make new friends?
Still doesn't give you any pii from that, you just find out they're a bit spicy haha
ù
I think it's the whole "building up and publishing a profile of collected information" that triggers people, OSINT or not
And what will you do with information that someone plays CSGO?
blackmail
Mhm I'm just trying to make sure that the correct terms are used
stop playing CSGO or i'll tell your mom?
Yeah but you'd have to do osint to get their pii
Which term would be correct though? Profiling?
i think "gaining information" suits better
so I changed the screen on my Redmi 10 phone and after putting everything back it won't boot up
Blackmail what
"I know you play inappropriate games, I don't know anything about who you are or any of your friends who can also see your game library and probably know about your weird habits but I will publish this information to the world"
just need to specify what kind of information
maybe he should do his homework instead and you can blackmail him with his parents
and save his life from gaming addiction
Might need to charge for a bit, could be that it wants to recalibrate the battery and charge fully
Heloooo, is black theme coming? My eyes are cooking up
If it's not charged and working in the next hour it could be a bad connection or broken
it got to 50%
blackmail what
shadow knows your personal email address and can tell your friends about your weird name or send you nasty messages
Digital profiling yes
Might need to go to 100 for it to calibrate
And where did you get their personal email address from?
let's hope it is that
....
about nasty message you can still block the person. Tell your friends about your weird name? srsly?
otherwise I think is a piece that I might have damaged
Fingerprinting maybe
and the phone won't boot up without it
Let me summarize this.
OSINT is Ethical way, public and legal way of getting information.
Doxing is basically the Black Hat way of looking at it.
thought it was support@tryhackme.com
Can also try going into fastboot and then boot manually through that
Mmh, I guess... Doxxing is a subset of this kind of profiling but profiling is not necessarily Doxxing
I think fingerprinting is lesser the individual and more their device
OSINT is NOT doxing
I'd argue doxxing is the malicious release of the data acquired and aggregated via osint
wut?
And same can be said with Ethical Hacking
won't work
doxxing can't be related with OSINT
Imagine you live in a conservative country and/or family, religious fundamentalists even, and somebody blackmails you with telling your parents that you play "adult" games on Steam. Easy to see how that would be bad.
I would slightly change your argument and say it is typically malicious
Yeah but I thought there are also less techy definitions for it that are more akin to research
How do you know their family?
before you should get his parents information
Social Media
then , it's a massive spray and pray
Incorrect. Doxxing can come from OSINT
username reuse
Yeah I can agree with that, my reasoning was more from a legal perspective, the idea that if there's no motive behind it, it could be an accident and therefore would likely be treated by law differently but I get that side to and agree
Let me quote HTB's post on doxing vs OSINT:
"So doxxing involves exposing information on targets you aren’t allowed access to. Posting someone’s credit card numbers and government identification numbers in a public forum is both illegal and immoral. It constitutes an information security attack, because confidentiality is a central pillar of the CIA Triad of infosec.
OSINT is finding information that you're allowed to have access to without breaking the law."
People get blackmailed with such things "I'm gonna tell your family and friends" all the time. It's not theory it happens every day.
could point you at all the people who have a twitter username with the same as their steam username
It's not a data leak
Doxxing isn't exclusively information acquired by unlawful access to data
or similar enough that it can be used
There's too many conversations going on I can't remember which is which
how can be related? doxxing is illegal , OSINT it's "everything you are allowed to get"
shadow scatter brain goes brrrrrr
Doxxing is more the release of aggregated data from multiple sources, lawfully and otherwise
Jabba, need a drink?
give jabba a few cans of monster and they can finally keep up
I'll post it again.
Just because you reuse a username on social media doesn't mean any data is being leaked or breached.
I think the point they're trying to make is that if you Google my username and publish my discord and twitter account together, it's not a dox
Depends how broad you want to go
yeah but that's not doxxing , we are talking about doxxing in OSINT
If you went from my username to my work email and the full name of my parents then yeah... 😂
No but if I went through your Google reviews, and used that to gauge your home city, got your name if your public profile and released that it would be
Yes absolutely
OSINT is not doxxing
When I speak to other people who do OSINT in their everyday work, they tell me that outsiders think OSINT is doxxing! That’s a terrible myth, because doxxing is a cyber threat and often illegal.
Quoted from HTB link
You'd be getting information that you are arguably not supposed to have
but overall with doxxing , you mean : "sharing personal data that YOU ARE NOT ALLOWED TO DO"
can't be OSINT anyway
It would be completely legal for me to find all that data but the process of aggregating it and leaking it is the doxxing part
If I use publicly available information about you and determine an address/ name/ other PII and publish it, it's doxxing.
Lets say I see a picture of you outside of a house and I track that house down, then I look at the housing information and find the owner's information etc.
If I then go and post that in Discord, that is doxxing.
Agreed
All I said was learn OSINT.... I'm sorry @mossy river 
It's public information obtained lawfully though, so because it's public, I should have access to it
shadow's point here is that usernames can definitely be sensitive data and linking it with all the data points of steam could be as bad or for some people even worse than their email address leakages
No usernames are not sensitive data by any definition
hey guys i know jabba's discord username if you wanna buy just lmk
If you can link two accounts and are in that sort of situation you have an opsec issue
doxman
The whole point of a username is to protect you; it being considered sensitive is absurd.
then neither are email addresses
If you hear your neighbours yell personal information it's all fine, but if you eavesdrop on purpose it's a felony
If you rely purely on a username for your data protection, you have an opsec issue
ok , but how can doxxing be related to OSINT? i can't get it. OSINT means that everything you do is allowed to do . What you are talking about is a sort of "enumeration".
Public something that YOU ARE NOT ALLOWED to publish is doxxing
that's an opsec issue not a pii issue
as email addresses are just glorified usernames in todays society
and you are a gossip girl too
The UK government seems to disagree
that it's even worse
I believe the eavesdropping law is very different than you think it is, eavesdropping would refer to bugging or going up to someone's door and listening in, not just being quiet so you can hear every word
That's exactly what I'm talking about

One is fine because you so happened to come across the information
The other is a felony
But that's the difference between hacking into a server and looking into the profiles for any and all public info
You accidentally discovering that I live in ABC Town is fine, but you trying to find out and publishing that information is not
Not the difference between googling the accounts and listing the reviews the account has made
that's not a great comparison. one has an expectation of privacy, the other is explicitly public info
nope, because in the first example you are subject of a random event happening to you. You are not taking action
Osint is completely legal as long as you're not using it to commit a crime
It's the conscious act of obtaining the knowledge that's a problem
(With the intention to publish it)
Both examples involve taking action though
no, it's the fact that you're violating an area that is expected to be private versus not doing that
nope. If i accidentally listen to my neighbour im not legally taking any sort of action
You took the context away.
What are online identifiers?
I don't see that article say that usernames are sensitive data, it says it's personal data.
The way I'll put it is, Google Dorking is not illegal, using it to commit a crime isn't illegal, the crime is illegal
Potato tomato?
I think we agree
no we don't
I thought you referred to my examples
yeah but doxxing is not. Doxxing is "publish personal information without consent"
nono Birb one
As personal data they are subject to the GDPR. You have to report to government agencies if you leak them for example. Whether that's "sensitive" is semantics, I'd say yes.
And that's what I've been saying it's the publishing not the aggregation of the data
Btw this is the most geek conversation ive ever seen
As long as you've not committed a crime to obtain the data, it's not a crime, releasing that data is
Like, I have information about others because friends. Do I go around posting it to others? "Hey look, X lives here" FUCK NO.
If X doesn't post anything publicly, I ain't posting anything publicly. That's the ethical side.
OSINT is gathering information legally and within bounds, without publicly releasing any data.
with doxxing you are "publishing it too" . Active enumeration of data is illegal too anyway
if i read your mail that's one thing, because there's an expectation of privacy. if i see that fedex is your courier of choice, that's another, cause they drive a truck with a giant logo on it and it's publicly visible with no expectation of privacy
without consent
expectation of privacy is the focus
if you make information public, you're doing so knowing that the public space is by definition not a private space
so sensitive data is the following
Real life name
Real life address
ID numbers for real life stuffs
debatable on phone numbers
debatable on emails
Active enumeration does not involve going onto websites and going through profiles though, that'd be things like interacting with the server itself
@finite basalt perfectly explained
context matters ofc but that's more sensitive PII than usernames
if you are just collecting already PUBLIC information without sharing it. You are in the legal part
And if you used apis to assist in osint it's completely fine as long as you're using the api within the confines of the terms of service
You are incorrect.
While usernames are considered personal data under GDPR, they are not classified as sensitive data unless they reveal or are linked to more protected categories of information. Reporting requirements for leaks depend on the specific circumstances and the nature of the data involved.
Did you read the article?
Did you read the article?
hello there tryhackme community
that's very difficult to say. You can incur in some sensitive data anyway
That's what I said, as long as you're not committing crimes to get the data and aren't releasing it, it's completely legal no matter how deep you scour the internet
I'm expecting my home address and full name to be private too, but if you happen to find it by googling long enough (I wish you good luck, but it's not impossible), that doesn't make it OK to publish even if it is freely available. Whether it's illegal everywhere I don't know, I'm not a lawyer, but I'm fairly certain it's not legal in my country
is it considered animal abuse to capture a fly in a pet bottle
i see, thanks for the heads up
Gave +1 Rep to @sand trench (current: #4 - 1773)
Hi
you just moved the goalposts by a whole ass continent
sure , until you have consent or going for public infos and not sharing it , you are in the legal side. You can call OSINT
Doesn't matter if you're not using it to commit any crimes, although, if an API is returning sensitive data to the public then it's time for a responsible disclosure
The what? 
Wdym
That's us law, I'm in the UK
sure , but world is strange sometimes. Anyway i think i just confused the person i was talking with at this point
Also that sounds more like their internal policy
what is this mythical sleepy thingy???
it's also not sensitive information to say "x owns a property at y" -- that information is often publicly available by default with things like tax maps
car
Can you send me the source saying that?
if its public information you can
ehhhh
I read the GDPR. The EU one though, the article I linked refers to the UK adaption.
What do you think shodan does?
?
7/8 data brokers would disagree
So why link to a source that you didn't read?
That's gdpr and is more for organisations
Also I don't know what that screenshot adds to the conversation lol
If such a service exists, perhaps you're right. I don't think it does in my country (not from address to person, only person to address)
if one direction exists, so does the other
The UK GDPR is identical in text.
Like, let's just use @molten sky for example here.
(I'm not actually doing any of this, this is all hypothetical example)
Say Productivity, I find information about his IRL name, address, phone number, stuff that's public. And I tell him "Hey, X was easy to find, might wanna fix that" privately, if Productivity is fine with me disclosing that to him, fine, no issues.
But if I turn around, and give that information to say @finite basalt , that's doxxing.
they can disagree as much they want, if the information IS PUBLIC, you are literally doing RESEARCH. No Active Enumeration, No doxxing. Perfectly in legal terms
Yeah it's gdpr and it applies to organisations for the protection of people's data
I'm confused by your statement then?
yeah no we agree i was responding to jabba's ehhh in hesitation to our stance
Mmmmh not sure...
tbh i don't know what Jabba ehhh means
GDPR is an international law created by the EU iirc
The 1st source I gave was the UK government referring to the UK GDPR. The 2nd one the EU GDPR. They happen to be identical as of today.
They're the same legislation
true and coppa is not an european union law... still both kinda apply everywhere
all it takes is a data broker to get the data by querying known names then they sell the inverse searches
It wasn't created by the UK or US, it was adopted by them
If you saw me driving around in my car you could get my name by looking up my license plate, but you can't find my car by just knowing my name
you can in many cases via data brokers doing exactly as mentioned
I'm talking about official registries, not companies selling data
i think we are going a bit too far
the EU has the right to forget
which the usa does not have
or well the right to be forgotten
typos
The point is that aggregation of data as an individual is not illegal as long as it's done without committing other crimes and isn't used to commit a crime
Me watching chat
GDPR disagrees, it depends on what you're doing with the information but if you get a court case of stalking or harassment and they find a 7TB drive of information you're collecting on people, you're not going to have an easy time
Perhaps in you country... I wouldn't know. It's not possible where I live
Okay? I still don't know how this adds to anything 🤣
Yeah data aggregation isn't a crime but could be used as evidence of another crime
those companies are doing what we're talking about tho, collecting publicly available information, pairing it to individual identifiable people, and making that information publicly available as well
you are talking about a specific case where you already committed another crime. GDPR disagree if you taking data that go under "privacy" , that for sure is not a public data
yeah laws vary widely ofc but generally speaking in most countries data brokerages are pretty well established
But that's referring to an organisation storing data
I think GDPR would make that too big of a nightmare for European countries tbh
Chat is entertaining
You said usernames were not sensitive data. I provided you with a source that disagrees. You went into semantics saying they're only "personal" not "sensitive". I quoted GDPR showing you that it knows no such thing as "sensitive" data but "personal" data. Since you yourself stated usernames were personal data, all the rules of data collection, information requirements, agency notification in case of leaks etc. apply to usernames.
but in that case you are already an outlaw. This is out of context tbh
configuring bat to use catppuccin color scheme
Nope, they just have to tell you where the data's being kept, what data, who they may sell to and your rights to get a copy or have that data deleted
spy.pet collected Discord messages and they were technically in violation of GDPR. That's just one person collecting discord messages 🤔
wrong ping sorry , chat goes too fast
that are not public
you are literally doing an Active enumeration of it
If we assume you are correct with your assessment "usernames are considered personal data under GDPR", the rest of the message is as incorrect as it can be.
GDPR only applies to organisations though and refers to backend data storage
I will say, my experience with this is pre GDPR, so that very well could be different now -- idk the first thing about that legislation
The full text of the GDPR has 2 (two) occurrences of "sensitive", 596 of "personal data". Everything you've ever heard of regarding the GDPR applies to "personal data". Which usernames are according to you @mossy river
GDPR has absolutely no implications for the aggregation of data or what determines PII when doing osint
It's the European Karen of the Digital Ages. I love it
All I said was "Learn OSINT"
Now there's just an all out war
Completely wrong. GDPR does apply to private individuals.
yeah and they got shutdown hard and would be put on trial for gdpr violations if they were in the EU
If customer service piss you off, just slap a GDPR at them

on top of all the other criminal charges
so its your fault
You just started a DDOS Discord Message Attack
a DDOD
distributed denial of discord
what have I joined
fun times fun times fun times
Let me end this argument with one sentence from someone in HTB chat:
OSINT==gathering, DOXING==disclosure
That's the data protection act.
The username is personal data if it distinguishes one individual from another regardless of whether it is possible to link the ‘online’ identity with a ‘real world’ named individual.
HAHHAHA you are between geeks , this won't end so fast
DPA 2018 is the UK implementation of GDPR and specifically states that it only applies to government, businesses and organisations. The only reference to individuals is their data rights, rights to be forgotten and get a copy of their data
I can send you a list of private individuals who received GDPR fines for things like having CCTV cameras pointed at public streets.
cough cough
That is GDPR in the UK, that is the specific implementation of it
Read the screenshot again
Completely legal unless you're a business otherwise ring would have huge issues
And you're not when you're combing through a user's Instagram/ Facebook/ Twitter?
Which every username does. Which is why you had stated yourself that usernames are personal data. To which every GDPR regulation you've ever heard of applies.
No it doesn't.
If that's so in the UK, idk. Not in the EU.
Why not?
I've shown you that the GDPR knows no such category as "sensitive" data.
nope, because you are gaining public information. IF you go for Facebook chat, IG dm, etc. You are going for an active enumeration of it.
In that Discord messages there could be tons of personal informations that you are not allowed to see
You're allowed to film anything you can see from public property or from your private property in the UK, exceptions include through people's windows which could be determined to be a different thing like harassment or something similar
I like bagels
wut?
https://www.enforcementtracker.com/ Filter "Controller/Processor" for "Private Individual"
List and overview of fines and penalties under the EU General Data Protection Regulation (GDPR, DSGVO)
1.NEVER CLICK ON LINKS
What's your favorite type of bagel
Raisin Bagel or Regular Bagel
and Blueberry
blueberry is also good
Everything bagel, jalapeno cream cheese
yeah
opium seed bagel
I can't see any private individuals under the uk
ey @chilly veldt what is a fralla called in english???
You said GDPR applied only to Orgs without specifying you mean UK only.
eating too much of it can taint a drug test.
I like Asiago bagels
I thought that was clear when I sent the DPA and was talking about UK law earlier
Asiago is good too
Gaining discord chat , you are potentially gaining tons of personal informations you are not allowed to see. If i have a specific server with my friends where i shares infos , you can't see that ? right?
Same thing with IG dm or Facebook chat.
But if i go for: Your real name on facebook, it's literally a public information
the smolish cinnamon buns called gifflar is also a fire snack with coffee
I'd still like to learn from you. You said usernames were "personal data". Then how come GDPR articles like 5 (Principles relating to processing of personal data), 13 (Information to be provided where personal data are collected from the data subject), 19 (Notification obligation regarding rectification or erasure of personal data or restriction of processing), 33 (Notification of a personal data breach to the supervisory authority), 34 (Communication of a personal data breach to the data subject) and several others don't apply to what you yourself claim is "personal data"?
shadow is starting with nosense thing
time to go to bed
awww day I don't know of no coffee... 😦
Fralla?
https://www.privacy-regulation.eu/en/recital-26-GDPR.htm
Identifying a person means determining the identity of an individual using available information. Under GDPR, identification involves recognising or being able to single out an individual from others.
While a username alone might not identify someone, when combined with other data, it could. This is directly stated within recital 26.
Recital (26) The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. T...
type of sandwich thingy
Plz don't creep in my DMs okay thx.
If a username is connected to other categories of data then you have to notify the relevant people. I already said this.
the username itself doesn't mean anything.
Active enumeration is more a pen testing thing and refers to things that directly interface with the server and its services. By your definition osint is active enumeration which it is not
should be called fralla
no those are sandwiches
An email address alone doesn't say anything. You believe a company first collecting and then leaking a list of email addresses is not subject to GDPR regulations? That makes no sense. And it's not true.
No mean no on DMs plz
The GDPR recitals are not part of the law btw.
indeed , by my definition the first one is not OSINT , is an active enumeration.
Gaining public facebook name is not an active enumeration , it's a passive one
ah ah ah ACHOO https://medium.com/@twistedcircuits/sherlock-the-osint-tool-to-discover-usernames-bdac2d82b431
ok shadow , time to wipidiwoop bed or whatever it is
i'm not even that old and that slide looks like pain
And you're grossly misinterpreting it.
Sandwiches you say, what's in them?
When did I say that? 😆
Joining a telegram chat or whatever would still be osint, same as combing profiles
I'm old and my back is hurting watching that 
well anything you want...
also just found what they are called in english: https://en.wikipedia.org/wiki/Bread_roll
yeah , but taking chat and sharing it it's not
Uhuh. Sure, I'm bored of this conversation, you are clearly not going to change your opinion 🙂
so like a folded up calzone maybe type of thing.
Your argument is that none of the whole GDPR stuff applies to usernames since "the username itself doesn't mean anything". That must then also be valid for email addresses alone.
No that's doxxing
we are saying the same thing
That's because it's not a matter of opinion. And neither do you it appears.
Shadow has made me hungry.
Did I say that?
I said that the username on its own.
can't... have been lying in bed for nearly 1 hour before decided to go back to pc
You don't word things very well 😭
it always happen then she disappear
this is true
Giflar?
because im not a english motherlanguage or whatever it's called
Right I'm going to sleep, I'm up in 5 hours and need to not get roped further into discussion, have a lovely night all 🫡
no fralla... the sandwich thingy which is apparently called bread rolls outside of sweden
I literally quoted you. Yes.
No worries mate, take care
gifflar is just smolish cinnamon buns
Hmmmidk I am drunk
You are taking the context away which makes my argument sound different.
i have C1 , this is the real cringe shit
drinking on a sunday.... shame on bella shame... you should not have hangovers on mondays
I need to eat then go to bed
Wdym c1
Go make same relaxing herbal tea and try again
Hangovers only apply if you get them.
Your argument is that none of the whole GDPR stuff applies to usernames since "the username itself doesn't mean anything".
"While a username alone might not identify someone, when combined with other data, it could."
OSINT Mayhem over?
it's "advanced english title" here
the kettle would wake up the entire house
Ohh ok
Crazy how when you add the context back I say that the GDPR does say that it can be applied to usernames, huh?
I have vacation Monday
Is it a whistling kettle 😮
but i studied for 14 hours and im trying to translate italian into english
Go to bed you
because im a lazy fat ass
Lord , Shadow. Go count the sheepts
or like a real pentester
1 sheep
2 sheep
3035 sheep
5527 sheep
1337 sheep
count the vulnerabilities
diminished not over I guess 😂
everyone's having a good time in chat.
21 sheeps
22 sheeps
80 sheeps
445 sheeps
Rex, did you see the vid I sent
still want to talk about bagels though.
tbh i have a major depression black humor , but i can't write it.
Anyway , guys
you know my answer. Not a pizza 😛
good night
Okay it's time for me to sleep 💤
Goodnight Moon
It doesn't matter whether the username alone can identify a person. It is nevertheless "personal data" which means aaaall the GDPR rules related to personal data apply. I quoted the most important. Remember "The username is personal data if it distinguishes one individual from another regardless of whether it is possible to link the ‘online’ identity with a ‘real world’ named individual.".
You're misunderstanding the most fundamental part of GDPR which is the definition of personal data
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);
Important here: It is NOT only then personal data if that very data enables identification of said natural person.
Any information, whether the specific piece of information allows identification or not.
got to Italy eat real pizza and then will talk 😉
is there any real pizza outside of Italy?
there is, but not those monstrosities
Don't wanna stay up for another OSINT conversation?
This argument is going round in circles with context being added, omitted and changed. GDPR defines pii for businesses not individuals now I'm heading off fr fr 🤣 gn
but if jabba is sleeping who is gonna moderate chat from more deep discussions????
As we had established, at least in the EU, the GDPR applies to businesses and private individuals alike. It also doesn't know the term "PII".
Well people could sometimes behave so they don't need moderation
when you'll go to hell , devil 'll be afraid of you
ey this looks neat
https://youtube.com/@an0n_ali?si=kvPVKmx-SMsQnzM4
This guy, even with the robotic voice has blown up recently, but been linking him since he was at 6k subs. I like the guy's vids
Why you should study Malware Analysis?
hmm if he doesn't say "becouse you are a psyco" , not worth it
Reverse Engineering!
late night command setups
and zoxide set up
lets see how much this helps shadows workflow
Shadow, you know the Swedish gay boat?
There's a part boat in Stockholm called Patricia which is like a common gay place
huh okay then
anyways time for shadow to go meep moop to the beep boop for the sleep sloop
Yall what websites are good blog websites.
Send a BGT instead, he'll respond.
Tbh make your own, or if you want publicity then social media or medium
your own
and ngl it's not too difficult
why payment through paypal is not working? or its only me?
@hollow osprey
ty, i'll check it
idk what people from Norway are called but we should start using Narwhals
Norwegians
that makes sense
What login manager do you guys prefer most?
hello
let's play an easy KoTH on linux
https://tryhackme.com/games/koth/101174
this is my first KoTh ever!!
Gdm
personally, bitwarden. although i use keeper as well for some things. both good.
just don't use lastpass and you'll be good
for a display manager or website password management?
good question actually lol
oi @molten sky u free atm, need some OSINT help
mid game but will be after probably
okay whats up
not done yet but premoved the rest
where @buoyant tree go
hey
I really enjoy OSint and research, just don't really know how to apply that passion and knowledge.
The simulated games online only go so far : (
hey bro
@gray sonnet integration started
,-,
@viral junco Please don't advertise here
It's pretty easy ngl
Can you please change your pronouns.
for legal reasons this is a joke
That was a quick month 

how would one do binex/rev on a apple silicon device since its ARM
doesn't Ghidra support arm?
yeah but how am i supposed to run the binaries
well, on an apple device I suppose
Can anyone explain how student discount work here on THM?
@cold jungle ^
Maybe something like this can work? https://azeria-labs.com/arm-on-x86-qemu-user/
Never tried it though
guys I got a broken laptop
it won't turn on and I don't have the right charger for it
but I want to use some of its components to create a server
just wondering
how do you know if a specific component works
opened it up and everything looks all right
not burned/bended/broken
How long has it been sitting around without a charger?
I’m not sure how to check components but it sounds like if it has no charger and has been like that for a long time I would assume the battery is dead before assuming anything else is broken
You sign up with your edu account and get 20% off.
Unless you're required to email support if you're not allocated it
/docs student
hey all
Can I just say, screw socat syntax
but can I also say, pretty damn nice functionality once I got it right so, praise socat
but mostly screw socat
Can someone with knowledge about ssrf send me a private message? I think I found a vulnerability, but I'm not sure, I have a question☝️
What's the protocol that everyone must follow or else company gonna make their own and claim it to be the fastest?
I forgot
Would be nice if someone could answer
Are you doing a bug bounty?
are those your pronouns in your bio?
Change the pronouns please.
ya
they r mine
We don't use the N word in this server at all, please change it, or I'll have to remove you from the community.
What do you mean?
I remember going through try hack me
And reading something like
" Without this company will make their own and claim their to be the fastest"
" Which is something we don't want cause it would make computer cannot communicate with each other"
Can you try and find the room that said that, I'm not sure what it means without further context
yes, i try..
That's the only information I remember dude
I guess I find the answers later through time ig
So interesting enough, "Recall" will categorise your... videos watched for you...
That's... Handy.
Unfortunately can't help you then, sorry
On another note: LOL
0mg, get that STRK tokens Jayy, before it's too late!
I got my first job finally
Gz.
im going to struggle with obfuscation tho
Well, at least you know what you need to read up on.
According to my research, your GitHub profile is eligible to claim 110 STRK tokens due to your contributions to the open source code on Github. Based on the current market value, these tokens are approximately worth $105.
rolling in the money 😎
Ask 'em for the cash instead.
Congrats!
best summary for a writeup I've ever seen
Well, they're not wrong.
well its not wrong
NICE. Enjoy it ❤️
Wdym?
pretty sure he's talking about breaking rule #4
Pls i need em
You need what?
The website
Which website?
Tryhackme?
I need website for loading cards
So you're trying to do something illegal?
I know man
Well, that would be illegal, and against our rules as such, we don't discuss it or help users with these sort of topics. This is a server that partners TryHackMe
Okay man
@sleek swift we don't help with school work
ah okay , i was just looking for some people to survey
Thank you for understanding, we don't allow these sort of things for the privacy and safety of our members.
Gave +1 Rep to @sleek swift (current: #2099 - 1)
Please don't post across multiple channels, allow time for some members to get back to you.
selenium/beautifulsoup and thats it i guess
I know, but the channel you originally posted in would have been better as that is what you're asking about.
No idea.
i mean there is no one stopping. its not like there is no rule or anything
depends on the use case. if they want to test it they can
Morning
morning
Well "morning" been awake since yesterday
its actually evening here in India
i have been not able to sleep properly. im getting windows api in my dreams lol
It's 2 pm here, I just arrived back in my country after a weekend of CTF'ing and partying
So would that not make it afternoon, and not morning?
pretty sure selenium is the golden standard not only for bounty hunters even for devs. thats the only way you can run multiple test cases. in the firm i work they do most of the web app testing via selenium. im sure they use BS4 too somewhere
Gave +1 Rep to @pliant cairn (current: #857 - 4)
i should take a break from windows api
It totally depends you use the best tool for your use case.
If there is no javascript involved in what you're trying to automate then, just plain requests and bs4 or regex library would suffice to get all the info.
but if you need a browser to render JS then you'll need some framework like selenium (there are alternatives too).
nice. what CTF was that?
Well, I slept on the planes back
Midnight Sun
It was a conference and CTF in one
Nice!
Eeeek should I buy it https://www.razer.com/gb-en/gaming-headsets/razer-barracuda
My current headset is playing up
Hmm wireless. I guess for those gaming headsets might offer a benefit with lower latency. But i tend to get monitoring studio headphones instead. Usually offer better durability and audio quality
anything with "gaming" in the title try to mess with special audio and bass too much and ruin it for everything else
I had a studio headset but I found it wasn't too great for competitive gaming
What games do you play?
Are you asking for permission, or have you already bought them and would like some re-assurance
Primarily Fortnite. Shooter games.
I play Rocket League, Minecraft, Valorant as well
And then Bo6 and GTA6 when they are release.
Permission 
W
Then yes, get them. 🙂
I usually only play Valo and I can make out all the sounds. But my DAC does add a tiny bit of latency not too bad. I'm assuming The processing for these wireless headphones would be even larger. But i don't see any mentions of latency on those razer ones
Are you saying yes to make me feel better when I eventually buy them anyway regardless of how many signs I get not to buy them or do you genuinely think I should get them? 🤣
No, I think you should get them.
I mean I have a wireless mouse and I don't see any latency issues
Although, my partner might not be happy with you when I buy them... 
good afternoon guys 🦾
Oh no, that makes me a bad influence 😁
See, the Pro are £150 more....
guys youtube shorts is just AI shorts now
love me steel series headset 😉
https://www.amazon.com/Ear-Force-Dolby-Digital-Wireless-Headphones/dp/B000V7N54A
I used to use these bad boys, they were amazing for CoD4.
look at the ai edits you see while doom scrolling 👀 https://youtube.com/shorts/eELXq5Mb5Kg
about week ago a botnet named 911S5 was taken down by the U.S government.
I use Bose QC25
Yes.
Right now I have a crappy pair of Turtlebeach
If you spend more than $15-20, yes, yes they do sound different
it wasn't 👁️
This is what I use right now.
I always buy chinese headphones when my headphones break
I dont even have headphones rn lol
oh? I thought you were joking when you said "they all sound the same to me"
I spend more on gaming headsets than I do with music ones.
I just listen trough my laptop
sorry I'm not 😭
Although, the most expensive music ones I bought was Shockz.
its ok, is my bad
Good headsets can give you a big advantage in competitive shooters
When playing CoD you know when somebody is sneaking up behind you.
I dont really play any games
Useful if you're being a sniper camping.
I just listen to spotify and youtube
I used to use these, but I uh.. Can't find the USB dongle
@sick lance 🥴
I'll need to check if they work the PS4.
Wireless is a hassle
skill issue

You probably want the one with the boom microphone. It's £50 cheaper
barracuda X
I bought a Razer Kraken V3 (wired) for my PS4 and I loved it
I still use it right now
I rarely chat.
Mostly to my children when I game with them.
You don’t trash talk?
Not at all.
Missing out
broke it in no time
IDK i've had really bad luck with all razer products. 3/3 items i've used generally have broken around the 2 year mark
2 years is decent for average use.
Not really, especially when all these companies are recording you now for "safety"
I've had a headset that I use for daily use, 8+ hours a day and it has worked great. Especially for only £50.
I also had a keyboard for around 3 years. It still works but I accidentally shorted some of the LEDs by spilling water on it. It still works but I decided to upgrade because the volume controls were broken and I use them a lot
Studio headphones ftw. Also last 10+ years if taken care of.
As long as you don’t cuss or say anything very bad a lil trash talk is ok
Still would rather my voice wasn't being recorded.
my ath m50x still works 7years in broken clips due to cheap plastic construction. Have a hacky fix for when I need a second pair.
DT 770 pro Going strong for 3.5 years. Just need to change the ear muffs on them soon
I was going to buy a DT 770 pro but I went for a different brand
I'm hoping my USB dongle is behind the drawers, I just CBA moving it, and we're moving soon so I'll wait.
Just persevere with the crappy pair right now
It's really really good. But I hate the fact that it doesn't have detachable cables like the m50x does.
It's not because you're being recorded, in your own home, 100% of the time the game is on. So any background, while actually in the game or idling is going to be recorded.
Crazy
How is that allowed
@hollow pivot when you read this... You also have Flint 2 router ?
First thing I had to do when I got home was moving my motorcycle cause I got an email from my landlord about it being parked next to my apartment and not one of the parking spaces semi far away
Hey, yes I do
got some issues with port's and not sure of how to deal with it =/
"Protection of Children," when they're playing M rated games, lax privacy regulations, and people outside the space being like "you agreed to the EULA."
Bruh
sure, will get back to you as soon as can
also don't forget the no arbitration clause stuffed into EULA
You should hardware mute whenever you're not actively using your microphone tbh. Even if you're not in a video game
Yes, I do, but that doesn't work when the controllers have microphones ie Playstation
They can be turned off.
There's a button on the controller
I see I see
And I am happy with games using my microphone if I have in-game chat enabled.
Fortnite records party chat, which I think is fair when some people can be inappropriate.
If you're not in the party, it's not recorded.
The controller has an orange light for mute. blue for active.
I guess my question would be is that an actual hardware mute or can you go into the console and re-enable it through a menu?
You can use a menu to unmute if you wish.
But you receive a notification and the light changes colour, you'll also lose the muted icon on the menu when you press the Ps button.
just talk in mixed language
Wouldn’t be surprised if they got translators
I'm not learning a second language to have a conversation on the Playstation.
We may never know
usually it's only checked when someone makes a report.
^
I'm sure there will be certain keywords that get flagged.
But that could be false positives depending on the game that is being discussed.
when my friends play they use 3 4 languages so it doesnt really matter unless that listener is native
i hvnt played any games so idk
If only there was translation apps that can do it faster... 🤔
u really cant translate when u use 3 4 languages with 0 care about the pronunciation and accents
i tried it was such a mess 😂
the same line in english and same line in any native language can mean completely different
if they try to translate
Hello! Is there anybody in here familiar with salesforce apps?
You could get an answer faster, if you just ask.
Do you have permission?
So you can submit it to our admin team, before we can answer?
As in, proof of the contract.
Are you familiar with this type of app?
Yes.
Please ask before you dm's.
And as this is work related, we cannot help you.
do you have at least a resource I can look into
Morning THM 👋
guys i need help from someone
What
who can read an ip address of someone who hacked my facebook account
That is unethical and against our community rules @shrewd trench
We can't.
i wanna know at least from where he could break into my facebook account
You need to contact facebook support
Please contact facebook or meta for support in account recovery
i will thanks
i have a pretty sophisticated password so, it was a big surprise that he could get into my account
gg
Did you click on something
nope
i am the type of guy who double checks every link before clicking
even the https and .com ones:)))
did another person use your device
social engineering - typical fraud or phishing many vectors. Contact FB support. they will help you
no one besides me has access to my accounts nor devices

