BSidesKharkiv 2018 - Kostiantyn Korsyn PERSONAL CYBER SECURITY

I've heard this from the previous speaker, and I will answer your questions in this presentation. Your questions. Partially yours. Yes, I work at Security Coast and my hobby is the public organization of the Ukrainian Information Security Group. You may have heard about us, we hold the USG.com conference. This year, in October, it will be the 14th. Yes, I will turn the slides over with my voice. Well, then let's do it. There was a name, that cyber security is easy, and what to start with, and what advice would you give? I would give. This is an overview of the main thesis on which we will go. Who needs my mail? This can be heard very often from different people. Who needs my

mail? In this context. Quickly about passwords, about de facto authentication, about the use of operating systems. Here we asked the question. about the novelties about the antivirus, about the backup copy, a little bit about the encryption, about the mobile security, about the physical one, and about the "Don't click sheet" . So, who needs my email? It's a very widespread misconception, as they say. Why? Even if you are not a journalist, a spy, a politician, you have very secret money, very important and critical information, many people think that So, what is it? Some kind of private correspondence? What for? To steal your money, because you can renew access to PitPay, Bitcoin, WebMoney, etc. via your email account. And your personal data, which you are

a student today, someone once took your photo in a storage, and in 10 years you are already a prominent politician. and you are very sorry that your account was unprotected 10 years ago. These are different things: betrayal, friendship, life, and so on. Requirements that can manipulate your Your opinion, maybe you are a student now, and in 10 years you will enter the State Security Council, the Public Council, and your opinion will be important, influence some decisions. And, in fact, using the account for botnets, spam campaigns, phishing, etc. Next, please. This is a typical example of an unimportant account. Your unimportant account has been hacked, and all your contacts have been sent something like this: "Hi, I have bad news, my mother is seriously ill, give me

money and here is the account number." And then you don't know about it, and you meet your friend in a month, and he says: "Well, how is mom there? Is she okay?" "Well, you wrote that she is ill, and I gave you the money." Yes, it's not the first thing that comes to mind. What can mean your account is not important? It's always important, even if you don't consider it important. It's important, really. Next, please. It's about passwords. This is an example of the weakest passwords. One password for all resources, which are possible, e-mail, websites, web-banking, is not possible in any case. Never do that. Especially with such passwords. We will talk about the length and quality of passwords later, maybe

on the next slide. But never use even one of the same long and complex passwords, at least on two accounts, on two resources. Never. Take it as an axiom that does not require proof. Next, please. On April 12, there was such an incident. A famous site of the UAE work. There was a speech that, I don't remember now how it was, actually, they did not use passwords in their internal network, or rather they used them, but not with the algorithms they needed. And actually, every employee of EA's company had access to all passwords of all users. There was a very public discussion, but this was the case when people from the damaged resource reacted very adequately. They didn't

start to "beak" but went to work with the community, admitted their mistake, asked for help and quickly fixed it. They were helped by the community, by the experts. This is a bad example of what happened at the post office last week. When you receive such a message, when you renew your password and you receive such a message, it means that everything is bad. with this resource in terms of keeping the user's passwords. This should never happen, that your password comes to you in plain text. Do not use this resource for the sake of your ability. Next, please. This is a database of weak passwords, well, basically, according to the rating, You can compare it with your password, you

can enter your password and see what it is in the rating. And burn it at the same time. Two or three passwords on the post, websites, web banking - this is better, but still not safe. Next, please. A unique password for each resource is ideal. I do it. I don't have two identical passwords anywhere. And they are of a certain quality. But in this case, it's quite difficult to keep in mind passwords from all the numerous ones. We have several email accounts, some web banking, some post, some website access, social network. A password manager will help us with this. These are the ones I would recommend to use. There are no free ones here. They all cost some money, but

money. That is, people develop a quality product for your money and answer. That is, when something is free of charge, you are a product in this scheme. That's why I'm very suspicious of some very quality but free of charge products. Passphrase is usually used in password managers. A password manager remembers all your passwords that you enter there, but you need a passphrase to enter the password manager itself. That is, it is a huge password, very reliable, but it is the only thing you need to remember. You no longer need to remember other passwords. But it is very important to think thoroughly how to come up with this password phrase. A favorite phrase from a song, some

very unique information that only you know. The brand of the first car, some name, etc. On the next slide, it seems, there is an example. No, not yet. How do phrases form? An ideal password should consist of big and small letters, numbers, special symbols. But to convert a simple word into a a rather reliable password, such tricks are used. Instead of A, it's like a four, B like an eight, and so on, and so on, and so on. S is a dollar or a five, and so on. And what about the length of the password? Less than eight symbols, this is not a password, this is, excuse me, a dog's paw. And less than eight, in no case is an overkill,

on one computer in less than a few hours, an hour, maybe two, and that's it, you've broken your password. And from 8 to 10 is better, that is, with the capabilities of one computer, it can be sorted out somewhere up to one week. And 11-12 You can break it, if you connect it to the same Amazon in a virtual machine in the cloud, it will take a week. 16 is very good, 20 is unreal. So far, the quantum computer has not been found, and when they find the quantum one, it will not help either. But so far, more than 20 symbols are super good. Next, please. This is a bad example. One bank is very famous

in Ukraine, everyone knows it. It gives a screenshot. Okay, no less than 6, maximum 15. The maximum length should not be limited to 15 symbols. It is not recommended I use special symbols in passwords. I absolutely disagree with this, so I showed this screenshot. And I even talked to the head of cybersecurity of this bank. He smiled and said: "We work on this." In fact, this is an outdated, slightly old-fashioned backend. That is, something new needs to be used. But it's wrong. Next, please. Well, this is Kyivstar, I don't know, maybe it's not relevant anymore, but there was once, at one time, that your password came to your mobile phone in plain text, but it shouldn't be like that. Next, please.

The best passwords. Passwords based on a row of three or four words, or more words, if it is limited by your ability to memorize large numbers of passwords. That is, different registers of symbols and numbers of special symbols must be used, as I said, these are special symbols, the letter "M" in the form of straight, inverted letters. Here is an example of a passphrase. Just your personal, something that only you know. Something from your personal life. "On December 12, 2007, I met Oksana. We met at the Saeva cafe. I was playing the saxophone there. Oksana + Saeva = Saxophone. December 13, 2007. 29 characters. Welcome to the club of paranoia." That's it. That's it. If you need to

remember this one thing, you buy a password manager, this one phrase, these symbols, great, you're safe. Practically 99%. Next, please. Another method for passwords. Choose a base that is easy to remember. Good job, in this case. Remembered. It can be translated into these symbols. Instead of G, it's an eight and so on. This "good job" in the direct text or in the changed one, you remember and remember the combination of three special symbols. This is a percent, a zero and a bracket. Now you are putting some algorithm in your head again, that you put these three special symbols either in front, or in the middle, or behind the basis, and you will have a very good password. In fact, that is, here

are the letters, numbers and special symbols. That is, it is not very safe for critical accounts such as banking, or a password manager, but just to remember. That is, it is a compromise between convenience and security. Next, please. Well, actually, everything I've shown here, I've told you, can be considered compromised. Don't use these examples of the quality of living passwords. It's already compromised. That's it. What you said once, even once, is considered compromised. Especially since it was publicly announced. So, use your own, exclusively your own, information according to similar methods. Combine these different methods. and you will be happy. I want to give you a funny example. I was compromised for many years. In 2007 I flew to Seoul and

I didn't have my own laptop at that time, and I needed to get access to my own post office. So I went to the hotel, there was a computer at the reception, I had a post on my internet. I entered the internet, but my password was in Russian letters. I thought it was a very cool password, because I read a fantasy book, and there were two swords, one is Hakai, and the other is Yaskaron. I thought it was such unique information that if you write the names of these two swords with one word, it would be a very cool password. First of all, these are dictionary words, everything that was once published somewhere in some books, it was scanned

somewhere on the Internet, that's all. That is, these are the names that have already been somewhere, and the dictionary is very easy to break. Secondly, in a Korean hotel in Seoul, there was no Russian layout on the keyboard. And this, yes, made me a little embarrassed. And then I remembered that there is such a thing as a screen loop. While I downloaded it, while I installed it, fortunately, the hotel computer allowed me to do it. And I still kept it. But this is a bad example too. Don't do that. Next, please. Two-factor authentication is very simple. You use it everywhere where it is possible, where it is allowed. Here is some additional information on how to use two-factor authentication on different

devices, on different platforms. Especially the last one, I ask you to pay attention to it. To factor out.org This is a list of services that support de facto authentication. Why is SMS as a second factor not desirable? Because it is not reliable and nowadays it is quite easy to get around. This is the simplest and most available method that is currently used very often. But the SIM card can be stolen. to restore the number to another SIM card. Let's say, you may have come across such a situation when some people call you and you call them back. This is how they can replenish some money. But you see the missed calls and call them. That is, you are dialing some

numbers. And then, maybe it doesn't work like that now, who worked often. The criminal calls the operator on your behalf and says: "Call the last three calls." And if the malicious person also called you, you call him back, he sees that you called these three numbers and he clans your card on himself, and through it the card is cloned, the account is restored, the bank is restored, access to the client bank and so on. In addition, $500-$600 is worth the equipment for collecting SMS now, isn't it? Cheaper? Expensive? Well, I say that the overhanging of SMS, as it was on the Maidan, overhanging of SMS is not expensive, really. What are the recommended alternatives to SMS? Instead of

SMS, it's Google Authenticator. Actually, it's free, which Google developed. In a good sense, free. One-time password token. It's a kind of a device, usually for access to the client bank, which generates one-time passwords. There are at least six symbols. It's not perfect, but quite effective. Biometrics. It's a grid, fingerprints, and some other things. Next, operating systems. We have the most spread out Windows, unfortunately. I have been using macOS for many years. So, from the point of view of security, we are talking about security now. Not about the convenience of use, but about security. And here macOS is more well-protected. Without exaggeration, modestly. Because in fact, what is there in the depths There are 5 people in the world who know what is

happening there, what are the backdoors, what are the special services, what countries have what. There is nothing like that. But MacOS was built on FreeBSD for a long time and it kept the main ones, so it is much more protected. I have forgotten such an antivirus, I haven't used it for a long time, but we'll talk about the antivirus later. Linux, Unix, all BSD are used for more professionals. Not for everyone, there are some problems with usability, but the security is quite high. And what about Windows? I want you to consider Windows with administrator rights as an incident of security. In fact, in the vast majority of cases, there is no need to run Windows with administrator rights. Get yourself a

user, Only in some cases, when the program installation requires the administrator's rights, turn on the program and turn off the administrator's rights. Most breakdowns occur precisely because the user uses the administrator's rights. This is an incident of security. Avoid this at all costs. Next, please.

This is also a proof of what to read about the security of operating systems, such guides on Windows and MacOS. The presentation will also be available there on the PDF, you can read it to those who are interested. Next, please. And about the renewal, well, it's simple here. Everything must be constantly renewed. Everything and constantly. But here the problem is different, that the same Windows auto-update, you can turn it on and everything will be, well, almost everything. What is used by Windows itself, you can enable auto-update, it will be updated more or less. But usually, on Windows machines, there is a lot of other software that usually needs to be updated manually. That is, to run, enable, check the

update, and so on. And if there are dozens of such programs, it's quite difficult. Therefore, various such programs are invented that scan your computer for the purpose of new updates for all installed programs. How to do it, well, something needs to be patched, weak passwords, who can tell these programs, how to do it better, and so on. For macOS, there is such a thing as homebrew, but you need to dig deep into the command line, and it's far from everyone, let's say. Although there is such a tool, and it works, but you need to dance a little with the drum around it. Well, that's how it is. Next, please. Oh, about the antivirus. I don't use it, but I think that the effectiveness of the antivirus

is somewhere like a homophonic. Imagine that in your apartment there are no locks in the doors, no alarm, no dogs. You often don't have a house, there are no locks in the doors, there is only a speaker below. That's how much one single antivirus protects you. Even if it is constantly updated, it is updated immediately, not once a day, not once a week. But there are no antiviruses that protect us 100%. The antivirus manufacturers claim some fantastic semantic base, how many samples of viruses they have, how cool they are. In fact, they are not. Antiviruses protect against known, already discovered threats. Some self-propelled, well, once made for a specific target, well, the target of the client, a

virus or some malware, it is not detected, and there are many such cases. A specially developed agent, it is not detected. The antivirus works with what has already burned. Another thing is the antivirus program, which has more rights than you as an administrator. What is it doing in the registry? It is clearly not possible to say. This is the super administrator's right. She searches something, sends something to her server. You cannot control it. The antivirus developer will not tell you this either. Or he will tell you, but it will give you very incomplete information. If you need to check something for viruses, you can send a file or a message to VirusTotal, please. There are 56 or 57 all kinds of antiviruses. And it

works very quickly and also very cheap. There is a paid version if you use it very often and a lot. But one message or a few files, small ones, with a size limitation, are tested very quickly and free of charge. How to choose an antivirus? I recommend this AvaTest.org. It also has very detailed descriptions of the pros and cons of various antivirus manufacturers. Next, backups. Where do we lose our devices the most often? Phones, laptops, tablets. Taxis, restaurants, bars, metro stations. You can be simply stolen somewhere in this city, at home or at work. Special services and reptiloids. Of course, there are some maximum risks. If you are a spy or a very high-ranking politician, or a paranoid person, You

can lose your beloved device even if you used all possible means to save it. But it can be the work of unparalleled force. And the most frequent way to make a backup copy is once a week. And that's mostly because I have warnings on the screen. You have already spent a week, you have not made a spare copy. Shame on you. In fact, it is desirable to do as often as possible, but the practice of life is such that once a week it will be very good. Keep them on external sources of information. If it's a work laptop, you can keep a backup copy at home. If it's a home laptop, you can keep a backup copy at

work. You can physically carry it around. If you have a laptop at home, you can also capture a beautiful backup copy with a flash drive. So, you can physically carry it around. I've already given you the last one, how to keep and protect it. This is also in the ideal world. It happens in everything. If you have a safe, that's very good. If they break your safe and there is a flash drive, they will probably take it, spit it out, swear and go on. Next, please. Coding is also important. I highly recommend checking the type of connection in the browser's directory, HTTPS, that is, encrypted, and checking certificates. Usually, browsers themselves shout that the certificate's term of operation is

over, but it happens. So, in the upper browser's directory, check if it's HTTPS, and if it's two clicks and you've checked it. Chrome, Firefox and Opera have a special plugin called HTTPS and Eurovia. You download it and it automatically checks everything in the first step. Full encryption of the disk. Here's a colleague who reminded me of it. This is a good thing and it is very desirable, especially since it does not require additional costs, because it is free of charge for most operating systems. And the encryption of communication channels PGP, GPG, SMIME, you probably all know that these protocols are used for e-mail. PGP is paid, GPG is free. SMIME is more of an outlook. I don't know about Thunderbird, maybe

it is. I highly recommend using these protocols for email. In fact, there is nothing complicated there, especially now, it's very simple. You don't need special knowledge. As for messengers, someone asked a question. Messengers who use end-to-end encryption are highly recommended. Signal, WhatsApp, iMessage, by the way, iMessage is an iOS built-in function, and they don't really advertise it anywhere, they don't write about it, but in fact, there is a pretty solid encryption algorithm. The same Viber, by the way, and 3M. This is a Swiss messenger, also very reliable. There are also Facebook Messenger secret chats, Google and Telegram. You all know about Telegram. The main problem is that the encryption algorithm is proprietary, developed by the developer. It

is not discussed publicly. Usually, the signal and WhatsApp. They gave the encryption protocol to all the experts in cryptography. They studied it for a long time. Indeed, international experts said: "Okay, very cool protocol, awesome!" Durov did not do this. He said: "I will not tell you what protocol I have. It is very cool, it is very reliable, believe me, it is very reliable, that's it." So, in fact, everything related to Russia, I would avoid at any cost. Next, please. This is just an example of our website. You click on the browser, and how to check it? It is written "https" at the top. And the certificate check is valid until August 23, 2018. Well, that's how it

should look like, the "https" and the certificate. Next. Also, the electronic encryption, the verification materials, where to read everything, how to use it, with instructions, etc. I will not stop here now. Let's move on. Yes, about encryption, VPN. You all know what VPN is. Virtual Private Network. It costs a useful piece of $ 5 per month and higher. And it's very, very useful. Especially if you work in a BSP with some critical data, or confidential, or confidential, or confidential, or you just don't want your provider to see which porn sites you go to. And, of course, Tor Browser is also Tor. Tor. It's Tor. Tor Browser. Everything is cool. There are also methods of calculating the user through

the store browser, through exit nodes, social engineering is used there. But it is a useful and free thing. Add blockers slow down the load of web pages a bit. But you don't see the majority of that flashing advertising and all that. The incognito regime is an illusion of security. Because the incognito mode is when two or more people use the same computer and one person wants to hide from another user of the same computer where they went. And the provider sees everything perfectly, there are no questions. You can be moved not only by the provider, from the site where you go to some website, that is, to your IP address, to your feed and track you. I recommend this

privacytools.io resource, because it's a very interesting thing. It's written about a lot of interesting things. Let's look further at what's there. What VPN providers? There are many VPN providers, and it turns out that there are many among them. There are providers that publicly announce, for example, VPN providers, that they publicly have no possibility and do not transmit information even at the request of law enforcement agencies, even the United States. That is, it is immediately announced and explained why it is impossible, even if they wanted to. This is an example. No, there is a special… well, you can read it and see, it's interesting. It really works. There is nothing, the logs just don't work. Which browsers are better to use in terms of security?

What emails, email clients? For example, the search systems, DuckDuckGo, for example, are not tracked. If Google is tracking us all, you may have already seen that you have googled something, and then Facebook came in, and here the same product is already offering you Facebook. That is, Google is tracking us, and it sometimes annoys us, but DuckDuckGo is not. What messengers to use, what file sharing, etc. Password managers, that is, these are some guides, there are many different options, products, VPNs, browsers, password managers are offered, how to choose between them, under what criteria. Here, everyone, in this resource, all this is explained with examples, etc. Very interesting. It says that Windows 10 is a nightmare for

privacy. I don't know, I haven't checked it. Next, please. Mobile security. iOS vs Android. The same. I can explain why iOS is much more secure than Android. In short. that both the development of the operating system and the updates, and the hardware itself, that is, the phone itself or the tablet, is handled by the same company that we all know and which fully responds to this and your updates in the App Store always came in, updated at least every hour. Android is not like that, it's a free system, which is used by different manufacturers, like MiUtsu, Sony, Nokia, LG, and so on. That's why everything around is collective, everything around is mine, and nobody cares about security, especially

about security updates of Android itself. If we talk about Android, Google, which bought Android in 2005, incorporated it for $330 million, it produces devices and is more responsible for updates of Android security. Don't root your device and don't jailbreak it. Jailbreak is more for iOS. Because this is dangerous from the point of view of security. Use only official stores for updates, for programs. Although there were multiple incidents with Google Play, that there was some malware and some advertising software. Well, there were incidents. And the sub-store is a unit in the whole history, as far as I know. So it's also much safer. But it's still better to install everything from official stores. And, in fact,

unauthorized security updates, well, too. Next, please. Well, physical security, in fact, a personal computer, it must be only personal. I don't know if it's possible, but it may still exist, that one computer is used by several people. Well, this is a horror from the point of view of security, in fact, because one person must use one computer. Not to give a computer that, or some important information, not to let children play, what they are doing, or the dog can dance on the keyboard. Lock screen, the screen is always, even if you go to the toilet, and there is no one in the room, it's just a good habit for a real paranoid, a security guard. Always step back

more than half a meter from the computer and lock it. That's it. It should be a good habit for you. It will definitely not harm you. And if there is a possibility, you can lock the laptop somewhere and go somewhere for an hour. Just in case. An hour or more, a day, a week, you can go to the bus. Tie it to something, to a battery, I don't know. Next.

And don't click shit, don't push cacos. We also get a lot of messages in mail, and some pop-up websites pop up, "pass the test", some crazy ones. Think about it, copy this link, go to VirusTotal, copy it there, let 57 antiviruses check it for the presence of harmful software. It will take a few seconds. If it says "ok", 0 out of 57 antiviruses, then this message is already being opened. But when it's opened, you still have to check what content is there and what is being offered to be pressed. I've already mentioned the check of the HTTPS and SSL certificates. Installing the ban on the flow of wiki on browser settings is also… copying the message is like copying

copy it and insert it into Rostotal. Don't use someone else's flash drives, CDs, DVDs, if someone else uses them. Next, Flash and Java. From the point of view of security, they are dangerous things. Flash, HTML5, YouTube automatically replaces Flash with HTML5. But on many resources, especially on some old websites, it is quite a popular flash and many people use it. Therefore, it is better to ban all these settings in the system in the browser.

to do it like this, on my laptop, that is, to remove the checkbox that Adobe Flash Player and Java. I understand that some programs do not work at all without JavaScript, without Java, but by default, you need to turn them off, again, not from the point of view of usability, but from the point of view of cybersecurity. This is how it looks for me. Next, please. And this is how it should look on Windows. Where is it? Downloads, Adobe Flash Player, off. There is also about Java somewhere, I think. I'm like that. It's very rare on Windows. Next, please. This is how my Safari browser looks like when you see a video on Flash. No, I

won't. Although there are some plugins that automatically convert the flash to HTML5. Next. This is a link where you can listen to detailed explanations of well-known experts from each slide in 40-50 minutes. which explain in technical details why it is like this, and not otherwise. I went through it quickly, somehow more declaratively, especially I didn't explain it. Here you can read it in detail, as much as possible. And the last slide, I think, is a question.

Thank you for the lecture. I have a question. For example, I go to the site and I know that I will use it only once, but it still requires some registration. I enter a temporary email address, And what about the password? Should you bother with it? Or you can use some banal password that you won't use later? If you really need this website, you can't refuse it, but it requires a mandatory registration. I don't think of websites as such. Websites are information platforms where information is shared for public general access. But if it is about a website or social network and it requires or obliges, and you have doubts about the safety of all this, and

most of the websites, even the world famous ones, have this flaw, there is bad security, then use it, make yourself a free account, a one-time one, especially if you went there once. and use a one-time password. You can use a test one-time password, if it's an email. If you're not going to go back there anymore, if you've checked out and found a cool site, then go back and change the password to a powerful one. One more question. How do password managers guarantee password security? If they keep all your passwords in one place, how safe will it be? First of all, it's by hashing, and secondly, It is stored on your computer. There are different password managers, there are in Cloud, in Cloud

Cloud, but you can choose the one that is a password manager, which stores all the information on your computer. Well, I didn't understand the whole question.

Yes, that's how One Passport works. Well, I have One Passport. The question is to think, to read. There is a resource somewhere. How to choose? Search DuckDuckGo, how to choose a password manager. You can even search it in Google. Read it, learn. How do you choose a coffee maker? If you really think it is very important, read some descriptions about it, some advantages and disadvantages. I see another question. Yes, hello, thank you for your report. I have a question. As a specialist who has enough experience, what are the fundamental rules for ensuring your safety? All of these. There are some more, but if I tell them about them, they will stop protecting me. Everything I've told you is compromised, it's all burned out.

Another question about flash drives. You recommended not to use flash drives at all. They are someone else's. Yes, but now the flash drives, especially in student life, are the most common way to transmit information. In fact, no. In fact, there are a lot of public services now, free of charge, where information can be exchanged, and you can put out some free Google Docs, Drive, etc. - They still use the flash drives. - Sometimes they do, but if you have an antivirus, you can set it up in such a way that any flash drive without the operator's command is automatically checked. But this is a risk. If you take this risk for yourself, you take the flash drive in your hand, pull it to the

distance, And you understand that you are now at risk. If you accept it, it's okay, if you don't, think of some other solution. Regarding the Windows update, you recommend updating Windows, but Windows, as you know, follows every step. And as a person who thinks about his safety, I prefer to disconnect services and services that monitor traffic, everything. I recommend that you always choose less than 2 ZOLs. I strongly recommend that you install any updates as soon as possible and send messages to Windows about errors. Send? Yes, send. It will help them to increase security and productivity, etc. I don't know, you need to be a super spy to prevent… What information do you have that the developer of the operating system…

Well, you can't trust anyone, but not so much. I'm a paranoiac, but it's too much even for me. Please.

Yes, I take this risk. I understand that this is my personal private information, I took this risk. Yes, yes, yes. I don't use it anymore, by the way. I would put the combat information. Please, your questions. One question. Let me ask a question quickly. You said that what is happening in Yandere Windows, no one knows, maybe there are 5 people. And they also said that you like macOS the most. Yes, indeed, macOS is written on FreeBSD. The source code that was published. Today, no one has seen the source code of macOS, as well as Windows. Based on what data do you say that macOS does not have backdoors? Well, first of all, I read a lot about this topic in my time. Secondly, I

pay a lot of attention to any information about possible backdoors in Mac OS. But if you worked with Freya, it's quite difficult to hide something. It's easy to check. Every message about backdoors or some hidden macOS functions, I read it, when I read the whole original article, not the translation, reprinting it through 15 editions, then I understand that it's nothing. It is a very private case that there were some patches, some additional software, it somehow conflicted and some researchers in some very specific circumstances discovered, well, it's more academic, professional sources of information. I didn't study it, personally no, because I'm a reverse engineer. And he is a person who wants to ask something for a

long time. He is very strict about all peer-to-peer products. And in many companies, Tor is banal. If you are on corporate network? No, I have… I don't know exactly, but I think it is forbidden in some countries. In Ukraine, Tor is legal. If a person keeps a release or relay node, is it legal or not? I hear for the first time that something is forbidden in Ukraine from the point of view of the Internet. Except for sanctions, but it is also not very legal. Tor is not in Ukraine. No, no, wait, wait. We are talking about using Tor and Tor browser, not about illegal actions on the network. And in terms of using corporate networks, the owner is the owner of the resources,

that is, the owner of the company has the network, the computer you use, and your working time that he pays, that is, he must limit how he will be tempted. And if your company is a research company with cybersecurity, then you will be forced to use a Tor browser, and two VPNs, and a virtual machine, and some other anonymizer. That is, if you are a research company with cybersecurity, You have this "must have", right? If you work in a real estate company and you went through the store to some suspicious website, then maybe there are reasons for the owner to ask: "What is Mendel?" Thank you.