On Saturday 11 Jun 2016 21:48:49 Dale wrote:
> Mick wrote:
> > On Saturday 11 Jun 2016 17:57:11 Dale wrote:
> >> Howdy,
> >>
> >> I ran up on a video website that had some info on it. I found it
> >> interesting and was curious about what it said and another question I've
> >> been wondering about. It mentioned using a VPN so that the NSA, my ISP
> >> and others couldn't "see" what was going on.
> >
> > I don't think there is any VPN service offered for a fee to the public
> > that hasn't been compromised by the NSA, with or without the cooperation
> > of its owners (unless it is based outside the USA).
> >
> > At a basic level a VPN tunnel is no different in functionality from SSH.
> > Like SSH, both ends (local & remote peers) must be able to negotiate a
> > connection over the VPN tunnel. High(er) grade ciphers, PFS and SSL
> > certificates create a more secure tunnel than otherwise would be the
> > case.
>
> After the Snowden thing, I read an article that talked about how the NSA
> could monitor https data and decrypt it basically live. In other
> words, they didn't have to spend time breaking it because they already
> knew how to break it with some sort of backdoor method. I don't recall
> where the article was, just that it was a site I've seen mentioned a fair
> amount when it comes to geeky/nerdy stuff. In other words, not some
> site just looking to stir the pot.

Yes, the NSA has used supercomputers to precalculate large primes for at least
up to 1024-bit DHE, as used by many VPN and SSL connections.


> >> So, my first question,
> >> does that work and does it require the site on the other end to have it
> >> set up as well?
> >
> > BOTH sites must be able to negotiate a tunnel, using the same ciphers.
> > IKE VPNs are more fiddly to set up and troubleshoot than SSH.
> >
> >> Bonus question, is it easy to use on any site if it
> >> doesn't require the other end to use it?
> >
> > The way these public VPN services work is by acting as a proxy
> > server forwarding your connection onward to your intended website,
> > without revealing your local IP address. As long as the connection to
> > the intended website is also encrypted, e.g. over https, then your
> > connection remains both anonymous and secure.
>
> This explains some of what I read on the link Dutch posted. Since https
> seems to have already been broken, well, there goes that.

Only some of it is broken, depending on the configuration of the particular
webserver and the browser. Banks in particular used to configure their web
servers to the lowest common denominator (mostly for their customers' MSIE
compatibility) and until the Snowden revelations came out many banks were
still using RC4 SSL ciphers.


> >> I'm thinking of using this for
> >> my banking/financial sites as well if it is a good idea.
> >
> > Good idea if you are out and about a lot, using unsecured public WiFi for
> > this purpose. Depending on how you have configured your Linksys you could
> > use your own local network for the same purpose, i.e. as a SOCKS5 server.
>
> I only access my bank and such from my desktop. I don't have a laptop
> or one of those smart phones either. I wouldn't mind a laptop but I'm not
> interested in a smart phone. That said, I've been notified by my cell
> phone folks that I have to get a newer phone before they do their tower
> upgrade. If I don't, my phone won't work any more. I have an old
> Motorola Razr thingy. Hey, it makes/receives calls and does a decent
> text. It works. I also don't butt dial since it is a flip phone. lol

When you get yourself a smart phone you should be able to use its VPN client
to connect to your home's LAN and then bounce off to the Internet from there.
Or you can wait until you get back home and browse the Internet using a normal
size screen. :p


> >> This is something I've been wondering about and I've seen a few posts here
> >> that bump around the edges of this question. As most here know, I use
> >> Gentoo. It's an older install but I keep it up to date. I sit behind a
> >> DSL modem, an older Westell one, and a Linksys router, the old blue nosed
> >> one. Neither modem nor router has wireless stuff included. Is that
> >> hardware and my Gentoo install pretty secure against most hackers? In other
> >> words, since I don't keep the formula to run car/truck engines on water
> >> here, would this stop most since there is nothing worth stealing here?
> >
> > You haven't given this much thought ... How would all these hackers who
> > want to steal the secret of running car engines on water know that you
> > have nothing worth stealing in your secret lab?
>
> Well, I'm sure a lot can be told by the fact that I'm on a basic home
> DSL account. I'm not on J. B. Blows secret services network. Now if I
> had a super fast connection that had something interesting in the name,
> then I could see someone peeking around and thinking, let's go break
> into this network because he has some neat stuff to steal. Basically,
> I'm not NSA.gov. ;-) Although, it would be odd but funny to read about
> the NSA being hacked since they are the ones nosing into everyone else's
> stuff. o_O

Malicious hackers and state actors scan all networks for victims. You may
have no data of interest, but many hackers wouldn't mind adding your PC to
their herd of botnets.


> >> I'm not interested in an NSA-based hardened install here, just reasonably
> >> secure.
> >>
> >> Basically, I'm just wanting to make sure I'm reasonably secure here.
> >>
> >> Dale
> >>
> >> :-) :-)
> >
> > I guess you are reasonably secure, if by secure you mean protecting your
> > LAN from unwanted penetration and you have a firewall configured on the
> > Linksys, your PCs are NAT'ed and finally you have a firewall configured
> > on your Gentoo PCs. However, being secure is a relative term and in your
> > case ill defined.
>
> There is a website somewhere out there that scans to see if a puter can
> be seen or not. I've run it before and it always gives me a clean bill
> of health. Basically, the only port it sees is the one it is using to
> do the test. Sort of hard to break into something they can't see but
> I'm sure there is some hacker out there somewhere that could get around
> that too.

Security by obscurity, which is what the GRC 'Shields Up' port scan website
proposes, offers no security at all. Don't get me wrong, S Gibson has set up
a really good marketing enterprise at grc.com and made tons of money by
spreading FUD. In the days of MSWindows 98 when ports and shared folders were
inadvertently left open to the Internet with no firewalls in between, port
stealth was one desperate measure to increase security. However, the fact a
port may not respond to a probe does not mean in any way that the port is not
vulnerable to attack. Thankfully, I don't think many of us are using
MSWindows 98 directly connected to the Internet these days. ;-)


> I'm not going to dream about being as secure as a bank or
> something. It's not reasonable to think I could do that.

Hmm ... I wouldn't be that sure. Gentoo well configured is pretty secure and
does not use RC4 ciphers or allow the connections to be degraded to lower
strength ciphers like some banks do. In addition, I hope you have not
outsourced responsibility for your own network's security to some underpaid
drone in a 3rd world country, as your bank probably has.


> I just want
> to be reasonably secure given what I can reasonably do. I've had folks
> tell me that DSL is more secure than cable service. I've also read that
> having a router added into the mix also helps, since it is one more step
> they have to make. Hopefully that is enough.

OK, we're back into discussions that may have held true back in 1998 ....
Cable modems operated as a node exposing local users' connections to each
other. You used to be able to connect to a neighbour's MSWindows 98 PC and
browse his files. These days cable nodes implement the DOCSIS 3.0 or 3.1 spec,
which includes encryption between CMTS and modem. In addition, most modern
cable modems also offer NAT routing. So the security of consumer LANs is the
same as with your typical DSL router.


> I've been running Linux for over a decade. So far, I've never had
> anyone hack into anything here.

How would *you* know? ;-)

> I use Lastpass to handle my passwords
> and use a pretty secure master password. I just try to do the things I
> can to make it at least difficult. If someone wants to go to the
> trouble to break in to find out that I'm subscribed on a bunch of Linux
> mailing lists, well, they deserve what they get. ROFL
>
> Thanks.
>
> Dale
>
> :-) :-)

-- 
Regards,
Mick
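Mick's point above, that a well-configured host should refuse RC4 and not let a connection be degraded to weaker suites, can be checked on your own box. The following is an added example and not code from this thread: it audits OpenSSL-style cipher suite names for RC4, other legacy algorithms and missing forward secrecy, and builds a Python ssl client context restricted to TLS 1.2+ with ECDHE/DHE AEAD suites. The marker list, the cipher string and the sample suite names are this example's own choices, not Gentoo or OpenSSL defaults.

```python
import ssl

# Markers in OpenSSL-style cipher-suite names that this audit refuses.
# RC4 and the lack of forward secrecy are the two points raised in the
# thread; the rest are other legacy algorithms (constructed list, an
# assumption of this example rather than any Gentoo or OpenSSL default).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH", "AECDH")


def has_forward_secrecy(name):
    """ECDHE/DHE suites and every TLS 1.3 suite (TLS_* names) use
    ephemeral key exchange; static RSA key exchange does not."""
    return name.upper().startswith(("ECDHE", "DHE", "TLS_"))


def audit_cipher_names(names):
    """Return {suite: [reasons]} for every suite a server or client
    should not offer; an empty dict means the list passed the audit."""
    findings = {}
    for name in names:
        reasons = [f"contains {m}" for m in WEAK_MARKERS if m in name.upper()]
        if not has_forward_secrecy(name):
            reasons.append("no forward secrecy (static RSA key exchange)")
        if reasons:
            findings[name] = reasons
    return findings


def hardened_client_context():
    """Client context that refuses RC4, anonymous and MD5 suites, anything
    below TLS 1.2, and any key exchange without forward secrecy."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # AEAD suites with ephemeral (EC)DH only; the string is this example's choice.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!MD5:!RC4")
    return ctx


def context_weak_ciphers(ctx):
    """Run the audit over the suites the context will actually negotiate."""
    return audit_cipher_names(c["name"] for c in ctx.get_ciphers())


if __name__ == "__main__":
    # Constructed sample: a bank-style legacy list next to the hardened context.
    legacy = ["RC4-SHA", "AES256-SHA", "DHE-RSA-AES256-SHA", "TLS_AES_128_GCM_SHA256"]
    for suite, why in audit_cipher_names(legacy).items():
        print(f"{suite}: {'; '.join(why)}")
    print("hardened context findings:", context_weak_ciphers(hardened_client_context()))
```

To audit a real server rather than a constructed list, feed it the suite names reported by `openssl s_client` or a TLS scanner of your choice.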