On Mon, Sep 09, 2013 at 10:36:09AM +0100, thegeezer wrote:
> There's a lot of FUD out there and equally there is some truth. The NSA
> "we can decrypt everything" statement was really very vague, and can
> easily be done if you have a lot of taps (a la PRISM) and start doing
> MITM attacks to reduce the level of security to something that is
> crackable.
> For 'compatibility' very many low-powered encryption schemes are
> supported and it is these that are the issue.
> If you are using IPsec tunnels with AES encryption you can happily
> ignore these.
> If you are using MPLS networks you can almost guarantee your ISP and
> therefore your network is compromised.
> The question really is what do you define as security?
> If someone was to hit you on the head with a hammer, how long till you
> willingly gave out your passwords? [1]
> I agree with the lack of faith in certificate CAs and I feel that the
> reason that warnings over SSL are so severe is to spoon-feed folks into
> the owned networks. I far more trust the way Mozilla do their web of
> trust [2] but equally am aware that trolls live in the crowds.
> While SSH authorized_keys are more secure than passwords, I can't (and
> am hoping someone can point me to) find how to track failed logins as
> folks brute-force their way in. Yes it's orders of magnitude more
> difficult but then internet speed is now orders of magnitude faster, and
> OTP are looking more sensible every day [3] to me.
> I used to use Windows Live Messenger and right near the end found that
> if you send someone a web link to a file filled with /dev/random called
> passwords.zip you would have some unknown IP connect and download it too.
> Who then is doing that, and I trust Skype and its peer2peer nonsense
> even less.
> Who even knows you can TLS encrypt SIP?
> There are many ways of encrypting email but this is not supported from
> one site to another, even TLS support is often lacking, and GPGing the
> contents means that some folks you send email to cannot read it -- there
> is always a trade-off between usability and security.
> I read in Slashdot that there is a question mark over SELinux because it
> came from the NSA [4] but this is nonsense, as it is a means of securing
> processes not network connections. I find it difficult to believe that
> a backdoor in a locked cupboard in your house can somehow give access
> through the front door.
> How far does trust need to be lost [5] before you start fabricating your
> own chips? The complexity involved in chip fabs is immense and if
> bugs can slip through, what else can? [6]
> Ultimately a multi-layer security approach is required, and security
> itself needs to be defined.
> I like privacy so I have net curtains; I don't have a 3 foot thick
> titanium door with strengthened hinges.
> If someone looks in my windows, I can see them, either through the
> window or on CCTV.
> Security itself has to be defined so that risk can be managed.
> So many people buy the biggest lock they can find and forget the hinges,
> or leave the windows open.
> Even then it doesn't help in terms of power failure or leaking water or
> gas mains exploding next door (i.e. the definition of security in the
> sense of safety).
> To some security means RAID, to others security means offsite backup.
> I like techniques such as port knocking [7] for reducing the size of the
> scan target.
> If you have a cheap virtual server on each continent and put Asterisk on
> each one, linked by AES IPsec tunnels with a local SIP provider in each
> one, then you could probably hide your phone calls quite easily from
> snoops. Until they saw your bank statement and wondered what all these
> VPS providers and SIP accounts were for, and then the authorities, if
> they were tracking you, would go after those. Why would you do such a
> thing? Perhaps because you cannot trust the monopoly provider of a
> country to screen its equipment [8].
> Even things like cookie tracking for advertising purposes - on the
> lighter side, what if your kids see the ads for the stuff you are buying
> them for Christmas? Surprise ruined? Where does it stop - it's one
> thing for Google to announce governments want your search history, and
> another for advertising companies to sell your profile and tracking;
> essentially ad companies are doing the government's snooping job for them.
> Ultimately it's down to risk mitigation. Do you care if someone is
> snooping on your grocery list? No? Using cookie tracking? Yeah,
> profiling is bad - wouldn't want to end up on a terrorist watchlist
> because of my amusement with the zombie apocalypse listmania [9].
> Encryption is important because you don't know what other folks in the
> internet cafe are doing [10].
> But where do you draw the line?
> If you go into a shop do you worry that you are on CCTV?
>
> OK, I'll stop ranting now. My main point is always have multi-layered
> security - and think about what you are protecting and from whom.
>
> [1] http://xkcd.com/538/
> [2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
> [3] http://blog.tremily.us/posts/OTP/
> [4] http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards-what-are-the-odds
> [5] http://cryptome.org/2013/07/intel-bed-nsa.htm
> [6] http://www.tomshardware.com/reviews/intel-cpu-history,1986-5.html
> [7] https://wiki.archlinux.org/index.php/Port_Knocking#Port_Knocking_with_iptables_only
> [8] http://www.pcpro.co.uk/news/security/383125/government-admits-slip-ups-in-bt-huawei-deal
> [9] http://www.amazon.co.uk/zombie-apocalypse-essentials/lm/R21TCKA47P0D4E/ref=cm_srch_res_rpli_alt_8
> [10] http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep
>
>
> On 09/09/2013 02:33 AM, Dale wrote:
> > Someone found this and sent it to me.
> >
> > http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
> >
> >
> > I'm not too concerned about the political aspect of this but do have to
> > wonder what this means when we use sites that are supposed to be secure
> > and use HTTPS. From reading that, it seems that even URLs with HTTPS
> > are not secure. Is it reasonable to expect that even connections
> > between say me and my bank are not really secure?
> >
> > Also, it seems there are people that want to work on fixing this and
> > leave out any Government workers. Given my understanding of this, that
> > could be a very wise move. From that article, I gather that the tools
> > used were compromised before it was even finished. Is there enough
> > support, enough geeks and nerds basically, to do this sort of work
> > independently? I suspect there are enough Linux geeks out there to
> > handle this and then figure out how to make it work on other OSs. I use
> > the words geek and nerd in a complimentary way. I consider myself a bit
> > of a geek as well. :-D
> >
> > One of many reasons I use Linux is security. I always felt pretty
> > secure but if that article is accurate, then the OS really doesn't
> > matter much when just reaching out and grabbing data between two puters
> > over the internet. I may be secure at my keyboard but once it hits the
> > modem and leaves, it can be grabbed and read if they want to even when
> > using HTTPS. Right?
> >
> > This is not Gentoo specific but as most know, Gentoo is all I use
> > anyway. I don't know of any other place to ask that I subscribe to. I
> > figure I would get a "no comment" out of the Government types. ROFL
> > Plus, there are some folks on here that know a LOT about this sort of
> > stuff too.
> >
> > Again, I don't want a lot of political stuff on this but more of the
> > technical side of: is that article accurate, can it be fixed and can we
> > be secure regardless of OS. It seems to me that when you break HTTPS,
> > you got it beat already.
> >
> > Am I right on this, wrong or somewhere in the middle?
> >
> > Dale
> >
> > :-) :-)
> >
>

When a top-post is that long, did you read it before noticing?

Well, if you opened this email, "All ur base r belong to us!"
--
Happy Penguin Computers >')
126 Fenco Drive ( \
Tupelo, MS 38801 ^^
support@×××××××××××××××××××××.com
662-269-2706 662-205-6424
http://happypenguincomputers.com/

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting
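On the question raised in the quoted post of how to track failed key-based logins: what follows is an added example, not code from the thread and not part of OpenSSH. It parses the auth lines sshd writes and separates a legitimate client cycling through its agent's keys before one is accepted from a source that sprays keys or probes non-existent users. The log lines, hostnames, addresses (documentation ranges) and fingerprints are all constructed for the example. One caveat before running it against a real log: in OpenSSH's auth_log() a "Failed publickey" attempt for a valid user is logged at VERBOSE level, and only raised to INFO for invalid users or once the connection's failures reach MaxAuthTries/2, so with the default `LogLevel INFO` most individual key failures never reach the log; set `LogLevel VERBOSE` in sshd_config to see every attempt. Recent OpenSSH versions also append the key type and fingerprint to these lines; the parser treats that suffix as optional so older logs still parse.

```python
import re
from collections import defaultdict

# Auth lines of interest, as written by sshd (format per OpenSSH's auth_log()):
#   "Failed publickey for [invalid user ]USER from IP port N ssh2[: TYPE FINGERPRINT]"
#   "Accepted publickey for USER from IP port N ssh2[: TYPE FINGERPRINT]"
#   "Failed password for USER from IP port N ssh2"
#   "Invalid user USER from IP"
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
    r"(?:: (?P<keytype>\S+) (?P<fp>\S+))?"
)
INVALID_RE = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<ip>\S+)")

# Constructed sample log (not real traffic). 203.0.113.5 tries three keys
# against root and then a non-existent user; 198.51.100.7 is a normal client
# whose agent offers an old key before the right one; the last two lines show a
# password failure and an older-format line without a fingerprint.
SAMPLE_LOG = """\
Sep  9 10:36:01 gw sshd[2211]: Failed publickey for root from 203.0.113.5 port 40212 ssh2: RSA SHA256:k1k1k1k1
Sep  9 10:36:02 gw sshd[2211]: Failed publickey for root from 203.0.113.5 port 40212 ssh2: RSA SHA256:k2k2k2k2
Sep  9 10:36:03 gw sshd[2211]: Failed publickey for root from 203.0.113.5 port 40212 ssh2: DSA SHA256:k3k3k3k3
Sep  9 10:36:04 gw sshd[2219]: Invalid user admin from 203.0.113.5
Sep  9 10:36:04 gw sshd[2219]: Failed publickey for invalid user admin from 203.0.113.5 port 40220 ssh2: RSA SHA256:k1k1k1k1
Sep  9 10:36:10 gw sshd[2230]: Failed publickey for alice from 198.51.100.7 port 51022 ssh2: RSA SHA256:oldkey00
Sep  9 10:36:11 gw sshd[2230]: Accepted publickey for alice from 198.51.100.7 port 51022 ssh2: RSA SHA256:goodkey1
Sep  9 10:36:20 gw sshd[2240]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Sep  9 10:36:25 gw sshd[2245]: Failed publickey for root from 192.0.2.77 port 4444 ssh2
"""


def parse_sshd_log(text):
    """Return one dict per recognised auth event; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            ev = m.groupdict()
            ev["invalid"] = " for invalid user " in line
            events.append(ev)
            continue
        m = INVALID_RE.search(line)
        if m:
            events.append({"result": "Invalid", "method": None, "user": m.group("user"),
                           "ip": m.group("ip"), "keytype": None, "fp": None, "invalid": True})
    return events


def summarise(events):
    """Aggregate per source IP: failed key attempts, distinct keys offered,
    other failures, accepted logins, and user names that do not exist."""
    per_ip = defaultdict(lambda: {"failed_pubkey": 0, "failed_other": 0, "accepted": 0,
                                  "fingerprints": set(), "users": set(), "invalid_users": set()})
    for ev in events:
        s = per_ip[ev["ip"]]
        s["users"].add(ev["user"])
        if ev["invalid"]:
            s["invalid_users"].add(ev["user"])
        if ev["result"] == "Accepted":
            s["accepted"] += 1
        elif ev["result"] == "Failed":
            if ev["method"] == "publickey":
                s["failed_pubkey"] += 1
                if ev["fp"]:
                    s["fingerprints"].add(ev["fp"])
            else:
                s["failed_other"] += 1
    return dict(per_ip)


def suspicious_sources(summary, max_failed=3):
    """IPs that look like key brute-forcing: repeated key failures with no
    accepted login, or any attempt against a user that does not exist.
    A client that fails on a few agent keys and then succeeds is not flagged."""
    flagged = []
    for ip, s in summary.items():
        key_spray = s["failed_pubkey"] >= max_failed and s["accepted"] == 0
        if key_spray or s["invalid_users"]:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarise(parse_sshd_log(SAMPLE_LOG))
    for ip in suspicious_sources(summary):
        s = summary[ip]
        print(f"{ip}: {s['failed_pubkey']} failed key attempts, "
              f"{len(s['fingerprints'])} distinct keys, "
              f"invalid users {sorted(s['invalid_users'])}")
```

Feed it `/var/log/auth.log` (or `journalctl -u sshd` output) instead of SAMPLE_LOG and the same rules apply; the threshold is deliberately higher than the number of keys a normal agent offers, and the "accepted" check keeps a user with several keys in ssh-agent from being flagged.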