| 1 |
On Mon, Sep 09, 2013 at 10:36:09AM +0100, thegeezer wrote: |
| 2 |
> There's a lot FUD out there and equally there is some truth. the NSA |
| 3 |
> "we can decrypt everything" statement was really very vague, and can |
| 4 |
> easily be done if you have a lot of taps (ala PRISM) and start doing |
| 5 |
> mitm attacks to reduce the level of security to something that is |
| 6 |
> crackable. |
| 7 |
> for 'compatibility' very many low powered encryption schemes are |
| 8 |
> supported and it is these that are the issue. |
| 9 |
> if you are using ipsec tunnels with aes encryption you can happily |
| 10 |
> ignore these. |
| 11 |
> if you are using mpls networks you can almost guarantee your isp and |
| 12 |
> therefore your network is compromised. |
| 13 |
> the question really is what do you define as security ? |
| 14 |
> if someone was to hit you on the head with a hammer, how long til you |
| 15 |
> willingly gave out your passwords ? [1] |
| 16 |
> I agree with the lack of faith in certificate CA's and i feel that the |
| 17 |
> reason that warnings over ssl are so severe is to spoon feed folks into |
| 18 |
> the owned networks. I far more trust the way mozilla do their web of |
| 19 |
> trust [2] but equally am aware that trolls live in the crowds. |
| 20 |
> while ssh authorized_keys are more secure than passwords, i can't (and |
| 21 |
> am hoping someone can point me to) find how to track failed logins as |
| 22 |
> folks bruteforce their way in. yes it's orders of magnitude more |
| 23 |
> difficult but then internet speed is now orders of magnitude faster, and |
| 24 |
> OTP are looking more sensible every day [3] to me. |
| 25 |
> i used to use windows live messenger and right near the end found that |
| 26 |
> if you send someone a web link to a file filled with /dev/random called |
| 27 |
> passwords.zip you would have some unknown ip connect and download it too. |
| 28 |
> who then is doing that and i trust skype and it's peer2peer nonsense |
| 29 |
> even less. |
| 30 |
> who even knows you can TLS encrypt SIP ? |
| 31 |
> there are many ways of encrypting email but this is not supported from |
| 32 |
> one site to another, even TLS support is often lacking, and GPG the |
| 33 |
> contents means that some folks you send email to cannot read it -- there |
| 34 |
> is always a trade off between usability and security. |
| 35 |
> i read in slashdot that there is a question mark over SELinux because it |
| 36 |
> came from the NSA [4] but this is nonsense, as it is a means of securing |
| 37 |
> processes not network connections. i find it difficult to believe that |
| 38 |
> a backdoor in a locked cupboard in your house can somehow give access |
| 39 |
> through the front door. |
| 40 |
> how far does trust need to be lost [5] before you start fabricating your |
| 41 |
> own chips ? the complexity involved in chip fabs is immense and if |
| 42 |
> bugs can slip through, what else can [6] |
| 43 |
> ultimately a multi layer security approach is required, and security |
| 44 |
> itself needs to be defined. |
| 45 |
> i like privacy so i have net curtains, i don't have a 3 foot thick |
| 46 |
> titanium door with strengthened hinges. |
| 47 |
> if someone looks in my windows, i can see them. either through the |
| 48 |
> window or on cctv. |
| 49 |
> security itself has to be defined so that risk can be managed. |
| 50 |
> so many people buy the biggest lock they can find and forget the hinges. |
| 51 |
> or leave the windows open. |
| 52 |
> even then it doesn't help in terms of power failure or leaking water or |
| 53 |
> gas mains exploding next door (i.e. the definition of security in the |
| 54 |
> sense of safety) |
| 55 |
> to some security means RAID, to others security means offsite backup |
| 56 |
> i like techniques such as port knocking [7] for reducing the size of the |
| 57 |
> scan target |
| 58 |
> if you have a cheap virtual server on each continent and put asterisk on |
| 59 |
> each one; linked by aes ipsec tunnels with a local sip provider in each |
| 60 |
> one then you could probably hide your phone calls quite easily from |
| 61 |
> snoops. until they saw your bank statement and wondered what all these |
| 62 |
> VPS providers and SIP accounts were for, and then the authorities if |
| 63 |
> they were tracking you would go after those. why would you do such a |
| 64 |
> thing? perhaps because you cannot trust the monopoly provider of a |
| 65 |
> country to screen its equipment [8] |
| 66 |
> even things like cookie tracking for advertising purposes - on the |
| 67 |
> lighter side what if your kids see the ads for the stuff you are buying |
| 68 |
> them for christmas ? surprise ruined? where does it stop - its one |
| 69 |
> thing for google to announce governments want your search history, and |
| 70 |
> another for advertising companies to sell your profile and tracking, |
| 71 |
> essentially ad companies are doing the governments snooping job for them. |
| 72 |
> ultimately it's down to risk mitigation. do you care if someone is |
| 73 |
> snooping on your grocery list? no? using cookie tracking ? yeah |
| 74 |
> profiling is bad - wouldn't want to end up on a terrorist watchlist |
| 75 |
> because of my amusement with the zombie apocalypse listmania [9] |
| 76 |
> encryption is important because you don't know what other folks in the |
| 77 |
> internet cafe are doing [10] |
| 78 |
> but where do you draw the line ? |
| 79 |
> if you go into a shop do you worry that you are on cctv ? |
| 80 |
> |
| 81 |
> ok i'll stop ranting now, my main point is always have multi layered |
| 82 |
> security - and think about what you are protecting and from whom |
| 83 |
> |
| 84 |
> [1] http://xkcd.com/538/ |
| 85 |
> [2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/ |
| 86 |
> [3] http://blog.tremily.us/posts/OTP/ |
| 87 |
> [4] |
| 88 |
> http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards-what-are-the-odds |
| 89 |
> [5] http://cryptome.org/2013/07/intel-bed-nsa.htm |
| 90 |
> [6] http://www.tomshardware.com/reviews/intel-cpu-history,1986-5.html |
| 91 |
> [7] |
| 92 |
> https://wiki.archlinux.org/index.php/Port_Knocking#Port_Knocking_with_iptables_only |
| 93 |
> [8] |
| 94 |
> http://www.pcpro.co.uk/news/security/383125/government-admits-slip-ups-in-bt-huawei-deal |
| 95 |
> [9] |
| 96 |
> http://www.amazon.co.uk/zombie-apocalypse-essentials/lm/R21TCKA47P0D4E/ref=cm_srch_res_rpli_alt_8 |
| 97 |
> [10] |
| 98 |
> http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep |
| 99 |
> |
| 100 |
> |
| 101 |
> On 09/09/2013 02:33 AM, Dale wrote: |
| 102 |
> > Someone found this and sent it to me. |
| 103 |
> > |
| 104 |
> > http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html |
| 105 |
> > |
| 106 |
> > |
| 107 |
> > I'm not to concerned about the political aspect of this but do have to |
| 108 |
> > wonder what this means when we use sites that are supposed to be secure |
| 109 |
> > and use HTTPS. From reading that, it seems that even URLs with HTTPS |
| 110 |
> > are not secure. Is it reasonable to expect that even connections |
| 111 |
> > between say me and my bank are not really secure? |
| 112 |
> > |
| 113 |
> > Also, it seems there are people that want to work on fixing this and |
| 114 |
> > leave out any Government workers. Given my understanding of this, that |
| 115 |
> > could be a very wise move. From that article, I gather that the tools |
| 116 |
> > used were compromised before it was even finished. Is there enough |
| 117 |
> > support, enough geeks and nerds basically, to do this sort of work |
| 118 |
> > independently? I suspect there are enough Linux geeks out there to |
| 119 |
> > handle this and then figure out how to make it work on other OSs. I use |
| 120 |
> > the words geek and nerd in a complimentary way. I consider myself a bit |
| 121 |
> > of a geek as well. :-D |
| 122 |
> > |
| 123 |
> > One of many reasons I use Linux is security. I always felt pretty |
| 124 |
> > secure but if that article is accurate, then the OS really doesn't |
| 125 |
> > matter much when just reaching out and grabbing data between two puters |
| 126 |
> > over the internet. I may be secure at my keyboard but once it hits the |
| 127 |
> > modem and leaves, it can be grabbed and read if they want to even when |
| 128 |
> > using HTTPS. Right? |
| 129 |
> > |
| 130 |
> > This is not Gentoo specific but as most know, Gentoo is all I use |
| 131 |
> > anyway. I don't know of any other place to ask that I subscribe too. I |
| 132 |
> > figure I would get a "no comment" out of the Government types. ROFL |
| 133 |
> > Plus, there are some folks on here that know a LOT about this sort of |
| 134 |
> > stuff too. |
| 135 |
> > |
| 136 |
> > Again, I don't want a lot of political stuff on this but more of the |
| 137 |
> > technical side of, is that article accurate, can it be fixed and can we |
| 138 |
> > be secure regardless of OS. It seems to me that when you break HTTPS, |
| 139 |
> > you got it beat already. |
| 140 |
> > |
| 141 |
> > Am I right on this, wrong or somewhere in the middle? |
| 142 |
> > |
| 143 |
> > Dale |
| 144 |
> > |
| 145 |
> > :-) :-) |
| 146 |
> > |
| 147 |
> |
| 148 |
|
| 149 |
When a top-post is that long did you read it before noticing? |
| 150 |
|
| 151 |
Well, if you opened this email, "All ur base r belong to us!" |
| 152 |
-- |
| 153 |
Happy Penguin Computers >') |
| 154 |
126 Fenco Drive ( \ |
| 155 |
Tupelo, MS 38801 ^^ |
| 156 |
support@×××××××××××××××××××××.com |
| 157 |
662-269-2706 662-205-6424 |
| 158 |
http://happypenguincomputers.com/ |
| 159 |
|
| 160 |
A: Because it messes up the order in which people normally read text. |
| 161 |
Q: Why is top-posting such a bad thing? |
| 162 |
A: Top-posting. |
| 163 |
Q: What is the most annoying thing in e-mail? |
| 164 |
|
| 165 |
Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting |
Archives