| 1 |
There's a lot FUD out there and equally there is some truth. the NSA |
| 2 |
"we can decrypt everything" statement was really very vague, and can |
| 3 |
easily be done if you have a lot of taps (ala PRISM) and start doing |
| 4 |
mitm attacks to reduce the level of security to something that is |
| 5 |
crackable. |
| 6 |
for 'compatibility' very many low powered encryption schemes are |
| 7 |
supported and it is these that are the issue. |
| 8 |
if you are using ipsec tunnels with aes encryption you can happily |
| 9 |
ignore these. |
| 10 |
if you are using mpls networks you can almost guarantee your isp and |
| 11 |
therefore your network is compromised. |
| 12 |
the question really is what do you define as security ? |
| 13 |
if someone was to hit you on the head with a hammer, how long til you |
| 14 |
willingly gave out your passwords ? [1] |
| 15 |
I agree with the lack of faith in certificate CA's and i feel that the |
| 16 |
reason that warnings over ssl are so severe is to spoon feed folks into |
| 17 |
the owned networks. I far more trust the way mozilla do their web of |
| 18 |
trust [2] but equally am aware that trolls live in the crowds. |
| 19 |
while ssh authorized_keys are more secure than passwords, i can't (and |
| 20 |
am hoping someone can point me to) find how to track failed logins as |
| 21 |
folks bruteforce their way in. yes it's orders of magnitude more |
| 22 |
difficult but then internet speed is now orders of magnitude faster, and |
| 23 |
OTP are looking more sensible every day [3] to me. |
| 24 |
i used to use windows live messenger and right near the end found that |
| 25 |
if you send someone a web link to a file filled with /dev/random called |
| 26 |
passwords.zip you would have some unknown ip connect and download it too. |
| 27 |
who then is doing that and i trust skype and it's peer2peer nonsense |
| 28 |
even less. |
| 29 |
who even knows you can TLS encrypt SIP ? |
| 30 |
there are many ways of encrypting email but this is not supported from |
| 31 |
one site to another, even TLS support is often lacking, and GPG the |
| 32 |
contents means that some folks you send email to cannot read it -- there |
| 33 |
is always a trade off between usability and security. |
| 34 |
i read in slashdot that there is a question mark over SELinux because it |
| 35 |
came from the NSA [4] but this is nonsense, as it is a means of securing |
| 36 |
processes not network connections. i find it difficult to believe that |
| 37 |
a backdoor in a locked cupboard in your house can somehow give access |
| 38 |
through the front door. |
| 39 |
how far does trust need to be lost [5] before you start fabricating your |
| 40 |
own chips ? the complexity involved in chip fabs is immense and if |
| 41 |
bugs can slip through, what else can [6] |
| 42 |
ultimately a multi layer security approach is required, and security |
| 43 |
itself needs to be defined. |
| 44 |
i like privacy so i have net curtains, i don't have a 3 foot thick |
| 45 |
titanium door with strengthened hinges. |
| 46 |
if someone looks in my windows, i can see them. either through the |
| 47 |
window or on cctv. |
| 48 |
security itself has to be defined so that risk can be managed. |
| 49 |
so many people buy the biggest lock they can find and forget the hinges. |
| 50 |
or leave the windows open. |
| 51 |
even then it doesn't help in terms of power failure or leaking water or |
| 52 |
gas mains exploding next door (i.e. the definition of security in the |
| 53 |
sense of safety) |
| 54 |
to some security means RAID, to others security means offsite backup |
| 55 |
i like techniques such as port knocking [7] for reducing the size of the |
| 56 |
scan target |
| 57 |
if you have a cheap virtual server on each continent and put asterisk on |
| 58 |
each one; linked by aes ipsec tunnels with a local sip provider in each |
| 59 |
one then you could probably hide your phone calls quite easily from |
| 60 |
snoops. until they saw your bank statement and wondered what all these |
| 61 |
VPS providers and SIP accounts were for, and then the authorities if |
| 62 |
they were tracking you would go after those. why would you do such a |
| 63 |
thing? perhaps because you cannot trust the monopoly provider of a |
| 64 |
country to screen its equipment [8] |
| 65 |
even things like cookie tracking for advertising purposes - on the |
| 66 |
lighter side what if your kids see the ads for the stuff you are buying |
| 67 |
them for christmas ? surprise ruined? where does it stop - its one |
| 68 |
thing for google to announce governments want your search history, and |
| 69 |
another for advertising companies to sell your profile and tracking, |
| 70 |
essentially ad companies are doing the governments snooping job for them. |
| 71 |
ultimately it's down to risk mitigation. do you care if someone is |
| 72 |
snooping on your grocery list? no? using cookie tracking ? yeah |
| 73 |
profiling is bad - wouldn't want to end up on a terrorist watchlist |
| 74 |
because of my amusement with the zombie apocalypse listmania [9] |
| 75 |
encryption is important because you don't know what other folks in the |
| 76 |
internet cafe are doing [10] |
| 77 |
but where do you draw the line ? |
| 78 |
if you go into a shop do you worry that you are on cctv ? |
| 79 |
|
| 80 |
ok i'll stop ranting now, my main point is always have multi layered |
| 81 |
security - and think about what you are protecting and from whom |
| 82 |
|
| 83 |
[1] http://xkcd.com/538/ |
| 84 |
[2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/ |
| 85 |
[3] http://blog.tremily.us/posts/OTP/ |
| 86 |
[4] |
| 87 |
http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards-what-are-the-odds |
| 88 |
[5] http://cryptome.org/2013/07/intel-bed-nsa.htm |
| 89 |
[6] http://www.tomshardware.com/reviews/intel-cpu-history,1986-5.html |
| 90 |
[7] |
| 91 |
https://wiki.archlinux.org/index.php/Port_Knocking#Port_Knocking_with_iptables_only |
| 92 |
[8] |
| 93 |
http://www.pcpro.co.uk/news/security/383125/government-admits-slip-ups-in-bt-huawei-deal |
| 94 |
[9] |
| 95 |
http://www.amazon.co.uk/zombie-apocalypse-essentials/lm/R21TCKA47P0D4E/ref=cm_srch_res_rpli_alt_8 |
| 96 |
[10] |
| 97 |
http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep |
| 98 |
|
| 99 |
|
| 100 |
On 09/09/2013 02:33 AM, Dale wrote: |
| 101 |
> Someone found this and sent it to me. |
| 102 |
> |
| 103 |
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html |
| 104 |
> |
| 105 |
> |
| 106 |
> I'm not to concerned about the political aspect of this but do have to |
| 107 |
> wonder what this means when we use sites that are supposed to be secure |
| 108 |
> and use HTTPS. From reading that, it seems that even URLs with HTTPS |
| 109 |
> are not secure. Is it reasonable to expect that even connections |
| 110 |
> between say me and my bank are not really secure? |
| 111 |
> |
| 112 |
> Also, it seems there are people that want to work on fixing this and |
| 113 |
> leave out any Government workers. Given my understanding of this, that |
| 114 |
> could be a very wise move. From that article, I gather that the tools |
| 115 |
> used were compromised before it was even finished. Is there enough |
| 116 |
> support, enough geeks and nerds basically, to do this sort of work |
| 117 |
> independently? I suspect there are enough Linux geeks out there to |
| 118 |
> handle this and then figure out how to make it work on other OSs. I use |
| 119 |
> the words geek and nerd in a complimentary way. I consider myself a bit |
| 120 |
> of a geek as well. :-D |
| 121 |
> |
| 122 |
> One of many reasons I use Linux is security. I always felt pretty |
| 123 |
> secure but if that article is accurate, then the OS really doesn't |
| 124 |
> matter much when just reaching out and grabbing data between two puters |
| 125 |
> over the internet. I may be secure at my keyboard but once it hits the |
| 126 |
> modem and leaves, it can be grabbed and read if they want to even when |
| 127 |
> using HTTPS. Right? |
| 128 |
> |
| 129 |
> This is not Gentoo specific but as most know, Gentoo is all I use |
| 130 |
> anyway. I don't know of any other place to ask that I subscribe too. I |
| 131 |
> figure I would get a "no comment" out of the Government types. ROFL |
| 132 |
> Plus, there are some folks on here that know a LOT about this sort of |
| 133 |
> stuff too. |
| 134 |
> |
| 135 |
> Again, I don't want a lot of political stuff on this but more of the |
| 136 |
> technical side of, is that article accurate, can it be fixed and can we |
| 137 |
> be secure regardless of OS. It seems to me that when you break HTTPS, |
| 138 |
> you got it beat already. |
| 139 |
> |
| 140 |
> Am I right on this, wrong or somewhere in the middle? |
| 141 |
> |
| 142 |
> Dale |
| 143 |
> |
| 144 |
> :-) :-) |
| 145 |
> |
Archives