There's a lot of FUD out there and equally there is some truth. The NSA "we can decrypt everything" statement was really very vague, and can easily be done if you have a lot of taps (à la PRISM) and start doing MITM attacks to reduce the level of security to something that is crackable.

For 'compatibility' very many low-powered encryption schemes are supported, and it is these that are the issue.

If you are using IPsec tunnels with AES encryption you can happily ignore these.

If you are using MPLS networks you can almost guarantee your ISP, and therefore your network, is compromised.

The question really is: what do you define as security?

If someone was to hit you on the head with a hammer, how long until you willingly gave out your passwords? [1]

I agree with the lack of faith in certificate CAs, and I feel that the reason that warnings over SSL are so severe is to spoon-feed folks into the owned networks. I far more trust the way Mozilla do their web of trust [2], but equally am aware that trolls live in the crowds.

While SSH authorized_keys are more secure than passwords, I can't find (and am hoping someone can point me to) how to track failed logins as folks brute-force their way in. Yes, it's orders of magnitude more difficult, but then internet speed is now orders of magnitude faster, and OTP are looking more sensible every day [3] to me.

I used to use Windows Live Messenger and right near the end found that if you sent someone a web link to a file filled with /dev/random called passwords.zip, you would have some unknown IP connect and download it too. Who then is doing that? And I trust Skype and its peer-to-peer nonsense even less.

Who even knows you can TLS-encrypt SIP?

There are many ways of encrypting email, but this is not supported from one site to another; even TLS support is often lacking, and GPG-encrypting the contents means that some folks you send email to cannot read it. There is always a trade-off between usability and security.

I read on Slashdot that there is a question mark over SELinux because it came from the NSA [4], but this is nonsense, as it is a means of securing processes, not network connections. I find it difficult to believe that a backdoor in a locked cupboard in your house can somehow give access through the front door.

How far does trust need to be lost [5] before you start fabricating your own chips? The complexity involved in chip fabs is immense, and if bugs can slip through, what else can? [6]

Ultimately a multi-layer security approach is required, and security itself needs to be defined.

I like privacy, so I have net curtains; I don't have a 3-foot-thick titanium door with strengthened hinges.

If someone looks in my windows, I can see them, either through the window or on CCTV.

Security itself has to be defined so that risk can be managed.

So many people buy the biggest lock they can find and forget the hinges. Or leave the windows open.

Even then it doesn't help in terms of power failure or leaking water or gas mains exploding next door (i.e. the definition of security in the sense of safety).

To some, security means RAID; to others, security means offsite backup.

I like techniques such as port knocking [7] for reducing the size of the scan target.

If you have a cheap virtual server on each continent and put Asterisk on each one, linked by AES IPsec tunnels with a local SIP provider in each one, then you could probably hide your phone calls quite easily from snoops. Until they saw your bank statement and wondered what all these VPS providers and SIP accounts were for, and then the authorities, if they were tracking you, would go after those. Why would you do such a thing? Perhaps because you cannot trust the monopoly provider of a country to screen its equipment [8].

Even things like cookie tracking for advertising purposes: on the lighter side, what if your kids see the ads for the stuff you are buying them for Christmas? Surprise ruined? Where does it stop? It's one thing for Google to announce governments want your search history, and another for advertising companies to sell your profile and tracking; essentially ad companies are doing the government's snooping job for them.

Ultimately it's down to risk mitigation. Do you care if someone is snooping on your grocery list? No? Using cookie tracking? Yeah, profiling is bad. Wouldn't want to end up on a terrorist watchlist because of my amusement with the zombie apocalypse Listmania [9].

Encryption is important because you don't know what other folks in the internet cafe are doing [10].

But where do you draw the line?

If you go into a shop, do you worry that you are on CCTV?

OK, I'll stop ranting now. My main point is: always have multi-layered security, and think about what you are protecting and from whom.
[1] http://xkcd.com/538/
[2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
[3] http://blog.tremily.us/posts/OTP/
[4] http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards-what-are-the-odds
[5] http://cryptome.org/2013/07/intel-bed-nsa.htm
[6] http://www.tomshardware.com/reviews/intel-cpu-history,1986-5.html
[7] https://wiki.archlinux.org/index.php/Port_Knocking#Port_Knocking_with_iptables_only
[8] http://www.pcpro.co.uk/news/security/383125/government-admits-slip-ups-in-bt-huawei-deal
[9] http://www.amazon.co.uk/zombie-apocalypse-essentials/lm/R21TCKA47P0D4E/ref=cm_srch_res_rpli_alt_8
[10] http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep

On 09/09/2013 02:33 AM, Dale wrote:
> Someone found this and sent it to me.
>
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
>
> I'm not too concerned about the political aspect of this, but do have to
> wonder what this means when we use sites that are supposed to be secure
> and use HTTPS. From reading that, it seems that even URLs with HTTPS
> are not secure. Is it reasonable to expect that even connections
> between, say, me and my bank are not really secure?
>
> Also, it seems there are people that want to work on fixing this and
> leave out any Government workers. Given my understanding of this, that
> could be a very wise move. From that article, I gather that the tools
> used were compromised before they were even finished. Is there enough
> support, enough geeks and nerds basically, to do this sort of work
> independently? I suspect there are enough Linux geeks out there to
> handle this and then figure out how to make it work on other OSs. I use
> the words geek and nerd in a complimentary way. I consider myself a bit
> of a geek as well. :-D
>
> One of many reasons I use Linux is security. I always felt pretty
> secure, but if that article is accurate, then the OS really doesn't
> matter much when just reaching out and grabbing data between two puters
> over the internet. I may be secure at my keyboard, but once it hits the
> modem and leaves, it can be grabbed and read if they want to, even when
> using HTTPS. Right?
>
> This is not Gentoo specific, but as most know, Gentoo is all I use
> anyway. I don't know of any other place to ask that I subscribe to. I
> figure I would get a "no comment" out of the Government types. ROFL
> Plus, there are some folks on here that know a LOT about this sort of
> stuff too.
>
> Again, I don't want a lot of political stuff on this, but more of the
> technical side of: is that article accurate, can it be fixed, and can we
> be secure regardless of OS? It seems to me that when you break HTTPS,
> you've got it beat already.
>
> Am I right on this, wrong, or somewhere in the middle?
>
> Dale
>
> :-) :-)
>
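As an added example, not part of either message in the thread: the failed-login tracking asked about above can be done by parsing the lines sshd writes to the auth log via syslog and counting failures per source address in a sliding window. The log lines in the script are constructed for the example; the year (syslog timestamps carry none), the 10-minute window and the threshold of four failures are assumptions. One caveat a practitioner needs: with the default LogLevel, sshd logs a rejected key for a valid user as "Failed publickey for ..." only at LogLevel VERBOSE (or once the client is halfway to MaxAuthTries), so set `LogLevel VERBOSE` in sshd_config if you want every rejected key recorded; failures for non-existent users and all password failures are logged at the default level. fail2ban implements this same idea in production.

```python
"""Count failed SSH logins per source address from sshd auth-log lines.

Added example, not code from the original mail. Handles the three
forms a failed or aborted authentication takes in OpenSSH logs:
  - "Failed password for ..." / "Failed publickey for ..."
  - "Failed ... for invalid user ..."
  - "Connection closed by [authenticating user X] IP port N [preauth]"
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog format). 203.0.113.5 hammers the host with
# password guesses, one rejected key and a pre-auth disconnect;
# 198.51.100.7 is a legitimate user who fails once and then succeeds.
SAMPLE_LOG = """\
Sep  9 03:14:01 host sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 40210 ssh2
Sep  9 03:14:03 host sshd[2103]: Failed password for root from 203.0.113.5 port 40212 ssh2
Sep  9 03:14:05 host sshd[2105]: Failed publickey for root from 203.0.113.5 port 40214 ssh2: RSA SHA256:abc123
Sep  9 03:14:07 host sshd[2107]: Connection closed by authenticating user root 203.0.113.5 port 40216 [preauth]
Sep  9 03:14:09 host sshd[2109]: Failed password for invalid user oracle from 203.0.113.5 port 40218 ssh2
Sep  9 03:20:00 host sshd[2201]: Accepted publickey for alice from 198.51.100.7 port 51000 ssh2: RSA SHA256:def456
Sep  9 03:21:00 host sshd[2203]: Failed publickey for alice from 198.51.100.7 port 51002 ssh2: RSA SHA256:def456
"""

TIMESTAMP = r"(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d)"
PREFIX = TIMESTAMP + r" \S+ sshd\[\d+\]: "

# Explicit authentication failure (password or publickey, valid or invalid user).
FAILED = re.compile(
    PREFIX + r"Failed (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+) ssh2"
)
# Client gave up (or was cut off) before authenticating; a brute-forcer that
# only offers keys and gets nowhere often shows up only as this line.
PREAUTH_CLOSE = re.compile(
    PREFIX + r"Connection closed by (?:authenticating user (?P<user>\S+) )?"
    r"(?P<ip>\S+) port (?P<port>\d+) \[preauth\]"
)


def parse_failures(log_text, year=2013):
    """Return a list of (timestamp, ip, user, method) for every failed or
    aborted authentication attempt in log_text. `year` is assumed because
    syslog timestamps do not carry one."""
    events = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            method, user = m.group("method"), m.group("user")
        else:
            m = PREAUTH_CLOSE.search(line)
            if not m:
                continue  # accepted logins and unrelated lines are ignored
            method, user = "preauth-disconnect", m.group("user") or "?"
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip"), user, method))
    return events


def brute_force_sources(events, threshold=4, window=timedelta(minutes=10)):
    """Return {ip: peak_failures} for every source that produced at least
    `threshold` failures inside any `window`-long sliding interval.
    A single forgotten passphrase never trips it; a guessing loop does."""
    times_by_ip = defaultdict(list)
    for ts, ip, _user, _method in events:
        times_by_ip[ip].append(ts)

    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window's left edge until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for ts, ip, user, method in found:
        print(f"{ts:%b %d %H:%M:%S}  {ip:<15} {user:<8} {method}")
    for ip, peak in brute_force_sources(found).items():
        print(f"brute-force suspect: {ip} ({peak} failures in window)")
```

Feed it `/var/log/auth.log` (or `journalctl -u sshd` output, which uses the same message bodies) instead of the constructed sample, and pair the flagged addresses with an iptables drop or a fail2ban jail. Tune the threshold against your own users' habits: the point of the window is that a human mistyping a passphrase twice is not treated like a script cycling through a wordlist.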