From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Mon, 9 Sep 2013 06:08:52 -0500
From: Bruce Hill
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Internet security.
Message-ID: <20130909110852.GE22115@server>
References: <522D257C.5060902@gmail.com> <522D9689.6080309@thegeezer.net>
In-Reply-To: <522D9689.6080309@thegeezer.net>
List-Id: Gentoo Linux mail
Reply-to: gentoo-user@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
User-Agent: Mutt/1.5.21 (2010-09-15)

On Mon, Sep 09, 2013 at 10:36:09AM +0100,
thegeezer wrote:
> There's a lot of FUD out there and equally there is some truth. the NSA
> "we can decrypt everything" statement was really very vague, and can
> easily be done if you have a lot of taps (a la PRISM) and start doing
> mitm attacks to reduce the level of security to something that is
> crackable.
> for 'compatibility' very many low powered encryption schemes are
> supported and it is these that are the issue.
> if you are using ipsec tunnels with aes encryption you can happily
> ignore these.
> if you are using mpls networks you can almost guarantee your isp and
> therefore your network is compromised.
> the question really is what do you define as security ?
> if someone was to hit you on the head with a hammer, how long till you
> willingly gave out your passwords ? [1]
> I agree with the lack of faith in certificate CAs and i feel that the
> reason that warnings over ssl are so severe is to spoon feed folks into
> the owned networks. I far more trust the way mozilla do their web of
> trust [2] but equally am aware that trolls live in the crowds.
> while ssh authorized_keys are more secure than passwords, i can't (and
> am hoping someone can point me to) find how to track failed logins as
> folks bruteforce their way in. yes it's orders of magnitude more
> difficult but then internet speed is now orders of magnitude faster, and
> OTP are looking more sensible every day [3] to me.
> i used to use windows live messenger and right near the end found that
> if you send someone a web link to a file filled with /dev/random called
> passwords.zip you would have some unknown ip connect and download it too.
> who then is doing that and i trust skype and its peer2peer nonsense
> even less.
> who even knows you can TLS encrypt SIP ?
> there are many ways of encrypting email but this is not supported from
> one site to another, even TLS support is often lacking, and GPG the
> contents means that some folks you send email to cannot read it -- there
> is always a trade-off between usability and security.
> i read in slashdot that there is a question mark over SELinux because it
> came from the NSA [4] but this is nonsense, as it is a means of securing
> processes not network connections. i find it difficult to believe that
> a backdoor in a locked cupboard in your house can somehow give access
> through the front door.
> how far does trust need to be lost [5] before you start fabricating your
> own chips ? the complexity involved in chip fabs is immense and if
> bugs can slip through, what else can [6]
> ultimately a multi layer security approach is required, and security
> itself needs to be defined.
> i like privacy so i have net curtains, i don't have a 3 foot thick
> titanium door with strengthened hinges.
> if someone looks in my windows, i can see them. either through the
> window or on cctv.
> security itself has to be defined so that risk can be managed.
> so many people buy the biggest lock they can find and forget the hinges.
> or leave the windows open.
> even then it doesn't help in terms of power failure or leaking water or
> gas mains exploding next door (i.e. the definition of security in the
> sense of safety)
> to some security means RAID, to others security means offsite backup
> i like techniques such as port knocking [7] for reducing the size of the
> scan target
> if you have a cheap virtual server on each continent and put asterisk on
> each one; linked by aes ipsec tunnels with a local sip provider in each
> one then you could probably hide your phone calls quite easily from
> snoops. until they saw your bank statement and wondered what all these
> VPS providers and SIP accounts were for, and then the authorities if
> they were tracking you would go after those. why would you do such a
> thing? perhaps because you cannot trust the monopoly provider of a
> country to screen its equipment [8]
> even things like cookie tracking for advertising purposes - on the
> lighter side what if your kids see the ads for the stuff you are buying
> them for christmas ? surprise ruined? where does it stop - it's one
> thing for google to announce governments want your search history, and
> another for advertising companies to sell your profile and tracking,
> essentially ad companies are doing the government's snooping job for them.
> ultimately it's down to risk mitigation. do you care if someone is
> snooping on your grocery list? no? using cookie tracking ? yeah
> profiling is bad - wouldn't want to end up on a terrorist watchlist
> because of my amusement with the zombie apocalypse listmania [9]
> encryption is important because you don't know what other folks in the
> internet cafe are doing [10]
> but where do you draw the line ?
> if you go into a shop do you worry that you are on cctv ?
>
> ok i'll stop ranting now, my main point is always have multi layered
> security - and think about what you are protecting and from whom
>
> [1] http://xkcd.com/538/
> [2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
> [3] http://blog.tremily.us/posts/OTP/
> [4] http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards-what-are-the-odds
> [5] http://cryptome.org/2013/07/intel-bed-nsa.htm
> [6] http://www.tomshardware.com/reviews/intel-cpu-history,1986-5.html
> [7] https://wiki.archlinux.org/index.php/Port_Knocking#Port_Knocking_with_iptables_only
> [8] http://www.pcpro.co.uk/news/security/383125/government-admits-slip-ups-in-bt-huawei-deal
> [9] http://www.amazon.co.uk/zombie-apocalypse-essentials/lm/R21TCKA47P0D4E/ref=cm_srch_res_rpli_alt_8
> [10] http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep
>
>
> On 09/09/2013 02:33 AM, Dale wrote:
> > Someone found this and sent it to me.
> >
> > http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
> >
> >
> > I'm not too concerned about the political aspect of this but do have to
> > wonder what this means when we use sites that are supposed to be secure
> > and use HTTPS. From reading that, it seems that even URLs with HTTPS
> > are not secure. Is it reasonable to expect that even connections
> > between say me and my bank are not really secure?
> >
> > Also, it seems there are people that want to work on fixing this and
> > leave out any Government workers. Given my understanding of this, that
> > could be a very wise move. From that article, I gather that the tools
> > used were compromised before it was even finished. Is there enough
> > support, enough geeks and nerds basically, to do this sort of work
> > independently? I suspect there are enough Linux geeks out there to
> > handle this and then figure out how to make it work on other OSs. I use
> > the words geek and nerd in a complimentary way. I consider myself a bit
> > of a geek as well. :-D
> >
> > One of many reasons I use Linux is security. I always felt pretty
> > secure but if that article is accurate, then the OS really doesn't
> > matter much when just reaching out and grabbing data between two puters
> > over the internet. I may be secure at my keyboard but once it hits the
> > modem and leaves, it can be grabbed and read if they want to even when
> > using HTTPS. Right?
> >
> > This is not Gentoo specific but as most know, Gentoo is all I use
> > anyway. I don't know of any other place to ask that I subscribe to. I
> > figure I would get a "no comment" out of the Government types. ROFL
> > Plus, there are some folks on here that know a LOT about this sort of
> > stuff too.
> >
> > Again, I don't want a lot of political stuff on this but more of the
> > technical side of, is that article accurate, can it be fixed and can we
> > be secure regardless of OS. It seems to me that when you break HTTPS,
> > you got it beat already.
> >
> > Am I right on this, wrong or somewhere in the middle?
> >
> > Dale
> >
> > :-) :-)
> >
>

When a top-post is that long, did you read it before noticing?

Well, if you opened this email, "All ur base r belong to us!"

--
Happy Penguin Computers               >')
126 Fenco Drive                       ( \
Tupelo, MS 38801                       ^^
support@happypenguincomputers.com
662-269-2706 662-205-6424
http://happypenguincomputers.com/

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting
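On the question quoted above about tracking failed logins once only key authentication is allowed: sshd still logs every refused attempt, whatever the method, so the auth log can be aggregated per source address. Added example (not from the thread); the log lines are constructed in OpenSSH's message format, and the 203.0.113.x / 198.51.100.x addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of sshd auth.log lines (not real traffic). Note that
# with password auth disabled, attempts still show up as "Failed publickey"
# or "Connection closed by authenticating/invalid user ... [preauth]".
SAMPLE_AUTH_LOG = """\
Sep  9 06:01:02 server sshd[22115]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep  9 06:01:05 server sshd[22116]: Invalid user admin from 203.0.113.7 port 51240
Sep  9 06:01:05 server sshd[22116]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Sep  9 06:01:09 server sshd[22117]: Failed publickey for bruce from 203.0.113.7 port 51250 ssh2: RSA SHA256:AAAA
Sep  9 06:02:00 server sshd[22118]: Accepted publickey for bruce from 198.51.100.4 port 40001 ssh2: RSA SHA256:BBBB
Sep  9 06:02:30 server sshd[22119]: Connection closed by authenticating user root 203.0.113.7 port 51260 [preauth]
Sep  9 06:03:00 server sshd[22120]: Failed password for bruce from 198.51.100.9 port 40100 ssh2
"""

# One attempt = one "Failed <method> for ..." line or one aborted preauth
# connection. "Invalid user" lines are deliberately not counted, because
# the matching "Failed ... for invalid user" line already covers them.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: (?:"
    r"Failed \w+ for (?:invalid user )?(?P<user>\S+) from"
    r"|Connection closed by (?:authenticating|invalid) user (?P<cuser>\S+)"
    r") (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def failed_attempts(log_text):
    """Map source IP -> Counter of usernames tried and refused."""
    attempts = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts[m.group("ip")][m.group("user") or m.group("cuser")] += 1
    return attempts


def brute_force_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` refused attempts, busiest first."""
    totals = {ip: sum(c.values()) for ip, c in failed_attempts(log_text).items()}
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [ip for ip, n in ranked if n >= threshold]


if __name__ == "__main__":
    for ip, users in failed_attempts(SAMPLE_AUTH_LOG).items():
        print(ip, dict(users))
    print("likely brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
```

On a live box, feed it the contents of /var/log/auth.log (or the journal) instead of the constructed sample; the per-IP counts are also what tools like fail2ban act on.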