From: Hinnerk van Bruinehsen <h.v.bruinehsen@fu-berlin.de>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Internet security.
Date: Mon, 9 Sep 2013 16:28:23 +0200
Message-ID: <20130909142822.GA12070@bifrost.fritz.box>
In-Reply-To: <522D9689.6080309@thegeezer.net>
On Mon, Sep 09, 2013 at 10:36:09AM +0100, thegeezer wrote:
> There's a lot of FUD out there and equally there is some truth. the NSA "we can
> decrypt everything" statement was really very vague, and can easily be done if
> you have a lot of taps (ala PRISM) and start doing mitm attacks to reduce the
> level of security to something that is crackable.
> for 'compatibility' very many low powered encryption schemes are supported and
> it is these that are the issue.

I think you're right because it'll be much easier to read the data at one
endpoint than to decrypt everything. If big corporations like Google or Cisco
can be forced to cooperate (and they can - that much is fact), it'd be the
likelier way to get your data.

On the other hand e.g. Bruce Schneier warns of ECC because the NSA promoted it
intensively. So there may be some secret that helps to decrypt it in the hands
of the NSA (possibly something about the NIST curve definitions that reduce the
effective keylength).

> if you are using ipsec tunnels with aes encryption you can happily ignore
> these.

This would be true if you have a secure endpoint. And I think that nowadays
nothing is secure...

> if you are using mpls networks you can almost guarantee your isp and therefore
> your network is compromised.
> the question really is what do you define as security ?
> if someone was to hit you on the head with a hammer, how long til you willingly
> gave out your passwords ? [1]
> I agree with the lack of faith in certificate CA's and i feel that the reason
> that warnings over ssl are so severe is to spoon feed folks into the owned
> networks. I far more trust the way mozilla do their web of trust [2] but
> equally am aware that trolls live in the crowds.
> while ssh authorized_keys are more secure than passwords, i can't (and am
> hoping someone can point me to) find how to track failed logins as folks
> bruteforce their way in. yes it's orders of magnitude more difficult but then
> internet speed is now orders of magnitude faster, and OTP are looking more
> sensible every day [3] to me.
> i used to use windows live messenger and right near the end found that if you
> send someone a web link to a file filled with /dev/random called passwords.zip
> you would have some unknown ip connect and download it too.
> who then is doing that and i trust skype and its peer2peer nonsense even less.
> who even knows you can TLS encrypt SIP ?
> there are many ways of encrypting email but this is not supported from one site
> to another, even TLS support is often lacking, and GPG the contents means that
> some folks you send email to cannot read it -- there is always a trade off
> between usability and security.
> i read in slashdot that there is a question mark over SELinux because it came
> from the NSA [4] but this is nonsense, as it is a means of securing processes
> not network connections. i find it difficult to believe that a backdoor in a
> locked cupboard in your house can somehow give access through the front door.

This point you get wrong. SELinux implements the LSM API (in fact the LSM API
was tailored to SELinux's needs). It has hooks in nearly everything
(file/directory access, process access and also sockets). One of the biggest
concerns at the time of creation of the LSM API was rootkits hooking those
functions. It's definitely a threat. I'm not saying that SELinux contains
a backdoor (I for myself would have hidden it in the LSM part, not in SELinux
because that would enable me to use it even if other LSMs are used). If you
google for "underhanded C contest" you'll see that it's possible to hide
malicious behaviour in plain sight. And if the kernel is compromised all other
defenses mean nothing. (As I said, I don't want to spread fear, but that is
something to consider imho).

> how far does trust need to be lost [5] before you start fabricating your own
> chips ? the complexity involved in chip fabs is immense and if bugs can slip
> through, what else can [6]
> ultimately a multi layer security approach is required, and security itself
> needs to be defined.

You need an anchor from which you can establish trust. If there is a hardware
backdoor you'll not be able to fix that problem with software. There is an
excellent paper from Ken Thompson called "Reflections on trusting trust" that
theorizes about the possibility of a trojanized compiler that injects malicious
code and therefore makes code audits pointless. Security sadly is hard..

> i like privacy so i have net curtains, i don't have a 3 foot thick titanium
> door with strengthened hinges.
> if someone looks in my windows, i can see them. either through the window or on
> cctv.
> security itself has to be defined so that risk can be managed.
> so many people buy the biggest lock they can find and forget the hinges. or
> leave the windows open.
> even then it doesn't help in terms of power failure or leaking water or gas
> mains exploding next door (i.e. the definition of security in the sense of
> safety)
> to some security means RAID, to others security means offsite backup
> i like techniques such as port knocking [7] for reducing the size of the scan
> target
> if you have a cheap virtual server on each continent and put asterisk on each
> one; linked by aes ipsec tunnels with a local sip provider in each one then you
> could probably hide your phone calls quite easily from snoops. until they saw
> your bank statement and wondered what all these VPS providers and SIP accounts
> were for, and then the authorities if they were tracking you would go after
> those. why would you do such a thing? perhaps because you cannot trust the
> monopoly provider of a country to screen its equipment [8]
> even things like cookie tracking for advertising purposes - on the lighter side
> what if your kids see the ads for the stuff you are buying them for christmas ?
> surprise ruined? where does it stop - it's one thing for google to announce
> governments want your search history, and another for advertising companies to
> sell your profile and tracking, essentially ad companies are doing the
> government's snooping job for them.
> ultimately it's down to risk mitigation. do you care if someone is snooping on
> your grocery list? no? using cookie tracking ? yeah profiling is bad -
> wouldn't want to end up on a terrorist watchlist because of my amusement with
> the zombie apocalypse listmania [9]
> encryption is important because you don't know what other folks in the internet
> cafe are doing [10]
> but where do you draw the line ?
> if you go into a shop do you worry that you are on cctv ?
> <SNIP>
Hi,
you'll find my answers inline due to the length of this mail...
I think in the long term the only way to get security is to control the
agencies. Unless that happens there is not much chance to get reasonable
security...
WKR
Hinnerk