From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 5D1BE1381F3 for ; Mon, 9 Sep 2013 09:36:24 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id B31EAE0A92; Mon, 9 Sep 2013 09:36:17 +0000 (UTC) Received: from uberouter3.guranga.net (unknown [78.25.223.226]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 6EBFBE0A10 for ; Mon, 9 Sep 2013 09:36:16 +0000 (UTC) Received: from [192.168.151.100] (unknown [192.168.151.100]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by uberouter3.guranga.net (Postfix) with ESMTPSA id C8D0E82337 for ; Mon, 9 Sep 2013 10:36:14 +0100 (BST) Message-ID: <522D9689.6080309@thegeezer.net> Date: Mon, 09 Sep 2013 10:36:09 +0100 From: thegeezer User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20130804 Thunderbird/17.0.8 Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-user@lists.gentoo.org Reply-to: gentoo-user@lists.gentoo.org MIME-Version: 1.0 To: gentoo-user@lists.gentoo.org Subject: Re: [gentoo-user] Internet security. References: <522D257C.5060902@gmail.com> In-Reply-To: <522D257C.5060902@gmail.com> Content-Type: multipart/alternative; boundary="------------090706060100050501020509" X-Archives-Salt: 66f3a048-e74c-4925-9dd6-2eb1155d0f7a X-Archives-Hash: f813502129601f0dcb63b23add087fa0 This is a multi-part message in MIME format. --------------090706060100050501020509 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit There's a lot FUD out there and equally there is some truth. the NSA "we can decrypt everything" statement was really very vague, and can easily be done if you have a lot of taps (ala PRISM) and start doing mitm attacks to reduce the level of security to something that is crackable. for 'compatibility' very many low powered encryption schemes are supported and it is these that are the issue. if you are using ipsec tunnels with aes encryption you can happily ignore these. if you are using mpls networks you can almost guarantee your isp and therefore your network is compromised. the question really is what do you define as security ? if someone was to hit you on the head with a hammer, how long til you willingly gave out your passwords ? [1] I agree with the lack of faith in certificate CA's and i feel that the reason that warnings over ssl are so severe is to spoon feed folks into the owned networks. I far more trust the way mozilla do their web of trust [2] but equally am aware that trolls live in the crowds. while ssh authorized_keys are more secure than passwords, i can't (and am hoping someone can point me to) find how to track failed logins as folks bruteforce their way in. yes it's orders of magnitude more difficult but then internet speed is now orders of magnitude faster, and OTP are looking more sensible every day [3] to me. i used to use windows live messenger and right near the end found that if you send someone a web link to a file filled with /dev/random called passwords.zip you would have some unknown ip connect and download it too. who then is doing that and i trust skype and it's peer2peer nonsense even less. who even knows you can TLS encrypt SIP ? there are many ways of encrypting email but this is not supported from one site to another, even TLS support is often lacking, and GPG the contents means that some folks you send email to cannot read it -- there is always a trade off between usability and security. i read in slashdot that there is a question mark over SELinux because it came from the NSA [4] but this is nonsense, as it is a means of securing processes not network connections. i find it difficult to believe that a backdoor in a locked cupboard in your house can somehow give access through the front door. how far does trust need to be lost [5] before you start fabricating your own chips ? the complexity involved in chip fabs is immense and if bugs can slip through, what else can [6] ultimately a multi layer security approach is required, and security itself needs to be defined. i like privacy so i have net curtains, i don't have a 3 foot thick titanium door with strengthened hinges. if someone looks in my windows, i can see them. either through the window or on cctv. security itself has to be defined so that risk can be managed. so many people buy the biggest lock they can find and forget the hinges. or leave the windows open. even then it doesn't help in terms of power failure or leaking water or gas mains exploding next door (i.e. the definition of security in the sense of safety) to some security means RAID, to others security means offsite backup i like techniques such as port knocking [7] for reducing the size of the scan target if you have a cheap virtual server on each continent and put asterisk on each one; linked by aes ipsec tunnels with a local sip provider in each one then you could probably hide your phone calls quite easily from snoops. until they saw your bank statement and wondered what all these VPS providers and SIP accounts were for, and then the authorities if they were tracking you would go after those. why would you do such a thing? perhaps because you cannot trust the monopoly provider of a country to screen its equipment [8] even things like cookie tracking for advertising purposes - on the lighter side what if your kids see the ads for the stuff you are buying them for christmas ? surprise ruined? where does it stop - its one thing for google to announce governments want your search history, and another for advertising companies to sell your profile and tracking, essentially ad companies are doing the governments snooping job for them. ultimately it's down to risk mitigation. do you care if someone is snooping on your grocery list? no? using cookie tracking ? yeah profiling is bad - wouldn't want to end up on a terrorist watchlist because of my amusement with the zombie apocalypse listmania [9] encryption is important because you don't know what other folks in the internet cafe are doing [10] but where do you draw the line ? if you go into a shop do you worry that you are on cctv ? ok i'll stop ranting now, my main point is always have multi layered security - and think about what you are protecting and from whom [1] http://xkcd.com/538/ [2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/ [3] http://blog.tremily.us/posts/OTP/ [4] http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards-what-are-the-odds [5] http://cryptome.org/2013/07/intel-bed-nsa.htm [6] http://www.tomshardware.com/reviews/intel-cpu-history,1986-5.html [7] https://wiki.archlinux.org/index.php/Port_Knocking#Port_Knocking_with_iptables_only [8] http://www.pcpro.co.uk/news/security/383125/government-admits-slip-ups-in-bt-huawei-deal [9] http://www.amazon.co.uk/zombie-apocalypse-essentials/lm/R21TCKA47P0D4E/ref=cm_srch_res_rpli_alt_8 [10] http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep On 09/09/2013 02:33 AM, Dale wrote: > Someone found this and sent it to me. > > http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html > > > I'm not to concerned about the political aspect of this but do have to > wonder what this means when we use sites that are supposed to be secure > and use HTTPS. From reading that, it seems that even URLs with HTTPS > are not secure. Is it reasonable to expect that even connections > between say me and my bank are not really secure? > > Also, it seems there are people that want to work on fixing this and > leave out any Government workers. Given my understanding of this, that > could be a very wise move. From that article, I gather that the tools > used were compromised before it was even finished. Is there enough > support, enough geeks and nerds basically, to do this sort of work > independently? I suspect there are enough Linux geeks out there to > handle this and then figure out how to make it work on other OSs. I use > the words geek and nerd in a complimentary way. I consider myself a bit > of a geek as well. :-D > > One of many reasons I use Linux is security. I always felt pretty > secure but if that article is accurate, then the OS really doesn't > matter much when just reaching out and grabbing data between two puters > over the internet. I may be secure at my keyboard but once it hits the > modem and leaves, it can be grabbed and read if they want to even when > using HTTPS. Right? > > This is not Gentoo specific but as most know, Gentoo is all I use > anyway. I don't know of any other place to ask that I subscribe too. I > figure I would get a "no comment" out of the Government types. ROFL > Plus, there are some folks on here that know a LOT about this sort of > stuff too. > > Again, I don't want a lot of political stuff on this but more of the > technical side of, is that article accurate, can it be fixed and can we > be secure regardless of OS. It seems to me that when you break HTTPS, > you got it beat already. > > Am I right on this, wrong or somewhere in the middle? > > Dale > > :-) :-) > --------------090706060100050501020509 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: 8bit
There's a lot FUD out there and equally there is some truth.  the NSA "we can decrypt everything" statement was really very vague, and can easily be done if you have a lot of taps (ala PRISM) and start doing mitm attacks to reduce the level of security to something that is crackable.
for 'compatibility' very many low powered encryption schemes are supported and it is these that are the issue.
if you are using ipsec tunnels with aes encryption you can happily ignore these.
if you are using mpls networks you can almost guarantee your isp and therefore your network is compromised.
the question really is what do you define as security ?
if someone was to hit you on the head with a hammer, how long til you willingly gave out your passwords ? [1]
I agree with the lack of faith in certificate CA's and i feel that the reason that warnings over ssl are so severe is to spoon feed folks into the owned networks. I far more trust the way mozilla do their web of trust [2] but equally am aware that trolls live in the crowds.
while ssh authorized_keys are more secure than passwords, i can't (and am hoping someone can point me to) find how to track failed logins as folks bruteforce their way in.  yes it's orders of magnitude more difficult but then internet speed is now orders of magnitude faster, and OTP are looking more sensible every day [3] to me.
i used to use windows live messenger and right near the end found that if you send someone a web link to a file filled with /dev/random called passwords.zip you would have some unknown ip connect and download it too.
who then is doing that and i trust skype and it's peer2peer nonsense even less.
who even knows you can TLS encrypt SIP ?
there are many ways of encrypting email but this is not supported from one site to another, even TLS support is often lacking, and GPG the contents means that some folks you send email to cannot read it -- there is always a trade off between usability and security.
i read in slashdot that there is a question mark over SELinux because it came from the NSA [4] but this is nonsense, as it is a means of securing processes not network connections.  i find it difficult to believe that a backdoor in a locked cupboard in your house can somehow give access through the front door.
how far does trust need to be lost [5] before you start fabricating your own chips ?   the complexity involved in chip fabs is immense and if bugs can slip through, what else can [6]
ultimately a multi layer security approach is required, and security itself needs to be defined.
i like privacy so i have net curtains, i don't have a 3 foot thick titanium door with strengthened hinges.
if someone looks in my windows, i can see them. either through the window or on cctv.
security itself has to be defined so that risk can be managed.
so many people buy the biggest lock they can find and forget the hinges. or leave the windows open. 
even then it doesn't help in terms of power failure or leaking water or gas mains exploding next door (i.e. the definition of security in the sense of safety)
to some security means RAID, to others security means offsite backup
i like techniques such as port knocking [7] for reducing the size of the scan target
if you have a cheap virtual server on each continent and put asterisk on each one; linked by aes ipsec tunnels with a local sip provider in each one then you could probably hide your phone calls quite easily from snoops.  until they saw your bank statement and wondered what all these VPS providers and SIP accounts were for, and then the authorities if they were tracking you would go after those.  why would you do such a thing? perhaps because you cannot trust the monopoly provider of a country to screen its equipment [8]
even things like cookie tracking for advertising purposes - on the lighter side what if your kids see the ads for the stuff you are buying them for christmas ?  surprise ruined?  where does it stop - its one thing for google to announce governments want your search history, and another for advertising companies to sell your profile and tracking, essentially ad companies are doing the governments snooping job for them.
ultimately it's down to risk mitigation. do you care if someone is snooping on your grocery list? no? using cookie tracking ?  yeah profiling is bad - wouldn't want to end up on a terrorist watchlist because of my amusement with the zombie apocalypse listmania [9]
encryption is important because you don't know what other folks in the internet cafe are doing [10]
but where do you draw the line ?
if you go into a shop do you worry that you are on cctv ?

ok i'll stop ranting now, my main point is always have multi layered security - and think about what you are protecting and from whom

[1] http://xkcd.com/538/
[2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
[3] http://blog.tremily.us/posts/OTP/
[4] http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards-what-are-the-odds
[5] http://cryptome.org/2013/07/intel-bed-nsa.htm
[6] http://www.tomshardware.com/reviews/intel-cpu-history,1986-5.html
[7] https://wiki.archlinux.org/index.php/Port_Knocking#Port_Knocking_with_iptables_only
[8] http://www.pcpro.co.uk/news/security/383125/government-admits-slip-ups-in-bt-huawei-deal
[9] http://www.amazon.co.uk/zombie-apocalypse-essentials/lm/R21TCKA47P0D4E/ref=cm_srch_res_rpli_alt_8
[10] http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep


On 09/09/2013 02:33 AM, Dale wrote:
Someone found this and sent it to me. 

http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html


I'm not to concerned about the political aspect of this but do have to
wonder what this means when we use sites that are supposed to be secure
and use HTTPS.  From reading that, it seems that even URLs with HTTPS
are not secure.  Is it reasonable to expect that even connections
between say me and my bank are not really secure? 

Also, it seems there are people that want to work on fixing this and
leave out any Government workers.  Given my understanding of this, that
could be a very wise move.  From that article, I gather that the tools
used were compromised before it was even finished.  Is there enough
support, enough geeks and nerds basically, to do this sort of work
independently?  I suspect there are enough Linux geeks out there to
handle this and then figure out how to make it work on other OSs.  I use
the words geek and nerd in a complimentary way.  I consider myself a bit
of a geek as well.  :-D

One of many reasons I use Linux is security.  I always felt pretty
secure but if that article is accurate, then the OS really doesn't
matter much when just reaching out and grabbing data between two puters
over the internet.  I may be secure at my keyboard but once it hits the
modem and leaves, it can be grabbed and read if they want to even when
using HTTPS.  Right?

This is not Gentoo specific but as most know, Gentoo is all I use
anyway.  I don't know of any other place to ask that I subscribe too.  I
figure I would get a "no comment" out of the Government types.  ROFL 
Plus, there are some folks on here that know a LOT about this sort of
stuff too. 

Again, I don't want a lot of political stuff on this but more of the
technical side of, is that article accurate, can it be fixed and can we
be secure regardless of OS.  It seems to me that when you break HTTPS,
you got it beat already.

Am I right on this, wrong or somewhere in the middle?

Dale

:-)  :-)

--------------090706060100050501020509--