[gentoo-user] Internet security.

[gentoo-user] Internet security.

[Dale]

Someone found this and sent it to me. 

http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html


I'm not to concerned about the political aspect of this but do have to
wonder what this means when we use sites that are supposed to be secure
and use HTTPS.  From reading that, it seems that even URLs with HTTPS
are not secure.  Is it reasonable to expect that even connections
between say me and my bank are not really secure? 

Also, it seems there are people that want to work on fixing this and
leave out any Government workers.  Given my understanding of this, that
could be a very wise move.  From that article, I gather that the tools
used were compromised before it was even finished.  Is there enough
support, enough geeks and nerds basically, to do this sort of work
independently?  I suspect there are enough Linux geeks out there to
handle this and then figure out how to make it work on other OSs.  I use
the words geek and nerd in a complimentary way.  I consider myself a bit
of a geek as well.  :-D

One of many reasons I use Linux is security.  I always felt pretty
secure but if that article is accurate, then the OS really doesn't
matter much when just reaching out and grabbing data between two puters
over the internet.  I may be secure at my keyboard but once it hits the
modem and leaves, it can be grabbed and read if they want to even when
using HTTPS.  Right?

This is not Gentoo specific but as most know, Gentoo is all I use
anyway.  I don't know of any other place to ask that I subscribe too.  I
figure I would get a "no comment" out of the Government types.  ROFL 
Plus, there are some folks on here that know a LOT about this sort of
stuff too. 

Again, I don't want a lot of political stuff on this but more of the
technical side of, is that article accurate, can it be fixed and can we
be secure regardless of OS.  It seems to me that when you break HTTPS,
you got it beat already.

Am I right on this, wrong or somewhere in the middle?

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!

Re: [gentoo-user] Internet security.

[Michael Orlitzky]

On 09/08/2013 09:33 PM, Dale wrote:
> Someone found this and sent it to me. 
> 
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
> 
> 
> I'm not to concerned about the political aspect of this but do have to
> wonder what this means when we use sites that are supposed to be secure
> and use HTTPS.  From reading that, it seems that even URLs with HTTPS
> are not secure.  Is it reasonable to expect that even connections
> between say me and my bank are not really secure? 
> 

The CA infrastructure was never secure. It exists to transfer money away
from website owners and into the bank accounts of the CAs and browser
makers. Security may be one of their goals, but it's certainly not the
motivating one.

To avoid a tirade here, I've already written about this:

[1]
http://michael.orlitzky.com/articles/in_defense_of_self-signed_certificates.php

[2]
http://michael.orlitzky.com/articles/why_im_against_ca-signed_certificates.php

Warning: they're highly ranty, and mostly preach to the choir in that I
don't give a ton of background.

The tl;dr is, use a 4096-bit self signed certificate combined with
pinning. It's not perfect, but it's as good as it gets unless you plan
to make a trip to each website's datacenter in person.

Re: [gentoo-user] Internet security.

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 1526 bytes --]

On Monday 09 Sep 2013 03:05:57 Michael Orlitzky wrote:
> On 09/08/2013 09:33 PM, Dale wrote:
> > Someone found this and sent it to me.
> > 
> > http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelatio
> > ns-020838711--sector.html
> > 
> > 
> > I'm not to concerned about the political aspect of this but do have to
> > wonder what this means when we use sites that are supposed to be secure
> > and use HTTPS.  From reading that, it seems that even URLs with HTTPS
> > are not secure.  Is it reasonable to expect that even connections
> > between say me and my bank are not really secure?
> 
> The CA infrastructure was never secure. It exists to transfer money away
> from website owners and into the bank accounts of the CAs and browser
> makers. Security may be one of their goals, but it's certainly not the
> motivating one.
> 
> To avoid a tirade here, I've already written about this:
> 
> [1]
> http://michael.orlitzky.com/articles/in_defense_of_self-signed_certificates
> .php
> 
> [2]
> http://michael.orlitzky.com/articles/why_im_against_ca-signed_certificates.
> php
> 
> Warning: they're highly ranty, and mostly preach to the choir in that I
> don't give a ton of background.
> 
> The tl;dr is, use a 4096-bit self signed certificate combined with
> pinning. It's not perfect, but it's as good as it gets unless you plan
> to make a trip to each website's datacenter in person.

Are you saying that 2048 RSA keys are no good anymore?

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Internet security.

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 2884 bytes --]

On Monday 09 Sep 2013 02:33:48 Dale wrote:
> Someone found this and sent it to me.
> 
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations
> -020838711--sector.html
> 
> 
> I'm not to concerned about the political aspect of this but do have to
> wonder what this means when we use sites that are supposed to be secure
> and use HTTPS.  From reading that, it seems that even URLs with HTTPS
> are not secure.  Is it reasonable to expect that even connections
> between say me and my bank are not really secure?
> 
> Also, it seems there are people that want to work on fixing this and
> leave out any Government workers.  Given my understanding of this, that
> could be a very wise move.  From that article, I gather that the tools
> used were compromised before it was even finished.  Is there enough
> support, enough geeks and nerds basically, to do this sort of work
> independently?  I suspect there are enough Linux geeks out there to
> handle this and then figure out how to make it work on other OSs.  I use
> the words geek and nerd in a complimentary way.  I consider myself a bit
> of a geek as well.  :-D
> 
> One of many reasons I use Linux is security.  I always felt pretty
> secure but if that article is accurate, then the OS really doesn't
> matter much when just reaching out and grabbing data between two puters
> over the internet.  I may be secure at my keyboard but once it hits the
> modem and leaves, it can be grabbed and read if they want to even when
> using HTTPS.  Right?
> 
> This is not Gentoo specific but as most know, Gentoo is all I use
> anyway.  I don't know of any other place to ask that I subscribe too.  I
> figure I would get a "no comment" out of the Government types.  ROFL
> Plus, there are some folks on here that know a LOT about this sort of
> stuff too.
> 
> Again, I don't want a lot of political stuff on this but more of the
> technical side of, is that article accurate, can it be fixed and can we
> be secure regardless of OS.  It seems to me that when you break HTTPS,
> you got it beat already.
> 
> Am I right on this, wrong or somewhere in the middle?
> 
> Dale
> 
> :-)  :-)

As far as I know the NSA has cracked elliptic curve algorithms and earlier SSL 
versions.  Not that you would suspect this from their peddling of it here :-p

  http://www.nsa.gov/business/programs/elliptic_curve.shtml


Latest TLS v1.2 *should* be OK, but with the advent of quantum computing who 
can tell if science fiction decryption capabilities have become reality for 
state actors.  Looking at this, you can see that loads of websites out there 
are not using strong enough encryption, so even if it worked quantum computing 
may be an overkill for many https implementations today:

  https://www.trustworthyinternet.org/ssl-pulse/

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Internet security.

[Adam Carter]

[-- Attachment #1: Type: text/plain, Size: 247 bytes --]

>
> [2]
>
> http://michael.orlitzky.com/articles/why_im_against_ca-signed_certificates.php
> .
>

I like to state some of what you say here as "website certificates are only
as trusted as the LEAST trustworthy CA in the trusted certificate store"

[-- Attachment #2: Type: text/html, Size: 571 bytes --]

Re: [gentoo-user] Internet security.

[Pavel Volkov]

[-- Attachment #1: Type: text/plain, Size: 1044 bytes --]

On Mon, Sep 9, 2013 at 6:05 AM, Michael Orlitzky <michael@orlitzky.com>wrote:

> The CA infrastructure was never secure. It exists to transfer money away
> from website owners and into the bank accounts of the CAs and browser
> makers. Security may be one of their goals, but it's certainly not the
> motivating one.
>

Well, at least CAcert doesn't exist for money.


>
> To avoid a tirade here, I've already written about this:
>
> [1]
>
> http://michael.orlitzky.com/articles/in_defense_of_self-signed_certificates.php
>
> [2]
>
> http://michael.orlitzky.com/articles/why_im_against_ca-signed_certificates.php
>
>
I've got a question about Gentoo in this case. If we assume that stage3 is
trusted, does portage check that mirrors are trusted? I'm not sure about
this. But if it does, then distfiles checksums are also checked, so they
are trusted, too. In this case you could trust a running browser. Until
your system becomes compromised in other ways.
This would be OS packaging system problem, not the problem with CA-->user
trust model.

[-- Attachment #2: Type: text/html, Size: 1864 bytes --]

Re: [gentoo-user] Internet security.

[thegeezer]

[-- Attachment #1: Type: text/plain, Size: 7666 bytes --]

There's a lot FUD out there and equally there is some truth.  the NSA
"we can decrypt everything" statement was really very vague, and can
easily be done if you have a lot of taps (ala PRISM) and start doing
mitm attacks to reduce the level of security to something that is
crackable.
for 'compatibility' very many low powered encryption schemes are
supported and it is these that are the issue.
if you are using ipsec tunnels with aes encryption you can happily
ignore these.
if you are using mpls networks you can almost guarantee your isp and
therefore your network is compromised.
the question really is what do you define as security ?
if someone was to hit you on the head with a hammer, how long til you
willingly gave out your passwords ? [1]
I agree with the lack of faith in certificate CA's and i feel that the
reason that warnings over ssl are so severe is to spoon feed folks into
the owned networks. I far more trust the way mozilla do their web of
trust [2] but equally am aware that trolls live in the crowds.
while ssh authorized_keys are more secure than passwords, i can't (and
am hoping someone can point me to) find how to track failed logins as
folks bruteforce their way in.  yes it's orders of magnitude more
difficult but then internet speed is now orders of magnitude faster, and
OTP are looking more sensible every day [3] to me.
i used to use windows live messenger and right near the end found that
if you send someone a web link to a file filled with /dev/random called
passwords.zip you would have some unknown ip connect and download it too.
who then is doing that and i trust skype and it's peer2peer nonsense
even less.
who even knows you can TLS encrypt SIP ?
there are many ways of encrypting email but this is not supported from
one site to another, even TLS support is often lacking, and GPG the
contents means that some folks you send email to cannot read it -- there
is always a trade off between usability and security.
i read in slashdot that there is a question mark over SELinux because it
came from the NSA [4] but this is nonsense, as it is a means of securing
processes not network connections.  i find it difficult to believe that
a backdoor in a locked cupboard in your house can somehow give access
through the front door.
how far does trust need to be lost [5] before you start fabricating your
own chips ?   the complexity involved in chip fabs is immense and if
bugs can slip through, what else can [6]
ultimately a multi layer security approach is required, and security
itself needs to be defined.
i like privacy so i have net curtains, i don't have a 3 foot thick
titanium door with strengthened hinges.
if someone looks in my windows, i can see them. either through the
window or on cctv.
security itself has to be defined so that risk can be managed.
so many people buy the biggest lock they can find and forget the hinges.
or leave the windows open. 
even then it doesn't help in terms of power failure or leaking water or
gas mains exploding next door (i.e. the definition of security in the
sense of safety)
to some security means RAID, to others security means offsite backup
i like techniques such as port knocking [7] for reducing the size of the
scan target
if you have a cheap virtual server on each continent and put asterisk on
each one; linked by aes ipsec tunnels with a local sip provider in each
one then you could probably hide your phone calls quite easily from
snoops.  until they saw your bank statement and wondered what all these
VPS providers and SIP accounts were for, and then the authorities if
they were tracking you would go after those.  why would you do such a
thing? perhaps because you cannot trust the monopoly provider of a
country to screen its equipment [8]
even things like cookie tracking for advertising purposes - on the
lighter side what if your kids see the ads for the stuff you are buying
them for christmas ?  surprise ruined?  where does it stop - its one
thing for google to announce governments want your search history, and
another for advertising companies to sell your profile and tracking,
essentially ad companies are doing the governments snooping job for them.
ultimately it's down to risk mitigation. do you care if someone is
snooping on your grocery list? no? using cookie tracking ?  yeah
profiling is bad - wouldn't want to end up on a terrorist watchlist
because of my amusement with the zombie apocalypse listmania [9]
encryption is important because you don't know what other folks in the
internet cafe are doing [10]
but where do you draw the line ?
if you go into a shop do you worry that you are on cctv ?

ok i'll stop ranting now, my main point is always have multi layered
security - and think about what you are protecting and from whom

[1] http://xkcd.com/538/
[2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
[3] http://blog.tremily.us/posts/OTP/
[4]
http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards-what-are-the-odds
[5] http://cryptome.org/2013/07/intel-bed-nsa.htm
[6] http://www.tomshardware.com/reviews/intel-cpu-history,1986-5.html
[7]
https://wiki.archlinux.org/index.php/Port_Knocking#Port_Knocking_with_iptables_only
[8]
http://www.pcpro.co.uk/news/security/383125/government-admits-slip-ups-in-bt-huawei-deal
[9]
http://www.amazon.co.uk/zombie-apocalypse-essentials/lm/R21TCKA47P0D4E/ref=cm_srch_res_rpli_alt_8
[10]
http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep


On 09/09/2013 02:33 AM, Dale wrote:
> Someone found this and sent it to me. 
>
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
>
>
> I'm not to concerned about the political aspect of this but do have to
> wonder what this means when we use sites that are supposed to be secure
> and use HTTPS.  From reading that, it seems that even URLs with HTTPS
> are not secure.  Is it reasonable to expect that even connections
> between say me and my bank are not really secure? 
>
> Also, it seems there are people that want to work on fixing this and
> leave out any Government workers.  Given my understanding of this, that
> could be a very wise move.  From that article, I gather that the tools
> used were compromised before it was even finished.  Is there enough
> support, enough geeks and nerds basically, to do this sort of work
> independently?  I suspect there are enough Linux geeks out there to
> handle this and then figure out how to make it work on other OSs.  I use
> the words geek and nerd in a complimentary way.  I consider myself a bit
> of a geek as well.  :-D
>
> One of many reasons I use Linux is security.  I always felt pretty
> secure but if that article is accurate, then the OS really doesn't
> matter much when just reaching out and grabbing data between two puters
> over the internet.  I may be secure at my keyboard but once it hits the
> modem and leaves, it can be grabbed and read if they want to even when
> using HTTPS.  Right?
>
> This is not Gentoo specific but as most know, Gentoo is all I use
> anyway.  I don't know of any other place to ask that I subscribe too.  I
> figure I would get a "no comment" out of the Government types.  ROFL 
> Plus, there are some folks on here that know a LOT about this sort of
> stuff too. 
>
> Again, I don't want a lot of political stuff on this but more of the
> technical side of, is that article accurate, can it be fixed and can we
> be secure regardless of OS.  It seems to me that when you break HTTPS,
> you got it beat already.
>
> Am I right on this, wrong or somewhere in the middle?
>
> Dale
>
> :-)  :-) 
>


[-- Attachment #2: Type: text/html, Size: 10521 bytes --]

Re: [gentoo-user] Internet security.

[Bruce Hill]

On Mon, Sep 09, 2013 at 10:36:09AM +0100, thegeezer wrote:
> There's a lot FUD out there and equally there is some truth.  the NSA
> "we can decrypt everything" statement was really very vague, and can
> easily be done if you have a lot of taps (ala PRISM) and start doing
> mitm attacks to reduce the level of security to something that is
> crackable.
> for 'compatibility' very many low powered encryption schemes are
> supported and it is these that are the issue.
> if you are using ipsec tunnels with aes encryption you can happily
> ignore these.
> if you are using mpls networks you can almost guarantee your isp and
> therefore your network is compromised.
> the question really is what do you define as security ?
> if someone was to hit you on the head with a hammer, how long til you
> willingly gave out your passwords ? [1]
> I agree with the lack of faith in certificate CA's and i feel that the
> reason that warnings over ssl are so severe is to spoon feed folks into
> the owned networks. I far more trust the way mozilla do their web of
> trust [2] but equally am aware that trolls live in the crowds.
> while ssh authorized_keys are more secure than passwords, i can't (and
> am hoping someone can point me to) find how to track failed logins as
> folks bruteforce their way in.  yes it's orders of magnitude more
> difficult but then internet speed is now orders of magnitude faster, and
> OTP are looking more sensible every day [3] to me.
> i used to use windows live messenger and right near the end found that
> if you send someone a web link to a file filled with /dev/random called
> passwords.zip you would have some unknown ip connect and download it too.
> who then is doing that and i trust skype and it's peer2peer nonsense
> even less.
> who even knows you can TLS encrypt SIP ?
> there are many ways of encrypting email but this is not supported from
> one site to another, even TLS support is often lacking, and GPG the
> contents means that some folks you send email to cannot read it -- there
> is always a trade off between usability and security.
> i read in slashdot that there is a question mark over SELinux because it
> came from the NSA [4] but this is nonsense, as it is a means of securing
> processes not network connections.  i find it difficult to believe that
> a backdoor in a locked cupboard in your house can somehow give access
> through the front door.
> how far does trust need to be lost [5] before you start fabricating your
> own chips ?   the complexity involved in chip fabs is immense and if
> bugs can slip through, what else can [6]
> ultimately a multi layer security approach is required, and security
> itself needs to be defined.
> i like privacy so i have net curtains, i don't have a 3 foot thick
> titanium door with strengthened hinges.
> if someone looks in my windows, i can see them. either through the
> window or on cctv.
> security itself has to be defined so that risk can be managed.
> so many people buy the biggest lock they can find and forget the hinges.
> or leave the windows open. 
> even then it doesn't help in terms of power failure or leaking water or
> gas mains exploding next door (i.e. the definition of security in the
> sense of safety)
> to some security means RAID, to others security means offsite backup
> i like techniques such as port knocking [7] for reducing the size of the
> scan target
> if you have a cheap virtual server on each continent and put asterisk on
> each one; linked by aes ipsec tunnels with a local sip provider in each
> one then you could probably hide your phone calls quite easily from
> snoops.  until they saw your bank statement and wondered what all these
> VPS providers and SIP accounts were for, and then the authorities if
> they were tracking you would go after those.  why would you do such a
> thing? perhaps because you cannot trust the monopoly provider of a
> country to screen its equipment [8]
> even things like cookie tracking for advertising purposes - on the
> lighter side what if your kids see the ads for the stuff you are buying
> them for christmas ?  surprise ruined?  where does it stop - its one
> thing for google to announce governments want your search history, and
> another for advertising companies to sell your profile and tracking,
> essentially ad companies are doing the governments snooping job for them.
> ultimately it's down to risk mitigation. do you care if someone is
> snooping on your grocery list? no? using cookie tracking ?  yeah
> profiling is bad - wouldn't want to end up on a terrorist watchlist
> because of my amusement with the zombie apocalypse listmania [9]
> encryption is important because you don't know what other folks in the
> internet cafe are doing [10]
> but where do you draw the line ?
> if you go into a shop do you worry that you are on cctv ?
> 
> ok i'll stop ranting now, my main point is always have multi layered
> security - and think about what you are protecting and from whom
> 
> [1] http://xkcd.com/538/
> [2] https://addons.mozilla.org/en-US/firefox/addon/wot-safe-browsing-tool/
> [3] http://blog.tremily.us/posts/OTP/
> [4]
> http://yro.slashdot.org/story/13/07/02/1241246/nsa-backdoors-in-open-source-and-open-standards-what-are-the-odds
> [5] http://cryptome.org/2013/07/intel-bed-nsa.htm
> [6] http://www.tomshardware.com/reviews/intel-cpu-history,1986-5.html
> [7]
> https://wiki.archlinux.org/index.php/Port_Knocking#Port_Knocking_with_iptables_only
> [8]
> http://www.pcpro.co.uk/news/security/383125/government-admits-slip-ups-in-bt-huawei-deal
> [9]
> http://www.amazon.co.uk/zombie-apocalypse-essentials/lm/R21TCKA47P0D4E/ref=cm_srch_res_rpli_alt_8
> [10]
> http://lifehacker.com/5672313/sniff-out-user-credentials-at-wi+fi-hotspots-with-firesheep
> 
> 
> On 09/09/2013 02:33 AM, Dale wrote:
> > Someone found this and sent it to me. 
> >
> > http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
> >
> >
> > I'm not to concerned about the political aspect of this but do have to
> > wonder what this means when we use sites that are supposed to be secure
> > and use HTTPS.  From reading that, it seems that even URLs with HTTPS
> > are not secure.  Is it reasonable to expect that even connections
> > between say me and my bank are not really secure? 
> >
> > Also, it seems there are people that want to work on fixing this and
> > leave out any Government workers.  Given my understanding of this, that
> > could be a very wise move.  From that article, I gather that the tools
> > used were compromised before it was even finished.  Is there enough
> > support, enough geeks and nerds basically, to do this sort of work
> > independently?  I suspect there are enough Linux geeks out there to
> > handle this and then figure out how to make it work on other OSs.  I use
> > the words geek and nerd in a complimentary way.  I consider myself a bit
> > of a geek as well.  :-D
> >
> > One of many reasons I use Linux is security.  I always felt pretty
> > secure but if that article is accurate, then the OS really doesn't
> > matter much when just reaching out and grabbing data between two puters
> > over the internet.  I may be secure at my keyboard but once it hits the
> > modem and leaves, it can be grabbed and read if they want to even when
> > using HTTPS.  Right?
> >
> > This is not Gentoo specific but as most know, Gentoo is all I use
> > anyway.  I don't know of any other place to ask that I subscribe too.  I
> > figure I would get a "no comment" out of the Government types.  ROFL 
> > Plus, there are some folks on here that know a LOT about this sort of
> > stuff too. 
> >
> > Again, I don't want a lot of political stuff on this but more of the
> > technical side of, is that article accurate, can it be fixed and can we
> > be secure regardless of OS.  It seems to me that when you break HTTPS,
> > you got it beat already.
> >
> > Am I right on this, wrong or somewhere in the middle?
> >
> > Dale
> >
> > :-)  :-) 
> >
> 

When a top-post is that long did you read it before noticing?

Well, if you opened this email, "All ur base r belong to us!"
-- 
Happy Penguin Computers               >')
126 Fenco Drive                       ( \
Tupelo, MS 38801                       ^^
support@happypenguincomputers.com
662-269-2706 662-205-6424
http://happypenguincomputers.com/

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

Don't top-post: http://en.wikipedia.org/wiki/Top_post#Top-posting

Re: [gentoo-user] Internet security.

[thegeezer]

[-- Attachment #1: Type: text/plain, Size: 189 bytes --]

> When a top-post is that long did you read it before noticing?
>
> Well, if you opened this email, "All ur base r belong to us!"

:$  oops, was more focussed on my rant than the etiquette

[-- Attachment #2: Type: text/html, Size: 652 bytes --]

Re: [gentoo-user] Internet security.

[Michael Orlitzky]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2013 01:28 AM, Mick wrote:
> 
> Are you saying that 2048 RSA keys are no good anymore?
> 

They're probably fine, but when you're making them yourself, the extra
bits are free. I would assume that the NSA can crack 1024-bit RSA[1],
so why not jump to 4096 so you don't have to do this again in a few years?

The performance overhead is also mostly negligible: the only thing the
public key crypto is used for is to exchange a secret which is then
used to do simpler (and faster) crypto.


[1]
http://blog.erratasec.com/2013/09/tor-is-still-dhe-1024-nsa-crackable.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)

iQIcBAEBAgAGBQJSLdBEAAoJEBxJck0inpOiGg4P/1fBRpLoSsNnzjhFGro6vHOr
uf5/xUR8y2M+7sBXsyS6d7uU1GfKcyWW2UnhuMabz6/bLWSmhCeGAZrAw1n1/oqp
DcxvT9Z/SWM/taYCGkMcxAh3pMxCTohS7Dpq1NxjjB2J7+GgITCNfn6b1bxrAjjO
cWCjrAh9ozESiP7AGM2vt2CR9mC0AsWMEoUk5zF0wd0BZq7cCSbcnxV54E784OVz
TXcmhvISHz5cgC5nWTylCgy4BqLp94A7ZjtuvZntTBhAeU9MFWX1FpnrBbbnOwW4
WPCYF3mRJKKapE6IIN2jHp1l0w8oM/EFrMoGYYQkAG393TWaRgDLqGqAJBDpLDwP
+fmeT/xdfn7nyQNV1IwfdeAdcHFPoKw9dcr2kWVYlx8oJQteibSaQmT9L/LLdJfk
5+XgFg2Va6xTx1YsBfRGXc/PIjrQwlJ0rZ2osjKYfE6G1747+sz0fD74rDRoLTrl
j8I4QVuMeOqxdXp9hQv6TNuEHXw9vlbKRlOwT/E7sTHWerK5EXFqgUS8txl3Os+3
2iNgz7v/0AhMrH0evtzn2k88agjXY1UrqUotHuGndJxyc1ZhXZuoJAOSFcgLv/ko
L1Vzl3lOdaj1nF23RMWZoqdaI4BZyBM4zDx7K+0g3e7YadQ/EkD6mof0sVNGpO4a
q6PNGNy9oZaWflDAOHaN
=Ni4r
-----END PGP SIGNATURE-----

Re: [gentoo-user] Internet security.

[Michael Orlitzky]

On 09/09/2013 02:50 AM, Adam Carter wrote:
>     [2]
>     http://michael.orlitzky.com/articles/why_im_against_ca-signed_certificates.php
>     .
> 
> 
> I like to state some of what you say here as "website certificates are
> only as trusted as the LEAST trustworthy CA in the trusted certificate
> store"

Right, and most of them you wouldn't even consider trustworthy a priori.
If the NSA can hack or "persuade" *any* of them, every single website on
the net is compromised.

Here's a list of the ones included with Firefox:

http://www.mozilla.org/projects/security/certs/included/index.html

The ones in the USA, we already know, can be forced to do whatever under
gag order. Of the ones outside the USA, well, I see a couple that belong
to countries where I would be executed for the things I did this weekend.

Re: [gentoo-user] Internet security.

[Michael Orlitzky]

On 09/09/2013 03:19 AM, Pavel Volkov wrote:
> On Mon, Sep 9, 2013 at 6:05 AM, Michael Orlitzky <michael@orlitzky.com
> <mailto:michael@orlitzky.com>> wrote:
> 
>     The CA infrastructure was never secure. It exists to transfer money away
>     from website owners and into the bank accounts of the CAs and browser
>     makers. Security may be one of their goals, but it's certainly not the
>     motivating one.
> 
> 
> Well, at least CAcert doesn't exist for money.
>  

You sort of make my point for me:

  If you want to access a website that uses a SSL certificate signed by
  CAcert, you might get an SSL warning. We are sorry, but currently
  that's still 'normal' as mainstream browsers don't automatically
  include the CAcert Root Certificate yet. [1]

So, CACert certificates don't eliminate the browser warning, which is
the only reason you would ever pay for a certificate in the first place.
But why don't browsers include CACert?

  Traditionally vendors seeking to have their root certificates
  included in browsers (directly or via the underlying OS
  infrastructure like Safari via OS X's Keychain) would have to seek an
  expensive Webtrust audit (~$75,000 up-front plus ~$10,000 per
  year). [2]

They don't pay up! So I wouldn't include CACert in my blanket statement,
but they're not really part of the CA infrastructure and you might as
well use a self-signed cert instead if you're gonna get a warning anyway.


> I've got a question about Gentoo in this case. If we assume that stage3
> is trusted, does portage check that mirrors are trusted?

No. There's a GLEP for some of these issues:

  https://www.gentoo.org/proj/en/glep/glep-0057.html

The relevant part is,

  ...any non-Gentoo controlled rsync mirror can modify executable code;
  as much of this code is per default run as root a malicious mirror
  could compromise hundreds of systems per day - if cloaked well
  enough, such an attack could run for weeks before being noticed.



[1] http://wiki.cacert.org/FAQ/BrowserClients
[2] http://wiki.cacert.org/InclusionStatus

Re: [gentoo-user] Internet security.

[Hinnerk van Bruinehsen]

[-- Attachment #1: Type: text/plain, Size: 6988 bytes --]

On Mon, Sep 09, 2013 at 10:36:09AM +0100, thegeezer wrote:
> There's a lot FUD out there and equally there is some truth.  the NSA "we can
> decrypt everything" statement was really very vague, and can easily be done if
> you have a lot of taps (ala PRISM) and start doing mitm attacks to reduce the
> level of security to something that is crackable.
> for 'compatibility' very many low powered encryption schemes are supported and
> it is these that are the issue.

I think you're right because it'll be much easier to read the data at one
endpoint than to decrypt everything. If big corporations like Google or Cisco
can be forced to cooperate (and they can - that much is fact), it'd be the
likelier way to get your data.
On the other hand e.g. Bruce Schneier warns of ECC because the NSA promoted it
intensively. So there may be some secret that helps to decrypt it in the hands
of the NSA (possible something about the NIST curve definitions that reduce the
effective keylength).
> if you are using ipsec tunnels with aes encryption you can happily ignore
> these.
This would be true if you have an secure endpoint. And I think that nowadays
nothing is secure...
> if you are using mpls networks you can almost guarantee your isp and therefore
> your network is compromised.
> the question really is what do you define as security ?
> if someone was to hit you on the head with a hammer, how long til you willingly
> gave out your passwords ? [1]
> I agree with the lack of faith in certificate CA's and i feel that the reason
> that warnings over ssl are so severe is to spoon feed folks into the owned
> networks. I far more trust the way mozilla do their web of trust [2] but
> equally am aware that trolls live in the crowds.
> while ssh authorized_keys are more secure than passwords, i can't (and am
> hoping someone can point me to) find how to track failed logins as folks
> bruteforce their way in.  yes it's orders of magnitude more difficult but then
> internet speed is now orders of magnitude faster, and OTP are looking more
> sensible every day [3] to me.
> i used to use windows live messenger and right near the end found that if you
> send someone a web link to a file filled with /dev/random called passwords.zip
> you would have some unknown ip connect and download it too.
> who then is doing that and i trust skype and it's peer2peer nonsense even less.
> who even knows you can TLS encrypt SIP ?
> there are many ways of encrypting email but this is not supported from one site
> to another, even TLS support is often lacking, and GPG the contents means that
> some folks you send email to cannot read it -- there is always a trade off
> between usability and security.
> i read in slashdot that there is a question mark over SELinux because it came
> from the NSA [4] but this is nonsense, as it is a means of securing processes
> not network connections.  i find it difficult to believe that a backdoor in a
> locked cupboard in your house can somehow give access through the front door.
This point you get wrong. SELinux implement the LSM API (in fact the LSM API
was tailored to SELinux needs). It has hooks in nearly everything
(file/directory access, process access and also sockets). One of the biggest
concerns at the time of creation of the LSM API was rootkits hooking that
functions. It's definitively a thread. I'm not saying that SELinux contains
a backdoor (I for myself would have hidden it in the LSM part, not in SELinux
because that would enable me to use it even if other LSMs are used). If you
google for "underhanded C contest" you'll see that it's possible to hide
malicious behaviour in plain sight. And if the kernel is compromised all other
defenses mean nothing. (As I said,  I don't want to spread fearbut that is
something to consider imho).
> how far does trust need to be lost [5] before you start fabricating your own
> chips ?   the complexity involved in chip fabs is immense and if bugs can slip
> through, what else can [6]
> ultimately a multi layer security approach is required, and security itself
> needs to be defined.
You need an anchor from which you can establish trust. If there is a hardware
backdoor you'll not be able to fix that problem with software. There is an
excellent paper from Ken Thompson called "Reflections on trusting trust" that
theorizes about the possibility of a trojanized compiler that injects malicous
code and therefore makes code audits pointless. Security sadly is hard..
> i like privacy so i have net curtains, i don't have a 3 foot thick titanium
> door with strengthened hinges.
> if someone looks in my windows, i can see them. either through the window or on
> cctv.
> security itself has to be defined so that risk can be managed.
> so many people buy the biggest lock they can find and forget the hinges. or
> leave the windows open. 
> even then it doesn't help in terms of power failure or leaking water or gas
> mains exploding next door (i.e. the definition of security in the sense of
> safety)
> to some security means RAID, to others security means offsite backup
> i like techniques such as port knocking [7] for reducing the size of the scan
> target
> if you have a cheap virtual server on each continent and put asterisk on each
> one; linked by aes ipsec tunnels with a local sip provider in each one then you
> could probably hide your phone calls quite easily from snoops.  until they saw
> your bank statement and wondered what all these VPS providers and SIP accounts
> were for, and then the authorities if they were tracking you would go after
> those.  why would you do such a thing? perhaps because you cannot trust the
> monopoly provider of a country to screen its equipment [8]
> even things like cookie tracking for advertising purposes - on the lighter side
> what if your kids see the ads for the stuff you are buying them for christmas ?
>   surprise ruined?  where does it stop - its one thing for google to announce
> governments want your search history, and another for advertising companies to
> sell your profile and tracking, essentially ad companies are doing the
> governments snooping job for them.
> ultimately it's down to risk mitigation. do you care if someone is snooping on
> your grocery list? no? using cookie tracking ?  yeah profiling is bad -
> wouldn't want to end up on a terrorist watchlist because of my amusement with
> the zombie apocalypse listmania [9]
> encryption is important because you don't know what other folks in the internet
> cafe are doing [10]
> but where do you draw the line ?
> if you go into a shop do you worry that you are on cctv ?
> <SNIP>

Hi,
you'll find my answers inline due to the length of this mail...

I think in the long term the only way to get security is to control the
agencys. Unless that happens there is not much chance to get reasonable
security...

WKR
Hinnerk

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Internet security.

[thegeezer]

>> i read in slashdot that there is a question mark over SELinux because it came
>> from the NSA [4] but this is nonsense, as it is a means of securing processes
>> not network connections.  i find it difficult to believe that a backdoor in a
>> locked cupboard in your house can somehow give access through the front door.
> This point you get wrong. SELinux implement the LSM API (in fact the LSM API
> was tailored to SELinux needs). It has hooks in nearly everything
> (file/directory access, process access and also sockets). One of the biggest
> concerns at the time of creation of the LSM API was rootkits hooking that
> functions. It's definitively a thread. I'm not saying that SELinux contains
> a backdoor (I for myself would have hidden it in the LSM part, not in SELinux
> because that would enable me to use it even if other LSMs are used). If you
> google for "underhanded C contest" you'll see that it's possible to hide
> malicious behaviour in plain sight. And if the kernel is compromised all other
> defenses mean nothing. (As I said,  I don't want to spread fearbut that is
> something to consider imho).
Interesting, I didn't realise LSM provisioned hooks for SELinux -
thought it it was more modular (and less 'shoehorned') than that. 
I need to go read about that some more now

Re: [gentoo-user] Internet security.

[Dale]

Dale wrote:
> Someone found this and sent it to me. 
>
> http://news.yahoo.com/internet-experts-want-security-revamp-nsa-revelations-020838711--sector.html
>
>
> <<<< SNIP>>>>
>
> Am I right on this, wrong or somewhere in the middle?
>
> Dale
>
> :-)  :-) 
>


I got this in my email today. 

https://www.eff.org/deeplinks/2013/08/one-key-rule-them-all-threats-against-service-provider-private-encryption-keys


It seems, I may be wrong on this tho, that some changes are being made. 
While there is a lot of info there, it also seems that each site has one
key and once you have that one key, you can then handle the whole sites
encryption.  Example:  Google, Facebook, a bank, the EFF site or whatever. 

It seems we are back to face to face and even that isn't a sure thing. 

I'm still reading some of the other posts.  It seems this is a mess with
no real sure answer since it all depends on a lot of other things. 
Mostly we don't know for sure what information the spy folks have and
what is compromised and what is not.  < sighs >

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!

Re: [gentoo-user] Internet security.

[Hinnerk van Bruinehsen]

[-- Attachment #1: Type: text/plain, Size: 1832 bytes --]

On Mon, Sep 09, 2013 at 04:30:31PM +0100, thegeezer wrote:
> >> i read in slashdot that there is a question mark over SELinux because it came
> >> from the NSA [4] but this is nonsense, as it is a means of securing processes
> >> not network connections.  i find it difficult to believe that a backdoor in a
> >> locked cupboard in your house can somehow give access through the front door.
> > This point you get wrong. SELinux implement the LSM API (in fact the LSM API
> > was tailored to SELinux needs). It has hooks in nearly everything
> > (file/directory access, process access and also sockets). One of the biggest
> > concerns at the time of creation of the LSM API was rootkits hooking that
> > functions. It's definitively a thread. I'm not saying that SELinux contains
> > a backdoor (I for myself would have hidden it in the LSM part, not in SELinux
> > because that would enable me to use it even if other LSMs are used). If you
> > google for "underhanded C contest" you'll see that it's possible to hide
> > malicious behaviour in plain sight. And if the kernel is compromised all other
> > defenses mean nothing. (As I said,  I don't want to spread fearbut that is
> > something to consider imho).
> Interesting, I didn't realise LSM provisioned hooks for SELinux -
> thought it it was more modular (and less 'shoehorned') than that. 
> I need to go read about that some more now


You can start here:

http://www.freetechbooks.com/efiles/selinuxnotebook/The_SELinux_Notebook_The_Foundations_3rd_Edition.pdf

for a general overview (page 64ff has a list of the hooks).
Other than that http://www.kroah.com/linux/talks/ols_2002_lsm_paper/lsm.pdf and
http://www.nsa.gov/research/_files/publications/implementing_selinux.pdf may be
of interest (though both are quite old).

WKR
Hinnerk

[-- Attachment #2: Digital signature --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Internet security.

[thegeezer]

On 09/09/2013 05:04 PM, Hinnerk van Bruinehsen wrote:
> On Mon, Sep 09, 2013 at 04:30:31PM +0100, thegeezer wrote:
>>
>> Interesting, I didn't realise LSM provisioned hooks for SELinux -
>> thought it it was more modular (and less 'shoehorned') than that. 
>> I need to go read about that some more now
>
> You can start here:
>
> http://www.freetechbooks.com/efiles/selinuxnotebook/The_SELinux_Notebook_The_Foundations_3rd_Edition.pdf
>
> for a general overview (page 64ff has a list of the hooks).
> Other than that http://www.kroah.com/linux/talks/ols_2002_lsm_paper/lsm.pdf and
> http://www.nsa.gov/research/_files/publications/implementing_selinux.pdf may be
> of interest (though both are quite old).
>
> WKR
> Hinnerk
thanks muchly :)

Re: [gentoo-user] Internet security.

[Pavel Volkov]

[-- Attachment #1: Type: text/plain, Size: 670 bytes --]

On Monday 09 September 2013 10:00:25 Michael Orlitzky wrote:
> No. There's a GLEP for some of these issues:
> 
>   https://www.gentoo.org/proj/en/glep/glep-0057.html
> 
> The relevant part is,
> 
>   ...any non-Gentoo controlled rsync mirror can modify executable code;
>   as much of this code is per default run as root a malicious mirror
>   could compromise hundreds of systems per day - if cloaked well
>   enough, such an attack could run for weeks before being noticed.

I noticed there's another GLEP which eliminates the mirror problem: 
http://www.gentoo.org/proj/en/glep/glep-0058.html

It's marked as accepted. I hope they'll implement it in reasonable time.

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 836 bytes --]

Re: [gentoo-user] Internet security.

[Michael Orlitzky]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2013 01:36 PM, Pavel Volkov wrote:
> 
> I noticed there's another GLEP which eliminates the mirror problem:
>  http://www.gentoo.org/proj/en/glep/glep-0058.html
> 
> It's marked as accepted. I hope they'll implement it in reasonable
> time.
> 

This is the latest news; not much there unfortunately:

  http://thread.gmane.org/gmane.linux.gentoo.devel/87099

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)

iQIcBAEBAgAGBQJSLgqfAAoJEBxJck0inpOiNCgP/jkRSRr1P1HZbsqNicwyTusQ
CZek3G1Lii31hOZbcauhvdrTL0exmVw9Z2/Mc1c2CxeEa3DhX4WXSxuA2bHo29Ba
v2AFeFDFtS8PYEolb+MvN/AEk/urAxEz4kSVGFBOpin2y4FvjuKoQsFfho4VSaQ5
YxrCBkUKz2wMwQFtC80Kof8hbDpKJjVIJ1BsDbDplaUQl5hV9u4SmCQKBzl7JPzO
v45bdwNjDJcPneVS0N/BByY6zaP+9FcpA27wgkbmwbvGYn3/KWSEKCsaaoifV/kv
xq8BD9ZgRn9uWnoeov3fy8D/CBdZKsIdckD61lgeChmWqJmzPrXQd1hzu5j6uBdx
y+UXE1Jp2b0Eg97ybVhne3kHsSyODJUo+bSTdjr85SNX3dVACQTrGC4WDFWyF6iW
xG8joyT7Ufg6KBYpdM9MRxhYEU3CJg8KPVu4PN+No+q/Y2/e4cmDLBQqroDIDqA0
eQq/alQYXFxuuiq6geWDUCviCjfVauj+yWHKdGThX13rfyD6eyjlzgNSG1dUy5pS
0xmxhoCkpT3hK+o05+Fy66+Ex98n+KL4ImSztcnzT3DbAHbHoxRFL6P/vu2PdvmL
Ys+DGqxJe/lRIzLnMeLf4Lk1ablunD7VJK4c6StvzdEhpzlRal7pPSv9wDNWSQZW
jIUMsw6UJ5wD4dyqmEO4
=SbM7
-----END PGP SIGNATURE-----

Re: [gentoo-user] Internet security.

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 537 bytes --]

On Monday 09 Sep 2013 14:42:28 Michael Orlitzky wrote:
> On 09/09/2013 01:28 AM, Mick wrote:
> > Are you saying that 2048 RSA keys are no good anymore?
> 
> They're probably fine, but when you're making them yourself, the extra
> bits are free. I would assume that the NSA can crack 1024-bit RSA[1],
> so why not jump to 4096 so you don't have to do this again in a few years?

Right, but my router won't work with keys larger than 2048 and its admin GUI 
is controlled with 1024-bit public certificate.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]

Re: [gentoo-user] Internet security.

[Michael Orlitzky]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/09/2013 02:07 PM, Mick wrote:
> On Monday 09 Sep 2013 14:42:28 Michael Orlitzky wrote:
>> On 09/09/2013 01:28 AM, Mick wrote:
>>> Are you saying that 2048 RSA keys are no good anymore?
>> 
>> They're probably fine, but when you're making them yourself, the
>> extra bits are free. I would assume that the NSA can crack
>> 1024-bit RSA[1], so why not jump to 4096 so you don't have to do
>> this again in a few years?
> 
> Right, but my router won't work with keys larger than 2048 and its
> admin GUI is controlled with 1024-bit public certificate.
> 

How often do you need to admin the router? Just do it from home (i.e.
on the LAN side).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)

iQIcBAEBAgAGBQJSLiCIAAoJEBxJck0inpOiOxUQAKLD/ZpyhmdbyKYhw8git9A9
omPhNJPrIiRFNiw2uS9RrdRTqNaoAQyzRy8QkyfQK5MxYqSR7Xf3YUFv/fNXiahS
pT3wSi9OVmaJQ7p5yHkmEdPTp30nhg53kFFeZ6h2Qd1BQ9GmzCoq5ajPavLoIreF
DMjpLAsE3fY+1JcMe1qbyqfrAGrfpVrh2h5VdMneIFe2t8/yRQKX5F/z6JWnb8/V
pdHQfFkybnJOiul1aLy/C/wKKyHVcrFvpM8QwhfGuDVY/q9h9gg99QN/5KqtahfJ
jAuzaygTcSHsYfxNzf83ik0O25RR7UJ/dW4YGbK+PCb11RQZ3i/scxkuW3y11DGS
iFMT9bQAP8InqUi8lWawu5fNwJBGlMgbHIYbkzpd/9U2YSQBbjJJgyOczsLcL8cC
S8F9i8LqhRW3w6IczSGq6rt51gFgSVpBNaysJprq95Ei3/ZoAZY/jcpKAZhlV0wS
3xRCkiNBjPcyTHuSV5Z4QzgLB77EtO8fdV6vIBshY5zdX1jXFA8n5jKgb9tmTCKQ
Eu6c1VvmJ4sIS437UgVcMVs7c08rp5qI3BhM1uKVuD/PIuQkaTnT6MZ57+AsvCjc
hQ+tKaDhrnxY1aHkSwimtKKZKTZxmpi6TuMC+kxE9Ytl6/Br5IJhg0QcqZAUY06W
A6X/s6n7XYboLXBiBg4c
=N9w5
-----END PGP SIGNATURE-----

Re: [gentoo-user] Internet security.

[Mick]

[-- Attachment #1: Type: Text/Plain, Size: 927 bytes --]

On Monday 09 Sep 2013 20:24:56 Michael Orlitzky wrote:
> On 09/09/2013 02:07 PM, Mick wrote:
> > On Monday 09 Sep 2013 14:42:28 Michael Orlitzky wrote:
> >> On 09/09/2013 01:28 AM, Mick wrote:
> >>> Are you saying that 2048 RSA keys are no good anymore?
> >> 
> >> They're probably fine, but when you're making them yourself, the
> >> extra bits are free. I would assume that the NSA can crack
> >> 1024-bit RSA[1], so why not jump to 4096 so you don't have to do
> >> this again in a few years?
> > 
> > Right, but my router won't work with keys larger than 2048 and its
> > admin GUI is controlled with 1024-bit public certificate.
> 
> How often do you need to admin the router? Just do it from home (i.e.
> on the LAN side).

Yes, that's how I do it, or I VPN into the LAN from the outside if there is 
some emergency.  However, the VPN SSL keys can't be any larger that 2048-bit.

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 490 bytes --]