<div dir="ltr"><span style="font-family:arial,sans-serif;font-size:13px">>> Linux platforms may have been hacked too, can't tell, but with all the Linux</span><br style="font-family:arial,sans-serif;font-size:13px">
<span style="font-family:arial,sans-serif;font-size:13px">servers, it is definitely an important target. OpenBSD?</span><br><div><span style="font-family:arial,sans-serif;font-size:13px"><br>If your platform uses SELinux, yes.<br>
<br></span><a href="http://www.nsa.gov/research/selinux/">http://www.nsa.gov/research/selinux/</a><br><span style="font-family:arial,sans-serif;font-size:13px"><br> </span></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Fri, Sep 6, 2013 at 10:43 AM, JD <span dir="ltr"><<a href="mailto:jdp@algoloma.com" target="_blank">jdp@algoloma.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
On 09/06/2013 10:06 AM, Charles Shapiro wrote:<br>
> But not gpg, according to the NYT (<br>
> <a href="http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0" target="_blank">http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0</a><br>
> ). My read of the article is that most of the compromises involve getting<br>
> access to keys through vendors, rather than compromises of the actual<br>
> algorithms, although there are some hints that the NSA has tried to subvert<br>
> standards as well.<br>
><br>
> Moral of the story: Use FOSS, don't trust any service providers.<br>
><br>
><br>
<br>
Article from Bruce Schnieir of "Applied Cryptography" fame.<br>
<a href="http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance" target="_blank">http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance</a><br>
He literally "wrote the book."<br>
<br>
Don't trust anything based on DNS.<br>
Don't trust anything based on commercial certificates.<br>
Don't trust any network using radio (cell, wifi, wi-max).<br>
Avoid proprietary software for security stuff.<br>
<br>
Don't trust TOR completely. It is extremely inconvenient to use it in a secure<br>
way. A tiny config or use error can remove the anonymous aspects.<br>
<br>
Assume your router has been hacked. I think the probably applies to almost all<br>
commercial routers and perhaps dd-wrt, openwrt, smoothwall, untangle, anything<br>
based on linux. For some reason I think pfSense is less likely to be hacked -<br>
but I don't have any proof at all - call it a feeling.<br>
<br>
Don't trust the VPN running on your router. The keys may have been stolen.<br>
Bruce says to use IPSec. I've always thought that OpenVPN w/TLS was safer, guess<br>
not. IPSec is built-into IPv6.<br>
<br>
If your router(s) have been hacked, that means we need to be using encryption on<br>
our LANs too. Key-based ssh for everything, though it appears that openssl may<br>
not be completely safe either.<br>
<br>
Assume any smartphone platform has been hacked. Put it on a guest wifi-network<br>
in businesses and home.<br>
<br>
Assume any Apple or Microsoft platform has been hacked. Whole Disk Encryption<br>
with non-secure settings has been cracked by non-government organizations.<br>
Google "Tom Kopchak".<br>
<br>
Linux platforms may have been hacked too, can't tell, but with all the Linux<br>
servers, it is definitely an important target. OpenBSD?<br>
<br>
If you offer services on any network, enable port-knocking. Don't just leave a<br>
service running.<br>
<br>
Protect your ssh/gpg/openSSL keys more than you protect your wallet.<br>
<br>
Cracking the math is hard, so governments try to avoid that. Social and<br>
side-hacks available from poor configs or bad implementations seem to be plentiful.<br>
<br>
Sadly, I fear my paranoia is not high enough as we learn more and more. None of<br>
this means any individual, company, network has been compromised, but if they<br>
can automate the data gathering, wouldn't they?<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div><br></div>