<div dir="ltr">I've always operated under the assumption that everything I do on my computer (and by extension, online) is compromised. If you need something secure, do it on paper or, better yet, learn ASL, meet at night during a rainstorm (leave all electronic devices at home) and communicate silently under an umbrella. </div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Fri, Sep 6, 2013 at 11:30 AM, Tony Carter <span dir="ltr"><<a href="mailto:tcarter@entrusion.com" target="_blank">tcarter@entrusion.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">In other words, we're screwed.<div><br></div><div>BTW, pfSense is based on FreeBSD, not Linux.<span class="HOEnZb"><font color="#888888"><br>
<div><font color="#666666" face="Lucida Sans Unicode, Lucida Grande, Arial, Tahoma, Verdana"><span style="font-size:12px"><br>
</span></font></div></font></span><div><span class="HOEnZb"><font color="#888888"><font color="#666666" face="Lucida Sans Unicode, Lucida Grande, Arial, Tahoma, Verdana"><span style="font-size:12px">-Tony<br></span></font></font></span><div class="gmail_extra">
<br><br><div class="gmail_quote"><div class="im">
On Fri, Sep 6, 2013 at 10:43 AM, JD <span dir="ltr"><<a href="mailto:jdp@algoloma.com" target="_blank">jdp@algoloma.com</a>></span> wrote:<br></div><div><div class="h5"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div><div>On 09/06/2013 10:06 AM, Charles Shapiro wrote:<br>
> But not gpg, according to the NYT (<br>
> <a href="http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0" target="_blank">http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0</a><br>
> ). My read of the article is that most of the compromises involve getting<br>
> access to keys through vendors, rather than compromises of the actual<br>
> algorithms, although there are some hints that the NSA has tried to subvert<br>
> standards as well.<br>
><br>
> Moral of the story: Use FOSS, don't trust any service providers.<br>
><br>
><br>
<br>
</div></div>Article from Bruce Schneier of "Applied Cryptography" fame.<br>
<a href="http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance" target="_blank">http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance</a><br>
He literally "wrote the book."<br>
<br>
Don't trust anything based on DNS.<br>
Don't trust anything based on commercial certificates.<br>
Don't trust any network using radio (cell, wifi, wi-max).<br>
Avoid proprietary software for security stuff.<br>
<br>
Don't trust TOR completely. It is extremely inconvenient to use it in a secure<br>
way. A tiny config or use error can remove the anonymous aspects.<br>
<br>
Assume your router has been hacked. I think that probably applies to almost all<br>
commercial routers and perhaps dd-wrt, openwrt, smoothwall, untangle, anything<br>
based on linux. For some reason I think pfSense is less likely to be hacked -<br>
but I don't have any proof at all - call it a feeling.<br>
<br>
Don't trust the VPN running on your router. The keys may have been stolen.<br>
Bruce says to use IPSec. I've always thought that OpenVPN w/TLS was safer, guess<br>
not. IPSec is built into IPv6.<br>
<br>
If your router(s) have been hacked, that means we need to be using encryption on<br>
our LANs too. Key-based ssh for everything, though it appears that openssl may<br>
not be completely safe either.<br>
<br>
Assume any smartphone platform has been hacked. Put it on a guest wifi network<br>
in businesses and home.<br>
<br>
Assume any Apple or Microsoft platform has been hacked. Whole Disk Encryption<br>
with non-secure settings has been cracked by non-government organizations.<br>
Google "Tom Kopchak".<br>
<br>
Linux platforms may have been hacked too, can't tell, but with all the Linux<br>
servers, it is definitely an important target. OpenBSD?<br>
<br>
If you offer services on any network, enable port-knocking. Don't just leave a<br>
service running.<br>
<br>
Protect your ssh/gpg/openSSL keys more than you protect your wallet.<br>
<br>
Cracking the math is hard, so governments try to avoid that. Social and<br>
side-hacks available from poor configs or bad implementations seem to be plentiful.<br>
<br>
Sadly, I fear my paranoia is not high enough as we learn more and more. None of<br>
this means any individual, company, or network has been compromised, but if they<br>
can automate the data gathering, wouldn't they?<br>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank">Ale@ale.org</a><br>
<a href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div></div></div><br></div></div></div></div>
<br></blockquote></div><br></div>