[ale] The NSA has compromised httpd, ssh, TLS/SSL, and secure chat

Jim Kinney jim.kinney at gmail.com
Fri Sep 6 12:25:41 EDT 2013


But since the code is GPL and has been available for public scrutiny for 10
years, SELinux is just as backdoor compromised as openssh and gnupg.

SELinux is not encryption. It's ACLs on steroids.

NSA started the SELinux process but does not participate any more.

On Sep 6, 2013 10:59 AM, "Adrya Stembridge" <adrya.stembridge at gmail.com> wrote:

> >> Linux platforms may have been hacked too, can't tell, but with all the
> >> Linux servers, it is definitely an important target. OpenBSD?
>
> If your platform uses SELinux, yes.
>
> http://www.nsa.gov/research/selinux/
>
>
>
>
> On Fri, Sep 6, 2013 at 10:43 AM, JD <jdp at algoloma.com> wrote:
>
>> On 09/06/2013 10:06 AM, Charles Shapiro wrote:
>> > But not gpg, according to the NYT (
>> > http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0
>> > ).  My read of the article is that most of the compromises involve
>> > getting access to keys through vendors, rather than compromises of the
>> > actual algorithms, although there are some hints that the NSA has tried
>> > to subvert standards as well.
>> >
>> > Moral of the story:  Use FOSS, don't trust any service providers.
>> >
>> >
>>
>> Article from Bruce Schneier of "Applied Cryptography" fame.
>>
>> http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
>>  He literally "wrote the book."
>>
>> Don't trust anything based on DNS.
>> Don't trust anything based on commercial certificates.
>> Don't trust any network using radio (cell, wifi, wi-max).
>> Avoid proprietary software for security stuff.
>>
>> Don't trust TOR completely. It is extremely inconvenient to use it in a
>> secure way. A tiny config or use error can remove the anonymous aspects.
>>
>> Assume your router has been hacked. I think that probably applies to
>> almost all commercial routers and perhaps dd-wrt, openwrt, smoothwall,
>> untangle, anything based on linux. For some reason I think pfSense is
>> less likely to be hacked - but I don't have any proof at all - call it
>> a feeling.
>>
>> Don't trust the VPN running on your router. The keys may have been stolen.
>> Bruce says to use IPSec. I've always thought that OpenVPN w/TLS was
>> safer, guess not.  IPSec is built into IPv6.
>>
>> If your router(s) have been hacked, that means we need to be using
>> encryption on our LANs too.  Key-based ssh for everything, though it
>> appears that openssl may not be completely safe either.
>>
>> Assume any smartphone platform has been hacked. Put it on a guest
>> wifi-network in businesses and home.
>>
>> Assume any Apple or Microsoft platform has been hacked.  Whole Disk
>> Encryption with non-secure settings has been cracked by non-government
>> organizations. Google "Tom Kopchak".
>>
>> Linux platforms may have been hacked too, can't tell, but with all the
>> Linux servers, it is definitely an important target. OpenBSD?
>>
>> If you offer services on any network, enable port-knocking. Don't just
>> leave a service running.
>>
>> Protect your ssh/gpg/openSSL keys more than you protect your wallet.
>>
>> Cracking the math is hard, so governments try to avoid that. Social and
>> side-hacks available from poor configs or bad implementations seem to be
>> plentiful.
>>
>> Sadly, I fear my paranoia is not high enough as we learn more and more.
>> None of this means any individual, company, network has been compromised,
>> but if they can automate the data gathering, wouldn't they?
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>