[ale] The NSA has compromised httpd, ssh, TLS/SSL, and secure chat

LinuxGnome lnxgnome at gmail.com
Sat Sep 7 13:15:20 EDT 2013


ASL = Adrya Stembridge Lingo?

On 09/06/2013 11:58 AM, Adrya Stembridge wrote:
> I've always operated under the assumption that everything I do on my computer (and by extension, online) is compromised.   If you need something secure, do it on paper or better yet learn ASL, meet at night during a rainstorm (leave all electronic devices at home) and communicate silently under an umbrella.  
> 
> 
> On Fri, Sep 6, 2013 at 11:30 AM, Tony Carter <tcarter at entrusion.com <mailto:tcarter at entrusion.com>> wrote:
> 
>     In other words, we're screwed..
> 
>     BTW, pfSense is based on FreeBSD, not Linux.
> 
>     -Tony
> 
> 
>     On Fri, Sep 6, 2013 at 10:43 AM, JD <jdp at algoloma.com <mailto:jdp at algoloma.com>> wrote:
> 
>         On 09/06/2013 10:06 AM, Charles Shapiro wrote:
>         > But not gpg, according to the NYT (
>         > http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0
>         > ).  My read of the article is that most of the compromises involve getting
>         > access to keys through vendors, rather than compromises of the actual
>         > algorithms, although there are some hints that the NSA has tried to subvert
>         > standards as well.
>         >
>         > Moral of the story:  Use FOSS, don't trust any service providers.
>         >
>         >
> 
>         Article from Bruce Schneier of "Applied Cryptography" fame.
>         http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
>         He literally "wrote the book."
> 
>         Don't trust anything based on DNS.
>         Don't trust anything based on commercial certificates.
>         Don't trust any network using radio (cell, wifi, wi-max).
>         Avoid proprietary software for security stuff.
> 
>         Don't trust TOR completely. It is extremely inconvenient to use it in a secure
>         way. A tiny config or use error can remove the anonymous aspects.
> 
>         Assume your router has been hacked. I think that probably applies to almost all
>         commercial routers and perhaps dd-wrt, openwrt, smoothwall, untangle, anything
>         based on linux. For some reason I think pfSense is less likely to be hacked -
>         but I don't have any proof at all - call it a feeling.
> 
>         Don't trust the VPN running on your router. The keys may have been stolen.
>         Bruce says to use IPSec. I've always thought that OpenVPN w/TLS was safer, guess
>         not.  IPSec is built into IPv6.
> 
>         If your router(s) have been hacked, that means we need to be using encryption on
>         our LANs too.  Key-based ssh for everything, though it appears that openssl may
>         not be completely safe either.
> 
>         Assume any smartphone platform has been hacked. Put it on a guest wifi network
>         in businesses and home.
> 
>         Assume any Apple or Microsoft platform has been hacked.  Whole Disk Encryption
>         with non-secure settings has been cracked by non-government organizations.
>         Google "Tom Kopchak".
> 
>         Linux platforms may have been hacked too, can't tell, but with all the Linux
>         servers, it is definitely an important target. OpenBSD?
> 
>         If you offer services on any network, enable port-knocking. Don't just leave a
>         service running.
> 
>         Protect your ssh/gpg/openSSL keys more than you protect your wallet.
> 
>         Cracking the math is hard, so governments try to avoid that. Social and
>         side-hacks available from poor configs or bad implementations seem to be plentiful.
> 
>         Sadly, I fear my paranoia is not high enough as we learn more and more. None of
>         this means any individual, company, network has been compromised, but if they
>         can automate the data gathering, wouldn't they?
> 
>         _______________________________________________
>         Ale mailing list
>         Ale at ale.org <mailto:Ale at ale.org>
>         http://mail.ale.org/mailman/listinfo/ale
>         See JOBS, ANNOUNCE and SCHOOLS lists at
>         http://mail.ale.org/mailman/listinfo
