[ale] The NSA has compromised httpd, ssh, TLS/SSL, and secure chat

JD jdp at algoloma.com
Fri Sep 6 10:43:09 EDT 2013


On 09/06/2013 10:06 AM, Charles Shapiro wrote:
> But not gpg, according to the NYT (
> http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0
> ).  My read of the article is that most of the compromises involve getting
> access to keys through vendors, rather than compromises of the actual
> algorithms, although there are some hints that the NSA has tried to subvert
> standards as well. 
> 
> Moral of the story:  Use FOSS, don't trust any service providers.
> 
> 

Article from Bruce Schnieir of "Applied Cryptography" fame.
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
 He literally "wrote the book."

Don't trust anything based on DNS.
Don't trust anything based on commercial certificates.
Don't trust any network using radio (cell, wifi, wi-max).
Avoid proprietary software for security stuff.

Don't trust TOR completely. It is extremely inconvenient to use it in a secure
way. A tiny config or use error can remove the anonymous aspects.

Assume your router has been hacked. I think the probably applies to almost all
commercial routers and perhaps dd-wrt, openwrt, smoothwall, untangle, anything
based on linux. For some reason I think pfSense is less likely to be hacked -
but I don't have any proof at all - call it a feeling.

Don't trust the VPN running on your router. The keys may have been stolen.
Bruce says to use IPSec. I've always thought that OpenVPN w/TLS was safer, guess
not.  IPSec is built-into IPv6.

If your router(s) have been hacked, that means we need to be using encryption on
our LANs too.  Key-based ssh for everything, though it appears that openssl may
not be completely safe either.

Assume any smartphone platform has been hacked. Put it on a guest wifi-network
in businesses and home.

Assume any Apple or Microsoft platform has been hacked.  Whole Disk Encryption
with non-secure settings has been cracked by non-government organizations.
Google "Tom Kopchak".

Linux platforms may have been hacked too, can't tell, but with all the Linux
servers, it is definitely an important target. OpenBSD?

If you offer services on any network, enable port-knocking. Don't just leave a
service running.

Protect your ssh/gpg/openSSL keys more than you protect your wallet.

Cracking the math is hard, so governments try to avoid that. Social and
side-hacks available from poor configs or bad implementations seem to be plentiful.

Sadly, I fear my paranoia is not high enough as we learn more and more. None of
this means any individual, company, network has been compromised, but if they
can automate the data gathering, wouldn't they?



More information about the Ale mailing list