[ale] The NSA has compromised httpd, ssh, TLS/SSL, and secure chat

Tony Carter tcarter at entrusion.com
Fri Sep 6 11:30:03 EDT 2013


In other words, we're screwed.

BTW, pfSense is based on FreeBSD, not Linux.

-Tony


On Fri, Sep 6, 2013 at 10:43 AM, JD <jdp at algoloma.com> wrote:

> On 09/06/2013 10:06 AM, Charles Shapiro wrote:
> > But not gpg, according to the NYT (
> > http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0
> > ). My read of the article is that most of the compromises involve getting access to keys through vendors, rather than compromises of the actual algorithms, although there are some hints that the NSA has tried to subvert standards as well.
> >
> > Moral of the story:  Use FOSS, don't trust any service providers.
> >
> >
>
> Article from Bruce Schneier of "Applied Cryptography" fame.
>
> http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
> He literally "wrote the book."
>
> Don't trust anything based on DNS.
> Don't trust anything based on commercial certificates.
> Don't trust any network using radio (cell, wifi, wi-max).
> Avoid proprietary software for security stuff.
>
> Don't trust TOR completely. It is extremely inconvenient to use it in a secure way. A tiny config or use error can remove the anonymous aspects.
>
> Assume your router has been hacked. I think that probably applies to almost all commercial routers and perhaps dd-wrt, openwrt, smoothwall, untangle, anything based on linux. For some reason I think pfSense is less likely to be hacked - but I don't have any proof at all - call it a feeling.
>
> Don't trust the VPN running on your router. The keys may have been stolen. Bruce says to use IPSec. I've always thought that OpenVPN w/TLS was safer, guess not. IPSec is built-into IPv6.
>
> If your router(s) have been hacked, that means we need to be using encryption on our LANs too. Key-based ssh for everything, though it appears that openssl may not be completely safe either.
>
> Assume any smartphone platform has been hacked. Put it on a guest wifi-network in businesses and home.
>
> Assume any Apple or Microsoft platform has been hacked. Whole Disk Encryption with non-secure settings has been cracked by non-government organizations. Google "Tom Kopchak".
>
> Linux platforms may have been hacked too, can't tell, but with all the Linux servers, it is definitely an important target. OpenBSD?
>
> If you offer services on any network, enable port-knocking. Don't just leave a service running.
>
> Protect your ssh/gpg/openSSL keys more than you protect your wallet.
>
> Cracking the math is hard, so governments try to avoid that. Social and side-hacks available from poor configs or bad implementations seem to be plentiful.
>
> Sadly, I fear my paranoia is not high enough as we learn more and more. None of this means any individual, company, network has been compromised, but if they can automate the data gathering, wouldn't they?
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale