[ale] The NSA has compromised httpd, ssh, TLS/SSL, and secure chat

Adrya Stembridge adrya.stembridge at gmail.com
Fri Sep 6 11:58:56 EDT 2013


I've always operated under the assumption that everything I do on my
computer (and by extension, online) is compromised.   If you need something
secure, do it on paper or better yet learn ASL, meet at night during a
rainstorm (leave all electronic devices at home) and communicate silently
under an umbrella.


On Fri, Sep 6, 2013 at 11:30 AM, Tony Carter <tcarter at entrusion.com> wrote:

> In other words, we're screwed..
>
> BTW, pfSense is based on FreeBSD. not Linux.
>
> -Tony
>
>
> On Fri, Sep 6, 2013 at 10:43 AM, JD <jdp at algoloma.com> wrote:
>
>> On 09/06/2013 10:06 AM, Charles Shapiro wrote:
>> > But not gpg, according to the NYT (
>> >
>> http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?hp&_r=0
>> > ).  My read of the article is that most of the compromises involve
>> getting
>> > access to keys through vendors, rather than compromises of the actual
>> > algorithms, although there are some hints that the NSA has tried to
>> subvert
>> > standards as well.
>> >
>> > Moral of the story:  Use FOSS, don't trust any service providers.
>> >
>> >
>>
>> Article from Bruce Schneier of "Applied Cryptography" fame.
>>
>> http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
>>  He literally "wrote the book."
>>
>> Don't trust anything based on DNS.
>> Don't trust anything based on commercial certificates.
>> Don't trust any network using radio (cell, wifi, wi-max).
>> Avoid proprietary software for security stuff.
>>
>> Don't trust TOR completely. It is extremely inconvenient to use it in a
>> secure
>> way. A tiny config or use error can remove the anonymous aspects.
>>
>> Assume your router has been hacked. I think that probably applies to
>> almost all
>> commercial routers and perhaps dd-wrt, openwrt, smoothwall, untangle,
>> anything
>> based on linux. For some reason I think pfSense is less likely to be
>> hacked -
>> but I don't have any proof at all - call it a feeling.
>>
>> Don't trust the VPN running on your router. The keys may have been stolen.
>> Bruce says to use IPSec. I've always thought that OpenVPN w/TLS was
>> safer, guess
>> not.  IPSec is built into IPv6.
>>
>> If your router(s) have been hacked, that means we need to be using
>> encryption on
>> our LANs too.  Key-based ssh for everything, though it appears that
>> openssl may
>> not be completely safe either.
>>
>> Assume any smartphone platform has been hacked. Put it on a guest
>> wifi-network
>> in businesses and home.
>>
>> Assume any Apple or Microsoft platform has been hacked.  Whole Disk
>> Encryption
>> with non-secure settings has been cracked by non-government organizations.
>> Google "Tom Kopchak".
>>
>> Linux platforms may have been hacked too, can't tell, but with all the
>> Linux
>> servers, it is definitely an important target. OpenBSD?
>>
>> If you offer services on any network, enable port-knocking. Don't just
>> leave a
>> service running.
>>
>> Protect your ssh/gpg/openSSL keys more than you protect your wallet.
>>
>> Cracking the math is hard, so governments try to avoid that. Social and
>> side-hacks available from poor configs or bad implementations seem to be
>> plentiful.
>>
>> Sadly, I fear my paranoia is not high enough as we learn more and more.
>> None of
>> this means any individual, company, network has been compromised, but if
>> they
>> can automate the data gathering, wouldn't they?
>>
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
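JD's advice above to use "key-based ssh for everything" comes down to a handful of sshd_config directives, and the weak state is often not a wrong line but a missing one, because sshd falls back to permissive defaults. The following audit script is an added example for this thread, not code from any list member: it parses a constructed weak and a constructed hardened sshd_config and reports every directive that still allows password or root login. The directive names are real OpenSSH keywords; the DEFAULTS table is an assumption about OpenSSH defaults of the 2013 era (PermitRootLogin defaulted to "yes" before OpenSSH 7.0), so adjust it for the version actually deployed.

```python
"""Audit an sshd_config for settings that undermine key-only authentication.

Added example for the mailing-list discussion; not code from the thread.
"""
import re

# Constructed sample: the kind of config that quietly still allows passwords.
WEAK_CONFIG = """\
# constructed sample sshd_config (weak)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes
"""

# Constructed sample: the same host restricted to public-key logins only.
HARDENED_CONFIG = """\
# constructed sample sshd_config (hardened for key-only logins)
Port 22
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AuthenticationMethods publickey
X11Forwarding no
"""

# Directive -> value a key-only policy requires (keys lower-cased for matching).
REQUIRED = {
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "no",
}

# Assumed sshd defaults when a directive is absent (OpenSSH 6.x era);
# verify against `man sshd_config` for the version you run.
DEFAULTS = {
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "yes",
}

# sshd accepts "Keyword value" or "Keyword=value"; comments start with '#'.
_DIRECTIVE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {directive: value} for the global section of an sshd_config.

    Mirrors sshd semantics: the first occurrence of a directive wins, and
    parsing stops at the first Match block, since settings inside it are
    conditional and do not describe the global policy.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means the
    config enforces key-only, non-root logins."""
    settings = parse_sshd_config(text)
    findings = []
    for directive, wanted in REQUIRED.items():
        if directive in settings:
            actual, origin = settings[directive], "set"
        else:
            actual, origin = DEFAULTS[directive], "default"
        if actual != wanted:
            findings.append(
                f"{directive} is {actual!r} ({origin}); expected {wanted!r}"
            )
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_sshd_config(cfg) or ["no findings"]:
            print("  " + finding)
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; the "(default)" tag in a finding is the case worth watching, since a config that never mentions PasswordAuthentication looks clean to a grep but still accepts passwords.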