[ale] The NSA has compromised httpd, ssh, TLS/SSL, and secure chat

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Sat Sep 7 11:18:04 EDT 2013


Hi all,

I scanned over that article.  It's both interesting and frightening.  I 
found the summary section, quoted below, to be most interesting.

<quote on>

The moral is obvious. You can't trust code that you did not totally 
create yourself. (Especially code from companies that employ people like 
me.) No amount of source-level verification or scrutiny will protect you 
from using untrusted code. In demonstrating the possibility of this kind 
of attack, I picked on the C compiler. I could have picked on any 
program-handling program such as an assembler, a loader, or even 
hardware microcode. As the level of program gets lower, these bugs will 
be harder and harder to detect. A well installed microcode bug will be 
almost impossible to detect.

After trying to convince you that I cannot be trusted, I wish to 
moralize. I would like to criticize the press in its handling of the 
"hackers," the 414 gang, the Dalton gang, etc. The acts performed by 
these kids are vandalism at best and probably trespass and theft at 
worst. It is only the inadequacy of the criminal code that saves the 
hackers from very serious prosecution. The companies that are vulnerable 
to this activity (and most large companies are very vulnerable) are 
pressing hard to update the criminal code. Unauthorized access to 
computer systems is already a serious crime in a few states and is 
currently being addressed in many more state legislatures as well as 
Congress.

There is an explosive situation brewing. On the one hand, the press, 
television, and movies make heroes of vandals by calling them whiz kids. 
On the other hand, the acts performed by these kids will soon be 
punishable by years in prison.

I have watched kids testifying before Congress. It is clear that they 
are completely unaware of the seriousness of their acts. There is 
obviously a cultural gap. The act of breaking into a computer system has 
to have the same social stigma as breaking into a neighbor's house. It 
should not matter that the neighbor's door is unlocked. The press must 
learn that misguided use of a computer is no more amazing than drunk 
driving of an automobile.

</quote off>

Remembering what we learned in kindergarten, or preferably before 
kindergarten, would help: you don't violate another person's body, 
space, property, rights; because it's wrong, because you hurt the other 
party in some way, and / or cost them money, or just scare them.  You 
don't violate their computer or their car either, whether or not you 
can.  If you do violate those things, you're subject to get punished.  
We, as a culture, have to resume teaching our children basic values of 
right and wrong and hold them to those standards before they get to the 
criminal level.  I especially like the last paragraph of the quote.

I listened to the audio book of Kevin Mitnick's Ghost In The Wires.  It 
was a truly scary tale of what a malicious cracker can do.  It was 
fascinating from a technological point of view.  It was scary from a 
social point of view.  While he's since turned over a new leaf and is 
apparently a white hat, perhaps as long as he gets paid to be, he did 
much harm on the way from being a black hat to becoming a white hat.  
Some may mention that he restrained himself and didn't, for example, 
steal millions of credit card numbers, even when he could.  That's all 
well and good, but he still hurt people, and companies; and that's 
wrong.  This activity is not the type of thing that should be glamorized 
or idolized.  It should be condemned.

And yes, the companies that are vulnerable to attack SHOULD do security 
audits and tighten up their defenses.

Ron


On 9/7/2013 10:26 AM, Boris Borisov wrote:
> http://cm.bell-labs.com/who/ken/trust.html
>
> This story really makes your head spin ...
>
>
> On Fri, Sep 6, 2013 at 5:17 PM, Jim Kinney <jim.kinney at gmail.com 
> <mailto:jim.kinney at gmail.com>> wrote:
>
>     I think the Intel compiler will make the kernel but it's closed
>     source.
>     It's not in RedHat's best interest to ship a trojaned compiler but
>     I don't know who does 3rd party checks of their binary. This
>     underscores the need to not use binary blobs in kernel code.
>
>     On Sep 6, 2013 3:33 PM, "Michael B. Trausch" <mbt at naunetcorp.com
>     <mailto:mbt at naunetcorp.com>> wrote:
>
>         On 09/06/2013 12:25 PM, Jim Kinney wrote:
>>         NSA started the selinux process but does not participate any
>>         more.
>
>         I'd make a crack about checking out the compiler, but we have
>         more than one.... no, wait, wait, just one compiler that can
>         compile Linux.  Hrm...
>
>         http://cm.bell-labs.com/who/ken/trust.html
>
>             — Mike
>
>         -- 
>         Michael B. Trausch
>         President, Naunet Corporation
>         ☎ (678) 287-0693 x130 or (888) 494-5810 x130
>         FAX: (678) 783-7843
>


-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com
Litecoin: LZzAJu9rZEWzALxDhAHnWLRvybVAVgwTh3
Bitcoin: 15s3aLVsxm8EuQvT8gUDw3RWqvuY9hPGUU
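The thread's worry above (a trojaned compiler that survives being rebuilt from audited source, and Jim Kinney's question of who checks the binaries) can be made concrete with a toy model. This is an added example, not code from the thread or from Thompson's paper: compilers and binaries are simulated as strings, the detection step is David A. Wheeler's diverse double-compiling (DDC) check, and every name and marker is invented.

```python
# Toy model of a self-reproducing compiler trojan and of the diverse
# double-compiling (DDC) check that exposes it.  Every "binary" here is a
# string and every "compiler" is a function; all names are invented.
PAYLOAD = "[PAYLOAD]"                      # marker: this binary carries the trojan

# Constructed sources.  Note that neither contains anything suspicious to read.
COMPILER_SRC = "compiler: uppercase every token"
LOGIN_SRC = "login: check password"

def clean_compile(src: str) -> str:
    """Honest translation: the binary is just the upper-cased source."""
    return " ".join(tok.upper() for tok in src.split())

def run(binary: str, src: str) -> str:
    """Run compiler `binary` on `src`.  A trojaned binary behaves normally
    except for two targets: it plants BACKDOOR into login, and when it
    compiles the (clean) compiler source it copies the payload into the
    new compiler, so rebuilding from audited source does not remove it."""
    out = clean_compile(src)
    if PAYLOAD in binary:
        if src.startswith("login:"):
            return out + " BACKDOOR"
        if src.startswith("compiler:"):
            return out + " " + PAYLOAD
    return out

CLEAN_BINARY = clean_compile(COMPILER_SRC)          # built honestly
TROJANED_BINARY = CLEAN_BINARY + " " + PAYLOAD      # same source, tainted build
TRUSTED_BINARY = clean_compile("trusted: independent compiler")

def ddc_check(suspect: str, compiler_src: str, trusted: str) -> bool:
    """Diverse double-compiling: build the compiler source with an
    independent trusted compiler, then build it again with that result.
    If the suspect binary is honest and deterministic, stage 2 equals it."""
    stage1 = run(trusted, compiler_src)
    stage2 = run(stage1, compiler_src)
    return stage2 == suspect

def source_audit_finds_trojan(compiler_src: str) -> bool:
    """What reading the source tells you (Thompson's point: nothing)."""
    return "BACKDOOR" in compiler_src or PAYLOAD in compiler_src

if __name__ == "__main__":
    rebuilt = run(TROJANED_BINARY, COMPILER_SRC)    # "clean" rebuild from source
    print("source audit finds it:", source_audit_finds_trojan(COMPILER_SRC))
    print("login built by rebuilt compiler:", run(rebuilt, LOGIN_SRC))
    print("DDC on clean binary:", ddc_check(CLEAN_BINARY, COMPILER_SRC, TRUSTED_BINARY))
    print("DDC on trojaned binary:", ddc_check(TROJANED_BINARY, COMPILER_SRC, TRUSTED_BINARY))
```

The check only helps if the second compiler really is independent, which is exactly the problem Mike's "just one compiler that can compile Linux" remark points at.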
