Getbig.com: American Bodybuilding, Fitness and Figure
Getbig Main Boards => General Topics => Topic started by: _aj_ on September 05, 2013, 01:20:02 PM
-
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
With all this in mind, I have five pieces of advice:
1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it's work for them. The less obvious you are, the safer you are.
2) Encrypt your communications. Use TLS. Use IPsec. Again, while it's true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you're much better protected than if you communicate in the clear.
3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn't. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good.
4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It's prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.
5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it's harder for the NSA to backdoor TLS than BitLocker, because any vendor's TLS has to be compatible with every other vendor's TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it's far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.
Read the whole thing. 'Tis truly a whole new world.
-
How about getting off of the fucking computer and speaking face to face.
-
Also delete your fucking Facebook account ;D and all social media bullshit
Check this out ;D
-
256-bit AES. Let me know if they can crack this.
Quantum computer will do the trick... but quantum cryptography is the king.
-
Also delete your fucking Facebook account ;D and all social media bullshit
Check this out ;D
I'm very pissed off after watching this. Thanks for that. >:(
Looks like it's sunglasses and medical mask in public. This shit is outta control and must be stopped.
-
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
Read the whole thing. 'Tis truly a whole new world.
Lol at TLS and TOR. Didn't you read the memo? Lol, both are compromised.
Goodbye Silk Road.
SSL also compromised, I believe STARTTLS still ok.
-
Also delete your fucking Facebook account ;D and all social media bullshit
Check this out ;D
Facebook keeps your sh*t forever.
-
Facebook keeps your sh*t forever.
True, glad I never had an account
-
The Internet keeps your sh*t forever.
Fixed
-
I don't do anything secretive enough to go that far, but it's good to know. I don't care if the NSA wants to see me text my wife or friends because it's usually a stupid message about a huge shit that I took in the morning or "meet you at 5pm" messages. But it's disconcerting to know that EVERYTHING is accessible to them. :-\
When I get the time I'll cover my tracks a bit more to make them have to work harder. Kind of sucks to be treated like a terrorist by default. Even in another country, everyone's being spied on.
-
Lol at TLS and TOR. Didn't you read the memo? Lol, both are compromised.
Goodbye Silk Road.
SSL also compromised, I believe STARTTLS still ok.
Could you please elaborate on this?
-
Fixed
True that, Google has a record of every single search entered since day one
-
Could you please elaborate on this?
I'm sure all of this has been compromised already but it's probably time consuming and cumbersome with all of the security measures that people take. I never sat back and thought that it was all impervious to infiltration, more of a nuisance than anything. I don't think anyone should ever think that they're completely under the radar.
-
256-bit AES. Let me know if they can crack this.
Quantum computer will do the trick... but quantum cryptography is the king.
The NSA designed AES. You do the math.
-
The NSA designed AES. You do the math.
Uhm... no it didn't. Although the NSA played a role in the review process of the competition that resulted in an algorithm called Rijndael (developed by people completely unrelated to the agency: two Belgian cryptographers) becoming anointed as a standard called AES (short for “Advanced Encryption Standard” by the way).
It's possible that the NSA has cryptographic techniques that are not widely known that allow it to perform attacks against AES that improve on the attacks that we already know, but unless the attacks are truly revolutionary then, frankly, AES is still secure. Even AES-256 with its slightly weird key schedule.
As to Schneier's suggestion about avoiding ECC because of NSA constants, two comments on that. I respect Bruce Schneier tremendously as a cryptographer and security expert. But I disagree with what he's saying here slightly:
Historical evidence suggests that when the NSA made changes to a crypto system by tweaking numbers, the changes strengthened the cipher rather than weakened it. Don't take my word for it, look at the case of DES. After Coppersmith and his team spent weeks cooking up S-boxes for DES, they sent them to NSA which quickly came back with changes (with no reason provided) that were adopted.
It took a long time before the community discovered differential cryptanalysis. But when it did, lo... those NSA changes actually strengthened the algorithm instead of weakening it!
Second, nobody is forcing you to use the particular elliptic curves the NSA recommends. If you are worried that they are specially picked to facilitate some unknown attack, simply use different curves. Elliptic curve cryptography offers tremendous advantages and it seems silly to not leverage it.
No one in the cryptographic community argues that elliptic curve cryptography has some fundamental flaw and no one has a serious attack against it. It's true that some curves are better than others, and although it's tempting to suggest that the NSA "chose" the weaker ones for their own purposes, it's more likely that they chose better ones.
Of course, I understand that trusting the NSA isn't in vogue now, and blind trust is silly. So yes, if you're worried about elliptic curves, use discrete log based systems. Not that you know what either of those are.
And that's why Schneier's advice in this instance is not quite as spot on as it usually is. Suggesting the use of air-gapped computers, good physical security, and crypto-suites that must interoperate with others are great, practical suggestions. The discrete log vs ECC distinction, eh, not so much.
Please note that I don't dispute that NSA is years ahead of the community in cryptanalytic and cryptographic techniques, or that they have the ability to decrypt algorithms that we consider secure. But I do not believe they have the ability to decrypt modern ciphers with abandon, rendering all encryption obsolete.
On the issue of decrypting SSL, for example, most connections secured by SSL, even today, are encrypted using the RC4 stream cipher, which has a number of known weaknesses; couple that with exploits like BEAST, and it could make a lot of "secure" traffic insecure. That's a very real issue.
An even bigger issue is idiots who implement "custom" encryption. They hide behind bullshit phrases like "military grade encryption" or "proprietary unbreakable encryption" etc. When it comes to encryption you want open. Not proprietary. The security should rest in the key, not the algorithm.
Now, for whatever it's worth, my suggestions are to:
Prefer open-source solutions; open-source isn't a panacea (as the Debian OpenSSL fiasco will readily prove), but the fact that the code is open to review makes it less likely to have hidden functionality or exploits hidden within.
Encrypt your computers using some kind of whole-disk encryption. BitLocker is very good and easy to use, but if you do use it, use it in conjunction with EFS. TrueCrypt is also excellent. On a Mac, FileVault is good but has a history of poor design decisions. Linux solutions are pretty good. But anything is better than nothing.
Depending on the level of security you need, air-gap your machines; process your most secure data on machines that are not connected to any network and very carefully transfer files across the gap manually only when absolutely necessary.
Don't trust a machine that others have had physical access to. Physical access to your laptop means the laptop is potentially compromised. Depending on your security requirements, this may mean that the laptop goes to the trash. So be it. Just wipe the disk first.
When traveling internationally, never keep confidential data in a laptop or other electronic device, even if encrypted. They can be searched and copied without a warrant, and you may be going to a country that requires you to divulge your password(s).
If the crypto-products you use have a "duress password" facility, then use it and use it properly. TrueCrypt does (by way of hidden volumes) and it can be great. But read the manual carefully to maximize the protection the duress password affords you.
Lastly, just practice good operational security: pick good passwords, eliminate password reuse and sharing between sites. Watch out for shoulder-surfers. And don't trust the integrity of unencrypted connections routed via wired and especially wireless networks.
If there are specific questions you guys do have, let's get a conversation started. Just ask yourself: can this unknown guy on a body building forum, who I know nothing about, be trusted to dispense security advice? Also, does he even lift?
-
Point. Maybe I was thinking of the SHA ciphers. Hasn't RC4 been completely deprecated in TLS by now?
Also, back about 10 years ago I was working on the crypto for a commercial product. As the IC was one of our biggest customers, we sent our code to the NSA for review, they came back with VERY specific algorithm suggestions for both symmetric and public/private algos. Neither of them were obvious blown ciphers like DES, but were and are still well used.
Not sure if the NSA was suggesting it because they were strong ciphers or if the puzzle guys had cracked them.
I have never used either of them for anything since then.
-
Point. Maybe I was thinking of the SHA ciphers. Hasn't RC4 been completely deprecated in TLS by now?
No, RC4 is still heavily used in SSL encryption because it is quite fast and lightweight. Go to just about any SSL-encrypted site and inspect the connection properties. For example, I just visited gmail.com and I have a TLS 1.2 secured connection, using RC4-128 as the cipher with SHA1 for message authentication. Key exchange was done using Diffie–Hellman on elliptic curves.
Properly used for this purpose, it's still fine, even in the face of Fluhrer-Mantin attacks or even Klein's improved attack. But we will probably transition to something better soon.
Also, back about 10 years ago I was working on the crypto for a commercial product. As the IC was one of our biggest customers, we sent our code to the NSA for review, they came back with VERY specific algorithm suggestions for both symmetric and public/private algos. Neither of them were obvious blown ciphers like DES, but were and are still well used.
Not sure if the NSA was suggesting it because they were strong ciphers or if the puzzle guys had cracked them.
I have never used either of them for anything since then.
Yeah, they do have a habit of returning with "suggestions" without really explaining why their suggestions should be implemented. It's possible (some would say, even likely) that those suggestions strengthen the security of your solution, or it's possible that they weaken it in subtle, heretofore unknown ways. You just can't know, but you may, eventually, find out (as Dan Coppersmith and his team, eventually found out).
The bottom line is that cryptography is a dark art as much as it is a science, and there are some dark wizards that are more powerful than you; ultimately, the best you can do is build as much of a security margin as you can into your system, hope that a vigorous review by others in the community exposes any inherent weaknesses and ensure that those deploying your solution understand the proper way to use it securely and its limitations.
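One of the known RC4 weaknesses referred to in the posts above can be measured directly. The following is an added example, not part of any poster's message: it implements RC4 and counts how often the second keystream byte is 0x00 across random 128-bit keys, which the Mantin-Shamir analysis puts at about 2/256 instead of the uniform 1/256. The function names, seed and key count are choices made for this example.

```python
"""Added example: measure the RC4 second-output-byte bias (Mantin-Shamir)."""
import random


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return the first n keystream bytes RC4 produces for `key`."""
    # Key-scheduling algorithm (KSA): permute 0..255 under the key.
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA): emit keystream bytes.
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def zero_byte_ratios(n_keys: int, seed: int = 2013, key_len: int = 16) -> dict:
    """Count keystream bytes equal to 0x00 at positions 2 and 3.

    Each count is returned relative to the uniform expectation n_keys/256,
    so 1.0 means "looks random" and 2.0 means "twice as likely as random".
    Position 3 serves as a control that should stay near 1.0.
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    z2 = z3 = 0
    for _ in range(n_keys):
        # Constructed test keys: fresh pseudo-random 128-bit values.
        key = rng.getrandbits(8 * key_len).to_bytes(key_len, "big")
        ks = rc4_keystream(key, 3)
        z2 += ks[1] == 0
        z3 += ks[2] == 0
    expected = n_keys / 256
    return {"byte2": z2 / expected, "byte3": z3 / expected}


if __name__ == "__main__":
    # Sanity check against the widely published RC4 test vector for "Key".
    assert rc4_keystream(b"Key", 9).hex() == "eb9f7781b734ca72a7"
    ratios = zero_byte_ratios(30000)
    print("P[byte2 == 0] relative to uniform: %.2f" % ratios["byte2"])
    print("P[byte3 == 0] relative to uniform: %.2f" % ratios["byte3"])
```

A keystream that is distinguishable from random after two bytes is one reason protocol designers moved away from RC4 or discarded its initial output.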
-
Big respect, avxo. No doubt.
-
Uhm... no it didn't. Although the NSA played a role in the review process of the competition that resulted in an algorithm called Rijndael (developed by people completely unrelated to the agency: two Belgian cryptographers) becoming anointed as a standard called AES (short for “Advanced Encryption Standard” by the way).
It's possible that the NSA has cryptographic techniques that are not widely known that allow it to perform attacks against AES that improve on the attacks that we already know, but unless the attacks are truly revolutionary then, frankly, AES is still secure. Even AES-256 with its slightly weird key schedule.
As to Schneier's suggestion about avoiding ECC because of NSA constants, two comments on that. I respect Bruce Schneier tremendously as a cryptographer and security expert. But I disagree with what he's saying here slightly:
Historical evidence suggests that when the NSA made changes to a crypto system by tweaking numbers, the changes strengthened the cipher rather than weakened it. Don't take my word for it, look at the case of DES. After Coppersmith and his team spent weeks cooking up S-boxes for DES, they sent them to NSA which quickly came back with changes (with no reason provided) that were adopted.
It took a long time before the community discovered differential cryptanalysis. But when it did, lo... those NSA changes actually strengthened the algorithm instead of weakening it!
Second, nobody is forcing you to use the particular elliptic curves the NSA recommends. If you are worried that they are specially picked to facilitate some unknown attack, simply use different curves. Elliptic curve cryptography offers tremendous advantages and it seems silly to not leverage it.
No one in the cryptographic community argues that elliptic curve cryptography has some fundamental flaw and no one has a serious attack against it. It's true that some curves are better than others, and although it's tempting to suggest that the NSA "chose" the weaker ones for their own purposes, it's more likely that they chose better ones.
Of course, I understand that trusting the NSA isn't in vogue now, and blind trust is silly. So yes, if you're worried about elliptic curves, use discrete log based systems. Not that you know what either of those are.
And that's why Schneier's advice in this instance is not quite as spot on as it usually is. Suggesting the use of air-gapped computers, good physical security, and crypto-suites that must interoperate with others are great, practical suggestions. The discrete log vs ECC distinction, eh, not so much.
Please note that I don't dispute that NSA is years ahead of the community in cryptanalytic and cryptographic techniques, or that they have the ability to decrypt algorithms that we consider secure. But I do not believe they have the ability to decrypt modern ciphers with abandon, rendering all encryption obsolete.
On the issue of decrypting SSL, for example, most connections secured by SSL, even today, are encrypted using the RC4 stream cipher, which has a number of known weaknesses; couple that with exploits like BEAST, and it could make a lot of "secure" traffic insecure. That's a very real issue.
An even bigger issue is idiots who implement "custom" encryption. They hide behind bullshit phrases like "military grade encryption" or "proprietary unbreakable encryption" etc. When it comes to encryption you want open. Not proprietary. The security should rest in the key, not the algorithm.
Now, for whatever it's worth, my suggestions are to:
Prefer open-source solutions; open-source isn't a panacea (as the Debian OpenSSL fiasco will readily prove), but the fact that the code is open to review makes it less likely to have hidden functionality or exploits hidden within.
Encrypt your computers using some kind of whole-disk encryption. BitLocker is very good and easy to use, but if you do use it, use it in conjunction with EFS. TrueCrypt is also excellent. On a Mac, FileVault is good but has a history of poor design decisions. Linux solutions are pretty good. But anything is better than nothing.
Depending on the level of security you need, air-gap your machines; process your most secure data on machines that are not connected to any network and very carefully transfer files across the gap manually only when absolutely necessary.
Don't trust a machine that others have had physical access to. Physical access to your laptop means the laptop is potentially compromised. Depending on your security requirements, this may mean that the laptop goes to the trash. So be it. Just wipe the disk first.
When traveling internationally, never keep confidential data in a laptop or other electronic device, even if encrypted. They can be searched and copied without a warrant, and you may be going to a country that requires you to divulge your password(s).
If the crypto-products you use have a "duress password" facility, then use it and use it properly. TrueCrypt does (by way of hidden volumes) and it can be great. But read the manual carefully to maximize the protection the duress password affords you.
Lastly, just practice good operational security: pick good passwords, eliminate password reuse and sharing between sites. Watch out for shoulder-surfers. And don't trust the integrity of unencrypted connections routed via wired and especially wireless networks.
If there are specific questions you guys do have, let's get a conversation started. Just ask yourself: can this unknown guy on a body building forum, who I know nothing about, be trusted to dispense security advice? Also, does he even lift?
Truecrypt has a backdoor. Have you heard about it?
-
Could you please elaborate on this?
Would you like to have the Virginia IP that hacked TOR?
-
Truecrypt has a backdoor. Have you heard about it?
No, and I highly doubt it has. 100% of the TrueCrypt source code is open and available to everyone and has been examined by at least two well-known cryptographers who would happily publish papers exposing any backdoor that they discovered. Care to elaborate on this backdoor or at least provide a link that I can look at?
This isn't to say that TrueCrypt doesn't have shortcomings or can't be subverted. It does and it can. But then again, everything can be subverted, and all known attacks utilize vectors that the TrueCrypt security model isn't designed to protect you against.
As I said in my original post, once someone has physical access to your machines then all bets are off and if you are security-conscious you should consider that they own the machine and it can no longer be trusted.
Would you like to have the Virginia IP that hacked TOR?
"hacked" is a bit of a sensationalistic title. Like all media reporting on esoteric subjects, they tend to conflate many different issues and to use big words that don't accurately describe the situation.
The simple fact is that tor isn't designed or meant to provide security, and if you use it as a security provider then you shouldn't be surprised when it breaks.
-
I knew my cipher was compromised when I got "Airborne midget interracial incestuous lesbian lactation fisting? Haha. Oh brother!"
Fucking gubment. >:(
-
Who cares? Let 'em have all the information they want.
-
Who cares? Let 'em have all the information they want.
Yeah, because why shouldn't the government know all your intimate personal details right? It's not like you have anything to hide, so what are you afraid of? It's your patriotic duty.
::)
-
Yeah, because why shouldn't the government know all your intimate personal details right? It's not like you have anything to hide, so what are you afraid of? It's your patriotic duty.
::)
Really, who cares?
-
No, and I highly doubt it has. 100% of the TrueCrypt source code is open and available to everyone and has been examined by at least two well-known cryptographers who would happily publish papers exposing any backdoor that they discovered. Care to elaborate on this backdoor or at least provide a link that I can look at?
This isn't to say that TrueCrypt doesn't have shortcomings or can't be subverted. It does and it can. But then again, everything can be subverted, and all known attacks utilize vectors that the TrueCrypt security model isn't designed to protect you against.
As I said in my original post, once someone has physical access to your machines then all bets are off and if you are security-conscious you should consider that they own the machine and it can no longer be trusted.
"hacked" is a bit of a sensationalistic title. Like all media reporting on esoteric subjects, they tend to conflate many different issues and to use big words that don't accurately describe the situation.
The simple fact is that tor isn't designed or meant to provide security, and if you use it as a security provider then you shouldn't be surprised when it breaks.
What would you call "using malware to get the MAC address of everybody that had/has visited "lolita""?
Doesn't TC have some parts of the code that aren't open?
-
What would you call "using malware to get the MAC address of everybody that had/has visited "lolita""?
I don't know what "lolita" is, or what possible use a MAC address could be, really, seeing how it never travels across the Internet (what with being a Layer 2 thing). Plus, much more useful "fingerprinting" information leaks out from browsers on a daily basis in the course of casual use; look at https://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick for more details.
As for the use of malware by the government (or really, by anyone), I oppose malware on principle. But it's really nothing new. There are some steps you can take to reduce the risk of this, but unfortunately, you cannot guarantee that you won't fall victim to such software.
Doesn't TC have some parts of the code that aren't open?
No. The entire source code is available. Don't take my word for it, visit http://www.truecrypt.org/downloads2 and download the source code yourself. You can even build it if you have the right tools. They are, also, freely available.
-
Really, who cares?
I do. And many others like me do. Just because you don't value your privacy and believe that it's OK for the government to have access to everything doesn't make it right.
-
I do. And many others like me do. Just because you don't value your privacy and believe that it's OK for the government to have access to everything doesn't make it right.
Yeah, it doesn't bother me at all.
-
Yeah, it doesn't bother me at all.
That's unfortunate, but not really unexpected.
-
I don't know what "lolita" is, or what possible use a MAC address could be, really, seeing how it never travels across the Internet (what with being a Layer 2 thing). Plus, much more useful "fingerprinting" information leaks out from browsers on a daily basis in the course of casual use; look at https://www.eff.org/deeplinks/2010/05/every-browser-unique-results-fom-panopticlick for more details.
As for the use of malware by the government (or really, by anyone), I oppose malware on principle. But it's really nothing new. There are some steps you can take to reduce the risk of this, but unfortunately, you cannot guarantee that you won't fall victim to such software.
No. The entire source code is available. Don't take my word for it, visit http://www.truecrypt.org/downloads2 and download the source code yourself. You can even build it if you have the right tools. They are, also, freely available.
They got way more stuff than just a simple MAC address... and by they I mean "feds".
But you haven't answered my question... doing all the malware/MAC address thing, isn't that hacking?
Yeah, I know the TC code.
DDG lolita darknet.
-
They got way more stuff than just a simple MAC address... and by they I mean "feds".
But you haven't answered my question... doing all the malware/MAC address thing, isn't that hacking?
Yeah, I know the TC code.
DDG lolita darknet.
Ahh, yes. I remember reading a paper about that, in addition to quite extensive coverage on tech sites. The name "lolita" had escaped me.
Now, I'm sure they got quite a lot, but you specifically said MAC addresses, and that's what I responded to.
As for malware, I think I was pretty clear that I am opposed to malware on principle. If you want me to clarify my position even further, I believe that surreptitiously installing any software (and I use "software" here to include things like firmware and microcode) on a machine without the informed consent of the machine's owner, whether it is by exploiting zero-day attacks, publicized attack vectors or by physically manipulating the machine or what have you, constitutes "hacking" in the sense that you use the word.
We can argue legal semantics if you want (i.e. whether getting a warrant makes this more palatable) but ultimately what it boils down to is that it is hacking, at least in my book.
-
Avxo, what are your thoughts on TOR?
-
I don't do anything secretive enough to go that far, but it's good to know. I don't care if the NSA wants to see me text my wife or friends because it's usually a stupid message about a huge shit that I took in the morning or "meet you at 5pm" messages. But it's disconcerting to know that EVERYTHING is accessible to them. :-\
When I get the time I'll cover my tracks a bit more to make them have to work harder. Kind of sucks to be treated like a terrorist by default. Even in another country, everyone's being spied on.
Would you open your door and allow a stranger to search through your mail, computer and phone?
-
Avxo, what are your thoughts on TOR?
I find it to be an interesting concept and a neat project. Frankly, I think that, theoretically, the most interesting aspect of Tor is hidden services. I don't personally have much use for it, but I can see situations where it might have appeal.
But I think that in presenting it as an infallible "anonymity" tool, promoters are doing a great disservice. It's true that Tor can afford you some anonymity, but it doesn't anonymize you per se. But I guess it depends on what "anonymity" means to someone and who they seek to be anonymous from.
I find that the protocol has “weaknesses” but use the term somewhat loosely. The most important, in my opinion, being inter-node collusion and the overall poor performance of Tor-routed connections. Right now, someone wishing to subvert Tor who could afford to host four or five servers with decent bandwidth, with some acting as entry nodes and some as exit nodes, could collect a lot of information that could be analyzed to look through the onion so to speak.
My suggestion if you use Tor is to always encrypt data before routing it via Tor; the idea is that you only feed encrypted data into the Tor network; never unencrypted data. At that point collusion can, perhaps, reveal the true end points of a connection, but little else.
Of course, that's not new. My suggestion is to always encrypt data. To not encrypt it borders on criminal, in my opinion.
-
I find it to be an interesting concept and a neat project. Frankly, I think that, theoretically, the most interesting aspect of Tor is hidden services. I don't personally have much use for it, but I can see situations where it might have appeal.
But I think that in presenting it as an infallible "anonymity" tool, promoters are doing a great disservice. It's true that Tor can afford you some anonymity, but it doesn't anonymize you per se. But I guess it depends on what "anonymity" means to someone and who they seek to be anonymous from.
I find that the protocol has “weaknesses” but use the term somewhat loosely. The most important, in my opinion, being inter-node collusion and the overall poor performance of Tor-routed connections. Right now, someone wishing to subvert Tor who could afford to host four or five servers with decent bandwidth, with some acting as entry nodes and some as exit nodes, could collect a lot of information that could be analyzed to look through the onion so to speak.
My suggestion if you use Tor is to always encrypt data before routing it via Tor; the idea is that you only feed encrypted data into the Tor network; never unencrypted data. At that point collusion can, perhaps, reveal the true end points of a connection, but little else.
Of course, that's not new. My suggestion is to always encrypt data. To not encrypt it borders on criminal, in my opinion.
Thanks for the detailed reply.
-
Yeah, it doesn't bother me at all.
Does the thought of political subversion bother you?
-
http://blog.cryptographyengineering.com/2013/09/on-nsa.html