| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jftucker at gmail.com (James Tucker) Subject: Insecurity in Finnish parlament (computers) The only charge appropriate for this case would be what is informally known as a 'gag order' and will require that you disprove under a court of law all statements made by Mr Jansson. In fact, you will have to prove that Mr Jansson's comments are causing you loss of revenue or damaging the overall reputation of your organisation through false claims. Having read the list Markus compiled I can say this. Items 1 to 9 on the list would suggest physical access to a device, this is likely to have been contradictory to law. The settings described would require interaction to discover and this may be deemed breaking and entering / trespassing / disclosure of government property. I am not familiar with Finish law; speak to a lawyer not a mailing list. It is also possible, that he has had only limited access to one particular device, this would not be conclusive and may not be a true representation of the state of affairs of all devices owned by the Finnish government. Item 10 negates the likelihood of physical access, this would contradict the above and would seem to make the story inconsistent. A good lawyer may be able to get you a gag order now. Item 11 again strongly suggests that physical access was gained and extensive use of one of these computers has occurred. Item 12 describes a well known problem, however this cannot be fixed by the users of the system. Item 9 would suggest that a lack of encryption on the data provider should be less of an issue. Furthermore item 12 describes a scenario which simply is not realistic. Whilst the encryption algorithms in use may be crackable in near real time on a modern computer, dissection of the modulation scheme and isolation of a single device is most certainly NOT possible with a single laptop. Most likely there are no civilians in Finland with the resources to actually carry out the attack described. This is the start of his sensationalist reporting based upon a lack of proper knowledge in the subject area. Item 13 has more implications than have been considered and would require more than a little insider knowledge to pull off the attack. In terms of civilian liability this method of attack is absolutely absurd. It would require co-ordination from several places and a significant knowledge of existing infrastructure surrounding that geographical location. Such hard work is rarely necessary, as it would make more sense to just knock out the government worker and steal their laptop. With a good getaway plan this would take far less time, and not cost hundreds of thousands of dollars. We are discussing government security here, but if there is something occurring that would concern the NSA or MI5/6 then encrypting your GSM comms will be the least of your security concerns. Most real attacks with any backing do not need to be performed remotely (although the resources to do so are almost certainly available). And now for a few comments after reading the rest of Mark's site. Firstly it would appear that Mark is a common sensationalist. Having taken part in quite unscientific objections with members of Greenpeace for a start. There is no need to get into this debate here, but an educated scientist does not make the same decisions, and this lack of education or research in subject area is common with many others of his comments on different technologies. Tetra security for example is claimed to be useless on his site, but once again his lack of understanding of Radio Frequency eavesdropping shows a clear lack of knowledge in this area. Another clear example of his sensationalist attitude without proper understanding or thought is in his discussion of SSH security, where he claims that authentication keys are useless because they cannot be known trusted during the first connection instance (or maybe he just hasn't realised you should save the keys during a build??). The suggested 'improvement' is already widely used. Why would you print such a thing? Furthermore there is a clear lack of knowledge of the process of key exchange for user authentication. Markus, a suggestion, use the technologies you judge before you judge them. Do some programming, actually LEARN something instead of reading what other sensationalists have to say. Don't just believe what you read, take it into _consideration_ and learn the necessary to make an _educated_ decision. Common reports of Man in the Middle attacks being possible are not understood either. As shown by the idiosyncratic inclusion of a key fingerprint on the same page as his PGP key links (for added security!?). If someone wanted to sit in the middle, would they not change both the key and the fingerprint reported? More sensationalism which has been well discussed in the past and does not agree with Mr Jansson: "European Union has considered that Echelon is severe threat to safety and privacy in the EU region and has suggested that strong encryption from "open sources" should be used to counter it. "Open source", because NSA has planted several back doors to encryption systems around the world. Remember, that Echelon doest just spy on companies. It spies everyone. Everything that moves in bit-format. Just think about it: Big Brother IS watching. Every email you send, every message you post, every page you visit?they will know about it! Scary. Horrible. And, reality. Again, welcome to the digital age!" Do some calculations as to the bit analysis you are talking about. There are so many 'bits' that you simply could not filter all of them using standard electronics. 1) not fast enough, 2) the warehouses supposedly running echelon are not big enough to house the processing, 3) the buildings do not draw enough power and show no evidence of a generator inside, 4) i have not repeated the calculation myself, but it has been stated, by the EU report no less, that to analyse all of the data you would require more atoms than are present in the area used by echelon equipment. This leaves one final possibility -quantum processing. This is unlikely as again it would produce evidence of its existence. Furthermore such processing ability if available would not be restricted to use in communications monitoring. oh, and 5) tapping the data, the number of data circuits leaving these countries is sufficiently high that there simply could not be enough bandwidth entering the analysis buildings. This leaves 6) A decentralised virus which can infect many architectures and hide quite happily operating outside of normal conditions in order to not be visible. The requirements for such a thing (e.g. its ability to run on preprogrammed DSP's) and the required size and intelligence is simply not possible. This is not to say that communications don't get monitored, it is just to say that the report of 'everything you say is being watched' is quite simply false. One final point for the amusement of those who also like to think. If Echelon exists and is monitoring all communications in and out of all major countries in the world then we are looking at exabytes per second or greater data transfer. At this rate, you do not currently hold an encryption which could be deemed 'safe' against a brute force attack at this speed.You would be better off using human based scrambling / obfuscation than attracting attention by using digital encryption. It is for this reason that trade craft professionals are taught deception before ciphers. Some more amusement, while the old arguments pop back into my head (It is Christmas after all...). OK, they don't have physical tapping devices attached to every cable or router or switch on the planet, and certainly not in every data centre. Instead satellites are used and they have a technology to 'pick up' the data comms from there. Ionic transfer making up thought in the brain is far slower than any modern electronics. The size of each effective 'bit' (taken to be a single synapse voltage peak (not really equiv to a bit, but we're talking electronic induction here and it would be enough)). There would be no point in monitoring your communications infrastructure, as it would make entirely more sense just to read the minds of every person. What does this mean for the scared believer of Echelons pervasiveness? You should wear a lead hat all the time, in fact, you will need to wear a heat insulated, eddy current destroying, randomly charged lead plate (i say plate, it should be several metres thick). They have spies on the ground too, so you best not talk to anyone, they might be listening. You could move out of your country and live out in the sea on a boat, but the satellites can still see you and the submarines will be after you. In fact they are so worried about their security that if you did so, you would probably be sunk, so you best not do that. Climb to the top of a mountain and stay in the clouds, follow thunderstorms where the disturbance will be too high for their monitoring equipment. You'll have to do something about grounding yourself, but you can't because you can't get to ground without being spotted; so you need to add a rubber cover around your lead plated internally powered hover ship. Good luck in trying to evade them. Oh and of course, there's the problem that they know what you are thinking now, so they know what you will do (including the full design of your marvelous vessel). In fact I really can't think of what you could do to get away from 'Big Brother', maybe we should all just commit suicide? Or maybe its just deception, maybe no one cares what most individuals think. Maybe they do conform to their own privacy laws (fundamentally being patriots, not school bullies). Maybe it's Boxing day and we shouldn't care; me I'm going to walk my dogs and see my family, enjoy some socialising (and maybe a stiff drink or three); otherwise "what the hell are you fighting for?" Sensationalism only too commonly becomes a way of life for some people, if you enjoy it then keep it up. That is what your freedom is about. What you might want to do is provide substantial evidence though, in order to not end up in lawsuits. Remember too that the people who create the technologies which you deem useless have probably spent a large portion of their life getting them to that point of development. They will not receive slander/libel pleasantly and any comments which are untrue will be quite simply hurtful. Be kind to the designers, please stop slating things until you can be certain.
Powered by blists - more mailing lists