From: toddtowles at brookshires.com (Todd Towles)
Subject: Insecurity in Finnish parlament (computers)

The NSA has bigger fish to worry about than Finland. =) Sorry

> -----Original Message-----
> From: full-disclosure-bounces@...ts.netsys.com 
> [mailto:full-disclosure-bounces@...ts.netsys.com] On Behalf 
> Of Markus Jansson
> Sent: Sunday, December 26, 2004 10:17 AM
> To: James Tucker
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] Insecurity in Finnish 
> parlament (computers)
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On Sun, 26 Dec 2004 06:34:24 -0800 James Tucker 
> <jftucker@...il.com> wrote:
> >The only charge appropriate for this case would be what is 
> informally 
> >known as a 'gag order' and will require that you disprove 
> under a court 
> >of law all statements made by Mr Jansson. In fact, you will have to 
> >prove that Mr Jansson's comments are causing you loss of revenue or 
> >damaging the overall reputation of your organisation through false 
> >claims.
> 
> Heh, I dont believe there are such laws here in Finland. If 
> we where talking about private enterprise or individual 
> person, it would be possible if its clear that Im lying and 
> causing great damage.
> 
> 
> >Items 1 to 9 on the list would suggest physical access to a device, 
> >this is likely to have been contradictory to law.
> 
> Perhaps, if you think that *I* got access by using illegal means.
> Then, ofcourse, someone would have to prove that and if they 
> dont, well...
> 
> 
> >It is also possible, that he has had only limited access to one 
> >particular device, this would not be conclusive and may not 
> be a true 
> >representation of the state of affairs of all devices owned by the 
> >Finnish government.
> 
> It is unlikely that all the computers have the same security 
> holes for many reason, but I have gotten confirmations from 
> several computers/users that atleast most of the issues I 
> have described exist in most, if not all, computers.
> 
> 
> >Item 10 negates the likelihood of physical access, this would 
> >contradict the above and would seem to make the story inconsistent.
> 
> Maybe I didnt (if I did infact myself) have means to access 
> everything in those computers...  ;)
> 
> 
> >Item 12 describes a well known problem, however this cannot 
> be fixed by 
> >the users of the system.
> 
> Oh yes, they could and should move from TeliaSonera to Elisa 
> for example, that uses secure COMP-128-3 and A5/3. Its been 
> years and years since this security hole was shown first so 
> they have had plenty of time, but they just dont give a drek 
> (both in TeliaSonera and in our parlament).
> 
> 
> >Furthermore item 12 describes a scenario which simply is not 
> realistic. 
> >Whilst the encryption algorithms in use may be crackable in 
> near real 
> >time on a modern computer,
> 
> A5/1 is crackable IN REAL TIME.
> http://www.gsm-security.net/faq/gsm-a3-a8-comp128-broken-
> security.shtml
> http://cryptome.org/gsm-crack-bbk.pdf
> http://www.gsm-security.net/faq/gsm-a5-broken-security.shtml
> 
> 
> >dissection of the modulation scheme and isolation of a 
> single device is 
> >most certainly NOT possible with a single laptop.
> 
> Ofcourse you need few additional tools for that, but the 
> point is, that the security of the system is broken.
> 
> 
> >Most likely there are no civilians in Finland with the resources to 
> >actually carry out the attack described.
> 
> Some civilians do have. However, Finnish people are so 
> uninterested in politics that they really would bother. ;)  
> But other goverments and intelligence agencies would surely 
> be interested and willing to wiretap and listen.
> 
> 
> >Item 13 has more implications than have been considered and would 
> >require more than a little insider knowledge to pull off the attack.
> 
> Perhaps. The issue is, that it can be done and they should 
> protect themselfes against it.
> 
> 
> >In terms of civilian liability this method of attack is absolutely 
> >absurd. It would require co-ordination from several places and a 
> >significant knowledge of existing infrastructure surrounding that 
> >geographical location.
> 
> That sort of information is easily obtained. No co-ordination 
> is really required, just put up a false GSM base station next 
> to our parlament building with a strong enought signal and voila!
> 
> 
> >Such hard work is rarely necessary, as it would make more 
> sense to just 
> >knock out the government worker and steal their laptop With a good 
> >getaway plan this would take far less time, and not cost hundreds of 
> >thousands of dollars.
> 
> True, that attack is more potential especially since the 
> laptop HDD:s are not encrypted (as they should).
> 
> 
> >We are discussing government security here, but if there is 
> something 
> >occurring that would concern the NSA or MI5/6 then 
> encrypting your GSM 
> >comms will be the least of your security concerns.
> 
> I was under the impression that NSA etc. spy for their living 
> anything they can. I bet members of parlaments and their 
> assistants are very good targets.
> 
> 
> >Firstly it would appear that Mark is a common sensationalist.
> 
> Argumentum ad hominem. Red herring.
> 
> 
> >Having taken part in quite unscientific objections with members of 
> >Greenpeace for a start.
> 
> Argumentum ad hominem. Red herring.
> 
> 
> >Tetra security for example is
> >claimed to be useless on his site, but once again his lack of 
> >understanding of Radio Frequency eavesdropping shows a clear lack of 
> >knowledge in this area.
> 
> Red herring.
> Useless blahblahblah. Please clarify. Give proper arguments. 
> As I sayed, TETRA might be backdoored for NSA as sayed by EU, 
> and TEA algorithms are not open and tested for security, so 
> there is no point on trusting them. Please tell me what is 
> incorrect in those two arguments of mine.
> 
> 
> >Another clear example of his sensationalist attitude without proper 
> >understanding or thought is in his discussion of SSH 
> security, where he 
> >claims that authentication keys are useless because they cannot be 
> >known trusted during the first connection instance (or maybe he just 
> >hasn't realised you should save the keys during a build??).
> 
> Argumentum ad hominem. Red herring.
> Dont try to put words into my mouth. I clearly say in my 
> pages:"Unless you can receive the publickey or the 
> fingerprint of the publickey used in some secure manner." And 
> this is absolutely true.
> 
> 
> >Common reports of Man in the Middle attacks being possible are not 
> >understood either.
> 
> Red herring.
> Not only possible but very real and easy to do.
> 
> 
> >As shown by the idiosyncratic inclusion of a key fingerprint on the 
> >same page as his PGP key links (for added security!?). If someone 
> >wanted to sit in the middle, would they not change both the 
> key and the 
> >fingerprint reported?
> 
> Argumentum ad hominem. Red herring.
> My key is available from various locations, and so is the fingerprint.
> 
> 
> >There are so many 'bits' that you simply could not filter 
> all of them 
> >using standard electronics.
> 
> Red herring.
> Actually it sayes in my Finnish pages "they might know about 
> it", just translation error.
> 
> 
> >What you might want to do is provide substantial evidence though, in 
> >order to not end up in lawsuits.
> 
> Contact members of our parlament or their assistants and ask them.
> I have.
> 
> 
> Markus Jansson
> Turku
> http://www.markusjansson.net
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at 
> https://www.hushtools.com/verify
> Version: Hush 2.4
> 
> wkYEARECAAYFAkHO5O8ACgkQp4wnv3Na2tox5gCguVzXFJkwpVspnbyQf1BdjSUWfWcA
> nisJBbqDg/d5IuApeiG0RVYc8qiL
> =YEVR
> -----END PGP SIGNATURE-----
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

Powered by blists - more mailing lists