Latest from [i]The Guardian[/i]:
[url=m.guardian.co.uk/world/2013/jul/11/microsoft-nsa-collaboration-user-data]Revealed: how Microsoft handed the NSA access to encrypted messages[/url]
[quote]The documents show that:
• Microsoft helped the NSA to circumvent its encryption to address concerns that the agency would be unable to intercept web chats on the new Outlook.com portal;
• The agency already had pre-encryption stage access to email on Outlook.com, including Hotmail;
• The company worked with the FBI this year to allow the NSA easier access via Prism to its cloud storage service SkyDrive, which now has more than 250 million users worldwide;
• Microsoft also worked with the FBI's Data Intercept Unit to "understand" potential issues with a feature in Outlook.com that allows users to create email aliases;
• Skype, which was bought by Microsoft in October 2011, worked with intelligence agencies last year to allow Prism to collect video of conversations as well as audio;
• Material collected through Prism is routinely shared with the FBI and CIA, with one NSA document describing the program as a "team sport".
The latest NSA revelations further expose the tensions between Silicon Valley and the Obama administration. All the major tech firms are lobbying the government to allow them to disclose more fully the extent and nature of their co-operation with the NSA to meet their customers' privacy concerns. Privately, tech executives are at pains to distance themselves from claims of collaboration and teamwork given by the NSA documents, and insist the process is driven by legal compulsion.[/quote]
Right, "they were legally compelled" ... and none of them put up more than a token legal fight.
[url=http://www.reuters.com/article/2013/07/11/us-hackers-feds-idUSBRE96A08120130711?feedType=RSS&feedName=domesticNews]Hackers ask Feds to stay away from convention to defuse tension over Snowden[/url]: [i]BOSTON (Reuters) - The annual Def Con hacking convention has asked the federal government to stay away this year for the first time in its 21-year history, saying Edward Snowden's revelations have made some in the community uncomfortable about having feds there.[/i] [quote]Last year, four-star General Keith Alexander, head of the National Security Agency, was a keynote speaker at the event, which is the world's largest annual hacking conference. The audience was respectful, gave modest applause and also asked about secret government snooping. Alexander adamantly denied that the NSA has dossiers on millions of Americans, as some former employees had suggested before the Snowden case. "The people who would say we are doing that should know better," Alexander said. "That is absolute nonsense." Alexander is scheduled to speak in Las Vegas on July 31 at Black Hat, a smaller, two-day hacking conference that was also founded by [Def Con founder Jeff] Moss. It costs about $2,000 to attend and attracts a more corporate crowd than Def Con, which charges $180. Moss said that he believes Alexander will still speak at Black Hat and that his call for a "time out" only applies to Def Con. Officials with the National Security Agency and Department of Homeland Security could not be reached for comment late on Wednesday. The Feds have previously always been welcome at the event. Moss says he invited them the first year because he figured they would come anyway. They politely declined, then showed up incognito, he said. And they have attended every year since. "We created an environment where the Feds felt they could come and it wasn't hostile," Moss said in an interview a year ago. "We could ask them questions and they wanted to ask the hackers about new techniques." 
Some Feds have even worked among the motley crew of Def Con volunteers who run the conference and walk around wearing T-shirts that identify them as "goons." [u]It has also become a fertile ground for recruiting. The U.S. military, intelligence agencies and law enforcement typically compete with corporations to find new talent at Def Con.[/u][/quote]
[QUOTE=ewmayer;346002]@Chalsall: OK, you mentioned having done reasonable due diligence. Couple of questions for you:
1. Which Linux distrib did you add the SE layer to, and which aspects of the SEL mandatory access control add-on subsystem did (or do) you use?
2. How many source lines of SEL have you personally examined, and what fraction of the total is that? Please provide a link to the source branch in question.[/QUOTE]
@ewmayer... To answer your questions (without releasing sensitive information)...
1. Many instances of CentOS. A few of Fedora. These all had SELinux enabled by default -- various software providers recommending disabling it to "make their software work".
2. None.
2.1. I take a different approach to examining code; I test and record how the code reacts when being carefully monitored from within a virtual machine.
[QUOTE=chalsall;346068]2.1. I take a different approach to examining code; I test and record how the code reacts when being carefully monitored from within a virtual machine.[/QUOTE]
So basically you are testing the software to see if any "phone home" attempts are made? Is there more to it than monitoring for anomalous comms activity?
[QUOTE=ewmayer;346132]So basically you are testing the software to see if any "phone home" attempts are made?[/QUOTE]
That's the start of it. CPU usage and file access also comes into play.
[QUOTE=ewmayer;346132]Is there more to it than monitoring for anomalous comms activity?[/QUOTE]
Yes.
One thing I have not seen discussed in this ongoing conversation is the following:
Given the apparent level of co-option of Big Tech and Big IT by Big Brother, can keygen certificates issued by the major certificate authorities be trusted to not be compromised? For us non-crypto-experts, [url=http://en.wikipedia.org/wiki/Public-key_cryptography#Description]Wikipedia explains[/url]:
[quote]A central problem with the use of public-key cryptography is confidence/proof that a particular public key is authentic, in that it is correct and belongs to the person or entity claimed, and has not been tampered with or replaced by a malicious third party. The usual approach to this problem is to use a public-key infrastructure (PKI), in which one or more third parties – known as certificate authorities – certify ownership of key pairs. PGP, in addition to being a certificate authority structure, has used a scheme generally called the "web of trust", which decentralizes such authentication of public keys by a central mechanism, and substitutes individual endorsements of the link between user and public key. To date, no fully satisfactory solution to this "public key authentication problem" has been found.[/quote]
PGP appears to be safest in this respect.
[QUOTE=ewmayer;346137]One thing I have not seen discussed in this ongoing conversation is the following:
Given the apparent level of co-option of Big Tech and Big IT by Big Brother, can keygen certificates issued by the major certificate authorities be trusted to not be compromised? For us non-crypto-experts, [url=http://en.wikipedia.org/wiki/Public-key_cryptography#Description]Wikipedia explains[/url]: PGP appears to be safest in this respect.[/QUOTE]
There are those who disagree, quite rightly in my view. The reason is that terms such as "safer" do not mean very much in the absence of a specified threat model. Remember the golden rule. There have been many, many incompetent users of PGP in the more than 20 years of its existence. It is arguable that I am one of them. I never got around to revoking my first key pair, for instance. A search for keyID 0xCE766B1F should find it on the key server. It was created in 1992.
[QUOTE=ewmayer;346137]PGP appears to be safest in this respect.[/QUOTE]
Or, perhaps, GPG... 0xa88f9deccb95259c... Really need to update this. And xilman beats me by nine years....
[QUOTE=ewmayer;346137]One thing I have not seen discussed in this ongoing conversation is the following:
Given the apparent level of co-option of Big Tech and Big IT by Big Brother, can keygen certificates issued by the major certificate authorities be trusted to not be compromised? For us non-crypto-experts, [URL="http://en.wikipedia.org/wiki/Public-key_cryptography#Description"]Wikipedia explains[/URL]: PGP appears to be safest in this respect.[/QUOTE]
If you get an authority to issue you with a certificate, you can of course choose how you generate and manage the private key, you only have to send them the public one. My Firefox browser lists the "Staat der Nederlanden" as a certification authority, so if our intelligence services wanted to forge a certificate, it would be very easy. One of the big problems with certificates is revocation: most browsers are capable of consulting the revocation lists but the option is usually turned off by default, presumably so that the certification authorities don't need to spend money on servers that can handle lots of traffic. And if you want to check for revocation every time you rely on a certificate, then that rather defeats the whole object of using public key crypto anyway...
[QUOTE=Nick;346144]If you get an authority to issue you with a certificate, you can of course choose how you generate and manage the private key, you only have to send them the public one.[/QUOTE]
Just putting this out there for consideration... When you download (for example) [URL="https://www.centos.org/"]CentOS[/URL], you'll be presented with many sources for downloading, all of which include files containing the MD5, SHA1 and SHA256 checksums of the ISO images. These should be sane before being used. During a "YUM" update, you will be asked to agree to accept the public key of the publisher. Double check this key, and then accept. (As a quick aside, please RIP S. Vidal. You did really good work which will be remembered by many for a very long time.)
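The ISO checksum step described in the post above, as an added example (not code from the post or from the CentOS project): it parses a published `sha256sum`-style list, compares it with the downloaded image, and distinguishes a mismatch from an image that is not listed at all. File names and contents are constructed stand-ins.

```shell
#!/bin/sh
# Added example. Verifies a downloaded image against a published checksum
# list in the "HASH  filename" / "HASH *filename" format that sha256sum
# writes. Only SHA256 is checked: MD5 and SHA1 are collision-prone, and a
# checksum fetched from the same mirror as the image only catches corrupt
# downloads; a tampered mirror can replace both, so the sums file should
# come from a separate, authenticated source (e.g. a GPG-signed copy).

sum256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# verify_sha256 IMAGE SUMSFILE -> 0 match, 1 mismatch, 2 image not listed
verify_sha256() {
    file="$1"
    sums="$2"
    name=$(basename "$file")
    expected=$(awk -v f="$name" \
        '$2 == f || $2 == "*" f {print tolower($1); exit}' "$sums")
    [ -n "$expected" ] || return 2
    actual=$(sum256 "$file")
    [ "$actual" = "$expected" ]
}

# Demo on constructed data (not a real CentOS image or checksum file).
demo_dir=$(mktemp -d)
printf 'constructed stand-in for an ISO image\n' > "$demo_dir/CentOS-demo.iso"
printf '%s  CentOS-demo.iso\n' "$(sum256 "$demo_dir/CentOS-demo.iso")" \
    > "$demo_dir/sha256sum.txt"
if verify_sha256 "$demo_dir/CentOS-demo.iso" "$demo_dir/sha256sum.txt"; then
    echo "checksum OK"
fi
printf 'tampered' >> "$demo_dir/CentOS-demo.iso"
verify_sha256 "$demo_dir/CentOS-demo.iso" "$demo_dir/sha256sum.txt" \
    || echo "MISMATCH (rc=$?)"
rm -rf "$demo_dir"
```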
[QUOTE=Batalov;344488]"[URL="http://www.imdb.com/title/tt0387131/"]The constant gardener[/URL]" is conveniently on, in the regularly scheduled programming...[/QUOTE]
Something else which John le Carré predicted in 2006 in his novel "The Mission Song" is now happening: British citizens with dual nationality who are suspected of having links to terrorism are suddenly losing their British citizenship:
[QUOTE]Under the terms of a piece of the 2006 Immigration, Asylum and Nationality Act, and a previous piece of legislation dating to 1981, May [the UK Home Secretary] has the power to deprive dual nationals of their British citizenship if she is "satisfied that deprivation is conducive to the public good". The Home Office is extraordinarily sensitive about its use of the power, but it is known that Theresa May has deprived at least 17 people of their British citizenship. This power can be applied only to dual nationals, and those who lose their citizenship can appeal. The government appears usually to wait until the individual has left the country before moving to deprive them of their citizenship, however, and appeals are heard at the highly secretive special immigration appeals commission (SIAC), where the government can submit evidence that cannot be seen or challenged by the appellant. The Home Office is extraordinarily sensitive about the manner in which this power is being used. It has responded to Freedom of Information Act requests about May's increased use of this power with delays and appeals; some information requested by the Guardian in June 2011 has still not been handed over. What is known is that at least 17 people have been deprived of their British citizenship at a stroke of May's pen. In most cases, if not all, the home secretary has taken action on the recommendation of MI5. In each case, a warning notice was sent to the British home of the target, and the deprivation order signed a day or two later.[/QUOTE]
Source: [URL]http://www.guardian.co.uk/world/2013/jul/14/obama-secret-kill-list-disposition-matrix[/URL]
[url=www.reuters.com/article/2013/07/15/us-verizon-hacking-idUSBRE96E06X20130715?feedType=RSS&feedName=domesticNews]Researchers hack Verizon device, turn it into mobile spy station[/url]: [i]NEW YORK (Reuters) - Two security experts said they have figured out how to spy on Verizon Wireless mobile phone customers by hacking into devices the U.S. carrier sells to boost wireless signals indoors.[/i]