[GPSCC-chat] Heartbleed is real. Do something real.

Cameron L. Spitzer cls at truffula.us
Wed Apr 9 18:54:25 PDT 2014



I've heard no credible allegations that PC motherboard hardware is 
compromised.  PCs would be compromised in the OS, which is one of the 
arguments for avoiding MSFT Windows for personal use.  There are also 
credible allegations the NSA (and private and corporate criminals) bugs 
PC keyboards.
It's widely suspected that the major router manufacturers have backdoors 
in the core routers that handle Internet traffic.  It's easier to deploy 
that way, compared to setting up a secret room at the telco office with 
a fiber splitter, as has been observed in San Francisco.  I expect 
confirmation of that will eventually come from Snowden's pile.
But if your traffic is encrypted with SSH or correctly implemented SSL, 
that doesn't do them much good.  That's why it's called a secure tunnel.

One CRT monitor was observable from dozens of yards away.  It took 
equipment the size of a truck to do it.  But a roomful of them would be 
so difficult, it would be easier to bug the office some other way.  
(Leave a thumb drive with your PC malware on the sidewalk in front of a 
bank.  There's a 40% chance you'll have access to the bank's internal 
network within a day.  People are stupid and lazy and curious.  They'll 
stick it in their desktop to see if there's porn on it.  I forgot which 
university runs that experiment annually, but I'll bet it's Purdue.)  
Observing a modern monitor is much more difficult.  Maybe they can do it 
on a targeted basis, but it's not practical for a mass surveillance program.

A cell phone puts out short four watt bursts of UHF.  Which is why you 
shouldn't hold them next to your brain all day.  Nothing that emits that 
much radiation by accident is allowed in the US or EU market.  
Incidental emissions from PCs and network cables are in the low 
milliwatts.  It's not for safety, it's to avoid interference with 
broadcast TV.  That's why it's so darned hard to get a PC case back 
together: the case has to approximate a Faraday cage for the product to 
get past the FCC and TUV.

I wish I didn't understand this intense focus on /surreptitious/ 
surveillance.  The vast majority of surveillance of innocent US 
residents is right out in the open.  And it isn't just voluntary, we 
demand it, we clamor for it!   Give me my "free" Gmail!  Sell me a phone 
that cost $600 to make for $50!  Give me a pre-installed computer 
operating system that I don't need to know anything about to use!  Maybe 
there's a dirty movie on this thumb drive I found on the street.  But I 
do understand it, and it makes me sad.  We kvetch about our privacy, but 
we readily trade it away for entertainment and small grocery discounts.  
Our money ain't where our mouths are.

-Cameron




On 04/09/2014 05:37 PM, John Thielking wrote:
> Cameron,
>
> It is reassuring to know that not all software companies are under the 
> thumb of the NSA. However, I also heard that the hardware that we 
> commonly use is also compromised, so that no software can overcome the 
> built in back doors on those devices.  I don't have an exact reference 
> for that hardware bit. I heard about it on a recent broadcast of the 
> news on rt.com <http://rt.com>. Also, an online book I read on privacy 
> for journalists and other sources have said that the emf coming from 
> computer monitors and the computers themselves can be monitored 
> remotely even if the computer is not connected to the Internet, to 
> again compromise privacy. Remember that the tiny radios in cell phones 
> can communicate with cell towers up to 20 miles away (which fact some 
> are using to discredit claims that cell phones on flight 93 on 9/11 
> couldn't have communicated with the ground --- which has since 
> modified my position on that point since finding that out). So it 
> seems reasonable that an emf source consuming many watts, such as a 
> computer, could easily be monitored from at least a quarter mile away 
> or more.  Any thoughts?  Thanks.
>
> Sincerely,
>
> John Thielking
>
>
> On Wed, Apr 9, 2014 at 4:50 PM, Cameron L. Spitzer <cls at truffula.us 
> <mailto:cls at truffula.us>> wrote:
>
>
>
>     Nobody credible is suggesting the NSA or anybody else has a
>     backdoor in Secure Shell Version 2 (SSH) or the ciphers it uses. 
>     If it were even suspected, there would be a mad race to come up
>     with a replacement.
>     SSH was developed in Finland because it's the only developed
>     nation not subject to the US' "munitions related" export
>     controls.  That's why the big security software developers all
>     have offices there.  They learned that lesson from NSA's
>     heavy-handed interference with the original Digital Encryption
>     Standard and Pretty Good Privacy.  If you've been researching the
>     history of digital security, you already know about those outrages.
>
>     To understand these problems, you have to distinguish /algorithm/
>     from /implementation/.  There is no "/method/." The strength of
>     SSH and its ciphers, and of PGP/GPG, and anything else that uses
>     asymmetric encryption, including SSL, comes from the mathematical
>     reality that it's astronomically more difficult to factor the
>     product of two very large prime numbers than it was to multiply
>     those two primes in the first place.  The NSA is about as "likely"
>     to find a way around that as they are to find a way to travel
>     faster than light.  That's algorithm.  Vulnerabilities like
>     Heartbleed come from mistakes in implementation, not from
>     weaknesses in the mathematical algorithms themselves.  The last
>     one we all had to patch (it was in SSH) was due to a mistake where
>     a pseudorandom number was more predictable than it should have been.
>
>     Heartbleed <http://heartbleed.com/> gives a black eye to the "open
>     source fanboys" who've been claiming for years that nothing this
>     serious would ever get past the "crowd" of reviewers.  "Vulns"
>     this bad get stopped in code-review all the time, and one got
>     through.  But it hardly means "the NSA has a back door in
>     everything." ("The NSA has a back door in everything" is a way to
>     rationalize your own choices of convenience over security. 
>     Everybody does it.)
>     Nor does it mean the closed source implementations are better. 
>     Microsoft has its own SSL implementation.  It's surely been
>     code-reviewed by NSA, and it may even have NSA's backdoor in it. 
>     Perhaps that's in the pile Snowden handed off to Greenwald, and
>     /Der Spiegel/ hasn't got around to revealing it.
>
>     By the way, the media are reporting "two thirds of the Web"
>     vulnerable. According to Netcraft
>     <http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html>,
>     it's 17% of hostnames.  Maybe the "two thirds" is because that 17%
>     is most of the big names.
>
>     -/Cameron/
>
>
>
>     On 04/09/2014 03:19 PM, John Thielking wrote:
>>     I don't use online banking much, though I do pay bills with a
>>     debit card. I may be able to use a real credit card soon instead,
>>     though I have yet to actually receive the card that I was
>>     notified that was sent to me in the mail. Like I said in another
>>     thread, the US govt likely has a backdoor into every encryption
>>     /method/ [emphasis added] out there, including RSA's stuff (there
>>     was a specific news item on that one) and anyone running HTTPS.
>>     My best bet in regards to this is that my Direct Express online
>>     access/password only allows me to look at my account balance and
>>     transaction history.  As far as I know, I can't look up my
>>     account number or transfer money by logging in. Good luck.
>>
>>     Sincerely,
>>
>>     John Thielking
>>
>>
>>     On Wed, Apr 9, 2014 at 2:47 PM, Cameron L. Spitzer
>>     <cls at truffula.us <mailto:cls at truffula.us>> wrote:
>>
>>
>>         Most of the "secure" web sites you use have been *broken for
>>         the last two years*. Bruce Schneier says the OpenSSL
>>         "Heartbleed" bug disclosed yesterday, on a scale of 1 to 10,
>>         is an 11, "catastrophic
>>         <https://www.schneier.com/blog/archives/2014/04/heartbleed.html>." 
>>         I recommend James Fallows' coverage
>>         <http://news.google.com/news/url?sr=1&sa=t&ct2=us%2F4_0_g_1_0_a&gid=EPG&bvm=section&usg=AFQjCNEu3o2CQaPZQdOvNQcoeO4LudiYbA&did=3147203463190269418&sig2=WnjE8vYpCP_1I61JMFmwhw&ei=dbdFU7mIBZG0mQKAQg&rt=HOMEPAGE&vm=STANDARD&authuser=0&url=http%3A%2F%2Fwww.theatlantic.com%2Ftechnology%2Farchive%2F2014%2F04%2Fthe-5-things-to-do-about-the-new-heartbleed-bug/360395/>
>>         at the Atlantic. Arstechnica
>>         <http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/>
>>         is even better, they demonstrate the exploit against
>>         yahoo.com <http://yahoo.com>.
>>
>>         If you bank online, you need to check your bank's site with
>>         something like this <http://filippo.io/Heartbleed/>, and
>>         change your password.  Change it now, then check the site. 
>>         If the check fails, check it again later, and change your
>>         password /again/ when it passes.
>>         The first change neutralizes your password which *was
>>         probably stolen* during the last two years.  The second
>>         neutralizes the new one that was stolen yesterday before your
>>         bank fixed its server.  Now that the bug is public, you can
>>         safely assume *all* unpatched sites are compromised.
>>         If you run an HTTPS web server, you need to update it, and
>>         then you need to get a new cert.  That's what your bank needs
>>         to do.
>>         If someone else runs an HTTPS web server for you, check it. 
>>         If it's broken and they don't fix it soon, change providers.
>>
>>         Forward as you see fit.
>>
>>         -/Cameron/
>>
>>
>>
>>         _______________________________________________
>>         sosfbay-discuss mailing list
>>
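The "mistake in implementation" Cameron contrasts with the algorithm above, as an added example that is not part of this thread and not OpenSSL's own code: a C simulation of the OpenSSL heartbeat handler before and after the 1.0.1g fix, run against a heartbeat that lies about its own length. The record layout follows RFC 6520 (type byte, two-byte payload length, payload, 16 bytes of padding). The fake process memory, the "secret" string placed next to the record, the 4-byte payload and the 64-byte claim are constructed for the demonstration (a real attack claims up to 64 KiB per heartbeat), and the function names are mine, not OpenSSL's.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16      /* RFC 6520: at least 16 bytes of padding */
#define MEM_SIZE    256     /* constructed stand-in for process memory */
#define OUT_SIZE    512

/* Constructed secret that happens to sit in memory right after the record. */
static const char SECRET[] = "user=bob&pass=hunter2";

/* type(1) | claimed length(2) | actual payload | padding; returns bytes written. */
static size_t build_heartbeat(unsigned char *buf, uint16_t claimed_len,
                              const unsigned char *payload, size_t actual_len)
{
    buf[0] = HB_REQUEST;
    buf[1] = (unsigned char)(claimed_len >> 8);
    buf[2] = (unsigned char)(claimed_len & 0xffu);
    memcpy(buf + 3, payload, actual_len);
    memset(buf + 3 + actual_len, 0, HB_PADDING);
    return 1 + 2 + actual_len + HB_PADDING;
}

/* Pre-fix behaviour: the length field inside the message is trusted and
 * never compared with rec_len, so memcpy reads past the record. */
static int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                                unsigned char *out, size_t *out_len)
{
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    (void)rec_len;                        /* never consulted: the bug */
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);    /* over-read when payload > actual */
    *out_len = 3 + payload;
    return 1;
}

/* Post-fix behaviour: discard the message if header + claimed payload +
 * padding would exceed the record actually received (RFC 6520 sec. 4). */
static int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                           unsigned char *out, size_t *out_len)
{
    uint16_t payload;
    if ((size_t)1 + 2 + HB_PADDING > rec_len) return 0;
    payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len) return 0;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload);
    *out_len = 3 + payload;
    return 1;
}

static int contains(const unsigned char *hay, size_t hay_len, const char *needle)
{
    size_t n = strlen(needle);
    for (size_t i = 0; i + n <= hay_len; i++)
        if (memcmp(hay + i, needle, n) == 0) return 1;
    return 0;
}

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t *);

/* Send a heartbeat that claims 64 bytes but carries 4; report whether the
 * handler accepted it and whether SECRET ended up in the reply. */
static int leaks_secret(hb_handler handler, int *accepted)
{
    unsigned char memory[MEM_SIZE], out[OUT_SIZE];
    size_t out_len = 0, rec_len;
    const unsigned char real_payload[4] = { 'p', 'i', 'n', 'g' };
    memset(memory, 0, sizeof memory);
    rec_len = build_heartbeat(memory, 64, real_payload, sizeof real_payload);
    memcpy(memory + rec_len, SECRET, sizeof SECRET);   /* neighbouring data */
    *accepted = handler(memory, rec_len, out, &out_len);
    return *accepted && contains(out, out_len, SECRET);
}

int vulnerable_leaks(void) { int a; return leaks_secret(heartbeat_vulnerable, &a); }
int fixed_rejects(void)    { int a; leaks_secret(heartbeat_fixed, &a); return a == 0; }

/* A well-formed heartbeat must still be echoed by the fixed handler. */
int honest_request_echoed(void)
{
    unsigned char memory[MEM_SIZE], out[OUT_SIZE];
    size_t out_len = 0, rec_len;
    const unsigned char payload[4] = { 'p', 'i', 'n', 'g' };
    memset(memory, 0, sizeof memory);
    rec_len = build_heartbeat(memory, 4, payload, sizeof payload);
    return heartbeat_fixed(memory, rec_len, out, &out_len)
        && out_len == 7 && out[0] == HB_RESPONSE && memcmp(out + 3, payload, 4) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", vulnerable_leaks());
    printf("fixed handler rejects:           %d\n", fixed_rejects());
    printf("fixed handler echoes honest req: %d\n", honest_request_echoed());
    return 0;
}
```

The only difference between the two handlers is one comparison of the claimed payload length against the length of the record that actually arrived; without it the reply is filled from whatever lies beyond the record, which on a real server can be session keys, passwords or the private key. Patching stops further leaks but cannot undo earlier ones, which is why the advice above is to replace the server's certificate and to change passwords a second time after the site passes the check.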

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cagreens.org/pipermail/sosfbay-discuss_lists.cagreens.org/attachments/20140409/152a7e1b/attachment.html>


More information about the sosfbay-discuss mailing list