[GPSCC-chat] Heartbleed is real. Do something real.

John Thielking peacemovies at gmail.com
Wed Apr 9 20:19:44 PDT 2014


Thanks for a very interesting conversation Cameron. I guess if TV monitors
cannot be radio-surveillanced from more than a few feet away and without a
truckload of equipment, then my Flash Mob inside a mall idea (see the
thread Can Flash Mobs and Olive Drab Clubs Defeat The NSA?) may work better
if the mall in question just happens to not have their security system
connected to the Internet so that the protestors can't be individually
tracked in real time by the NSA.  Probably also the random CCTV security
systems throughout San Jose are not likely to be tipping off the NSA in
real time to my location. And at the very least the electronic watches that
people may have on are also likely secure from remote sensing.  Thanks for
the reality check.  I still don't trust my keyboard or my Windows XP to not
compromise https though.  When I buy my next computer, it will probably
still run windows, but it definitely won't be a laptop with a built in
camera and microphone....

John Thielking



On Wed, Apr 9, 2014 at 6:54 PM, Cameron L. Spitzer <cls at truffula.us> wrote:

>
>
> I've heard no credible allegations that PC motherboard hardware is
> compromised.  PCs would be compromised in the OS, which is one of the
> arguments for avoiding MSFT Windows for personal use.  There are also
> credible allegations the NSA (and private and corporate criminals) bugs PC
> keyboards.
> It's widely suspected that the major router manufacturers have backdoors
> in the core routers that handle Internet traffic.  It's easier to deploy
> that way, compared to setting up a secret room at the telco office with a
> fiber splitter, as has been observed in San Francisco.  I expect
> confirmation of that will eventually come from Snowden's pile.
> But if your traffic is encrypted with SSH or correctly implemented SSL,
> that doesn't do them much good.  That's why it's called a secure tunnel.
>
> One CRT monitor was observable from dozens of yards away.  It took
> equipment the size of a truck to do it.  But a roomful of them would be so
> difficult, it would be easier to bug the office some other way.  (Leave a
> thumb drive with your PC malware on the sidewalk in front of a bank.
> There's a 40% chance you'll have access to the bank's internal network
> within a day.  People are stupid and lazy and curious.  They'll stick it in
> their desktop to see if there's porn on it.  I forgot which university runs
> that experiment annually, but I'll bet it's Purdue.)  Observing a modern
> monitor is much more difficult.  Maybe they can do it on a targeted basis,
> but it's not practical for a mass surveillance program.
>
> A cell phone puts out short four watt bursts of UHF.  Which is why you
> shouldn't hold them next to your brain all day.  Nothing that emits that
> much radiation by accident is allowed in the US or EU market.  Incidental
> emissions from PCs and network cables are in the low milliwatts.  It's not
> for safety, it's to avoid interference with broadcast TV.  That's why it's
> so darned hard to get a PC case back together, the case has to approximate
> a Faraday cage for the product to get past the FCC and TUV.
>
> I wish I didn't understand this intense focus on *surreptitious* surveillance.  The vast majority of surveillance of innocent US residents
> is right out in the open.  And it isn't just voluntary, we demand it, we
> clamor for it!   Give me my "free" Gmail!  Sell me a phone that cost $600
> to make for $50!  Give me a pre-installed computer operating system that I
> don't need to know anything about to use!  Maybe there's a dirty movie on
> this thumb drive I found on the street.  But I do understand it, and it
> makes me sad.  We kvetch about our privacy, but we readily trade it away
> for entertainment and small grocery discounts.  Our money ain't where our
> mouths are.
>
> -Cameron
>
>
>
>
>
> On 04/09/2014 05:37 PM, John Thielking wrote:
>
>   Cameron,
>
>  It is reassuring to know that not all software companies are under the
> thumb of the NSA. However, I also heard that the hardware that we commonly
> use is also compromised, so that no software can overcome the built in back
> doors on those devices.  I don't have an exact reference for that hardware
> bit. I heard about it on a recent broadcast of the news on rt.com. Also,
> an online book I read on privacy for journalists and other sources have
> said that the emf coming from computer monitors and the computers
> themselves can be monitored remotely even if the computer is not connected
> to the Internet, to again compromise privacy. Remember that the tiny radios
> in cell phones can communicate with cell towers up to 20 miles away (which
> fact some are using to discredit claims that cell phones on flight 93 on
> 9/11 couldn't have communicated with the ground --- which has since
> modified my position on that point since finding that out). So it seems
> reasonable that an emf source consuming many watts, such as a computer,
> could easily be monitored from at least a quarter mile away or more.  Any
> thoughts?  Thanks.
>
>  Sincerely,
>
>  John Thielking
>
>
> On Wed, Apr 9, 2014 at 4:50 PM, Cameron L. Spitzer <cls at truffula.us> wrote:
>
>>
>>
>> Nobody credible is suggesting the NSA or anybody else has a backdoor in
>> Secure Shell Version 2 (SSH) or the ciphers it uses.  If it were even
>> suspected, there would be a mad race to come up with a replacement.
>> SSH was developed in Finland because it's the only developed nation not
>> subject to the US' "munitions related" export controls.  That's why the big
>> security software developers all have offices there.  They learned that
>> lesson from NSA's heavy-handed interference with the original Digital
>> Encryption Standard and Pretty Good Privacy.  If you've been researching
>> the history of digital security, you already know about those outrages.
>>
>> To understand these problems, you have to distinguish *algorithm* from
>> *implementation*.  There is no "*method*."  The strength of SSH and its
>> ciphers, and of PGP/GPG, and anything else that uses asymmetric encryption,
>> including SSL, comes from the mathematical reality that it's astronomically
>> more difficult to factor the product of two very large prime numbers than
>> it was to multiply those two primes in the first place.  The NSA is about
>> as "likely" to find a way around that as they are to find a way to travel
>> faster than light.  That's algorithm.  Vulnerabilities like Heartbleed come
>> from mistakes in implementation, not from weaknesses in the mathematical
>> algorithms themselves.  The last one we all had to patch (it was in SSH)
>> was due to a mistake where a pseudorandom number was more predictable than
>> it should have been.
>>
>> Heartbleed <http://heartbleed.com/> gives a black eye to the "open
>> source fanboys" who've been claiming for years that nothing this serious
>> would ever get past the "crowd" of reviewers.  "Vulns" this bad get stopped
>> in code-review all the time, and one got through.  But it hardly means "the
>> NSA has a back door in everything."  ("The NSA has a back door in
>> everything" is a way to rationalize your own choices of convenience over
>> security.  Everybody does it.)
>> Nor does it mean the closed source implementations are better.  Microsoft
>> has its own SSL implementation.  It's surely been code-reviewed by NSA, and
>> it may even have NSA's backdoor in it.  Perhaps that's in the pile Snowden
>> handed off to Greenwald, and *Der Spiegel* hasn't got around to
>> revealing it.
>>
>> By the way, the media are reporting "two thirds of the Web" vulnerable.  According
>> to Netcraft <http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html>,
>> it's 17% of hostnames.  Maybe the "two thirds" is because that 17% is most
>> of the big names.
>>
>> -*Cameron*
>>
>>
>>
>> On 04/09/2014 03:19 PM, John Thielking wrote:
>>
>> I don't use online banking much, though I do pay bills with a debit card.
>> I may be able to use a real credit card soon instead, though I have yet to
>> actually receive the card that I was notified that was sent to me in the
>> mail. Like I said in another thread, the US govt likely has a backdoor into
>> every encryption *method* [emphasis added] out there, including RSA's
>> stuff (there was a specific news item on that one) and anyone running
>> HTTPS. My best bet in regards to this is that my Direct Express online
>> access/password only allows me to look at my account balance and
>> transaction history.  As far as I know, I can't look up my account number
>> or transfer money by logging in. Good luck.
>>
>> Sincerely,
>>
>> John Thielking
>>
>>
>> On Wed, Apr 9, 2014 at 2:47 PM, Cameron L. Spitzer <cls at truffula.us> wrote:
>>
>>>
>>> Most of the "secure" web sites you use have been *broken for the last
>>> two years*.  Bruce Schneier says the OpenSSL "Heartbleed" bug disclosed
>>> yesterday, on a scale of 1 to 10, is an 11, "catastrophic" <https://www.schneier.com/blog/archives/2014/04/heartbleed.html>.
>>> I recommend James Fallows' coverage <http://news.google.com/news/url?sr=1&sa=t&ct2=us%2F4_0_g_1_0_a&gid=EPG&bvm=section&usg=AFQjCNEu3o2CQaPZQdOvNQcoeO4LudiYbA&did=3147203463190269418&sig2=WnjE8vYpCP_1I61JMFmwhw&ei=dbdFU7mIBZG0mQKAQg&rt=HOMEPAGE&vm=STANDARD&authuser=0&url=http%3A%2F%2Fwww.theatlantic.com%2Ftechnology%2Farchive%2F2014%2F04%2Fthe-5-things-to-do-about-the-new-heartbleed-bug/360395/> at the Atlantic.
>>> Arstechnica <http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/> is even better, they demonstrate the exploit against
>>> yahoo.com.
>>>
>>> If you bank online, you need to check your bank's site with something
>>> like this <http://filippo.io/Heartbleed/>, and change your password.
>>> Change it now, then check the site.  If the check fails, check it again
>>> later, and change your password *again* when it passes.
>>> The first change neutralizes your password which *was probably stolen* during the last two years.  The second neutralizes the new one that was
>>> stolen yesterday before your bank fixed its server.  Now that the bug is
>>> public, you can safely assume *all* unpatched sites are compromised.
>>> If you run an HTTPS web server, you need to update it, and then you need
>>> to get a new cert.  That's what your bank needs to do.
>>> If someone else runs an HTTPS web server for you, check it.  If it's
>>> broken and they don't fix it soon, change providers.
>>>
>>> Forward as you see fit.
>>>
>>> -*Cameron*
>>>
>>>
>>>
>
> _______________________________________________
> sosfbay-discuss mailing list
> sosfbay-discuss at cagreens.org
> http://lists.cagreens.org/cgi-bin/mailman/listinfo/sosfbay-discuss
>
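Cameron's point above, that Heartbleed is an implementation mistake and not a weakness in the ciphers, is easiest to see in code. The following is an added example written for this archive page, not code from the thread or from OpenSSL: it models the heartbeat handler in the simplified shape of the bug (the echo length is taken from the attacker-controlled length field, never checked against the record actually received) beside the shape of the fix (drop any heartbeat whose claimed payload does not fit the record). The names heartbeat_vulnerable, heartbeat_fixed, probe_leaks_secret and honest_roundtrip are this example's own, and the "arena" with a session cookie placed after the record is a constructed stand-in for the neighbouring heap memory a real Heartbleed response disclosed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TLS heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16) */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

typedef size_t (*hb_handler)(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap);

/* Build a heartbeat request that claims `claimed_len` payload bytes but carries only `actual_len`.
 * Returns the record length the transport layer really delivered. */
static size_t build_heartbeat(uint8_t *out, uint16_t claimed_len, const uint8_t *payload, size_t actual_len)
{
    out[0] = HB_REQUEST;
    out[1] = (uint8_t)(claimed_len >> 8);
    out[2] = (uint8_t)(claimed_len & 0xff);
    memcpy(out + 3, payload, actual_len);
    memset(out + 3 + actual_len, 0, HB_PADDING);
    return 3 + actual_len + HB_PADDING;
}

/* Vulnerable shape: the echo length comes from the attacker-controlled field, never from rec_len. */
static size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap)
{
    (void)rec_len;                                   /* the bug: the real record length is ignored */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > resp_cap) return 0;               /* only so this demo stays inside its own buffers */
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);              /* over-read: copies whatever follows the record */
    memset(resp + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

/* Fixed shape: a heartbeat whose claimed payload does not fit in the received record is dropped. */
static size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING) return 0;      /* too short to hold even header + padding */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload + HB_PADDING > rec_len) return 0;   /* the missing bounds check */
    size_t resp_len = 3 + (size_t)payload + HB_PADDING;
    if (resp_len > resp_cap) return 0;
    resp[0] = HB_RESPONSE; resp[1] = rec[1]; resp[2] = rec[2];
    memcpy(resp + 3, rec + 3, payload);
    memset(resp + 3 + payload, 0, HB_PADDING);
    return resp_len;
}

static int contains(const uint8_t *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Malicious probe: claims 90 payload bytes, sends 2. Returns 1 if the response
 * carries bytes from the constructed "secret" placed after the record in the same arena. */
static int probe_leaks_secret(hb_handler handler)
{
    uint8_t arena[96] = {0};                         /* record at offset 0, neighbouring data at 64 */
    memcpy(arena + 64, "session-cookie=SECRET", 21);
    size_t rec_len = build_heartbeat(arena, 90, (const uint8_t *)"hi", 2);
    uint8_t resp[256];
    size_t n = handler(arena, rec_len, resp, sizeof resp);
    return n != 0 && contains(resp, n, "SECRET");
}

/* Honest heartbeat: claimed length matches the payload. Returns 1 if it is echoed correctly. */
static int honest_roundtrip(hb_handler handler)
{
    uint8_t rec[64];
    size_t rec_len = build_heartbeat(rec, 2, (const uint8_t *)"hi", 2);
    uint8_t resp[64];
    size_t n = handler(rec, rec_len, resp, sizeof resp);
    return n == 3 + 2 + HB_PADDING && resp[0] == HB_RESPONSE && memcmp(resp + 3, "hi", 2) == 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret:  %d\n", probe_leaks_secret(heartbeat_vulnerable));
    printf("fixed handler leaks secret:       %d\n", probe_leaks_secret(heartbeat_fixed));
    printf("fixed handler echoes honest ping: %d\n", honest_roundtrip(heartbeat_fixed));
    return 0;
}
```

Nothing here touches RSA, AES or any cipher: the session cookie leaks because one length field was trusted, which is why patching the library and then re-keying (new cert, new passwords) is the remedy rather than changing algorithms.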