<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix"><br>
<br>
I've heard no credible allegations that PC motherboard hardware is
compromised. PCs would be compromised in the OS, which is one of
the arguments for avoiding MSFT Windows for personal use. There
are also credible allegations the NSA (and private and corporate
criminals) bugs PC keyboards.<br>
It's widely suspected that the major router manufacturers have
backdoors in the core routers that handle Internet traffic. It's
easier to deploy that way, compared to setting up a secret room at
the telco office with a fiber splitter, as has been observed in
San Francisco. I expect confirmation of that will eventually come
from Snowden's pile.<br>
But if your traffic is encrypted with SSH or correctly implemented
SSL, that doesn't do them much good. That's why it's called a
secure tunnel.<br>
<br>
One CRT monitor was observable from dozens of yards away. It took
equipment the size of a truck to do it. But a roomful of them
would be so difficult, it would be easier to bug the office some
other way. (Leave a thumb drive with your PC malware on the
sidewalk in front of a bank. There's a 40% chance you'll have
access to the bank's internal network within a day. People are
stupid and lazy and curious. They'll stick it in their desktop to
see if there's porn on it. I forgot which university runs that
experiment annually, but I'll bet it's Purdue.) Observing a
modern monitor is much more difficult. Maybe they can do it on a
      targeted basis, but it's not practical for a mass surveillance
program.<br>
<br>
A cell phone puts out short four watt bursts of UHF. Which is why
you shouldn't hold them next to your brain all day. Nothing that
emits that much radiation by accident is allowed in the US or EU
      market.  Incidental emissions from PCs and network cables are in
the low milliwatts. It's not for safety, it's to avoid
interference with broadcast TV. That's why it's so darned hard to
get a PC case back together, the case has to approximate a Faraday
cage for the product to get past the FCC and TUV.<br>
<br>
I wish I didn't understand this intense focus on <i>surreptitious</i>
surveillance. The vast majority of surveillance of innocent US
residents is right out in the open. And it isn't just voluntary,
we demand it, we clamor for it! Give me my "free" Gmail! Sell
me a phone that cost $600 to make for $50! Give me a
pre-installed computer operating system that I don't need to know
anything about to use! Maybe there's a dirty movie on this thumb
drive I found on the street. But I do understand it, and it makes
me sad. We kvetch about our privacy, but we readily trade it away
for entertainment and small grocery discounts. Our money ain't
where our mouths are.<br>
<br>
-Cameron<br>
<br>
<br>
<br>
<br>
On 04/09/2014 05:37 PM, John Thielking wrote:<br>
</div>
<blockquote
cite="mid:CAMxmhMf8u4m068+o8Y3j9ZA-Kn63pWZ7GrgjJjJJThuNdTOQnw@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>
<div>Cameron,<br>
<br>
</div>
It is reassuring to know that not all software companies are
under the thumb of the NSA. However, I also heard that the
hardware that we commonly use is also compromised, so that
no software can overcome the built in back doors on those
devices. I don't have an exact reference for that hardware
bit. I heard about it on a recent broadcast of the news on <a
moz-do-not-send="true" href="http://rt.com">rt.com</a>.
Also, an online book I read on privacy for journalists and
other sources have said that the emf coming from computer
monitors and the computers themselves can be monitored
remotely even if the computer is not connected to the
Internet, to again compromise privacy. Remember that the
tiny radios in cell phones can communicate with cell towers
up to 20 miles away (which fact some are using to discredit
claims that cell phones on flight 93 on 9/11 couldn't have
communicated with the ground --- which has since modified my
position on that point since finding that out). So it seems
reasonable that an emf source consuming many watts, such as
a computer, could easily be monitored from at least a
quarter mile away or more. Any thoughts? Thanks.<br>
<br>
</div>
Sincerely,<br>
<br>
</div>
John Thielking<br>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Apr 9, 2014 at 4:50 PM, Cameron
          L. Spitzer <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:cls@truffula.us" target="_blank">cls@truffula.us</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div><br>
<br>
Nobody credible is suggesting the NSA or anybody else
has a backdoor in Secure Shell Version 2 (SSH) or the
ciphers it uses. If it were even suspected, there would
be a mad race to come up with a replacement.<br>
SSH was developed in Finland because it's the only
developed nation not subject to the US' "munitions
related" export controls. That's why the big security
software developers all have offices there. They
learned that lesson from NSA's heavy-handed interference
with the original Digital Encryption Standard and Pretty
Good Privacy. If you've been researching the history of
digital security, you already know about those outrages.<br>
<br>
To understand these problems, you have to distinguish <i>algorithm</i>
from <i>implementation</i>. There is no "<i>method</i>."
The strength of SSH and its ciphers, and of PGP/GPG, and
anything else that uses asymmetric encryption, including
SSL, comes from the mathematical reality that it's
astronomically more difficult to factor the product of
two very large prime numbers than it was to multiply
those two primes in the first place. The NSA is about
as "likely" to find a way around that as they are to
find a way to travel faster than light. That's
algorithm. Vulnerabilities like Heartbleed come from
mistakes in implementation, not from weaknesses in the
mathematical algorithms themselves. The last one we all
had to patch (it was in SSH) was due to a mistake where
a pseudorandom number was more predictable than it
should have been.<br>
<br>
<a moz-do-not-send="true" href="http://heartbleed.com/"
target="_blank">Heartbleed</a> gives a black eye to
the "open source fanboys" who've been claiming for years
that nothing this serious would ever get past the
"crowd" of reviewers. "Vulns" this bad get stopped in
code-review all the time, and one got through. But it
hardly means "the NSA has a back door in everything."
("The NSA has a back door in everything" is a way to
rationalize your own choices of convenience over
security. Everybody does it.)<br>
Nor does it mean the closed source implementations are
better. Microsoft has its own SSL implementation. It's
surely been code-reviewed by NSA, and it may even have
NSA's backdoor in it. Perhaps that's in the pile
Snowden handed off to Greenwald, and <i>Der Spiegel</i>
hasn't got around to revealing it.<br>
<br>
By the way, the media are reporting "two thirds of the
Web" vulnerable. <a moz-do-not-send="true"
href="http://news.netcraft.com/archives/2014/04/08/half-a-million-widely-trusted-websites-vulnerable-to-heartbleed-bug.html"
target="_blank">According to Netcraft</a>, it's 17% of
hostnames. Maybe the "two thirds" is because that 17%
is most of the big names.<br>
<br>
-<i>Cameron</i><br>
<br>
<br>
<br>
On 04/09/2014 03:19 PM, John Thielking wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">I don't use online banking much, though I
do pay bills with a debit card. I may be able to use a
real credit card soon instead, though I have yet to
                actually receive the card that I was notified was
sent to me in the mail. Like I said in another thread,
the US govt likely has a backdoor into every
encryption <i>method</i> [emphasis added] out there,
including RSA's stuff (there was a specific news item
on that one) and anyone running HTTPS. My best bet in
regards to this is that my Direct Express online
access/password only allows me to look at my account
balance and transaction history. As far as I know, I
can't look up my account number or transfer money by
logging in. Good luck.<br clear="none">
<br clear="none">
Sincerely,<br clear="none">
<br clear="none">
John Thielking</div>
<div class="">
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Wed, Apr 9, 2014 at 2:47
                      PM, Cameron L. Spitzer <span dir="ltr">&lt;<a
                          moz-do-not-send="true"
                          href="mailto:cls@truffula.us" target="_blank">cls@truffula.us</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0
0 .8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div><br>
Most of the "secure" web sites you use have
been <b>broken for the last two years</b>.
Bruce Schneier says the OpenSSL "Heartbleed"
bug disclosed yesterday, on a scale of 1 to
10, is an 11, "<a moz-do-not-send="true"
href="https://www.schneier.com/blog/archives/2014/04/heartbleed.html"
target="_blank">catastrophic</a>." I
recommend James Fallows' <a
moz-do-not-send="true"
href="http://news.google.com/news/url?sr=1&sa=t&ct2=us%2F4_0_g_1_0_a&gid=EPG&bvm=section&usg=AFQjCNEu3o2CQaPZQdOvNQcoeO4LudiYbA&did=3147203463190269418&sig2=WnjE8vYpCP_1I61JMFmwhw&ei=dbdFU7mIBZG0mQKAQg&rt=HOMEPAGE&vm=STANDARD&authuser=0&url=http%3A%2F%2Fwww.theatlantic.com%2Ftechnology%2Farchive%2F2014%2F04%2Fthe-5-things-to-do-about-the-new-heartbleed-bug/360395/"
target="_blank">coverage</a> at the
Atlantic. <a moz-do-not-send="true"
href="http://arstechnica.com/security/2014/04/critical-crypto-bug-exposes-yahoo-mail-passwords-russian-roulette-style/"
                            target="_blank">Ars Technica</a> is even
better, they demonstrate the exploit against
<a moz-do-not-send="true"
href="http://yahoo.com" target="_blank">yahoo.com</a>.<br>
<br>
If you bank online, you need to check your
bank's site with something like <a
moz-do-not-send="true"
href="http://filippo.io/Heartbleed/"
target="_blank">this</a>, and change your
password. Change it now, then check the
site. If the check fails, check it again
later, and change your password <i>again</i>
when it passes.<br>
The first change neutralizes your password
which <b>was probably stolen</b> during the
last two years. The second neutralizes the
new one that was stolen yesterday before
your bank fixed its server. Now that the
bug is public, you can safely assume <b>all</b>
unpatched sites are compromised.<br>
If you run an HTTPS web server, you need to
update it, and then you need to get a new
cert. That's what your bank needs to do.<br>
If someone else runs an HTTPS web server for
you, check it. If it's broken and they
don't fix it soon, change providers.<br>
<br>
Forward as you see fit.<span><font
color="#888888"><br>
<br>
-<i>Cameron</i><br>
<br>
<br>
</font></span></div>
</div>
<br>
_______________________________________________<br>
sosfbay-discuss mailing list<br>
<br>
</blockquote>
</div>
</div>
</div>
</blockquote>
</div>
</blockquote>
</div>
</div>
</blockquote>
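<div>Added illustration, not part of the original e-mail thread and not OpenSSL code: a simplified C model of the algorithm-versus-implementation distinction drawn in the thread, using the kind of missing length check behind Heartbleed (a detail the thread itself does not describe). No cipher is involved anywhere in it; the buffer contents and function names are constructed for the example.</div>

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "process memory": the 4 bytes a peer really sent,
   followed by unrelated secret data that happens to sit next to them. */
static const uint8_t MEMORY[] = "ping" "SECRET-KEY";
#define SENT_LEN 4u                     /* bytes actually received   */
#define MEM_LEN  (sizeof MEMORY - 1u)   /* 14, without the final NUL */

/* Flawed echo: copies as many bytes as the peer *claims* it sent.
   The clamp to MEM_LEN only keeps this demo well defined in C. */
size_t echo_flawed(size_t claimed, uint8_t *out, size_t cap)
{
    size_t n = claimed < MEM_LEN ? claimed : MEM_LEN;
    if (n > cap) n = cap;
    memcpy(out, MEMORY, n);
    return n;
}

/* Checked echo: a claimed length beyond what was received is malformed,
   so the request is dropped and nothing is sent back. */
size_t echo_checked(size_t claimed, uint8_t *out, size_t cap)
{
    if (claimed > SENT_LEN || claimed > cap) return 0;
    memcpy(out, MEMORY, claimed);
    return claimed;
}

/* Returns 1 if the reply contains any of the neighbouring secret. */
int leaks_secret(const uint8_t *buf, size_t n)
{
    for (size_t i = 0; i + 6 <= n; i++)
        if (memcmp(buf + i, "SECRET", 6) == 0) return 1;
    return 0;
}

int main(void)
{
    uint8_t out[64];
    size_t n = echo_flawed(14, out, sizeof out);
    printf("flawed : %zu bytes, leak=%d\n", n, leaks_secret(out, n));
    n = echo_checked(14, out, sizeof out);
    printf("checked: %zu bytes, leak=%d\n", n, leaks_secret(out, n));
    n = echo_checked(4, out, sizeof out);
    printf("honest : %zu bytes, leak=%d\n", n, leaks_secret(out, n));
    return 0;
}
```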
<br>
</body>
</html>