
Re: Security?



On Mon, Sep 9, 2013 at 9:53 AM, shawn wilson <ag4ve.us@gmail.com> wrote:
>
> On Sun, Sep 8, 2013 at 8:20 PM, Joel Rees <joel.rees@gmail.com> wrote:
>>
>> On Mon, Sep 9, 2013 at 3:27 AM,  <latinfo@vcn.bc.ca> wrote:
>> > Hello list.
>> > What do you think about it?
>> >
>> > https://www.schneier.com/blog/archives/2013/09/the_nsa_is_brea.html
>>
>>    "Those that didn't know about it were gobsmacked."
>>
>> If any of that surprises you, you haven't been paying attention.
>>
> If you even vaguely understand the math behind hashing and pki, you're
> amazed.

Why?

They aren't saying that they are beating the primes. They're saying
they're sugaring them and finessing them.

Erk. Non-technical terms there.

Some big primes are easier to beat than others. If you get constants
that push towards the easy ones into the standards, you've made your
job a lot easier. Like putting sugar in the other guy's tank at the
race track. And, of course, it's usually going to be easiest of all to
just go brow-beat a few people at the big ISP until someone vulnerable
gives in and spills the secret passwords.

Which pretty much sums up all the biggest breakthroughs they've had.

The rest is just wasting taxpayer money on more hardware, and more
hardware is what brings the algorithms poisoned by weak constants into
hitting range some of the time.

> That quote was talking about foreign intelligence analysts that were
> being read into the program (I didn't read Schneier, but from other articles
> with the same quote). I assume that was referring to people that know a
> thing or two about how this stuff works.

Funny, I'd assume it was not. People who understand are interested,
and people who are interested understood what the news articles meant
ten and twenty years ago as this played out. The only people who were
gobsmacked were the ones who weren't paying attention.

> I'd *love* to know w

Give it a study. It's not as hard as it looks. Just takes a lot of
computing power.

>> But keep your nose clean. Don't be a target.
>>
> And here I thought this was a technical list? Counselor, I keep having
> sexual thoughts about my mom, help? Ridiculous.

Sexual thoughts about your mom aren't going to make you a target.
Putting a webcam in your mom's bedroom and publishing it to your blog
is going to raise flags. Do I need to explain further?

>> Anything that must be private, keep it off the internet.
>>
> So, you're recommending that all business stop?

If you have a business and you have been putting your customers'
credit card numbers in a VB database app exposed to the web, yeah, you
should pull out the plug and get that off the web until you can at
least set up appropriate firewalls and VPN as necessary. Then you need
to find better solutions, because you can assume that the NSA has a
backdoor to your system today, and that backdoor could easily fall
into the hands of someone unscrupulous tomorrow.

>> Develop a good relationship with God, by whatever name you call That
>> Ultimate Entity, because that's going to be your only help in the end.
>>
> Unless your God can calculate primes and do long division faster than my
> God, I fail to see how either has any room in any discussion of this nature.

There is one ultimate reality, and it knows all the prime factors of
all the keys. If your god is not that ultimate reality, get a better
God.

> As per some semi-sane thoughts on the issue, I think most of it is
> impressive.

If you understand what they've done and are still impressed, you are
easily impressed by things that don't matter in the end.

> The database of private keys is totally awesome (ie, I wish I
> had it)

What good, ultimately, would it do you?

> - I want to make malware that Windows thinks is a keyboard driver,

That's not that hard to do. What would be your purpose?

> ok create a cert (burn the private one as they'll change it ASAP after)

If you have the keys to make the cert, all you're doing is proving you
can follow a recipe.

> and
> plunder.

What good does this do you? Do you live in a country with a repressive
government where such a thing would help overthrow the corrupt
government? Do you plan on using it to take down the NSA?

I assume that you understand that stealing money is just postponing
your problems, and that stealing people's pictures of themselves in
compromising situations is just setting yourself up to get in trouble.
Using other people's data is a good way to make yourself a target.

> This femtocell, VPN solution, iPhone sync, vehicle sync (or
> automation), etc has a pre-generated key and I want to control it - let's go.

You and whose army? The minute you use that to even do a little
harmless mischief, you've made yourself a target.

> They mentioned that those keys were obtained sometimes by breaking into
> companies. I've got a minor issue with that as it makes our argument that
> China is being evil by hacking American businesses a bit less righteous since
> we're obviously doing it.

Minor issue? You speak as if you are a US citizen and you speak of
what is essentially burning your country's Constitution on the floor
of the NSA as a minor issue?

> I've got *serious* issue with the NSA weakening crypto standards.

If you say this, why do you say that what they did is so impressive?
Finesse a few company people with personal vulnerabilities and get a
huge machine financed with empty promises to politicians scared of
being voted out of office more than anything else from "9/11", and the
rest is just watching the numbers grind.

> This is
> like writing about the hand of God in a study about evolution

red herring

> - I don't care
> what you believe - don't tarnish scientific research with shit. And here,
> don't tarnish crypto research with shit - I don't care about your end goal -
> it shouldn't be worth getting in the way of science for.

If you don't understand that there is a reality outside of yourself,
you're going to have a hard time understanding why what the NSA is
doing here is wrong.

And you're going to have a hard time understanding how to protect
yourself from what they are doing.

I don't care if you call that God or Ultimate Reality or The Ultimate
Entity or just plain reality.

You have to understand that there is something real outside yourself
before you can properly analyze what to protect in your system and
how.

--
Joel Rees
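A worked illustration of the point above that "some big primes are easier to beat than others", added here as an example; it is not part of the original thread or anyone's posted code. It assumes toy-sized Diffie-Hellman-style parameters (the constructed primes 1009 and 1019 are nearly the same size, but 1008 factors into small pieces while 1019 is a safe prime) and shows the parameter check a defender wants: the work to recover a discrete log is bounded by the largest prime-power factor of p-1, not by the size of p.

```python
# Added example, not from the thread. Toy-sized numbers chosen for illustration;
# the same reasoning is why real DH/DSA parameters are validated as safe primes
# or as having a large known prime-order subgroup.

def factor(n):
    """Trial-division factorization; fine for toy sizes. Returns {prime: exponent}."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def is_prime(n):
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))

def is_safe_prime(p):
    """p = 2q + 1 with q prime: p-1 has no small factor other than 2, so no shortcut."""
    return is_prime(p) and is_prime((p - 1) // 2)

def work_factor(p):
    """Largest prime-power divisor of p-1: the biggest brute-force step below."""
    return max(q ** e for q, e in factor(p - 1).items())

def find_generator(p):
    """Smallest primitive root mod p (toy-size search)."""
    n = p - 1
    qs = factor(n)
    return next(g for g in range(2, p) if all(pow(g, n // q, p) != 1 for q in qs))

def crt(residues, moduli):
    """Chinese remainder theorem for pairwise coprime moduli."""
    x, m = 0, 1
    for r, mod in zip(residues, moduli):
        x += m * (((r - x) * pow(m, -1, mod)) % mod)
        m *= mod
    return x

def pohlig_hellman(g, h, p):
    """Solve g^x = h (mod p) for a primitive root g. Each prime-power piece of p-1 is
    brute-forced in its own small subgroup, then the pieces are glued with the CRT,
    so the cost is work_factor(p), which is tiny when p-1 is smooth."""
    n = p - 1
    residues, moduli = [], []
    for q, e in factor(n).items():
        qe = q ** e
        gq, hq = pow(g, n // qe, p), pow(h, n // qe, p)   # project into order-q^e subgroup
        residues.append(next(k for k in range(qe) if pow(gq, k, p) == hq))
        moduli.append(qe)
    return crt(residues, moduli)
```

For the two constructed primes, work_factor(1009) is 16 while work_factor(1019) is 509, even though both are roughly the same size; at real key sizes that gap is the difference between feasible and infeasible, which is why a weak constant slipped into a standard matters.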