OpenBSD and the FBI

Jordan Aberle jordan.aberle at gmail.com
Mon Dec 20 19:06:14 MST 2010


It's good to have topics like these that invoke thought.

My 2 cents:

I try to apply moderation in every way in my life, too much of
something isn't a good thing.  I think this idea applies to security
as well.  I'm not saying just moderate security, I think we all know
here that encryption, in the end, can be cracked.  If you invoke a high
amount of encryption (mixing encryption algorithms) the system will
take a significant performance hit.  This of course can be
counterproductive.  I've run a mixture of Unix and Linux boxes that
host shell accounts for IRC and the like.  These types of boxes tend
to attract the script kiddie types.

I have found the best approach is having multiple different forms of
security set at a moderate level, if one type of security fails there
are fallbacks.  By having multiple security mechanisms an attacker has
to make sure he takes care of all the different variables instead of
just one rock solid variable.  This takes considerably more time, and
there is a chance an attacker will miss something.

In fact, I have caught a few people by purposely leaving something
obviously vulnerable.  They are able to get to a certain point but not
able to gain enough power to modify monitoring tools or log files.
This is a good way to get the bad eggs off of the box.

Jordan


On Mon, Dec 20, 2010 at 6:39 PM, gm5729 <gm5729 at gmail.com> wrote:
> Okay I have been pondering on most of this thread the past few days.
>
> Then going back and reading the news reports and other URLs that were provided.
>
> On the encryption side, let's make enemies now. Truecrypt is a PITA
> and very, very, very easily can damage encrypted data with the design
> of their open and plausible deniability containers. The best
> mathematics teachers I had didn't obfuscate what the principles,
> concepts and abstractions of mathematics were. They presented it in a
> very simple manner of fact which actually lit a fire to want to learn
> more. I believe through my own personal tests/use that obfuscates
> encryption to the point that one wrong move and you lose the kitty.
>
> Now, for the second topic. Yes, I see a gross misunderstanding about
> pass phrases -- and entropy they need to create. Some of this is
> caused by developers themselves not allowing enough freedom of
> characters to be used in their programs. I had a key for example that
> was close to 300 bits of entropy for a website. Firefox and Chromium
> were just about brought to their knees, much less my DSL connection
> having a cow or shutting down. Multiply that in your cache times just
> a measly 5-10 tabs and down comes your box. LOL. The "iron key" type
> usb keys that have buttons on them and AES encryption with salts plus
> add a time lock of some sort are sufficient for light weight travel.
> For a full on server or desktop experience it just doesn't work. I
> found a few applications that help increase entropy at a daemon level
> but are random enough to provide /dev/random the entropy it needs. One
> app is actually user and peripheral level exempt which would be great
> for headless servers it is called haveged. The other application which
> I did not try because I was looking for the type I first mentioned
> actually works on the noise of your sound card -- this idea was from
> whoever mentioned about tv cards. This application is called
> randomsound and is also a daemon. For example my:
>
> sudo cat /proc/sys/kernel/random/entropy_avail levels were < 60 when I
> did a pre-install check. Now my entropy_avail levels jump from 133 to
> 4000 every poll I make with the command above. You can see how if you
> are using encryption this will make for faster and stronger key
> enc/dec., and maybe someone can clarify but it would enable stronger
> and more secure connections of all sorts with any encryption.
>
> I was intrigued though by Ms. Lisa's "challenge" so to say that no
> matter what OS anyone is using pwn'g someone's box is possible and or
> getting contents remotely from someone's hard drives through their
> browsers is quite easily established. I would like some clarification
> if you do not mind, please.  I know about Java and JavaScript issues from
> TOR use. Flash and ActiveX don't do any better at leaking "private"
> data. I use the word private laughing all the way to the bank. This
> country has never had privacy. If you have ever done any sort of
> family trees or genealogy you understand what I am saying. Perception
> is reality. What has changed is technology, how fast it can spread and
> amount of data in the smallest state possible that is available.
>
> --
> gk