OpenBSD and the FBI

Lisa Kachold lisakachold at obnosis.com
Mon Dec 20 19:25:09 MST 2010 

Hi!

Please come to any of our PLUG Hackfests and we can demonstrate?

I believe in that specific example, I was using the UTF8 inclusion into a
jpeg/gif or png.

And you trust me, so you go ahead a open it.

But there are a great number of other ways, since we allow HTML mail and
attachments of all kinds.

Over an above that, I can direct you to a page of my own that includes BEef
type triangulated exploits, or installs a LivePerson or Kayseya plugin into
your browser (which the feds do trivially without a spike in your RAM).

The only browser that was not accessible as of 2010 was Chrome, but sadly
that is no longer true.  The DHS can watch, as if they had a LogMeIn
application installed, EVERYTHING you do.

We all take all kinds of risks, ssh is the most glaring, but there are many
of us who allow remote management of our "routers" <grin>....  and use a
trivial password as well.  Almost every Netgear, LinkSys and others can not
only be DNS exploited but brute forced, buffer overflowed and trivially
pwnd.

See you at the Hackfest first and third Wednesday of January!

On Mon, Dec 20, 2010 at 6:39 PM, gm5729 <gm5729 at gmail.com> wrote:

> Okay I have been pondering on most of this thread the past few days.
>
> Then going back and reading the news reports and other URLS that were
> provided.
>
> On the encryption side, let's make enemies now. Truecrypt is a PITA
> and very, very, very easily can damage encrypted data with the design
> of their open and plausible denialbility containers. The best
> mathematics teachers I had didn't obfuscate what the principles,
> concepts and abstractions of mathematics were. The presented it in a
> very simple manner of fact which actually lit a fire to want to learn
> more. I believe through my own personal tests/use that obfuscates
> encryption to the point that one wrong move and you lose the kitty.
>
> Now, for the second topic. Yes, I see a gross misunderstanding about
> pass phrases -- and entropy they need to create. Some of this is
> caused by developers themselves not allowing enough freedom of
> characters to be used in their programs. I had a key for example that
> was close to 300bits of entropy for a website. Firefox and Chromium
> were just about brought to their knees, much less my DSL connection
> having a cow or shutting down. Multiple that in your cache times just
> a measly 5-10 tabs and down comes your box. LOL. The "iron key" type
> usb keys that have buttons on them and AES encryption with salts plus
> add a time lock of some sort are sufficient for light weight travel.
> For a full on server or desktop experience it just doesn't work. I
> found a few applications that help increase entropy at a daemon level
> but are random enough to provide /dev/random the entropy it needs. One
> app is actually user and peripheral level exempt which would be great
> for headless servers it is called haveged. The other application which
> I did not try because I was looking for the type I first mentioned
> actually works on the noise of your sound card -- this idea was from
> whoever mentioned about tv cards. This application is called
> randomsound and is also a daemon. For example my:
>
> sudo cat /proc/sys/kernel/random/entropy_avail levels were < 60 when I
> did a pre-install check. Now my entropy_avail levels jump from 133 to
> 4000 every poll I make with the command above. You can see how if you
> are using encryption this will make for faster and stronger key
> enc/dec., and maybe someone can clarify but it would enable stronger
> and more secure connections of all sorts with any encryption.
>
> I was intrigued though by Ms. Lisa's "challenge" so to say that no
> matter what OS anyone is using pwn'g someones box is possible and or
> getting contents remotely from someones hard drives thorough their
> browsers is quite easily established. I would like some clarification
> if you not mind please.  I know about Java and Java Script issues from
> TOR use. Flash and Active X don't do any better at leaking "private"
> data. I use the word private laughing all the way to the bank. This
> country has never had privacy. If you have ever done any sort of
> family trees or genealogy you understand what I am saying. Perception
> is reality. What has changed is technology, how fast it can spread and
> amount of data in the smallest state possible that is available.
>
> --
> gk
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>



-- 

(503) 754-4452
(623) 688-3392

 http://www.obnosis.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20101220/679e31e4/attachment.html>

More information about the PLUG-discuss mailing list