OpenBSD and the FBI

keith smith klsmith2020 at yahoo.com
Mon Dec 20 19:48:52 MST 2010


Maybe the Amish really have it right.

------------------------

Keith Smith

--- On Mon, 12/20/10, Lisa Kachold <lisakachold at obnosis.com> wrote:

From: Lisa Kachold <lisakachold at obnosis.com>
Subject: Re: OpenBSD and the FBI
To: "Main PLUG discussion list" <plug-discuss at lists.plug.phoenix.az.us>
Date: Monday, December 20, 2010, 7:25 PM

Hi!

Please come to any of our PLUG Hackfests and we can demonstrate?

I believe in that specific example, I was using the UTF8 inclusion into a jpeg/gif or png.

And you trust me, so you go ahead and open it.


But there are a great number of other ways, since we allow HTML mail and attachments of all kinds.

Over and above that, I can direct you to a page of my own that includes BeEF type triangulated exploits, or installs a LivePerson or Kaseya plugin into your browser (which the feds do trivially without a spike in your RAM).


The only browser that was not accessible as of 2010 was Chrome, but sadly that is no longer true.  The DHS can watch, as if they had a LogMeIn application installed, EVERYTHING you do.

We all take all kinds of risks, ssh is the most glaring, but there are many of us who allow remote management of our "routers" <grin>....  and use a trivial password as well.  Almost every Netgear, LinkSys and others can not only be DNS exploited but brute forced, buffer overflowed and trivially pwnd.


See you at the Hackfest first and third Wednesday of January!

On Mon, Dec 20, 2010 at 6:39 PM, gm5729 <gm5729 at gmail.com> wrote:

Okay I have been pondering on most of this thread the past few days.

Then going back and reading the news reports and other URLs that were provided.

On the encryption side, let's make enemies now. Truecrypt is a PITA and very, very, very easily can damage encrypted data with the design of their open and plausible deniability containers. The best mathematics teachers I had didn't obfuscate what the principles, concepts and abstractions of mathematics were. They presented it in a very simple manner of fact which actually lit a fire to want to learn more. I believe through my own personal tests/use that obfuscates encryption to the point that one wrong move and you lose the kitty.

Now, for the second topic. Yes, I see a gross misunderstanding about pass phrases -- and entropy they need to create. Some of this is caused by developers themselves not allowing enough freedom of characters to be used in their programs. I had a key for example that was close to 300 bits of entropy for a website. Firefox and Chromium were just about brought to their knees, much less my DSL connection having a cow or shutting down. Multiply that in your cache times just a measly 5-10 tabs and down comes your box. LOL. The "iron key" type usb keys that have buttons on them and AES encryption with salts plus add a time lock of some sort are sufficient for light weight travel. For a full on server or desktop experience it just doesn't work. I found a few applications that help increase entropy at a daemon level but are random enough to provide /dev/random the entropy it needs. One app is actually user and peripheral level exempt which would be great for headless servers it is called haveged. The other application which I did not try because I was looking for the type I first mentioned actually works on the noise of your sound card -- this idea was from whoever mentioned about tv cards. This application is called randomsound and is also a daemon. For example my:

sudo cat /proc/sys/kernel/random/entropy_avail levels were < 60 when I did a pre-install check. Now my entropy_avail levels jump from 133 to 4000 every poll I make with the command above. You can see how if you are using encryption this will make for faster and stronger key enc/dec., and maybe someone can clarify but it would enable stronger and more secure connections of all sorts with any encryption.

I was intrigued though by Ms. Lisa's "challenge" so to say that no matter what OS anyone is using pwn'g someone's box is possible and/or getting contents remotely from someone's hard drives through their browsers is quite easily established. I would like some clarification if you do not mind please.  I know about Java and JavaScript issues from TOR use. Flash and Active X don't do any better at leaking "private" data. I use the word private laughing all the way to the bank. This country has never had privacy. If you have ever done any sort of family trees or genealogy you understand what I am saying. Perception is reality. What has changed is technology, how fast it can spread and amount of data in the smallest state possible that is available.



--
gk
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss




-- 

(503) 754-4452
(623) 688-3392

http://www.obnosis.com