<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<style type="text/css" id="owaParaStyle" style="display: none; ">P {margin-top:0;margin-bottom:0;}</style>
</head>
<body dir="ltr" fpstyle="1" aria-label="Message body" tabindex="0" style="">
<div name="divtagdefaultwrapper" id="divtagdefaultwrapper" style="font-family: Calibri,Arial,Helvetica,sans-serif; font-size: 12pt; color: #000000; margin: 0">
Also lest it came off that way, I didn't mean my original message as a knock against you or your opinions. You're super smart and probably much more well versed in terms of network/computer security than I will ever be.<br>
<div><br>
<br>
<div name="divtagdefaultwrapper" style="font-family:Calibri,Arial,Helvetica,sans-serif; font-size:; margin:0">
<div style="font-family:Tahoma; font-size:13px">Paul Mooring
<div>Operations Engineer</div>
<div>www.opscode.com</div>
</div>
</div>
</div>
<br>
<div style="color: rgb(40, 40, 40); ">
<hr tabindex="-1" style="display:inline-block; width:98%">
<div id="divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> plug-discuss-bounces@lists.phxlinux.org on behalf of Lisa Kachold<br>
<b>Sent:</b> Wednesday, June 26, 2013 2:41 PM<br>
<b>To:</b> Main PLUG discussion list<br>
<b>Subject:</b> Re: Times to move to Linux</font>
<div> </div>
</div>
<div><br>
Paul,
<div><br>
<div class="gmail_quote">On Wed, Jun 26, 2013 at 2:22 PM, Paul Mooring <span dir="ltr">
<<a href="mailto:paul@opscode.com" target="_blank">paul@opscode.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">
<div name="divtagdefaultwrapper" style="font-size:12pt; margin:0; font-family:Calibri,Arial,Helvetica,sans-serif">
Lisa,
<div><br>
</div>
<div>I think I mostly agree with you here. If you're opening random pdf files etc. then you can be easily compromised for sure, my point was more along the lines of it's not all that easy for people to just "get in" although there's a litany of attack vectors
that could be used to exploit a system they all involve some sort of attack vector. I mostly just get tired of the "OMG the NSA is in my box!" mindset that tends to circumvent discussion of actual real life issues. Specifically in light of recent events
I'm much less concerned with the somewhat far fetched idea that the government is intercepting and decrypting my encrypted traffic on the wire and much more concerned with the fact that my telco is just handing over all my conversations without even protesting.</div>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>I completely agree. </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div dir="ltr">
<div name="divtagdefaultwrapper" style="font-size:12pt; margin:0; font-family:Calibri,Arial,Helvetica,sans-serif">
<div>
<div class="im"><br>
<div><br>
<br>
<div name="divtagdefaultwrapper">
<div style="font-family:Tahoma; font-size:13px">Paul Mooring
<div>Operations Engineer</div>
<div><a href="http://www.opscode.com" target="_blank">www.opscode.com</a></div>
</div>
</div>
</div>
<br>
</div>
<div style="color:rgb(40,40,40)">
<hr style="display:inline-block; width:98%">
<div dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b>
<a href="mailto:plug-discuss-bounces@lists.phxlinux.org" target="_blank">plug-discuss-bounces@lists.phxlinux.org</a> on behalf of Lisa Kachold<br>
<b>Sent:</b> Wednesday, June 26, 2013 2:01 PM
<div class="im"><br>
<b>To:</b> Main PLUG discussion list<br>
<b>Subject:</b> Re: Times to move to Linux</div>
</font>
<div> </div>
</div>
<div>
<div class="h5">
<div>OMG Paul,<br>
<br>
<div class="gmail_quote">On Wed, Jun 26, 2013 at 9:19 AM, Paul Mooring <span dir="ltr">
<<a href="mailto:paul@opscode.com" target="_blank">paul@opscode.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
Matt,<br>
<br>
There couldn't be a saner point to add to this conversation. I'm frequently surprised at how even people who understand computers and networking treat security as some sort of dark magic. If you have a fully patched Linux desktop with no externally listening
services, no one (not even the NSA) can get in without going to extreme lengths. </blockquote>
<div><br>
</div>
<div>Wait, let me send you a PDF file; since you are sure to be running a browser from here, or better yet, point you to a nice javascript plugin, like
<a href="http://beefproject.com/" target="_blank">BEef?</a></div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
People are so frightened by the PRISM controversy that they aren't acknowledging that it's great insight into how the government really does gather data, they ask for it while holding a really big gun. There were no crazy backdoors or complex exploits involved,
they just told companies that had data to give it to them and the companies complied. The lesson we should be learning from this is that data you put on the Internet is not private, ever.<br>
</blockquote>
<div><br>
</div>
<div>Well said Paul. It reminds me of the quote "A completely secure server is one buried in concrete 30 feet down."<br>
</div>
<div><br>
</div>
<div>Hopefully, that is including all TCP/IP services because the Linux kernel can be
<a href="http://resources.infosecinstitute.com/intro-to-fuzzing/" target="_blank">trivially fuzzed.</a> </div>
<div><br>
</div>
<div>Even with encryption and pgp keys (all forms of <a href="http://it-clowns.com/c/files/drawer/crypt.ppt" target="_blank">encryption</a> have been broken) all our information is available.</div>
<div><br>
</div>
<div>Even on our internal networks, our SSH and HTTPS sessions are easy to hijack and intercept without VPN/VLAN (and sometimes even with). </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<br>
Paul Mooring<br>
Operations Engineer<br>
<a href="http://www.opscode.com" target="_blank">www.opscode.com</a><br>
<br>
</blockquote>
<div>Also see my comments below: </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<br>
<div>
<div><br>
From: Lisa Kachold<br>
> It's trivial to send you a PDF or Javascript Browser Exploitation BEef<br>
> hook and walk through your systems<br>
<br>
How do NoScript and using evince/kpdf instead of Acrobat Reader affect those<br>
trivial exploits?<br>
</div>
</div>
</blockquote>
<div> </div>
<div>Noscript stops the BEef from hooking.</div>
<div>You open a PDF with exploits or shellcode and you're still owned. </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div>
<div><br>
> agents that can be delivered via email (Kaseya or LivePerson) and J2EE<br>
> exploits that can be launched easily = opening you wide.<br>
<br>
Of course, if you're using a mail client that executes things found in<br>
attachments, you'll get pwn3d quickly. Are there any mail clients that do<br>
those things in this day and age? </div>
</div>
</blockquote>
<div><br>
</div>
<div>Microsoft Outlook is the only one I can think of, other than the versions in Blackberry phones made to use the same type of email "view panes".</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div>
<div>I thought they'd even partially fixed<br>
</div>
</div>
</blockquote>
<div>Not completely!</div>
<div> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div>
<div>Outhouse in that respect. J2EE? Who has all the components of J2EE installed<br>
(besides Java developers)? In the last 5 years, I've seen exactly 2 Java<br>
applets in the wild. Client-side Java is *uncommon* in the modern WWW AFAICT;<br>
the things people used to use Java for have been taken over by Flash/JS.<br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>That's due to browser security = but you can still easily GET a J2EE virus/infection (in all manner of ways from Win7 to SAP to linux/Mac). </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div>
<div><br>
> Surveillance technology continues from all your expenditures, all your<br>
> travel (license plate readers), and your phone behaviors, and can include<br>
> remote viewing (without camera technology you would recognize).<br>
<br>
I can see how it'd be easy to track credit card transactions (bank records)<br>
and car movements (via traffic cameras). Could you explain "remote viewing<br>
without camera technology" more clearly?<br>
</div>
</div>
</blockquote>
<div><br>
</div>
<div>It's a common tool that allows military to see inside of buildings. ARGUS uses it:</div>
<div><br>
</div>
<div><a href="http://motherboard.vice.com/blog/pretty-soon-drones-will-be-able-to-see-inside-your-bedroom" target="_blank">http://motherboard.vice.com/blog/pretty-soon-drones-will-be-able-to-see-inside-your-bedroom</a> </div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex; border-left:1px #ccc solid; padding-left:1ex">
<div>
<div><br>
--<br>
Matt G / Dances With Crows<br>
The Crow202 Blog: <a href="http://crow202.org/wordpress/" target="_blank">http://crow202.org/wordpress/</a><br>
There is no Darkness in Eternity/But only Light too dim for us to see<br>
<br>
---------------------------------------------------<br>
PLUG-discuss mailing list - <a href="mailto:PLUG-discuss@lists.phxlinux.org" target="_blank">
PLUG-discuss@lists.phxlinux.org</a><br>
To subscribe, unsubscribe, or to change your mail settings:<br>
<a href="http://lists.phxlinux.org/mailman/listinfo/plug-discuss" target="_blank">http://lists.phxlinux.org/mailman/listinfo/plug-discuss</a><br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div><br>
</div>
<a href="tel:%28503%29%20754-4452" value="+15037544452" target="_blank">(503) 754-4452</a> Android<br>
<a href="tel:%28623%29%20239-3392" value="+16232393392" target="_blank">(623) 239-3392</a> Skype<br>
<a href="tel:%28623%29%20688-3392" value="+16236883392" target="_blank">(623) 688-3392</a> Google Voice<br>
**<br>
<a href="http://it-clowns.com/d/" target="_blank">it-clowns.com</a><br>
Chief Clown<br>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
<div><br>
</div>
(503) 754-4452 Android<br>
(623) 239-3392 Skype<br>
(623) 688-3392 Google Voice<br>
**<br>
<a href="http://it-clowns.com/d/" target="_blank">it-clowns.com</a><br>
Chief Clown<br>
</div>
</div>
</div>
</div>
</body>
</html>