Paul, On Wed, Jun 26, 2013 at 2:22 PM, Paul Mooring wrote: > Lisa, > > I think I mostly agree with you here. If you're opening random pdf > files ect. than you can be easily compromised for sure, my point was more > along the lines of it's not all that easy for people to just "get in" > although there's a litany of attack vectors that could be used to exploit a > system they all involve some sort of attack vector. I mostly just get > tired of the "OMG the NSA is in my box!" mindset that tends to circumvent > discussion of actual real life issues. Specifically in light of recent > events I'm much less concerned with the somewhat far fetched idea that the > government is is intercepting and decrypted my encrypted traffic on the > wire and much more concerned with the fact that my telco is just handing > over all my conversations without even protesting. > I completely agree. > > > > Paul Mooring > Operations Engineer > www.opscode.com > > ------------------------------ > *From:* plug-discuss-bounces@lists.phxlinux.org on behalf of Lisa Kachold > *Sent:* Wednesday, June 26, 2013 2:01 PM > > *To:* Main PLUG discussion list > *Subject:* Re: Times to move to Linux > > OMG Paul, > > On Wed, Jun 26, 2013 at 9:19 AM, Paul Mooring wrote: > >> Matt, >> >> There couldn't be a saner point to add to this conversation. I'm >> frequently surprised at how even people who understand computers and >> networking treat security as some sort of dark magic. If you have a fully >> patched Linux desktop with no externally listening services, no one (not >> even the NSA) can get in without going to extreme lengths. > > > Wait, let me send you a PDF file; since you are sure to be running a > browser from her, or better yet, point you to a nice javascript plugin, > like BEef? > > >> People are so frightened by the PRISM controversy that they aren't >> acknowledging that it's great insight into how the government really does >> gather data, they ask for it while holding a really big gun. There was no >> crazy backdoors or complex exploits involved, they just told companies that >> had data to give it to them and the companies complied. The lesson we >> should be learning from this is that data you put on the Internet is not >> private, ever. >> > > Well said Paul. It reminds me of the quote "A completely secure server > is one buried in concrete 30 feet down." > > Hopefully, that is including all TCP/IP services because the linux > kernel can be trivially fuzzed. > > > Even with encryption and pgp keys (all forms of encryptionhave been broken) all our information is available. > > Even on our internal networks, our SSH and HTTPS sessions are easy > hijack and intercept without VPN/VLAN (and someone even with). > >> >> Paul Mooring >> Operations Engineer >> www.opscode.com >> >> Also see my comments below: > >> >> >> From: Lisa Kachold >> > It's trivial to send you a PDF or Javascript Browser Exploitation BEef >> > hook and walk through your systems >> >> How do NoScript and using evince/kpdf instead of Acrobrat Reader affect >> those >> trivial exploits? >> > > Noscript stops the BEef from hooking. > You open a PDF with exploits or shellcode and your still owned. > >> >> > agents that can be delivered via email (Kaseya or LivePerson) and J2EE >> > exploits that can be launched easily = opening you wide. >> >> Of course, if you're using a mail client that executes things found in >> attachments, you'll get pwn3d quickly. Are there any mail clients that do >> those things in this day and age? >> > > Microsoft Outlook is the only one I can think of, other than the > versions in Blackberry phones made to use the same type of email "view > panes". > > >> I thought they'd even partially fixed >> > Not completely! > > >> Outhouse in that respect. J2EE? Who has all the components of J2EE >> installed >> (besides Java developers)? In the last 5 years, I've seen exactly 2 Java >> applets in the wild. Client-side Java is *uncommon* in the modern WWW >> AFAICT; >> the things people used to use Java for have been taken over by Flash/JS. >> > > That's due to browser security = but you can still easily GET a J2EE > virus/infection (in all manner of ways from Win7 to SAP to linux/Mac). > >> >> > Surveillance technology continues from all your expenditures, all your >> > travel (license plate readers), and your phone behaviors, and can >> include >> > remote viewing (without camera technology you would recognize). >> >> I can see how it'd be easy to track credit card transactions (bank >> records) >> and car movements (via traffic cameras). Could you explain "remote >> viewing >> without camera technology" more clearly? >> > > It's a common tool that allows military to see inside of buildings. > ARGUS uses it: > > > http://motherboard.vice.com/blog/pretty-soon-drones-will-be-able-to-see-inside-your-bedroom > > >> >> -- >> Matt G / Dances With Crows >> The Crow202 Blog: http://crow202.org/wordpress/ >> There is no Darkness in Eternity/But only Light too dim for us to see >> >> --------------------------------------------------- >> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org >> To subscribe, unsubscribe, or to change your mail settings: >> http://lists.phxlinux.org/mailman/listinfo/plug-discuss >> --------------------------------------------------- >> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org >> To subscribe, unsubscribe, or to change your mail settings: >> http://lists.phxlinux.org/mailman/listinfo/plug-discuss >> > > > > -- > > (503) 754-4452 Android > (623) 239-3392 Skype > (623) 688-3392 Google Voice > ** > it-clowns.com > Chief Clown > > > > > > > > > > > > > > > --------------------------------------------------- > PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org > To subscribe, unsubscribe, or to change your mail settings: > http://lists.phxlinux.org/mailman/listinfo/plug-discuss > -- (503) 754-4452 Android (623) 239-3392 Skype (623) 688-3392 Google Voice ** it-clowns.com Chief Clown