OpenBSD and the FBI
keith smith
klsmith2020 at yahoo.com
Mon Dec 20 19:48:52 MST 2010
Maybe the Amish really have it right.
------------------------
Keith Smith
--- On Mon, 12/20/10, Lisa Kachold <lisakachold at obnosis.com> wrote:
From: Lisa Kachold <lisakachold at obnosis.com>
Subject: Re: OpenBSD and the FBI
To: "Main PLUG discussion list" <plug-discuss at lists.plug.phoenix.az.us>
Date: Monday, December 20, 2010, 7:25 PM
Hi!
Please come to any of our PLUG Hackfests and we can demonstrate?
I believe in that specific example, I was using the UTF8 inclusion into a jpeg/gif or png.
And you trust me, so you go ahead a open it.
But there are a great number of other ways, since we allow HTML mail and attachments of all kinds.
Over an above that, I can direct you to a page of my own that includes BEef type triangulated exploits, or installs a LivePerson or Kayseya plugin into your browser (which the feds do trivially without a spike in your RAM).
The only browser that was not accessible as of 2010 was Chrome, but sadly that is no longer true. The DHS can watch, as if they had a LogMeIn application installed, EVERYTHING you do.
We all take all kinds of risks, ssh is the most glaring, but there are many of us who allow remote management of our "routers" <grin>.... and use a trivial password as well. Almost every Netgear, LinkSys and others can not only be DNS exploited but brute forced, buffer overflowed and trivially pwnd.
See you at the Hackfest first and third Wednesday of January!
On Mon, Dec 20, 2010 at 6:39 PM, gm5729 <gm5729 at gmail.com> wrote:
Okay I have been pondering on most of this thread the past few days.
Then going back and reading the news reports and other URLS that were provided.
On the encryption side, let's make enemies now. Truecrypt is a PITA
and very, very, very easily can damage encrypted data with the design
of their open and plausible denialbility containers. The best
mathematics teachers I had didn't obfuscate what the principles,
concepts and abstractions of mathematics were. The presented it in a
very simple manner of fact which actually lit a fire to want to learn
more. I believe through my own personal tests/use that obfuscates
encryption to the point that one wrong move and you lose the kitty.
Now, for the second topic. Yes, I see a gross misunderstanding about
pass phrases -- and entropy they need to create. Some of this is
caused by developers themselves not allowing enough freedom of
characters to be used in their programs. I had a key for example that
was close to 300bits of entropy for a website. Firefox and Chromium
were just about brought to their knees, much less my DSL connection
having a cow or shutting down. Multiple that in your cache times just
a measly 5-10 tabs and down comes your box. LOL. The "iron key" type
usb keys that have buttons on them and AES encryption with salts plus
add a time lock of some sort are sufficient for light weight travel.
For a full on server or desktop experience it just doesn't work. I
found a few applications that help increase entropy at a daemon level
but are random enough to provide /dev/random the entropy it needs. One
app is actually user and peripheral level exempt which would be great
for headless servers it is called haveged. The other application which
I did not try because I was looking for the type I first mentioned
actually works on the noise of your sound card -- this idea was from
whoever mentioned about tv cards. This application is called
randomsound and is also a daemon. For example my:
sudo cat /proc/sys/kernel/random/entropy_avail levels were < 60 when I
did a pre-install check. Now my entropy_avail levels jump from 133 to
4000 every poll I make with the command above. You can see how if you
are using encryption this will make for faster and stronger key
enc/dec., and maybe someone can clarify but it would enable stronger
and more secure connections of all sorts with any encryption.
I was intrigued though by Ms. Lisa's "challenge" so to say that no
matter what OS anyone is using pwn'g someones box is possible and or
getting contents remotely from someones hard drives thorough their
browsers is quite easily established. I would like some clarification
if you not mind please. I know about Java and Java Script issues from
TOR use. Flash and Active X don't do any better at leaking "private"
data. I use the word private laughing all the way to the bank. This
country has never had privacy. If you have ever done any sort of
family trees or genealogy you understand what I am saying. Perception
is reality. What has changed is technology, how fast it can spread and
amount of data in the smallest state possible that is available.
--
gk
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
--
(503) 754-4452
(623) 688-3392
http://www.obnosis.com
-----Inline Attachment Follows-----
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.PLUG.phoenix.az.us/pipermail/plug-discuss/attachments/20101220/598953f6/attachment.html>
More information about the PLUG-discuss
mailing list