how to secure my computer - Security


Thread: how to secure my computer

  1. Re: how to secure my computer

    responder wrote:
    [...]
    > The documents, which the EFF filed under a temporary seal last Wednesday,
    > purportedly detail how AT&T diverts internet traffic to the National
    > Security Agency via a secret room in San Francisco and allege that such
    > rooms exist in other AT&T switching centers.

    [...]
    > Mark Klein, a former technician who worked for AT&T for 22 years, provided
    > three technical documents, totaling 140 pages, to the EFF and to The New
    > York Times, which first reported last December that the Bush
    > administration was eavesdropping on citizens' phone calls without
    > obtaining warrants.
    >
    > Klein issued a detailed public statement last week, saying he came forward
    > because he believes the government's extrajudicial spying extended beyond
    > wiretapping of phone calls between Americans and a party with suspected
    > ties to terrorists, and included wholesale monitoring of the nation's
    > internet communications.


    I think that this is nothing new. For more on this topic have a look at:

    http://en.wikipedia.org/wiki/ECHELON

  2. Re: how to secure my computer

    Matthias Kirchhart wrote:

    >responder wrote:
    >[...]
    >> The documents, which the EFF filed under a temporary seal last Wednesday,
    >> purportedly detail how AT&T diverts internet traffic to the National
    >> Security Agency via a secret room in San Francisco and allege that such
    >> rooms exist in other AT&T switching centers.

    >[...]
    >> Mark Klein, a former technician who worked for AT&T for 22 years,
    >> provided three technical documents, totaling 140 pages, to the EFF and
    >> to The New York Times, which first reported last December that the Bush
    >> administration was eavesdropping on citizens' phone calls without
    >> obtaining warrants.
    >>
    >> Klein issued a detailed public statement last week, saying he came
    >> forward because he believes the government's extrajudicial spying
    >> extended beyond wiretapping of phone calls between Americans and a party
    >> with suspected ties to terrorists, and included wholesale monitoring of
    >> the nation's internet communications.


    > I think that this is nothing new. For more on this topic have a look at:


    ECHELON has been widely acknowledged to have been eavesdropping *outside
    of* the US. US Courts and US Congress have variously and repeatedly
    required specific oversight and specific authorization for any similar
    Executive activities *within the US*. Until this point in time there has
    always been at least a pretense that the powers of the Government and
    particularly the Executive were constrained by the will and whatever sense
    of fairness of the Electorate, and by the US Constitution, the
    Institutions of Government and a system of "checks and balances". We are
    now seeing (at least) two critical differences.

    1. The Executive is now (apparently) claiming *exclusive authority* to act
    in these previously prohibited ways unfettered by _any_ further
    constraints from the US Congress _or_ US Courts. Importantly, the
    Executive now seems to want to claim the right to conceal its acts from
    the public *and from other Institutions of Government*, acts which until
    now have always been considered prohibited.

    2. An entirely new generation of vastly more powerful monitoring equipment
    is being installed within the Continental US with the clear intention of
    long-term eavesdropping on communications *within* the US. This new
    equipment far exceeds even ECHELON. With no possible realistic
    expectation of effective long-term concealment of existence of these
    facilities or their purposes, the Executive appears to have presented us
    with a "fait accompli", or as he might say "Mission Accomplished".

    The unfolding Perjury/Obstruction case surrounding I. Lewis "Scooter"
    Libby serves to amplify concerns about these above developments. There
    "appear to be" credible bases for questions that have already been raised,
    concerning whether the Executive and his administration have already
    misused their access to secret information. The "appearance" is that
    he/they (may have) misused secret information for personal or political
    purposes and to the detriment of private US citizens who were not
    themselves accused or suspected of any wrongdoing.

    Taken individually any of these facts or appearances could be extremely
    troubling. Taken together they present worldwide implications.

    http://en.wikipedia.org/wiki/ECHELON

    This is an excellent article and source. Thank you for linking it. Thank
    you for writing.

    As this thread was originally about computer security, we should try to
    avoid going OT, which you did not do. Thanks again.

    --
    colloquy_no_9 {at-sign} spam-mailingaddress.org
    eliminate the spam-



  3. Re: how to secure my computer

    http://www.wired.com/news/technology/0,70650-0.html
    --
    colloquy_no_9 {at-sign} spam-mailingaddress.org
    eliminate the spam-


  4. Re: how to secure my computer

    http://www.dailykos.com/storyonly/2006/4/8/14724/28476
    http://narus.com/products/index.html

    --
    colloquy_no_9 {at-sign} spam-mailingaddress.org
    eliminate the spam-


  5. Re: how to secure my computer

    Matthias Kirchhart (06-04-10 12:30:48):

    > > What makes you think that it isn't 100% secure?

    >
    > That's simple: nothing is 100 % secure.


    I didn't ask, because I believe it is. I asked, because the OP wrote
    that he's uncertain, and I wanted to know, if his uncertainty is
    reasonable.


    > > First: Drop all proprietary products, including their protocols.
    > > For example, use IRC or some other free standard protocol for live
    > > conversations, instead of MSN. You can encrypt everything in IRC as
    > > well as in MSN, and there are ways to guarantee authenticity. Use
    > > GnuPG instead of PGP, because PGP is constantly losing trustfulness,
    > > and it's not free. GnuPG is a free alternative.

    >
    > Where is the sense in that? If you use encryption properly it doesn't
    > matter which protocol you use to transmit your data. Changing the
    > protocol would just mean a lot of work. Where is the problem in MSN
    > anyway? Just because it was developed by Microsoft it doesn't mean it
    > is bad.


    It's simple: By supporting proprietary protocols, you make writing free
    alternative clients harder. You wouldn't use Microsoft extensions, when
    writing a homepage, would you? And that's the same thing. The other
    reason: Proprietary protocols get changed often. See the ICQ (OSCAR)
    protocol, as the worst case example. I guess, most people will agree
    that following standards is the better way.


    > > Next, don't do things you don't understand.

    >
    > That's always a good thing


    Unfortunately one, which many people don't consider.


    > > To the threats on the internet, look that you have recent software
    > > versions, so they don't possibly have some ancient security problem.
    > > Keep your system up to date. That doesn't include the kernel,
    > > unless some security problem is found, which affects you. You might
    > > also be interested in various kernel patches. I use the
    > > 'grsecurity' patch.

    >
    > That's right, but if you really want to secure your system that won't be
    > enough. Bear in mind that security is a process and not a state that
    > you can achieve. You always have to analyse your system and think
    > about steps to further improve its security. Updates can only be one
    > of those steps.


    Those were the most basic items. Sure, that's not enough to be able to
    claim to have a secure system. For me this includes the stuff you
    listed as well as cryptographic techniques. One thing, which is very
    important: Your system is not secure, if you need to disclose things.
    My security system consists of:
    * offsite backups
    * encrypted hard-disks and swap
    * fully hand-written configurations
    * security add-ons
    * programs with a clean security history


    > Further steps to improve security could be:
    > - data backups


    That's not enough. You must check the integrity of your system, before
    doing backups. And you must guarantee that nobody could tamper with
    your backups.


    > - not to save data on the computer but on a CD and cut off the
    > internet connection while working with them.


    Unfeasible in most configurations, as in mine. And remember that CDs
    can be stolen. So offsite-backups are in fact the same thing, but much
    easier.


    > - configure a firewall


    Theoretically a secure system doesn't need a firewall (in terms of
    'packet filter', I guess you meant that). But it wouldn't hurt, too.


    > - put a NAT-Router between your system and the internet to hide your
    > PC to the outside world.


    That's actually the same as configuring a packet filter properly. Just
    more expensive and harder to maintain.


    Regards.
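
The post above says a backup needs an integrity check and a way to notice tampering. The following is an added example, not code from the thread or from any of its posters: it records a SHA-256 digest per file and authenticates that manifest with HMAC-SHA256. The function names, the sample file and the key are constructed for illustration, and the key is assumed to be stored away from the backup medium.

```python
import hashlib
import hmac
import json
import os
import tempfile


def build_manifest(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:  # whole-file read keeps the example short
                digest = hashlib.sha256(f.read()).hexdigest()
            manifest[os.path.relpath(full, root)] = digest
    return manifest


def seal(manifest, key):
    """HMAC-SHA256 tag over a canonical JSON encoding of the manifest."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def verify(root, manifest, tag, key):
    """Return a list of problems; an empty list means the backup is intact."""
    if not hmac.compare_digest(seal(manifest, key), tag):
        return ["manifest: authentication tag mismatch"]
    current = build_manifest(root)
    problems = []
    for path in sorted(set(manifest) | set(current)):
        if path not in current:
            problems.append(f"{path}: missing")
        elif path not in manifest:
            problems.append(f"{path}: unexpected file")
        elif current[path] != manifest[path]:
            problems.append(f"{path}: content changed")
    return problems


def demo():
    key = b"constructed-demo-key"  # constructed; assumed stored off the backup medium
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "passwd.bak")  # constructed sample file
        with open(target, "w") as f:
            f.write("root:x:0:0\n")
        manifest = build_manifest(root)
        tag = seal(manifest, key)
        clean = verify(root, manifest, tag, key)
        with open(target, "a") as f:
            f.write("extra:x:0:0\n")
        tampered = verify(root, manifest, tag, key)
        forged = verify(root, build_manifest(root), tag, key)  # rewritten manifest, old tag
    return clean, tampered, forged
```

The same manifest comparison can be run against the live system before a backup is taken, using a manifest sealed when the system was known to be good.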

  6. Re: how to secure my computer

    "Barton L. Phillips" (06-04-10 19:21:21):

    > > In Linux there are several ways in which you can encrypt your data.
    > > I have an encrypted hard-disk (via dm-crypt), encrypted email
    > > traffic (via GnuPG) and of course encrypted remote shell sessions
    > > (via OpenSSH). To keep it short, I encrypt everything, where
    > > encryption is appropriate.

    >
    > When I was in the military I noticed that everything transmitted from
    > my Air Base was first encrypted. I mean everything from the dining
    > hall menu to the laundry list. I asked some of our crypto guys why
    > they wasted time encrypting such worthless junk. Their answer was a
    > revelation: If you encrypt only sensitive information then the enemy
    > only has to work on the encrypted stuff, but if you encrypt everything
    > the enemy has to spend enormous amounts of them decrypting junk. It is
    > the needle in the haystack theory. If you have millions of billions of
    > bytes of funk it will be pretty hard to find that 16 digit credit card
    > number in the noise.


    If this level of communication secrecy and authenticity would be
    required, then I would use other methods. When I talk with people not
    much related to me in IRC, then I don't see the point in encrypting
    that. I still do it, but it's pointless. It's not even secure. The
    server administrators can still decrypt the traffic, as well as the evil
    MITM.


    > But then again you have to be pretty paranoid -- but for this group?


    I am. =)

    Since this group deals with security, paranoid points of view are not
    fully inappropriate. It depends on who you would like to defend
    against. Personally I like defending against every attacker, if
    possible.


    Regards.

  7. Re: how to secure my computer

    Rick Moen (06-04-10 16:15:57):

    > > To the threats on the internet, look that you have recent software
    > > versions, so they don't possibly have some ancient security problem.
    > > Keep your system up to date. That doesn't include the kernel,
    > > unless some security problem is found, which affects you. You might
    > > also be interested in various kernel patches. I use the
    > > 'grsecurity' patch.

    >
    > I considered the grsecurity patch quite effective, in its day. My
    > understanding, though, is that their kernel support has always been
    > more than a little bit behind, sometimes more than others. (At least,
    > friends who used to track grsecurity had been regretfully lamenting
    > that they might need to abandon it.)
    >
    > At the moment, I see that they have a patchset for 2.6.14.6 (and
    > 2.4.32) -- but the head kernel version at the same time is 2.6.15.6.
    > Hmm, that actually looks pretty close to current!


    Yes, they are always a bit behind. But that's no problem, unless there
    is a feature in a newer kernel, which you need. And don't worry: If
    there is a security problem in the kernel, then they provide an updated
    version pretty fast.

    The developers take a bit more time to work on it, and that's not
    necessarily bad. I don't remember any security problems with the patch
    itself up to now.


    > (Please understand that I'm trying to assess the situation on the fly,
    > while writing this post.) Hmm, it still looks pretty well maintained,
    > well thought out, and "tasty", to me. PaX alone would seem to make it
    > worth the trouble.


    Yes, it doesn't only provide security, but even beauty. I like it
    hiding processes not owned by the user requesting the process list. In
    my opinion, that would be security by obscurity, so I wouldn't use it
    for security purposes. It's just beautiful, because it makes my 'ps'
    output much smaller.


    > Out of curiosity, have you encountered any drawbacks worth mentioning?


    Yes. You cannot use every PaX feature in every configuration. Some of
    them are incompatible with XFree86 and Xorg, and MySQL has problems with
    some others.


    Regards.

  8. Re: how to secure my computer

    Ertugrul Soeylemez wrote:
    > Rick Moen (06-04-10 16:15:57):
    > > (Please understand that I'm trying to assess the situation on the fly,
    > > while writing this post.) Hmm, it still looks pretty well maintained,
    > > well thought out, and "tasty", to me. PaX alone would seem to make it
    > > worth the trouble.

    >
    > Yes, it doesn't only provide security, but even beauty. I like it
    > hiding processes not owned by the user requesting the process list.


    Hm. Is this really PaX that allows one to hide user processes?
    IIRC, one can disable PaX but still have this feature present
    by enabling appropriate settings in "Filesystem Protections"
    (Allow special group, GID for special group).

    > In
    > my opinion, that would be security by obscurity, so I wouldn't use it
    > for security purposes. It's just beautiful, because it makes my 'ps'
    > output much smaller.


    I agree with the point. IMHO, the feature also "improves" privacy
    on multi-user machines since users who don't belong to the
    "special group" can see only their own processes.

    Regards,
    Mikhail


  9. Re: how to secure my computer

    "Mikhail Zotov" (06-04-17 20:46:11):

    > > Yes, it doesn't only provide security, but even beauty. I like it
    > > hiding processes not owned by the user requesting the process list.

    >
    > Hm. Is this really PaX that allows one to hide user processes? IIRC,
    > one can disable PaX but still have this feature present by enabling
    > appropriate settings in "Filesystem Protections" (Allow special group,
    > GID for special group).


    No, that's not a PaX feature, but a grsecurity feature. Remember that
    PaX is packaged with grsecurity, but otherwise completely unrelated. So
    yes, you can disable PaX and still get this feature.


    > > In my opinion, that would be security by obscurity, so I wouldn't
    > > use it for security purposes. It's just beautiful, because it makes
    > > my 'ps' output much smaller.

    >
    > I agree with the point. IMHO, the feature also "improves" privacy on
    > multi-user machines since users who don't belong to the "special
    > group" can see only their own processes.


    Well, there are other means of detecting 'well known' running processes,
    e.g. '/tmp/' or '/var/run/', or even side channel attacks.


    Regards.

  10. Re: how to secure my computer

    Ertugrul Soeylemez wrote:
    > "Mikhail Zotov" (06-04-17 20:46:11):
    > > Ertugrul Soeylemez wrote:
    > > > In my opinion, that would be security by obscurity, so I wouldn't
    > > > use it for security purposes. It's just beautiful, because it makes
    > > > my 'ps' output much smaller.

    > >
    > > I agree with the point. IMHO, the feature also "improves" privacy on
    > > multi-user machines since users who don't belong to the "special
    > > group" can see only their own processes.

    >
    > Well, there are other means of detecting 'well known' running processes,
    > e.g. '/tmp/' or '/var/run/', or even side channel attacks.


    Yep, you are right again. :-)

    --
    Mikhail

