Just How Paranoid Are You?
An anonymous reader writes "We all understand the need for security in a corporate environment. Personal computers, however, typically don't have nearly the amount of sensitive information (or it's at least less damaging if found). How far do you go to protect your computer? I recently went overboard on securing my information (at least as secure as Windows XP can be). I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?"
The most critical item any computer security professional will tell you to take care of: Physical access. If you have a concern, this is your first line of defense and in fact, most top secret installations have considerable resources dedicated to physical access. Next down the line in terms of security risk will be issues related to physical access that again most top secret installations have resolved by disallowing any removable media in or around secured systems. After that comes any issues of network security because your greatest security risk is internal access.
You should not be carrying any sensitive work related items or data home, but if you have personal stuff (or a home business with IT critical information) you wish to secure, short of establishing a computer "vault" with limited access in your home (actually had one once for a project I was working on), you need to start with a secure OS. This does not mean Windows, unless you can afford a "hardened" version and are skilled at management. In fact, I would say from your question that all of the things you are already doing are the absolute minimum if you are using Windows. If you are truly this paranoid and keep sensitive info on your personal computer, and you obviously have a connection to the Internet, it should also mean physically removing the Internet connection from your computer at times when you do not need it. Multi-casting OS capable machines like certain flavors of *NIX are helpful here, so you don't have to deal with the Windows network wizard every time you connect back up (if you use certain settings for your network). Wireless should be a no-no as well. If you are really (read pathologically or are doing something quite illegal) paranoid, you could also build a Faraday cage around your room and charge it to reduce risk of TEMPEST related probes, but again if this is a concern, someone simply breaking in (again access) is often easier and cheaper.
When you are actually connected to the Internet, a hardware firewall is an absolute necessity. Network address translation will help limit some attacks. And aside from all the other things you are doing (strong passwords, encryption etc....), I would strongly urge you to constantly pay attention to your logs. Your most important data will be gleaned from the logs in terms of who is attacking, their strategies for attacking, when and where.
Visit Jonesblog and say hello.
Like I'm going to discuss that here on Slashdot! You know who might be reading.
Why go all the trouble when you can, like me, just don't use the internet? Most family members won't even be bothered to turn on the computer if they know it doesn't have 'net access :)
Seriously though, if you have read this story, you can see that "He didn't worry that she would walk down the hall and find him reading her words. ''Impossible, because my computer didn't face the door, and it would have taken a split second to shut it off, literally,'' he said. ''Nobody could catch me, nobody. I'm too good. I'm too good with computers, trust me. I set up that PC so that when I shut the computer off everything was erased. So there was no trackable record on those PC's."
In the end he was caught by his own action. So no amount of software/hardware protection can protect you from humanware error. If there's anything incriminating or damaging, it won't be sitting only in your computer anyway.
Rock that crushes, Paper & Scissors that don't matter.
I have OpenBSD on my firewall and main work machine. Encrypted partitions too. GPG everything. My Windows 2000 game machine is locked tight and on a DMZ without IE being used. My monitor is wrapped in tinfoil, naturally, with a small cutout just large enough to have a 640x480 window viewable. I wrapped my mouse in tinfoil but that made it hard to use so I cut a hole in the bottom which allowed the light to hit the desk surface. Problem there was the desk was wrapped in tinfoil, too. So I made my own mousepad because I don't trust the ones made by The Man. It's made from a dead rabbit I found on the street. I flattened it out and dehydrated it. When I need a random number I pinch some fur and pull. However many strands of fur I get in that pull is the random number I use. Of course I need a new mousepad every few weeks as I never reuse the same tuft of fur twice. Never trust the PRNG in any OS, even OpenBSD. Theo is watching. Speaking of that, the other day I was installing OpenBSD 3.6 on a new machine and then I realized... CDs are a form of RFID tag. The unique bit patterns on them can be detected from space. So I wrap my CDs in tinfoil when not in use. Speaking of tinfoil, I find it best to buy the cheapest stuff from dollar stores. They don't usually use the UPC barcoding at those places. Just "$1.. $1.. $1..". Barcode readers don't use OpenBSD but I think Theo is trying to get in there. Speaking of barcodes, the other day I pulled a package of gum from my pocket and the person I was with said "Ohh... Spearmint!" I ran away. He obviously has a remote UPC scanner and knew that I had spearmint gum. He says the wrapper was in plain sight but I think that's just an excuse.
Trolling is a art,
You must have the most impressive pr0n collection known to mankind!
-- Your mother uses Emacs.
very crazy
After all, doesn't everyone have my best interests at heart? Why, just the other day, a nice Nigerian man sent me an e-mail about a wonderful offer, and I don't even know him!
Hellooooo, Mr. Government Man!
Don't be a looter...and yes, I know that it's spelled with an "A" instead of an "E".
I just wear my tin-foil hat and everything seems to be in order...
I'm not so paranoid - simply very frustrated at the need for 9 different passwords to do my job - and they must be changed every 30 days - I always forget them so I keep them on a post it note on my monitor.
I don't think 'Big Brother' should be your primary concern, but rather your little brother and his ability to single handedly invite all kinds of unwanted goodies onto your machine.
I didn't go far at all. I just run OS X.
Crushing my karma one post at a time.
...my computer in aluminum foil, doesn't mean they're not really out to get me!
If you're really trying to keep things secure, ensure your encryption isn't made by Microsoft. Their encrypted folders use AES (IIRC) but since they're open and decrypted when you're logged on the protection is compromised.
So beyond a hardware firewall, not using credit cards on the net and banking through https, I don't do shit.
My computer is encased in Carbonite, and it is stored in a file cabinet in the basement with a sign on the door "Beware of Leopard". The password? I tore it to bits, put bacon grease on it, and fed it to the dog. However, these measures are not enough for security: the machine itself happens to be one of those cardboard replica PCs you find on furniture in the back of "Staples". No WAY you gonna hack this sucker!
Don't blame Durga. I voted for Centauri.
I lock the door to my house when I leave home
did you forget to take your meds?
You can't be that paranoid if you go telling everyone who reads
There's no way my friends or family will ever figure that out.
Bastille Linux of course!
If I was not concerned about security, I would use Windows XP
that I'm not going to tell people on slashdot what I do.
Now, how about posting some torrents here, so we can all admire your l33t security models and stuff.
An Indian-American Hindu committed to non-violent thought/speech/action alarmed by the global explosion of radical Islam
Rename allMyPron.zip to mssys.dat
I require that the user have physical access to the fingerprint reader under my keyboard.
My data is locked up? Hell yeah!
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Is there any point in trying to protect against BIG Brother really? I mean, if they WANT to get in, they could just storm your house and take away your PC. If they want they could silence you too. So why go so over the top?
Another idea is to make sure any sensitive information doesn't have any means of escape, hell build a machine with no network, and no floppy drive or cd writer. Take out the usb slots too, then maybe a passer by won't be able to access it.
30char password? What's the point? I mean you can still brute force it, and even without doing this, there's still methods such as removing the hdd drive, mounting it under another computer and 99% time, you got instant access to everything.
People need to learn, sensitive data is only protected in ONE place, inside our minds.
Keep it there and no one can snoop it.
- http://www.milkme.co.uk
"I have OpenBSD on my firewall and main work machine."
It's not the same box is it?
dmiessler.com -- grep understanding knowledge
Who wants to know???
I just don't keep personal information on my system for long. I format and re-install everything about once a month. Everything I collect on the 300Gb of space that I have gets burned to dvd's and cd's. I can go from a completely formatted system to my personal setup in a little more than an hour.
a h/w firewall (openbsd), I'm running debian sid, to login I need a keychain + p/w. I use loop-aes to encrypt everything including the root partition. I run all services (that is apache and sshd) in jailed environments, I'm subscribed to bugtraq and lkml to know about the issues that could arise, I got my kernel patched with grsec+pax. I run my system most of the time as a non-privileged user. Hm. I may be a bit average in paranoidness, but I learnt a lot while making this system work like this.
It takes a man to suffer ignorance and smile
Be yourself no matter what they say
Ah. Quite ingenious. The "smell of putrefaction" defense to keep intruders out.
I run only knoppix Live CD, and I incinerate my RAM after I am done just to be sure there's nothing left on that RamDisk. Kingston loves me now!
but I'm far too paranoid to describe my security methods in public like this.
For anything that has "sensitive information" (for us, that means individual tax and financial info), it doesn't go on any networked machine. All updates are transferred via floppy/USB. Files don't leave the machine. We don't bother with encryption simply because if someone is going to break in, they are probably going to steal the computer and don't care what is on it. Not to mention that it isn't worth it (to us) to secure what is on there beyond what we already do. Our main concern is making sure we don't get wiped out by a virus or a hard drive that dies.
Fly me to the moon Let me sing among those stars Let me see what spring is like On jupiter and mars
At my college we sit behind a huge firewall and I used to use a personal one past that. However Once I realized that anyone with my level of access (domain, I work for the tech dept) could get to my files, I just gave up. I need to start Linux up anyway.
This is another way of starting a sig with this and ending it with that.
Rather than spend all this time running around securing my information, which no one really cares about now, I spend my time getting rich and powerful. That way, later on, I won't have to run around securing my information, rather my minions will run around punishing those who try to steal it. At the end of the day, it's probably not worth your time, you're just not that important. And if you are that important it's a better use of your time to get a real expert to do it. (Note: Some out there probably are real experts, but not many.)
Thanks for letting us know you have a 30 character password. That'll be much easier to crack than having to deal with 1 - 29 and 31 - infinity length password.
-- There is no sig line, only Zuul.
Security against 'Big Brother' is a myth, especially given that it is very easy for authorities all over the world to label someone a "terrorist", or a "person of interest", and lock him/her up for years without any oversight.
S
I just don't use Windows or Internet Explorer, problem solved.[/sarcasm]
I'm offline, permanently. Try and hack that.
Things you can say to your dog that you can't say to a girl: "How about a nice bone?"
Just because you're paranoid doesn't mean someone isn't after you!
I keep a bunch of nerds surrounding my house for security. I feed them doritos and keep them motivated by issuing fake Duke Nukem Forever press releases. When I see them becoming too docile, I toss Windows Magazine at them to get them all riled up.
I always save my last mod point to mod up a good troll. You people are too serious.
I run Windows ME with no antivirus, no backup, no encryption, no firewall, no nothing. All that stuff is for wussies. I do use a BIOS password that you must type in before every boot. If I leave my computer while it is running, I have a screen saver that requires a password. This arrangement has worked well for 5+ years.
Well?
Actually, I err on the safe side just because. I use bios passwords and user passwords, have a hardware and software firewall.....on my computers at home....which DON'T have internet access!
Okay, so they will again...one day....please God....
______________
Huh?
- Home server(s) on a DMZ - Ntop on the router/fw to keep track of network usage - Filter outbound connections, too - Mixture of *BSD and Linux on network and server equipment. - Peerguardian when using P2P software. - Up to date virus scan. - Don't use IE or Outlook Express.
I'm sorry if I haven't offended anyone
I focus on good physical security, for the most part.
Over the network, I have disallowed older clients from connecting (NTLMv2 only) and require encrypted sessions over the network. I've disallowed anonymous users to enumerate shares and SIDs, and don't have a guest account open. Result: Basically, only someone with a local credential can access my machine over the network (for SMB) and any services that run, authenticate to the same database (RDP, etc.)
Locally, I rely on the fact that I'm overly paranoid about locking my workstation. If I'm more than 6 feet away from the console, it's locked. Only one individual besides myself has an account on my personal machine. All my important files are assigned to my own user account, and access-restricted from making modifications on them.
I'm less concerned about the other person who legitimately uses my machine from snooping around, than I am a random college kid who's bored.
BIOS Password, 13 Digit Password on XP Pro box, Virtual PC, Running FreeBSD 5.3 for all Internet related activity, hardware firewall, ... just your normal everyday kind of paranoid...
I don't think having a whole hard drive volume encrypted is necessary for most people. After all, I don't really care if people end up stealing my HalfLife 2 saved games from me.
/^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,4}$/i
I'm running SuSe 9.2 (good functionality, not exactly stable for me) and I keep a 12.0 gig crypto filesystem on my 20.0 gig drive.
The passphrase is sort of English, not shared at all with anyone, and I can do most of my work without mounting that stuff at all. When mounted the partition is a attached to
Physical security is a huge issue that most computer nerds ignore - it's not nearly as sexy as configuring a firewall - all discipline and no play, so to speak.
I am very easy to get along with, but I don't have time to waste being nice to people who are being stupid. -Theo
I keep my internet firewall and all public daemons up to date, but behind my network things are sorta left to when I get around to fixing them. For example, most of my sshd's are out of date, except the one that faces the internet. I use GnuPG with the Enigmail plugin for signing my e-mail. That's about it for any encryption I use. I don't have any sensitive data and it's not worth the CPU time or hassle to use an encrypted loopback partition. I've been thinking about it for its geek factor, but, eh, whatever.
Cthulhu Saves.
Who wants to know?
1. Don't connect to Internet.
2. Don't store sensitive/Important Info in harddisk.
Rather, store it in removable media and place it in a safe location.
(I am sure this physical safe location is better than the "safe" ways of saving it on comp anyday)
Why does yahoo do this
I need to adjust my tinfoil hat before I can allow myself to answer that question.
Mr. Ashcroft. I assume that your submission to Slashdot was quantum encrypted as well. ;-)
I'm not tense. I'm just terribly, terribly, alert.
"I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?""
:)
I just crack your system and store my stuff there.
I'm an alien in New York.
Cute reference...
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
I'm not paranoid, I just feel safer in this tin hat... 2+2=4!
The only things I really consider private on my computer are financial information. Receipts, credit card numbers etc. So yes I do go to some trouble protecting that, but for the most part I couldn't care less if my information was read illegally. There's just nothing of consequence there.
If someone actually compromised and trashed my PC on the other hand, I'd lose time in rebuilding it. However I do back up my information regularly, so that's no issue either except being annoyed at the loss of time. (If someone made subtle changes to the information I'd still have older backups, so it would be painful but not unrecoverable).
If you truly need a private information store, it may be worth buying a PC that isn't net connected and that is physically secured. For the average person unless you're doing something illegal or have sensitive work material at home (arguably not a good idea anyway), why would you need a super-unbreakable encrypted PC?
These posts express my own personal views, not those of my employer
Many people prattle on and on about hardware firewalls when trying to justify expensive Cisco gear. Really, all of these network firewalls are just hardware which run software. If you mean that the software is embedded, that's a better way of saying it.
But then I have to ask... why the need to qualify your firewall by labeling it a "hardware" firewall? Is there something wrong with "software" firewalls? What about all the businesses using OpenBSD's pf or Linux's ipchains as opposed to paying the Cisco tax? Are they less secure? Are they to be considered amateur because they are not using fancy (or even mediocre) appliances?
I keep a few sensitive files encrypted with an off-the-shelf program. I also have my porn in zip files that are encrypted, just so my gf or family doesn't accidentally stumble onto them. A decent firewall, AV, anti-spyware. Prevent IE and Firefox from caching passwords, no history or cache. Once in a while I wipe the free space, but that's about it.
-- If god wanted me to have a sig, he'd have given me a sense of humor.
"and all remotely personal information stored on a 256bit AES encrypted volume."
Windows will leave temp files all over the place and your pagefile could have any data that was kept in RAM. The superparanoid run Linux w/ an encrypted root partition and Windows inside a VM from an encrypted disk image.
but the single most important piece of advice I give to non-technical users is really simple: don't use IE! (or Outlook if you can avoid it)
TODO: 753) write sig.
Whilst I am all for the layered approach, even on a home machine, I find it hard to understand why people need large partitions protected with AES encryption.
If this was corporate data for example, it could be used in a smaller 'portable' encrypted container, I constantly see questions on Security type sites with people asking how to do full HD encryption, or encryption of very large drives.
Maybe its just me being suspicious, but realistically why do people need hundred gig+ encrypted containers unless it is for pr0n, warez or something even worse!
> How far do you go to protect your computer?
I protect my Computer with my life, and the life of all five of my clones, as any Troubleshooter would.
What are you, some kind of commie pinko mutant traitor? Paranoia is treason! Paranoia is fun! Happiness is mandatory! I'm happ*ZOT*
Cool article. Thanks Tim.
Billy
You obviously never tuned in to "Art Bell" that night he revealed that all UPC codes have been embedded with RFID for years now.
Don't blame Durga. I voted for Centauri.
...as my other 8 personalities. And half as schizo.
I made an end run on this whole problem. With some carefully executed electro shock therapy, I erased all of my personal information from my own brain!
Just try your evil identity theft tricks now!
Sometimes my arms bend back.
I disconnected mine from the internet, put it in a block of cement and then I sit on my front porch with a shotgun looking for any virus that may come along.
I don't buy/pay stuff online at all.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
Actually the above post illustrates a problem - giving highly technical advice to the masses. The above post is informative, but I don't think it addresses the correct audience. What do you do for a family that does not include a security professional in the household? "Don't let your children's friends have unlimited access to the computer" might be more appropriate.
Never thought of effecting security by relocating my home server to the no-man's-land in the middle of the Korean peninsula. I think you may be on to something. No one would ever think to check there!
Don't blame Durga. I voted for Centauri.
At home, I am not nearly as worried about "Big Brother" as I am my actual big brother. Therefore my first line of defense is a "No Big Brothers Allowed" sign on my bedroom door, with some skulls-and-crossbones for added effect.
Ut Tensio, Sic Vis
"How far do you go to protect your information against 'Big Brother' or even your family/friends?"
The obvious one would be not to respond to every security-related question with a bunch of details about all the levels of encryption and different passwords you use, just to show how technical and paranoid you are.
It's just a big video file dammit, I don't even know what this marutuku thing is...
Slashdot poll: when do you reveal your password
[ ] When a cute researcher asks for it
[ ] When offered a free pen for doing so
[ ] When slashdot asks about my 3l337 cracker defenses
[ ] At every dinner-party opportunity
[ ] All of the above
I'm so paranoid that not only do I have my stuff on an AES 256-bit encrypted filesystem, when I type in the password I use an on-screen keyboard so that if anyone hooks up a keyboard sniffer, they won't get my passphrase.
/. this is just like emailing a hackers mailing list with "Hack me!"
For FREE NO ADS! 1GB/20GB PHP MySQL With a Control Panel Hosting
I'm probably far less paranoid than most of the Slashdot crowd. Anything that contains sensitive information (read: finances) gets stored on a CD in my fire safe. Everything past that is a simple attempt to prevent having to restore files or rebuild my system. I have a hardware firewall, but mostly just avoid doing stuff online that could be risky. I make online purchases, but use an actual credit card with a low limit. That's it.
I really don't think Big Brother is watching me (I'm not that interesting), but if they are, I don't really care. They'd find out what they want to know no matter how hard I try locking my stuff down.
You have enemies? Good. That means you've stood up for something, sometime in your life. --Winston Churchill
I had weak security on my desktops at home. I would share out a lot of folders since I bounce around like 3 PC's (and a Mac) when doing stuff for work or just roaming around wirelessly with my laptop.
That is, until the other week. I live in a suburban area with a fairly big lawn. I have wireless on and some weak security on the wireless router since I figured nobody lived close enough to my house that was computer literate. Security through geography.
Then I noticed someone had accessed some files; a computer name that wasn't any of mine or anyone else in the house. I wasn't happy. I found out a neighbor someone reached my wireless router from across the street and accessed some files (didn't check to see if they browsed the internet on my dime).
Since then, I've been more security-aware. I still have wireless on (for the convenience) but have a white-list set up and 128bit encryption.
I shared fewer folders, and kicked it up a notch; explicitly saying which users could access the files.
I turned on File Vault (or whatever) on my PowerBook just in case.
I'm not that tight security wise, but my neighbor ain't getting through now.
As for the regular stuff to watch out for: I constantly scan for viruses and run ad-aware for spy ware. I sit behind my router's firewall and a software firewall of some sort (either the OS's or 3rd party for my work laptop).
My installation has two networks. One connected to the external network, (Internet), the other, which has sensitive information, is "NEVER" connected to the external network and is completely isolated. Routine back-ups are performed on a daily basis and the resulting back-up media is stored in a safe, "No Physical Access"! I rest easy and sleep well!
I keep ultra sensitive information on small pieces of paper and sticky notes stuffed into various jacket, pants, shirt pockets.
Any would-be attacker will be thwarted by the perfect randomness of my dressing style, and the fact that many of these papers will be securely encrypted in the washing machine.
oid7 67^%z55 5^s55 7s6 556 ? __9d9s7+~!! *&# @,x*&7dfhhfh ... *D7s8d6zxkh d76d 67s5.
=-= *ds76
FLR
And just why are you asking, eh?
The NSA: The only part of the US government that actually listens.
Physical access is a concern. But I work from home and have my servers here (my business is currently home-based). So simple things like locking doors etc.
The first question is how you identify what threats you are protecting yourself from. My list includes viruses, script kiddiez, and the occasional person who has moderate resources and wants to break into my network. I am not too worried about tempest probes because it would take a lot of time to get enough information off my systems this way to be of use, but I am more concerned about vandalism and damage.
So here are my mechanisms:
1) Keep door locked when not at home.
2) Hardware firewall on old Acer Advantage. Kernel does not support loadable kernel modules (which makes it a pain to change a network card, as the kernel must be recompiled). Firewall runs IPTables and logs most denied traffic.
3) Daily and monthly reports of firewall activity are sent to my inbox via cron and FWReport. FWReport leans towards false-positives, but it gives you an idea of what "may" be happening.
4) Remote access requires SSH and public key authentication. Remote access is not possible via password.
5) Email servers run Qmail.
6) Most servers are jailed.
7) Most logs are set to "append only"
8) Servers run minimal configurations with a minimum of extensions. For example, Apache does not run any modules not currently required.
9) Windows is not generally allowed on the network.
LedgerSMB: Open source Accounting/ERP
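Added example, not part of any comment in this thread: items 2 and 3 of the list above describe logging denied traffic with iptables and mailing periodic reports of it. A minimal report of that kind in Python, assuming the LOG rule was created with `--log-prefix "DENIED: "` and that kernel messages reach syslog; the function names, the threshold and every sample line and address are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Assumption: the firewall's LOG rule uses  --log-prefix "DENIED: "
LOG_PREFIX = "DENIED: "
KEY_VALUE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: DENIED: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=4711 DF PROTO=TCP SPT=51514 DPT=22 WINDOW=29200 SYN URGP=0
Jan 12 03:14:09 fw kernel: DENIED: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=4712 DF PROTO=TCP SPT=51515 DPT=22 WINDOW=29200 SYN URGP=0
Jan 12 03:14:12 fw kernel: DENIED: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 ID=4713 DF PROTO=TCP SPT=51516 DPT=22 WINDOW=29200 SYN URGP=0
Jan 12 03:17:40 fw kernel: DENIED: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=240 ID=1 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 SYN URGP=0
Jan 12 03:17:40 fw kernel: DENIED: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=240 ID=2 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 SYN URGP=0
Jan 12 03:17:41 fw kernel: DENIED: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=44 TTL=240 ID=3 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 SYN URGP=0
Jan 12 03:17:41 fw kernel: DENIED: IN=eth0 OUT= SRC=198.51.100.23 DST=192.0.2.10 LEN=71 TTL=240 ID=4 PROTO=UDP SPT=40002 DPT=161 LEN=51
Jan 12 03:19:02 fw kernel: DENIED: IN=eth0 OUT= SRC=198.51.100.77 DST=192.0.2.10 LEN=84 TTL=49 ID=9 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 12 03:20:00 fw sshd[812]: Accepted publickey for admin from 192.0.2.50 port 40022 ssh2
Jan 12 03:21:10 fw kernel: DENIED: IN=eth0 OUT= MAC=00:11
"""


def parse_line(line):
    """Return a record for one denied-packet line, None for unrelated lines.

    Raises ValueError when the line carries the prefix but is truncated or
    has an unparsable address or port, so the caller can count damaged lines.
    """
    _, found, rest = line.partition(LOG_PREFIX)
    if not found:
        return None
    fields = dict(KEY_VALUE.findall(rest))
    if "SRC" not in fields or "PROTO" not in fields:
        raise ValueError("truncated firewall log line")
    src = str(ipaddress.ip_address(fields["SRC"]))  # ValueError if not an IP
    # ICMP entries have no ports; keep them but record the port as None.
    dpt = int(fields["DPT"]) if "DPT" in fields else None
    return {"src": src, "proto": fields["PROTO"], "dpt": dpt}


def summarize(lines, scan_threshold=3, top=5):
    """Aggregate denied packets per source and per destination service.

    A source that was denied on at least `scan_threshold` distinct
    destination ports is listed under "scanners" (threshold is an assumption;
    tune it to the noise level of the network being watched).
    """
    per_source = Counter()
    per_service = Counter()
    ports_by_source = defaultdict(set)
    malformed = 0
    for line in lines:
        try:
            record = parse_line(line)
        except ValueError:
            malformed += 1
            continue
        if record is None:
            continue
        per_source[record["src"]] += 1
        if record["dpt"] is not None:
            ports_by_source[record["src"]].add(record["dpt"])
            per_service[(record["proto"], record["dpt"])] += 1
    scanners = sorted(
        src for src, ports in ports_by_source.items() if len(ports) >= scan_threshold
    )
    return {
        "denied": sum(per_source.values()),
        "malformed": malformed,
        "top_sources": per_source.most_common(top),
        "top_services": per_service.most_common(top),
        "scanners": scanners,
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    print(f"denied packets: {report['denied']} (malformed lines: {report['malformed']})")
    for src, count in report["top_sources"]:
        print(f"  {src:<16} {count}")
    for (proto, port), count in report["top_services"]:
        print(f"  {proto}/{port:<6} {count}")
    print("many distinct ports probed by:", ", ".join(report["scanners"]) or "none")
```

Run from cron against the day's kernel log, the output separates a host retrying one service from a host sweeping many ports, which is the distinction a raw count of denied packets hides.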
I don't even bother with passwords on most of my machines, not even for root.
Did you remember to ground the tinfoil? If left ungrounded, it will act as an antenna instead of a shield allowing your data to escape.
...if they're really after you.
I pile my old computer hardware into a wall around the house, and from time to time pour gasoline and light it on fire. A hardware firewall. The neighbors don't appreciate it, but it gives me a lot of security.
I use cash for my purchases.
Except, auto-drafts and internet purchases.
Hmm.. maybe I am not that paranoid after all.
...which is why I type any personal information in pig-latin, and I always wear a ski mask whenever I surf the internets.
Turns out bad sex is better than no sex. I'll have to be more grateful for what I get with the next girlfriend.
...this is just a trick post to lure me out.
tasks(723) drafts(105) languages(484) examples(29106)
Paranoia Quotes
... ?
I was walking home one night and a guy hammering on a roof called me a paranoid little weirdo. In morse code. -Emo Phillips
No matter how paranoid I get, it's never enough to keep up.
The question is not whether I'm paranoid, it's whether I'm paranoid enough.
The truly paranoid are rarely conned.
Doesn't matter if I'm paranoid - they're still after me.
I sincerely believe people talk about me. Mine would be a pretty meaningless existence if they didn't.
Why are some people terrified of "black helicopters" and don't even notice that they are being monitored almost constantly by the whole network of obvious surveillance cameras, credit cards, ATMs, EZpass, company ID/access cards, magazine subscriptions, SSNs, taxes, fees, video rentals, Internet firewall recording, 'cookies',
Paranoia: the belief that someone cares.
Paranoia is the belief in a hidden order behind the visible.
When everyone is out to get you, paranoia is only good thinking.
"Paranoia is knowing all the facts." - Woody Allen
"Paranoia is just another word for longevity." - Laurell K. Hamilton, The Laughing Corpse
"Perfect paranoia is perfect awareness."
"Paranoia is reality seen on a finer scale." - Philo Gant, Strange Days
"The issue is not whether you are paranoid, the issue is whether you are paranoid enough." - Max, Strange Days
"Why are you so paranoid, Mulder?"
"Oh, I don't know. Maybe it's because I find it hard to trust anybody." - Scully & Mulder, The X-Files, "Ascension"
Paranoia strikes deep / Into your life it will creep / It starts when you're / always afraid. You step out / of line, the man come and / take you away.
"I don't agonize over decisions as much these days. The criteria of what's important to me is clear. The insecurity that you feel, and the paranoia that you feel, have been around for a long time -- you know it's a liar because it's been lying to you all along -- every time you start something new. You get used to it, and you sort of go, 'Oh, you're showing up again, well f*** you.'" - John Cusack
Freedom is just a hallucination created by a pathological lack of paranoia.
Paranoia doesn't mean the whole world really isn't out to get you.
If you ever wanted to know what a person with acute paranoia looks like, just keep watching.
I have the power to channel my imagination into ever-soaring levels of suspicion and paranoia.
Paranoia is heightened awareness.
Paranoia is a social disease--you get it from screwing other people.
"Paranoia is the delusion that your enemies are organized." - Arthur D. Hlavaty.
"This is the Nineties, Bubba, and there is no such thing as Paranoia. It's all true." - Hunter S Thompson
"There are two kinds of paranoia: Total, and insufficient. I am both, because if you think you are sufficiently paranoid, you're not." - Guildenstern, Rosencrantz and Guildenstern are Dead
"The truly paranoid are clever enough to not *act* paranoid." - Q, Star Trek: The Next Generation
"When everyone _is_ out to get to you, being paranoid isn't going to help." - Q, Star Trek: The Next Generation
"When did you get so paranoid?"
"When they started plotting against me." - The Paper
"Paranoia is only the leading edge of the discovery that everything in the world is connected." - `The Illuminatus Trilogy'
When you've been through everything I have, paranoia is merely a precaution!
Paranoia is not the belief that everybody's out to get you -- they are. Paranoia is the belief that everybody's conspiring to get you.
The greater the concentration of power, the greater the paranoia it generates about its need to destroy everything outside itself.
I love this job. Nothing like paranoia and neurosis. Who needs a Coke habit? I've got journalism!!
There's something inherently American about paranoia. Given the i
Can we get a "-1 Wrong" moderation option?
I recently went overboard on securing my information (at least as secure as Windows XP can be). I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume.
and after all this if you still get 0wnzed, what are you gonna do? Do the authors of your encryption software know what they're doing (I'm assuming it's either closed source, since it's Windows, or maybe BestCrypt, if they're still in business)? Also, are you still using Internet Explorer?
...It's XP
How far will you go to protect your pr0n collection from your wife's prying, suspicious eyes? :)
I just make sure that viruses and low-level hackers can't get in.
:)
:)
:p
I use Free AVG 7.0 with linksys hardware router, basic configuration.
I live alone so password protecting is less of an issue. I use the same damn password for everything. I've been using it for years literally!!!
But it's not an easy password so that kinda makes up. It's not even a word or taken from my birth date... it's just a sequence of alphas I created and it stayed thru the years.
I guess I'm the average joe who's just asking for trouble but I think that if a serious hacker wants in, he ain't gonna be stopped by a password so why should I start having different passwords, changing them every week or so...just to forget that one important password more than three times and get my account locked out
Now...at work it's a different story, I have highly sensitive data and I take every precaution to protect it. First, I'm behind a corporate firewall and boy are they making strict.... But I'm also encrypting my data for those folders I want nobody to mess up with, new random password every 3 weeks with a small database that keeps a listing of the past passwords so I can refer to it if need be. Of course that database is protected by a password that only I have and is different than my home password
I guess it really depends on how bad you want to keep others from touching your computer or getting in....
Why do you think only "corporate" (which seem to be big iron since you contrast it to "personal computers") have sensitive data?
What about doctors? Lawyers? Accountants? Schools? Bookstores? etc.
If you've been paying attention to the news you'll know that every so often somebody buys a used computer disk and finds the results of STD tests (including AIDS) for tens of thousands of people. Or the name, address and credit card information for thousands of customers.
The loss of this information may not cause the DJIA to drop 10%, but it can be devastating to the people involved. But security is often lax since it's "only" a PC and it never occurs to these people that their computers may be stolen precisely because of the confidential information on the disk.
Even home users can face a difficult situation if they take their work home. They have a duty to protect that information... then they work on those files on virus-ridden systems. Today's viruses seem to focus on spam and stealing credit card numbers, but it's not hard to imagine more sophisticated attackers looking for other information.
For every complex problem there is an answer that is clear, simple, and wrong. -- H L Mencken
>I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume.
Call me ignorant but wouldn't one simple phishing/keylogging software to get your password and it's all for nothing?
You would have to get the software on your machine first, but there are loads of ways it could be done (even on linux and especially if it's hooked up to the Internet) but it's well worth the trouble for a person.
The surprise isn't how often we make bad choices; the surprise is how seldom they defeat us.
I took a class on Digital Forensics taught by a person who has worked with law enforcement as a forensic specialist and when we covered the topic of FS encryption he mentioned how Microsoft was going to make it harder to get into the boxes when they introduced new encrypted file systems. Then he went on to say that law enforcement was working with Microsoft and coming up with efficient ways to get around this encryption for forensic purposes. I was thinking "WTF I'm absolutely never going to trust Windows to encrypt anything." Not that I probably would have anyways, but still.
256-bit AES?
That's nothing.
Try a removable HD with a small thermite "charge" inside ignited on removal from the drive bay. Instant HD slush.
Off-site secure storage, of course, but the second the black-ops guys storm the house that HD is gone.
I don't have any personal information on my computer. Sure, I have a hardware firewall (hackable) and a password with upper and lower case, numbers, and symbols in it (hackable). No bank account numbers, I never check the box [] remember my password for email, maybe my last name is on there, and I don't use IE. People can't steal what does not exist.
hack a day
I used to advise people, "If you want to do anything illegal, immoral, embarrassing, or secret, don't even think of doing it on or with a computer, or even in the same room as a computer. Even the most competent computer experts screw up their security frequently."
So, how far would I go? If I cared enough about security I'd abstain.
Honest. But, living on a college campus (and breaking into other people's Windows shares across the network, heh heh) made me think about security. Now I have a DSL connection, and my main desktop PC runs Windows. I have:
1) Firewalls: hardware (old PC running IPCOP) and software (the one that came with SP2, and the one built into OS X on the laptop).
2) Passwords: all are 19 characters, as random as I can remember.
3) Spyware: Firefox, Ad-Aware, Spybot on Windows, and use the Mac for all e-mail.
4) Wireless: 128-bit WEP and no SSID broadcast.
5) Physical security: I got into the habit of locking the computer if I was leaving it for any amount of time. And I don't ever leave my laptop alone in public.
Beyond all that, if someone wants my data, I don't see much else I can do. My porn isn't that good.
Give a man fire, and you warm him for the night. Set a man on fire, and you warm him for the rest of his life.
I have a question pertaining to all of this. What options are there available for hard disk encryption? Can it be done just as well in software as with hardware (as an inline IDE device that physically encrypts the data)?
I use Linux, so there's probably some options available to me. How do you gain access to the disk? I assume the boot partition must be non-encrypted, and asks you for the passphrase to gain access to the encrypted root partition?
Does anybody have more info on hd-encryption?
-Jesse
Nothing says "unprofessional job" like wrinkles in your duct tape.
Anyone without a strong root password is likely to have a strong root password provided for them by an "outside consultant". :-)
Life is short: void the warranty.
I know one person (my boss) who has a firewall running on localhost.
Paranoid? Just because you are, it doesn't mean that they aren't after you.
When politicians are involved, everyone loses.
Personally, I never go near the things.
I have a modified login procedure which allows non-printable ASCII characters, including backspace, delete, cursor keys, etc. It also has provision for receiving inputs from the mouse - such as button clicks and presses, movement in a specific direction. Besides, it also checks for joystick inputs - such as button presses, movement, flicks, etc. I am in the process of incorporating biometric inputs - sensing and checking fingerprints, and sensing body weight from a sensor attached to the chair I am sitting on. Also, before I forget, the printer and scanner should be attached, and turned on - and also the printer should be out of paper. :)
My hard drives are covered with thermite packs set to ignite every day at 1:57pm unless the code is entered. If they capture me, and I can't enter the code, my PC will self-destruct. My case is pressurized; any change in pressure will set off the thermite. My computer room is an access-controlled area patrolled by ninjas and attack dogs. The floor is pressure sensitive and there are cameras. The only possible weak point is the oversized ventilator shaft that goes directly over the room.
But nobody knows about that.
Anything this long on venom and short on substance should be moderated "Troll" or "Flamebait", even if you happen to not like the guy getting ripped.
If I let go of it--BOOM! No more sensitive data.
For the bad guys, I use my own laptop at work and at home with a very restrictive fire-wall (ssh and dhcp when required, period). I use ssh for any remote things, and I keep all critical stuff (passwd, bank related numbers and codes, etc.) in a file encrypted with gpg and decrypted on the fly in emacs, never saved in clear. My xautolock locks after 2 min of inactivity. I recently installed an 802.11g network at home and use WPA-PSK.
For the bad luck, I burn my (small) CVS repository on CD twice every day and ssh-copy it once a week (in an encrypted form) to a former professional account I have access to (legally) which is 800km from my home and itself heavily backed up by a very competent staff.
I could add that I am a systematic office-locker. Do I qualify for "paranoid"?
--
Go Debian!
I keep my data on a proprietary system of my own devising - the gibbon/pigeonhole arrangement:
Deep inside my personal mountain lair is my own manually operated paperbased datacentre housing a colony of approximately 6,000 intricately trained gibbons who perform the day to day roles of system administration and data archiving.
When I access my partitions from windows in the comfort of my home, I'm not browsing local hard drives, oh no. I have had one of my gibbons integrate his brain into the windows kernel so that he is at one with my filesystems. I call him Ook. When I read/write to the partitions, Ook interprets the commands and passes them on to a waiting messenger gibbon, using a custom developed encrypted adaptation of the gibbon language, unintelligible to other gibbons in case big brother trains some gibbons of his own and infiltrates my workforce.
Anyway, the messenger gibbons (who are hand picked in a rigorous training scheme for their incredible memories) scamper off to my mountain datacentre, passing through retinal, palm, and voice identification scans, before entering a 128bit hexadecimal password (case sensitive) into a keyboard that is not QWERTY in format, but is made up of blocks in the ground which must be jumped on to enter each character. The blocks aren't labelled as such, but are cryptically imprinted with pictorial representations of the alphanumeric characters they represent (eg: picture of toast, rhymes with ghost, ghosts are scary, scary rhymes with hairy, hairy has five letters, therefore that block represents the number 5, see?).
So anyhow, once the messenger gibbon enters the secure area of my datacentre, he passes the message on to one of the worker gibbons, light in build and superb gymnasts, who moves to the appropriate pigeon hole in a 2D array laid out on a rock wall measuring more or less 1km square in surface area. Each 5cm^2 pigeon hole houses a piece of paper, on which is written a 32bit binary word. The worker gibbons are trained to encrypt and decrypt the binary strings, as the binary is not regular binary, but is instead shuffled according to a complex mathematical hashing algorithm. Once the gibbon has decrypted and either memorised or modified and re-encrypted the binary, he scampers back to the messenger gibbon and using a proprietary gibbon dance, reports either a fail or a success in the operation, along with any data requested for a read operation.
This all comes back up the chain to Ook, who has windows tell me that everything is fine.
I'm sure you can't deny that it's as secure as all get out, and it's pretty much transparent apart from the half hour access times, which makes playing counter strike quite the bitch, but for your everyday Word and Email, it's perfect.
Please take the little blue tablet, x1 PO QD: http://www.zyprexa.com/index.jsp
Does anyone out there have experience with a system that locks up the computer as soon as the authorized user leaves? I found this system that uses a transmitter with a 2 meter range. http://www.emtigroup.com/cproducts.html
I go through the usual routine of a dedicated firewall and running reasonably secure operating systems (BSD), but I don't have that much stuff I consider super-private on my computers. I've been meaning to set up Kerberos one of these days for fun, but I don't really need all that much security.
The private stuff stays on paper, and is hand-written.
The -very- private stuff stays in my head.
Who wants to know?
Well, there's spam egg sausage and spam, that's not got much spam in it.
I'm more paranoid outside of my house.
For my computer security, "Ohh no, they can steal my secret doom3 save games."
Whereas outside, I get tracked with cameras and can get robbed by strung out junkies.
I don't even SURF the web. I have a "friend" post all my replies for me. MUHAHAHAHA...
This type of discussion really worries me for "single owner" systems.
You have set up a system that will keep people away from the data unless you and only you try to access this. What happens if something happens to you? Your family might need your account numbers if you die, have a stroke, etc.
If you are protecting your child porn stash, then maybe this is the best solution. For things like credit card numbers, on-line banking, etc. you should "escrow" your passwords somewhere so that others can get to them if needed. This could be as simple as a printout of your passwords/accounts in your safe deposit box to having information kept by your lawyer.
Remember that bad things can happen beyond just hackers trying to get data.
And I am not just trolling for karma. My wife just had a friend die suddenly and one of the first questions from the family was "how do we get his laptop's password". My answer was, "it depends, if he really secured it well, you are pretty much out of luck".
> all remotely personal information stored on a 256bit AES encrypted volume
Unless you run swapless in Windows or only edit these documents with programs that have the secure memory bit set under Linux, this isn't buying you anywhere near as much security as you might think.
Must-not-watch TV!
"Paranoia is a malfunction of the ability to reason. I can reason, therefore I am not paranoid..."
....or am I
/me places tinfoil over entire body , double layered around the head(s).
fcuk!
Who are the threats? {family, boss, cybercrooks, burglars, fire}
What is the threat? Discovery, use or loss?
What is the cheapest/easiest precaution?
Multiple user accounts, removable media, doorlocks, backups and selective crypto are all I bother with.
When the feds finally apprehended Mitnick, they never got the data off his drive, but they did keep him for 4.5 years without trial or even a bail hearing.
It didn't take them that long because they had a strong case.
Unable to build a case against him, they simply stalled endlessly and trusted our bloated justice system to overlook the obviously overboard effort to force him to take a plea bargain.
When it comes down to it, privacy of your data may not be the determining factor, whatever your business is. People who are determined enough can find a way to make your life miserable whether or not your precious data is hidden from their eyes, as happened with Mitnick.
If you feel you have data worth hiding, best to divorce it from your daily life as best you can.
At home... Severe iptables setup to limit access to my Linux box. Even then, all shell or X access is via SSH. I use RSA Keys or Kerberos for authentication. All daemons run chrooted if possible, and I only use the Good Stuff: OpenSSH, Postfix, Apache, etc... all current builds.
My windows boxes are DMZ'd out, and I religiously keep up on all patches. No Internet Explorer, just Firefox. I do have IIS installed on a dev box, but it's locked down and has no Internet access. Pretty solid Group Policies to enforce security settings. My wireless setup uses MAC filtering, 802.11g with WPA for privacy and 802.1x RADIUS authentication using EAP-TLS. Back in the 802.11b days, I'd use WEP and an IPSec VPN to get to the network. Private stuff (email archives, billing info and pr0n) are kept on an EFS encrypted volume. I've looked into RubberHose, but I think that's going a bit too far, even for me. I used to use SmartCards for logons, but the wife kept forgetting her PIN and it was getting expensive when she kept burning out the chip after so many bad login attempts.
I suppose the next thing would be to replace my CRT monitor with an LCD to minimize TEMPEST, and get a couple of buckets of that Airshield paint to block my cellphone and wireless transmissions.
And almost all of it is not because I'm paranoid (which I am), but because I can.
What happens when you get a bad sector in an encrypted container? Would more data be lost than if the data weren't encrypted?
Well, an openbsd boxen acting as firewall. NAT:ed machines includes a win32 machine and a freebsd machine. When on IRC I naturally use an ssl encrypted server. ;)
I encrypt my mails when it's an option.
Oh, and I ALWAYS keep my curtains closed, those satellites are annoying
I use AES encrypted XFS partitions for my /home and data partition - swap too, as passwords can get swapped there. 26 character letters, numbers, symbols password. My machine usually has a 30 day uptime average, so I have to type it once a month - no biggy.
My normal passwords are about 8 characters long, and alphanumeric with case differences.
I nmap my machine to make sure I don't have weird open ports from half-failed attempts to get something working at 04:00.
My obsession with emerge sync && emerge -uD world keeps my machine up to date (and as vulnerability-free as practical).
My windows machines have nothing at all useful on them, but are still behind the router (shorewall on Gentoo) so they're protected (security isn't the reason for that, a cable modem is.)
All my bank accounts have the same PW and on my computers each root account is the same PW and user account has the same PW. They get changed every 90 days or so.
And, DUH, I use scp, ssh, ssl imap, ssl smtp, etc. always, and VPN when connecting to the office.
To be honest, the biggest security problem I have is accidentally typing my user password into office chat because the monitor just fell asleep, it didn't go into screen saver.
You will get hacked if you have something interesting (corps) or if you have weak security (automagic exploits(Windows)). You likely only have the people you make angry on WoW or your friends to worry about elsewise.
I haven't posted in so long, my sig is out of date.
Good topic. I wish there were more serious posts so the rest of us could glean some knowledge from the replies instead of the geeks trying to be funny.
We had a couple people leave work recently and they had some data in the computer that we needed to get ahold of. Since my company requires passwords and restrictive permissions on all Windows systems my team was worried that we might never get the docs off the systems.
A co-worker got out the Knoppix security tools distribution ( http://www.knoppix-std.org/ ) CD and was able to bypass the Windows passwords very easily. And it read the hard drive ignoring windows permissions.
If someone wanted a secure system, the Knoppix STD CD could be a good tool to use. Try and see if you or a trusted friend could get in to your PC.
- Bruzer (trying to be constructive)
"Tempt not a desperate man" - Willy S.
My password's set to my dog's name.
My dog's name is currently 4$ter*Zf1, but I change it every 90 days.
bp
You people are rank amateurs when it comes to paranoia.
Here are some simple policies I practice:
1. Unless currently being used, the computer remains at an "off" state.
2. Change your passwords often - how often is up to you, but be reasonable. I suggest 30 to 60 days for medium/low security, and 7 days for higher security. Remember, however, that any password can be breached - it's just a matter of time.
3. Segregate your network (if you have one) into zones. For instance - you should not put your wireless access point straight off your network, instead, come off of your firewall in a new "wireless" zone. Terminate all wireless connection into your firewall via ipsec. Do not rely on WEP/WPA.
4. Block all outbound and inbound ports on your firewall, until you need them. I.e., don't just open up port 80 because you /think/ that you /might/ just run a web server.
5. Virus scanner.
6. Password protect /does not/ imply encrypt.
Anyway, these are just some basic concepts that are OS independent, and if your average user followed some of these guidelines, we'd all be in a better position.
http://www.accelerateglobalwarming.com
I wear a tin-foil hat.
I believe paranoia is a VIRTUE! Being a sys admin I don't give Internet access even to my boss, he is a real cool dude, does all his mailing from my Linux box.
"Anyone without a strong root password is likely to have a strong root password provided for them by an 'outside consultant'" That would be funnier if it didn't follow: "Yes, of course it's the right cable [le0: NO CARRIER]" "Outside consultants" usually don't care about machines with no network access - even if they can break in and get it.
- Internet: Fully closed firewall (not even ssh).
- WLAN: only through VPN. Everybody can get an IP from my AP, but they'll only find one UDP port open (running openvpn). No internet access, no nothing.
from the inside, everything is allowed, the idea is that an intruder cannot get inside in the first place.
As a firewall I use fiaif (using 4 zones: INT, EXT, WLAN, VPN).
"It's too bad that stupidity isn't painful." - Anton LaVey
Just use GNU/Linux like I do. Problem solved.
LinuxP2P.com - The GNU/Linux File-Sharing Portal
Paranoid or careful?
http://www.forescout.com/activescout.html
Draw your own conclusions.
~hylas
As far as I can tell there is no way to prevent physical access to your computer short of never letting it out of your sight. If someone has access to your computer ALL passwords are instantly irrelevant. Someone can always install key logging hardware in your keyboard. If they do that without your knowledge you have just given up all of your passwords.
Yeah, gotta watch out for the family and friends. I personally sleep with my wallet under the pillow.
A sticky note that reads "Don't Touch"
gently taped over a thumb tack.
Taught several college roommates the meaning of "Read the damn sticky!"
Being Smart:
Being paranoid is making your system as close to unusable as possible because of all the security turned off. This is like living in a fortress with steel walls, doors, and bars over the windows and every type of lock possible. Going too crazy could lead to a false sense of security, as well as making yourself more of a target for people who see all the security setup and figure if it is that tight something good must be inside. If you are that afraid of hackers, turn your computer off, unplug it and put it in a safe; you are probably better off that way.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
This is why I always use prosthetics for my hernia tests.
I keep all my Pr0n on an unmounted filesystem so the girlfriend can't find it when she uses the computer :)
Nuts I say! NUTS!
I run a FreeBSD based DSL router/firewall. I set it forward every port from 2000 on up to my Windows box. Since all of the insecure native Windows ports are below 2000, this works quite well to keep the tardmuffins out.
Of course, the services I run that use the higher ports may have vulns some day.....but
toadlife.kicks-ass.net ---hack me (no wait...please don't!)
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Of course, that's not the only blunder. A cracker under the name "The Cheshire Catalyst" broke into a network service they were demonstrating, and started piping songs onto the computer screen in the TV studio.
These security breaches got the kind of publicity few crackers could ever hope to achieve today. A live television audience of maybe 7-8 million, and next to zero chance that the camera is going to pull away?
One important lesson I learned, over these incidents, is that security is rarely accidental. Nor is it something you can consider separately from the rest of the design. Designing something to be consistent and uniform means that errors will stick out like a sore thumb. In terms of security, or reliability, elegance is everything.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Not possible. He could be connected thru a hundred or so infected/trojaned machines (Windows most likely) and this will only lead you on a wild goose chase as the Windows users likely don't even know their machines are being used in this manner. Don't even bother.
I am waiting for an in-warranty replacement of my laptop's hard drive, that makes noise and doesn't work too well, and I thought that just in case someone wants to steal my data, I might as well hit it a couple of times with a screwdriver. Now the thing doesn't even turn on, so I'm safe (but I doubt that the technician that is coming tomorrow knows how to access a reiserfs partition...)
How well does your personal security stand up to big brother when he visits you and gets to put you in "stress positions" for hours and you are going insane or wasting away?
Somehow, I don't think very long.
For anyone out there who does not have a root password on their machine, I am pleased to announce my new 'Computer Lockdown Service'. In today's crazy InterWeb age, you never can be too careful when it comes to computer security.
Send me your IP address and a check or moneyorder for $49.00 and I'll take care of the rest.
Thanks, Have a nice day!
My sig can beat up your sig.
"There is more to life than black dick, but it took me almost five years to find that out."
Slashdotters: You are all a bunch of faggots.
Do you hear me, you repulsive faggots? NO DIGG.
30 character password
Now, that's not paranoid, just plain stupid. Just imagine, early in the morning, quickly checking mail before tumbling out the door going to work, and I mistype 1 character: bamm, type again, mistype 1 character again: bamm, type again, ... [later:] bamm, fracking puter lands on the sidewalk.
Why would someone do such a thing to oneself, being sane to a very minimal extent? Buy a darn iris scanner, or fingerprint authentication stuff, whatever floats your boat. But 30 chars to type just to get into your spyware-house? Get a life.
Regarding the main question, i.e. being paranoid: one can efficiently and effectively protect even a Windows PC without becoming, well, possessed.
I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
... But am I paranoid enough?
what have you heard?
How do you know it doesn't have a backdoor? How do you know your PC doesn't secretly "phone home" one day? You could never be sure about that, since you don't have the source-code to your OS! How can you call yourself a paranoid when you're using XP? Real paranoids don't use commercial software... real paranoids write their own OS!
"I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?"
You call that security? I have my computer rigged up to some C4, that's set to detonate if you type in an incorrect password, all of my files are translated into Swahili before being encrypted in 512bit encryption, before it's all put onto a hard drive enclosed in tin foil so the commies can't scan it using their radar (cos RADAR KNOWS EVERYTHING, cos I saw some film about it once), and if I ever need to print something out I print it in white ink so nobody can see it, and don't even get me started on software...
Man, you have it easy - call that security?
One thing I worry about as far as systems security is how information can "leak" out of a system. Of course there's the internet, or any other network connection. Then there's the one article on slashdot some time ago that detailed how one can reconstruct the image on your CRT display by intercepting the RF emissions.
If I was to secure a box, The *first* thing I'd do would be to put it in a vault, and sever all network links. I wouldn't even have the vault door open with the machine on. If there's no network connection to the machine, physical security is key, and indeed all that really matters.
But I think it's all a matter of perspective. Are you trying to protect your stuff from casual crooks and script kiddies, or more determined individuals who are much more clandestine in their operations?
Model 551, Chambered in 6mm
> stored on a 256bit AES encrypted volume.
I hope you opted out of having a swap file.
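Several comments in this thread make the same point: plaintext from an encrypted volume can still be paged out to an unencrypted swap area. The following check is an added example, not code from any poster. It assumes Linux, the `/proc/swaps` format, and that encrypted mappings were created with cryptsetup (which gives their device-mapper UUID a `CRYPT-` prefix); the sample swap table and the fake sysfs tree are constructed.

```python
"""Report which active swap areas sit on dm-crypt (constructed sample data)."""
import os
import tempfile

# Constructed sample in the format of /proc/swaps: a header, then one area per line.
SAMPLE_SWAPS = """\
Filename                                Type            Size            Used            Priority
/dev/sda2                               partition       2097148         0               -2
/dev/dm-0                               partition       2097148         0               -3
/dev/dm-2                               partition       4194300         0               -4
/swapfile                               file            1048572         0               -5
"""


def build_sample_sysfs(root):
    """Create a constructed stand-in for /sys/class/block under `root`."""
    layout = {
        "dm-0": ("CRYPT-PLAIN-cryptswap", ["sda3"]),          # swap directly on dm-crypt
        "dm-1": ("CRYPT-LUKS2-0123456789abcdef-vault", ["sda5"]),
        "dm-2": ("LVM-constructedvolumeid", ["dm-1"]),         # LVM volume on top of dm-1
    }
    for name, (uuid, slaves) in layout.items():
        os.makedirs(os.path.join(root, name, "dm"))
        with open(os.path.join(root, name, "dm", "uuid"), "w") as fh:
            fh.write(uuid + "\n")
        for slave in slaves:
            os.makedirs(os.path.join(root, name, "slaves", slave))


def is_on_dm_crypt(name, sysfs_root, seen=None):
    """True if block device `name` is a dm-crypt mapping or is stacked on one."""
    seen = set() if seen is None else seen
    if name in seen:            # guard against loops in a malformed tree
        return False
    seen.add(name)
    base = os.path.join(sysfs_root, name)
    try:
        with open(os.path.join(base, "dm", "uuid")) as fh:
            # Assumption: the mapping was set up by cryptsetup, which uses this prefix.
            if fh.read().startswith("CRYPT-"):
                return True
    except OSError:
        pass                    # not a device-mapper node (e.g. a raw partition)
    try:
        slaves = os.listdir(os.path.join(base, "slaves"))
    except OSError:
        slaves = []
    # Walk down the stack: LVM on LUKS shows an LVM- UUID with a CRYPT- slave.
    return any(is_on_dm_crypt(s, sysfs_root, seen) for s in slaves)


def audit_swaps(swaps_text, sysfs_root="/sys/class/block"):
    """Return [(swap_path, status)] with status encrypted / plaintext / unknown."""
    results = []
    for line in swaps_text.splitlines()[1:]:    # skip the column header
        fields = line.split()
        if len(fields) < 2:
            continue
        path, kind = fields[0], fields[1]
        if kind != "partition":
            # A swap file is only as protected as the filesystem holding it;
            # that is not resolved here, so it is reported as unknown.
            status = "unknown"
        else:
            dev = os.path.basename(os.path.realpath(path))
            status = "encrypted" if is_on_dm_crypt(dev, sysfs_root) else "plaintext"
        results.append((path, status))
    return results


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as fake_sysfs:
        build_sample_sysfs(fake_sysfs)
        for path, status in audit_swaps(SAMPLE_SWAPS, fake_sysfs):
            print(f"{status:10} {path}")
```

On a live system, pass the contents of `/proc/swaps` and leave `sysfs_root` at its default.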
Paranoid about computer security?
Never do anything on a computer in which you would have a problem with your SO, religious leader, law enforcement, employer, friend, and someone you never met standing behind your shoulder watching as you do it.
BSD is designed. Linux is grown. C++ libs
Well...
-I have a custom designed and maintained *nix firewall with snort, portsentry, hostsentry, and logsentry on it between me and the internet.
-My wireless uses WEP, yeah. But I also use OpenVPN with SSL authentication and encryption to enable access to my network for my wireless devices. So all wireless traffic is basically encrypted above and beyond WEP
-All of my important data is in one location with a backup with appropriate file and directory perms
-The most sensitive data on that system is encrypted
-Any Windows boxes that HAVE to be on my network at home (currently the TV computer) are pretty much firewalled off to the internal network with the exception of Samba and port 80 access
The number one thing I've done to be secure: stop using Windows if I don't have to. Haven't had a problem since that switch.
Obscurity. Who knows me? The only people who would even want to hack into my computer are people who don't even know what Linux is, much less a command line. I consider myself safe from them. They wouldn't even know where to find a script kiddie even if there were SKs who worked on Macs. You don't know me .. this was posted via Library so heck yeah no one's getting my data. I could leave VNC with a whitespace password on my computer for 2 years and no one would bother getting in.
Welcome to Slashdot.
You are now offically the biggest faggot we have on here.
My humor is obviously so much more valuable than pr0n.
If I was that paranoid the last thing I would do is using an OS like Windows XP. Remember that story with the mysterious NSA registry key in former Windows versions..
For starters: :)
:) and I do love this country very much.
1.) No machine with data on it is left by itself. Meaning all machines with my data on it are laptops and are with me at all times.
2.) No windows except those used at work. All *bsd derivatives.
3.) User Data kept on removable harddrive with 256bit AES and 42+ password length.
4.) All machines have small partition with DBAN installed in case of the need for emergency wipe.
5.) All internet traffic (including DNS) bounced off proxies at a couple of friends' locations not in this country. SSL tunnel to those proxies (recently I've been trying Tor as well).
6.) Camera monitoring of all locations within house/work that contains my data. Remote storage of images.
7.) Some homebrew stuff still in the works for monitoring/locking
There is always a part of me that wants to scratch it all and move to the side of a mountain in canada somewhere...but, I stay for the convenience of living here
For the most part, the idea of Information Security in the corporate world(public sector as well I am sure..as 2 friends of mine are in the military) is almost non-existent. Some of the people I work with have their heads so far up their ass it makes you wonder why you continue to try to propose changes.
Although the above does seem overkill for most. It is not really a paranoia issue for me. I just don't like the idea of those I don't know peeking at my data or where I go on the internet.
Truth be told. If those high enough want to know what you are doing, they will find out. So for those who are doing bad things...there really is no refuge that can't be sought out.
I have an awesome firewall on my computer (it came with Windows XP!) and I encrypt all my files and every keystroke I make in real time with ROT-26!
Fitzghon
They look much harder at AC posts than us rambling registered users who normally have nothing interesting to say...
:-)
There is no safety in anonymity, only mediocrity. People are always looking to see who hides behind the mask even as they step over the unwashed masses.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What the author did was serious overkill.
The simple solution (for personal computers) is removable media like an external USB hard drive. Connect it to your PC when you need to access sensitive information. Yes, this doesn't help if your system is already compromised, but if this has already happened chances are you're fucked either way.
This also works well with portable computers, but using memory sticks. If you're in an insecure area (cafe) and need to leave your laptop for a few moments, just take the stick with you.
It sounds like the author focused on securing his data only while he's not accessing it, like the encrypted data and silly long password, but when he's already logged in, and the data is decrypted, your security is lost. And the fact that most people leave their machines on (while logged in) doesn't help in any way.
His computer is only secured while he is logged out, and his computer is turned off, but still not physically secure.
Chances are if you're in an environment that is not secure, this is your first mistake, and really if you have information that is this important, why the hell are you connecting that machine to the internet anyway?
TruePunk | Games
I'm so paranoid that I refuse to talk to myself just because THEY might be listening..
The password? I tore it to bits, put bacon grease on it, and fed it to the dog.
I got three words for you - Pooper Scooper Exploit.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
I haven't seen anyone mention their own security level on their computers: admin, user, or in-between. Running a program with admin access gives the authors of that program admin access to your computer. I run as user, not to limit myself but to limit authors (both their intentions and their mistakes).
The trend to have programs auto-update themselves increases the concern. Sure, I trust the program now, but will I tomorrow? How do I know that the program's company keeps their employees happy?
Other security measures at the desktop, such as firewalls, anti-virus, and anti-spyware, are only reliable if they are protected from anything the user can run. Any new malware run as admin can disable all that or (worse) fake your security measures' effectiveness.
As Paranoid as an Android can be.
All my sensitive stuff is on encrypted disk images. My root password is well constructed and more than a dozen characters. My screen saver requires said password, and kicks in fairly quickly. Anybody who uses my computer gets their own separate account. Nobody, not even girlfriends, gets to use my account. I run LittleSnitch to control access on a per-app basis. I have not yet, but will soon set up a dedicated firewall box in the living room closet.
I've been considering a motion-activated web cam set to upload to an Undisclosed Location, but I really don't want the Vice President staring at my coffee table all day.
Other than that, I rely on the fact that Winders users present a nearly infinite number of much softer targets. Well, that and the fact that any cracker out probably already has a better line of credit than I do.
Quantum materiae materietur marmota monax si marmota monax materiam possit materiari?
My password is imaginary (I have to rotate the keyboard 90deg to type it)
I have to say I have a different scanner that uses another body part - one that for sure at least prevents female access.
However the downside is that I feel compelled to log out and "reauthorize" about fifteen times a day, then I keep forgetting to save stuff. Such is the cost of security!
I'm running openbsd 3.6, encrypted swap, AES 256 encrypted disk (port of netbsd's cgd) for all my programs except the bare boot. I also run heavy IPSEC between all my normal hosts, yes, even on the local wired network. I use diceware to generate my passwords, and try to keep at least 64 bits of entropy (it's not that hard if you practice remembering the passwords), I use a 128 bit entropy password for the disk encryption key. I run openbsd firewalls in front of *EVERYTHING*, I filter not only by IP, but by mac address as well. Don't neglect your patches either. Oh, and I keep my sensitive materials encrypted with GPG as well. One thing to remember is that disk encryption only protects cold disks; if you have the beast mounted, someone with physical access can take your keys from memory and you have nothing! If you've got firewire, you might want to do what I did with my notebook, and fill the firewire ports with epoxy (and if you're *REALLY* paranoid, fill the screw holes as well).
and reformatted all my media multiple times before crushing them under the wheels of a passing steam roller. As a final set I took the remains and smelt them at over 1200 degrees using my home built blast furnace.
Now no one will ever get my data HAHAAHAH! ehhh dang what was my gmail password?
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
My Linux Command of the Day site : LCOD
"I recently went overboard on securing my information"
"as secure as Windows XP can be"
These are mutually exclusive.
I store my bookmarks in a PHP/MySQL application separate from my PC. When company comes over I switch the app from private to public view and clear my browser history. That's enough to keep out the casual "what's he been up to" jokers while allowing guests to check their web mail and/or E-bay. _Nobody_ uses my PC unsupervised though.
The nice part of being a PC parts packrat is that when company is coming over for an extended visit I can set them up a spare box with a bare-bones OS and a web browser, and just wipe it when they leave. Knoppix works great for that, also.
I learned to stop worrying when I started getting virus-infected email from the CIO.
That's "Mr. Soulless Automaton" to you, Bub.
If preventing physical access entirely is not possible, it's best to make sure that you have a tough BIOS password and booting from CD disabled. Just about anything on any hard drive can be accessed with a custom built linux Live CD. In a world with free 250MB web-mail accounts, you just e-mail anything you find interesting.
I generally recommend Slax as a good place to start when making a custom CD.
Aero
Please stop hurting America -- Jon Stewart
he would have lied about the specs to his setup ;)
The /home-partition on my laptop is encrypted.
I store tapes off-site.
I shred or burn every piece of paper that can be used to track me down (shipping-labels, address-labels, letters, addressed letters).
cheers,
Rainer
Windows 2000 - from the guys who brought us edlin
Back in my ol' hacking days I had 1 laptop that never EVER was in my house that all hacking was done with. it never had anything on it that could attach me to it (yes, I used gloves when handling it ALWAYS) and never EVER used floppies to store any of the information on it. Zenith minisport, it used 2 inch floppies so it was impossible to get more of them anyways.
All my 'Sploits were on that machine and I never used it or hacked from in the town I lived in.
This was all back when I was a wee one, and is my distant past. but I learned from some of the best (a friend was a 414 member) and one thing that was instilled in me was to be insanely paranoid.
to the point that where I had the laptop stored I had ways of detecting if someone had been there.
if it looked like someone was there abandon it and never EVER return.
His father was Ex-CIA and he was one of the very few that were not nabbed when they took 414 down. no I never knew his real name and no I do not know where he is or have had any contact with him for over 20 years now.
basically his help in telling me to be insanely paranoid kept me out of the law's hands until I finally grew out of it and left the illegitimate stuff for the other newbs. (note social engineering is far more fun and will nab you LEGITIMATE access to things, and it's a key talent that will get you very far in the corporate and business world... the ultimate hack is getting the sysadmin to give you an account.)
things like installing back to back modems in offices you find access to their phone closet, (Man I had to have at least 8 of those around) tapping lines and installing outside line access and YES even making rubber handset couplers to couple a pair of payphones together for some 1200bps goodness that would make tracing you harder than hell. (put the modems in a box make the box cut power to both modems when it is opened so you know when someone discovers your redirect, that is a first warning that they are tracing you, telephone guys are clumsy and will start poking around back then, they never had any FBI agents that were well versed in telephone equipment until recently.. Using a telephone gear box to conceal your modems works best, and making it look like 10-11 phone lines enter that box also makes it more tempting to open it first.)
SO basically, acting pretty much like a spy would, expecting danger at every turn and NEVER giving others information, especially not friends that do the same thing, is as paranoid as I was.
it kept me from getting caught and out of Jail. although I never did anything illegal, nothing at all, I was a perfect student that did not even own a computer!
I also have no idea who reprogrammed the Altairs in the computer lab to flash their led's in a cylon eye sweep!
but oh man it looked so fricking cool!
Do not look at laser with remaining good eye.
Is there a way to encrypt a filesystem so that it has two different decryption keys, where one key will hide the real stuff and the other key is a dummy key that will decrypt my stuff to look like an innocent adult porn viewer?
I'm surprised no one has tried plugging Evidence Eliminator or CyberScrub as their solution to privacy...
But then this story isn't really about hiding your tracks after looking at pr0n.
but if I told you my security, that would show you more than I want. Wait I have to kill you now.
I can program myself out of a Hello World Contest!!
Just How Paranoid Are You?
Me, paranoid? Why I'm not paranoid at all, who ever gave you that idea? No, seriously, who was it? May I have their full name, email and snail mail address?
I have a box dedicated to file storage only. I secure it in the following manner (well, in the process of doing so.)
1. I run OpenBSD and know how to admin it. It runs ONLY SSH and Samba. It's behind a software router, runs pf.
2. Samba will only be accessible on the loopback interface.
3. Connections to the machine are made via SSH, you must have both a password and a PK authentication. The client has to port forward the appropriate ports for Samba to work.
4. Firewall scrubs packets (prevents some potential TCP/IP exploit tricks)and only allows connections to and from my internal network and my machine at work from the outside.
And that's it. I don't think this would work with more than one machine serving files via Samba, because of port forwarding. I haven't gotten the Samba attached to the local interface yet, right now samba is just limited to the single client I access files from via the firewall. I'd be curious if anyone has issues with the security of this setup. Basically, I want Samba, but with the stronger authentication and encryption of SSH.
First of all, 99.9999% of us are probably incapable of securing our system so well that it would prevent 'big brother' from getting to our info (most of us can't/won't bother with TEMPEST shielding for example). Or staying with our computers/info 24 hrs/day to guard it.
Secondly, most of us are probably so insignificant as individuals that the odds of 'big brother' even being interested in any of us individually are non-existent (except in delusions of self-importance which do nothing more than attempt to compensate for feelings of inadequacy).
Thirdly, all this does not mean you shouldn't use tools to protect your privacy. Over the past few years, the threat to privacy and data theft has become real--the enemy is identity thieves, nosy peers, business competitors, etc.
Actually, wasn't there one of the "hacker challenges" a few years back that told you the root password? Of course none of the services were run as root and root access was disabled from SSH.
Disable WinXP unwanted 'features', a firewall, an anti-virus, anti-spyware, GPG encryption, a good password policy, avoiding unsecure software (like IE, use Mozilla or firefox), some knowledge about how all those things work together and, most important, common sense (don't open strange e-mails from people you don't know, good rules for your firewall, and things like that). With that I've never had a virus or spyware. I think this is secure enough except if the NSA goes after you.
Even better, it's easy to do all this using just freeware software.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former" - Albert Einstein.
then do the following:
1) Make sure it isn't connected to any network.
2) Pour it in concrete, making sure it looks like an asteroid.
3) Shoot it into space, preferably on an intercept course with planets like Saturn and Jupiter (the further away, the better).
4) Pray those planets don't support intelligent life, aliens don't find it and last, but not least pray humanity will never get some sort of interest for the planet in question.
Access to the box is an entirely different problem, though.
Leave me alone!
Dvorak keyboard
Take off every sig. For great justice.
I use Compucage http://www.compucage.com/ for raw physical security because their products are simply the best around. I find that a good physical deterrence is the first step to securing my box properly.
After Compucage, I then use passwords, encryption,....
If my box goes missing, then all my other efforts become meaningless. Yah, some people think I'm a little nuts, but I've never had a box go missing.
pi=sigma{n:0-infinity}[(1/16)^n][(4/(8n+1))-(2/(8n+4))-(1/(8n+5))-(1/(8n+6))]
http://shit.slashdot.org/article.pl?sid=05/01/23/222210
This really begs the question of WHY. I completely understand a firewall, anti-virus, keeping up with security updates, etc. But when you start using all the encryption, I think you are hiding something from the cops, and not just protecting yourself from Joe ScriptKiddie.
The best part? You can check the integrity of your backups just by doing a search in the p2p app, from anywhere in the world!
I have no problem with your religion until you decide it's reason to deprive others of the truth.
reminded me that I did not update my windows for a while. Windows update, here I come.
I'd say you're secured enough to keep you out of trouble for a bit.
But a firewall is only a thin blanket on a cold night. And how is your encrypted volume supposed to help? If your computer is compromised and the volume is mounted... folks have a one stop shop to all your fancy data. And what if your computer is snatched from your home? Is your RAM clean? Swap space? Unlinked inodes?
If you really want to start to be secure, don't use the internet. And keep your important data locked up in a safe.
Telling people the version of OS you use doesn't mean shit, how has the security through obscurity fallacy not gotten through to you yet? I am using an openbsd snapshot from jan 16. Quick, h@x0rz me now.
I pressed this button and it made my house into a house with a combination lock on it.
Seems pretty secure.
This
GET YOUR ASS TO MARS!
Beeeeeep! This implant will self-destruct in 90 seconds.
I google for 2 minutes and find a great instructional video on how to open said laptop lock with a piece of paper and some tape.
A few days go by, a new directive: "Please keep your laptop locked away in a drawer when you leave for the day."
My offsite backups are removable disk packs stored at my sister's house. They contain unencrypted ReiserFS partitions with the files simply copied using rsync.
I suppose that in theory she could read them.
Fortunately for my data security, she's a computer journalist, so she doesn't believe that any disk formats except NTFS and the various FAT variations exist.
Doesn't mean they aren't still after you....
... thought of as ignorant.
I'd start by not using windows xp. Microsoft has put in at least 19 ways for it to dial home or broadcast its presence on a network. As well as being an un-audited, non-open code base there is no way to know how many backdoor holes and trojans are installed into the base operating system itself. All you have is trust that a multibillion dollar, monopolistic company that crushes its competitors in any way possible really wants to keep you secure. Why don't you use ROT13 in your security scheme as well? It's just as effective in the end.
...and that is why I never disclose the location of my password safe to anyone.
to keep one information device, always on my person, that never (really, NEVER) connects to anything directly. No Bluetooth, No WiLAN, not desktop sync. I install to it by memory card using a USB reader on the PC, take the card out and take the data off it. Wipe the card and never copy from the device back again. I always carry the device and memory card on me. I have lots of connected devices, just not this one.
I have often thought that it would be interesting to secure some of my personal data with GPG or some other form of encryption, but you have to write the decrypted data somewhere to use it. Then you have to consider that the information could end up being mirrored in the swap file or some temp file.
It seems to me that safety could only be obtained with a readonly system that uses a RAM disk as a writable medium.
Yes you could say paranoid, Drives are encrypted including swap, use openbsd and SElinux.
:)
Encrypt my irc, newsgroups, mail, use Tor and ant tech for p2p, pgpnet between internal machines, pgp keys held offsite.
Not that I have much to hide, But learning to break your own protection methods and making stronger network implementations and anonymous applications is an interesting hobby
"I disapprove of what you say, but I will defend to the death your right to say it." - Voltaire
This is a topic I've had some interest in. I run Win2000 pro, here's what I usually do:
Connectivity
------------
1/ Prefer a NAT router device.
2/ Password its interface.
3/ Disable any kind of server it might run (dns, dhcp).
4/ Disable UPnP (that neat little thing that allows WinXP to create forwarding rules on its own)
5/ Always use switches over hubs (you don't want your communications to be forwarded to every other host on your lan, right ?)
Firewalling Windows
-------------------
1/ Choose a firewall that doesn't prove to be fuzzy (Norton and the likes, in my opinion, lack clarity).
2/ Make an exclusive set of rules, ie. block anything you didn't explicitly allow.
3/ Allow loopback traffic.
4/ Allow DNS traffic (port 53 inbound and outbound) ONLY with your ISP DNS server ip.
5/ Create tight rules for each application that you're willing to grant network access.
Windows
-------
01/ Don't use administrator privileges, except for maintenance (ie. create and run a user account).
02/ Password those accounts (obvious for the ./ crowd, but still).
03/ Disable any service that isn't vital to you or the system (that can make a lot).
04/ Make your nic config static (you don't need dhcp for your home network).
05/ Uninstall Netbios file sharing protocols (both client and server).
06/ Use TCP/IP Filtering to block any TCP port that isn't required by one of your servers (certainly useless considering we set up a firewall, but we're talking about paranoia, right ?)
07/ Disable WSH (aka. shell scripting host, or vbs): HKLM\Software\Microsoft\Windows Script Host\Settings\Enabled = 0
08/ Set every IE security zone to high, except for the trusted section (set that one to medium) which you will need in order to allow Windows Update to function.
09/ Make sure your firewall doesn't allow IE to connect to anything but Windows Update.
10/ Use Firefox, disable Java support.
11/ Use Thunderbird, set a master password so the passwords for your mail accounts aren't stored in plain text.
Sensitive files
---------------
1/ I enclose my sensitive archives in password protected rar files. That's probably not the most efficient way, I'm sure, but it doesn't seem so bad still.
2/ Make the password for those especially strong.
Maintenance
-----------
1/ Make sure you have an up-to-date antivirus ready at hand.
2/ Install both AdAware and SpyBot (or others, in any combination that suits you).
3/ Keep things up to date, especially client and server applications.
4/ Keep windows up to date.
Entered your password in order to post a comment here, didn't you?
Or something along those lines. ;-)
Anyway... Yes, physical security tops the list. The 'Lab' area of our home, where I do 95% of my work for both home-based business and hobby, is heavily alarmed with PIR motion and door sensors. Visitors are never left alone in the area, and computers are logged off or locked except when they're in immediate use at that moment.
All the systems are secured with difficult-to-guess passwords, and the main house entry itself is protected with electronic access control (proximity cards) and a Medeco high-security mortise lock. The alarm system fires off a notification of intrusion or panic to the monitoring center within ten seconds of being triggered.
Our 'net presence has a hardware firewall (a Watchguard Firebox series unit) that provides NAT and other protections too numerous to go into here.
Our wireless access point runs WPA with a huge key and MAC-address filtering, and is on a separate subnet off of the Firebox. The only stations permitted to even try to connect are those who have their MAC address in our ACL. In addition, I'll be setting up a RADIUS server soon, so the WPA keys get rotated regularly.
All the workstations have current antivirus packages that update regularly (thank you, AVG Antivirus!)
NO ONE is permitted to connect to our LAN from the inside without my express consent, and this means that I check out the system they're proposing to use thoroughly before they hook up. If they don't want to allow me access for an anti-spyware and anti-virus scan, I'm happy to point them towards the free wireless access at the Covington Library.
If all else fails, we turn the dragons loose. If the Knights of Olde didn't do so well in their armor, what chance do you think some hapless script-kiddie wannabe is going to have?
After all, dragons need junk food too...
Do you think I'm paranoid? Who wants to know? And why?
Bruce Lane, KC7GR,
Blue Feather Technologies
I have my wireless router right off my cable modem. Everything in my house is feeding off that. I've got a WRT54G running the Satori firmware. Most of the computers in my house are Powerbooks, however, the machine I am typing this on and use day-to-day is a Windows XP box. I never turn it off. I use Firefox and Thunderbird. I have Norton Antivirus installed and up-to-date and periodically I run Spybot. Also on my network is a Windows 2003 PC (soon to be replaced by a Mac mini) sharing out files to my house. It only has necessary services running.
So here is my question: when are you too paranoid? I keep an eye on my router logs and aside from the occasional ping or malware-infected PC scanning my subnet, all is quiet. The only point of entry into my network is the router, and at this point I'm unaware of any real risk I have running my particular router configuration. People are talking about subnetting their home network, firewalls, logs, turning off their computers, disabling wireless and Bluetooth, etc. This is excessive. My wireless network uses WPA and I live in a suburban neighborhood. Call me ignorant, but I feel as though my setup is sufficiently secure.
If someone hacked through my router and somehow gained access to my 192.168.x.x network, there is very little they would find of value to them on my computer.
Besides, credit card numbers are left on Post-Its all over my work space... far more secure than on my PC. ;)
Always post slashdot anon.!
Um, what's the point of having a laptop that stays at work?
Why aren't those fools told to take their laptop with them when they go home, lest they lose it to somebody who actually needs it.
Let's assume that your password can only be made of the letters a-z, the numbers 0-9, and their corresponding uppercase or shift-keyboard equivalents. Simple math would indicate that there would be roughly 72^30 possible combinations of passwords. The Windows calculator program eats this as 5.2477712140573920113791072551143e+55 possible passwords.
Assuming that you could process a billion (10e+9) passwords per second, that would mean it could take approximately 5.24e+46 seconds to attain the password. Good luck waiting that long. Then again, you may get lucky within the first 24 billion years.
The moral of the story: long passwords can be a good thing.
--Chag
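The keyspace arithmetic in the comment above, together with the diceware targets (64 and 128 bits) from the earlier OpenBSD comment, worked through as an added example that is not part of any poster's comment. The word list is a constructed stand-in keyed by dice rolls, and the guess rate of one billion per second is the comment's own assumption.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5                    # diceware: five dice rolls select one word
LIST_SIZE = 6 ** DICE_PER_WORD       # 7776 entries in a diceware word list
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size, length):
    """Exact count of strings of `length` symbols from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Entropy in bits; holds only if every symbol is picked uniformly at random."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, list_size=LIST_SIZE):
    """Smallest number of diceware words that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(space, guesses_per_second):
    """Worst-case search time; the expected time is half of this."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def constructed_wordlist():
    """Stand-in for a real diceware list: one placeholder word per 5-dice key."""
    keys = ("".join(p) for p in itertools.product("123456", repeat=DICE_PER_WORD))
    return {key: "word" + key for key in keys}


def roll_key():
    """Simulate five fair dice with the OS CSPRNG, e.g. '41536'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(n_words, wordlist):
    """Pick each word independently; independence is what makes the bits add up."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("word list must have exactly 6**5 entries")
    return " ".join(wordlist[roll_key()] for _ in range(n_words))


if __name__ == "__main__":
    space = keyspace(72, 30)
    print(f"72^30 = {space:.4e} passwords, {entropy_bits(72, 30):.1f} bits")
    print(f"exhausted in {years_to_exhaust(space, 1e9):.2e} years at 1e9 guesses/s")
    for bits in (64, 128):
        print(f"{bits} bits needs {words_needed(bits)} diceware words")
    print("sample:", passphrase(words_needed(64), constructed_wordlist()))
```

The 185-bit figure only applies to a 30-character password whose characters were chosen at random; a memorable 30-character phrase typed by a person has far less.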
All my personal information is licensed under the gpl 2.0
...::----::...
I am in no way affiliated with this sig.
This takes longer than clicking my xterm shortcut and typing ifconfig fxp0 down.
Hold it right there, cowboy! you're running X as root? care to share your IP with the rest of us?
Most people say that my home network is overkill.
I have a dedicated wireless access point/NAT/SPI Firewall connected to my broadband modem.
This allows me to use wireless (configured with WPA encryption, for what it is worth)
Of course, I do not trust wireless encryption, but I do like the convenience of wireless. This resulted in my adding a dedicated wired NAT/SPI Firewall attached to my wireless "DMZ".
Both of my dedicated firewalls allow VPN access through them and my wired one is set up as a dedicated VPN device. This allows my wireless DMZ users to access my wired protected network through an encrypted VPN over an encrypted wireless link - I figure that this should confuse most wireless packet sniffers out there, but I'm sure that anyone who really wants to will get through.
In terms of protecting my data, I use encrypted volumes with physical USB keys that are locked through biometrics. So even if someone gets ahold of my USB keys, they will still need my fingerprint (yes, I know that it is all over my house and on the USB device too - To fix this I could always create my own custom fingerprint to use from a latex model of a finger and a knife)
All kidding aside, the general concept of a dual firewall setup for the paranoid users with both wired networks and wireless networks is a good solution.
I'm an Anonymous Coward you insensitive clod!
You can add Limbaugh and Bush's IQs together and it couldn't boil water
Is that in Celsius or Fahrenheit? Better yet Kelvin perhaps? I only ask because the last option would leave them smarter than all of us while the middle would at least make them barely above average.
I knew the metric system was good for something ;)
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
All you need to do is plug in a X10 module that is controlled with your linux machine using bottlerocket, and then write a plug in for snort or your favorite network sniffer. 3 bad packets in a row and just have the X10 module go off.
Depending on how paranoid you are, that X10 module can turn off your dsl/cable modem, switch, router, or even your linux machine or turn on a light or siren.
as for physical security, it's only a myth. a guy with a crow bar can get just about anywhere that's not military controlled.
Oh and if you use the X10 example above, please remember people drive around tripping those all the time with their wireless remotes.
Why read the article when I can just make up a snap judgement?
Claiming that revealing your OS version is a security issue is advocating security through obscurity. There is no security benefit to having your OS version hidden.
They will hear you and learn of your weaknesses! Dumbasses! Announce to the world how you secure your system. Stupid stupid stupid.
Rule number two about 'sercurity': Get rid of Linux and install BSD.
ND
This statement is forty-five characters long.
I reveal my password anytime someone asks. ,X177987 Of course that password was only valid 10 years ago at a job a place I don't work anymore, and they forced random changes monthly. However that is my password. It just isn't valid for anything, and never will be again because I don't reuse my passwords.
Just because you don't know how to enable the icon by selecting one check box, doesn't mean the rest of us don't.
...there might be a poll for this: Is it legal for you to encrypt and hide your stuff?
It isn't everywhere. And in the UK for instance, if the government demands your password you must turn it over, if you don't (or forget) you go to jail.
Very handy...
If Google really cared they would fix Android Chrome to reflow text, instead of discriminating
Friends don't help friends install M$ junk.
... if someone uses a zero-day exploit to install a rootkit.
If you want to be truly paranoid about intrusion detection, occasionally boot up *OUTSIDE* the os and run tripwire from known, trusted read-only media.
You can never equivocate too much.
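A minimal sketch of the check that comment describes, as an added example that is not Tripwire's code or any poster's: hash a tree into a baseline, seal the baseline with an HMAC key kept on the trusted media, then compare against it later. All function names, the demo files and the key are constructed for illustration.

```python
import hashlib
import hmac
import json
import os
import stat
import tempfile


def snapshot(root):
    """Return {relative path: {sha256, size, mode}} for each regular file under root."""
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            path = os.path.join(dirpath, name)
            info = os.lstat(path)
            if not stat.S_ISREG(info.st_mode):
                continue  # symlinks and special files are out of scope here
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(65536), b""):
                    digest.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            entries[rel] = {"sha256": digest.hexdigest(),
                            "size": info.st_size,
                            "mode": stat.S_IMODE(info.st_mode)}
    return entries


def _tag(entries, key):
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def seal(entries, key):
    """Serialize the baseline with an HMAC so edits to it are detectable."""
    return json.dumps({"entries": entries, "hmac": _tag(entries, key)})


def unseal(sealed, key):
    """Return the baseline entries, or raise if the stored file was altered."""
    doc = json.loads(sealed)
    if not hmac.compare_digest(_tag(doc["entries"], key), doc["hmac"]):
        raise ValueError("baseline failed HMAC verification")
    return doc["entries"]


def compare(baseline, current):
    """Report paths that appeared, vanished, or changed hash/size/mode."""
    old, new = set(baseline), set(current)
    return {"added": sorted(new - old),
            "removed": sorted(old - new),
            "modified": sorted(p for p in old & new if baseline[p] != current[p])}


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as handle:
        handle.write(data)


def demo():
    """Constructed scenario: baseline a small tree, tamper with it, then verify."""
    key = b"constructed-demo-key-kept-offline"
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"bin/login": b"original login",
                          "bin/ls": b"original ls",
                          "etc/passwd": b"root:x:0:0"}.items():
            _write(root, rel, data)
        sealed = seal(snapshot(root), key)

        _write(root, "bin/ls", b"trojaned ls")      # same size, different content
        _write(root, "bin/.hidden", b"implant")     # new file
        os.remove(os.path.join(root, "etc", "passwd"))
        current = snapshot(root)
        report = compare(unseal(sealed, key), current)

        # Someone who can edit the baseline but lacks the key cannot hide a change.
        forged = json.loads(sealed)
        forged["entries"]["bin/ls"] = current["bin/ls"]
        try:
            unseal(json.dumps(forged), key)
            forgery_caught = False
        except ValueError:
            forgery_caught = True
    return report, forgery_caught


if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the environment doing the hashing, which is why the comment says to boot outside the installed OS and keep the tool, key and baseline on read-only media.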
In a business environment, encrypting your work product would call for disciplinary action. Security is in the hands (competent or not) of the IT staff. What is on your computer is company property. I would assume, as a pointy haired manager, that encrypted material on a company hard drive was something in violation of company policy: warez, porn, etc..
"Any sufficiently advanced incompetence, is indistinguishable from malice." Grey's Law
I don't run Linux since I like to play games and my wireless card does not support.
I have a Linksys WRT54G acting as a NAT for my network with WPA Encryption and a longish passphrase, MAC white list, interface over https, policy restrictions blocking some spyware/malware hosts, filtering unused IP ranges, and filtering certain ports.
On the PC, I have Norton Antivirus Corporate Edition, Spyware S&D and Spywareblaster Immunizations, Adaware SE 1.05, and AxCrypt. I use Firefox and Thunderbird as my primary browser, keep my software and windows up to date, and have scheduled scans for spyware and viruses once a week. AxCrypt uses 128bit-AES on my personal files (both sensitive and embarrassingly bad writing). I do confess to having some read only shares on my network since I have a HTPC and like to stream movies and music since it has a tiny hard drive. My porn is not protected, but hidden using the file property "hide" and turning off show hidden folders/files.
Speaking of the HTPC, it has nothing sensitive on it and I have some read only and full access to one share on it. It's behind the NAT and runs Windows Firewall as well because it can. I have Filezilla Server on there with a SafeTP wrapper to encrypt transferring of files and login information.
Johnny installs InsecureOS 1.0. Outwardly, this OS appears to be a FreeBSD box, but that's just a farce.
Which of the following options should Johnny select?
1. Tell everybody that he is, in fact, running InsecureOS 1.0.
2. Shut the fuck up and maintain the FreeBSD farce.
3. Install a better OS.
Clearly, the right choice is option 3, but let's just arbitrarily cross that option out. Now, which is the best choice?
It is a fact that revealing certain aspects of a system makes it easier to crack. Is there any logical connection between that fact and the concept of security through obscurity? Only to people who can't think straight.
You don't seem to be able to make the distinction between these two ideas:
1. Obscurity IS security.
2. Obscurity ENHANCES security.
I use index cards to store information. Yes, there are problems with index cards, but you can't hack into them, and the thieves will be more interested in stealing my credit cards and electronic goods than pieces of paper.
1 and 2 are the same. It doesn't matter. He's pretending to run freebsd, h@x0rm@n runs automated exploit tool against Johnny, and he's fucked. He can say he's running VMS on fucking vax for all h@x0rm@n cares, it does not matter in the least. There is no additional security in pretending to be secure, cause anyone who wants to can just check if he's lying or not.
Vancouver Washington was here before Vancouver BC.
I just don't keep anything on my computers I would hate to explain to a judge! (Not that I HAVE anything I would hate to explain to a judge.)
An IDE-to-USB adapter for hard drives cost $3 at the local computer junk store. It will take all of 5 minutes to copy all the data on your secure computer. Please tell me this post was a bad attempt at humor.
No offense, but do you really think your stuff is THAT important to others? Maybe it's just because I'm 21 and invincible!!! but all this seems overkill to me for a personal machine. I feel fine on my XP machine over a measly 128-bit WEP wireless connection and NAT router. And uh-oh, I even have some ports forwarded for games, P2P, and HTTP! AHH!! I think some of this paranoia is just a matter of self-importance. Who's gonna take the time to h4x0R my box to get a big load of nothing?....he asks, not really wanting to know....
plain XML, for um, anyone who has access to the school, the county research department, or the department of education. Believe me, after that, there's no point in keeping anything else secure.
read all the information you can get
and they are just about to start to computerise the health system. "transparent access to all your medical records by anyone who says they treat you"
I'm too paranoid?!
Even if they manage to take my hard drive, the data won't last until the trial...
The society for a thought-free internet welcomes you.
Can I ask you what are your intentions by asking about my security settings?
It is not because you are not paranoid that they are not out there to get you
I'd just pick any 128-bit encryption that is considered secure enough. I can remember 15 characters much more easily than 60 and it's for all intents and purposes equally hard to bruteforce (that is, not going to happen in the near future)
So, first you pretend you aren't talking about obscurity ("where did I say anything about obscurity?"), then you admit you were talking about obscurity, and try to make a scenario where it would help. Then when that fails, you just start making up random senseless gibberish, and you think *I* need a course in logic?
I am talking about revealing your OS version does not make you less secure, and that is factual. Your opinion is that revealing your OS version makes your security problems more likely to be attacked, but that's very much debatable.
I don't know if I'm supposed to talk about it, but some of the OpenBSD developers have been working on hardware solutions for realtime encryption of data going to and from RAM, anything leaving the on-chip cache would go through an AES chip using a temporary session key.
If your temp files always live on MFS, temporary data will only exist in RAM or in swap, and with the above solution, when the system is shut down the data in those two locations becomes unrecoverable when the session keys are flushed.
And I thought I was paranoid!
let me get this straight. You are using windows xp and you are worried about security? Let me tell you something about security. What in the world could you possibly have on your computer that is damn valuable to require a dedicated hardware firewall and all the rest of the crap that you have installed? Not to mention the slowdown that you are experiencing because of all that crap. If you want better security change your OS. Then you should also know that even if you have an extremely secure system you still can't eliminate the human factor and after all that's the way most secure systems get owned. Oh yeah and that 30 character pass that you are using is no different than say a 10 character one. You almost never see people trying to bruteforce passwords. Takes too damn long. Not to mention that your crappy home computer has nothing that a cracker would want to get so badly that they will have to work that hard on it. Security paranoia was invented by a dumb sys admin so that he would know the name of his condition.
I'm so paranoid that the only way to deal with life is to assume that I'm already dead and God's just screwing with my head before deciding my final fate.
fast as fast can be. you'll never catch me.
I hit him on his sig earlier.
you want Rankine where the BP of water is 671.67.
And to keep this from being redundant to my previous post:
The Rankine scale starts at absolute 0 (like Kelvin), but uses Fahrenheit graduations rather than Centigrade graduations.
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
"Send me your IP address and a check or money order for $49.00 and I'll take care of the rest."
Bah what a rip! I'll do it for 48 dollars and a 100 cents.
Tom
Someday, I'll have a real sig.
I keep stuff pretty secure. In fact, if I told you how, I'd have to kill you.
They'd find my Harry Potter and CRFH fanfiction and fanart? They find out I'm a gamer? They see backups of my website and forum? They find out that they just wasted their time? Fine by me. ;) The worst thing they could find would be a mildly racy photo of me. I don't keep personal or company info on it
I just use XP, virus scanning software, Ad-Aware, and Firefox instead of IE. I don't stupidly open attachments or click on random links.
It's really just a gaming rig. If something goes wrong, I can wipe the HD and have everything reinstalled within hours. Nothing's happened in the last year, so I'm not particularly worried. Why pay good money for a hardware firewall and other fancy solutions when there's nothing there that I'd cry over if it was lost?
The government REALLY is out to get me.
It is better to be the hammer than the anvil.
Heck, I'll do it for 47 dollars, 8 quarters and a nickel. You can afford a nickel, can't you?
Rule Number 3 about 'sercurity': Get rid of your computer.
the 21st Century equivalent of the Jolly Roger, that ubiquitous hello.jpg file from goat dot see ecks.
I've recently tried gnome after ignoring it all this time and was glad to see it had a user switch option (via gdmflexiserver) so one user could log in without logging the other out.
But a few rough spots still. The first main problem is that all users have to disable their screen savers as the screen saver screen does not have an option tied in to switch user. This alone prevents it from being a means of locking out say the kids, but still giving them an option (via the gui) to log in.
The other problem is even if you switch before a user's screen saver kicks in, it will still kick in after the allotted time, while the other user is in their login.
And finally, the gdmflexiserver as far as I understand it, is kinda a kludge tying another Xserver to the other user. Maybe I'm misunderstanding it but it seems this wouldn't scale well resource wise. AFAIK, win xp and mac X share the same Xserver for lack of better description and lighten the resources with multiple users logged in. Also some people have problems with sound daemons being shared across Xservers.
So there is a fair amount of work to be done there, but just adding the new user option to xscreensaver would get us the core functionality now.
So a user would be able to walk away from their machine and lock the screen, and know they are keeping other users out, while not interrupting their running apps and not preventing others from doing what they need to do.
BTW it takes about 2 seconds to fry a single disc, but due to different power ratings on models your mileage may vary.
DON'T TRY THIS AT HOME, use the office one first.
I have 28 separate personalities and each of them has stolen the identity of someone else, they each have accounts on our computer and behave as though they were the person whose identity they have assumed. Our system is totally insecure since none of us can agree on a password but at least no one will find out any personal information from us because it all belongs to someone else.
Your reply is accurate but I don't like it after many a time trying to explain technical and *not so technical* stuff to people with blank stares.
I don't believe your post really answers the question by itself. But in conjunction with the parent post it is more than adequate. Why?
The mismatch between the question and the correct technical answer, and the answer the poster may accept or understand: for me this illustrates the difference between the "knows" and the "don't knows". I've come up with an idea that I use often to deliver technical messages. I call it the *eggyolk* concept. It's certainly not unique but it serves me well.
Eggyolk explanation
Soft gooey and yolky on the inside, the simple message. The outside white bit (albumin), the technical message (context to facts) and finally the shell, the concrete facts. Why does it work?
Detail loses people
Many people do not want detail. Through laziness, inability or time constraints, they don't want detail. Instead they are more interested in snippets of information from conversations. This may go some of the way to explain the popularity of blogs compared to say newspapers and technical reports. So the eggyolk idea is to find an information snippet that links to deeper information hidden within.
A good example may be the *Dummies* series of books - (Consults, 'DOS for dummies'). Technical details wrapped in bullet points, clear language and graphic design.
As for how paranoid you should be, read about the creator of PGP, Phil Zimmermann, and his articles on data privacy and paranoia.
peterrenshaw ~ Another Scrappy Startup
because if i was, i'd be posting anonymously!
Revealing my password allows someone to access my account. Revealing my OS version allows nothing that couldn't already be done. Try again.
We had a so-called security expert put them on a bunch of my SUN systems at a job in 1999, Talked our PHB into buying into that. Took all of a week to get the jerk and his dumb idea out of our site. Once the power went out and the Junior who was on late shift couldn't start the systems. PCs are easy to get around and Suns are a evil to fix after that sort of nonsense.
Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
A few points that come to mind:
*) Backups? If you do have backups, are they encrypted? If not, then what happens if your machine breaks or is stolen?
*) Spyware/Malware. If someone is able to get spyware on your computer are you certain that you'd notice anything in the logs? Do you do anything to protect the logs from alteration?
*) Email. Your email server supports encrypted passwords? Do you trust your email server? As much as you trust that encrypted volume?
*) DNS. Do you run your own DNS server or do you trust what your ISP's DNS server tells you? Okay, this is a little tinfoilish...
*) Government. Remember what happened to Susan McDougal when she decided not to testify? I'm pretty sure the government could put you away for a long time if you decided not to give up that 30-character password.
*) Friends/Family. Maybe you don't have anyone living with you, but do you want a potentially relationship ending "you don't trust me" argument?
*) Does this information exist somewhere else? If you are trying to keep private stuff like social security numbers, etc. there are usually plenty of other places where they can be stolen. If you are talking about confidential documents/reports/spreadsheets -- are you sure that no one has printed these?
*) What happens when you die? Maybe you don't care, but those left behind when you pass on may want/need access to that computer.
*) You or the Computer? Remember people talking about car jackings going up once people started using really effective anti-theft devices? If you really, really have something people would steal on your computer do you want them to steal the computer or do you want a gun in your face?
In other words, this setup might not help you against random, normal threats and is going to make real, personal threats worse.
But the BG-500 seems semi-cool.
-- I browse at +5 with stripped sigs
"What about doctors? Lawyers? Accountants? Schools? Bookstores? etc."
They're all safe, they use WindowsXP.
According to their website, it's now "easier than ever to download security updates."
it's modded +2 interesting, you see, instead of +2 funny.
just in case it's not a joke, you are aware that a BIOS password does sweet FA if someone has physical access to your disks, or your machine's compromised whilst running, aren't you?
just checking.
ric
A better question would be: Do you have anything worth protecting? Most of the people I've seen go to extreme lengths to keep worthless crap secure, just so they can go around telling everyone how secure their POS is.
10 print "i am networkboy"
20 goto 10
in all those ZX spectrums in shops about 20 years ago?
Pay attention to firewall logs? What's the point? 97% of the IP addresses are phantoms, infected with a worm or remote controlled by a hacker, or the address is spoofed. I used to send in my logs to mynetwatchman and dshield, but it became very clear that Internet providers don't take action; they just bounce the messages back with an autoreply. The owners of these infected computers don't give a shit; if they did, their PCs and servers would not be repeat offenders. I just watch my own backyard, keep my system secure and clean, and block everything with my hardware firewall.
...from when you were contracting, right?
this is where that self same company makes a bid for data archival and you make double your normal take-home just for walking those DLTs home and back each day...
I took a black magic marker and wrote my passwords, PINs, bank account #s, CC #s, and SSN all on the lid of my Powerbook.
That way I figure nobody will bother trying to break into my Powerbook - therefore it is probably pretty secure.
There are some odd things afoot now, in the Villa Straylight.
Just stick an IPSEC gateway in front of your machine, and only allow inbound SSH from traffic that passed through the IPSEC gateway.
Simple, auditable, and secure.
I do not deploy Linux. Ever.
It looks like most people here go way overboard in the paranoia dept. Granted your business should be well protected, but unless you have an online business, the best way to protect yourself is to keep your computer systems disconnected from the Internet. (Or at the least put multiple firewalls between the two)
As for your home computer, I have found that using a router with a built-in firewall, and XP's built in firewall are all that I have needed so far. Sure if someone wants to get in, they will, but following that logic, there is no way to stop all access unless I never connect it to the internet.
I guess all I'm basically saying is that if it's that critical - keep it off the net. Otherwise, just do enough to keep the script kiddies out and relax.
I'm surprised no one has hinted on the use of hushmail email service. It's quite good for the lazy. Also: http://forums.gentoo.org/search.php?mode=results
(Sorry, Olivia Newton-John, but) I'd say "Let's get Physical!"
I'm one sorry chap who experienced the following physical-related security issues.
1. Toddler sticking a penny/pence into the CD slot. Shattered CD, anyone? Put the toddler in the closet???
2. Bumping coffee, not only soaking the keyboard, but dripping in between the kitchen table crack (where the extra table leaf is stored) and onto the uncovered PC box below. Now it's a coffee-cup holder off of my swivel chair's arm.
3. Flooding of basement; the site of a vanilla box half-submerged with all your data (AAAAAURGH!). Rack-em high.
4. Dropping all sorts of tools into the uncovered PC box. Five to be exact, what's a hardware tweaker to do? I'd still leave the cover off anyway. Just placed further higher up.
5. Windows XP installation hosing the MBR to my LILO/GRUB sector. This one really smarts. I've gone Linux-based VMWARE instead and jailed that F*CKIN' Windows partitions.
6. Tripping over the power cord to my MAIN MAN (server, that is), resulting in unrepairable EXT2 data corruption (this is before the days of journaling yore, known as EXT3). Now, we have EXT3 and a power strip placed at 6' level.
7. Kid downloading free gameware (covertly loaded with SPYWARES!!!). Evicted the kid.
8. Get some freaky unexplained reboot issues (actually caused by living next to a Weather Radar tower honing into my overclocked PC). (Live on an upward hill) Fixed that by keeping the PC cover on. Later, moved away (the smarter move).
Nowadays, I avoid all of the above with a patented 15x20' office space out in my garage, in a non-flood zone, locked, naturally-lined with aluminum-foiled insulation and tripled pin-holed web-cam surveillanced at undisclosed vector-point location.
Sheesh!
http://nsolo.kicks-ass.net/my_dogs_name.JPG
All of my sensitive information is kept on a windows box that has no network card, and all data is stored on the disk encrypted, and only decrypted into a ram disk. If I want to transfer files to the computer, I load them into the unfrozen drive of a second pc that has DeepFreeze on it, unplug the network card, restart, move the files onto a usb disk, and then transfer them from the usb disk back to my secure computer's ram disk, where they are encrypted then stored on the harddisk.
It all depends on what you're trying to secure. All data isn't equal. My shopping list I couldn't care less about securing. I would go to great lengths to protect trade secrets worth millions of dollars though.
This seems to escape a lot of people, but really it's just like physical security. Do you keep all your books in locked safes surrounded by armed guards? You would probably do that with a million dollars worth of diamonds or gold bricks though.
AccountKiller
having been confined to 98se until recently, i had assumed microsoft had by now managed to create a workable implementation of local user security in xp (aka nt5). however, since i began using it i learned this is not the case. despite the fact that properly working local security models have existed in other operating systems (even vms) for several decades, xp's local security model has a fatal flaw -- almost every application requires that you have local administrator privilege or it will not work properly. and no, you can't just give yourself local administrator privilege to install and then take it away -- that does not always work. so if you have an xp machine with more than one user, your choice is to not let those users use basic applications like Palm Desktop (it's a documented requirement, so it's 'not a bug' [yeah, right]) and cd/dvd burning software, or give everyone local administrator privilege -- which rather defeats the purpose of having a local administrator privilege. the security implication of this is that if you value your personal files and would like to prevent other users from deleting or modifying them, you need to host them on another computer (like a samba equipped linux box). anything you store locally on the xp box is obviously not secure (local administrators can delete or modify any locally stored file) -- and if you host the files on another xp box, you need to not have any real users on it for the same reason. gotta love microsoft's innovative operating system. oy.
My computer is a 286 and runs a 1988 version of SCO Xenix. I feel reasonably sure nobody is targeting viruses at me.
When I'm not using my computer, I pour 15,000 lbs of concrete over it. Granted, this makes it hard to just "sit down and hack." Last week, my dad called and said "Read your email, I sent you something important." My stupid upstairs neighbour called the cops over the sound of the jackhammer at 2 AM. Stupid neighbour.
My internet connection is a 110 baud modem. It's not connected to my computer, but rather to a teletype, which prints out the incoming packets. I manually enter the packets using an old morse code key (long=0, short=1). I have the same setup attached to my computer. I am now up to 75 bps in two-handed morse-code-binary transcription.
The password to my computer is set to the winning numbers in next week's lottery. Unfortunately, this means I can only log in within one hour after the lottery draw, because that's the only time I know the password. One of my friends suggested I instead use the fact that my computer is predicting the winning numbers to enter the lottery, but that would be revealing my password. Stupid friend.
I have a head to memorize those things for me.
I figure if they can crack that, I'm screwed anyway.
Terrorists can attack freedom, but only Congress can destroy it.
Hardware FW blocks all inbound, only way in is to trick me to inviting you in, e.g. spyware or social engineering. I guess you could try 0wning the firewall itself. Of course you can always try to break into my dwelling.
Once you get in, there's not much more than standard OS security, and there are root-kits out there for most OSes. Yes, I keep up to date with security patches but that's not rock-solid.
I also use mal-ware scanners and blockers, and don't use apps known to be hazardous to my machines' health.
I don't use heavy-duty encryption, etc. Frankly, I'm at more risk of someone breaking in and stealing my PC to pawn it than trying to 0wn it.
Why do you ask?
It works better if you use:
cat /dev/urandom | tr -cd "[:graph:]"
No point in securing windows because there is no such thing as a secure windows (at least not a usable one). To any that thinks that hacking windows makes them a hacker; I just hope one day you grow up and act your age and not your shoe size.
Ok, let's say I told you I was running redhat 6.2, not openbsd. Let's also say it was the truth. How does that change anything? If I am not a complete moron, then I have updated any vulnerable services, so you still have nothing. If I am an absolute moron and it's a plain default install of redhat 6.2, then someone else will have already beaten you to h@x0rzing me, even though I didn't get the chance to tell them my OS version! Even if I changed all services to say I am running openbsd, it wouldn't matter, I would still already be rooted. It does not matter.
...and I'm confident that the tinfoil hat on my head is secure, I'll reconfigure my bootloader to scrub my harddisk if the wrong boot password is entered, add a chip to the drive electronics cable to swap bits back and forth and ensure that the whole thing is encrypted in a way that needs to have the disk in my system, and bolt my system to the floor. I may see if building LCD phased glasses to allow the light from my screen into my eyes at appropriate rates will stop someone leaning over my shoulder.
I'm wondering if having a 512 character signal on a random open port that torches the system would be a good idea: you never know when you will want to ring up the thing from The Outside to make sure my parents don't find my porn. I mean, I'm thirty-seven and an adult, but that would be a bit embarrassing. But I don't go Outside too often and growl at anyone coming near my basement and My Precious.
(Some or all of the above may not be true.)
I just take the damn thing with me wherever i go (note: hard drive, not the actual comp)
A bullet may have your name on it but splash damage is addressed "To whom it may concern."
last post
Who needs brute force? When he's out or asleep, I'll boot using a Knoppix CD and image the HD to an external device.
I recall certain underworld figures were busted because their crypto was no protection against the keylogger the feds installed (when is the last time you checked inside your keyboard?).
Failing that, some crack-head will kick in the front door and hock the server. (as a side note, my Unix console is a 486 laptop in the middle of the desk, "steal me instead!")
If the data is that sensitive, I'd read Cryptonomicon a few more times.
"Everything is adjustable, provided you have the right tools"
A few things:
- It's probably easy to establish rapport with the poster's sister and gain access to his system that way
- Security is not just about making things uncrackable. It's just as important to set things up so that you know when they have been cracked
- Your security is directly proportional to your capability to make the perpetrator suffer
this is like a tinfoil-hat convention!
I enjoy large posteriors and I cannot prevaricate.
I rot13 encode all of my thoughts, because a tin hat is suspicious
See, it's so easy. Most of you assume Windows or Linux... I use OS/2. Security through obscurity. j/k really, with OS/2, I have 386 HPFS installed for security and encryption on a per file basis. 3 wrong passwords, and I have the thing set to erase it. There's also a dead man's switch on it. If I don't log into the machine in a preset number of days, it'll turn on, fire off an email to the wife with any info she may need and scrub the system so it's bare. And yes, I have accidentally forgotten my password and lost a lot of crap, but it works. Now even if the HD is removed and someone installs it on another box, forensics dongles, what have you, it's encrypted, and it's an HPFS partition. and there's a BFS partition as well. Not too many tools these days have the HPFS still in them, let alone recognise BFS. You'd have to dig to find the tools to effectively acquire the data. Also, should someone figure out it's an OS/2 machine, what's the likelihood that they even care anymore what data is on it? There's that stigma of OS/2. So there's a ton of things going for it in that alone.
In my house I just use a relatively secure firewall and block ports commonly used for exploits. I figure anyone interested in personal data will break into a less secure network. Because it's less secure. Network security is much like a lock. There is no unbreakable lock, but you can make it not worth the thief's time if you are using a stronger lock than your neighbor down the street.
I hide my money and porn under my mattress.
I keep backups and browse smartly with Firefox. I also have a hardware NAT and regularly run my Ad-Aware and AVG. Plus, I don't think I have too many confidential things on my system.
There's really nothing on my computer worth stealing, but the thought of blowing away my entire setup and starting from scratch gives me hives. So I have an old pentium running a dedicated linux firewall with NAT to the internal network. Everything is blocked, with the exception of ssh which is forwarded to my linux box inside the network. There are no wireless connections.
;-).
I have an iptables firewall running on my personal linux machine, and I use the ssh AllowUsers directive to only allow remote logins from my username. Other than that there's nothing running that's visible from the outside. I also check for security updates every day. Naturally I also have a strong root password and never log in as root unless I'm doing something that requires it.
I could get a lot more paranoid than that, but I think having a strong dedicated firewall, not running services I don't need, etc. is enough to keep me protected from the vast majority of malware out there. That, and not running windows...
Yes, we understand these tags always apply: fud, dupe, typo, slashdotted, topic name
There really are some easy ways to protect yourself that most people overlook. This is what drives me nuts about a lot of information which is stolen, it should have never been offered in the first place.
Unless you NEED internet access, don't have it. For personal PC's, turn them off when you aren't using them, and for goodness sakes, don't use an admin account unless you need to. That is the biggest common mistake.
If you insist on leaving your computer on, power off your DSL/Cable box, or manually unplug. It isn't that hard. And disconnect from the wireless network. Password protecting your login isn't enough, password protect access to your hard drive, as in no boot-up without password. Then make sure to turn it off after you are done.
Most solutions aren't hard. Yes you need a firewall, yes you ought to have PGP, but the most effective are the easiest.
Basic honor and respect. If I need pass codes, I need better people in my life.
Plus, despite any copy-protection I might employ, the 'Man' has the technology to see what's on my system any time he wants.
Nobody really cares what you keep on your hard drive. They just want you to feel guilty so that you live under perpetual self-inflicted stress and misery.
-FL
Oh Well,
;)
Call me a Troll, a most pleasant change, but I'm a true believer in that information truly wants to be free.
(All that 2600 and Phrack et al - a whole new industry for the Freudian school.. .
So, I hear you ask, what has that to do with anything?
Client side I am what you could refer to as an enlightened (though highly educated) fool. I run Windows XP.
Yeah, I know.
When you're in my position there's really no goddamn choice. Let's just leave it right there for the sake of the - uh.. . argument? Don't get testy - we're getting there..
Eventually..
As I started earlier (although rather pretentious and philosophical) information wants to be free.. . So what the FCKU do you guys keep of information in physical form on your storage devices that someone would ever beset you with?
Let's face it. Most people worrying about this are tinfoil hats. They may adorn pretty and wonderful hats, but of little interest. Even to us, much less to the Echelon(s) of The Power That May Be (tm).
Oh.. . I hear you all call Troll - once again..
Well, fair game. Or not.. . In a Bill Bailey sort of Bewildered way.. . (However - this thread is not Part Troll..
What the FCKU do this mongoliod (in the DIVO sense) do to protect his data, I hear some of you cry - or maybe in slightly disjointed whispers?
Well.. . In one word - Nothing! (Oh.. . and then maybe?)
Ok. For posterity - Ere' goes..
No sensitive information - like the next 911 or personal identifiers of any kind ('cept for my non-deniable IP address - but you can't have that without a subpoena - such a nifty word)..
In another phrase: There's no information on my connected devices that could ever amount to anything.
Remember? Information wants to be free.. . Especially from you - even more so if you have it connected to the interweb.
Oh.. . And then I guess I have to mention it since I'm an enlightened fool, as opposed to a mere fool..
I run ZoneAlarm Pro. And NAV 2005 - fully functional in every (but one) way. And Spybot Search & Destroy. And SpyWare Blaster. Aha! And that's not all - I run Gia.. . Uh.. . No. M$ AntiSpyware tooo! (Lay off! It's free! Never heard about it before it was..
(Please FCKU off about the security debate on those tools.. . Same, same - but different topic?)
And if that was not all.. . There is of course a treat for you hardware lovelies out there - an ADSL router with my absolute control.. . Yeah, it's cute in a Nazi sort of way. Nothing can get past it without my personal approval.. . For every instance.. . Of course it also helps with a little feedback from it.. . telling me when/if something changed - I can't help the provider helping it from it self..
Oh.. . And I have a little wintel honey pot in front of this of septic too.. . (Same config, my beautiful inquisitive ones..
So.. . Uh.. . What.. . Who.. Eh.. . Yeah!
This brings us undeniably not straight back to the original matter at hand..
Your IP is most likely traceable, your storage is most likely crackable (speaking of the general pubic).. . Above all - Your data is most likely worth FCKU all..
So in conclusion.. . I'm out of alcoholic beverages and psychotropic stimuli..
Keep your goodies stenoed, pgp'd - mil + then some grade - and above ALL - Keep it away from any sort of networking. - Be it word of mouth, sleight of hand, electro/magnetic wonders of the new Reich.. . ad nauseam.
I'm sure you all don't get the point by now..
But.. . Above all.. . Why FCKUing hide?
Information wants to be free - as in beer?
No - Now I can't remember where I hid that last one...
This space is powered by Google Ad-nauseam.
yeah, my removable media is secure. I use magneto optical. Like I have ever seen anyone else use it.
security through obscurity.
That kind of shit was going on long before Bush II; he didn't start it.
But then again, I guess you'd rather bitch about and bash Bush and be blinded to the problem.
You're probably one of those people who repeats the mantra "The only thing Clinton lied about was sex" and believes that Janet Reno was A-OK.
Bush, Ashcroft, and the USA-PATRIOT Act are just more of the same of what's already been going on (eg - the 1994 Crime Bill, the 1996 Anti-Terrorism Bill, etc. etc.)
A real paranoid wouldn't be online at all...
---- Booth was a patriot ----
the 30 character password makes 0 difference unless you made the reg changes.. fwiw. but i'm sure everyone here knows that.
This is an application installation design issue. This is not an issue with the operating system security. InnoSetup as an example has a flag which installation creators can set to require administrative privileges. General guidelines say only to use it when it's actually needed. Not everyone follows guidelines, but MS is hardly to blame for this.
You can't just give yourself local administrator privilege to install and then take it away
"Run as..." can be accessed using an alternate click to impersonate any user when running any application. I have it on by default, so I can't tell which key combo; it's probably SHIFT + Right Click. Granted, some applications won't run because they think they're admin all the time and can do whatever they want, since they were installed as such. This is again an application issue.
so if you have an xp machine with more than one user, your choice is to not let those users use basic applications like Palm Desktop (it's a documented requirement, so it's 'not a bug' [yeah, right]) and cd/dvd burning software, or give everyone local administrator privilege -- which rather defeats the purpose of having a local administrator privilege
A solution is to find out which files your application requires access to and provide file-by-file access to users who need to run the program. You would do this for data files as well, so I don't see how this is any different. The complexity comes in when figuring out which files to "unlock". Using a tool like filemon from http://www.sysinternals.com/ can help in that regard.
Nero as another example provides a tool to allow users without administrative privileges access to the DVD Burner. Their application is the problem, so they provided the solution. It's not up to MS to do this for them.
local administrators can delete or modify any locally stored file
You could theoretically make an account group with administrative-style privileges, and be able to lock this entire group out from folders. In my case, I have a laptop connected to a corporate LAN. No one logged in from that LAN (including network admins!) can access primary shares on my drive. However, I've given read-only access to non-network systems so I can get stuff I need from any test computer (which are never logged on to the network).
In summary, you should think again about being admin yourself, since you don't understand the basic principles of administration. These same techniques (with variations of course) equally apply to any other OS. Unfortunately MS makes it look like it's easier than it really is.
click-clack, front and back. I'm not moving this car otherwise.
The guy is willing to go through the trouble of entering a 30 character password every day but still keeps his critical data under Windows!?
I *was* using SSH until someone found it on port 22 and was probing it non-stop for days. Time for a reconfigure.
If someone enters the room (or any of the consecutive faraday cages) without typing in the correct 15-digit code at the alarm panel within 2 seconds, the power automatically shuts off, losing any data on the ramdrive. It also detonates a homemade bomb of about 100 kg explosives, 500 kg rusty nails and broken glass, and about a ton of sulphuric acid, and causes the five samples of smallpox virus stored outside the house, to be released.
At least now I know my hiscore-data for wolfenstein 3d is secure!
Gentoo Linux / 2.6.10 kernel( current - ie patched regularly )
ssh with password-less authentication ie you need a special generated key, which is checked by challenge / response mechanism, to log in
Courier-IMAP over SSL for remote mail access
Apache-2.whatever.is.latest
Firewall blocking all ports except the above
Squid for internet access for my LAN ( no masquerading )
Nothing of importance is stored on the gateway.
My workstation is:
Gentoo Linux / 2.6.10 kernel - also updated regularly
ssh with password authentication ( so if someone gets into the gateway, they don't automatically get into my workstation )
:)
Everything important is on this machine
I don't run any services I don't need on the above 2 machines.
Our games PC runs Windows XP - updated regularly. Nothing important is on this PC - apart from my high scores
my personal setup..., I have cheap netgear firewall/ wireless router, which feeds directly into a linux box running 2.4.x kernel with the NSA seLinux patches... additionally, I filter outbound traffic... only related/established inbound traffic is allowed... the only method of accessing my server from the internet is to portknock, and then use a modified version of SSH (created by modifying the "magic numbers"/ control codes)... if you port knock improperly, you get dumped into a honeypot network... and autoblocked in the firewall... the only way to reset the rule in the firewall is to knock with the proper unlock sequence... I know you all saw the wireless router... but, I just want to remind you, that, with my setup, everything connected to it, is treated as hostile... including the wireless... as the linux router treats everything on its outside interface as hostile... the port knock setup I use is based upon doorman... and it is configured to restrict the rules to ip/sourceport pairs... so even if my remote workstation was compromised unbeknownst to me... the hostile party couldn't connect to the server, as the firewall rule restricts to the source port on my ip... utilizing ssh tunnels, you can cascade several layers of firewalls, to provide added security... as far as physical data security, removable flash media coupled with cryptoloop and aes-1024 (yes, aes-1024 is a valid cryptoloop spec... ) ... provides a reasonable amount of security... especially as USB key devices are readily available and cheap...
so, to compromise the system, they have to gain access to your keys... a good start to physical security of your box is to disable root, compile sudo, configure sudo to use sudosh, install log monitoring, tripwire...
on my server, all of my users must connect using ssh certificates... on my workstation, only certain users get a real shell... and other dummy users exist whose shell is set to a script which sends notification....
I also went a step further and setup an account which starts a recursive bcwipe on the hard-disk... also, it cats /dev/random over the swap partition... (after disabling swap) ... and reboots when complete... before doing this... make sure you make and maintain backups of your OS on removable media, preferably stored in a safe with a higher than 10-minute master rating...
this user/password combo, is what I call a panic passwd... and serves to (hopefully) erase all traces, but, at the very least... it makes their life a bit more difficult...
another idea I've played with in the past, is to hack the kernel and change the magic numbers of the file system... (ie. the characters which mark start/end of inode, etc...) ... and to modify the fsutils to the same setup... this, while tedious, etc... I've only done twice... and it worked very well... the theory behind this is that you prevent them from simply removing the hard-disk from your machine and putting it in another machine, or booting off of a live CD...
I quit messing with this about the time that I bought my first SD-card, and cryptolooped with 3DES ... it was just a much more effective end to the same means.... however, the swap partition can be a problem... (the best way around this is to get lots of RAM -- 1.5 GB is nice... -- and configure your swap to use a ramdisk ... silly... but some programs, like gcc... still require swapspace to work properly... ) ... this way, a simple reboot solves all your swap-device issues...
the biggest thing I can think of, is to use long passphrases... and include special characters, use random Capitalization, and spread numbers throughout it...
MOST IMPORTANTLY .... NEVER write your passphrases down, and trust no one... if someone requires access to your machine, make them their own account... and use a logging shell, such as sudosh... also, use some of the features like account time-outs, etc... (do a man /etc/passwd
I've used BestCrypt http://www.jetico.com/ on Linux for 6+ years now. This is a kernel plugin and a commandline tool for user-level volume creation, mounting, password change, etc. It features a good number of encryption methods and uses plain files on existing filesystems for storing the encrypted volumes.
Then I've created a number of BC volumes, all 650 mb, to allow for easy backup of the encrypted volumes to a CD. Each volume is used for a specific type of data: Personal stuff, work related stuff, "bulk" stuff (archives that I rarely use), etc.
When I login, .bash_login checks if the volumes are mounted and, if not, starts prompting for passwords. When I logout, .bash_logout asks if I want to unmount (close) the encrypted volumes.
If you are considering BestCrypt (BC), please be aware that kernel upgrades require at least recompilation of BC (or a new rpm) and for major upgrades (2.4->2.6), you may have to wait for a new BC version to come out before upgrading. Not a problem for me, as I don't do the kernel circus.
For encrypted filesystems in general, do use a journaling filesystem on the volumes! My own volumes used to be ext2, since I had no journaling FS available, when they were created. After a spectacular server crash, I ended up with several hundred mb's of corrupted data. Not BC's fault - old Unix file-systems just aren't up to ugly crashes.
Nowadays, Linux itself features encrypted filesystems (lookback-something), but I haven't investigated, since my current solution has worked really well for me.
I have also considered encrypting all filesystems, but the hassle just isn't worth it for me - the server has 2x160 gb disks and the amount of sensitive data is just a few gb's. Actually I think encrypting my WinXP boxes is much more interesting. They don't hold any data, but they run applications that use the data on the encrypted volumes - and I can't really expect (or trust) Windows to keep my private data private - temp files and such.
Client ran his business (3 years worth of data) from a Windows XP Pro desktop. Was concerned about some specific folders (financials mostly) so used the Encrypting File System available in XP (and 2000) to encrypt those folders to a key only available to his user profile.
What happens to your typical XP desktop after 3 years of registry bloat and spyware infection? His profile became corrupt, and Windows would not let him login. It could offer a "temporary" replacement profile for his username, or he could login as Administrator. Neither option gave him access to his encrypted folders, because the key was only available to the now corrupt user profile.
No problem - he religiously takes backups of all pertinent data using XP's Ntbackup. Guess what. Unlike copying data from an encrypted folder to a floppy disk or other non-NTFS partition, which will decrypt the data on the fly and store in plaintext - NTBACKUP stores the data on the tape in encrypted form. We restored from various backups - but they were all encrypted.
So: (a) don't go thinking the Admin login will have access to your files in the event of your main profile borking, and (b) don't go thinking those tape backups are in plaintext. And (c): consider keeping a plaintext copy SOMEWHERE secure anyway.
Hindsight: yes he should have exported the encryption key and stored it securely ahead of time, or made the Admin account a data recovery user for those folders.
Eventual solution was a $100 software utility which searches the hard drive including registry for all traces of the encryption scheme, and (then having been given the corrupt user profile's password) is able to decrypt all the encrypted folders. Without the password, it might have taken 100 years.
Without that tool, his business was finished.
Paranoid enough to tell you only that I use techniques that are commonly *thought* to be secure, e.g. encryption, secure proxies, etc.. Paranoid enough not to be more specific than that. :P
(No, security through obscurity isn't a "secure" defense. But it *is* a speedbump; much as a safe with 6' thick walls and 8 combos is a speedbump to safe-crackers who had no prior knowledge and were underestimatedly-guessing the existence of a 2' wall and 2 combos. Obscurity is just one more layer, but is not by any means a sole defense.)
Is Capitalism Good for the Poor?
How secure will that information be if the people who want it so much capture you and torture you to get it out of you? I'm reminded of that early episode of the Sopranos where Paulie Walnuts and Pussy are beating up this Jewish husband who won't give his wife the get, and he just won't give in, until they threaten to give him an extra circumcision... :)
"... I declare our city to be a free and independent state to be named Tri-Insula!" --Fernando Wood, Mayor of NYC 1861
I am behind a linksys router, have a software firewall and an alphanumeric password, but I am not as paranoid as I used to be. I USE A MAC!!
You mean my porn vids... oops now don't tell that to my mom...
So.. . By now you know how I am a mongoloid (in the Smartass sort of way).. . Oh - Wait.. . You don't. Say goodbye to the tread now.. . Bye bye.. . FCKU you and your beer hiding family too.. .
This space is powered by Google Ad-nauseam.
I think you are too paranoid. Here are my rules that keep me from being too paranoid:
If someone is doing something "suspicious", I don't care. They still aren't in. No point in obsessing over logs.
If someone breaks into my router, they will be able to change the logs. There's not much I can do about that other than to set up a logging server, or some other way of getting the logs off the box quickly. But then, they could break into that box, and I'm not willing to waste CDRs just to ensure that my logs are good.
My operating system is Gentoo Linux, and it isn't hardened, but services are off by default unless I explicitly enable them, and I keep all my boxes up to date. I don't harden them overly against internal attacks -- hell, I'd rather the bastard DOS me, that way I know I've been owned, instead of having a billion limitations that I'd trigger every day, and have to monitor for the slightest discrepancy, in case someone had turned me into an open relay or something. I sincerely doubt that there are many local root vulnerabilities on my mostly up-to-date boxes.
If someone has physical access, they own the box. The only way my attitude here will ever change is if I actually have secrets that are valuable. I'm willing to back up the really critical stuff offsite (gmail), but I'm not willing to encrypt everything just on the off-chance that my brother or roommate learns to use a bootable cd.
For most of my software, I take the approach that if I trust that particular piece of software, I trust all of it, and I don't want to spend so much time locking down individual parts of it. Firefox, by default, won't even prompt you to install stuff unless it's on the Mozilla site.
For mail, if I was paranoid, I'd use mutt or pine, but Thunderbird has been the easiest for me so far. I can't remember ever hearing of a vulnerability in HTML mail parsing, but then, most mail from senders I don't know gets dumped into my spam box.
I've rarely lost a huge amount of data, so I refuse to spend the money to have backups that can be rebuilt in an evening. Better to be able to rebuild in a weekend and just back up /etc and critical parts of /home.
My firewall on my router is only iptables so it can do nat, and occasionally tricks like a faked Halo 2 lag cheat, until Bungee started threatening. But there's not much I can do against a ping flood, and I'm not incredibly worried about revealing which ports are open.
The process I went through was similar to what happened at work, where we were building a brand new Linux firewall. At first, we were going to take out everything but the cdrom and floppy, boot off the cd and keep /etc on the floppy, and run a hardened Debian. But we found that the hardened Debian had too many usability issues, and it just wasn't worth the time to set up a log server, flick the floppy's read/write tab (and mount the fs read/write) every time we wanted to update the firewall rules, learn to create a good bootable CD, etc. etc. etc....
We finally looked at what we had, and said fine, we'll use a packaged firewall on top of iptables, block all inbound data from the www, and if they can root it, we have backups. And the whole office was either Debian or Win2k, so we can rebuild from /etc and /home on Debian boxes and the My Documents on the fileserver from the Windows boxes in about an evening.
Don't thank God, thank a doctor!
A little program called cmatrix. If I really want to impress people, I open about six translucent aterms with green text side by side on my 1600x1200 display, have a few of them run cmatrix, and reorganize my pr0n collection on the other few, since not many people who'd be impressed by such a trick can actually read text that small.
If they aren't impressed ("You're a nerd"), I switch to another virtual desktop, and launch all my games -- all at once. Half-Life, Starcraft, ut2004, q3a, quakeforge, tuxracer, doom3, and whatever else I can get to not grab my mouse. Then I go back to the one with the aterms and hook them all into the server consoles for the games, and start messing with things like sv_gravity, god, etc.
If they still aren't impressed, I might up the ante and play a pr0n movie for them on half my screen, and go play q3a with extra gibs on the other half. And if that doesn't get them (maybe the bloody explosions and the pr0n don't mix well), I give them goatse until they go away.
Don't thank God, thank a doctor!
I had the same idea to access files at home from school and work. I had some problems, I think it was related to the fact that in Windows you can't change the port you connect to, so the client loses the local Windows network while the tunnel is up. Alternatives include a VPN, which gives you a secure network device, not limited to SMB. This requires admin privileges on the client machine, and installing extra software. I decided the way to go was WebDAV on Apache/SSL. No extra software required on the client and it's more secure than plain SMB. The client is integrated into Windows explorer. Now if there were an SCP client for windows that would map the connection to a network drive...
I'm sorry if I haven't offended anyone
No, he means that his computer fascinates him so much that he hasn't time to think about anything else.
I knew a guy like that. He would have s--- his pants, if he hadn't died of starvation first.
I have quite a bit of I.T. value in my home...software, hardware, and data. One thing I take extra care to do is make sure none of my neighbors have any clue just what I have.
For example, when I bought my house and moved in, every single piece of computer gear was put in an anonymous box without labels before being carried in. The boxes were unpacked out of view of any windows, and I arranged my shelving and desk in such a way that nothing is viewable from a window or door.
I also made sure to warn my neighbors to stay away from my German Shepherd (she's a fantastic watch dog). Not that a dog is foolproof against someone determined to get access, but it doesn't hurt to present as difficult a target as possible.
Keeping your stuff obscure via net access is all well and good, but don't forget about John Q. Public walking by on your street, or a nosy neighbor peeking through your window.
Hey! Isn't it nice to be a schizophrenic (or maybe just an alcoholic) bastard?
Without sucking much (french?) male Karma poultry, this incredibly nonsensical thread - be it as it may - will never be ever be read by anyone but me and my split personalities..
Ain't that grand? Yes - we all agree, thanks Me.
This space is powered by Google Ad-nauseam.
I use Linux exclusively. This is what I do to secure my privacy. Some of it would tend towards paranoid, but hopefully just that dramatic fun kind of paranoid.
1) I use an encrypted loopback to host my web browser settings and cache. You have no idea what a web page might load via JavaScript or what might be in the cache from visiting a page unintentionally.
The locate database and backups are set to skip this filesystem.
2) I use TOR as a proxy for my webbrowser for non-local browsing.
3) I use encrypted swap.
4) My screen blanker is set to lock my workstation after 10 minutes of idle time.
5) I use GPG when convenient (i.e. with other technical people who agree) and have my mail client always encrypt for those users.
6) I reset the keyboard repeat rate every 2 seconds. (I once had reason to believe my keyboard was tapped as part of an FBI investigation of a co-worker). I use logcheck to watch for keyboard errors--i.e. if the keyboard is unplugged. I also watch for the standard stuff like origin of logins, etc.
The last one is a bit over the top, and I know it. But life needs a bit of drama in it.
Mostly I prefer some privacy from my employer about what I've browsed. I understand that whether I am legally entitled to that is up for debate. In my profession that is probably more gray than in many.
Yes, I use a simple tactic. I make everything known about me possibly not known about me. You think you have info on me? Maybe you do or maybe you don't. How do you know?
:) Of course the first two letters are the most important ;)
Hey, it worked for Dr. Who
:T:R:A:N:S:
"How far do you go to protect your information against 'Big Brother' or even your family/friends?"
I have become more careful of late now that I've learned that Karl Rove has been attempting to penetrate my system.
Now I turn it off, except when I'm using it and when it is turned on I only run it from a doubly shielded Faraday cage that I have built in a cave under my swimming pool. The entrance is protected by 7 large guard dogs, a grizzly bear, and a bengal tiger in a maze like path leading toward the inner perimeter. I have encircled the yard with a 30 ft concrete and brick wall and built a large concrete and lead lined roof over the entire yard and have installed several large turbine generators to generate sufficient magnetic flux to disrupt all electrical signals entering or leaving my property, except those passing on the single shielded fiber cable to my IP. The vibrations seem to be sufficient to block any seismic listening devices.
To insure that no one including Big Brother is looking at my files I have installed remote machines on several continents that are moved weekly to several hundred different IP accounts on a random basis. These also remain off, except on a prearranged pseudorandom timing that I take off a direct line from a triply shielded cesium clock I maintain in my wine cellar. I then use these machines to send pseudorandom data in chunks at 10 gbps to one another at pseudorandom intervals. Within these data streams I embedded 2048 bit encrypted messages not to exceed more than 1/100,000,000 th of the total number of packets sent/received. The position of the actual data within the stream is determined from the timing of the messages, and their position within multiple bit plane images within which the message is hidden, and not by their content.
By using subpacket splicing techniques at both ends and always ensuring that I never code or decode anything without routing through at least 2 different continents I find that NSA has finally stopped bothering me as I tie up too many of their supercomputers.
Nonetheless for all my efforts to maintain my liberty, I may have to turn it all off and give up as my wife constantly complains that it's getting too expensive to pay for all that electricity, IP charges, and food for the animals, not to mention the time it now takes to tend to the grow lights now that the plants don't get much sun because of the new roof. I guess she may have a point, since I still manage to get a bunch of spam emails. I've got the server farm in the guest cottage running full time now, trying to determine if these are all from Karl Rove or some other penis enlargement salesman. I keep telling them I don't need a permanent extension, but they just don't seem to want to listen. All they want is my money.
Of course, I suspect that Mr. Public is more likely a theft risk than a data espionage/vandalism risk, I think it is important that the net effect of either is the same-- business interruption and loss of business credibility.
So most of my IT stuff is not visible from any windows (oddly enough, this is also necessary for the reason that the earth grounds in most of the rooms are faulty).
Occasionally I do have to show customers around my network as a demo for what I can do for them. They are, naturally, attended through the whole process.
LedgerSMB: Open source Accounting/ERP
Why do you want to know? Who sent you?
Not having anything to hide means not having to be paranoid. My 2 cents.
Well, there's DoD security, which is usually actually based on fairly sane security analysis (for instance, GSA Class 5 vaults and safes only have to withstand 30 minutes or so of attack. Why? Because it's assumed that you'll never be given the chance to stand there for 30 minutes with your power tools without a Marine popping on and following their "Shoot anybody who's trying to open the safe in an inappropriate manner, even if it's the CO" orders).
;)
But he said *REAL* paranoids... and I don't see *squat* in your reply about the constructive use of metal foil for building reverse Tempest cages (you know - where you worry about the *inbound* electromagnetic radiation rather than the outbound like us sane people..
abcdefghijklmnopqrstuvwxyz1234
Now I just need your login name.
"Your superior intellect is no match for our puny weapons!"
I consider myself very paranoid. So does everyone I know who listens to me talk about securing systems I work on. At home I did have a Linux bridged firewall for a while protecting my PC from my GF and her bro's PC yet allowed me to play Warcraft etc on the local lan just opening up the required ports. But then I had to swap hardware and needed a kernel rebuild, didn't have a CDRom handy blah blah. No more Linux boxen firewall (until I bother to fix it). But I have happily locked down my Windows PC which runs on public IP space without a Nat box or heavily blocking firewall running in front nor personal firewall running. Btw it's Win2k not XP. Here's how I do it. I disable all unnecessary services except for those absolutely necessary, being Event Log, Logical Disk Manager, Plug And Play, Remote Procedure Call, Security Accounts Manager, Windows Installer (unless you do not need to Install a product), Windows Management Instrumentation, Windows Management Instrumentation Driver Extensions, and Workstation if I want to connect to other machines' windows shares, which I don't. Then I disable DCOM by running Dcomcnfg.exe and deselecting DCOM from running. I then disable all netbios ports by running Device Manager, show hidden devices and disable "Netbios over TCP/IP". This has disabled the majority of services running but there are still a few windows ports open, namely 135 TCP/UDP, even though most services such as DCOM on these ports are supposedly disabled. I then go into my Windows TCP/IP settings and go to TCP Filtering. I block all TCP and allow all UDP which stops any incoming TCP connects (the UDP filtering is SHITE in this thing). I need to use passive FTP from now on. I don't run MS Messenger as it listens on ports not just on loopback, but use trillian as it only listens on 127.0.0.1. I do use iTunes which listens on UDP 5353 so block this port on my ADSL router which has firewall support.
Other than that, any time I run a new program that has network support I run netstat -an and check if it's listening on new ports. I also filter 127.0.0.1 for src and dst in case windows loopback is screwy in handling external traffic to the loopback address. I don't have multiple users on the machine, just me. If someone has physical access to my house then they can install a physical keylogger if they are that keen to find out my stuff so I don't bother encrypting. Once someone has access to your box it's only a matter of time before they get access to the encrypted stuff anyway. I used to run personal firewalls but personally I think they all blow goats. I would like to get my bridging firewall back up and get snort-inline working with it for a good IPS. But that is when I get time to. No externally available services run on my machine, not even ident when I connect to IRC. Oh I do allow some certain ports in via my windows filtering but like I'm going to say what. These aren't for permanently running things though. Yay. Maybe I'm secure. No firewall except for 1 blocked port, Windows box running on Public IP space.
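The check described in the comment above (run `netstat -an` after starting a new network-capable program and look for new listening ports), written out as an added example that is not part of the original thread. It assumes Windows-style `netstat -an` output; the two snapshots, the loopback port 4001 and all function names are constructed for illustration.

```python
"""Diff two Windows `netstat -an` snapshots and list newly opened listeners."""
from typing import List, NamedTuple, Set


class Listener(NamedTuple):
    proto: str    # "TCP" or "UDP"
    address: str  # local bind address, e.g. "0.0.0.0" or "127.0.0.1"
    port: int

    @property
    def loopback_only(self) -> bool:
        # Bound to loopback: other hosts cannot connect to it.
        return self.address.startswith("127.") or self.address == "[::1]"


def parse_listeners(netstat_output: str) -> Set[Listener]:
    """Return sockets that accept traffic: TCP in LISTENING, bound UDP."""
    found = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header, blank line, or a format this parser ignores
        proto, local, foreign = fields[0].upper(), fields[1], fields[2]
        state = fields[3].upper() if len(fields) > 3 else ""
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        if proto == "UDP" and foreign != "*:*":
            continue
        address, _, port = local.rpartition(":")
        if address and port.isdigit():
            found.add(Listener(proto, address, int(port)))
    return found


def new_listeners(before: str, after: str) -> List[Listener]:
    """Listeners present in `after` but not in `before`, exposed ones first."""
    added = parse_listeners(after) - parse_listeners(before)
    return sorted(added, key=lambda l: (l.loopback_only, l.proto, l.port))


def report(before: str, after: str) -> List[str]:
    lines = []
    for l in new_listeners(before, after):
        scope = "loopback only" if l.loopback_only else "reachable from the network"
        lines.append(f"NEW {l.proto} {l.address}:{l.port} ({scope})")
    return lines


# Constructed snapshots: port 135 stays open in both, as in the comment;
# the second adds a UDP 5353 listener and a loopback-only TCP listener.
BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    0.0.0.0:135            *:*
"""

AFTER_INSTALL = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:4001         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1049        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:5353           *:*
"""

if __name__ == "__main__":
    print("\n".join(report(BASELINE, AFTER_INSTALL)))
```

Sorting puts listeners bound to all interfaces ahead of loopback-only ones, which is the distinction the comment draws between the two messenger clients.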
Well, I keep all important data on a virtual PGP Disk volume. This in itself tends to keep things tight.
As for the network security to entertain me with, I use a Cisco 831 to run my VPN. All my computers connected wireless to my servers and even my internet connection are required to establish a link through the 831. I have also configured a low bandwidth capacity wireless network for anyone with a wireless adapter to use. This makes it so that when people see the Windows 98 computer (a VMWare session on a server), they play with it and hack on it and even use its low bandwidth internet connection through it. The VMWare session is automatically brought back to a clean installation every few hours; this makes it so that if anyone puts nasty programs on it, it's back to a clean install shortly.
I haven't set this configuration up for security, I set it up since I have 6 computers in the house, a license for VMware, a few spare ciscos and a pile of wireless access points laying around. Not to mention there were at least 3 free electrical outlets in the house.
HAND.
Great explanation!!!!
A few years ago, despite reasonable precautions, my computer started dialing up to the Internet on its own and later had problems with spyware, two viruses and even a worm. Yes, I had a firewall, virus scanner and did not click on most e-mail attachments. I finally re-installed Windows. Even then, the LEDs on my external modem frequently flashed at unexpected times. Was it spyware, Windows or some program dialing home or what? Paranoid people such as me wonder. I did not have the computer set for automatic Windows or virus signature updates. Perhaps there are reasonable explanations, but I installed Linux and noticed that it did not have the unexplained chattiness anymore. Of course, there are occasional web pages I go to where chattiness still does occur while browsing on-line.
Windows security just wasn't cutting it, so I switched to Linux. It really amazes me that any business or home user would use any OS that is so vulnerable to spyware, viruses and worms.
I keep up to date with the latest security patches for services I actually run, but have also wondered about hackers or "big brother" using unpublished "zero day" exploits. To minimize vulnerability there, I turned off all unnecessary services. I even turned off the sshd daemon because I do not normally have any reason to remotely log in to this computer with SSH or SFTP.
I am not yet sufficiently familiar with using nmap or security in general to be confident about using nmap to verify that I have closed all the appropriate ports. So instead, I went to the "Shields Up" webpage at grc.com and clicked on "ShieldsUp" and then "All Service Ports" and had it probe for open ports on my computer. I passed because all my ports were closed and my computer would not even respond to a ping. Using nmap would probably accomplish the same thing and perhaps more. In one of the Matrix movies Trinity was shown running nmap from Linux as she discovered and exploited a well known unpatched security hole on a computer which they hacked into. I also plan to learn to use tripwire to detect changes in critical system files and get better at reading my log files.
I dislike all the communication in the background that goes on with advertising related URLs as I go from web page to web page. I block that from my host file by diverting hundreds of well known advertising related URLs to the 127.0.0.1 loopback address on my computer. I found instructions for doing that with Windows or Linux on the "Mike Skallas' Ad Blocking Hosts file" web page at:
http://www.everythingisnt.com/hosts.html
On my home network, I use Ethernet cables instead of wireless 802.11 "WiFi" because I do not yet know enough about how to secure a wireless network. I really did not want to find some war driver parked out front with a laptop and an antenna in a Pringles can. Many people leave their WiFi networks at home or work unsecured. I wonder if my accountant or doctor makes that mistake?
I use a KVM switch to quickly switch back and forth between my new and old computer while still using just one keyboard, monitor and mouse. The old computer is not part of my home network or connected to the Internet. I store some of my personal information on my old non-networked computer. I wonder if one of those tiny inexpensive new Mac Mini computers that come without a monitor would be compatible with my KVM switch? I might replace the old non-networked 266 MHz Pentium II computer with that.
I really do not spend very much time on-line looking at porn, but there are a few favorite soft-core pictures and stories that I have downloaded and saved. Of course, I encrypt that directory. The particular method of encryption that I am using probably does not address the question of what might accidentally be left behind on the swap partition. It is good enough for me, because I am only trying to avoid the awkwardness of having it seen by a girlfriend or by relatives after I die. For the encrypted financial records I might start leaving a passwor
You obviously have the issues of physical access. If your data is small enough you can keep it on you along with your OS. Or you will need a safe.
Make sure your live CD does not connect to the internet or any network, maybe don't include any networking as part of it. Even if your data is encrypted, once someone has it in their possession you can consider it able to be read ultimately.
Only work in a sealed room where no one can see you type and you probably want a darkened box to put over your keyboard when it comes to typing in passwords just to further reduce the chance of being seen.
You can't afford to use a keyboard that someone else has access to in case they bug it. Use an infrared projected keyboard or fold up one that you can take with you.
Of course your machine just sitting there in your absence could be compromised. So you need to carry that with you or lock it away securely when you are not present.
How far do you want to go with this?
I'm sure someone else has already said it, but it's worth saying again.
This space intentionally left (almost) blank.
Not very.. my wife actually adds to the porn collection.. She calls it a "marital aid".
Like the subject says, this post will be ridiculously off topic, but worth every -1 I get, just for the laugh.
poop hits fan, switch gets flipped, data goes bye-bye.
Funny you should say that...
I had a summer job at one time where they processed hay that farmers would bring in for resale. As part of the process there was a rather large fan (upwards of 400hp) that would suck air through the hay via a grate in the floor and seals on the side of the rows, all in an effort to dry the hay (makes it lighter, reduces spoilage). On one occasion, a farmer dropped off some hay that had been stored atop the manure pile. That day, the switch was flipped first, and then poop hit the fan. No data was lost though.
The rest is history. No kidding, fifteen years later and there is still a stain on the side of the building. The building in question was the employee's trailer. Don't even get me started about why it was placed directly in line with the output of that fan. Many, many things can be found embedded in the sheet metal siding of that trailer, but shite is definitely the most memorable.
Check into whether the Linksys or equivalent firewalls can do the firewalling you need (including transmitting the logs). That gets you a firewall box for $50 or so and frees up your PII-466 for more useful work, and keeps your power consumption down and hardware reliability up. Alternatively, eBay seems to be a good source of laptops with broken screens, which are fine for applications like this where you don't need to plug in a monitor very often.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
After psychotherapy I found out that I don't care that much anymore. I sleep easier at night. I'd recommend that to anyone instead of building another line of DMZs etc.
Why should I be paranoid? After all, doesn't everyone have my best interests at heart?
No.
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
PGP every freakin' thing on the drive except the OS.
Let's not forget, no matter how secure you are, how much security you use, you can still get hacked or compromised. No system, no matter how good, or how paranoid, is 100% secure.
I mean where is this guy's badge of 'Special'ness.
I feel like you are trying so hard to protect what? Your p0rn? The only things in my world that are of importance are my inner thoughts and credit card numbers. The rest of my gear I am open booked with.
So to be a serious serious desirer of encryption secrecy you must either have secrets, think you are self-important enough for people to desire your information, are doing illegal activities, or any combination.
My encryption method? A firewall to stop people from fscking me directly and my memory. If it's really that important and shouldn't be given out to anyone any form of recording is one recording too much. Remember the adage the only trustworthy person is a dead one.
"Life is all about strategy, mathematics and psychological perceptiveness."
I am not so paranoid, I lock my door with 5 bolts; one key goes on the cat's neck, one key goes on my neck and 3 keys I keep on a random position in my house. Furthermore I have a voiceprint, fingerprint, retina scanner and breath analyser to check if it is me logging on to my computer. My wall has RF wallpaper which acts like a Faraday cage and is fully protected from and for interference to the outside. My cat needs to get food every day 3 times or a 999db alarm goes off destroying my precious p*rn drive and ears of the neighbour 20 blocks further in the street ... Big brother isn't wa
.. let's open the window on the back now and use PLAN B!!!
Hey, 4 suits are ringing my doorbell, gotta go answer the door for a moment
--- I am known for the ones who want to find me on the net. Is that a privacy risk or a privilege? One might wonder..
I let (and encourage) my fiancee to read my email, and I read hers. We tell each other everything. Trust also means open communication, y'know.