I love how people with a clue suggest people use different passwords everywhere and then more or less every single page in the universe require you to have a freaking login and often don't use any central stuff for doing so (somewhat better now with facebook and Google then again do I really want to connect my accounts that way?)
I'm confused. Are you saying we shouldn't use individual logins, and should use a centralized system of login and authentication instead? That's precisely what we do NOT need. Reusing passwords across multiple sites increases the speed and attack vector.
Using a centralized service ("Log in with your Facebook or Twitter Account here...") magnifies the problem even further.
No, if you want true security in the current environment, always choose to create an account, using the local system's own mechanism, and keep a unique, strong password embedded in that system.
Sharing passwords across systems or reusing the same authentication mechanism across systems is just opening a huge hole so big you could swim in it.
What happens when a flaw in the central authentication system is discovered? What happens when your Facebook credentials are stolen, and now hundreds of other sites you've enabled their use upon, suddenly become open to the criminals who obtained your Facebook authentication?
Resist the urge to centralize you authentication. Seriously, you're asking for trouble. Don't do it.
LBE Security, DroidWall and Permission Manager. Use all three.
Oh, and if you want to fool the Google Play into delivering an app that claims to be incompatible, use Market Helper, or install FDroid or AppBrain Market.
I use a combination of LBE Security, DroidWall and Permission Manager to lock things down tightly. Silly free flashlight apps that try to read my SMS datastore? Nope, denied. Calculators that try to use WiFi or my cellular network? Denied. Games that try to read my IMEI? Denied.
Super secure, tight controls and you can lock everything down, in or out. Use all three.
According to TFA, NSA knows full well exactly this and tried it, but couldn't gain control of a sufficient number of exit nodes. That's not surprising, it really would take controlling quite a lot of exit nodes.
Are we sure they didn't just root the botnet around mid-August/early September?
Why did the FBI not just raid the location, take the physical servers and storage assets, clone them and then let the courts sort it out? That way they could go and fetch the keys themselves, MiTM the traffic to the host through his ISP, masquerading as Lavabit, and snarf whatever they needed. They're already doing it in other cases.
What I'm wondering, is that when someone comes to your door with a warrant, and you say "No" and close the door, why would they allow you to go back and manipulate the bits and digital information that comprises the portion the warrant asked for?
In this case, how was Lavabit even allowed to shut down their services, if the FBI was at the door asking for the keys?
Do you turn your phone off when you drive your the car or go about your daily business? Unlikely.
If you leave your battery in your phone, even in the 'off' position, your phone is still on, still capable of receiving and sending, including E911. Just because the screen says it's been turned off, doesn't mean it's been turned off. Pull the battery out.
Soon though, that won't be enough, and your phone and other devices will be able to transmit their location, data, etc. without the need for a battery.
I picked up one of these (Black Hole Faraday Bag - RF Signal Isolation for Forensics, Large Window Size) and toss my gadgets in it, roll it up when I'm out traveling and don't need my phone broadcasting my location, GPS or AGPS every 3 seconds. Same with my iPad, GPS, EZ-Pass, and so on.
And what happens when those keys are transmitted in the clear, across the two endpoints, when SSL might as well be cleartext at this point, given the computational power, intentional design flaws and other mechanisms of the NSA to break the conversation in real-time.
Do you trust your exit node or proxy? Defcon had a recent talk on setting up proxy servers as a very quick way to find people who have something to hide. Now you have their IP address and their destination.
It's not just about exit nodes anymore. The NSA can, and regularly does, de-anonymize users within the Tor network, with or without compromised or 'baddie-controlled' exit nodes.
Tor works only as long as exit nodes are not in the bad guy's control.
Correction: Tor only works (in its current implementation) when there isn't a single bad node in the entire network. IOW, not going to happen.
Then they can make a public and private key for whatever.com. Then they use their fake Intermediate CA Inc.certificate to sign that. Unless you the person visiting whatever.com specifically have an original copy of the real whatever.com certificate public key, and you look at the public key of the certificate every time you visit the website, you'll never notice that the NSA has replaced the real certificate with theirs. As long as they're using the correct Verisign private key, your browser will not detect any problems.
If you blindly stumble around the Internet accepting certs, not checking source and destination, you deserve what you get. If you verify the authenticity of your connections, and deny/block/forbid those that don't match, you'll be much closer to the secure environment we're all striving for.
The important bit, the one that has value to *me*, is that it can hide my identity. It can hide the identity of people who are afraid of oppression, it can hide the identity of whistle blowers, it can hide the identity of people asking for help.
Actually, no, it can't. You're thinking of i2p, not Tor.
If you're confused, you need to read up on the major flaws and vulnerabilities in Tor that allow the NSA or enough controlling entities to de-anonymize anyone using Tor. In fact, the more Tor exit nodes, the easier it is.
The tremendous spike in users using Tor could be both in reaction to the NSA news, or proactive from the NSA ramping up their use of Tor to more-rapidly de-anonymize the traffic coming across those exit nodes.
They don't need to crack the traffic, if they de-anonymize the clients in and out of Tor, it's cleartext on both ends. With SSL and VPNs now being as wide open as cleartext and easily broken, it's a moot point.
They do not need to do real-time processing of the data: that is only necessary for filtering.
That may be true for passive surveillance (http traffic, emails, IMs), but most-definitely not for VPNs, as in this specific case.
You absolutely need to trap the packets in real time in order to actually break the VPN connection open so you can get at the actual payload (cleartext, post-decrypted) data within the stream. The initial cryptographic handshake has to be captured, in order for them to peel it open and get inside.
You can't do that days later, when all you have is an encrypted stream of bits.
Eighty Nine Percent of New Zealanders oppose new legislation to broaden the powers of the GCSB, the New Zealand Signals Intelligence agency that has tradisionally been used to spy on other countries.
But wait, that also means that at least 51% of the population actually voted for those who put these laws and legislation into effect. Can the same people who voted them into power, also vote them out?
It doesn't matter if she was searching for 'pressure cooker bombs', because that is not illegal!
She has not committed any crime, nor should she be suspected of one. In fact, she shouldn't have let them in the house, because they have no warrant, nor any valid reason to suspect her of doing anything against the law.
Since when was curiosity or knowledge seeking a crime? Is that where we are now? Living in fear of learning more, because those who think they're holding the power, are looking at everything we do?
In October 2004 in Caracas, Venezuela, a fire in a 56-story office tower burned for more 17 hours and spread over 26 floors. Two floors collapsed, but the underlying floors did not, and the building remained standing.
But... how do you KNOW they're doing what they say they're doing? Really? Without an intentional MiTM machine you can use to analyze what is ultimately being sent upstream to SpiderOak, you can't be sure.
Remember too, peeling apart and masquerading SSL/https sites is VERY easy to do, including certificate forging. Many companies do this today to decrypt (yes, decrypt) SSL traffic to then scan the plaintext content of the request. Heck, you can even set up Squid to do that if you want.
Slashdot Mirror
Why not use KeePass on your phone then? It supports BlackBerry, Android and iOS.
Or export the data from KeePass and GPG ascii-armor that and email it to youself?
There's plenty of ways to do that. I keep lots of non-web data within KeePass, and it's been remarkably useful to me for more than just "logins".
I'm confused. Are you saying we shouldn't use individual logins, and should use a centralized system of login and authentication instead? That's precisely what we do NOT need. Reusing passwords across multiple sites increases the speed and attack vector.
Using a centralized service ("Log in with your Facebook or Twitter Account here...") magnifies the problem even further.
No, if you want true security in the current environment, always choose to create an account, using the local system's own mechanism, and keep a unique, strong password embedded in that system.
Sharing passwords across systems or reusing the same authentication mechanism across systems is just opening a huge hole so big you could swim in it.
What happens when a flaw in the central authentication system is discovered? What happens when your Facebook credentials are stolen, and now hundreds of other sites you've enabled their use upon, suddenly become open to the criminals who obtained your Facebook authentication?
Resist the urge to centralize you authentication. Seriously, you're asking for trouble. Don't do it.
No source.
Non-free.
No Mac version.
Nothing for mobile devices.
No thank you.
LBE Security, DroidWall and Permission Manager. Use all three.
Oh, and if you want to fool the Google Play into delivering an app that claims to be incompatible, use Market Helper, or install FDroid or AppBrain Market.
I use a combination of LBE Security, DroidWall and Permission Manager to lock things down tightly. Silly free flashlight apps that try to read my SMS datastore? Nope, denied. Calculators that try to use WiFi or my cellular network? Denied. Games that try to read my IMEI? Denied.
Super secure, tight controls and you can lock everything down, in or out. Use all three.
Are we sure they didn't just root the botnet around mid-August/early September?
http://www.infosecurity-magazine.com/view/34453/massive-botnet-is-behind-tor-usage-spike-/
Can we be absolutely certain that the botnet itself, and every single node, is 100% secure and non-rootable from the NSA's 0-day toolkits?
Why did the FBI not just raid the location, take the physical servers and storage assets, clone them and then let the courts sort it out? That way they could go and fetch the keys themselves, MiTM the traffic to the host through his ISP, masquerading as Lavabit, and snarf whatever they needed. They're already doing it in other cases.
What I'm wondering, is that when someone comes to your door with a warrant, and you say "No" and close the door, why would they allow you to go back and manipulate the bits and digital information that comprises the portion the warrant asked for?
In this case, how was Lavabit even allowed to shut down their services, if the FBI was at the door asking for the keys?
Something doesn't add up here.
Do you turn your phone off when you drive your the car or go about your daily business? Unlikely.
If you leave your battery in your phone, even in the 'off' position, your phone is still on, still capable of receiving and sending, including E911. Just because the screen says it's been turned off, doesn't mean it's been turned off. Pull the battery out.
Soon though, that won't be enough, and your phone and other devices will be able to transmit their location, data, etc. without the need for a battery.
I picked up one of these (Black Hole Faraday Bag - RF Signal Isolation for Forensics, Large Window Size) and toss my gadgets in it, roll it up when I'm out traveling and don't need my phone broadcasting my location, GPS or AGPS every 3 seconds. Same with my iPad, GPS, EZ-Pass, and so on.
...aaaand, here's some code to use to make your own (which I just posted about only yesterday
And what happens when those keys are transmitted in the clear, across the two endpoints, when SSL might as well be cleartext at this point, given the computational power, intentional design flaws and other mechanisms of the NSA to break the conversation in real-time.
Still trust the other end? I don't.
It's not just about exit nodes anymore. The NSA can, and regularly does, de-anonymize users within the Tor network, with or without compromised or 'baddie-controlled' exit nodes.
Correction: Tor only works (in its current implementation) when there isn't a single bad node in the entire network. IOW, not going to happen.
Let's also keep in mind that 60+% of the funding for Tor, comes directly from the Department of Defense (DoD).
Concerned yet? You should be.
But Trsst relies on a protocol (SSL) that we know is now suspect, and likely broken in most cases (weak keys, compromised CAs).
So what now?
This is precisely why you should be checking site fingerprints and using browser add-ons like Certificate Patrol, in combination with a secure browser (eg: TorBrowser).
If you blindly stumble around the Internet accepting certs, not checking source and destination, you deserve what you get. If you verify the authenticity of your connections, and deny/block/forbid those that don't match, you'll be much closer to the secure environment we're all striving for.
Actually, no, it can't. You're thinking of i2p, not Tor.
If you're confused, you need to read up on the major flaws and vulnerabilities in Tor that allow the NSA or enough controlling entities to de-anonymize anyone using Tor. In fact, the more Tor exit nodes, the easier it is.
The tremendous spike in users using Tor could be both in reaction to the NSA news, or proactive from the NSA ramping up their use of Tor to more-rapidly de-anonymize the traffic coming across those exit nodes.
They don't need to crack the traffic, if they de-anonymize the clients in and out of Tor, it's cleartext on both ends. With SSL and VPNs now being as wide open as cleartext and easily broken, it's a moot point.
http://blog.erratasec.com/2013/08/anonymity-smackdown-nsa-vs-tor.html
And direct yourself and others to Project Meshnet:
https://projectmeshnet.org/
Sorry, but it's now too easy to de-anonymize traffic within and around Tor. The more Tor nodes there are, the -easier- it becomes.
Read and learn, then direct everyone to start using i2p and Project Meshnet (https://projectmeshnet.org/)
http://blog.erratasec.com/2013/08/anonymity-smackdown-nsa-vs-tor.html
That may be true for passive surveillance (http traffic, emails, IMs), but most-definitely not for VPNs, as in this specific case.
You absolutely need to trap the packets in real time in order to actually break the VPN connection open so you can get at the actual payload (cleartext, post-decrypted) data within the stream. The initial cryptographic handshake has to be captured, in order for them to peel it open and get inside.
You can't do that days later, when all you have is an encrypted stream of bits.
<cite>http://www.groklaw.net/article.php?story=20110409161444432</cite>
They don't win unless we've stopped fighting. And we're a long, long way from that.
But wait, that also means that at least 51% of the population actually voted for those who put these laws and legislation into effect. Can the same people who voted them into power, also vote them out?
It doesn't matter if she was searching for 'pressure cooker bombs', because that is not illegal!
She has not committed any crime, nor should she be suspected of one. In fact, she shouldn't have let them in the house, because they have no warrant, nor any valid reason to suspect her of doing anything against the law.
Since when was curiosity or knowledge seeking a crime? Is that where we are now? Living in fear of learning more, because those who think they're holding the power, are looking at everything we do?
Sorry, no.
http://www.serendipity.li/wot/other_fires/other_fires.htm
Here's one example:
In October 2004 in Caracas, Venezuela, a fire in a 56-story office tower burned for more 17 hours and spread over 26 floors. Two floors collapsed, but the underlying floors did not, and the building remained standing.
See http://www.cbsnews.com/stories/2004/10/18/world/main649824.shtml
But... how do you KNOW they're doing what they say they're doing? Really? Without an intentional MiTM machine you can use to analyze what is ultimately being sent upstream to SpiderOak, you can't be sure.
Remember too, peeling apart and masquerading SSL/https sites is VERY easy to do, including certificate forging. Many companies do this today to decrypt (yes, decrypt) SSL traffic to then scan the plaintext content of the request. Heck, you can even set up Squid to do that if you want.
http://blog.blackfoundry.com/2011/06/02/break-open-dropbox-ssl-traffic-with-squid-proxy/
http://www.squid-cache.org/Doc/config/ssl_bump/
That's fairly easy to subvert: Don't ever use the same salt. Ever.
Look at something like PFS for where this is heading:
https://en.wikipedia.org/wiki/Perfect_forward_secrecy
Google is already using this today.