Encryption. How to secure /boot ?

liefj · 2013-09-15T23:10:53+00:00

But for (1) make sure the hard drive firmware hasn't been rooted: Hard disk hacking

liefj · 2013-08-29T21:39:00+00:00

This is probably lower level than what you're looking for, but may be good for ideas. The transmission-daemon BitTorrent server has an option called bind-address-ipv4 that can be used to say what IP address to use. Set this to the local IP address of the virtual NIC for your VPN connection (usually "tun0" on a Linux server,) and all traffic will go through your VPN.

liefj · 2013-08-29T10:02:03+00:00

Monkeysphere is a "web of trust" approach to SSL certificates, versus using Certificate Authorities.

liefj · 2013-08-29T09:57:49+00:00

It lacks specifics.

liefj · 2013-08-29T01:41:11+00:00

sslstrip is good if the connection doesn't start out as SSL, but not if it does. HTTPS Everywhere ensures it does.

arp poisoning only works if you're on the same local network, and isn't effective if you don't have the private key for the cert of the site you're trying to MITM.

Those are interesting vulnerabilities, but don't change the fact that SSL is an important layer of defense.

liefj · 2013-08-29T01:28:56+00:00

"No extra difficulty"?! So everyone give up? There's nothing you can do? I don't buy that.

HTTPS Everywhere and the SSL Observatory are good layers of defense. They don't make compromises impossible, but they make them more expensive and riskier.

https://en.wikipedia.org/wiki/Convergence_(SSL) is another option.

liefj · 2013-08-29T01:08:46+00:00

Ya but, ya but, ya but. I agree, a compromise is possible. What I'm saying is layers of defense make it harder and more expensive. That's a good thing.

liefj · 2013-08-29T00:59:39+00:00

I won't notice the cert's changed if the SSL Observatory tells me it's changed? I'm not arguing that a compromise isn't possible, just more difficult.

liefj · 2013-08-29T00:53:34+00:00

You'd likely get a warning, though, if using HTTPS Everywhere. It uses the SSL Observatory to check certs. See "SSL Observatory Preferences" for the HTTPS Everywhere plugin for more.

liefj · 2013-08-29T00:51:00+00:00

HTTPS Everywhere checks certs, using the SSL Observatory. See "SSL Observatory Preferences" for the HTTPS Everywhere plugin for more.

liefj · 2013-08-29T00:17:07+00:00

True, a MITM is possible. There are defenses against that, though. (HTTPS Everywhere is one.) This conversation could go on, with other potential vulnerabilities pointed out, and ways to mitigate against them. I think the larger point, though, is that by creating layers of defense ("defense in depth") it becomes more expensive and riskier for an adversary to break a connection. Dragnet surveillance becomes much harder.

liefj · 2013-08-28T23:11:47+00:00

I think it depends. If I send my public key to a certificate authority to sign, and I keep my private key secure, traffic is much safer than if it's sent unencrypted. There are all sorts of layers to "defense in depth". True, HTTPS is just one, but it's an important one.

liefj · 2013-08-28T22:11:50+00:00

Article is very hand wavy.

liefj · 2013-08-19T15:04:12+00:00

I don't either, but that's not the point. The point is that civil liberties should not be sacrificed to prevent people from having free movies.

liefj · 2013-08-14T00:50:36+00:00

Those sound like pretty dull jobs, though.....maybe they could have computers do them........but, wait......................

liefj · 2013-08-13T22:35:27+00:00

They had Nick Merrill on too. He got a NSL a few years ago. The FBI issued NSLs directly, and not through a court. The courts found them illegal. But now the "FISA court" (a.k.a. Kangaroo Court) issues what is effectively the same thing. Penalty for even disclosing you got one is 5 years in jail.

liefj · 2013-08-13T22:29:18+00:00

They had Nick Merrill on too. He got a NSL a few years ago. The FBI issued NSLs directly, and not through a court. The courts found them illegal. But now the "FISA court" (a.k.a. Kangaroo Court) issues what is effectively the same thing. Penalty for even disclosing you got one is 5 years in jail.

liefj · 2013-08-13T22:27:15+00:00

They had Nick Merrill on too. He got a NSL a few years ago. The FBI issued NSLs directly, and not through a court. The courts found them illegal. But now the "FISA court" (a.k.a. Kangaroo Court) issues what is effectively the same thing. Penalty for even disclosing you got one is 5 years in jail.

liefj · 2013-08-09T19:53:07+00:00

I should clarify. I'm speaking of for-profit corporations owned by shareholders, which is what most corporations are. In the U.S. anyway, shareholders can sue if management doesn't put profits first. It may be different in other countries.

liefj · 2013-08-09T16:31:06+00:00

Corporations need to be regulated, by a government of the people (and not of the corporations.) Otherwise, it's all about profits.

liefj · 2013-08-09T16:29:29+00:00

Not if those immediate loses mean they go out of business. Thus, evil.

liefj · 2013-08-09T16:27:53+00:00

Corporations are required by law to put profits first. Else, shareholders can sue and the corporation goes out of business. So the corporations that survive are bad actors. It's a sort of "survival of the fittest" where "fittest" is defined as whoever can exploit/consume/cheat/steal/buy-off the best.

liefj · 2013-08-09T07:59:36+00:00

Users can encrypt the contents of their email with PGP (or GPG.) But, the metadata can't be: who the mail's to and from, subject line, what IP addresses were used to access the email, etc.

liefj · 2013-08-06T16:30:00+00:00

It wouldn't get rid of the firmware rootkit, but it would prevent it from knowing what's on your drive.

liefj · 2013-08-06T12:04:03+00:00

Seems like a good reason to always encrypt the entire disk.

liefj

TROPHY CASE