  #21  
9 June 2013, 02:43
anachranerd
Confirmed User
 
Join Date: Jul 2010
Location: North Dallas, TX
Posts: 122
Quote:
Originally Posted by MacDuff View Post
I'm lost when it comes to all this technical stuff but I'm interested in learning. I appreciate you all taking the time to add to the knowledge base, I think this is one of the more interesting discussions to come up lately.

One question though; are there security advantages to running Ubuntu or some other flavor of Linux?
This is a source of much debate, but overall, yes.

Due to its open source nature, Linux has had a minuscule amount of viral infections compared to Windows/OSX. Security bugs tend to get flushed out a lot quicker with open source software, due to its very nature of being open source, and therefore open to audit from many many sources (sources without any kind of profit motive mind you).
  #22  
9 June 2013, 06:58
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Quote:
Originally Posted by BOFH View Post
...and while I don't know what Poly does to earn a paycheck, his knowledge is top notch.
Not this stuff, so thanks for the kudos. Jobs bore me eventually, but hobbies make me want to learn it all...so maybe that's a good thing.

P
  #23  
9 June 2013, 07:08
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Quote:
Originally Posted by MacDuff View Post

One question though; are there security advantages to running Ubuntu or some other flavor of Linux?
IMO, YES! Who knows what gets sent back to the mother ship when you boot up an OSX or Windows machine. Could be one small GUID that identifies you through payment records of the computer/OS...nobody knows (but to be fair, nobody has proven it either).

Running a bootable version of Linux, for privacy related activity, would be painless...you could keep using OSX or Windows for other stuff. Or you could get into Virtual Machines with VirtualBox and run it that way (although I would make Linux the main, host OS, and run OSX/Windows in a VM).

Everyone should try Linux at least once...and give it 2 weeks before quitting. Mint Linux is the current fave, but I don't want to start a nerd war by disparaging Ubuntu.

P
  #24  
9 June 2013, 07:20
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Quote:
Originally Posted by Armitage12 View Post
So if I understand the most important advantages of Countermail:
(1) encrypted contents of email provided the other party is also using Countermail
(2) superior protection of your unencrypted email by passing it through their hands, compared with either your Internet service provider or free online (google/Microsoft) email, when sending to someone NOT using Countermail, by dint of their good stewardship.

[I spent about five hours last week working through some of this and I am reasonably technically minded, but it is still mentally challenging in some ways to think through all the vulnerabilities and generate possible solutions. This thread is incredibly helpful and I thank everyone for sharing their wisdom]
Yeah, pretty much. They list exactly what they can divulge, when presented with a valid order from a Swedish court...it isn't a whole heck of a lot.

When you sign up, they create a 2048/2048 RSA/RSA PGP key. That key encrypts everything in your account...whether you actually converse via PGP or not.

They use Java because that allows the passphrase to only be entered on your machine...they have no way of decrypting your content. Now, Java is usually a No-Go in the browser, due to security flaws, and HUSHMAIL has proven that they will send you an infected Java applet if asked to. CM tells you about this, and gives you the hash of their applet, so you can check it if you're that security conscious. You can turn Java on and off, in the browser, to keep it more secure...but I would just install another browser with Java enabled, just for CM use (portable versions work well).

You can also go the actual IMAP mail client route, and not worry about Java. This also allows you to use your own PGP key if you want. Check the FAQs for instructions.

P
  #25  
9 June 2013, 08:18
CV
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,288
The only beef I have with Countermail is its reliance and use of Java. There's just too much wrong with it right now.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo


  #26  
9 June 2013, 08:32
tooslow
Morte et une dame
 
Join Date: Apr 2011
Location: Smokey Joe's Cafe
Posts: 3,235
Interesting;
Using various past passwords I received ratings of "Instantly" to "631 thousand years".
I must pass that link along; THANK you.
__________________
'Living on the edge... of being banned from SOCNET'
Welcome to my family; do NOT make me kill you.
  #27  
9 June 2013, 09:09
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
CV,

If you have one browser for CM only, and you only enable the Java Plug-in when you want to check your CM mail, and you only go to the CM website... the risk is very, very low. Java is only really a danger when enabled in web facing programs all the time.

I run Java software locally 24/7...I just don't have it enabled in anything web related. You can also block java.exe with firewall rules.

And...just use IMAP with Thunderbird, etc... if you really want zero Java.

P
  #28  
9 June 2013, 09:19
Macka
Confirmed User
 
Join Date: Sep 2001
Location: SOCNET-Northeast
Posts: 2,164
What do you folks recommend for an email? A regular combination of name/initial or some random thing?
__________________
Freedom costs a Buck 0-5

Last edited by Macka; 9 June 2013 at 09:38.
  #29  
9 June 2013, 10:25
HighDragLowSpeed
Been There Done That
 
Join Date: Dec 2006
Location: Only Place For Me
Posts: 4,947
Quote:
Originally Posted by anachranerd View Post
Due to its open source nature, Linux has had a minuscule amount of viral infections compared to Windows/OSX. Security bugs tend to get flushed out a lot quicker with open source software, due to its very nature of being open source, and therefore open to audit from many many sources (sources without any kind of profit motive mind you).
You are repeating what I consider to be an open source fan boy myth. Here's why:

1) Most Software Functionality Relies On Potential Security Vulnerabilities: If an app's functionality includes some basic things such as writing to a known location in the file system in any way or needs some privileged access, those requirements are actually potential security vulnerabilities. If an operating system has functionality that writes to the file system (which all do) or some way to provide privileged access, it has potential security vulnerabilities. This means that all OSs have potential security vulnerabilities. For example, here is Ubuntu's healthy list of security issues:

http://www.ubuntu.com/usn/

Please note that is the public list. Most open source security bugs are kept confidential...so no one has ANY idea how many have been reported and, of those, how many actually were fixed. Example:

Quote:
Confidential vulnerabilities (for example coming from developer's direct communication or restricted lists) must follow a specific procedure. They should not appear as a public bugzilla entry, but only in security-restricted media like a private bugzilla section or the GLSAMaker tool. They should get corrected using private communication channels between the GLSA coordinator and the package maintainer.

http://www.gentoo.org/security/en/vulnerability-policy.xml
2) Greed Can Be Good: You'd be surprised how much more effective profit motive can be than reliance on someone's goodwill in driving security fixes. If a software app has a reputation for not patching, it's harder to sell licenses and services. Many companies with free open source software have programs in which security bugs are fixed - http://www.mozilla.org/security/bug-bounty.html is an example.

I guarantee that the percentage of fixed to reported bugs is likely equal and probably higher in commercial orgs than at some of the open source software orgs. Commercial orgs often fix even the theoretical vulnerabilities that are unlikely to be out in the wild particularly when they have the dedicated resources to do so. The reason? Profit motive.

Just for fun: Know what the safest browser in common use is right now? Can you tell me what company has the worst reputation for actually patching reported fixes?

3) Links Between Open Source Fixes And For-Profit Companies: From your comments, you also don't seem to realize that the vast majority of open source security fixes are written by devs at huge for-profit companies such as IBM, Red Hat, etc. This is so that they can make more profit (see #2 above).

Open source licensing means that these companies also gleefully profit from the free labor of the few "volunteers" that do make fixes. The original idea of open source software has been quietly hijacked from a collaborative academic approach to a way that huge companies make more profit from suckers providing free labor. All this happened right under the noses of unsuspecting fan boys that continue to propagate the myths.

4) "More Eyes" Doesn't Translate to "More Safe":
The whole "more eyes" idea is one of those myths that resonates as making sense but the facts simply don't support the idea. OpenSSH had a trojan based back door in it for many years (http://www.cert.org/advisories/CA-2002-24.html).

Quote:
An intruder operating from (or able to impersonate) the remote address specified in the malicious code can gain unauthorized remote access to any host which compiled a version of OpenSSH from this Trojan horse version of the source code. The level of access would be that of the user who compiled the source code.
Know which version had the trojan? The one posted at openssh.com over many years and across almost all versions up to that date. And this was a fairly obvious trojan.

There are a number of such examples...I just like to use the Open SSH example because it was such an obvious vulnerability in such a fundamental piece of the security puzzle.

Other than the occasional stupid dev code checkin, the days of high profile vulnerabilities based on buffer overflows should be over because it's simply so easy to do automated scanning for unsafe functions. That means that many exploits now require some level of sophistication.

The takeaway is this: just because someone knows code doesn't mean that they have the ability to review code for sophisticated security vulnerabilities. So where are a large percentage of these "qualified eyes"? Most of those eyes work in either for-profit commercial software companies (see #3 above) or for the government. Of these two groups, a large percentage of those that are able to do such reviews are unable to review open source code in their primary field of expertise (particularly for commercial devs for reasons of intellectual property tainting) or contribute to publicly available fixes.

Most of the rest that are qualified to perform security reviews do so on a space available basis unless they happen to be one of the lucky that work for the various open source software foundations or are independently wealthy.

Feeling less safe now?
__________________
"I know of no country in which there is so little independence of mind and real freedom of discussion as in America." - de Tocqueville, 19th century

God made machine language; all the rest is the work of man.
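
The kind of automated scan for unsafe functions mentioned in post #29, as an added example that is not part of the original thread or any poster's code: the function list, the names `UNSAFE` and `scan`, and the C source in `SAMPLE` are all constructed for illustration. The sample also contains an off-by-one loop that uses no banned call and is therefore not reported, which is the class of flaw the post says needs a skilled reviewer.

```python
import re

# Unbounded C string functions and the bounded call usually suggested instead.
# The list is illustrative, not a complete banned-function policy.
UNSAFE = {
    "gets": "fgets",
    "strcpy": "snprintf or a length-checked copy",
    "strcat": "snprintf or strncat with a remaining-space check",
    "sprintf": "snprintf",
    "vsprintf": "vsnprintf",
}

# Comments and string/char literals are blanked first so that a function name
# mentioned in a comment or inside a string is not reported as a call.
_NOISE = re.compile(
    r"""//[^\n]*|/\*.*?\*/|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'""",
    re.S,
)
# \b keeps strncpy, snprintf and my_strcpy from matching.
_CALL = re.compile(r"\b(" + "|".join(UNSAFE) + r")\s*\(")


def blank_noise(src):
    """Replace comments and literals with spaces, keeping newlines and offsets."""
    return _NOISE.sub(lambda m: re.sub(r"[^\n]", " ", m.group(0)), src)


def scan(src):
    """Return (line, function, suggested replacement) for each unsafe call."""
    clean = blank_noise(src)
    findings = []
    for m in _CALL.finditer(clean):
        line = clean.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(1), UNSAFE[m.group(1)]))
    return findings


# Constructed sample input (not from any real project).
SAMPLE = '''#include <stdio.h>
#include <string.h>

/* never call gets(buf) here */
void greet(const char *name) {
    char buf[16];
    strcpy(buf, name);
    puts("use sprintf(buf, ...)?");
    strncpy(buf, name, sizeof buf - 1);
}

void copy(char *dst, const char *src, size_t n) {
    char tmp[8];
    for (size_t i = 0; i <= n; i++)  /* off-by-one: writes tmp[n] */
        tmp[i] = src[i];
    sprintf(dst, "%s", tmp);
}
'''

if __name__ == "__main__":
    for line, func, fix in scan(SAMPLE):
        print(f"line {line}: {func}() -> consider {fix}")
```
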
  #30  
9 June 2013, 12:10
Macka
Confirmed User
 
Join Date: Sep 2001
Location: SOCNET-Northeast
Posts: 2,164
I don't use a VPN as of right now but have been researching them.

Here's some reviews I found: http://lifehacker.com/5935863/five-b...vice-providers
__________________
Freedom costs a Buck 0-5
  #31  
9 June 2013, 12:22
Chubs
These ain't my pants.
 
Join Date: Feb 2008
Location: SE US
Posts: 1,392
Quote:
Originally Posted by mikemac64 View Post
I don't use a VPN as of right now but have been researching them.

Here's some reviews I found: http://lifehacker.com/5935863/five-b...vice-providers
Damn I feel like I'm reading Greek in this forum.

To piggy back on what Mike was saying...I've never utilized a VPN either. A friend brought Witopia to my attention. Said he's looking at $80 or so a year for the subscription. Thoughts?
__________________
“I know of no great men except those who have rendered great service to the human race.”- Voltaire

“It is who we are; It is what we do; And we're okay with that.”- LE Funeral Closing Remark
  #32  
9 June 2013, 12:37
CV
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,288
Quote:
Originally Posted by Polypro View Post
CV,

If you have one browser for CM only, and you only enable the Java Plug-in when you want to check your CM mail, and you only go to the CM website... the risk is very, very low. Java is only really a danger when enabled in web facing programs all the time.

I run Java software locally 24/7...I just don't have it enabled in anything web related. You can also block java.exe with firewall rules.

And...just use IMAP with Thunderbird, etc... if you really want zero Java.

P
Great points.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo


  #33  
9 June 2013, 12:59
Macka
Confirmed User
 
Join Date: Sep 2001
Location: SOCNET-Northeast
Posts: 2,164
So, what would be the difference between using a commercial VPN and say, TOR and TOR Mail?
__________________
Freedom costs a Buck 0-5
  #34  
9 June 2013, 13:15
CV
Ungood
 
Join Date: Apr 2003
Location: US
Posts: 7,288
Quote:
Originally Posted by mikemac64 View Post
So, what would be the difference between using a commercial VPN and say, TOR and TOR Mail?
The short non-technical answer is that on a commercial VPN, you're connecting to a single server. TOR is a proxy that runs their traffic through a net of (I believe) three servers before reaching its destination. You should be aware that no matter what VPN or Proxy service you choose, you are still passing through their equipment and thus susceptible to attack at those points. While usually an acceptable risk due to the benefits, it's still a consideration.
__________________
It's a hipster filter. Keeps your kind out. -Jimbo


  #35  
10 June 2013, 00:42
anachranerd
Confirmed User
 
Join Date: Jul 2010
Location: North Dallas, TX
Posts: 122
Quote:
Originally Posted by HighDragLowSpeed View Post
You are repeating what I consider to be an open source fan boy myth. Here's why:

1) Most Software Functionality Relies On Potential Security Vulnerabilities: If an app's functionality includes some basic things such as writing to a known location in the file system in any way or needs some privileged access, those requirements are actually potential security vulnerabilities. If an operating system has functionality that writes to the file system (which all do) or some way to provide privileged access, it has potential security vulnerabilities. This means that all OSs have potential security vulnerabilities. For example, here is Ubuntu's healthy list of security issues:

http://www.ubuntu.com/usn/

Please note that is the public list. Most open source security bugs are kept confidential...so no one has ANY idea how many have been reported and, of those, how many actually were fixed.

Would commercial companies not have at least the same or more motivation to keep a vulnerability private, and quietly fix it? They have share price and public perception to worry about...

Example:



2) Greed Can Be Good: You'd be surprised how much more effective profit motive can be than reliance on someone's goodwill in driving security fixes. If a software app has a reputation for not patching, it's harder to sell licenses and services. Many companies with free open source software have programs in which security bugs are fixed - http://www.mozilla.org/security/bug-bounty.html is an example.

I guarantee that the percentage of fixed to reported bugs is likely equal and probably higher in commercial orgs than at some of the open source software orgs. Commercial orgs often fix even the theoretical vulnerabilities that are unlikely to be out in the wild particularly when they have the dedicated resources to do so. The reason? Profit motive.

My current client seems to do the opposite (large tech company). They need a lot of convincing to fix anything that isn't a show stopper. That being said - I see your point about relying on goodwill. With no profit or job at stake, a lot of developers have the "fuck it" option.

Just for fun: Know what the safest browser in common use is right now? Can you tell me what company has the worst reputation for actually patching reported fixes?

Internet Explorer. 6 years ago I wouldn't have been caught dead saying that...but I will guess IE. It's the only one I use these days on my Windows system and at work. Firefox and Chrome work for a month then slow down to a crawl. As to the second part of your question - I give up. Tell me...

3) Links Between Open Source Fixes And For-Profit Companies: From your comments, you also don't seem to realize that the vast majority of open source security fixes are written by devs at huge for-profit companies such as IBM, Red Hat, etc. This is so that they can make more profit (see #2 above).

Open source licensing means that these companies also gleefully profit from the free labor of the few "volunteers" that do make fixes. The original idea of open source software has been quietly hijacked from a collaborative academic approach to a way that huge companies make more profit from suckers providing free labor. Don't forget that many OSS developers over the years have had their goal to be Linux and other OSS apps reaching mainstream/commercial acceptance. They aren't all just suckers - many use OSS development to gain experience, exposure etc. All this happened right under the noses of unsuspecting fan boys that continue to propagate the myths.

4) "More Eyes" Doesn't Translate to "More Safe":
The whole "more eyes" idea is one of those myths that resonates as making sense but the facts simply don't support the idea. OpenSSH had a trojan based back door in it for many years (http://www.cert.org/advisories/CA-2002-24.html).



Know which version had the trojan? The one posted at openssh.com over many years and across almost all versions up to that date. And this was a fairly obvious trojan.

There are a number of such examples...I just like to use the Open SSH example because it was such an obvious vulnerability in such a fundamental piece of the security puzzle.

Other than the occasional stupid dev code checkin, the days of high profile vulnerabilities based on buffer overflows should be over because it's simply so easy to do automated scanning for unsafe functions. That means that many exploits now require some level of sophistication.

The takeaway is this: just because someone knows code doesn't mean that they have the ability to review code for sophisticated security vulnerabilities. So where are a large percentage of these "qualified eyes"? Most of those eyes work in either for-profit commercial software companies (see #3 above) or for the government. Of these two groups, a large percentage of those that are able to do such reviews are unable to review open source code in their primary field of expertise (particularly for commercial devs for reasons of intellectual property tainting) or contribute to publicly available fixes.

Most of the rest that are qualified to perform security reviews do so on a space available basis unless they happen to be one of the lucky that work for the various open source software foundations or are independently wealthy.

Touché on Open SSH. That was pretty terrible. That being said, one doesn't often hear about open source software installing a rootkit or other hidden crap (remember the Sony rootkit debacle? I made LOTS of money cleaning people's computers from that).

Either way, you bring up a valid point. Resources are much more tenuous in OSS projects. Can you explain why it seems Linux users tend to have wayyyyyyy less security issues (or at least complain about it less)?


Feeling less safe now?

Please don't mistake me for a fanboy who will defend OSS to the death and ignore reality. I freely admit OSS has its own many flaws....and it does sure have a cult following that goes way over the top sometimes. My own endorsement of OSS stems from a job I had from 2003-2006. We specialized in migrating small businesses to Gentoo based file and application servers. Many of these businesses would have viral infections that would spread across the network but never once affected the Gentoo boxes at all.
Thanks for the input sir. Definitely lots of food for thought.
  #36  
10 June 2013, 00:45
anachranerd
Confirmed User
 
Join Date: Jul 2010
Location: North Dallas, TX
Posts: 122
Anyways, today a friend discovered an app called "Ghostery". It is a browser plug in that shows you all the different tracking widgets present on the websites you visit. It also gives you the option to pick and choose which ones you want to be enabled/disabled.

http://www.ghostery.com/

Check it out. Warning- some of the results are disturbing.
  #37  
10 June 2013, 02:34
BOFH
I aim to misbehave
 
Join Date: Jul 2004
Location: \\Gibson\garbage
Posts: 4,162
Quote:
Originally Posted by anachranerd View Post
Anyways, today a friend discovered an app called "Ghostery". It is a browser plug in that shows you all the different tracking widgets present on the websites you visit. It also gives you the option to pick and choose which ones you want to be enabled/disabled.

http://www.ghostery.com/

Check it out. Warning- some of the results are disturbing.
Ghostery, HTTPS Everywhere, and NoScript are great.
__________________
"...for those who man the battle line, the bugle whispers low, and freedom has a taste and price the protected never know..."


While true:
Continue
  #38  
10 June 2013, 07:40
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Quote:
Originally Posted by Chubs View Post

To piggy back on what Mike was saying...I've never utilized a VPN either. A friend brought Witopia to my attention. Said he's looking at $80 or so a year for the subscription. Thoughts?
I listed the 3 providers that a majority of privacy advocates use. YMMV for any others.

P

Last edited by Polypro; 10 June 2013 at 08:03.
  #39  
10 June 2013, 07:43
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Quote:
Originally Posted by anachranerd View Post
Thanks for the input sir. Definitely lots of food for thought.
The flip side is that very few people write attack code for an OS that nobody uses.

It's also easier to hide something with co-operation...look up CryptoAG.

My opinion only, but there is no way in hell I'd use Microsoft BitLocker, or Symantec PGP....over TrueCrypt or GPG/OpenPGP.

P
  #40  
10 June 2013, 08:47
Polypro
BTDT
 
Join Date: Oct 1999
Location: A Noisy Bar In Avalon
Posts: 11,939
Quote:
Originally Posted by mikemac64 View Post
So, what would be the difference between using a commercial VPN and say, TOR and TOR Mail?
Commercial VPN:

Private company with a vested interest in keeping you as a customer.

Faster.

VPNs anonymize everything leaving your computer, not just web browsing, or PITA to configure SOCKS programs.

Written privacy policies and governed by privacy laws (which actually mean something in some other countries). PITA for the US to try and get any info on you depending on the country.

Usually forums and good support.

Some can be run from a router, giving 24/7 VPN to your entire house.

OpenVPN based (DO NOT USE PPTP!).

Some offer multi-hop, some allow connection via Tor, some allow anonymous payment.

The only major downside is if they lie, they can compromise what you do...but the good thing is that a company that did that, would be found out pretty quickly, search "Hide My Ass Logging".


Tor:

Well, what needs to be said, the Gold Standard, but as always, nothing is 100%. The things to watch out for are:

It's slow. It only works for browsing and specific programs that can connect to SOCKS proxies. An "Evil Exit Node" can compromise you if you allow real life personal info to flow through it...like sending your real name via a non-https web page, etc...

The downside to TorMail is the same - no one knows who's running it. It is PERFECT for sending and receiving email that in no way identifies who you are in real life...but no way for real info...it could be a PRISM box. But being a Hidden Service, as long as you don't reveal anything, your location is safe.

I use all 4 for different things.

P