@dashrender said in US DOJ Continues Its Attack on User Privacy:

@scottalanmiller said in US DOJ Continues Its Attack on User Privacy:

@dashrender said in US DOJ Continues Its Attack on User Privacy:

@scottalanmiller said in US DOJ Continues Its Attack on User Privacy:

@dustinb3403 said in US DOJ Continues Its Attack on User Privacy:

Rosenstein also said

"...People want to secure their houses, but they still need to get in and out. Same issue here."

Not even close, those people are welcome to come and go in their damn house. You on the other hand might get shot in the face if you just walk into someone's house uninvited.

People can still get in and out of their phone. I don't have to give my door key to the DoJ.

Yeah - I'm trying to come up with a physical example to compare to digital security - but I'm coming up blank.

Doors aren't bad. You lock your door, the DoJ is an intruder, the key company does not send copies of your keys to the DoJ.

It's really not good enough. The DOJ can hack your door with lock picks or just bust it down.

I suppose a better example would be a universal garage door opener that only the government is supposed to have, but of course, once the bad guys know about that, they will keep hacking the government until they steal one of those universal door openers. Secure keys for encryption would be the same. The government is as leaky as a cauldron, there's almost no chance they could keep keys like this from the hackers. Then instantly everyone would be vulnerable.

Everyone that uses a mainstream OS or device that operates anywhere in the world that has any operations within the US. Yup

@zubairkhanzhk you're welcome!

I saw something about this the other day... It is interesting to say the least.

I've used tor, it's functional, but removes a lot of what most people consider useful from most websites.

@Breffni-Potter said in The SHA1 hash function is now completely unsafe:

If you burn 110K in cash.
And have a team of cyber security experts.

Today, yes. But in six months it'll be a script and $30K in compute power. In two years it'll be $500 of AWS time.

Can't reply on SW, it's having one of its "this thread won't let you respond" hiccups.

@JaredBusch Awesome. Tks Jared. Tested and works beautifully!

Yes, I have. It was talked about on Security Now a few years ago.

It allows TNO (Trust No One) on cloud storage . You control the keys for encryption. of course, if you don't have the keys, the data is useless.

@BRRABill said in How to Require TLS for Outbound SMTP Connections with MDaemon:

I think what he meant was encrypted from the e-mail client (Outlook, Webmail) to the MD server.

That's confusing because it isn't email at that point but is just an internal application API. If it is Outlook, for example, it talks directly with Exchange as a client manipulating stuff on Exchange. If it is OWA, it's Exchange that you are looking at directly (the "email" is still on Exchange.)

@scottalanmiller said in Let's Encrypt stats:

@Jason said in Let's Encrypt stats:

I'm guessing a lot of kids/teens and college age are using let's encrpyt hence the .ninja

I'm confused, aren't all those domains only used by ninjas?

Go Ninja, Go Ninja, Go!

Only the other night for me and it was all on one project so I'm not sure what it was, yet.

@thwr said in Kickstart with LUKS:

@scottalanmiller said in Kickstart with LUKS:

@thwr said in Kickstart with LUKS:

@thwr said in Kickstart with LUKS:

But if the server walks, the TPM walks with it and the security has been totally bypassed. In fact, IMHO, if you have the key on TPM and it decrypts automatically on start up and you had to state if the system was encrypted or not, at best you could say "sort of." While you might get away with saying that it is encrypted, if asked the other way "is the data wide open", the answer would also be yes because it's not encrypted when someone looks at it.

Ah, sorry, misunderstood your posting in the first place. Well, that's chicken-egg. You can either have it decrypt automatically or not. If going for automatic decryption, we have to make sure the machine can't decrypt e.g. when it gets stolen or sold.

For this, storing the key on the host alone, even with TPM, may not be enough (don't know enough about TPM at this point. Sealing to system state seems quite safe, but...). Thus, we need to bring in another factor. Let's call it "location awareness", e.g. pulling the actual key from the network and TPM stores just something to authenticate against the "key server". Server offsite -> no decryption.

Past boot, it is up to you to secure the server by traditional means. Strong passwords, no or strongly secured RS232 TTY and so on.

Exactly, something externally has to trust that the system is where it is supposed to be physically so that it will release the key. We considered using this but decided that security trumped downtime and kept the system requiring human intervention and just accepted large downtimes in the event of a reboot.

Agree, downtime due to a misconfiguration, some failure on the network or the key server would be an issue. What if we look at some back approach: If some removeable storage with a key is present at boot, LUKS will use this key. Otherwise, it tries to pull it from the key server as described above? Should be pretty solid and a backup is in place (key on USB stick) in case something goes south.

This surely is an approach for environments requiring a very high level of security, but I like the idea.

I've seen places do that, pop in a key and use that, but you have to trust that people will remove it immediately and store it somewhere.

Hmmm, if he cares so much about security he should disable the Universe repository, it's full of security holes. Essentially, installing anything from there is an exercise in installing a backdoor.

Of course, there's not much choice, you want that software to be available. Though choice 😉

@tonyshowoff said:

@scottalanmiller said:

@tonyshowoff said:

@Dashrender said:

@scottalanmiller said:

@Dashrender said:

Frankly, I'm frustrated that ICANN has allows so many registrars and SSL cert providers. There are over 1400 CAs trusted by Windows in 2010.

Any one of those CAs can be compromised and their root cert used to sign fake certs for any site on the internet, instantly having Windows trust those certs.

The whole security model on the internet is just broken. We don't have secure DNS or reliable Certificate Pinning.

It would be a monopoly if they didn't make it basically open. Or monopoly-ish. Not an open market.

Frankly, in this case, a monopoly, like you want for healthcare, seems like the better play. The fees should either be free or extremely low, only enough to handle the costs of administration and hardware required.

Universal coverage does not imply monopolistic treatment. Further, most countries with universal health coverage also have private systems too.

Like Panama... good healthcare for free or suckers can pay for private American healthcare from Johns Hopkins.

Or Bosnia, the only place I know of where the "free" is way worse than private to an insane degree, and that's because of a war so at least that's an excuse.

Johns Hopkins is the hospital that thought that nut job who thinks the pyramids were grain stores and all kinds of whacky things led their surgical department. You'd have to be insane to get treated at a hospital letting crazies like that even work there let alone run departments.

(Working there as a janitor would be okay, just not in healthcare portions of the business.)

That's the kind of hospital that removes your spleen because "if God wanted you to have it, he'd not have made it make you sick." Those people scare me.

Do they support booting from UEFI yet?

That was a good show, really was.

I should email that to everyone here.

@Dashrender said:

I did this one, installed my own cert into Outlook 2013 - my boss hated it - the little certificate icon made her think all of my emails were marked high priority.

"It is actually a finger extended in the traditional Native American greeting that contains all the respect you deserve."