nationwide interception of Facebook & webmail login credentialsin Tunisia

Thu Jan 27 00:43:31 GMT 2011

Is it not now conventional cybersecurity wisdom that there is 
no secure means of digital network communication? That any 
network system -- with certs or not, with end-to-end-encryption 
or not, with TOR-like and cloud-like mechanisms or not, as well 
as any other network comms means -- requires a supplemental 
offline physical implement of security. Such as a token, card or 
other physical tools which assure absolute, non-TEMPEST-able 
isolation from a network for at least for first step of the comms 
and at the last step of receipt. Along the network path all flow 
is penetrable and interceptible, even the onion-layers and 
foolsgold .smil, .intel and kin.

Perhaps that is the security FUD of token, card and other
means, but recently the NSA claimed in a public security
conference that there could be no network security, none.

Perhaps that too is NSA FUD, all too commonly practiced
by security agencies as a means of lowering expectations
as budgets are decreased.

It is true that NSA and ilk regularly pronounce such and such
security is either too strong or too weak, and parade, publish,
leak, leave behind laptops, redact FOI releases, unleash demon
hackers, and rue disclosures by experts who betray national
interests for transient vainglory, and such fomulaics, in order 
to promulgate too much or too little certainty about security.

So how can befuddled members of parliaments and congresses
much less law enforment authorities and pitable citizenry 
know what to do about edicts of ambiguity amplified almost 
beyond comprehension by implementing directives, trials 
and errors, academics and researchers pinheading gaffs 
and gaps, data breaches true and false, boondoggling
contractors and their obfuscating legal counsels angling
for prolonged litigation out of sight of oversight?

Why would titans of cybersecurity throw up hands and state
impossible except, except, except perhaps another billion
would do it if renewed annually, bespeaking mantrically
"no absolutes in security." 

While similar this is not medieval selling indulgences.
It's cyberwarfare, by crikey.

At 08:18 AM 1/25/2011 -0800, you wrote:
>That would not deal with the falsifying of certificates.  Assuming the
code-base of this is not intentional corrupt, the addition of an extension
such as certpatrol is also required (a firefox extension), to notify one
when the SSL cert swap by the government/ISP (using the browser accepted as
'true' passported C.A.(s) under their control) has taken place (a MiTM is
in progress notification function).  The other known way would be
manual/local (each time) inspection of the cert fingerprint(s).  e.g. you
note Facebook's fingerprint then check each time it's got the same 'print.
Then (once under notice the hack is under progress) you could retreat, or
start playing your own pre-planned counter-measures ... depending on the
peril of the situation, tactics, etc, call the government, depending on the
nature of your business, etc. > >:/ > >Best, > >PP > > >--- On Tue,
1/25/11, Richard W.M. Jones <rich at annexia.org> wrote: > >> From: Richard
W.M. Jones <rich at annexia.org> >> Subject: Re: nationwide interception of
Facebook & webmail login credentials in Tunisia >> To: "UK Cryptography
Policy Discussion Group" <ukcrypto at chiark.greenend.org.uk> >> Date:
Tuesday, January 25, 2011, 3:35 AM >> >> JGC's blog has the technical
details: >> >>
http://blog.jgc.org/2011/01/code-injected-to-steal-passwords-in.html >> >>
Moral of the story is to use https:// URLs to fetch the >> initial form >>
(ie. https://facebook.com/).  The Firefox >> HTTPS-Everywhere extension >>
automates this completely (https://www.eff.org/https-everywhere) -- no >>
thought or technical skills required. >> >> Rich. >> >> -- >> Richard Jones
>> Red Hat >> >> > > >      
> 