nationwide interception of Facebook & webmail login credentials in Tunisia
Dave Howe
DaveHowe at gmx.co.uk
Sat Jan 29 18:15:34 GMT 2011

On 27/01/2011 00:43, John Young wrote:
> Is it not now conventional cybersecurity wisdom that there is
> no secure means of digital network communication? That any
> network system -- with certs or not, with end-to-end-encryption
> or not, with TOR-like and cloud-like mechanisms or not, as well
> as any other network comms means -- requires a supplemental
> offline physical implement of security. Such as a token, card or
> other physical tools which assure absolute, non-TEMPEST-able
> isolation from a network for at least the first step of the comms
> and at the last step of receipt. Along the network path all flow
> is penetrable and interceptible, even the onion-layers and
> foolsgold .smil, .intel and kin.

That is FUD, pure and simple. There are almost certainly flaws in almost
every solution, which with enough time and money you could exploit - but
in most cases you would need to work forward (black bag the endpoints)
and if you already know who to bug, why bother with the fancy
interception when a simple logger app will do just fine?

> Perhaps that is the security FUD of token, card and other
> means, but recently the NSA claimed in a public security
> conference that there could be no network security, none.

Consider the source there. With decreasing budget and increasing
traffic, even low grade cryptography is a threat - there is a limit in
practical terms how many (even 40 bit) sessions you can intercept and
scan for keywords and/or vox recognition, so if even 40 bit crypto
became the norm, the task of blanket scanning would become beyond even
the abilities of an organization with unlimited budget, never mind one
with real world limits.

Conventional wisdom should, therefore, be that, given a highly targeted
and personal attack, only the most stringent (and intrusive) of personal
security regimes has a hope of keeping your traffic private, and any
endpoint device left out of your control for more than five minutes
should be considered compromised. I doubt things have gotten as far as
blanket inclusion of such intrusive measures in all commodity pcs sold
(although I could see that as a "feature" of TCM/TPM beyond just the
basic specs :)

> Perhaps that too is NSA FUD, all too commonly practiced
> by security agencies as a means of lowering expectations
> as budgets are decreased.
>
> It is true that NSA and ilk regularly pronounce such and such
> security is either too strong or too weak, and parade, publish,
> leak, leave behind laptops, redact FOI releases, unleash demon
> hackers, and rue disclosures by experts who betray national
> interests for transient vainglory, and such formulaics, in order
> to promulgate too much or too little certainty about security.

The NSA and its ilk are paid to give competent advice on such things to
those who pay them. They aren't paid to give such advice to you, and
certainly don't have a great track record of being too honest to those
who DO pay them.

The truth still is though - the vast majority of compromises out there
come from either deliberate action or accidental loss of data, from
those authorized to access it, whenever their own desire to copy
otherwise secure data onto an insecure medium outweighs (in their
opinion) the security guidelines telling them not to do so.

The NSA and its ilk are caught between two stools - they would LOVE to
make endpoints secure, in their role as security advisor, but would hate
anyone (even their own clients) actually doing so, as that would make
their role as communications interceptor much, much harder. Where they
draw that line (and what they say in private, as opposed to public
statements) is obviously unknowable.