
RE: [hackers-il] network eavesdropping

  • Tzahi Fadida
    Message 1 of 16 , Dec 1, 2004
      I think that many people don't know that encryption of the HD is pretty
      worthless since
      if you are a criminal and go to court then you will be requested to
      decrypt the information
      or be in a state of contempt of court and stay in jail until you open it.
      You'd better destroy the data in that case.
      One solution that comes to mind is putting all your data on some kind of
      temporary storage
      not on location that expires without putting a password.
      Somewhere with no relation with the US gov.
      Another thing people don't understand is that screens can be sniffed using
      radiation readers
      (gov hardware of course) and they can sniff you thru your window or see the
      screen reflection.
      or just put a fiber optic on your window and countless measures.

      Pretty much, all of the above is probably worthless attempts if they know
      where you live because
      they can spy on you in many ways, most are primitive and sufficient.
      Better they won't locate you.

      Regards,
      tzahi.

      > -----Original Message-----
      > From: Arik Baratz [mailto:arik.baratz@...]
      > Sent: Friday, November 19, 2004 11:06 PM
      > To: hackers-il@yahoogroups.com
      > Subject: Re: [hackers-il] network eavesdropping
      >
      >
      >
      > On Fri, 19 Nov 2004 12:36:58 -0000, mehlng <mehlng@...> wrote:
      >
      > > Hi,
      > > I want to ask a fundamental question about web security.
      > > Why are plain-text transfers from a private computer to a website
      > > considered highly insecure?
      >
      > Security is a relative term. It's all about WHO is a
      > potential attacker, HOW MUCH a potential attacker stands to
      > gain from the attack (converted to money) and HOW MUCH effort
      > does it take to successfully attack you (converted to money).
      >
      > Let's take an example.
      >
      > Say you are a mobster. The FBI is after you. They know you
      > use your computer to commit serious crimes by submitting data
      > to plain-text web-sites, and naturally they want to eavesdrop
      > on your computer. The FBI don't gain money from the attack,
      > but if you are a major mobster and the attack successfully
      > nabs you the government will gain $50000 from taxes that you
      > are no longer not-paying.
      >
      > They can, for example, put a keyboard logger on your
      > computer. They need to break into your house and install it.
      > Let's say that the manpower needed to do that 'costs'
      > $50/hour per person, for 3 hours - that's $150. In that case,
      > the attack is definitely worth it, and you will be attacked.
      >
      > They can alternatively go to your ISP and listen on the ISP's
      > router. Since the infrastructure is in place, they only need
      > to send a single agent, for 1 hour, and that would cost $50.
      >
      > Or they may confiscate the destination web server and read
      > the data you submitted off its disk. $50.
      >
      > You can plainly see that it pays to use encryption if you're
      > a mobster, because that increases the cost of the attacks so
      > much that only keyboard-logging remains viable.
      >
      > So ask yourself: Is the information I'm submitting worth so
      > much that someone will be willing to go to the trouble of
      > getting it? If the answer is yes - then it is insecure. If
      > the answer is no - then you can send your cleartext
      > information and nobody will care.
      >
      > -- Arik
    • Arik Baratz
      Message 2 of 16 , Dec 1, 2004
        Hi Tzahi

        On Wed, 1 Dec 2004 17:08:46 +0200, Tzahi Fadida <tzahi_ml@...> wrote:
        >
        > I think that many people don't know that encryption of the HD is pretty
        > worthless since
        > if you are a criminal and go to court then you will be requested to
        > decrypt the information
        > or be in a state of contempt of court and stay in jail until you open it.
        > You'd better destroy the data in that case.
        > One solution that comes to mind is putting all your data on some kind of
        > temporary storage
        > not on location that expires without putting a password.
        > Somewhere with no relation with the US gov.

        ... or use the steganographic filesystem, in http://stegfs.sourceforge.net/

        "Plausible Deniability"

        > Another thing people don't understand is that screens can be sniffed using
        > radiation readers
        > (gov hardware of course) and they can sniff you thru your window or see the
        > screen reflection.

        Just for CRTs

        > or just put a fiber optic on your window and countless measures.

        For every screen

        > Pretty much, all of the above is probably worthless attempts if they know
        > where you live because
        > they can spy on you in many ways, most are primitive and sufficient.
        > Better they won't locate you.

        Depends on how much of your life is virtual. If you follow some very
        basic rules (although people will look at you funny if they know) you
        can avoid most of the problems of captured hardware, sniffed keys,
        captured screen, etc.

        -- Arik
      • Nadav Har'El
        Message 3 of 16 , Dec 1, 2004
          On Wed, Dec 01, 2004, Tzahi Fadida wrote about "RE: [hackers-il] network eavesdropping":
          >
          > I think that many people don't know that encryption of the HD is pretty
          > worthless since
          > if you are a criminal and go to court then you will be requested to
          > decrypt the information
          > or be in a state of contempt of court and stay in jail until you open it.
          > You'd better destroy the data in that case.

          This is the same issue as those new "code" machines in cars. Criminals find
          it hard(?) to break them, but it's trivial when they can just point a gun
          at you and tell you "Hey, you know the code - punch it in! now!", which
          makes them armed robbers.

          The government threatening you until you give them your keys is exactly
          like armed robbery, in this context.

          Virtually no kind of passive security (locks, walls, etc., and their
          electronic equivalents like encryption) can do anything against an *armed
          robbery*, which means the attacker finds the person who has legitimate
          access (keys to the lock, encryption keys, PIN codes, iris picture, or
          whatever) and threatens them with a gun to open the security measures for
          him, or perform the required theft (or whatever) for him.

          Anyway, if you fully destroy your data - in a way that even you yourself
          don't have access to it any more, then you're screwed too. If you leave yourself
          even one small way to get your data back, then, well, the armed robber can
          force you to reveal it...

          > Pretty much, all of the above is probably worthless attempts if they know
          > where you live because
          > they can spy on you in many ways, most are primitive and sufficient.
          > Better they won't locate you.

          Right. If the bad guys know where you are, nothing is simpler than just
          shooting you and you're dead. All other scenarios are much less worrying
          to me, so I don't see why someone should.

          --
          Nadav Har'El | Wednesday, Dec 1 2004, 18 Kislev 5765
          nyh@... |-----------------------------------------
          Phone +972-523-790466, ICQ 13349191 |The path of least resistance is what
          http://nadav.harel.org.il |makes rivers and politicians crooked.
        • Arik Baratz
          Message 4 of 16 , Dec 2, 2004
            On Wed, 1 Dec 2004 17:44:18 +0200, Nadav Har'El <nyh@...> wrote:
            > > or be in a state of contempt of court and stay in jail until you open it.
            > > You'd better destroy the data in that case.
            >
            > This is the same issue as those new "code" machines in cars. Criminals find
            > it hard(?) to break them, but it's trivial when they can just point a gun
            > at you and tell you "Hey, you know the code - punch it in! now!", which
            > makes them armed robbers.

            There's a Visonic keyboard called CL-8. It's a widely used keypad for
            simple entry control, flash rom, 50 possible codes, etc. They have a
            feature they call 'ambush digit' (yes, it's an Israeli company). For
            all codes you key in, you can append this digit. The code will work as
            expected, but an extra relay will be switched, hopefully wired to a
            silent alarm. This way if you are at gunpoint, you can punch in the
            ambush digit, and the attacker will never know.

            In the context of cars, an alarm system I once had had a feature where
            if the car door was opened when the ignition was on, it would stall
            the engine after 5 minutes. This way if you're car-jacked you can
            leave the engine running, the car-jacker will be s*** out of luck when
            he discovers 5 minutes later that the car stalled and doesn't start
            again. You're not around to get the bullet by that time.

            > The government threatening you until you give them your keys is exactly
            > like armed robbery, in this context.

            Apart from having plausible deniability using the steganographic
            filesystem, you can design your system to accept two passwords. One
            would be rather easy, and 'decrypt' innocent data, and the other will
            be harder and give access to your real data.

            > Anyway, if you fully destroy your data - in a way that even you yourself
            > don't have access to it any more, then you're screwed too. If you leave yourself
            > even one small way to get your data back, then, well, the armed robber can
            > force you to reveal it...

            The armed robber doesn't have to know how many copies you have. You
            can plausibly have only two copies and still keep a third one. Unless
            they can decrypt your mind. In that case the extra copy should be
            hidden with a trusted accomplice in a way that you have no access to,
            and encrypted by both you and your accomplice.

            > > Pretty much, all of the above is probably worthless attempts if they know
            > > where you live because
            > > they can spy on you in many ways, most are primitive and sufficient.
            > > Better they won't locate you.
            > Right. If the bad guys know where you are, nothing is simpler than just
            > shooting you and you're dead. All other scenarios are much less worrying
            > to me, so I don't see why someone should.

            Well, if it's your data they're after and not you, they won't kill
            you. In fact they will take great pains not to kill you.

            -- Arik
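
A sketch of the 'ambush digit' logic described in the message above, as an added example that is not part of the original thread and is not Visonic's firmware; the class, the relay names and the sample codes are assumptions. It also rejects code sets in which a code plus the ambush digit equals another valid code, since a normal entry would then be indistinguishable from a duress entry.

```python
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class EntryResult:
    door_relay: bool    # main relay: releases the door
    ambush_relay: bool  # extra relay: assumed wired to a silent alarm


class Keypad:
    """Hypothetical entry keypad with a duress ('ambush') digit."""

    def __init__(self, codes, ambush_digit):
        if len(ambush_digit) != 1 or not ambush_digit.isdigit():
            raise ValueError("ambush digit must be a single digit")
        codes = set(codes)
        # A code that equals another code plus the ambush digit would make
        # normal entry of the longer code look like a duress entry.
        for code in codes:
            if code + ambush_digit in codes:
                raise ValueError("code + ambush digit collides with another code")
        self._codes = sorted(codes)
        self._ambush = ambush_digit

    def enter(self, keyed):
        normal = duress = False
        # Compare against every code in constant time with no early exit,
        # so response time does not reveal which branch matched.
        for code in self._codes:
            normal |= hmac.compare_digest(keyed.encode(), code.encode())
            duress |= hmac.compare_digest(
                keyed.encode(), (code + self._ambush).encode())
        # The door opens in both cases; only the hidden relay differs.
        return EntryResult(door_relay=normal or duress, ambush_relay=duress)


def demo():
    # Constructed sample codes, not taken from any real installation.
    pad = Keypad(codes=["4821", "7730"], ambush_digit="9")
    return [pad.enter(k) for k in ("4821", "48219", "4822", "9")]
```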
          • omer mussaev
            Message 5 of 16 , Dec 2, 2004
              --- Nadav Har'El <nyh@...> wrote:

              > On Wed, Dec 01, 2004, Tzahi Fadida wrote about "RE: [hackers-il] network eavesdropping":
              > >
              > > I think that many people don't know that encryption of the HD is pretty
              > > worthless since
              > > if you are a criminal and go to court then you will be requested to
              > > decrypt the information
              > > or be in a state of contempt of court and stay in jail until you open it.
              > > You'd better destroy the data in that case.
              >
              > This is the same issue as those new "code" machines in cars. Criminals find
              > it hard(?) to break them, but it's trivial when they can just point a gun
              > at you and tell you "Hey, you know the code - punch it in! now!", which
              > makes them armed robbers.
              >
              > The government threatening you until you give them your keys is exactly
              > like armed robbery, in this context.


              This reminds me of an old story by JWZ:
              http://www.jwz.org/gruntle/rbarip.html

              > --
              > Nadav Har'El | Wednesday, Dec 1 2004, 18 Kislev 5765
              > nyh@...


              =====
              --
              o.m.


