Gentoo Forums
Governmental Hacking

GNUtoo
Veteran

Joined: 05 May 2005
Posts: 1919

Posted: Tue Dec 11, 2007 3:24 pm

a second channel could be tor+privoxy:
having tor is like being elsewhere...
with a web page where you can know your ip and a geolocation service (there is one that is free), or with the dns name of the ip (.de for instance), you could know where the exit node is...
and because the tcp traffic that goes through tor is encrypted from your computer to the exit node... your isp couldn't change the data inside...
but the exit node (that is in another country) can... but they wouldn't make the same changes as your isp...
so let's compare the isp and the exit node to tell if they modify the files...
maybe someone should write a little program to digest all these files and compare both digests:
->rsync without portage but with the normal rsync command... both with and without tor
->merge all digests together
->diff the 2 digests
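
One way to write the "little program" proposed in the post above, as an added example that is not part of the original post: it digests every file under two local copies of a tree (one fetched directly, one through tor) and lists the paths that differ. The function names and directory arguments are assumptions; two mirrors synced at different times also differ legitimately, so a mismatch is something to inspect by hand rather than proof of tampering.

```python
import hashlib
import os
import sys


def tree_manifest(root):
    """Map each path under root (relative) to a SHA-256 digest of its content."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        links = [d for d in dirnames if os.path.islink(os.path.join(dirpath, d))]
        for name in sorted(filenames + links):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                # Record where a symlink points instead of reading through it.
                manifest[rel] = "link:" + os.readlink(full)
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    digest.update(chunk)
            manifest[rel] = digest.hexdigest()
    return manifest


def compare_manifests(direct, via_tor):
    """Return paths present on one side only and paths whose digests differ."""
    common = set(direct) & set(via_tor)
    return {
        "only_direct": sorted(set(direct) - common),
        "only_tor": sorted(set(via_tor) - common),
        "changed": sorted(p for p in common if direct[p] != via_tor[p]),
    }


def main(argv):
    # Assumption: argv[1] is the copy fetched directly, argv[2] the copy via tor.
    if len(argv) != 3:
        print("usage: compare_trees.py DIRECT_DIR TOR_DIR", file=sys.stderr)
        return 2
    diff = compare_manifests(tree_manifest(argv[1]), tree_manifest(argv[2]))
    for kind, paths in diff.items():
        for path in paths:
            print(f"{kind}\t{path}")
    return 1 if any(diff.values()) else 0  # like diff(1): 1 means mismatch


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
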
speeddemon
Apprentice

Joined: 27 Sep 2003
Posts: 162

Posted: Tue Dec 11, 2007 4:29 pm

GNUtoo wrote:
a second channel could be tor+privoxy:
having tor is like being elsewhere...
with a web page where you can know your ip and a geolocation service (there is one that is free), or with the dns name of the ip (.de for instance), you could know where the exit node is...
and because the tcp traffic that goes through tor is encrypted from your computer to the exit node... your isp couldn't change the data inside...
but the exit node (that is in another country) can... but they wouldn't make the same changes as your isp...
so let's compare the isp and the exit node to tell if they modify the files...
maybe someone should write a little program to digest all these files and compare both digests:
->rsync without portage but with the normal rsync command... both with and without tor
->merge all digests together
->diff the 2 digests

Although I don't know for sure how tor works, it still wouldn't be secure. Any online encryption like that still relies on 2 part public/private keys. It's still vulnerable to a man in the middle attack from the ISP. Your first packets will always have to have the public key, and it will be transmitted in the open.

The reason most people consider this kind of encryption secure is because they are assuming the ISP is secure. If it becomes compromised, well then, better start sending smoke signals.

You have to have a non-internet way of communication to share encryption keys if your ISP is not secure.
Genone
Retired Dev

Joined: 14 Mar 2003
Posts: 9538
Location: beyond the rim

Posted: Wed Dec 12, 2007 12:41 am

Just to provide some background to people not familiar with the current discussion in Germany:
The issue is that the BKA (think German FBI) and possibly other law enforcement agencies want to secretly install spyware (known as "Bundestrojaner" in the media, officially it's currently called "Remote Forensic Software") on the computer of a given suspect (with the usual "we need this against terrorists" explanation) to examine both existing data and current activities and communication. Main argument is that they want to bypass encryption that way by getting the information before it's encrypted. As they haven't provided many details regarding the technical implementation of this, people have tried to come up with possible scenarios for how they could install such a tool reliably. And AFAIK there are only three generally viable scenarios:
- physical access
- using unknown software exploits/backdoors
- seizing control over the ISP connection to poison downloads (which is what this thread is about)
And to add some numbers about scope, the director of the BKA said that "there maybe would be a dozen such incidents per year", but that number is generally questioned.

PS: I've just posted this so the motivation of the OP and the scope of this issue become a bit clearer, please let's not start a discussion about the (non)sense of the spyware idea itself in this thread.
GNUtoo
Veteran

Joined: 05 May 2005
Posts: 1919

Posted: Thu Dec 13, 2007 6:45 pm

Quote:
- seizing control over the ISP connection to poison downloads (which is what this thread is about)

they could easily do it...
they have already modified web pages in canada:
http://yro.slashdot.org/article.pl?sid=07/12/11/2321221
ahurst
Tux's lil' helper

Joined: 23 Oct 2006
Posts: 88
Location: Sheffield, UK

Posted: Fri Dec 14, 2007 12:03 pm

I think ...
The only truly reliable end-to-end channel is a quantum encrypted one: i.e. one that changes state by being read.
http://en.wikipedia.org/wiki/Quantum_cryptography

Otherwise, exchanging a public key in person by writing it in pencil on an envelope, in a randomly chosen location, so that no-one else can possibly read it with e.g. high power optics (i.e. in a covered, randomly selected location) will only keep you secure, over an insecure channel, for as long as it takes to break the key by brute force. Remember there are some awfully big and hugely parallel transistor and FPGA based computers out there designed to do precisely that, let alone future devices.
( interesting read )

Anything else really can be defeated by a man-in-the-middle attack, by interception at the key sharing stage (in either direction).
... but I might be wrong.
depontius
Advocate

Joined: 05 May 2004
Posts: 3509

Posted: Fri Dec 14, 2007 2:14 pm

ahurst wrote:
I think ...
The only truly reliable end-to-end channel is a quantum encrypted one: i.e. one that changes state by being read.
http://en.wikipedia.org/wiki/Quantum_cryptography

Otherwise, exchanging a public key in person by writing it in pencil on an envelope, in a randomly chosen location, so that no-one else can possibly read it with e.g. high power optics (i.e. in a covered, randomly selected location) will only keep you secure, over an insecure channel, for as long as it takes to break the key by brute force. Remember there are some awfully big and hugely parallel transistor and FPGA based computers out there designed to do precisely that, let alone future devices.
( interesting read )

Anything else really can be defeated by a man-in-the-middle attack, by interception at the key sharing stage (in either direction).
... but I might be wrong.


Security is a trade-off. You have to realize that it isn't a boolean, that you work harder, spend more, and put up with more inconvenience, and you get more. But eventually you run into the locked closet in the sub-basement in a building on a planet orbiting Alpha Centauri, with a "Beware of Alligators!!" sign on the door. Utterly unusable. Find the security point that suits you.

That said, anyone who can afford the brute-force devices to break your (or my) keys can probably just afford to hire someone to break into your (or my) house and install a keylogger, or just plain afford to take out a contract on either or both of us.

I'm paranoid about 133t hax0rs, organized crime, and casual government surveillance. I'm not going to be able to stop the really determined ones, and the repercussions of actually stopping them might be even worse than letting them get what they want.
_________________
.sigs waste space and bandwidth
asterisc
n00b

Joined: 13 Nov 2007
Posts: 13
Location: Cluj

Posted: Fri Dec 14, 2007 2:15 pm

ahurst wrote:

The only truly reliable end-to-end channel is a quantum encrypted one: i.e. one that changes state by being read.
http://en.wikipedia.org/wiki/Quantum_cryptography
...
Anything else really can be defeated by a man-in-the-middle attack, by interception at the key sharing stage (in either direction).
... but I might be wrong.

This one can also be defeated. The link you provided explains how (Eve acting as a receiver for Alice and as a sender for Bob).
_________________
There are lies, damn lies and statistics!
ahurst
Tux's lil' helper

Joined: 23 Oct 2006
Posts: 88
Location: Sheffield, UK

Posted: Fri Dec 14, 2007 3:02 pm

asterisc:
Oh dear!
And I dare say a service provider offering a quantum encrypted data link would be just as susceptible to being leant on for access, as would any ISP.

Any miscreant worth his/her salt should be clever enough to realise secure communication over the Internet relies on taking some very careful precautions.
Presumably then, as a proportion of crooks out there, the law enforcers will be dredging out the more stupid ones rather than creaming off the clever ones with this policy.
In some ways I'm glad that Darwinian evolution still applies to some areas of society, but on the other hand, I'd rather the criminal underworld weren't one of the few sectors of humanity benefitting from it. The long term effect is: more clever criminals!
steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Sat Dec 15, 2007 7:24 am

ahurst wrote:
In some ways I'm glad that Darwinian evolution still applies to some areas of society, but on the other hand, I'd rather the criminal underworld weren't one of the few sectors of humanity benefitting from it. The long term effect is: more clever criminals!

Indeed; one might even suspect that it was all a method of extracting remuneration from the average schmoe, but that would be paranoid. Anyone can see the elite (on either supposed side) care about us.. ;P

It's much easier just to be transparent. That's where data protection is supposed to help wrt the reasonable expectation of privacy, cf the recent IRC furore (I'll find a link later, just running outta the house.)
fahad_se
n00b

Joined: 18 Dec 2007
Posts: 2
Location: lahore, pakistan

Posted: Tue Dec 18, 2007 1:53 pm    Post subject: what if we say?

what if we say?
we can never be called bug free
_________________
genius born once in a century
steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Tue Dec 18, 2007 4:15 pm

http://blog.freenode.net/?p=62 is the link for that recent IRC controversy.
crackytron
n00b

Joined: 16 Nov 2007
Posts: 24

Posted: Wed Dec 19, 2007 1:30 pm

Can you not proxy sync through an SSH tunnel to somewhere less insane? I haven't tried it but I'd be surprised if it was not possible.
_________________
welp
All times are GMT
Page 2 of 2