View previous topic :: View next topic |
Author |
Message |
GNUtoo Veteran
Joined: 05 May 2005 Posts: 1919
|
Posted: Tue Dec 11, 2007 3:24 pm Post subject: |
|
|
a second channel could be tor+privoxy:
having tor is like beeing elsewhere...
with a web page where you can know your ip and a geolocalisation service(there is one that is free) or with the dns name of the ip(.de for instance) you could know where is the exit node...
and because the tcp traffic that goes trough tor is encrypted from your computer to the exit node...your isp couldn't change the data there is inside...
but the exit node(that is in another courntry) can...but they wouldn't make the same changes as your isp...
so let's compare the isp and the exit node to tell if they modify the files...
mabe someone should do a little program to digest all theses files and compare both digest:
->rsync without portage but with the normal rsync command...both with and without tor
->merge all digest together
->diff the 2 digests |
|
Back to top |
|
|
speeddemon Apprentice
Joined: 27 Sep 2003 Posts: 162
|
Posted: Tue Dec 11, 2007 4:29 pm Post subject: |
|
|
GNUtoo wrote: | a second channel could be tor+privoxy:
having tor is like beeing elsewhere...
with a web page where you can know your ip and a geolocalisation service(there is one that is free) or with the dns name of the ip(.de for instance) you could know where is the exit node...
and because the tcp traffic that goes trough tor is encrypted from your computer to the exit node...your isp couldn't change the data there is inside...
but the exit node(that is in another courntry) can...but they wouldn't make the same changes as your isp...
so let's compare the isp and the exit node to tell if they modify the files...
mabe someone should do a little program to digest all theses files and compare both digest:
->rsync without portage but with the normal rsync command...both with and without tor
->merge all digest together
->diff the 2 digests |
Although I don't know for sure how tor works, it still wouldn't be secure. Any online encryption like that still relies on 2 part public/private keys. Its still vulnerable to a man in the middle attack from the ISP. You first packets will always have to have the public key, and it will be transmitted in the open.
The reason most people consider this kind of encryption secure is because they are assuming the ISP is secure. If it becomes compromised, well then, better start sending smoke signals.
You have to have a non-internet way of communication to share encryption keys if your ISP is not secure. |
|
Back to top |
|
|
Genone Retired Dev
Joined: 14 Mar 2003 Posts: 9538 Location: beyond the rim
|
Posted: Wed Dec 12, 2007 12:41 am Post subject: |
|
|
Just to provide some background to people not familiar with the current discussion in Germany:
The issue is that the BKA (think German FBI) and possibly other law enforcement agencies want to secretly install spyware (known as "Bundestrojaner" in the media, officially it's currently called "Remote Forensic Software") on the computer of a given suspect (with the usual "we need this against terrorists" explanation) to examine both existing data and current activities and communication. Main argument is that they want to bypass encryption that way by getting the information before it's encrypted. As they haven't provided many details regarding the technical implementation of this people have tried to come up with possible scenarios how they could install such a tool reliably. And AFAIK there are only three generally viable scenarios:
- physical access
- using unknown software exploits/backdoors
- seizing control over the ISP connection to poison downloads (which is what this thread is about)
And to add some numbers about scope, the director of the BKA said that "there maybe would be a dozen such incidents per year", but that number is generally questioned.
PS: I've just posted this so the motivation of the OP and the scope of this issue becomes a bit clearer, please lets not start a discussion about the (non)sense of the spyware idea itself in this thread |
|
Back to top |
|
|
GNUtoo Veteran
Joined: 05 May 2005 Posts: 1919
|
Posted: Thu Dec 13, 2007 6:45 pm Post subject: |
|
|
Quote: | - seizing control over the ISP connection to poison downloads (which is what this thread is about) |
they could easely do it...
they already have modified web page in canada:
http://yro.slashdot.org/article.pl?sid=07/12/11/2321221 |
|
Back to top |
|
|
ahurst Tux's lil' helper
Joined: 23 Oct 2006 Posts: 88 Location: Sheffield, UK
|
Posted: Fri Dec 14, 2007 12:03 pm Post subject: |
|
|
I think ...
The only truly reliable end-to-end channel is a quantum encrypted one: i.e. one that changes state by being read.
http://en.wikipedia.org/wiki/Quantum_cryptography
Otherwise, exchanging a public key in person by writing it in pencil on an envelope, in a randomly chosen location, so that no-one else can possibly read it with e.g. high power optics (i.e. in a covered, randomly selected location) will only keep you secure, over an insecure channel, for as long as it takes to break the key by brute force. Remember there are some awfully big and hugely parallel transistor and FPGA based computers out there designed to do precisely that, let alone future deivces.
( interesting read )
Anything else really can be defeated by a man-in-the-middle attack, by interception at the key sharing stage (in either direction).
... but I might be wrong. |
|
Back to top |
|
|
depontius Advocate
Joined: 05 May 2004 Posts: 3509
|
Posted: Fri Dec 14, 2007 2:14 pm Post subject: |
|
|
ahurst wrote: | I think ...
The only truly reliable end-to-end channel is a quantum encrypted one: i.e. one that changes state by being read.
http://en.wikipedia.org/wiki/Quantum_cryptography
Otherwise, exchanging a public key in person by writing it in pencil on an envelope, in a randomly chosen location, so that no-one else can possibly read it with e.g. high power optics (i.e. in a covered, randomly selected location) will only keep you secure, over an insecure channel, for as long as it takes to break the key by brute force. Remember there are some awfully big and hugely parallel transistor and FPGA based computers out there designed to do precisely that, let alone future deivces.
( interesting read )
Anything else really can be defeated by a man-in-the-middle attack, by interception at the key sharing stage (in either direction).
... but I might be wrong. |
Security is a trade-off. You have to realize that it isn't a boolean, that you work harder, spend more, and put up with more inconvenience, and you get more. But eventually you run into the locked closet in the sub-basement in a building on a planet orbiting Alpha Centauri, with a "Beware of Alligators!!" sign on the door. Utterly unusable. Find the security point that suits you.
That said, anyone who can afford the brute-force devices to break your (or my) keys can probably just afford to hire someone to break into your (or my) house and install a keylogger, or just plain afford to take out a contract on either or both of us.
I'm paranoid about 133t hax0rs, organized crime, and casual government surveillance. I'm not going to be able to stop the really determined ones, and the repercussions of actually stopping them might be even worse than letting them get what they want. _________________ .sigs waste space and bandwidth |
|
Back to top |
|
|
asterisc n00b
Joined: 13 Nov 2007 Posts: 13 Location: Cluj
|
Posted: Fri Dec 14, 2007 2:15 pm Post subject: |
|
|
ahurst wrote: |
The only truly reliable end-to-end channel is a quantum encrypted one: i.e. one that changes state by being read.
http://en.wikipedia.org/wiki/Quantum_cryptography
...
Anything else really can be defeated by a man-in-the-middle attack, by interception at the key sharing stage (in either direction).
... but I might be wrong. |
These one can also be defeated. In the link you provided, explains how (Eve acting as a receiver for Alice and as a sender for Bob) _________________ There are lies, damn lies and statistics! |
|
Back to top |
|
|
ahurst Tux's lil' helper
Joined: 23 Oct 2006 Posts: 88 Location: Sheffield, UK
|
Posted: Fri Dec 14, 2007 3:02 pm Post subject: |
|
|
asterisc:
Oh dear!
And I dare say a service provider offering a quantum encrypted data link would be just as susceptible to being leant on for access, as would any ISP.
Any miscreant worth his/her salt should be clever enough to realise secure communication over the Internet relies on taking some very careful precautions.
Presumably then, as a proportion of crooks out there, the law enforcers will be dredging out the more stupid ones rather then creaming off the clever ones with this policy.
In some ways I'm glad that Darwinian evolution still applies to some areas of society, but on the other hand, I'd rather the criminal underworld weren't one of the few sectors of humanity benefitting from it. The long term effect is: more clever criminals! |
|
Back to top |
|
|
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
|
Posted: Sat Dec 15, 2007 7:24 am Post subject: |
|
|
ahurst wrote: | In some ways I'm glad that Darwinian evolution still applies to some areas of society, but on the other hand, I'd rather the criminal underworld weren't one of the few sectors of humanity benefitting from it. The long term effect is: more clever criminals! |
Indeed; one might even suspect that it was all a method of extracting remuneration from the average schmoe, but that would be paranoid. Anyone can see the elite (on either supposed side) care about us.. ;P
It's much easier just to be transparent. That's where data protection is supposed to help wrt the reasonable expectation of privacy, cf the recent IRC furore (I'll find a link later, just running outta the house.) |
|
Back to top |
|
|
fahad_se n00b
Joined: 18 Dec 2007 Posts: 2 Location: lahore, pakistan
|
Posted: Tue Dec 18, 2007 1:53 pm Post subject: what if we say? |
|
|
what if we say?
we can never be called bug free _________________ genius born once in a century |
|
Back to top |
|
|
steveL Watchman
Joined: 13 Sep 2006 Posts: 5153 Location: The Peanut Gallery
|
|
Back to top |
|
|
crackytron n00b
Joined: 16 Nov 2007 Posts: 24
|
Posted: Wed Dec 19, 2007 1:30 pm Post subject: |
|
|
Can you not proxy sync through a SSH tunnel to somewhere less insane? I haven't tried it but I'd be surprised if it was not possible. _________________ welp |
|
Back to top |
|
|
|