On Saturday 11 Jun 2016 21:48:49 Dale wrote:
> Mick wrote:
> > On Saturday 11 Jun 2016 17:57:11 Dale wrote:
> >> Howdy,
> >> 
> >> I ran up on a video website that had some info on it.  I found it
> >> interesting and was curious about what it said and another question I
> >> been wondering about.  It mentioned using a VPN so that the NSA, my ISP
> >> and others couldn't "see" what was going on.
> > 
> > I don't think there is any VPN service offered for a fee to the public that
> > hasn't been compromised by the NSA, with or without the cooperation of its
> > owners (unless it is based outside the USA).
> > 
> > At a basic level a VPN tunnel is no different in functionality from SSH.
> > Like SSH both ends (local & remote peers) must be able to negotiate a
> > connection over the VPN tunnel.  High(er) grade ciphers, PFS and SSL
> > certificates create a more secure tunnel than otherwise would be the
> > case.
> 
> After the Snowden thing, I read an article that talked about how the NSA
> could monitor https data and decrypt it basically, live.  In other
> words, they didn't have to spend time breaking it because they already
> knew how to break it with some sort of backdoor method.  I don't recall
> where the article was just that it was a site I've seen mentioned a fair
> amount when it comes to geeky/nerdy stuff.  In other words, not some
> site just looking to stir the pot.

Yes, the NSA has used supercomputers to precalculate large primes for at least
up to 1024-bit DHE, as used by many VPN and SSL connections.


> >> So, my first question,
> >> does that work and does it require the site on the other end to have it
> >> set up as well?
> > 
> > BOTH sites must be able to negotiate a tunnel, using the same ciphers.
> > IKE VPNs are more fiddly to set up and troubleshoot than SSH.
> > 
> >> Bonus question, is it easy to use on any site if it
> >> doesn't require the other end to use it?
> > 
> > The way these public VPN services work is by acting as a proxy
> > server forwarding your connection onward to your intended website,
> > without revealing your local IP address.  As long as the connection to
> > the intended website is also encrypted, e.g. over https, then your
> > connection remains both anonymous and secure.
> 
> This explains some of what I read on the link Dutch posted.  Since https
> seems to have already been broken, well, there goes that.

Only some of it is broken, depending on the configuration of the particular 
webserver and the browser.  Banks in particular used to configure their web 
servers to the lowest common denominator (mostly for their customers' MSIE 
compatibility) and until the Snowden revelations came out many banks were 
still using RC4 SSL ciphers.


> >> I'm thinking of using this for
> >> my banking/financial sites as well if it is a good idea.
> > 
> > Good idea if you are out and about a lot, using unsecured public WiFi for
> > this purpose.  Depending on how you can configure your Linksys you could
> > use your own local network for the same purpose, i.e. as a SOCKS5 server.
> 
> I only access my bank and such from my desktop.  I don't have a laptop
> or one of those smart phones either.  I wouldn't mind a laptop but not
> interested in a smart phone.  That said, I've been notified by my cell
> phone folks that I have to get a newer phone before they do their tower
> upgrade.  If I don't, my phone won't work any more.  I have an old
> Motorola Razr thingy.  Hey, it makes/receives calls and does a decent
> text.  It works.  I also don't butt dial since it is a flip phone.  lol

When you get yourself a smart phone you should be able to use its VPN client
to connect to your home's LAN and then bounce off to the Internet from there.
Or you can wait until you get back home and browse the Internet using a normal
size screen.  :p


> >> This is something I've been wondering about and I've seen a few posts here
> >> that bump around the edges of this question.  As most here know, I use
> >> Gentoo.  It's an older install but I keep it up to date.  I sit behind a
> >> DSL modem, an older Westell one, and a Linksys router, the old blue nosed
> >> one.  Neither modem nor router has wireless stuff included.  Is that
> >> hardware and my Gentoo install pretty secure for most hackers?  In other
> >> words, since I don't keep the formula to run car/truck engines on water
> >> here, would this stop most since there is nothing worth stealing here?
> > 
> > You haven't given this much thought ... How would all these hackers who
> > want to steal the secret of running car engines on water, know that you
> > have nothing worth stealing in your secret lab?
> 
> Well, I'm sure a lot can be told by the fact that I'm on a basic home
> DSL account.  I'm not on J. B. Blow's secret services network.   Now if I
> had a super fast connection that had something interesting in the name,
> then I could see someone peeking around and thinking, let's go break
> into this network because he has some neat stuff to steal.  Basically,
> I'm not NSA.gov.  ;-)  Although, it would be odd but funny to read about
> the NSA being hacked since they are the ones nosing into everyone else's
> stuff.  o_O

Malicious hackers and state actors scan all networks for victims.  You may
have no data of interest, but many hackers wouldn't mind adding your PC to
their botnet herd.


> >> I'm not interested in a NSA based hardened install here, just reasonably
> >> secure.
> >> 
> >> Basically, I'm just wanting to make sure I'm reasonably secure here.
> >> 
> >> Dale
> >> 
> >> :-)  :-)
> > 
> > I guess you are reasonably secure, if by secure you mean protecting your
> > LAN from unwanted penetration and you have a firewall configured on the
> > Linksys, your PC's are NAT'ed and finally you have a firewall configured
> > on your Gentoo PCs.  However, being secure is a relative term and in your
> > case ill defined.
> 
> There is a website somewhere out there that scans to see if a puter can
> be seen or not.  I've ran it before and it always gives me a clean bill
> of health.  Basically, the only port it sees is the one it is using to
> do the test.  Sort of hard to break into something they can't see but
> I'm sure there is some hacker out there somewhere that could get around
> that too.

Security by obscurity, which is what the GRC 'Shields Up' port scan website 
proposes, offers no security at all.  Don't get me wrong, S Gibson has set up 
a really good marketing enterprise at grc.com and made tons of money by 
spreading FUD.  In the days of MSWindows 98 when ports and shared folders were 
inadvertently left open to the Internet with no firewalls in-between, port 
stealth was one desperate measure to increase security.  However, the fact a 
port may not respond to a probe does not mean in any way that the port is not 
vulnerable to attack.  Thankfully, I don't think many of us are using 
MSWindows 98 directly connected to the Internet these days.  ;-)


> I'm not going to dream about being as secure as a bank or
> something.  It's not reasonable to think I could do that.  

Hmm ... I wouldn't be that sure.  Gentoo well configured is pretty secure and
does not use RC4 ciphers or allow connections to be degraded to lower
strength ciphers like some banks do.  In addition, I hope you have not
outsourced responsibility for your own network's security to some underpaid
drone in a 3rd world country, as your bank probably has.


> I just want
> to be reasonably secure given what I can reasonably do.  I've had folks
> tell me that DSL is more secure than cable service.  I've also read that
> having a router added into the mix also helps, since it is one more step
> they have to make.  Hopefully that is enough.

OK, we're back into discussions that may have held true back in 1998 ....
Cable modems operated as a node exposing local users' connections to each
other.  You used to be able to connect to a neighbour's MSWindows 98 PC and
browse his files.  These days cable nodes implement the DOCSIS 3.0 or 3.1 spec.,
which includes encryption between CMTS and modem.  In addition, most modern
cable modems also offer NAT routing.  So the security of consumer LANs is the
same as with your typical DSL router.
 

> I've been running Linux for over a decade.  So far, I've never had
> anyone hack into anything here.  

How would *you* know?  ;-)

> I use Lastpass to handle my passwords
> and use a pretty secure master password.  I just try to do the things I
> can to make it at least difficult.  If someone wants to go to the
> trouble to break in to find out that I'm subscribed on a bunch of Linux
> mailing lists, well, they deserve what they get.  ROFL
> 
> Thanks.
> 
> Dale
> 
> :-)  :-)

-- 
Regards,
Mick
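As an added example (not code from this thread, from Mick or Dale, or from Gentoo), here is a short Python script that checks cipher-suite names and DHE group sizes against the points raised above (RC4, servers that let a client negotiate down to low-strength suites, and 1024-bit DHE groups) and builds a client-side `ssl` context that cannot be negotiated down to any of them. The sample "legacy server" offer, including its 1024-bit DH figure, is constructed input for illustration, and the 2048-bit minimum is an assumed threshold; the `ssl` calls are Python's standard library.

```python
"""Audit TLS suite choices against the weaknesses discussed in the thread
(RC4, downgrade to low-strength suites, small DHE groups) and build a client
context that refuses them.  Added example; sample data below is constructed."""
import re
import ssl

# Assumed threshold: 1024-bit finite-field DH groups are the size the thread
# worries about, so require at least 2048 bits for a DHE suite.
MIN_DH_BITS = 2048

# OpenSSL-style suite names; each pattern marks one class of weak suite.
WEAK_PATTERNS = {
    "RC4":       re.compile(r"RC4"),
    "MD5":       re.compile(r"MD5"),
    "DES/3DES":  re.compile(r"DES"),          # "AES" does not match
    "EXPORT":    re.compile(r"^EXP"),
    "NULL/anon": re.compile(r"NULL|^A(EC)?DH-"),  # no encryption / no auth
}


def audit_suite(name, dh_bits=None):
    """Return the list of problems with one suite name (empty means OK).

    dh_bits is the size of the server's ephemeral DH group for DHE/EDH suites;
    pass None for ECDHE or RSA key exchange, where it does not apply."""
    problems = [label for label, pat in WEAK_PATTERNS.items() if pat.search(name)]
    if name.startswith(("DHE-", "EDH-")):
        if dh_bits is None:
            problems.append("DHE group size unknown")
        elif dh_bits < MIN_DH_BITS:
            problems.append(f"DHE group only {dh_bits} bits (< {MIN_DH_BITS})")
    return problems


# Constructed sample: what a scanner might report for a legacy server that,
# as the thread describes, accepts whatever an old browser offers.
LEGACY_OFFER = [
    ("RC4-SHA", None),
    ("DES-CBC3-SHA", None),
    ("DHE-RSA-AES256-SHA", 1024),
    ("ECDHE-RSA-AES128-GCM-SHA256", None),
]


def audit_offer(offer):
    """Map each (suite, dh_bits) pair to its list of problems."""
    return {name: audit_suite(name, bits) for name, bits in offer}


def hardened_client_context():
    """Client context that cannot be talked down to any suite flagged above.

    Only ECDHE AEAD suites are offered, so the server never gets to pick a
    finite-field DH group for us at all; the '!' entries make the exclusions
    explicit even if the positive list is edited later."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:"
                    "!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES:!3DES")
    return ctx


def context_weak_suites(ctx, dh_bits=None):
    """Names of suites the context would still offer that audit_suite flags."""
    return [c["name"] for c in ctx.get_ciphers() if audit_suite(c["name"], dh_bits)]


if __name__ == "__main__":
    for name, problems in audit_offer(LEGACY_OFFER).items():
        print(f"{name:32} {'OK' if not problems else ', '.join(problems)}")
    print("weak suites left in hardened context:",
          context_weak_suites(hardened_client_context()))
```

Running it prints the two weak suites and the 1024-bit DHE entry as flagged, the ECDHE-GCM suite as OK, and an empty list for the hardened context. The same `set_ciphers` string (or its equivalent `SSLCipherSuite` / `ssl_ciphers` line) is what a server operator would set to stop offering RC4 in the first place, which is the downgrade problem the thread attributes to the banks' configurations.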
