OMG Paul,

On Wed, Jun 26, 2013 at 9:19 AM, Paul Mooring <[email protected]> wrote:

> Matt,
>
> There couldn't be a saner point to add to this conversation. I'm
> frequently surprised at how even people who understand computers and
> networking treat security as some sort of dark magic. If you have a fully
> patched Linux desktop with no externally listening services, no one (not
> even the NSA) can get in without going to extreme lengths.

Wait, let me send you a PDF file, since you are sure to be running a browser from here, or better yet, point you to a nice JavaScript plugin, like BeEF? <http://beefproject.com/>

> People are so frightened by the PRISM controversy that they aren't
> acknowledging that it's great insight into how the government really does
> gather data, they ask for it while holding a really big gun. There were no
> crazy backdoors or complex exploits involved, they just told companies that
> had data to give it to them and the companies complied. The lesson we
> should be learning from this is that data you put on the Internet is not
> private, ever.
>

Well said Paul. It reminds me of the quote "A completely secure server is one buried in concrete 30 feet down." Hopefully, that is including all TCP/IP services because the Linux kernel can be trivially fuzzed. <http://resources.infosecinstitute.com/intro-to-fuzzing/>

Even with encryption and PGP keys (all forms of encryption <http://it-clowns.com/c/files/drawer/crypt.ppt> have been broken) all our information is available. Even on our internal networks, our SSH and HTTPS sessions are easy to hijack and intercept without VPN/VLAN (and some even with).

>
> Paul Mooring
> Operations Engineer
> www.opscode.com
>
> Also see my comments below:
>
> > From: Lisa Kachold
> > It's trivial to send you a PDF or Javascript Browser Exploitation BeEF
> > hook and walk through your systems
>
> How do NoScript and using evince/kpdf instead of Acrobat Reader affect
> those trivial exploits?
>

NoScript stops the BeEF from hooking. You open a PDF with exploits or shellcode and you're still owned.
>
> > agents that can be delivered via email (Kaseya or LivePerson) and J2EE
> > exploits that can be launched easily = opening you wide.
>
> Of course, if you're using a mail client that executes things found in
> attachments, you'll get pwn3d quickly. Are there any mail clients that do
> those things in this day and age?
>

Microsoft Outlook is the only one I can think of, other than the versions in BlackBerry phones made to use the same type of email "view panes".

> I thought they'd even partially fixed
>

Not completely!

> Outhouse in that respect. J2EE? Who has all the components of J2EE
> installed (besides Java developers)? In the last 5 years, I've seen
> exactly 2 Java applets in the wild. Client-side Java is *uncommon* in the
> modern WWW AFAICT; the things people used to use Java for have been taken
> over by Flash/JS.
>

That's due to browser security = but you can still easily GET a J2EE virus/infection (in all manner of ways from Win7 to SAP to Linux/Mac).

>
> > Surveillance technology continues from all your expenditures, all your
> > travel (license plate readers), and your phone behaviors, and can include
> > remote viewing (without camera technology you would recognize).
>
> I can see how it'd be easy to track credit card transactions (bank records)
> and car movements (via traffic cameras). Could you explain "remote viewing
> without camera technology" more clearly?
>

It's a common tool that allows the military to see inside of buildings.
ARGUS uses it: http://motherboard.vice.com/blog/pretty-soon-drones-will-be-able-to-see-inside-your-bedroom

>
> --
> Matt G / Dances With Crows
> The Crow202 Blog: http://crow202.org/wordpress/
> There is no Darkness in Eternity/But only Light too dim for us to see
>
> ---------------------------------------------------
> PLUG-discuss mailing list - [email protected]
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>

--
(503) 754-4452 Android
(623) 239-3392 Skype
(623) 688-3392 Google Voice
**
it-clowns.com <http://it-clowns.com/d/>
Chief Clown
