Re: Broadband Router Comparisons

2015-12-27 Thread Valdis . Kletnieks
On Sun, 27 Dec 2015 08:37:25 +0100, Mikael Abrahamsson said:
> If someone like Consumer Reports or similar agency started testing and
> rating devices on these things like long-time support, automatic updates,
> software quality etc, and not just testing wifi speed as a factor of
> distance, we might get somewhere.

As finally we come full circle to the original question "who, if anybody,
has a list of which things are crap and which aren't" :)




Re: Broadband Router Comparisons

2015-12-27 Thread Mikael Abrahamsson

On Sun, 27 Dec 2015, valdis.kletni...@vt.edu wrote:

> As finally we come full circle to the original question "who, if
> anybody, has a list of which things are crap and which aren't" :)


Yep, and as far as I know, this list doesn't exist because people don't
care enough that someone would put the effort into creating such a
list.


--
Mikael Abrahamsson    email: swm...@swm.pp.se


Re: de-peering for security sake

2015-12-27 Thread Owen DeLong

> On Dec 26, 2015, at 20:35 , Baldur Norddahl  wrote:
> 
> Owen you misunderstood what two factor is about. It is not practical to
> brute force the key file. Nor is it practical to brute force a good
> passphrase or password. Both have sufficient strength to withstand attack.

This simply isn’t as true as it’s assumed to be, but let’s move on for the 
moment.

> But two factor is about having two things that needs to be broken. The key
> can be stolen, but the thief needs the password. The password can be
> stolen, but the thief needs the key. He needs both.

If the key file is stolen, you have one search space, the pass phrase to unlock 
the key.

If the key file is not stolen, you have one search space: the key.

> SSH password + key file is accepted as two factor by PCI DSS auditors, so
> yes it is in fact two factor.

PCI DSS auditors think that NAT is a form of security, so don’t get me started
on the fact that the PCI DSS auditors haven’t a clue about actual security.
PCI DSS is more about security theater than security. In some ways, they’re
even less competent than the TSA.

> But it is weak two factor because the key file is too easily stolen. NOT
> because the key file can be brute forced. Nor because hypothetically
> someone could memorize the content of the key file.

Either way, you only have one search space. If you don’t have the key file,
then the key is your search space. If you have the key file, then the
passphrase may be an easier search space.

> It is also weak because the key file can be duplicated. Note it does not
> stop being two factor because of this, but stronger hardware based two
> factor systems usually come with the property that it is very hard to
> duplicate the key. Other examples of a two factor system were the key is
> easy to duplicate is credit card with magnetic strip + pin. Example where
> it is hard to duplicate is credit card with chip + pin. Both are examples
> of where the password (the pin) is actually very weak, but it is still two
> factor.

To actually be two-factor, it needs to be two of something you have, something
you know, something you are. The strongest combination is something you know
and something you are (e.g. Retina, hand scan, etc. combined with PIN/Password).

SSH Key protected by pass phrase is just two things you know. Admittedly, one
of them is a thing you know because you stored it on disk instead of memorizing
it, but it’s not really something you have because as you pointed out, it can be
easily duplicated and also it can be transported without requiring physical
movement.

Something you have, in order to truly be a second factor, has to be a unique
item that is:
1.  In your possession
2.  Cannot be (easily) duplicated without your knowledge
    (The greater the degree of difficulty for duplication, the better this is,
    but a Schlage key, for example, is sufficiently difficult to qualify in most
    cases).
3.  Theft can be reliably detected by the fact it is no longer in your
    possession.

An RSA or DSA key does not meet those criteria because it can be copied without
your knowledge and without removing the key from your possession.

> Btw, you should not be using RSA anymore and a 1024 bit RSA key does not in
> fact have a strength equal to 1024 bits entropy. It was considered equal to
> about 128 bit of entropy, but is believed to be weaker now. I am using ECC
> ecdsa-sha2-nistp521 which is equal to about 256 bits. Although some people
> with tin foil hats believe we should stay away from NIST altogether. Unless
> someone breaks the crypto, you are NOT going to brute force that key.

I think you’re the first person to bring up 1024 RSA keys here. I only said
private keys. A very large fraction of SSH users are still using 1024 bit DSA
keys in the real world. I am still using 2048 bit DSA keys. ECC would be better.

I also didn’t say that a 1024 bit key had 1024 bits of entropy. I said that a
1024 bit key and a 256-character pass phrase have about the same entropy. There
are about 128 bits of entropy in a good 256 character pass phrase. There are
about 128 bits of entropy in a 1024 bit DSA key.

> Yes I get your argument, you are saying break the key and you won't need
> the password, but a) you can't actually break the key before the universe
> ends, b) it is still two factor, just a extremely tiny in the academic

If you have enough cheap GPUs, you can actually break a 1024 bit key
well before the universe ends. In fact, you can probably break it before
the end of 2016 if you’re willing to put about $30k into the process.

> sense little bit weaker two factor. All crypto based two factor systems

No, it’s not a second factor. See above… It’s two things you know and not
something you have and something you know as you have claimed.

Calling a private key something you have instead of something you know
is the same kind of 

Re: Broadband Router Comparisons

2015-12-27 Thread Michael Thomas



On 12/26/2015 11:37 PM, Mikael Abrahamsson wrote:
> Providing security updates is just a cost, there is no upside, because
> these boxes sit in a closet, unloved until they stop working, and
> they're thrown out and replaced by a new unloved box that goes into
> the closet until it stops working again.


IMO, this is the real problem, but there's a real opportunity. Routers are for
most people the only things which:

1) are always on
2) have internet connectivity

Which is pretty cool if you need something that is, oh say, a central
controller for your home. Put a headless Android in it, allow 3rd party apps,
water the lawn with it. Love ensues.

This is, I imagine, why Google bought Nest: they want to be that home central
controller. The home router is more ubiquitous though, IMHO.

Mike


Re: de-peering for security sake

2015-12-27 Thread Valdis . Kletnieks
On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:

> SSH password + key file is accepted as two factor by PCI DSS auditors, so
> yes it is in fact two factor.

They also accept NAT as "security".  If anything, PCI DSS is yet another example
of a money grab masquerading as security theater (not even real security).
I remember seeing a story a while ago that stated that of companies hit
by a data breach on a system that was inside their PCI scope, something
insane like 98% or 99% were in 100% full PCI compliance at the time of
the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
are missing a lot of really crucial things for real security.  (And let's
not forget the competence level of the average PCI auditor, as the ones
I've encountered have all been very nice people, but more suited to checking
boxes based on buzzwords than actual in-depth security analysis).

So excuse me for not taking "is accepted by PCI auditors" as grounds for
a claim of strong actual security.




Re: de-peering for security sake

2015-12-27 Thread Mike Hale
"done right the cost shouldn't be super much more."
I disagree.  Done wrong, it's not super much more.

Done right, it's massively more.

Like Randy said, compare salaries alone.  A good security employee
will run you, what, 100k or more in the major job markets?  And how
many do you need, full time, to provide acceptable coverage for your
environment?

The costs add up really fast without a corresponding return.



On Sun, Dec 27, 2015 at 12:27 PM, Christopher Morrow
 wrote:
> On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale  wrote:
>> "really isn't a whole lot different from 'lock your damned doors and
>> windows' brick/mortar security."
>>
>> Except it's *massively* more expensive.
>>
>
> is it? how much does a datacenter pay for people + locks + card-key +
> pin-pad + ...
>
> vs
>
>  the requisite bits for security their customer portal/backoffice/etc ?
>
> done right the cost shouldn't be super much more.
>
> -chris
>
>> On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow
>>  wrote:
>>> On Sun, Dec 27, 2015 at 1:59 PM,   wrote:
>>>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>>>
>>>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>>>> yes it is in fact two factor.
>>>>
>>>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>>>> of a money grab masquerading as security theater (not even real security).
>>>
>>> is it that? or is it that once you click the checkboxes on /pci audit/
>>> 'no one' ever does the daily due-diligence required to keep their
>>> security processes updated/running/current/etc ?
>>>
>>> I'm not a fan of the compliance regimes, but their goal (in a utopian
>>> world where corporations are not people and such) is the equivalent of
>>> the little posterboard person 42" tall before the roller-coaster
>>> rides, right?
>>>
>>> "You really, REALLY should have at least these protections/systems/etc
>>> in place before you attempt to process credit-card transactions..."
>>>
>>> In the utopian world this list would be sane, useful and would include
>>> daily/etc processes to monitor the security controls for issues... I
>>> don't think there's a process bit in PCI about: "And joey the firewall
>>> admin looks at his logs daily/hourly/everly for evidence of
>>> compromise" (and yes, ideally there's some adaptive/learning/AI-like
>>> system that does the 'joey the firewall admin' step... but let's walk
>>> before running, eh?)
>>>
>>> so, it's not really a mystery why failures like this happen.
>>>
>>>> I remember seeing a story a while ago that stated that of companies hit
>>>> by a data breach on a system that was inside their PCI scope, something
>>>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>>>> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
>>>> are missing a lot of really crucial things for real security.  (And let's
>>>> not forget the competence level of the average PCI auditor, as the ones
>>>> I've encountered have all been very nice people, but more suited to checking
>>>> boxes based on buzzwords than actual in-depth security analysis).
>>>
>>> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
>>> guilty of this i'm sure as well, but really ... if you put systems on
>>> the tubes and you don't take the same care you would for your
>>> brick/mortar places ... you're gonna have a bad day. 'cyber security'
>>> really isn't a whole lot different from 'lock your damned doors and
>>> windows' brick/mortar security.
>>>
>>>> So excuse me for not taking "is accepted by PCI auditors" as grounds for
>>>> a claim of strong actual security.
>>
>>
>>
>> --
>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


Re: Broadband Router Comparisons

2015-12-27 Thread Stephen Satchell

On 12/26/2015 11:37 PM, Mikael Abrahamsson wrote:

> If someone like Consumer Reports or similar agency started testing and
> rating devices on these things like long-time support, automatic
> updates, software quality etc, and not just testing wifi speed as a
> factor of distance, we might get somewhere.


Just how would a reviewer rate "long-time support" and "software 
quality"?  As for "automatic updates", that's at the whim of the 
manufacturer down the road, so any evaluation of updates would be dated 
the second it's printed.


Testing WiFi speed as a factor of distance is a repeatable test, so that 
the chance of a lawsuit over the result is slimmer.


Consumer Reports, for example, sends out a survey to its readers to
collect information on long-term ownership experience of cars.  It's a
large enough investment that people are willing to fill out the survey.
Not so broadband routers.


Re: de-peering for security sake

2015-12-27 Thread Christopher Morrow
On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale  wrote:
> "really isn't a whole lot different from 'lock your damned doors and
> windows' brick/mortar security."
>
> Except it's *massively* more expensive.
>

is it? how much does a datacenter pay for people + locks + card-key +
pin-pad + ...

vs

 the requisite bits for security their customer portal/backoffice/etc ?

done right the cost shouldn't be super much more.

-chris

> On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow
>  wrote:
>> On Sun, Dec 27, 2015 at 1:59 PM,   wrote:
>>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>>
>>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>>> yes it is in fact two factor.
>>>
>>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>>> of a money grab masquerading as security theater (not even real security).
>>
>> is it that? or is it that once you click the checkboxes on /pci audit/
>> 'no one' ever does the daily due-diligence required to keep their
>> security processes updated/running/current/etc ?
>>
>> I'm not a fan of the compliance regimes, but their goal (in a utopian
>> world where corporations are not people and such) is the equivalent of
>> the little posterboard person 42" tall before the roller-coaster
>> rides, right?
>>
>> "You really, REALLY should have at least these protections/systems/etc
>> in place before you attempt to process credit-card transactions..."
>>
>> In the utopian world this list would be sane, useful and would include
>> daily/etc processes to monitor the security controls for issues... I
>> don't think there's a process bit in PCI about: "And joey the firewall
>> admin looks at his logs daily/hourly/everly for evidence of
>> compromise" (and yes, ideally there's some adaptive/learning/AI-like
>> system that does the 'joey the firewall admin' step... but let's walk
>> before running, eh?)
>>
>> so, it's not really a mystery why failures like this happen.
>>
>>> I remember seeing a story a while ago that stated that of companies hit
>>> by a data breach on a system that was inside their PCI scope, something
>>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>>> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
>>> are missing a lot of really crucial things for real security.  (And let's
>>> not forget the competence level of the average PCI auditor, as the ones
>>> I've encountered have all been very nice people, but more suited to checking
>>> boxes based on buzzwords than actual in-depth security analysis).
>>
>> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
>> guilty of this i'm sure as well, but really ... if you put systems on
>> the tubes and you don't take the same care you would for your
>> brick/mortar places ... you're gonna have a bad day. 'cyber security'
>> really isn't a whole lot different from 'lock your damned doors and
>> windows' brick/mortar security.
>>
>>> So excuse me for not taking "is accepted by PCI auditors" as grounds for
>>> a claim of strong actual security.
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


Re: Broadband Router Comparisons

2015-12-27 Thread Hugo Slabbert


 From: Michael Thomas  -- Sent: 2015-12-27 - 08:49 

>
>
> On 12/26/2015 11:37 PM, Mikael Abrahamsson wrote:
>> Providing security updates is just a cost, there is no upside, because
>> these boxes sit in a closet, unloved until they stop working, and
>> they're thrown out and replaced by a new unloved box that goes into
>> the closet until it stops working again.
>
> IMO, this is the real problem, but there's a real opportunity. Routers
> are for most
> people the only things which:
>
> 1) are always on
> 2) have internet connectivity
>
> Which is pretty cool if you need something that is, oh say, a central
> controller
> for your home. Put a headless Android in it, allow 3rd party apps, water the
> lawn with it. Love ensues.
>
> This is, I imagine, why Google bought Nest: they want to be that home
> central
> controller. The home router is more ubiquitous though, IMHO.

Hence: https://on.google.com/hub/

> Mike
>

--
Hugo
h...@slabnet.com: email, xmpp/jabber
also on Signal





Re: de-peering for security sake

2015-12-27 Thread Randy Bush
> 'cyber security' really isn't a whole lot different from 'lock your
> damned doors and windows' brick/mortar security.

hellofalot more holes to cover.  and the salaries of the guards are a
bit higher for the net; so more incentive for pointy heads to skimp.

randy


Re: de-peering for security sake

2015-12-27 Thread Owen DeLong

> On Dec 27, 2015, at 11:26 , Christopher Morrow  
> wrote:
> 
> On Sun, Dec 27, 2015 at 1:59 PM,   wrote:
>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>> 
>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>> yes it is in fact two factor.
>> 
>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>> of a money grab masquerading as security theater (not even real security).
> 
> is it that? or is it that once you click the checkboxes on /pci audit/
> 'no one' ever does the daily due-diligence required to keep their
> security processes updated/running/current/etc ?

You ask this as if those two were mutually exclusive. They are not. I believe
that both are actually true. The PCI-DSS checklist can be completed without
relatively weak security and involves a lot of theatrical requirements that have
nothing to do with actual security.

Beyond that, yes, most organizations survive the audit and then go back to
ignore it until time for the next audit mode.

> I'm not a fan of the compliance regimes, but their goal (in a utopian
> world where corporations are not people and such) is the equivalent of
> the little posterboard person 42" tall before the roller-coaster
> rides, right?
> 
> "You really, REALLY should have at least these protections/systems/etc
> in place before you attempt to process credit-card transactions…"

Right. And that’s a decent goal. Unfortunately, if you read the actual document,
the standards require lots of things that don’t actually improve (and in some
cases can actually degrade) security, such as NAT.

> In the utopian world this list would be sane, useful and would include
> daily/etc processes to monitor the security controls for issues... I
> don't think there's a process bit in PCI about: "And joey the firewall
> admin looks at his logs daily/hourly/everly for evidence of
> compromise" (and yes, ideally there's some adaptive/learning/AI-like
> system that does the 'joey the firewall admin' step... but let's walk
> before running, eh?)

Yeah, it doesn’t actually require anyone or anything to ever really look at
logs at all.

> so, it's not really a mystery why failures like this happen.

This is a bit of a tangent, really. The discussion was about authentication
factor counts and Baldur tried to use PCI-DSS acceptance of password-encrypted
private key authentication as two-factor to bolster his claim that it was, in
fact, two-factor, when it clearly isn’t actually two-factor as has been stated
previously.

The comments about PCI-DSS being a non-credible standard were primarily
an additional note that his argument was built on thin air.

>> I remember seeing a story a while ago that stated that of companies hit
>> by a data breach on a system that was inside their PCI scope, something
>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
>> are missing a lot of really crucial things for real security.  (And let's
>> not forget the competence level of the average PCI auditor, as the ones
>> I've encountered have all been very nice people, but more suited to checking
>> boxes based on buzzwords than actual in-depth security analysis).
> 
> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
> guilty of this i'm sure as well, but really ... if you put systems on
> the tubes and you don't take the same care you would for your
> brick/mortar places ... you're gonna have a bad day. 'cyber security'
> really isn't a whole lot different from 'lock your damned doors and
> windows' brick/mortar security.

Conceptually, sure. However, in actual implementation, there’s a plethora of
decent locksmiths and reasonably good security contractors out there to provide
good solutions for physical security.

In the cyber security world, the waters are a lot murkier. There are no good
standards to allow a lay person to identify a good capable contractor vs. a
charlatan with a flashy web site. Most of the widely known standards are
crap. I’ve met some really good CISSPs in my day, but I’ve also met a number
of people touting their CISSP certification who don’t realize that NAT is
actually detrimental to security and a few who even claimed that NAT was good.

Several couldn’t even get the concept of separating NAT from stateful inspection
after repeated attempts to explain it to them in kindergarten terms.

Cyber security is a lot harder to understand well and quite a bit more
complicated than physical security.

Owen




Re: de-peering for security sake

2015-12-27 Thread Christopher Morrow
On Sun, Dec 27, 2015 at 3:32 PM, Mike Hale  wrote:
> "done right the cost shouldn't be super much more."
> I disagree.  Done wrong, it's not super much more.
>
> Done right, it's massively more.

please cite useful numbers... It's not (I think) really all that much
more. Sure it's a new expense (not really, since ... you've always had
security costs) but it's not 'massive'.

> Like Randy said, compare salaries alone.  A good security employee
> will run you, what, 100k or more in the major job markets?  And how
> many do you need, full time, to provide acceptable coverage for your
> environment?
>

ideally you need 2-3 people (for a larger operation, less for small
shops) with a bunch of automation to help things run along. Ideally
your 2-3 experts aren't responding to the pager, almost all of that is
offloaded to your noc/etc staff in a manner that they can actually
deal with problems NOT as pager-spam which gets turned off. 'high
quality alerts' with actionable playbooks.

it'd be great if more of this was COTS-able for the smaller shops... I
bet a bunch of it IS, though the parts aren't quite in place today :(
which is sad.

> The costs add up really fast without a corresponding return.

the return is not having to fend off the WSJ reporters of the world,
and consequent lawsuits from your customers, subscribers, partners,
etc...

-chris

> On Sun, Dec 27, 2015 at 12:27 PM, Christopher Morrow
>  wrote:
>> On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale  wrote:
>>> "really isn't a whole lot different from 'lock your damned doors and
>>> windows' brick/mortar security."
>>>
>>> Except it's *massively* more expensive.
>>>
>>
>> is it? how much does a datacenter pay for people + locks + card-key +
>> pin-pad + ...
>>
>> vs
>>
>>  the requisite bits for security their customer portal/backoffice/etc ?
>>
>> done right the cost shouldn't be super much more.
>>
>> -chris
>>
>>> On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow
>>>  wrote:
>>>> On Sun, Dec 27, 2015 at 1:59 PM,   wrote:
>>>>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>>>>
>>>>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>>>>> yes it is in fact two factor.
>>>>>
>>>>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>>>>> of a money grab masquerading as security theater (not even real security).
>>>>
>>>> is it that? or is it that once you click the checkboxes on /pci audit/
>>>> 'no one' ever does the daily due-diligence required to keep their
>>>> security processes updated/running/current/etc ?
>>>>
>>>> I'm not a fan of the compliance regimes, but their goal (in a utopian
>>>> world where corporations are not people and such) is the equivalent of
>>>> the little posterboard person 42" tall before the roller-coaster
>>>> rides, right?
>>>>
>>>> "You really, REALLY should have at least these protections/systems/etc
>>>> in place before you attempt to process credit-card transactions..."
>>>>
>>>> In the utopian world this list would be sane, useful and would include
>>>> daily/etc processes to monitor the security controls for issues... I
>>>> don't think there's a process bit in PCI about: "And joey the firewall
>>>> admin looks at his logs daily/hourly/everly for evidence of
>>>> compromise" (and yes, ideally there's some adaptive/learning/AI-like
>>>> system that does the 'joey the firewall admin' step... but let's walk
>>>> before running, eh?)
>>>>
>>>> so, it's not really a mystery why failures like this happen.
>>>>
>>>>> I remember seeing a story a while ago that stated that of companies hit
>>>>> by a data breach on a system that was inside their PCI scope, something
>>>>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>>>>> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
>>>>> are missing a lot of really crucial things for real security.  (And let's
>>>>> not forget the competence level of the average PCI auditor, as the ones
>>>>> I've encountered have all been very nice people, but more suited to checking
>>>>> boxes based on buzzwords than actual in-depth security analysis).
>>>>
>>>> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
>>>> guilty of this i'm sure as well, but really ... if you put systems on
>>>> the tubes and you don't take the same care you would for your
>>>> brick/mortar places ... you're gonna have a bad day. 'cyber security'
>>>> really isn't a whole lot different from 'lock your damned doors and
>>>> windows' brick/mortar security.
>>>>
>>>>> So excuse me for not taking "is accepted by PCI auditors" as grounds for
>>>>> a claim of strong actual security.
>>>
>>>
>>>
>>> --
>>> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
>
>
>
> --
> 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


Re: de-peering for security sake

2015-12-27 Thread Christopher Morrow
On Sun, Dec 27, 2015 at 1:59 PM,   wrote:
> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>
>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>> yes it is in fact two factor.
>
> They also accept NAT as "security".  If anything, PCI DSS is yet another example
> of a money grab masquerading as security theater (not even real security).

is it that? or is it that once you click the checkboxes on /pci audit/
'no one' ever does the daily due-diligence required to keep their
security processes updated/running/current/etc ?

I'm not a fan of the compliance regimes, but their goal (in a utopian
world where corporations are not people and such) is the equivalent of
the little posterboard person 42" tall before the roller-coaster
rides, right?

"You really, REALLY should have at least these protections/systems/etc
in place before you attempt to process credit-card transactions..."

In the utopian world this list would be sane, useful and would include
daily/etc processes to monitor the security controls for issues... I
don't think there's a process bit in PCI about: "And joey the firewall
admin looks at his logs daily/hourly/everly for evidence of
compromise" (and yes, ideally there's some adaptive/learning/AI-like
system that does the 'joey the firewall admin' step... but let's walk
before running, eh?)

so, it's not really a mystery why failures like this happen.

> I remember seeing a story a while ago that stated that of companies hit
> by a data breach on a system that was inside their PCI scope, something
> insane like 98% or 99% were in 100% full PCI compliance at the time of
> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
> are missing a lot of really crucial things for real security.  (And let's
> not forget the competence level of the average PCI auditor, as the ones
> I've encountered have all been very nice people, but more suited to checking
> boxes based on buzzwords than actual in-depth security analysis).

people toss pci/sox/etc auditors under the bus 'all the time', and i'm
guilty of this i'm sure as well, but really ... if you put systems on
the tubes and you don't take the same care you would for your
brick/mortar places ... you're gonna have a bad day. 'cyber security'
really isn't a whole lot different from 'lock your damned doors and
windows' brick/mortar security.

> So excuse me for not taking "is accepted by PCI auditors" as grounds for
> a claim of strong actual security.


Re: de-peering for security sake

2015-12-27 Thread Randy Bush
> The costs add up really fast without a corresponding return.

i think there is a corresponding return, just not one that is perceived
by the pointy heads.  yet.  but that is changing as more and more get
pwned and the public and legal costs become greater and more apparent.
patience.

randy


Re: de-peering for security sake

2015-12-27 Thread Mike Hale
"please cite useful numbers"

For what?  IDS?  SIEM?  Log aggregation in general?  For companies
that have none of that, spinning up the best practice systems can
easily cost half a mil a year (QRadar is 200k for our sized
environment; a good netflow system is like 50 [100k+ for something
like Lancope], one FTE to support and manage this as an additional
workload on server and network guys in dealing with issues these tools
find).  And that's just the tip of the iceberg.  An additional 500k a
year is tough to justify (and costs way, way more than simply locking
the doors or hiring a team of security guards at 10 an hour).
Simplistic, of course, but one example of the cost difference.

"Sure it's a new expense (not really, since ... you've always had
security costs) but it's not 'massive'."

Depends on the organization.  For those who don't have a
security-specific team, it is new spend.

"ideally you need 2-3 people (for a larger operation, less for small
shops) with a bunch of automation to help things run along."

Absolutely agree.  So we're looking at 200-300k just in pure salary
cost, plus what, 40% extra for various benefits?

That automation piece too is incredibly pricey (either in time and
labor of software).

"though the parts aren't quite in place today :(
which is sad."

One hundred percent in agreement.  This is much, much harder for the
smaller organizations to take.  I wish there were services that made
this way easier.  I think this is where small system integrators could
partner with security services that provide tier one security response
(something like arctic wolf) and provide that needed coverage...but
that's not inexpensive either (though way cheaper than hiring your own
security dudes).

"the return is not having to fend off the WSJ reporters of the world,
and consequent lawsuits from your customers, subscribers, partners,
etc..."

True.  But how do you put that in money terms?

Obviously, I think the spend is absolutely important, and it's
something that is vitally important to the business.  But I've found
it very challenging in making that case in a way that works, precisely
because of that increased amount of spending.

"but that is changing as more and more get
pwned and the public and legal costs become greater and more apparent.
patience."

It is.  Sony and Target were really useful in that regard.

On Sun, Dec 27, 2015 at 12:51 PM, Christopher Morrow wrote:
> On Sun, Dec 27, 2015 at 3:32 PM, Mike Hale  wrote:
>> "done right the cost shouldn't be super much more."
>> I disagree.  Done wrong, it's not super much more.
>>
>> Done right, it's massively more.
>
> please cite useful numbers... It's not (I think) really all that much
> more. Sure it's a new expense (not really, since ... you've always had
> security costs) but it's not 'massive'.
>
>> Like Randy said, compare salaries alone.  A good security employee
>> will run you, what, 100k or more in the major job markets?  And how
>> many do you need, full time, to provide acceptable coverage for your
>> environment?
>>
>
> ideally you need 2-3 people (for a larger operation, less for small
> shops) with a bunch of automation to help things run along. Ideally
> your 2-3 experts aren't responding to the pager, almost all of that is
> offloaded to your noc/etc staff in a manner that they can actually
> deal with problems NOT as pager-spam which gets turned off. 'high
> quality alerts' with actionable playbooks.
>
> it'd be great if more of this was COTS-able for the smaller shops... I
> bet a bunch of it IS, though the parts aren't quite in place today :(
> which is sad.
>
>> The costs add up really fast without a corresponding return.
>
> the return is not having to fend off the WSJ reporters of the world,
> and consequent lawsuits from your customers, subscribers, partners,
> etc...
>
> -chris
>
>> On Sun, Dec 27, 2015 at 12:27 PM, Christopher Morrow wrote:
>>> On Sun, Dec 27, 2015 at 2:49 PM, Mike Hale wrote:
>>>> "really isn't a whole lot different from 'lock your damned doors and
>>>> windows' brick/mortar security."
>>>>
>>>> Except it's *massively* more expensive.
>>>>
>>>
>>> is it? how much does a datacenter pay for people + locks + card-key +
>>> pin-pad + ...
>>>
>>> vs
>>>
>>>  the requisite bits for security their customer portal/backoffice/etc ?
>>>
>>> done right the cost shouldn't be super much more.
>>>
>>> -chris
>>>
>>>> On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow wrote:
>>>>> On Sun, Dec 27, 2015 at 1:59 PM,  wrote:
>>>>>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>>>>>
>>>>>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>>>>>> yes it is in fact two factor.
>>>>>>
>>>>>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>>>>>> of a

Re: Broadband Router Comparisons

2015-12-27 Thread Michael Thomas
Nice, but I want my router to have an Android environment itself, not
just to be controlled by my phone (which I want as well, of course).

The proximity sensor for app developers would be fun to play with, for example.


Mike

On 12/27/2015 09:43 AM, Hugo Slabbert wrote:


 From: Michael Thomas  -- Sent: 2015-12-27 - 08:49 



On 12/26/2015 11:37 PM, Mikael Abrahamsson wrote:

Providing security updates is just a cost, there is no upside, because
these boxes sit in a closet, unloved until they stop working, and
they're thrown out and replaced by a new unloved box that goes into
the closet until it stops working again.

IMO, this is the real problem, but there's a real opportunity. Routers
are for most people the only things which:

1) are always on
2) have internet connectivity

Which is pretty cool if you need something that is, oh say, a central
controller for your home. Put a headless Android in it, allow 3rd party
apps, water the lawn with it. Love ensues.

This is, I imagine, why Google bought Nest: they want to be that home
central controller. The home router is more ubiquitous though, IMHO.

Hence: https://on.google.com/hub/


Mike


--
Hugo
h...@slabnet.com: email, xmpp/jabber
also on Signal





Re: IPv4 shutdown in mobile

2015-12-27 Thread Scott Weeks

---
> North America is by far the leader in number of IPv6 enabled customers

On the top ten country list, I see

 6 European countries (Belgium, Germany, Luxembourg, Estonia, France, Norway)
 1 African country (Liberia)
 1 North American country (USA)
 1 Oceanian country (Kiribati)
 1 Asian country (Malaysia)


Not a good comparison.  Christian (the Kiribati guy) has a very 
different set of circumstances than, say, EU or NA folks.

https://en.wikipedia.org/wiki/Kiribati

"The nation comprises 33 atolls and reef islands and one raised coral 
island; Banaba. They have a total land area of 800 square kilometres 
(310 sq mi)[13] and are dispersed over 3.5 million square kilometres 
(1,351,000 square miles). Their spread straddles the equator and the 
International Date Line, although the Date Line is indented to bring 
the Line Islands in the same day as the Kiribati Islands. The 
permanent population is just over 100,000 (2011), half of whom live 
on Tarawa Atoll."

scott


Re: IPv4 shutdown in mobile

2015-12-27 Thread Bjørn Mork
Mikael Abrahamsson  writes:

> North America is by far the leader in number of IPv6 enabled customers
> which
>
> https://www.stateoftheinternet.com/trends-visualizations-ipv6-adoption-ipv4-exhaustion-global-heat-map-network-country-growth-data.html#networks
>
> shows.

On the top ten country list, I see

 6 European countries (Belgium, Germany, Luxembourg, Estonia, France, Norway)
 1 African country (Liberia)
 1 North American country (USA)
 1 Oceanian country (Kiribati)
 1 Asian country (Malaysia)

Looks like Europe is way ahead to me :)


Bjørn


Re: de-peering for security sake

2015-12-27 Thread Mike Hale
"really isn't a whole lot different from 'lock your damned doors and
windows' brick/mortar security."

Except it's *massively* more expensive.

On Sun, Dec 27, 2015 at 11:26 AM, Christopher Morrow
 wrote:
> On Sun, Dec 27, 2015 at 1:59 PM,   wrote:
>> On Sun, 27 Dec 2015 05:35:19 +0100, Baldur Norddahl said:
>>
>>> SSH password + key file is accepted as two factor by PCI DSS auditors, so
>>> yes it is in fact two factor.
>>
>> They also accept NAT as "security".  If anything, PCI DSS is yet another example
>> of a money grab masquerading as security theater (not even real security).
>
> is it that? or is it that once you click the checkboxes on /pci audit/
> 'no one' ever does the daily due-diligence required to keep their
> security processes updated/running/current/etc ?
>
> I'm not a fan of the compliance regimes, but their goal (in a utopian
> world where corporations are not people and such) is the equivalent of
> the little posterboard person 42" tall before the roller-coaster
> rides, right?
>
> "You really, REALLY should have at least these protections/systems/etc
> in place before you attempt to process credit-card transactions..."
>
> In the utopian world this list would be sane, useful and would include
> daily/etc processes to monitor the security controls for issues... I
> don't think there's a process bit in PCI about: "And joey the firewall
> admin looks at his logs daily/hourly/everly for evidence of
> compromise" (and yes, ideally there's some adaptive/learning/AI-like
> system that does the 'joey the firewall admin' step... but let's walk
> before running, eh?)
>
> so, it's not really a mystery why failures like this happen.
>
>> I remember seeing a story a while ago that stated that of companies hit
>> by a data breach on a system that was inside their PCI scope, something
>> insane like 98% or 99% were in 100% full PCI compliance at the time of
>> the breach.  The only conclusion to be drawn is that the PCI set of checkboxes
>> are missing a lot of really crucial things for real security.  (And let's
>> not forget the competence level of the average PCI auditor, as the ones
>> I've encountered have all been very nice people, but more suited to checking
>> boxes based on buzzwords than actual in-depth security analysis).
>
> people toss pci/sox/etc auditors under the bus 'all the time', and i'm
> guilty of this i'm sure as well, but really ... if you put systems on
> the tubes and you don't take the same care you would for your
> brick/mortar places ... you're gonna have a bad day. 'cyber security'
> really isn't a whole lot different from 'lock your damned doors and
> windows' brick/mortar security.
>
>> So excuse me for not taking "is accepted by PCI auditors" as grounds for
>> a claim of strong actual security.



-- 
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0


Re: Broadband Router Comparisons

2015-12-27 Thread Larry Sheldon

On 12/27/2015 19:56, Mike wrote:


On 12/27/15, 4:57 PM, Larry Sheldon wrote:

On 12/26/2015 23:49, Mike wrote:

[snip]


Firstly, they are all junk. Every last one of them. Period. Broadband
routers are designed to be cheap and to appeal to people who don't know
any better, and who respond well (eg: make purchasing decisions) based
on the shape of the plastic, the color scheme employed, and number of
mysterious blinking lights that convey 'something important is
happening'. Further, the price point is $45 - $70 thereabouts, putting
some definite constraints on the actual quality of the engineering and
components that go into them. I feel that we, the service provider,
endure a significantly high and undue burden of cost associated with
providing ongoing support to customers as a result of the defects
contained therein.


Why don't you offer an acceptable (to you) device at a price
acceptable to me as a part of the service.  I'd buy it.



NO SUCH DEVICE EXISTS, because you can't afford it. If I were to take
you seriously however - and we're talking about eliminating all excuses
and simply getting down to it and making a marginally qualified showing
at expecting uninterrupted service - the entire environment is what has
to be solved. The device would be cisco or juniper branded, internal
redundancy / failover features to allow hitless upgrades or module
failures, have dual (preferably, triple) power supplies, would be
required to be housed in a locked enclosure with air conditioning and
online double conversion battery with the addition of an external backup
generator with its own separate backup fuel supply, which is further
tested weekly and maintained with inspections and oil changes. The router
would be under service contract with the manufacturer, would be
monitored by my noc, and would receive appropriate software upgrades as
required, and you would pay for this monthly in addition to your
internet service. Furthermore, you also would be required to have at
least two distinct connections to me and make a deposit to provide
credit in the event you falsely claim 'trouble' where no trouble exists.
A separate 'test pc', also in its own enclosure and normally off limits
to you, and connected to said router and backup power and such, would be
agreed upon as the test fixture that we would monitor TO. It would
display current network statistics including packet loss and latencies
to various on and off-net locations, with current time and date logging
on screen. You would agree that you are to blame each and every time you
'can't get on', while the test pc clearly shows on its local screen to
you otherwise. You would be required to forfeit a portion of your
deposit each time you called for technical support and were determined
to be at fault and to blame for your own issue.


I'll accept the challenge and try to be briefer.

If it can't be did at a price I'll accept, then let us stop crying about 
how bad it is.  You don't like it, turn it off.


(For the record, I do not require all of that stuff--if I am "grid off" 
then having a standby power system would be nice to power our CPAPs, but 
commo is going to be down and it might as well be dark and quiet.)


And for the matter of "false" failure reports--there IS a work around 
for you:  From Day ONE, Hour Zero, Minute Zero, Second Zero, supply 
stuff that WORKS the way your sales people said it would.


If you start out peddling crap that does not work, you will establish 
yourself as a peddler of crap and the first place to call.


I used to work for a company that did a pretty good job of doing that so 
when somebody did call they often sounded apologetic and tended to need 
to be convinced that, no this one is ours, but we are on it and we hope 
to be back at  HH:MM.


For people that purchased large quantities of what we sold we provided 
alarm displays or ring downs to tell THEM we broke something.



--
sed quis custodiet ipsos custodes? (Juvenal)


Re: de-peering for security sake

2015-12-27 Thread James Downs

> On Dec 26, 2015, at 12:34, Owen DeLong  wrote:
> 
> Also, note that the only difference between a good long passphrase and a
> private key is, uh, wait, um, come to think of it, really not much.

Are you equating a long PSK with PKE? They’re quite different.

Re: Broadband Router Comparisons

2015-12-27 Thread Larry Sheldon

On 12/26/2015 23:49, Mike wrote:

On 12/23/2015 06:49 PM, Lorell Hathcock wrote:

All:

Not all consumer grade customer premises equipment is created
equally.  But end customers sure think it is.  I have retirement aged
customers buying the crappiest routers and then blaming my cable
network for all their connection woes.  The real problem is that there
were plenty of problems on the cable network to deal with, so it was
impossible to tell between a problem that a customer was having with
their CPE versus a real problem in my network.


OK, I have resisted, but now I must ask.

I am coming up on 77 YOA, been un-employed for a long time, have a tiny 
toy network that supports a couple of lap-tops, a couple of desk-tops, a 
couple of net-work-connected printers, and a melange of 
visitor-transported "personal devices" NOS--the latter group, the two 
lap-tops, one of the printers, and one of the desk-tops supported by 3 
wiffy radios (one radio is a port of the "routher").


My network sees the world via a cable-company provided MODEM (which 
also supports the telephone service in the house) and a WRT54GL 
"router", which I guess is what y'all are talking about (although it 
looks to me more like a 6-port bridge that can do NAT).


I've had one "router" fail and replaced it.  I have myriad network 
failures that go away if I wait long enough (I have called in a few 
times, mostly to confirm that the cable has gone dark and they know it, 
a couple to have them tell me to reboot everything I rebooted before I 
called them).  In some of those incidents the "trouble came clear while 
testing", the rest "came clear while waiting for the repair man to get 
here".


Just what is it that I should be doing better?  And where is this better 
equipment available?


[tl;dr;wrn]

--
sed quis custodiet ipsos custodes? (Juvenal)


Re: Broadband Router Comparisons

2015-12-27 Thread Hugo Slabbert

On Sun 2015-Dec-27 09:58:50 -0800, Michael Thomas  wrote:

Nice, but I want my router to have an Android environment itself, not
just to be controlled by my phone (which I want as well, of course).


Sure.  My message was strictly in response to:


This is, I imagine, why Google bought Nest: they want to be that home
central controller. The home router is more ubiquitous though, IMHO.


...and not specifically about:


Which is pretty cool if you need something that is, oh say, a central
controller for your home. Put a headless Android in it, allow 3rd party 
apps, water the lawn with it. Love ensues.


--
Hugo

h...@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E

(also on textsecure & redphone)





Re: Broadband Router Comparisons

2015-12-27 Thread John Levine
>> Based over what has been leaked, announced, or passed as pork barrel since
>> 9/11, its probably time a tin foil hat factory was created to speed up the
>> issuance of said hats.
>
>https://www.kickstarter.com/projects/shieldapparel/shield-the-world-s-first-signal-proof-headwear

No need to wait, order now:

https://www.etsy.com/listing/55473505/knit-tinfoil-hat-made-to-order

R's,
John


RE: Broadband Router Comparisons

2015-12-27 Thread Keith Medcalf

On Sunday, 27 December, 2015 17:58, Larry Sheldon  said:
> On 12/26/2015 23:49, Mike wrote:
>
> [snip]
>
> > Firstly, they are all junk. Every last one of them. Period. Broadband
> > routers are designed to be cheap and to appeal to people who don't know
> > any better, and who respond well (eg: make purchasing decisions) based
> > on the shape of the plastic, the color scheme employed, and number of
> > mysterious blinking lights that convey 'something important is
> > happening'. Further, the price point is $45 - $70 thereabouts, putting
> > some definite constraints on the actual quality of the engineering and
> > components that go into them. I feel that we, the service provider,
> > endure a significantly high and undue burden of cost associated with
> > providing ongoing support to customers as a result of the defects
> > contained therein.

> Why don't you offer an acceptable (to you) device at a price acceptable
> to me as a part of the service.  I'd buy it.

Cable Companies / Telco's cannot do that.
If you bought the device you would want control of it.  (PWC do not permit 
foreign controlled devices on their networks)
This is antithetical to their (CableCo/TelCo) business model.

This is why most PWC (People With Clue) have the CableCo/TelCo configure their 
crap as a pure bridge with all other features disabled and use their own 
equipment.  The local lan port on the bridge is the Demarc.

If there is "no transport" at the demarc port, the problem lies with the 
CableCo/TelCo.  If there is, the problem is your own equipment.

Telling where the problem lies is trivial.






Re: Broadband Router Comparisons

2015-12-27 Thread James Downs

> On Dec 27, 2015, at 20:00, Keith Medcalf  wrote:

> They end up with ALL the data they can capture; they have COMPLETE management 
> control; and, can execute whatever code they want, without your prior 
> approval or choice, on the device at any time they please, including 
> permanent changes in the software and configuration.

That’s what I assume as well. This makes it, and the nest, and any related 
devices unwelcome.

Re: Broadband Router Comparisons

2015-12-27 Thread Josh Reynolds
Based over what has been leaked, announced, or passed as pork barrel since
9/11, its probably time a tin foil hat factory was created to speed up the
issuance of said hats.
On Dec 27, 2015 10:10 PM, "Hugo Slabbert"  wrote:

> On Sun 2015-Dec-27 20:58:18 -0600, Josh Reynolds wrote:
>
>> And now that the new bill has passed, they (along with many others) will be
>> "mishandling" your data often and legally with 3 letter agencies and other
>> corporations. :(
>> On Dec 27, 2015 8:48 PM, "James Downs" wrote:
>>
>>> > On Dec 27, 2015, at 09:43, Hugo Slabbert wrote:
>>>
>>> > Hence: https://on.google.com/hub/
>>>
>>> The device looks cool, and sounds cool, but what data does google end up
>>> with, and what remote management can they do? Their policy pages aren’t
>>> exactly clear, and they’ve mishandled personal data a number of times
>>> previously.
>>>
>
> Probably wise to keep the tinfoil hat within arm's reach, I think.  My
> ref was strictly "yep, they appear to be making a play at the home
> controller market via a broadband router trojan horse" and not in any way
> an endorsement or comment on the merits of the device.
>
> --
> Hugo
>
> h...@slabnet.com: email, xmpp/jabber
> PGP fingerprint (B178313E):
> CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E
>
> (also on textsecure & redphone)
>


Re: Broadband Router Comparisons

2015-12-27 Thread Larry Sheldon

On 12/27/2015 02:19, valdis.kletni...@vt.edu wrote:

On Sun, 27 Dec 2015 08:37:25 +0100, Mikael Abrahamsson said:

If someone like Consumer Reports or similar agency started testing and
rating devices on these things like long-time support, automatic updates,
software quality etc, and not just testing wifi speed as a factor of
distance, we might get somewhere.


As finally we come full circle to the original question "who, if anybody,
has a list of which things are crap and which aren't" :)


Indeed.  Interesting how often that has happened here over the years.

Sometimes it seems more like one of those "counseling" cartoons with 
everybody sitting in a circle learning new words for their problem 
description.



--
sed quis custodiet ipsos custodes? (Juvenal)


Re: Broadband Router Comparisons

2015-12-27 Thread Valdis . Kletnieks
On Sun, 27 Dec 2015 17:56:02 -0800, Mike said:

> NO SUCH DEVICE EXISTS, because you can't afford it. If I were to take
> you seriously however - and we're talking about eliminating all excuses
> and simply getting down to it and making a marginally qualified showing
> at expecting uninterrupted service - the entire environment is what has
> to be solved.

OK. Now repeat the process, but specify something that isn't enterprise
quality, but *does* let you do basic diagnostics from the help desk or NOC.
Does it answer ping?  What's the signal quality? Does it need a push of
updated firmware?  What traffic load is it seeing?

That should get you 95% of the way there, at only 0.5% of the cost.




Re: Broadband Router Comparisons

2015-12-27 Thread Valdis . Kletnieks
On Sun, 27 Dec 2015 22:12:25 -0600, Josh Reynolds said:
> Based over what has been leaked, announced, or passed as pork barrel since
> 9/11, its probably time a tin foil hat factory was created to speed up the
> issuance of said hats.

https://www.kickstarter.com/projects/shieldapparel/shield-the-world-s-first-signal-proof-headwear




Re: de-peering for security sake

2015-12-27 Thread Owen DeLong

> On Dec 27, 2015, at 14:33 , Baldur Norddahl  wrote:
> 
> 
> 
> On 27 December 2015 at 22:08, Owen DeLong wrote:
>> This is a bit of a tangent, really. The discussion was about authentication factor
>> counts and Baldur tried to use PCI-DSS acceptance of password-encrypted
>> private key authentication as two-factor to bolster his claim that it was, in fact
>> two-factor, when it clearly isn’t actually two-factor as has been stated previously.
> 
> I wanted to stay out of this, but Owen you are full of shit here. I am 
> pointing out that your homemade definition does not match up with what others 
> think two factor means. PCI DSS might be utter crap, but they are still more 
> than "Owen DeLong and his personal opinion”.

Dude… It’s not just my opinion. Virtually every one else who chimed in on the 
thread other than you backed my position on this.

> You are utterly confused about the meaning about two factor. You apparently 
> believe the magic words "two factor" is a statement about the security of a 
> system, while it is in fact just a simple property. A property that even an 
> inherently insecure and weak system can have. 

No, as I pointed out, you can have very weak security with two weak factors.

However, the property two-factor means something and it’s not what you 
apparently think.

> It is not, as you have said, about strengthening the search space of a crypto 
> key (just double the key length if you need that). In fact, many two factor 
> systems do not use crypto keys at all. An example of such a non crypto based 
> system is a credit card with magnetic strip plus pin. The magnetic strip 
> contains just the card number, which can also be read directly from the card 
> and even memorized by the owner.

Actually, the magnetic stripe contains quite a bit more than the card number, 
but that’s another tangent.

I never said you had to have crypto for two-factor, nor did I say that two 
factor magically made things stronger.

> We need two factor because if you have just one factor, say the password, the 
> hacker will simply call the user and ask him to tell the password. And the 
> users will happily oblige. Experience shows this. On the other hand, if you 
> give the users a single factor system with a physical token (a key), that 
> gets stolen, misplaced or "borrowed" far too easily. Therefore industry 
> standard is card + pin to enter a building (=two factor). Secure places 
> require three factor (card + pin + biometric).

Card+pin is an example of two factors… You _HAVE_ the card and you _KNOW_ the 
PIN.

Password-encrypted Key, OTOH, is something you _KNOW_ and something else you 
_KNOW_. It’s not something you _HAVE_ or something you _ARE_.

There are three generally accepted categories of Factors for authentication…

1.  Something you HAVE
2.  Something you KNOW
3.  Something you ARE

In order to qualify as 2-factor, a system must require something from two of 
the categories. Two things from the same category do not qualify.

> SSH keys are two factor because people do not in general memorize the key 
> file. Because they do not, you can not gain access to the system with only 
> what you know (=in your mind). Unless the user violated protocols and changed 
> the passphrase to null, you can not gain access just by possession of the key 
> file. That is all that is required to name it two factor. That Owen DeLong 
> believes the system stinks does not change that at all.

Something on disk counts as something you know. A private/public key pair is 
not something you HAVE because it’s not a physical object and it’s certainly 
not something you ARE.

It’s clearly in the something you KNOW category for all practical purposes, 
even if you don’t memorize it into your mind.

Now, a private key in a black box where you feed it encrypted stuff to be 
decrypted or decrypted stuff to be encrypted and you cannot extract the private 
key, that could be something you HAVE.

But at that point, it’s the black box that is the thing you have, not the key 
itself. The key in the box and the box’s ability to decrypt/encrypt using that 
key is merely a mechanism for proving that you have the correct black box.

> Historically the banks used to depend on a system that is the same as ssh 
> keys: certificate files you have on your computer to access the bank website. 
> That also is a two factor system. The users did not usually memorize the 
> content of the certificates. The system is weak because bad guys used malware 
> to steal the certificate files and install key loggers to also get the other 
> factor, the password. 

Again, real two-factor authentication depends on factors from different 
categories above. The certificate, like it or not, whether you memorize it or 
not, is something you KNOW, not something you HAVE.

To qualify as something you HAVE, it has to be a unique physical token with 
some 

Re: Broadband Router Comparisons

2015-12-27 Thread Mike


On 12/27/15, 4:57 PM, Larry Sheldon wrote:

On 12/26/2015 23:49, Mike wrote:

[snip]


Firstly, they are all junk. Every last one of them. Period. Broadband
routers are designed to be cheap and to appeal to people who don't know
any better, and who respond well (eg: make purchasing decisions) based
on the shape of the plastic, the color scheme employed, and number of
mysterious blinking lights that convey 'something important is
happening'. Further, the price point is $45 - $70 thereabouts, putting
some definite constraints on the actual quality of the engineering and
components that go into them. I feel that we, the service provider,
endure a significantly high and undue burden of cost associated with
providing ongoing support to customers as a result of the defects
contained therein.


Why don't you offer an acceptable (to you) device at a price 
acceptable to me as a part of the service.  I'd buy it.



NO SUCH DEVICE EXISTS, because you can't afford it. If I were to take 
you seriously however - and we're talking about eliminating all excuses 
and simply getting down to it and making a marginally qualified showing 
at expecting uninterrupted service - the entire environment is what has 
to be solved. The device would be cisco or juniper branded, internal 
redundancy / failover features to allow hitless upgrades or module 
failures, have dual (preferably, triple) power supplies, would be 
required to be housed in a locked enclosure with air conditioning and 
online double conversion battery with the addition of an external backup 
generator with its own separate backup fuel supply, which is further 
tested weekly and maintained with inspections and oil changes. The router 
would be under service contract with the manufacturer, would be 
monitored by my noc, and would receive appropriate software upgrades as 
required, and you would pay for this monthly in addition to your 
internet service. Furthermore, you also would be required to have at 
least two distinct connections to me and make a deposit to provide 
credit in the event you falsely claim 'trouble' where no trouble exists. 
A separate 'test pc', also in its own enclosure and normally off limits 
to you, and connected to said router and backup power and such, would be 
agreed upon as the test fixture that we would monitor TO. It would 
display current network statistics including packet loss and latencies 
to various on and off-net locations, with current time and date logging 
on screen. You would agree that you are to blame each and every time you 
'can't get on', while the test pc clearly shows on its local screen to 
you otherwise. You would be required to forfeit a portion of your 
deposit each time you called for technical support and were determined 
to be at fault and to blame for your own issue.





Re: Broadband Router Comparisons

2015-12-27 Thread James Downs

> On Dec 27, 2015, at 17:56, Mike  wrote:

> The device would be cisco or juniper branded, internal redundancy / failover 
> features to allow hitless upgrades or module failures, have dual (preferably, 

After the last week or so, I wouldn’t trust a service provider who insisted on 
installing juniper at my site.

Re: Broadband Router Comparisons

2015-12-27 Thread Josh Reynolds
And now that the new bill has passed, they (along with many others) will be
"mishandling" your data often and legally with 3 letter agencies and other
corporations. :(
On Dec 27, 2015 8:48 PM, "James Downs"  wrote:

>
> > On Dec 27, 2015, at 09:43, Hugo Slabbert  wrote:
>
> > Hence: https://on.google.com/hub/
>
> The device looks cool, and sounds cool, but what data does google end up
> with, and what remote management can they do? Their policy pages aren’t
> exactly clear, and they’ve mishandled personal data a number of times
> previously.
>
>


Re: Broadband Router Comparisons

2015-12-27 Thread Hugo Slabbert

On Sun 2015-Dec-27 20:58:18 -0600, Josh Reynolds  wrote:


And now that the new bill has passed, they (along with many others) will be
"mishandling" your data often and legally with 3 letter agencies and other
corporations. :(
On Dec 27, 2015 8:48 PM, "James Downs"  wrote:



> On Dec 27, 2015, at 09:43, Hugo Slabbert  wrote:

> Hence: https://on.google.com/hub/

The device looks cool, and sounds cool, but what data does google end up
with, and what remote management can they do? Their policy pages aren’t
exactly clear, and they’ve mishandled personal data a number of times
previously.



Probably wise to keep the tinfoil hat within arm's reach, I think.  My 
ref was strictly "yep, they appear to be making a play at the home 
controller market via a broadband router trojan horse" and not in any way 
an endorsement or comment on the merits of the device.


--
Hugo

h...@slabnet.com: email, xmpp/jabber
PGP fingerprint (B178313E):
CF18 15FA 9FE4 0CD1 2319 1D77 9AB1 0FFD B178 313E

(also on textsecure & redphone)




Re: de-peering for security sake

2015-12-27 Thread Baldur Norddahl
On 27 December 2015 at 22:08, Owen DeLong  wrote:

> This is a bit of a tangent, really. The discussion was about
> authentication factor
> counts and Baldur tried to use PCI-DSS acceptance of password-encrypted
> private key authentication as two-factor to bolster his claim that it was,
> in fact
> two-factor, when it clearly isn’t actually two-factor as has been stated
> previously.
>

I wanted to stay out of this, but Owen you are full of shit here. I am
pointing out that your homemade definition does not match up with what
others think two factor means. PCI DSS might be utter crap, but they are
still more than "Owen DeLong and his personal opinion".

You are utterly confused about the meaning about two factor. You apparently
believe the magic words "two factor" is a statement about the security of a
system, while it is in fact just a simple property. A property that even an
inherently insecure and weak system can have.

It is not, as you have said, about strengthening the search space of a crypto
key (just double the key length if you need that). In fact, many two factor
systems do not use crypto keys at all. An example of such a non crypto
based system is a credit card with magnetic strip plus pin. The magnetic
strip contains just the card number, which can also be read directly from
the card and even memorized by the owner.

We need two factor because if you have just one factor, say the password,
the hacker will simply call the user and ask him to tell the password. And
the users will happily oblige. Experience shows this. On the other hand,
if you give the users a single factor system with a physical token (a key),
that gets stolen, misplaced or "borrowed" far too easily. Therefore
industry standard is card + pin to enter a building (=two factor). Secure
places require three factor (card + pin + biometric).

SSH keys are two factor because people do not in general memorize the key
file. Because they do not, you can not gain access to the system with only
what you know (=in your mind). Unless the user violated protocols and
changed the passphrase to null, you can not gain access just by possession
of the key file. That is all that is required to name it two factor. That
Owen DeLong believes the system stinks does not change that at all.

Historically the banks used to depend on a system that is the same as ssh
keys: certificate files you have on your computer to access the bank
website. That also is a two factor system. The users did not usually
memorize the content of the certificates. The system is weak because bad
guys used malware to steal the certificate files and install key loggers to
also get the other factor, the password.

In my country (Denmark) they decided hardware keys are still too expensive,
so they developed a two factor system based on paper keys. You will get a
piece of paper with a few hundred random numbers. When you log in, you are
asked to type one of the numbers in to prove that you are in possession of
the key paper. The codes are just 6 digits and infinitely weak if you believe
them to be part of any crypto scheme. This system has also been broken
because now bad guys ask the users to take pictures of the key paper to
prove something, and the users happily do just that. Banks are still happy
though, because the loss is less than the cost to ship hardware keys to
everyone.

Only strong two factor systems are really resistant to the users defeating
the system by doing stupid things. That does not mean that only strong two
factor systems are two factor. That would be silly - Owen what would you
then name weak and broken two factor systems? It is a property - nothing
more.

Regards,

Baldur


Re: Broadband Router Comparisons

2015-12-27 Thread Larry Sheldon

On 12/26/2015 23:49, Mike wrote:

[snip]


Firstly, they are all junk. Every last one of them. Period. Broadband
routers are designed to be cheap and to appeal to people who don't know
any better, and who respond well (eg: make purchasing decisions) based
on the shape of the plastic, the color scheme employed, and number of
mysterious blinking lights that convey 'something important is
happening'. Further, the price point is $45 - $70 thereabouts, putting
some definite constraints on the actual quality of the engineering and
components that go into them. I feel that we, the service provider,
endure a significantly high and undue burden of cost associated with
providing ongoing support to customers as a result of the defects
contained therein.


Why don't you offer an acceptable (to you) device at a price acceptable 
to me as a part of the service.  I'd buy it.



--
sed quis custodiet ipsos custodes? (Juvenal)


Re: de-peering for security sake

2015-12-27 Thread Mike Hale
Also think of it from the perspective of the authenticating host.

That SSH connection relies *only* on the key for authentication.  It
requires nothing else.  How you protect that key is irrelevant.  All
that matters is that the host is accepting a single form of
authentication.  It's clearly single-factor.

You can call it pseudo-multi-factor if you want.  It's certainly better
than a shitty password.  But it's not multi-factor by the generally
accepted definition (although I'd place it under 'something you have'
rather than the 'something you know' section).

On Sun, Dec 27, 2015 at 5:08 PM, Owen DeLong  wrote:
>
>> On Dec 27, 2015, at 14:33 , Baldur Norddahl  
>> wrote:
>>
>>
>>
>> On 27 December 2015 at 22:08, Owen DeLong wrote:
>> This is a bit of a tangent, really. The discussion was about authentication 
>> factor
>> counts and Baldur tried to use PCI-DSS acceptance of password-encrypted
>> private key authentication as two-factor to bolster his claim that it was, 
>> in fact
>> two-factor, when it clearly isn’t actually two-factor as has been stated 
>> previously.
>>
>> I wanted to stay out of this, but Owen you are full of shit here. I am 
>> pointing out that your homemade definition does not match up with what 
>> others think two factor means. PCI DSS might be utter crap, but they are 
>> still more than "Owen DeLong and his personal opinion".
>
> Dude… It’s not just my opinion. Virtually everyone else who chimed in on the 
> thread other than you backed my position on this.
>
>> You are utterly confused about the meaning about two factor. You apparently 
>> believe the magic words "two factor" is a statement about the security of a 
>> system, while it is in fact just a simple property. A property that even an 
>> inherently insecure and weak system can have.
>
> No, as I pointed out, you can have very weak security with two weak factors.
>
> However, the property two-factor means something and it’s not what you 
> apparently think.
>
>> It is not, as you have said, about strengthen the search space of a crypto 
>> key (just double the key length if you need that). In fact, many two factor 
>> systems do not use crypto keys at all. An example of such a non crypto based 
>> system is a credit card with magnetic strip plus pin. The magnetic strip 
>> contains just the card number, which can also be read directly from the card 
>> and even memorized by the owner.
>
> Actually, the magnetic stripe contains quite a bit more than the card number, 
> but that’s another tangent.
>
> I never said you had to have crypto for two-factor, nor did I say that two 
> factor magically made things stronger.
>
>> We need two factor because if you have just one factor, say the password, 
>> the hacker will simply call the user and ask him to tell the password. And 
>> the users will happily obligate. Experience shows this. On the other hand, 
>> if you give the users a single factor system with a physical token (a key), 
>> that gets stolen, misplaced or "borrowed" far too easily. Therefore industry 
>> standard is card + pin to enter a building (=two factor). Secure places 
>> require three factor (card + pin + biometric).
>
> Card+pin is an example of two factors… You _HAVE_ the card and you _KNOW_ the 
> PIN.
>
> Password-encrypted Key, OTOH, is something you _KNOW_ and something else you 
> _KNOW_. It’s not something you _HAVE_ or something you _ARE_.
>
> There are three generally accepted categories of Factors for authentication…
>
> 1.  Something you HAVE
> 2.  Something you KNOW
> 3.  Something you ARE
>
> In order to qualify as 2-factor, a system must require something from two of 
> the categories. Two things from the same category do not qualify.
>
>> SSH keys are two factor because people do not in general memorize the key 
>> file. Because they do not, you can not gain access to the system with only 
>> what you know (=in your mind). Unless the user violated protocols and 
>> changed the passphrase to null, you can not gain access just by possession 
>> of the key file. That is all that is required to name it two factor. That 
>> Owen DeLong believes the system stinks does not change that at all.
>
> Something on disk counts as something you know. A private/public key pair is 
> not something you HAVE because it’s not a physical object and it’s certainly 
> not something you ARE.
>
> It’s clearly in the something you KNOW category for all practical purposes, 
> even if you don’t memorize it into your mind.
>
> Now, a private key in black box where you feed it encrypted stuff to be 
> decrypted or decrypted stuff to be encrypted and you cannot extract the 
> private key, that could be something you HAVE.
> But at that point, it’s the black box that is the thing you have, not the key 
> itself. The key in the box and the box's ability to decrypt/encrypt using 
> that key is merely a mechanism for 

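The server-side view Mike describes can be checked against what sshd is actually configured to demand. The sshd_config excerpt below is an added example for this archive, not text or configuration posted by anyone in the thread, and it does not take a side in the naming argument; it shows the caveat a practitioner would want: a passphrase on a private key file is enforced by the client's file encryption and never reaches the server, so if the server itself should require a second method, that has to be stated in `AuthenticationMethods`. The PAM OTP module named in the comments (pam_oath) is an assumption about how keyboard-interactive is backed and is not part of the fragment.

```conf
# sshd_config excerpt. Added example; not from any poster in this thread.
#
# With public-key authentication alone, sshd verifies one thing: a signature
# made with the client's private key. Whether that key was stored encrypted
# under a passphrase, or is a copy with the passphrase stripped
# (ssh-keygen -p -N '' -f id_copy), never reaches the server. The passphrase
# is enforced by the client's file encryption, not by sshd.
PubkeyAuthentication yes
PasswordAuthentication no

# To have the server itself require two methods, name them; every method in
# the comma-separated list must succeed, in order. Here a key signature must be
# followed by a keyboard-interactive exchange handled by PAM. This assumes a
# PAM OTP module (for example pam_oath) is configured for the sshd service,
# which is outside this fragment.
UsePAM yes
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam

# Closer to the "key in a black box" case raised in the thread: FIDO2 keys
# (sk-ssh-ed25519@openssh.com, sk-ecdsa-sha2-nistp256@openssh.com) keep the
# private key on the token. OpenSSH 8.4 and later can require the token's
# attestation that the user was verified (PIN or biometric) before signing.
# Left commented out because enabling it rejects every non-FIDO key.
#PubkeyAuthOptions verify-required
```

After editing, `sshd -t` validates the syntax and `sshd -T` prints the effective values, which is the quickest way to confirm which methods the server really requires rather than what the client happens to do with its key file.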
Re: Broadband Router Comparisons

2015-12-27 Thread James Downs

> On Dec 27, 2015, at 09:43, Hugo Slabbert  wrote:

> Hence: https://on.google.com/hub/

The device looks cool, and sounds cool, but what data does google end up with, 
and what remote management can they do? Their policy pages aren’t exactly 
clear, and they’ve mishandled personal data a number of times previously.



Re: Broadband Router Comparisons

2015-12-27 Thread Scott Weeks

---
>https://www.kickstarter.com/projects/shieldapparel/shield-the-world-s-first-signal-proof-headwear
https://www.etsy.com/listing/55473505/knit-tinfoil-hat-made-to-order
--


There is just no end to stoopid.  There's apparently an 
infinite quantity available.

scott


RE: Broadband Router Comparisons

2015-12-27 Thread Keith Medcalf


On Sunday, 27 December, 2015 19:46, James Downs  said:
> > On Dec 27, 2015, at 09:43, Hugo Slabbert  wrote:

> > Hence: https://on.google.com/hub/

> The device looks cool, and sounds cool, but what data does google end up
> with, and what remote management can they do? Their policy pages aren’t
> exactly clear, and they’ve mishandled personal data a number of times
> previously.

They end up with ALL the data they can capture; they have COMPLETE management 
control; and, can execute whatever code they want, without your prior approval 
or choice, on the device at any time they please, including permanent changes 
in the software and configuration.