Sorry OpenBSD people, been a bit busy


Re: Sorry OpenBSD people, been a bit busy

Roderick
On Mon, 7 Oct 2013, James Griffin wrote:

> [...] But when people don't listen, or continuously repeat themselves
> unnecessarily, the discussion digresses and becomes irrelevant and/or
> annoying for those of us subscribed to the list. That's the point I
> tried to make. Anyway, this is digressing too.

No. This was obviously not the "reason". The offenses did not come from
people that complained about the amount of emails. And I was not in the
discussion alone: mainly I answered; if I repeated, then because people
did not understand me. Perhaps the topic was a little off-topic, but in my
opinion not irrelevant; it deserves to be discussed, and an objective
discussion here was impossible. On the other side, I understand that such
discussions can be disturbing in a mailing list. This is one of the reasons
why I was for the existence of the old OpenBSD Usenet groups.

In my opinion, the reason for the insults and defamations is something very
primitive. For many people the operating system they use is part of their
identity (as for others their car or their mobile telephone). Without
their operating system they feel they are no one. Belonging to a "community"
they feel part of an elite. Insulting and defaming people outside
makes these feelings stronger; people insulting and defaming one individual
feel more together, they need it collectively from time to time.
Not to be part of it is a question of conscience, also of education;
from the ones that do it you cannot expect a much better behaviour.
BTW, the insults came together with the demand that I leave the list, not that
I stop posting about the topic: I was the enemy outside the "community".

Rodrigo.


Re: Sorry OpenBSD people, been a bit busy

Kevin Chadwick-2
In reply to this post by Theo de Raadt
> Why?  With a group of others, I started setting up an Internet
> Exchange in Calgary, and this has taken much time because it is highly
> politicized and has encountered some resistance.

So has your internet access (ISP) improved too since a while back or
just locally and what resistance did you encounter - pro surveillance?

The UK broadband speeds have shot up and become more of an asset, but
they are also becoming far more of a liability too. I am not too
bothered about well-secured?? monitoring systems for the good of us all
by authorities that perhaps put as much importance on the security of the
monitoring systems as anyone else? if not more? but I am extremely
concerned about the government now even pushing ISPs to put in layer 7
filters such as TalkTalk's HomeSafe on the cheapest and crappiest
hardware (of the same make as those with backdoors in audio switches,
thankfully firewalled) and possibly providing a cover for the previously
rejected advertising data harvesting systems of the future under the
compelling and so reason-scuppering, highly questionable method of
stopping kiddy porn.

If only more ISP engineers understood why OpenBSD is so secure, or
at least as much as they traditionally did with the mantra that ISPs
transport packets and that's all, for safety reasons.

--
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________


Re: Sorry OpenBSD people, been a bit busy

Scott McEachern-2
On 10/08/13 07:20, Kevin Chadwick wrote:

>
> So has your internet access (ISP) improved too since a while back or
> just locally and what resistance did you encounter - pro surveillance?
>
> The UK broadband speeds have shot up and become more of an asset, but
> they are also becoming far more of a liability too. I am not too
> bothered about well-secured?? monitoring systems for the good of us all
> by authorities that perhaps put as much importance on the security of the
> monitoring systems as anyone else? if not more? but I am extremely
> concerned about the government now even pushing ISPs to put in layer 7
> filters such as TalkTalk's HomeSafe on the cheapest and crappiest
> hardware (of the same make as those with backdoors in audio switches,
> thankfully firewalled) and possibly providing a cover for the previously
> rejected advertising data harvesting systems of the future under the
> compelling and so reason-scuppering, highly questionable method of
> stopping kiddy porn.
>
>
> If only more ISP engineers understood why OpenBSD is so secure, or
> at least as much as they traditionally did with the mantra that ISPs
> transport packets and that's all, for safety reasons.

I didn't want to bring this up before, but it might be an interesting
discussion, even though off-topic.  Feel free to ignore this part of the
thread.

After reading Theo's post, I wondered what effect an IX had on what we
now know about NSA surveillance.  I don't know anything about it, but I
suspect it won't make any difference.

Some of Snowden's leaked documents detail how the NSA has the private
keys for various US corporations, and they set up various computers on
the backbone links.  Basically, the NSA can imperceptibly vacuum up all
data.  Scary shit, really.

A few people have suggested they are vacuuming /everything/, not just
"foreigners", while others counter that there's just too much data, and
it's infeasible for them to store it.

I propose that not only is it possible, but quite likely.  When google
mysteriously went offline for about 5 minutes a while back, it was said
that Internet traffic dropped by 40%.  A shitload of that is going to be
YouTube, which the NSA can easily ignore.  I've also heard that
something like 40% of Internet traffic is porn, so they can ignore that,
too.  Another big chunk goes to people downloading movies/TV by Netflix,
torrent or from the cable-type companies themselves.  Again, the actual
content can be ignored, but the metadata can be kept.  Duplicate data
can be ignored as well. There's no need for the NSA to keep 10,000
copies of the same shit Fox or CNN spews to 10,000 daily visitors.  Just
keep the metadata. No need to keep advertisements, cool graphics/CSS
stuff, or HTML. That can all be stripped away.

Whether those "40%" numbers are accurate or not -- and I doubt they are
-- isn't the point.  The point is that a metric shitload of content can
be safely ignored.  It wouldn't surprise me in the least if it were to
be revealed that all the NSA actually traps is maybe 5% of total
Internet traffic.  Not because of a lack of capacity, but a lack of
interest in "crap".  Now go look at the two big data centres under
construction.  Everyone knows about the Utah data centre, but there's
another, slightly smaller one, under construction on the East coast.  
(Sorry, I can't remember exactly where.)

But that's not the scariest thing.

The scariest thing is when a friend of mine talked about how cool his
smartphone is.  I replied with the standard stuff:  "You're being
watched and recorded" (etc).  He said he doesn't care.  He just doesn't
care if the government watched the sex vids he shared with some ladies
online, or read his emails.  Paraphrasing him, he asked, When was the
last time someone I knew had a government official knock on their door?  
Never!  And you'll never see it happen in your lifetime, either!

I did reply with a few thought-provoking ideas, but I know damn well he
won't think about it, because he just doesn't care, and no matter what I
say, he never will.  (I did ask him, when /will/ it be too much for you,
and will it be too late?  He didn't reply.)

I would suggest that most of the general population shares his apathy.  
Sure, a few people get riled up for a few minutes, but that goes away
when Miley does something stupid with her ass, a dancing show comes on,
or Michael Bay blows up a lot of stuff on the big screen.

Now we're finding out that the FBI and NSA own a whole lot of Tor
nodes.  Some suspect half of them are government controlled, especially
the exit nodes.

More scary?  The likes of Bruce Schneier and Glenn Greenwald, both privy
to the compendium of Snowden's documents, are saying things like "We
haven't seen the half of it...  It gets worse."  I can't wait..

A question for Theo and those in the know:  Do these IXs in any way
deter or foil the NSA?  Or do they "just" make for better connectivity?  
Just curious.

@Kevin Chadwick:  About your comment "stopping kiddie porn", read my
sig.  I think he said that in 2006.

--
Scott McEachern

https://www.blackstaff.ca

"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four."  -- Bruce Schneier


Re: Sorry OpenBSD people, been a bit busy

Kyle R W Milz
On Tue, Oct 08, 2013 at 08:20:32AM -0400, Scott McEachern wrote:
> I didn't want to bring this up before, but it might be an
> interesting discussion, even though off-topic.  Feel free to ignore
> this part of the thread.
>
> After reading Theo's post, I wondered what effect an IX had on what
> we now know about NSA surveillance.  I don't know anything about it,
> but I suspect it won't make any difference.

I have a colocated server in the same data center that the IX is being
installed in. I live in Calgary and also have a home internet connection
with a major ISP here, Shaw Cable.

Traceroutes from my home to the data centre are pretty normal; Enmax
Envision is a local commercial fibre carrier:

traceroute to getaddrinfo.net (216.171.227.98), 64 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  6.809 ms  2.461 ms  14.730 ms
 2  * * *
 3  64.59.132.169 (64.59.132.169)  14.543 ms  10.710 ms  13.220 ms
 4  66.163.71.102 (66.163.71.102)  13.731 ms ra2so-tge2-1.cg.shawcable.net (66.163.71.98)  14.216 ms  13.916 ms
 5  rx0so-enmax.cg.bigpipeinc.com (66.244.207.158)  13.478 ms  10.950 ms  14.982 ms
 6  a72-29-245-70.enmaxenvison.net (72.29.245.70)  12.979 ms  33.446 ms  9.483 ms
 7  a72-29-245-66.enmaxenvison.net (72.29.245.66)  14.227 ms  13.917 ms  16.484 ms
 8  216-171-224-253.datahive.ca (216.171.224.253)  9.981 ms  14.946 ms  25.484 ms
 9  216-171-224-5.datahive.ca (216.171.224.5)  46.234 ms  29.974 ms  35.703 ms
10  216-171-227-98.datahive.ca (216.171.227.98)  36.741 ms  40.197 ms  41.490 ms

Now here is where things get interesting, from the data centre to my
home:

traceroute to krwm.net (184.64.152.209), 64 hops max, 40 byte packets
 1  216-171-227-97.datahive.ca (216.171.227.97)  0.636 ms  0.622 ms  0.411 ms
 2  216-171-224-246.datahive.ca (216.171.224.246)  0.409 ms  0.505 ms  0.561 ms
 3  gige-g2-7.core1.yyc1.he.net (72.52.101.149)  6.267 ms  0.823 ms  0.557 ms
 4  10gigabitethernet3-2.core1.yvr1.he.net (184.105.223.218)  17.967 ms  11.860 ms  16.505 ms
 5  10gigabitethernet12-3.core1.sea1.he.net (184.105.222.1)  35.960 ms  14.592 ms  20.456 ms
 6  rc1wt-ge4-1.wa.shawcable.net (206.81.80.54)  27.318 ms  23.863 ms  23.819 ms
 7  66.163.70.209 (66.163.70.209)  19.439 ms  20.140 ms  19.439 ms
 8  dx6no-g1.cg.shawcable.net (64.59.132.170)  24.978 ms  20.165 ms  19.573 ms
 9  krwm.net (184.64.152.209)  139.806 ms  33.179 ms  27.907 ms

Take a look at the 5th and 6th hops: they are in the US. The data
goes from Calgary to Vancouver, down into the US to Seattle, and then all
the way back to Calgary.

So, long-winded answer to your question: Canadian internet traffic will
stay in Canada and won't make these ridiculous loops.

I guess if the NSA has coerced with CSIS or whatever the Canadian
equivalent is then there might be cause for worry there (quite likely as
we parrot almost everything the US does).

> Some of Snowden's leaked documents detail how the NSA has the
> private keys for various US corporations, and they set up various
> computers on the backbone links.  Basically, the NSA can
> imperceptibly vacuum up all data.  Scary shit, really.
>
> A few people have suggested they are vacuuming /everything/, not
> just "foreigners", while others counter that there's just too much
> data, and it's infeasible for them to store it.
>
> I propose that not only is it possible, but quite likely.  When
> google mysteriously went offline for about 5 minutes a while back,
> it was said that Internet traffic dropped by 40%.  A shitload of
> that is going to be YouTube, which the NSA can easily ignore.  I've
> also heard that something like 40% of Internet traffic is porn, so
> they can ignore that, too.  Another big chunk goes to people
> downloading movies/TV by Netflix, torrent or from the cable-type
> companies themselves.  Again, the actual content can be ignored, but
> the metadata can be kept.  Duplicate data can be ignored as well.
> There's no need for the NSA to keep 10,000 copies of the same shit
> Fox or CNN spews to 10,000 daily visitors.  Just keep the metadata.
> No need to keep advertisements, cool graphics/CSS stuff, or HTML.
> That can all be stripped away.
>
> Whether those "40%" numbers are accurate or not -- and I doubt they
> are -- isn't the point.  The point is that a metric shitload of
> content can be safely ignored.  It wouldn't surprise me in the least
> if it were to be revealed that all the NSA actually traps is maybe
> 5% of total Internet traffic.  Not because of a lack of capacity,
> but a lack of interest in "crap".  Now go look at the two big data
> centres under construction.  Everyone knows about the Utah data
> centre, but there's another, slightly smaller one, under
> construction on the East coast.  (Sorry, I can't remember exactly
> where.)
>
> But that's not the scariest thing.
>
> The scariest thing is when a friend of mine talked about how cool
> his smartphone is.  I replied with the standard stuff:  "You're
> being watched and recorded" (etc).  He said he doesn't care.  He
> just doesn't care if the government watched the sex vids he shared
> with some ladies online, or read his emails.  Paraphrasing him, he
> asked, When was the last time someone I knew had a government
> official knock on their door?  Never!  And you'll never see it
> happen in your lifetime, either!
>
> I did reply with a few thought-provoking ideas, but I know damn well
> he won't think about it, because he just doesn't care, and no matter
> what I say, he never will.  (I did ask him, when /will/ it be too
> much for you, and will it be too late?  He didn't reply.)
>
> I would suggest that most of the general population shares his
> apathy.  Sure, a few people get riled up for a few minutes, but that
> goes away when Miley does something stupid with her ass, a dancing
> show comes on, or Michael Bay blows up a lot of stuff on the big
> screen.
>
> Now we're finding out that the FBI and NSA own a whole lot of Tor
> nodes.  Some suspect half of them are government controlled,
> especially the exit nodes.
>
> More scary?  The likes of Bruce Schneier and Glenn Greenwald, both
> privy to the compendium of Snowden's documents, are saying things
> like "We haven't seen the half of it...  It gets worse."  I can't
> wait..
>
> A question for Theo and those in the know:  Do these IXs in any way
> deter or foil the NSA?  Or do they "just" make for better
> connectivity?  Just curious.
>
> @Kevin Chadwick:  About your comment "stopping kiddie porn", read my
> sig.  I think he said that in 2006.
>
> --
> Scott McEachern
>
> https://www.blackstaff.ca
>
> "Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four."  -- Bruce Schneier
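The path inspection Kyle does by eye above (reading router hostnames for airport codes and region abbreviations to see where a hop sits) can be automated so that a route which detours through another country is flagged rather than noticed by chance. The following is an added example, not code from the original post or from anyone in the thread: it parses the two traceroute listings exactly as posted and reports hops whose names suggest the packets left Canada. The token-to-location table (yyc, yvr, sea, cg, wa and the .ca TLD) is an assumption based on common carrier naming conventions, so treat its output as a hint to verify against the carrier, not as geolocation.

```python
"""Infer where traceroute hops sit from router hostnames and flag hops that
fall outside the home country. Added example; the location table is heuristic."""
import re
from dataclasses import dataclass

# Both listings are the traceroute output quoted in the thread.
HOME_TO_DC = """\
traceroute to getaddrinfo.net (216.171.227.98), 64 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  6.809 ms  2.461 ms  14.730 ms
 2  * * *
 3  64.59.132.169 (64.59.132.169)  14.543 ms  10.710 ms  13.220 ms
 4  66.163.71.102 (66.163.71.102)  13.731 ms ra2so-tge2-1.cg.shawcable.net (66.163.71.98)  14.216 ms  13.916 ms
 5  rx0so-enmax.cg.bigpipeinc.com (66.244.207.158)  13.478 ms  10.950 ms  14.982 ms
 6  a72-29-245-70.enmaxenvison.net (72.29.245.70)  12.979 ms  33.446 ms  9.483 ms
 7  a72-29-245-66.enmaxenvison.net (72.29.245.66)  14.227 ms  13.917 ms  16.484 ms
 8  216-171-224-253.datahive.ca (216.171.224.253)  9.981 ms  14.946 ms  25.484 ms
 9  216-171-224-5.datahive.ca (216.171.224.5)  46.234 ms  29.974 ms  35.703 ms
10  216-171-227-98.datahive.ca (216.171.227.98)  36.741 ms  40.197 ms  41.490 ms
"""
DC_TO_HOME = """\
traceroute to krwm.net (184.64.152.209), 64 hops max, 40 byte packets
 1  216-171-227-97.datahive.ca (216.171.227.97)  0.636 ms  0.622 ms  0.411 ms
 2  216-171-224-246.datahive.ca (216.171.224.246)  0.409 ms  0.505 ms  0.561 ms
 3  gige-g2-7.core1.yyc1.he.net (72.52.101.149)  6.267 ms  0.823 ms  0.557 ms
 4  10gigabitethernet3-2.core1.yvr1.he.net (184.105.223.218)  17.967 ms  11.860 ms  16.505 ms
 5  10gigabitethernet12-3.core1.sea1.he.net (184.105.222.1)  35.960 ms  14.592 ms  20.456 ms
 6  rc1wt-ge4-1.wa.shawcable.net (206.81.80.54)  27.318 ms  23.863 ms  23.819 ms
 7  66.163.70.209 (66.163.70.209)  19.439 ms  20.140 ms  19.439 ms
 8  dx6no-g1.cg.shawcable.net (64.59.132.170)  24.978 ms  20.165 ms  19.573 ms
 9  krwm.net (184.64.152.209)  139.806 ms  33.179 ms  27.907 ms
"""

# ASSUMED mapping: carriers often embed IATA airport codes (yyc, yvr, sea) or
# region abbreviations (cg, wa) in router names. Heuristic, not authoritative.
TOKEN_LOCATIONS = {
    "yyc": ("Calgary", "CA"),
    "cg": ("Calgary", "CA"),
    "yvr": ("Vancouver", "CA"),
    "sea": ("Seattle", "US"),
    "wa": ("Washington state", "US"),
}
TLD_COUNTRIES = {"ca": "CA"}  # fall back on a country-code TLD

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
HOST_RE = re.compile(r"([\w.-]+) \((\d{1,3}(?:\.\d{1,3}){3})\)")


@dataclass
class Hop:
    number: int
    hosts: list  # empty when the hop did not answer ("* * *")
    ips: list


def parse_traceroute(text):
    """Parse BSD-style traceroute output into a list of Hop records."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:  # the "traceroute to ..." header line
            continue
        pairs = HOST_RE.findall(m.group(2))
        hops.append(Hop(int(m.group(1)), [h for h, _ in pairs], [ip for _, ip in pairs]))
    return hops


def locate(hostname):
    """Guess (city, country) from hostname tokens; country is None if unknown."""
    labels = hostname.lower().split(".")
    # split labels on '-' and drop trailing digits so 'sea1' and 'yyc1' match
    tokens = [re.sub(r"\d+$", "", t) for lab in labels for t in lab.split("-")]
    for tok in tokens:
        if tok in TOKEN_LOCATIONS:
            return TOKEN_LOCATIONS[tok]
    if labels[-1] in TLD_COUNTRIES:
        return ("unknown city", TLD_COUNTRIES[labels[-1]])
    return ("unknown", None)


def hops_outside(hops, home_country="CA"):
    """Hops whose inferred country is known and differs from home_country."""
    flagged = []
    for hop in hops:
        for host in hop.hosts:
            city, country = locate(host)
            if country and country != home_country:
                flagged.append((hop.number, host, city))
                break
    return flagged


if __name__ == "__main__":
    for name, text in (("home -> data centre", HOME_TO_DC), ("data centre -> home", DC_TO_HOME)):
        out = hops_outside(parse_traceroute(text))
        print(f"{name}: {len(out)} hop(s) outside CA", *(f"  hop {n}: {h} ({c})" for n, h, c in out), sep="\n")
```

Run on the two listings, the outbound path reports no hop outside Canada, while the return path flags hops 5 and 6 (Seattle and Washington state), which is exactly the loop Kyle points at. Hops with bare IP literals or names carrying no recognisable token come back as unknown rather than being assumed domestic, so a silent result is not a clean bill of health; for an audit that has to stand up, check the flagged addresses against the carrier's published PoP information.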


Re: Sorry OpenBSD people, been a bit busy

Scott McEachern-2
On 10/08/13 10:33, Kyle R W Milz wrote:
> Now here is where things get interesting, from the data centre to my
> home:
[...]

> Take a look at the 5th and 6th hops: they are in the US. The data
> goes from Calgary to Vancouver, down into the US to Seattle, and then all
> the way back to Calgary.
>
> So, long-winded answer to your question: Canadian internet traffic will
> stay in Canada and won't make these ridiculous loops.
>
> I guess if the NSA has coerced with CSIS or whatever the Canadian
> equivalent is then there might be cause for worry there (quite likely as
> we parrot almost everything the US does).

I've seen similar paths when tracerouting from my location (NE of
Toronto) to west coast sites.  Depending on the site, the packets take a
little detour to NYC, Chicago, Seattle, etc., before coming back into
Canada.

Please forgive my little ramble here:

20 years ago, my girlfriend and I drove from Whitby, Ontario (just east
of Toronto) to Banff, Alberta.  We drove through Calgary, BTW. On our
way out there, we decided to take a short cut through some northern
states: Michigan, Wisconsin, Minnesota and finally North Dakota, before
heading north to Winnipeg, and continuing west.  It was considerably
shorter than driving through northern Ontario, above Lake Superior.

Stupid me, I completely forgot I had a bag containing something the
border authorities would very seriously frown upon.  They gave a cursory
check to the trunk, and I paid a $2 duty on the (obvious) case of beer
that I bought in Canada.  The guys in the car ahead of us got the full
shakedown.

We slept in the car until the border opened.  It wasn't until we pitched
our tents for the first time, the next night, and broke out the bag,
that I realized my (our) mistake.  Needless to say, we didn't cross the
border again and took the long way home.

My point is that staying in Canada and not crossing the border might be
a good idea by car, (and that was pre-9/11), but I don't think in this
day and age that it really matters if your packets cross the border or not.

Remember, Canada is one of the "Five Eyes" (along with the US, UK,
Australia and New Zealand) whose intelligence agencies happily share
information.  How much, we don't know, but it gets around legal
loopholes about not being able to spy on your own citizens.  (Which the
NSA disregards entirely.)

The Canadian equivalent to the NSA isn't CSIS, it's CSEC.
https://en.wikipedia.org/wiki/Communications_Security_Establishment_Canada 
The ECHELON section on that page explains the Five Eyes setup, about
sharing information, and it's been going on since 1948.  And don't
forget, since we are "foreign", it is within the NSA's mandate to
monitor us.

So you bet your ass they are watching us, because they can.

While I have no proof of this, it is strictly my unfounded theory, I
would also think that the NSA pays particular interest to OpenBSD. It's
right there on the OpenBSD site's pages that they're located in Canada
to /specifically/ avoid US "interference".

If you were the NSA, wouldn't you find an organization that:

1) blatantly says they're in Canada to avoid US government problems,
2) is arguably the most secure OS on the market,
3) (I think..) was the first to use integrated heavy crypto, including
IPSec,
4) has a subtle (and sometimes not so subtle)
anti-government/anti-establishment tone on the mailing lists,
5) is completely open source with all commits publicly viewable,
6) is probably run by a bunch of "commie hippies" (in their eyes),

wouldn't /you/ (as the NSA) keep an eye on those liberal bastards?

My friend replied to me, from his gmail account, to my email server
located in my own home, using my own Canadian-registered domain, "And if
a government really wanted to track you, well, let's face the facts. You
and I just aren't that important. haha"

I had to point out to him that, let's face facts, you are exactly one
degree of separation from someone, who (albeit tangentially) is involved
with not just any FOSS organization, but OpenBSD, who is /probably/
"watched".  I'm in the list archives, and listed on the donations page.  
You are one degree of separation from someone who runs their own
servers, has publicly said uses full disk encryption on Internet-related
servers (and knows how to pull a power cord), and runs a members-only
site that requires HTTPS.  All of that is considered "suspicious".  If
the NSA is looking around, they've probably noticed me, and looked at
me.  Too paranoid?

I failed to mention (here), that one of my oldest friends is in the
Canadian Forces.  He works in SIGINT.  I don't know what he does, and I
don't know his exact clearance, just that at the least it's "secret"
level.  I know he can't talk about anything work-related (and doesn't).  
Before he got his clearance, how far did they look into my friend's
friends, like me?  I have no idea.

So, I said to my other friend: that "You and I just aren't that
important. haha" may be true, but keep in mind you are two degrees away
from someone with (at least) "secret" clearance in SIGINT in the
military, with the connection (me) being someone who /might/ have been
looked into, or is actively watched.  Also remember, the NSA /really/
loves to draw pretty pictures showing relationships/associations between
people and organizations.

Food for thought for everyone, but like I said, he doesn't care and
won't think about it.

--
Scott McEachern

https://www.blackstaff.ca

"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four."  -- Bruce Schneier


Re: Sorry OpenBSD people, been a bit busy

Martin Schröder
In reply to this post by Kyle R W Milz
2013/10/8 Kyle R W Milz <[hidden email]>:
> I guess if the NSA has coerced with CSIS or whatever the Canadian
> equivalent is then there might be cause for worry there (quite likely as
> we parrot almost everything the US does).

YYCIX is subject to Canadian laws.
It likely must have a lawful interception interface for the Canadian
police/whatever.
Canada is a member of Five Eyes.

Best
   Martin


Re: Sorry OpenBSD people, been a bit busy

Kevin Chadwick-2
In reply to this post by Scott McEachern-2
> Food for thought for everyone, but like I said, he doesn't care and
> won't think about it.

As I say, I am far more concerned about 'modern' incompetent ISPs:
uncaring ISPs, or ISPs that can only care about profit (and so
advertising) or they are out of business, and tasking them (perhaps to
their delight) with layer 7 filtering, which requires great care and
expertise and is arguably only securable passively, which I am sure they
will not be doing.

This should certainly be stopped, as it may give people with mostly evil
intentions similar access as the NSA, or just reduce reliability, perhaps
at a time when the net is needed most. Sounds like it was quite a bit
of work though, or was that mostly the resistance?

Global government surveillance is not going to be stopped or the
backbone avoided, and at least likely comes from mostly good intentions,
even if it is bound to be abused or infiltrated at times.

--
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)

In Other Words - Don't design like polkit or systemd
_______________________________________________________________________


Re: Sorry OpenBSD people, been a bit busy

Scott McEachern-2
In reply to this post by Martin Schröder
On 10/08/13 16:36, Martin Schröder wrote:
> YYCIX is subject to Canadian laws.
> It likely must have a lawful interception interface for the Canadian
> police/whatever.

Americans are subject to the highest law of the land:  The US
Constitution.  You know, that document the President and damned near
every government employee has sworn an oath to obey and protect.

The NSA has broken that oath.  Not long after the Snowden leaks started,
the Director of National Intelligence, James Clapper, spoke before
congress and explained what the NSA is "up to", in an attempt to play
down Snowden's revelations.  Then more Snowden documents came out,
proving that the DNI just /lied/ to congress.  Curiously, he's not in
jail, and is still in office.  Lying to congress is an indictable
offense, er, a "felony offence" in US legal-speak.

Now here's another fun bit of trivia for you:  The constitution outranks
*all* other laws, like state, regional, municipal, etc. All except one:  
Foreign treaties.  They hold equal rank to the constitution.  Think
about that, vis a vis foreign treaties with other intelligence
agencies.  The same applies in Canada with our Constitution and Bill of
Rights.

Lawful interception, you say?  Subject to Canadian laws?  Privacy laws?
There are no privacy laws in either the US or Canadian constitutions;
look it up.  But we /do/ have treaties.

> Canada is a member of Five Eyes.

Thank you for proving my point.  Nice treaties with the other members
since 1948.  Treaties that have equivalent legal weight to the
constitutions of the respective countries.

If you think our (Canadian) "morally superior" privacy laws, and our
national/provincial privacy commissioners have any say in the matter,
you're fooling yourself.

A couple of weeks ago, John Tory, a very well-respected radio
commentator (and former lawyer, former CEO of Rogers, former politician,
etc.) on a respected AM talk radio station, interviewed a fellow who
works deep inside the telecom industry.  Sorry, I can't remember the
chap's name.  Tory asked the guy, "So what ISPs are giving customer data
to the government?"  The guy deadpanned, "All of them.  All of them are
doing it."

Of course, there's no actual proof of this at the moment, but given what
Snowden has released so far, and what those documents indicate (e.g.
PRISM), I think this theory has moved from "pure speculation" to "most
likely" status.

--
Scott McEachern

https://www.blackstaff.ca

"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four."  -- Bruce Schneier


Re: Sorry OpenBSD people, been a bit busy

RichardET
I am not flippant enough to say that the NSA revelations do not matter,
but what are we supposed to do?  The Middle Eastern terrorism threat is
real and we need to be able to stop them any way necessary.

All it takes is one of them to hit every Walmart in the neighborhood,
buy every pay-as-you-go phone they have, then pass them out to their
friends in every mosque.  Now you have a new terrorism threat.  So,
welcome to the real world my friend, and wake up.


On Tue, 8 Oct 2013, Scott McEachern wrote:

> On 10/08/13 16:36, Martin Schröder wrote:
>> YYCIX is subject to Canadian laws.
>> It likely must have a lawful interception interface for the Canadian
>> police/whatever.
>
> Americans are subject to the highest law of the land:  The US Constitution.
> You know, that document the President and damned near every government
> employee has sworn an oath to obey and protect.
>
> The NSA has broken that oath.  Not long after the Snowden leaks started, the
> Director of National Intelligence, James Clapper, spoke before congress and
> explained what the NSA is "up to", in an attempt to play down Snowden's
> revelations.  Then more Snowden documents came out, proving that the DNI just
> /lied/ to congress.  Curiously, he's not in jail, and is still in office.
> Lying to congress is an indictable offense, er, a "felony offence" in US
> legal-speak.
>
> Now here's another fun bit of trivia for you:  The constitution outranks
> *all* other laws, like state, regional, municipal, etc. All except one:
> Foreign treaties.  They hold equal rank to the constitution.  Think about
> that, vis a vis foreign treaties with other intelligence agencies.  The same
> applies in Canada with our Constitution and Bill of Rights.
>
> Lawful interception, you say?  Subject to Canadian laws?  Privacy laws?
> There are no privacy laws in either the US or Canadian constitutions; look it
> up.  But we /do/ have treaties.
>
>> Canada is a member of Five Eyes.
>
> Thank you for proving my point.  Nice treaties with the other members since
> 1948.  Treaties that have equivalent legal weight to the constitutions of the
> respective countries.
>
> If you think our (Canadian) "morally superior" privacy laws, and our
> national/provincial privacy commissioners have any say in the matter, you're
> fooling yourself.
>
> A couple of weeks ago, John Tory, a very well-respected radio commentator
> (and former lawyer, former CEO of Rogers, former politician, etc.) on a
> respected AM talk radio station, interviewed a fellow who works deep inside
> the telecom industry.  Sorry, I can't remember the chap's name.  Tory asked
> the guy, "So what ISPs are giving customer data to the government?"  The guy
> deadpanned, "All of them.  All of them are doing it."
>
> Of course, there's no actual proof of this at the moment, but given what
> Snowden has released so far, and what those documents indicate (e.g. PRISM) I
> think this theory has moved from "pure speculation" to "most likely" status.
>
> --
> Scott McEachern
>
> https://www.blackstaff.ca
>
> "Beware the Four Horsemen of the Information Apocalypse: terrorists, drug
> dealers, kidnappers, and child pornographers. Seems like you can scare any
> public into allowing the government to do anything with those four."  --
> Bruce Schneier


Re: Sorry OpenBSD people, been a bit busy

Scott McEachern-2
In reply to this post by Kevin Chadwick-2
On 10/08/13 16:41, Kevin Chadwick wrote:

> As I say, I am far more concerned about 'modern' incompetent ISPs:
> uncaring ISPs, or ISPs that can only care about profit (and so
> advertising) or they are out of business, and tasking them (perhaps to
> their delight) with layer 7 filtering, which requires great care and
> expertise and is arguably only securable passively, which I am sure they
> will not be doing.
>
> This should certainly be stopped, as it may give people with mostly evil
> intentions similar access as the NSA, or just reduce reliability, perhaps
> at a time when the net is needed most. Sounds like it was quite a bit
> of work though, or was that mostly the resistance?
>
> Global government surveillance is not going to be stopped or the
> backbone avoided, and at least likely comes from mostly good intentions,
> even if it is bound to be abused or infiltrated at times.

History has demonstrated time and time over that it is the nature of
government to keep and expand power at all costs.  Surveillance states
don't go away until a major upheaval takes place.  Look at East
Germany's Stasi, or the former USSR's KGB.  Oh wait, that came back
again with a new name, the GRU I believe.

As I said in a previous post, it's most likely that the NSA is vacuuming
up /all/ Internet data.  Even if they aren't grabbing 100% of it,
they're definitely getting the "interesting bits".  And that data is
going to be stored forever.

Even if your data is safely encrypted today, that data will be stored
somewhere for pretty much eternity.  In 20 years when supercomputers, or
quantum computers, can make mincemeat of today's strong crypto, that
data will be analyzed to "predict" the future by learning from the past.

Even if you can pretend the US government of today, or any other
government for that matter, is truly innocuous with the best intentions
(ha!), that doesn't take into account the nature of future governments.

Back in the pre-WW2 days, Belgium (or was it the Netherlands?  I
forget.) kept detailed census and medical data on their citizens,
including their religious affiliation.  It was useful data for a
friendly government, never to be abused.

Then WW2 happened, and Hitler's Nazis invaded.  They found that data,
especially the religion part, quite useful, and we all know how that
turned out.

The NSA has been playing this game not for years, but *decades*. The
breadth of PRISM and other programs with names always written in caps is
astounding.  They, and other intelligence agencies, are /everywhere/.  
Routers and switches with backdoors from the US (like Cisco), China
(Huawei), Russia and others.  Splitters on backbone fiber, like "Room
641A".  Superfast computers that intercept HTTPS/SSL data using acquired
private keys from "friendly" or coerced companies.  Moxie Marlinspike
demonstrated these techniques at a black hat conference in 2009, google
for it.

Sounds far fetched?  Look at the revelation that LavaBit did indeed shut
down because the FBI insisted on having their private keys, and
installing a "device" on their network to intercept and decrypt the
data.  They originally were (allegedly) targeting just Snowden's
account, but when the head of LavaBit declined, the FBI wanted the data
for /all/ users.  So he shut it down.  Then Silent Circle shut down, and
the list continues to grow.

More food for thought?  Go read Naomi Wolf's book "The End of America".  
(https://en.wikipedia.org/wiki/Naomi_Wolf for a quick outline.)  Don't
have time to read it?  Watch her youtube video (~48mins) of a speech
given at the U of Washington in 2007.
(https://www.youtube.com/watch?v=y8u-5gsZdgc, amongst others) Hopefully,
it will make you think about the direction the US is heading.

--
Scott McEachern

https://www.blackstaff.ca

"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four."  -- Bruce Schneier

Re: Sorry OpenBSD people, been a bit busy

Zé Loff-2
In reply to this post by RichardET
> The Middle Eastern terrorism threat is
> real and we need to be able to stop them anyway necessary.
>
> All it takes is one of them to hit every Walmart in the neighborhood,
> buy every pay-as-you-go phone they have, then pass them out to their
> friends in every Mosque.

Well fuck you and your fucking stereotypes, you fucking bigot.

And thank you for validating the quote on Scott's signature, btw.

Re: Sorry OpenBSD people, been a bit busy

RichardET
I used to work at Empire Blue Cross. I had many friends who worked in the
Trade Towers. I lived for a time in Battery Park nearby. So go to hell,
asshole, the USA will never let another 9/11 happen again. And Snowden is
quite the jerk. These guys were recently planning attacks on Toronto as a
matter of fact and were discovered in time, maybe thanks to the NSA.
So sit in your tea house poring over your netbook, fuckin' around, and
hide. And go to hell.
Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE
network.

Re: Sorry OpenBSD people, been a bit busy

Chris Cappuccio
In reply to this post by Martin Schröder
Martin Schröder [[hidden email]] wrote:
> 2013/10/8 Kyle R W Milz <[hidden email]>:
> > I guess if the NSA has coerced with CSIS or whatever the Canadian
> > equivalent is then there might be cause for worry there (quite likely as
> > we parrot almost everything the US does).
>
> YYCIX is subject to canadian laws.
> It likely must have a lawful interception interface for the canadian
> police/whatever.
> Canada is a member of Five Eyes.

This is the duty of the ISP that serves the (snooped) end-user, not the IX.

The ISP is the only entity in a position to capture all traffic for an end-
user unless they are multi-homed. Then the authority has to ask multiple ISPs
to tap for them.

Re: Sorry OpenBSD people, been a bit busy

Scott McEachern-2
In reply to this post by RichardET
On 10/08/13 17:38, Richard Thornton wrote:
> I am not flippant enough to say that the NSA revelations do not matter,
> but what are we supposed to do?  The Middle Eastern terrorism threat is
> real and we need to be able to stop them anyway necessary.
>
> All it takes is one of them to hit every Walmart in the neighborhood,
> buy every pay-as-you-go phone they have, then pass them out to their
> friends in every Mosque.  Now you have a new terrorism threat.  So,
> welcome to the real world my friend, and wake up.

Seriously, after everything I've said so far (I see you just replied
privately to my most recent post), you're suggesting that *I* wake up to
the real world?  I suggest you take that message to the ignorant,
complacent, apathetic masses.  Please.

Take a look at the prime-time TV lineup on the major US networks, and
the "cable" stations like Showcase, HBO, etc.  What are their plots
mostly focussed on?  Terrorism.  Top-rated shows like NCIS, NCIS: LA,
and the like:  Terrorism.  My point is that the media is feeding the
viewers a non-stop diet of potential terrorist plots. It's ridiculously
pervasive, and the fear is taking over people's minds.

Why do you think Bruce Schneier calls the TSA's actions "security
theatre"?  They're reactive, not proactive.  Maybe the NSA/CIA/FBI are
trying to be proactive, but what's their track record?

The intelligence agencies each had a piece of the 9/11 puzzle.  Due to
infighting and protecting their respective turf, they didn't share
information, and 9/11 happened.  Hindsight is 20/20, but it was revealed
that if they had only cooperated, 9/11 could have been prevented.

Look at the Boston bombings.  The FBI received intel from the Russians,
of all people, beforehand that the two brothers were up to something.  
How did that work out for them?

The Times Square bomber was stopped by a curious NYPD cop, not a
three-letter agency.

How about those US soldiers that converted to Islam, raising red flags
with their unusual behaviour and behavioural changes, going on shooting
rampages?  How did the FBI do there?

Maybe they have foiled attacks, but you'd think they'd be shouting that
from the rooftops saying, "Look!  We're doing good!  Our Billion dollar
budgets are justified!"  People know about PRISM now, but even if they
wanted to keep the source of their intel under wraps, I'm sure they
could find a way to "parallel construct" a plausible explanation without
revealing too much.

Like you said in a fresh post, maybe the NSA was helpful in stopping the
potential attacks on Toronto and various rail lines.  Who knows.  Read
my previous paragraph again.

And for the record, both you and Zé Loff should stick to facts and
rational discussion.  Bigots and morons are best defeated with those,
and they'll show their true colours, debasing their own opinions.  
There's no need for insults and ad hominem attacks.

You feel that Snowden is "quite the jerk"?  You're entitled to that
opinion, but there are a great many people, myself included, that think
he is a hero for exposing blatant lies and violations of the law and
constitution.  Snowden, and some other previous NSA employees, saw the
insanity of this, and the future of it.  They were appalled, and went
public.  They are heroes.

Privately, you casually dismissed Wolf as "another blow hard", "the
liberal version of Ann Coulter".  Maybe so, but attacking her personally
does not negate the validity of her points.  Watch the video, and think
about it with an open mind, if you can.

You asked, "What are we supposed to do?"  There are no easy answers
here.  I fully realize that there are shades of grey involved.  But you
aren't looking at the thin end of the wedge; we've long passed that
point, and you are ceding your rights to allow it to not only continue,
but to expand.  Remember what Ben Franklin said:  "Those who would give
up essential liberty to purchase a little temporary safety deserve
neither liberty nor safety."

His point in that quote speaks directly to the nature of government.  It
hasn't changed since then.  Government will take a mile when you give
them an inch.  You've probably heard the glib comments that more people
in the US have died from choking on fishbones/car accidents/etc. in the
last 12 years than have died from terrorism.

But at what price, both financially (military spending) and in terms of
rights in a growing surveillance state?  Where does it end, and what is
the logical conclusion?

I just don't have the answers, but I can repeat the suggestions of Bruce
Schneier:  Trust the math.  Trust the crypto.  Be careful with the
implementation.  The NSA isn't so much working on breaking the crypto
(for now), as they are attacking the end points.  That's why they hacked
the "Tor Bundle".  That's why they control so many Tor exit nodes.

Stick to known trusted OSes, like OpenBSD.  Avoid proprietary software,
especially software developed in the US.  Avoid this "cloud" nonsense;
house and be responsible for your own data and security.  Why on earth
anyone or any company would trust a third party with their data is
beyond me.  Utter lunacy, to save a buck. And if you really /must/ use
some cloud storage service, encrypt your data using a FOSS OS, again,
preferably OpenBSD, before putting it out there.

You don't know me, you shouldn't trust me (of course), so I suggest you
do your own reading and homework.  Bruce Schneier (google him) is a
seriously respected cryptanalyst in the industry, so start by reading
his papers, articles and comments.

Sometimes our Theo lets fly with a few interesting comments.  Pay
attention.  He's a good man and fine leader; listen to him.  I'd love to
buy him some pizza and beer, and pick his brain for what he thinks is
coming down the road.  Unfortunately, Calgary is a three-day drive away
for me, and I'm not silly enough to discuss such things via email. :)

Remember, your security is *your* responsibility.  It's now established
that you cannot trust the government or any major US firms.  Make that,
"any US firms", period.  Schneier has written many papers on how poorly
people evaluate risk, and risk assessment.  Read up on those old papers
through the lens of the Snowden revelations, and make your own decisions.

I don't know what the future holds.  My crystal ball is broken.  I have
my suspicions, and I'll bet more than a few of them will be borne out by
future Snowden revelations.

As long as known insecure OSes like Windows, (who cooperate with the
NSA), run horribly insecure software, like anything from Adobe (Flash,
Reader, Acrobat, Shockwave), Oracle (Java), or Apple (iTunes,
QuickTime), continue to dominate the market, we're screwed.  It just
takes one 0wned end point, which the NSA is very specifically attacking,
and the best encryption in the world falls down due to vulnerable end
points.

You sent emails with the tagline "Sent from my BlackBerry 10 smartphone
on the Verizon Wireless 4G LTE network."  BlackBerry/RIM, a Canadian
firm located just a few hours west of me, bent over and grabbed their
ankles for the Indian government, so that government had a back door
into the "secure" BB devices.  (Hey, wasn't "proper security" a big
selling/marketing point for them?  Oh yes, it was.) I wonder who else
they've grabbed their ankles for?  And Verizon? Ah yes, it's now been
documented that they cooperate with the NSA too.  So, like I said to my
friend with his Galaxy smartphone: Enjoy!  I'm sure you're "not that
interesting".

Think.  Read.  Listen.  Even to those you don't typically agree with.  
Listening to contrary views will help give you a balanced opinion and
thought process.  Look at the writing on the wall, that is, patterns.  
The patterns of history, wrt current patterns.  Try.

PS:  I'm sure this is much to your consternation, but Zé was correct:
Your post did validate my current sig.  Which is sad, really.  But
you're off to a good /start/, you're using OpenBSD on at least some
devices.  (You are, right?)

Thanks for listening, everyone.

--
Scott McEachern

https://www.blackstaff.ca

"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four."  -- Bruce Schneier

Re: Sorry OpenBSD people, been a bit busy

Scott McEachern-2
In reply to this post by Theo de Raadt
On 10/06/13 20:48, [hidden email] wrote:

> Now, why do I mention this in relation to OpenBSD?  Well, at the end
> of 2007 someone decided to open an impersonation account on twitter in
> my name, and start sending a mix of things I have said (see wikiquote
> for instance), with things that I would never say.  That account is
> http://twitter.com/theoderaadt
>
> A few notes:  The account has now changed to declare that it is a
> parody account and renamed to "Not Theo de Raadt", as of a few days
> ago.  If you read back into the past, you will see true character of
> the account and the individual.
>
> People in the local community were directed to the account, to give a
> negative, if not slanderous, view of my character.  The ones directing
> them have high-profile roles in the community, so people would take
> what they say as true.  Since I am the network manager for the
> exchange equipment, this by extension was meant to hurt YYCIX.
>
> Why would stewards of important infrastructure projects deliberately
> spread such false stories?

[...]


> Layers of hurt being thrown around.  Why?

I don't know, but I can guess.  Probably the same reason that a year or
two ago some crap came out trying to discredit OpenBSD's IPSec
implementation: To discredit you, and OpenBSD as a whole.

Like I said, I have absolutely no doubt the NSA has been keeping tabs on
OpenBSD as a whole.  Anything more than that is pure speculation on my part.

You, and the project, are financially reliant on donations, so if you
are discredited, those donations lessen, and the project falters.  I'd
bet money that the NSA would love to see OpenBSD "go away".

What other real options would someone, like the NSA but not necessarily
them, or just them, have?

Hack the OpenBSD servers?  Good luck with that.  OpenBSD is the "gold
standard" in the hacker underground.  I've heard hackers say that when
they are looking for targets, they skip the OpenBSD boxes they find; a
waste of time.  (I don't know how true that is, so take it with a grain
of salt.)

Inject code?  (Like was alleged in the IPSec situation.)  Good luck.  
Commits are public, reviewed, audited, etc.

Corrupt the project leaders, usually financially.  Theo is an idealist.  
(I mean that in a good way, don't get me wrong.)  If he wanted to make
serious money, he could easily do so with his reputation, experience,
and skill set.  I wish anyone luck with corrupting Theo, or those he
trusts, with money.  I deeply believe that unlike psychopathic
CxO-types, he's not in it for the money, or power.

Blackmail the leaders into doing your bidding.  Last I checked, Theo
isn't married, so he doesn't have to worry about a leak of him with his
mistress.  I suspect that Theo wouldn't cave if someone were to reveal
he used the services of ladies of the night.  (For the record, I'm just
making up scenarios here, I have no idea what he does in his private
time, other than cycling.)

The other thing to consider is that I don't think many people in the
OpenBSD community would give a shit if Theo did "questionable" things in
his private life.  I'm not interested, and I doubt any serious person
would be.  I simply look at the work he does.  The dedication and quality.

*Everyone* has secrets, period.  Nobody wants cameras in their bedrooms
or bathrooms.  (Canada had a Prime Minister in the 70s by the name of
Pierre Trudeau, that said quite clearly that the state has no business
in the bedrooms of the nation.  He made plenty of mistakes, but he got
that one dead right.)  What would Theo's (fictional!) indiscretions, or
any other dev's indiscretions, have to do with OpenBSD development?  
Nothing.

However, not everyone thinks that way, so I think one of the simpler
ways to attack OpenBSD is to discredit the project (IPSec), and
discredit the project leader (fake twitter bullshit).  This demoralizes
the funding base.  It scares people away, whether they are existing
users or potential users.  Some say there's no such thing as bad
publicity.  I beg to differ.

Theo needs to continuously refute the bullshit with truth and honesty,
standing on his body of years of dedication and work. Given his status,
I'm sure that would be a full-time task in itself.  Perhaps a PR firm
using OpenBSD could donate some work in that area, to give back.  (I
realize that's wishful thinking, but you never know..)

I'm sure Sun Tzu could read more into this, but he's dead.  One of his
principal tenets was "know your enemy", and thanks to Snowden et al., we
have seen the enemy, they are legion, and include the NSA. Now we know
much more about them, their tactics and methods.  Again, he is a hero.

I'd laugh if his future leaks were titled "To: NSA; Subject: From Russia
with Love". :)

--
Scott McEachern

https://www.blackstaff.ca

"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four."  -- Bruce Schneier

Re: Sorry OpenBSD people, been a bit busy

RichardET
In reply to this post by Scott McEachern-2
I love OpenBSD, seriously, and developers of it are clearly geniuses. And
any chance I get I promote it.
Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE
network.

Re: Sorry OpenBSD people, been a bit busy

Scott McEachern-2
On 10/08/13 20:42, [hidden email] wrote:
> I love OpenBSD, seriously, and developers of it are clearly geniuses. And
> any chance I get I promote it.

Excellent, and I applaud you for that.

You should take a look at the papers/presentations the devs have given.  
The stuff Theo wrote on W^X was mind boggling.  Over my head, but I got
the gist.  I'm not going to find the ones I'm thinking of (it's been a
while since I read them), I'll leave that as an exercise for the
reader.  You'll find plenty of mind-blowing stuff.

(Ok, I can't resist.  I'll link to one particular page that's really
easy to understand:
http://www.openbsd.org/papers/eurobsdcon_2013_time_t/mgp00003.html.
Maybe another, this is from 2005, and I nearly lost my mind:
http://www.openbsd.org/papers/ven05-deraadt/index.html)

I don't mean to single out Theo, but he started this thread, so he
remains the focus.  You should read the stuff the other devs have
written, it's all excellent stuff.  The genius shines through.

> Sent from my BlackBerry 10 smartphone on the Verizon Wireless 4G LTE
> network.

All I can say is, I hope you don't do anything private with your
device.  You have two /proven/ weak points in your hand.  Anything
HTTPS/TLS/SSL on your handheld is probably moot, but I'd still use
crypto anyway. :)  Convenience comes with a price.

And Richard, thanks for sharing your thoughts.  It adds to the balance.

--
Scott McEachern

https://www.blackstaff.ca

"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four."  -- Bruce Schneier

Re: Sorry OpenBSD people, been a bit busy

RichardET
In reply to this post by Scott McEachern-2
The NSA is just a backdrop against the real corruption, which is guys like
Sen. Ted Cruz, who intentionally manipulate the markets by threatening to
default on USA debt.  Only an idiot would not assume these Senators are
selling their stocks before this stupid debate, driving the markets down,
buying on the cheap, then bam!  Come up with a deal, and make a huge windfall
profit.  Meanwhile they keep everyone focused on other issues such as the NSA
while they literally rape the country.


On Tue, 8 Oct 2013, Scott McEachern wrote:

> On 10/08/13 16:36, Martin Schröder wrote:
>> YYCIX is subject to canadian laws.
>> It likely must have a lawful interception interface for the canadian
>> police/whatever.
>
> Americans are subject to the highest law of the land:  The US Constitution.
> You know, that document the President and damned near every government
> employee has sworn an oath to obey and protect.
>
> The NSA has broken that oath.  Not long after the Snowden leaks started, the
> Director of National Intelligence, James Clapper, spoke before congress and
> explained what the NSA is "up to", in an attempt to play down Snowden's
> revelations.  Then more Snowden documents came out, proving that the DNI just
> /lied/ to congress.  Curiously, he's not in jail, and is still in office.
> Lying to congress is an indictable offense, er, a "felony offence" in US
> legal-speak.
>
> Now here's another fun bit of trivia for you:  The constitution outranks
> *all* other laws, like state, regional, municipal, etc. All except one:
> Foreign treaties.  They hold equal rank to the constitution.  Think about
> that, vis a vis foreign treaties with other intelligence agencies.  The same
> applies in Canada with our Constitution and Bill of Rights.
>
> Lawful interception, you say?  Subject to Canadian laws?  Privacy laws?
> There are no privacy laws in either the US or Canadian constitutions; look it
> up.  But we /do/ have treaties.
>
>> Canada is a member of Five Eyes.
>
> Thank-you for proving my point.  Nice treaties with the other members since
> Treaties that have equivalent legal weight to the constitutions of the
> respective countries.
>
> If you think our (Canadian) "morally superior" privacy laws, and our
> national/provincial privacy commissioners have any say in the matter, you're
> fooling yourself.
>
> A couple of weeks ago, John Tory, a very well-respected radio commentator
> (and former lawyer, former CEO of Rogers, former politician, etc.) on a
> respected AM talk radio station, interviewed a fellow who works deep inside
> the telecom industry.  Sorry, I can't remember the chap's name.  Tory asked
> the guy, "So what ISPs are giving customer data to the government?"  The guy
> deadpanned, "All of them.  All of them are doing it."
>
> Of course, there's no actual proof of this at the moment, but given what
> Snowden has released so far, and what those documents indicate (eg. PRISM) I
> think this theory has moved from "pure speculation" to "most likely" status.
>
> --
> Scott McEachern
>
> https://www.blackstaff.ca
>
> "Beware the Four Horsemen of the Information Apocalypse: terrorists, drug
> dealers, kidnappers, and child pornographers. Seems like you can scare any
> public into allowing the government to do anything with those four."  --
> Bruce Schneier


Re: Sorry OpenBSD people, been a bit busy

Indunil Jayasooriya
In reply to this post by Scott McEachern-2
On Wed, Oct 9, 2013 at 6:42 AM, Scott McEachern <[hidden email]> wrote:

> On 10/08/13 20:42, [hidden email] wrote:
>
>> I love OpenBSD, seriously, and developers of it are clearly geniuses. And
>> any chance I get I promote it.
>>
>
> Excellent, and I applaud you for that.
>
>
My favourite O/S is also OpenBSD. Theo and his guys protect the world, so
they are naturally protected.

Thank you
Indunil Jayasooriya
http://www.theravadanet.net/
http://www.siyabas.lk/sinhala_how_to_install.html   -  Download Sinhala Fonts


Re: Sorry OpenBSD people, been a bit busy

Scott McEachern-2
On 10/08/13 22:35, Indunil Jayasooriya wrote:
> My favourite O/S is also OpenBSD. Theo and his guys protect the world, so
> they are naturally protected.

Almost, but not quite.

Theo actually has a devoted core of followers around the globe, highly
trained in gung-fu, krav maga, and ninjitsu.  They fight to kill.

Meetings take place on a secret, members-only OpenBSD-powered web
server.  One word, and a problem can be "solved", anywhere, any time.
Or so I hear...

So yes, he and his fellow devs are protected, while they protect the world.

--
Scott McEachern

https://www.blackstaff.ca

"Beware the Four Horsemen of the Information Apocalypse: terrorists, drug dealers, kidnappers, and child pornographers. Seems like you can scare any public into allowing the government to do anything with those four."  -- Bruce Schneier
