Category Archives: Security

Computer security

New OpenPGP key

My 13-year-old OpenPGP key was getting a bit long in the tooth (and vulnerable!), so I’ve decided to publish a new, stronger key. Please check out my OpenPGP page and download/import my new key.

If you have no idea what any of this means, check out this article.

Posted in Personal, Security

Schneier – How to remain secure against NSA surveillance

How to remain secure against NSA surveillance | Bruce Schneier | World news | theguardian.com

1) Hide in the network. Implement hidden services. Use Tor to anonymize yourself. Yes, the NSA targets Tor users, but it’s work for them. The less obvious you are, the safer you are.

2) Encrypt your communications. Use TLS. Use IPsec. Again, while it’s true that the NSA targets encrypted connections – and it may have explicit exploits against these protocols – you’re much better protected than if you communicate in the clear.

3) Assume that while your computer can be compromised, it would take work and risk on the part of the NSA – so it probably isn’t. If you have something really important, use an air gap. Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it’s pretty good.

4) Be suspicious of commercial encryption software, especially from large vendors. My guess is that most encryption products from large US companies have NSA-friendly back doors, and many foreign ones probably do as well. It’s prudent to assume that foreign products also have foreign-installed backdoors. Closed-source software is easier for the NSA to backdoor than open-source software. Systems relying on master secrets are vulnerable to the NSA, through either legal or more clandestine means.

5) Try to use public-domain encryption that has to be compatible with other implementations. For example, it’s harder for the NSA to backdoor TLS than BitLocker, because any vendor’s TLS has to be compatible with every other vendor’s TLS, while BitLocker only has to be compatible with itself, giving the NSA a lot more freedom to make changes. And because BitLocker is proprietary, it’s far less likely those changes will be discovered. Prefer symmetric cryptography over public-key cryptography. Prefer conventional discrete-log-based systems over elliptic-curve systems; the latter have constants that the NSA influences when they can.

Posted in Security
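Points 3 and 5 of the quoted list describe a concrete workflow: encrypt on the air-gapped machine with a symmetric cipher, carry the ciphertext across on removable media, and reverse the process on the Internet-connected side. The script below is an added example of that workflow and is not code from Schneier's article or from this blog. It assumes GnuPG 2.x and GNU coreutils `sha256sum` on both machines, that the passphrase has been shared between the two machines out of band (the demo simply copies a constructed passphrase file, which a real deployment would never do), and it uses a throwaway `GNUPGHOME` so nothing touches the user's real keyring. The `.sha256` manifest written next to the ciphertext lets the receiving side detect a corrupted or substituted file on the stick before it is ever handed to `gpg`.

```shell
#!/bin/sh
# Added example: air-gap "sneakernet" transfer with symmetric OpenPGP encryption.
# Assumes gpg 2.x (for --pinentry-mode loopback) and coreutils sha256sum.
set -eu

# stage_out SRC MEDIA PASSFILE
# On the air-gapped machine: encrypt SRC with a passphrase-derived AES-256 key
# (gpg --symmetric, so no public key and no "master secret" is involved) and
# drop ciphertext plus a SHA-256 manifest on the removable-media directory MEDIA.
stage_out() {
    src=$1; media=$2; passfile=$3
    name=$(basename "$src")
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
        --symmetric --cipher-algo AES256 --s2k-digest-algo SHA512 --s2k-count 65011712 \
        --output "$media/$name.gpg" "$src"
    # Manifest records the digest of the ciphertext as it left the secure side.
    ( cd "$media" && sha256sum "$name.gpg" > "$name.gpg.sha256" )
}

# stage_in NAME MEDIA PASSFILE DEST
# On the Internet-connected machine: verify the manifest first, then decrypt.
# Returns non-zero if the ciphertext on the stick does not match the manifest
# or if gpg rejects it (bad passphrase, MDC/integrity failure).
stage_in() {
    name=$1; media=$2; passfile=$3; dest=$4
    ( cd "$media" && sha256sum --check --status "$name.gpg.sha256" ) || return 1
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase-file "$passfile" \
        --output "$dest/$name" --decrypt "$media/$name.gpg"
}

# make_lab: build a throwaway layout standing in for the two machines and the
# USB stick, with constructed sample data; prints the work directory.
make_lab() {
    work=$(mktemp -d)
    mkdir -p "$work/gnupg" "$work/secure" "$work/usb" "$work/online"
    chmod 700 "$work/gnupg"
    export GNUPGHOME="$work/gnupg"          # isolated keyring for the demo only
    printf 'constructed sample report, not a real document\n' > "$work/secure/report.txt"
    printf 'constructed-demo-passphrase\n' > "$work/secure/pass.txt"
    # Constructed shortcut: a real deployment shares the passphrase out of band.
    cp "$work/secure/pass.txt" "$work/online/pass.txt"
    printf '%s\n' "$work"
}

# demo_roundtrip: full encrypt -> carry -> verify -> decrypt cycle; succeeds
# only if the plaintext that arrives on the online side is byte-identical.
demo_roundtrip() {
    work=$(make_lab)
    stage_out "$work/secure/report.txt" "$work/usb" "$work/secure/pass.txt"
    stage_in report.txt "$work/usb" "$work/online/pass.txt" "$work/online"
    cmp -s "$work/secure/report.txt" "$work/online/report.txt"
}

# demo_tamper_detected: corrupt one byte of the ciphertext while it sits on the
# stick and confirm the receiving side refuses it; succeeds when stage_in fails.
demo_tamper_detected() {
    work=$(make_lab)
    stage_out "$work/secure/report.txt" "$work/usb" "$work/secure/pass.txt"
    printf 'X' | dd of="$work/usb/report.txt.gpg" bs=1 seek=20 conv=notrunc 2>/dev/null
    if stage_in report.txt "$work/usb" "$work/online/pass.txt" "$work/online"; then
        return 1
    fi
    return 0
}

# Run `sh airgap.sh demo` to exercise the round trip on the constructed sample.
if [ "${1:-}" = demo ]; then
    demo_roundtrip && echo "round trip OK"
    demo_tamper_detected && echo "tampered ciphertext rejected"
fi
```

`--s2k-count` and `--s2k-digest-algo` raise the cost of brute-forcing the passphrase on a captured stick; they only matter as much as the passphrase itself, so pair them with a long randomly generated one. Decrypting on the online side still leaves the plaintext on a network-connected machine, which is exactly why the quoted advice keeps the sensitive work on the air-gapped side and moves only what must be sent.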

Come fly the insecure skies, a lesson in IT deployment at one of the largest US airports

C’mon, folks. A simple vulnerability assessment would have discovered this issue.

In what can only be called the mother of all inept network deployments, guest access was left on this Internet-facing content management system and a file marked PUBLIC that was supposed to be only for the staff of the airport had a subfolder called /security which had the airport’s network documentation, security procedures documents, airport terminal hardware manuals and internal financial documents. All of this was found within the first 30 minutes of only basic Googling from his airplane waiting seat, says Halfpap.

The biggest concern is the lack of response from the airport’s IT staff:

Armed with this information he contacted the airport in January 2012 to talk with the CIO or someone in charge of information security. But Halfpap got no response. No voice mails were ever returned. Halfpap tried contacting McCarran Airport via email as well and via its public Twitter account; he got no response.

Via “Come fly the insecure skies, a lesson in IT deployment at one of the largest US airports” on betanews.

Posted in Security, Stupidity, Tech