[clug] Internet Security

Scott Ferguson scott.ferguson.clug at gmail.com
Thu Jun 4 17:47:04 MDT 2015


On 05/06/15 08:40, Alex Satrapa wrote:
> They used to be a “thing”. We’d get together, sign each others’ GPG keys, and talk about how easy it was to encrypt things like email.
> 
> As you can see, that worked out well ;)
> 
> Alex

Agreed.
But it did highlight the problems:
- people don't know how to check identification (they prefer "intuition"
  over "proof", and get bitten every time)
- people are lazy (and impetuous) - encryption is useless without OpSec,
  but people would rather argue over whether OpSec is a purely military
  term than actually implement it. e.g. little key security, no risk
  management (one key for everything, one mistake by any party renders the
  whole process moot).
- no one seems to know what is reasonable to secure and what is pointless
  (often the meta-data is as critical as the content - but encryption does
  not solve the hide-my-metadata problem) e.g. if it's signed/encrypted by
  a key you've signed it's still only as secure as the key management and
  security of *all* parties *forever* (there's some line about "on your
  permanent record" that's relevant).

Given more time I could make a suitable analogy about a good lock on a
poor door of a house made of hessian.

The point that, it seems to me, most are missing is that the greatest
problem highlighted by the Snowden revelations is that companies like
Lockheed Martin, Dell, Cisco, and many others process the 5Eyes
data/metadata, and I can think of no process that will protect business
data from misuse - yet more individuals than companies use encryption of
content and encryption checksums to prove the id of the sender *and* the
id of the author (two different things). It's 2015, for Thor's sake,
and still most businesses send email from addresses that are
trivially spoofed - and refuse to even sign the content, let alone
encrypt it. At the very least it demonstrates that many don't "get it"
as to the true nature of business (it's war).

I could go on about TPP etc, but I won't :)

There are a large number of "experts" whose marketing is published
unedited by the media like it's news - whose "product" is "security" -
often Open Source. Sadly I've seen *none* that taught even basic OpSec -
which is like selling sports cars to children (sigh). If you can't
secure your machine - or its environment - then you can't secure the
data flow between there and the internets. Cue the "that contradicts my
intuition", rinse and repeat the problem (security is harder than
marketing).

On the plus side (and particularly relevant to Linux) reproducible
builds are one of the most important improvements in basic security in
recent years. Kudos to those (Debian?) people behind it.

Kind regards


> 
>> On 5 Jun 2015, at 03:31, George at Clug <Clug at goproject.info> wrote:
>>
>>    Well we have discussed personal security on the Internet before,
>> but "Crypto Parties" ?
>>
>> No one invited me to the party :( (left out again)
>>
>>
>> http://www.abc.net.au/news/2015-06-04/crypto-party-craze-push-for-privacy-in-the-post-snowden-era/6521408