Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I can't speak with any authority about how safe encryption is. I look at it as another obstacle instead of the end all be all. Really it's about reducing risk. A reasonably encrypted file is to much work for anyone other than a nation state. And if they really want to decrypt something of mine, I shouldn't be worried about it but rather why they are targetting me in the first place. Most people are not and never will be targets. If you are a target you have bigger problems than someone decrypting an email regardless of content.
Security expert Graham Cluley believes that the presence of seemingly random passwords such as “18atcskd2w” and “3rjs1la7qe” on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks. Email providers could do everyone a favor by flagging this kind of repetition and reporting the guilty parties.
I'm always confused by people wanting encryption that the government can't crack. In the UK there is now a law which effectively means life in prison if encryption keys, passwords or whatever are not handed over and the US government has this place they call "Gitmo" for people who do things like encrypting data and wearing Casio watches.
Then there's keeping things safe from corporations. Are your holiday snaps really worth $20K of computing time to a corporation?
used.
I'd say it's worth it. For one, any portable device can easily be lost. Whether it's a smartphone or a laptop, you probably want encryption here in the event you lose the device, and someone may be able to recover a save password for your banking/paypal etc.
Just as important on a desktop machine that never leaves the house, burglaries do happen, and it's likely a computer or hard drives would be some of the things stolen.
Any personal information can be used for identity fraud. Encryption there would help save you from that.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Quote:
Originally Posted by coralfang
I'd say it's worth it. For one, any portable device can easily be lost. Whether it's a smartphone or a laptop, you probably want encryption here in the event you lose the device, and someone may be able to recover a save password for your banking/paypal etc.
Just as important on a desktop machine that never leaves the house, burglaries do happen, and it's likely a computer or hard drives would be some of the things stolen.
Any personal information can be used for identity fraud. Encryption there would help save you from that.
Please read more carefully. I do not suggest that encryption is not worth it but I ask whether your secrets are worth the tens of thousands that breaking decent modern encryption costs. I also ask whether your genitals, to put it crudely, are more breakable than your encryption scheme.
Encrypt, of course, but nation states and corporations have other means.
Last edited by 273; 03-30-2017 at 01:38 PM.
Reason: typo's
"And, quite frankly, I am not seriously worried about hostile governments!"
I am worried about: Google®!
The reality of the present-day Internet is that "e-v-e-r-y-b-o-d-y is eavesdropping, at e-v-e-r-y opportunity," merely because they have figured out that they can.
In this real-world context, then ... very practical pragmatic security becomes:
Quote:
"Putting your communications into ... an envelope!"
In this scenario, "you're not really trying to keep Your Government from steaming-open your envelope, and perhaps scissoring the letter that you entrusted within."
Instead, you're simply trying to keep your letter from being trivially(!) read by others, "as though you had written it upon a postcard, instead."
- - -
And so, "a very pragmatic modern-day description of 'the fundamental importance of cryptography'" just might be:
Quote:
... "a postcard"
... or ...
"reading the damned thing aloud at the top of your lungs from the very highest hills", for every marketer within earshot on Planet Earth to psycho-analyze"
... or ...
...
a letter" In an envelope.
- - -
Cryptography: in the end, nothing more than 'the 21st Century™ replacement of: "an 18th-Century 'paper envelope ...'"
And yet, a thing profoundly(!) important, merely for "being 'a thing nothing more than that,'," in the face of ... quite inexplicably ... "nothing(!) at all!'"
A thing very(!) significant, not because it can or cannot be "(even, 'effortlessly' ...) steamed open," but merely because it is there.
"Because, one by one by one, now, you actually have to doit."
Yessir, although "any single envelope" might – or, might not(!) – quite-effortlessly be "steamed," hundreds of millions of individually-"enveloped" messages per day are quite a different matter.
And yet: "isn't this standard practice, even for every bit of your 'junk mail?'" (That is to say ... "in your mailbox at the end of your driveway?")
Stop and think of it: exactly how costly and how difficult would it be for someone, if they could only work from the content of physical mailboxes containing sealed letters (which, by the way, they are already not permitted to "steam open") to discern anything-of-value about the junk-mail that you daily receive?
Therefore: why, exactly, is it so damned easy(!) to learn "exactly where yourdaughter was standing, ten minutes ago?!?!"
Last edited by sundialsvcs; 03-30-2017 at 05:44 PM.
You may as well say that, "majorgovernments will do as they please," because in the end they will.
Phil Zimmerman, the original developer of PGP®, wrote a little treatise – the readily-available versions of it are more cleaned-up than his original – called Why I Wrote PGP. "It's personal. It's private. And it's nobody's business but yours."
These paragraphs seem appropriate here:
Quote:
Originally Posted by PZ:
Perhaps you think your email is legitimate enough that encryption is unwarranted. If you really are a law-abiding citizen with nothing to hide, then why don't you always send your paper mail on postcards? Why not submit to drug testing on demand? Why require a warrant for police searches of your house? Are you trying to hide something? If you hide your mail inside envelopes, does that mean you must be a subversive or a drug dealer, or maybe a paranoid nut? Do law-abiding citizens have any need to encrypt their email?
What if everyone believed that law-abiding citizens should use postcards for their mail? If a nonconformist tried to assert his privacy by using an envelope for his mail, it would draw suspicion. Perhaps the authorities would open his mail to see what hes hiding. Fortunately, we don't live in that kind of world, because everyone protects most of their mail with envelopes. So no one draws suspicion by asserting their privacy with an envelope. Theres safety in numbers. Analogously, it would be nice if everyone routinely used encryption for all their email, innocent or not, so that no one drew suspicion by asserting their email privacy with encryption. Think of it as a form of solidarity.
Until now, if the government wanted to violate the privacy of ordinary citizens, they had to expend a certain amount of expense and labor to intercept and steam open and read paper mail. Or they had to listen to and possibly transcribe spoken telephone conversation, at least before automatic voice recognition technology became available. This kind of labor-intensive monitoring was not practical on a large scale. It was only done in important cases when it seemed worthwhile.
Today, of course, it is not merely "the government" that is spying on you. Corporations do it, and sell the information. Superlatively detailed information of this sort will one day prove itself to be a weapon of war – a war unlike any other mankind has ever known. And, we merely "gave it away." Phil's comment about "tapping conversations and transcribing it" is also obsolete: "Siri-"like technology can be built into the telephone switch, and there are people who insist that this isn't "wiretapping" because a human isn't the one "listening in."
We live in a far-too open world, and therefore a very dangerous one.
Readily-available public key technologies, as I've said, give you three very crucial assurances:
It is not a forgery: the message did come from its purported sender.
It has not been tampered with: the message you received is exactly what was sent, and there is no "man in the middle."
(If you wish ...) The message could not be read by others.
And, most importantly of all, it is easy. OpenVPN is transparent. Any e-mail package worth its salad dressing can transparently validate signatures, encrypt or decrypt messages, sign messages, and so on ... unobtrusively. And yet, the encryption is believed to be very strong. Surrounding it, also, is key-management and other considerations which are also well thought-out and very strong.
Last edited by sundialsvcs; 03-31-2017 at 08:01 AM.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
I live in a part of the world where they're wanting to make encryption illegal again without full, unencumbered government access.
A decade or so ago I would have expected the story linked to above to be regarding China, Russia or a dictatorship somewhere...
So, the UK may be back to The Clipper Chip in the very near future.
And, as I mentioned, should be government become interested in you failure to provide the keys used to encrypt that data will result in a prison sentence of 2 to 5 years in jail but there's no reason that can't be extended until you do give up the keys since it's essentially a "contempt of court" type offence (notice the word "jail" not "prison").
In the UK, at least, the war for private data and communications has been lost. Hopefully the rest of the world will fare better.
Personally, I think that "Clipper chips," like any and every other notion of "key escrow," is and always will be thoroughly unworkable.
This is not the solution. (And, besides that, it could never possibly be imposed.)
Nevertheless, if an officer of the law presents you with (in American parlance ...) a searchwarrant, duly issued by a Court of Law, which demands that you turn over the encryption key, I personally think that you must(!) indeed, "timely do so." If you refuse, you are indeed (at least ...) "in contempt of court."
Since "you, of course, have done no wrong," you ought to be willing to cooperate with the officers, and with the Court who has authorized them, in their efforts to catch "the real bad guys."
- - -
But, having said all that, there remains another fundamental issue, unrelated to all of the preceding legalities:
"How can I, as the legitimate possessor of a secret that truly is worth vast amounts of money (and irreplaceable business advantage) to me, be made certain that some bumbling, under-paid, forever a civil servant, courtclerk(!) does not give my priceless(!)-to-me crypto key ... which I divulged to you as the Honorable Court required ... to my cunning business competitor?"
Indeed: "How will I be protected from the possibility that said competitor 'made this whole thing up,' just to get his hands on that key?"
A crypto key – say, to an oil-exploration company – might legitimately(!) be worth hundreds of millions of dollars, and there are those out there who would do a-n-y-t-h-i-n-g to get their hands on it. (Including, if need be, "faking" a civil or a criminal complaint.)
Remember: "I am a legitimate, truly-innocent, businessman who has done no wrong." My concern is that my competitor might snooker you – purposely deceiving you and the entire legal process that you so-diligently and earnestly represent – just to get his hands on my secret and thus upon the data which it now protects.
Just sayin' . . .
Last edited by sundialsvcs; 03-31-2017 at 07:05 PM.
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
Nevertheless, the UK government is demanding keys to all private conversations. If they stop before outlawing PGP we've only lost a couple of decades of progress...
To see mention of "the real bad guys from somebody who lives in a country known foor its modern-day slavery and abusive lack of access to trial for people left to be abused for years in jails is a little funny, in an ironic way.
I think that the question about handing over keys to encryption revolves around one case here lately. The court claims they have evidence that the guy has kiddie porn on his computer and they are demanding to get the encryption keys. Under the Constitution you are not required to provide incriminating evidence. The guy should get a different court to lift his "contempt of court" order but that will never happen. How the court knows there is illegal data on his computer I can't say as they didn't seem to mention it.
Yes, contempt of court is a really broad and too far ranging tool.
A lady lawyer here was ordered to name where her client buried the body. Somehow the court found out that she knew. She spent a few days in jail and decided to tell. Then she sued the court for a million or so.
Personally I'd think that heinous crimes should never be protected.
live in a part of the world where they're wanting to make encryption illegal again without full, unencumbered government access.
.. from article
Quote:
As the security expert Bruce Schneier has written: “I can’t build an access technology that only works with proper legal authorisation, or only for people with a particular citizenship or the proper morality. The technology just doesn’t work that way. If a backdoor exists, then anyone can exploit it.”
Quote:
Fortunately, Rudd appears not to want to go down that road. She put the emphasis on working with the tech companies to find a solution rather sweeping legislation. Later, she clarified her views on encryption. She told Sky’s Sophy Ridge on Sunday programme: “End-to-end encryption has a place. Cybersecurity is really important and getting it wrong costs the economy and costs people money, so I support end-to-end encryption.”
She said she supports end-to-end encryption for families (presumably those using WhatsApp?), for banking and for business. But she insisted: “We also need to have a system whereby when the police have an investigation, where the security services have put forward a warrant signed off by the home secretary, we can get that information when a terrorist is involved.”
Yes, it is easy to support end-to-end when you assume only good people use it..
Distribution: Debian Sid AMD64, Raspbian Wheezy, various VMs
Posts: 7,680
Rep:
The frightening thing being that the Gestapo Officer Rudd here is suggesting this not because a child could have been saved from abuse or people from a terrorist attack but because a man who commited murder using a car and a knife used WhatsApp shortly before doing so. There is absolutely no way that the government being able to read everything everybody is posting all the time would have stopped his act. Only a complete and utter brainless moron would think that to be the case.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.