On Aug 10, 2013 1:37 PM, "Sean Alexandre" <[1]sean@alexan.org> wrote:
>
> On Sat, Aug 10, 2013 at 12:42:16PM +0200, Lodewijk andré de la porte wrote:
> > 2013/8/9 Sean Alexandre <[2]sean@alexan.org>
> >
> > > Or, maybe it was cover-up, to get the information "legally." But I'm
> > > guessing
> > > they really couldn't get what they wanted.
> > >
> >
> > This. They don't want to show people what power they have. So they use the
> > "most public method", letters. They are very, very, very aware of what you
> > might guess. You have to remember they could legally prevent him from
> > saying he even received letters, they have done so in the past.
> >
> > Why haven't they now? Might it have to do with your assumptions? Or is it as
> > innocent as genuinely not wanting to cause more harm than needed?
> >
> > Do you think the NSA is innocent?
>
> I can't really argue with that. I think it's very possible this is just
> "parallel construction" where they want to cover their tracks and say they got
> things "legally."
>
> Still, I have to hope it's possible to run a service such as Lavabit and have
> it be so locked down that it can't be backdoored. Nothing can be 100% secure,
> but secure enough that it's very, very unlikely.
>
> I'd like to see a github project that has scripts (puppet?) to take a fresh Debian
> box and lock it down as much as possible, running only ssh.
>
> Those scripts could be used to create a CTF box sitting out on the open
> Internet, for others to try and hack into. Pen test it to death. Update the
> scripts. Make the config as perfect as possible.
>
> Then others could take those scripts and add more modules to them, for other
> services: exim, dovecot, apache, roundcube. People could pick and choose which
> they want to run.
>
> Put different boxes out there, as other CTF machines to pentest.
>
> Make it fun.
> Give people rewards, or some kind of recognition, if they can break
> into the box.
>
> "Encryption works," we know. End-point security's the weak link. This could be
> a way to shore that up.
>
> Thoughts?
>

It's usually easier to gain access to a resource by exploiting those who have the perms you seek. These types of competitions are neat; skilled attackers aren't really incentivized to sink 0days on CTF games when there's a huge payoff for responsibly disclosing, not to mention the potential payoff of malicious use of an Apache code exec. Your best bet is relying on operating systems with a good track record, using a capabilities-based security model (PaX + grsec on nix). Routine administrative bits: least privileges, patches, hardened binaries, isolation.

References

1. mailto:sean@alexan.org
2. mailto:sean@alexan.org
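The lockdown scripts Sean proposes above would have to get one detail right that hand-edited hardening guides often miss: sshd_config uses the first uncommented occurrence of each keyword, and anything after a Match line is conditional rather than global. The following is an added example, not code from the thread or from any project mentioned in it: a dry-run auditor and hardener for the sshd_config slice of such a script. It assumes directives are written in the whitespace-separated "Keyword value" form (the "Keyword=value" form is not handled), works on file paths you pass in rather than on /etc/ssh directly, and uses a constructed sample config rather than a real host's file.

```sh
#!/bin/sh
# Added example, not code from the thread: a dry-run sshd_config auditor
# and hardener of the kind a "fresh Debian box, ssh only" lockdown script
# would contain. It works on file paths you pass in, so you can run it on a
# copy of /etc/ssh/sshd_config before touching the live one.
#
# Assumptions: directives are in the whitespace-separated "Keyword value"
# form (the "Keyword=value" form is not handled), and sshd's documented rule
# that the FIRST uncommented occurrence of a keyword wins, with anything
# after a Match line being conditional rather than global.

# Settings an ssh-only host should pin. One "Keyword value" per line.
# ChallengeResponseAuthentication is the older name for
# KbdInteractiveAuthentication; both are set so old and new sshd agree.
HARDENED_SSHD_SETTINGS='PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitEmptyPasswords no
X11Forwarding no
AllowAgentForwarding no
AllowTcpForwarding no
MaxAuthTries 3
LoginGraceTime 20
UsePAM yes'

# Constructed sample (not a real host): a stock-looking Debian sshd_config
# with one conditional block that must survive hardening untouched.
SAMPLE_SSHD_CONFIG='# Constructed sample sshd_config
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
Match User backup
    PasswordAuthentication yes'

# effective_value FILE KEYWORD
# Prints the value sshd would use globally for KEYWORD: the first uncommented
# occurrence before any Match block. Prints nothing if the keyword is unset.
effective_value() {
    awk -v k="$2" '
        $1 ~ /^#/                 { next }            # comment line
        tolower($1) == "match"    { exit }            # later lines are conditional, not global
        tolower($1) == tolower(k) { print $2; exit }  # first occurrence wins
    ' "$1"
}

# audit_sshd_config FILE
# Prints every managed keyword whose effective value differs from the
# hardened one. Returns 0 if all match, 1 otherwise.
audit_sshd_config() {
    file=$1
    bad=0
    while read -r key want; do
        [ -n "$key" ] || continue
        got=$(effective_value "$file" "$key")
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: want %s, got %s\n' "$key" "$want" "${got:-<unset>}"
            bad=1
        fi
    done <<EOF
$HARDENED_SSHD_SETTINGS
EOF
    return $bad
}

# harden_sshd_config SRC DST
# Writes a hardened copy of SRC to DST: every global occurrence (commented or
# not) of a managed keyword is dropped, and the hardened directives are put
# at the top so they are the first occurrence and therefore the effective
# value. Lines inside Match blocks are left exactly as they were.
harden_sshd_config() {
    src=$1
    dst=$2
    keys=$(printf '%s\n' "$HARDENED_SSHD_SETTINGS" | awk '{ print tolower($1) }' | tr '\n' ' ')
    {
        printf '# Managed block: sshd uses the first occurrence of each keyword\n'
        printf '%s\n' "$HARDENED_SSHD_SETTINGS"
        awk -v keys="$keys" '
            BEGIN { n = split(keys, a, " "); for (i = 1; i <= n; i++) managed[a[i]] = 1 }
            tolower($1) == "match" { inmatch = 1 }
            !inmatch {
                k = $1; sub(/^#+/, "", k)             # "#PermitRootLogin ..." counts too
                if ((tolower(k) in managed)) next
            }
            { print }
        ' "$src"
    } > "$dst"
}

# Stand-alone demonstration on the constructed sample: run as "sh this.sh demo".
demo() {
    dir=$(mktemp -d)
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$dir/sshd_config"
    echo "== before =="
    audit_sshd_config "$dir/sshd_config" || true
    harden_sshd_config "$dir/sshd_config" "$dir/sshd_config.hardened"
    echo "== after =="
    audit_sshd_config "$dir/sshd_config.hardened" && echo "all managed settings effective"
    rm -rf "$dir"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run it against a copy of a real config before the live one, and diff the result: the audit is the part worth keeping in a CTF-box build, since it catches the case where a distribution default or an earlier edit sits above your directive and silently wins. The sshd_config slice is of course only one module of the lockdown Sean describes; the same first-occurrence check does not apply to exim, dovecot or apache, which each have their own precedence rules.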