On Aug 10, 2013 1:37 PM, "Sean Alexandre" <sean@alexan.org> wrote:
On Sat, Aug 10, 2013 at 12:42:16PM +0200, Lodewijk andré de la porte wrote:
2013/8/9 Sean Alexandre <sean@alexan.org>
Or, maybe it was cover-up, to get the information "legally." But I'm guessing they really couldn't get what they wanted.
This. They don't want to show people what power they have. So they use
"most public method", letters. They are very, very, very aware of what you might guess. You have to remember they could legally prevent him from saying he even received letters, they have done so in the past.
Why haven't they now? Might it have to do with your assumptions? Or is it as innocent as genuinely not wanting to cause more harm than needed?
Do you think the NSA is innocent?
I can't really argue with that. I think it's very possible this is just "parallel construction" where they want to cover their tracks and say they got things "legally."
Still, I have to hope it's possible to run a service such as Lavabit and have it be so locked down that it can't be backdoored. Nothing can be 100% secure, but secure enough that it's very, very unlikely.
I'd like to see a github project that has scripts (puppet?) to take a fresh Debian box and lock it down as much as possible, running only ssh.
Those scripts could be used to create a CTF box sitting out on the open Internet, for others to try and hack into. Pen test it to death. Update the scripts. Make the config as perfect as possible.
Then others could take those scripts and add more modules to them, for other services: exim, dovecot, apache, roundcube. People could pick and choose which they want to run.
Put different boxes out there, as other CTF machines to pentest.
Make it fun. Give people rewards, or some kind of recognition, if they can break into the box.
"Encryption works," we know. End-point security's the weak link. This could be a way to shore that up.
Thoughts?
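Sean's proposal above asks for scripts that pin down a fresh Debian box so it runs only ssh. As an added example that is not from this thread, here is a small audit function a maintainer of such a box could keep beside the hardening scripts: it reads an sshd_config and reports every directive whose effective value differs from a baseline. The baseline table is my assumption, not something the thread specifies, and the sample config in the comments is constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): audit an sshd_config for settings that
# undercut a "runs only ssh" lockdown. One line per finding; the return value
# is the number of findings (0 = clean). The baseline below is an assumed,
# reasonable set of values, not any distribution's default.

# directive|required value|why it matters
SSHD_BASELINE='PermitRootLogin|no|root must not be reachable over the network
PasswordAuthentication|no|keys only; removes the password-guessing surface
PubkeyAuthentication|yes|the replacement for passwords must actually be on
ChallengeResponseAuthentication|no|closes the keyboard-interactive/PAM path
X11Forwarding|no|no desktop on a locked-down server
PermitEmptyPasswords|no|defence in depth if passwords ever get re-enabled'

# effective_value FILE DIRECTIVE -> prints the first active value of DIRECTIVE.
# sshd honours the first occurrence; comments are skipped and a Match block
# ends the global section, so anything after it is deliberately ignored here.
effective_value() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}

# audit_sshd_config FILE -> prints "directive: got X, want Y (reason)" for each
# weak or missing setting. An unset directive counts as a finding because a
# hardening script should pin every security-relevant value explicitly.
audit_sshd_config() {
  local file="$1" findings=0 key want why got
  while IFS='|' read -r key want why; do
    got="$(effective_value "$file" "$key")"
    [ -z "$got" ] && got="<unset>"
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" != "$want" ]; then
      echo "$key: got $got, want $want ($why)"
      findings=$((findings + 1))
    fi
  done <<EOF
$SSHD_BASELINE
EOF
  return "$findings"
}
```

Run it against /etc/ssh/sshd_config after every change to the hardening scripts; a non-zero exit status means something drifted from the baseline.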
It's usually easier to gain access to a resource by exploiting those who have the perms you seek. These types of competitions are neat; skilled attackers aren't really incentivized to sink 0days on CTF games when there's a huge payoff for responsibly disclosing / not to mention the potential payoff of malicious use of an Apache code exec. Your best bet is relying on operating systems with a good track record, using a capabilities based security model (pax + grsec on nix). Routine administrative bits: least privileges, patches, hardened binaries, isolation.