Re: [cryptography] To Protect and Infect Slides
If your server or ISP generates log files, as all do, you cannot be secure. If upstream servers generate log files, as all do, you cannot be secure. If local, regional, national and international servers generate log files, as all do, you cannot be secure.

So long as log files are ubiquitous on the Internet, no one can be secure.

Log files are the fundamental weakness of the Internet because system administrators claim the Internet cannot be managed and maintained without them.

This is not true, it is merely an urban legend to conceal the interests of system administrators and their customers to exploit Internet user data.

There is no fundamental need for log files, except to perpetuate the other urban legend, privacy policy, which conceals the abuse of log files by web site operators and their cooperation with "lawful" orders to reveal user data, most often by being paid to reveal that data to authorities, to sponsors, to funders, to advertisers, to scholars, to private investigators, to inside and outside lawyers, to serial cohorts, cartels and combines, to providers and purchasers of web sites, to educators of cyber employees, to courts, to cybersecurity firms, to journalists, to anybody who has the slightest justification to exploit Internet freedom of information by way of phony security, privacy and anonymizing schemes.

In this way, the Internet corrupts its advocates by inducing the gathering and exploiting user data. It is likely your organization is doing this ubiquitous shit by pretending to ask for advice on security. As if there is any. NSA is us.

At 05:44 PM 1/4/2014, you wrote:
On 31/12/13 21:13, Jacob Appelbaum wrote:
I'm also happy to answer questions in discussion form about the content of the talk and so on. I believe we've now released quite a lot of useful information that is deeply in the public interest.
All the best, Jacob
Hi people:
As most of the people around the world, I find really troubling all these revelations. Of course we suspected this kind of shit, we just didn't know the gory and surprising details.
I work in a libre-software e-voting project [0] which has been deployed in some interesting initiatives already [1] and we strive to make it as secure as possible [2], though our resources are currently limited. Of course, anyone is welcome to join and help us.
Do you have any specific recommendation for securing the servers of the authorities who do the tallying, in light of latest revelations? It seems really difficult to get away from the NSA if they want to get inside the servers.
Kind regards,

[0] https://agoravoting.com
[1] http://www.theguardian.com/world/2013/sep/11/joan-baldovi-spain-transparency...
[2] https://blog.agoravoting.com/index.php/2013/01/03/agora-a-virtual-parliament...
On 2014-01-05 01:01, John Young wrote:
If your server or ISP generates log files, as all do, you cannot be secure. If upstream servers generate log files, as all do, you cannot be secure. If local, regional, national and international servers generate log files, as all do, you cannot be secure.
So long as log files are ubiquitous on the Internet, no one can be secure.
Log files are the fundamental weakness of the Internet because system administrators claim the Internet cannot be managed and maintained without them.
This is not true, it is merely an urban legend to conceal the interests of system administrators and their customers to exploit Internet user data.
There is no fundamental need for log files, except to perpetuate the other urban legend, privacy policy, which conceals the abuse of log files by web site operators and their cooperation with "lawful" orders to reveal user data, most often by being paid to reveal that data to authorities, to sponsors, to funders, to advertisers, to scholars, to private investigators, to inside and outside lawyers, to serial cohorts, cartels and combines, to providers and purchasers of web sites, to educators of cyber employees, to courts, to cybersecurity firms, to journalists, to anybody who has the slightest justification to exploit Internet freedom of information by way of phony security, privacy and anonymizing schemes.
In this way, the Internet corrupts its advocates by inducing the gathering and exploiting user data. It is likely your organization is doing this ubiquitous shit by pretending to ask for advice on security. As if there is any. NSA is us.
How would you monitor, maintain & troubleshoot administration & security issues on your servers if you do not have logs? Or are you talking about retention of said logs?
Logs needed to run the Internet steadily, securely and cheaply are not what log files have grown into: Bloated, malicious, exploitive and very lucrative spying on users.

This is why there are thousands of firms providing log files exploitation programs and services. Every product manufacturer touts its spying capabilities through innocent-sounding "log files" ostensibly serving administrative purpose but then just below that claim are the burgeoning other uses of maximizing profits.

Log files are metadata of the Internet, the tip of a giant iceberg of metadata. This is the dirty secret, the family jewels, of the Internet, carefully rationalized and guarded by sysadmins.

Sysadmins have become the traitors, or patriots, of the Internet. Traitors against the public, patriots for the powerful exploiters of the Internet.

Exploitation of bloated, little-known, behind-the-public-scene log files exceeds that of all search engines combined. Exceeds official spying in all nations. Indeed, facilitates spying in all nations for generous fees and to diffuse understanding of how cyber spying works, who its architects are, what is the architecture.

Snowden hints at this but so far only pretty facades have been disclosed, the underlying operation apparently too threatening to "national security" to be revealed to the public.

Sysadmins just adore being foundational to this architecture of deceit.

The argument that log files are essential to run the Internet is a cover for the huge industry which goes right through that tiny aperture of access to construct an unbelievable spying operation, far more insidious than that of the official spies, which as we know merely copy the industry and buy a small number of its products.

At 11:42 AM 1/6/2014, Laurens Vets wrote:
How would you monitor, maintain & troubleshoot administration & security issues on your servers if you do not have logs? Or are you talking about retention of said logs?
I read from this that excessive logging outside of a debugging scenario, coupled with either bad security or wilful sharing of log files, is the culprit.

So you're running a server, you want logs. Fine; what do you need to know? Statistical information about access, but not necessarily *who* is accessing. Perhaps you need to see if one person is accessing more than their share, but unless they exceed a certain threshold you don't want to record who they are; hash the IPs with a salt. Sure, yes, I expect you can reverse IP hashes, but at least you're trying.

Point being that logs are for debug and performance monitoring, but in this era of A) spying without consent and B) wilful assistance of spies by sysadmins globally, to be a good guy you have to wear blinders and collect only what you need. To resist the urge to hoard that comes with being raised in a marketing-heavy capitalism and with seeing storage volumes growing exponentially and remembering your days of scrimping on poorly encoded mp3s.

Store what you need. Ditch the rest before it's even paged.

On 06/01/14 16:42, Laurens Vets wrote:
How would you monitor, maintain & troubleshoot administration & security issues on your servers if you do not have logs? Or are you talking about retention of said logs?
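The logging approach suggested in the last message above (count accesses per client, hash the IPs, keep the real address only past a threshold), sketched as an added example that is not part of the original thread. It swaps the stored salt for an HMAC key held only in memory and discarded on rotation, and also shows why a salt kept beside the log is reversible; the class name, threshold value and sample addresses are assumptions.

```python
import hashlib, hmac, ipaddress, secrets
from collections import Counter

THRESHOLD = 3  # assumed per-window request limit before a client is flagged

class MinimalAccessLog:
    """Counts requests per pseudonymous client; the key lives only in memory."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.rotate()

    def rotate(self):
        # New window: fresh random key; old key, counts and flags are dropped.
        # Without the old key, old pseudonyms cannot be enumerated back to IPs.
        self._key = secrets.token_bytes(32)
        self.counts = Counter()
        self.flagged = set()

    def pseudonym(self, ip):
        packed = ipaddress.ip_address(ip).packed
        return hmac.new(self._key, packed, hashlib.sha256).hexdigest()[:16]

    def record(self, ip):
        """Return the log line that would be written for this request."""
        p = self.pseudonym(ip)
        self.counts[p] += 1
        if self.counts[p] > self.threshold:
            self.flagged.add(ip)  # only now is the real address kept
            return f"client={ip} over_threshold count={self.counts[p]}"
        return f"client={p}"

def reverse_salted_hash(digest, salt, network):
    """Why a salt stored next to the log is weak: the IPv4 space is small
    enough to enumerate. Only one /24 is searched here to keep the demo fast."""
    for addr in ipaddress.ip_network(network):
        if hashlib.sha256(salt + addr.packed).hexdigest() == digest:
            return str(addr)
    return None

# Constructed sample traffic (documentation address ranges).
SAMPLE = ["192.0.2.10"] * 5 + ["198.51.100.7", "203.0.113.9"]

def run_demo():
    log = MinimalAccessLog()
    lines = [log.record(ip) for ip in SAMPLE]
    return log, lines
```
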
participants (3)
- Cathal Garvey
- John Young
- Laurens Vets