Lavabit and End-point Security

Sean Alexandre sean at alexan.org
Sat Aug 10 10:32:02 PDT 2013


On Sat, Aug 10, 2013 at 12:42:16PM +0200, Lodewijk andré de la porte wrote:
> 2013/8/9 Sean Alexandre <sean at alexan.org>
> 
> > Or, maybe it was a cover-up, to get the information "legally." But I'm guessing
> > they really couldn't get what they wanted.
> >
> 
> This. They don't want to show people what power they have. So they use the
> "most public method", letters. They are very, very, very aware of what you
> might guess. You have to remember they could legally prevent him from
> saying he even received letters, they have done so in the past.
> 
> Why haven't they now? Might it have to do with your assumptions? Or is it as
> innocent as genuinely not wanting to cause more harm than needed?
> 
> Do you think the NSA is innocent?

I can't really argue with that. I think it's very possible this is just
"parallel construction" where they want to cover their tracks and say they got
things "legally."

Still, I have to hope it's possible to run a service such as Lavabit and have
it be so locked down that it can't be backdoored. Nothing can be 100% secure,
but secure enough that it's very, very unlikely.

I'd like to see a GitHub project that has scripts (Puppet?) to take a fresh Debian
box and lock it down as much as possible, running only ssh.

Those scripts could be used to create a CTF box sitting out on the open
Internet, for others to try and hack into. Pen test it to death. Update the
scripts. Make the config as perfect as possible.

Then others could take those scripts and add more modules to them, for other
services: exim, dovecot, apache, roundcube. People could pick and choose which
they want to run.

Put different boxes out there, as other CTF machines to pentest. 

Make it fun. Give people rewards, or some kind of recognition, if they can break
into the box.

"Encryption works," we know. End-point security's the weak link. This could be
a way to shore that up.

Thoughts?



