Lavabit and End-point Security

Sat Aug 10 12:44:37 PDT 2013

Its usually easier to gain access to a resource by exploiting those who
have the perms you seek.
On Aug 10, 2013 1:37 PM, "Sean Alexandre" <sean at alexan.org> wrote:
>
> On Sat, Aug 10, 2013 at 12:42:16PM +0200, Lodewijk andré de la porte
wrote:
> > 2013/8/9 Sean Alexandre <sean at alexan.org>
> >
> > > Or, maybe it was cover-up, to get the information "legally." But I'm
> > > guessing
> > > they really couldn't get what they wanted.
> > >
> >
> > This. They don't want to show people what power they have. So they use
the
> > "most public method", letters. They are very, very, very aware of what
you
> > might guess. You have to remember they could legally prevent him from
> > saying he even received letters, they have done so in the past.
> >
> > Why haven't they now? Might it have to do with you assumptions? Or is
it as
> > innocent as genuinely not wanting to cause more harm than needed?
> >
> > Do you think the NSA is innocent?
>
> I can't really argue with that. I think it's very possible this is just
> "parallel contruction" where they want to cover their tracks and say they
got
> things "legally."
>
> Still, I have to hope it's possible to run a service such as Lavabit and
have
> it be so locked down that it can't be backdoored. Nothing can be 100%
secure,
> but secure enough that it's very, very unlikely.
>
> I'd like to see a github project that has scripts (puppet?) to take a
fresh Debian
> box and lock it down as much as possible, running only ssh.
>
> Those scripts could be used to create a CTF box sitting out on the open
> Internet, for others to try and hack into. Pen test it to death. Update
the
> scripts. Make the config as perfect as possible.
>
> Then others could take those scripts and add more modules to them, for
other
> services: exim, dovecot, apache, roundcube. People could pick and choose
which
> they want to run.
>
> Put different boxes out there, as other CTF machines to pentest.
>
> Make it fun. Give people rewards, or some kind of recognition, if they
can break
> into the box.
>
> "Encryption works," we know. End-point security's the weak link. This
could be
> a way to shore that up.
>
> Thoughts?
>
Its usually easier to gain access to a resource by exploiting those who
have the perms you seek.

These types of competitions are neat; skilled attackers aren't really
incentivized to sink 0days on CTF games when there's a huge payoff for
responsibly disclosing / not to mention the potential payoff of malicious
use of an Apache code exec.

Your best bet is relying on operating systems with a good track record,
using a capabilities based security model (pax + grsec on nix). Routine
administrative bits: least privileges, patches, hardened binaries,
isolation.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: text/html
Size: 3378 bytes
Desc: not available
URL: <https://lists.cpunks.org/pipermail/cypherpunks/attachments/20130810/95e0db94/attachment-0001.txt>