Personal Cyber Security: Is It A Lost Cause ?

Discussion in 'privacy general' started by wtsinnc, Jun 11, 2015.

  1. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Well perhaps not anywhere, I would be surprised if he had got a life sentence in any other Western country though. He was a first-time offender convicted of non-violent crimes. The FBI wanted to catch a crime boss, the head of a drug cartel, what they got was an intelligent young guy, a university graduate who started Silk Road as an experiment in economic theory based on the idea of a free unregulated market. The FBI did all they could to make sure his trial did not reflect who this guy really was and they prosecuted the guy they wanted him to be and got the sentence they wanted him to get. In my opinion a parody of justice.
    Yes they did but the FBI dropped those charges. The charges he was convicted of were all related to silk road; money laundering, narcotics, hacking. I hope he gets his sentence reduced on appeal.
     
    Last edited: Jun 16, 2015
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    I do too. He was sentenced as an example. The judge admitted that, as I recall. How can that be just?
     
  3. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    Going back to TLS and certificates, why is it so difficult to find concrete information on this ?
    From the previous discussion it appears as of right now, if a MITM can coerce the browser into accepting a fake certificate there is nothing we can do, so, I have been trying to learn exactly what happens when you import a server certificate into the browser's certificate store.
    Does the browser then compare the server certificate each time with the one it has in its store and does it still also check it against the CA?

    Reason I ask, I think what we really need to do is cache server certificates, well at least their fingerprints, expiry dates etc. Then each time we connect to the same server the browser not only authenticates the received certificate with the CA it also checks against its own cache, to make sure it received the same certificate as last time (ideally we would have verified the authenticity of the one in the cache by other means, like a phone call to the owner).

    This would mean, if a MITM tries to send a fake certificate so your TLS will use his encryption keys instead of the server's encryption keys and even if he has coerced a CA to authenticate the fake certificate, your browser's cached certificate will tell you it is not the same certificate as the one received last time you went there.
    I am thinking if that is not what happens when you import a server's certificate into the browser's certificate store then a Firefox plugin could do something along those lines, what do you all think?
     
    Last edited: Jun 16, 2015
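
The fingerprint cache proposed in the post above, as an added example that is not part of the original thread or of any browser's code. The names `PinCache`, `check` and `accept`, the 30-day renewal window, and the constructed byte strings standing in for DER certificates are all assumptions; the check runs in addition to normal CA validation and uses the cached expiry date to tell a plausible renewal from an unexpected swap.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Pin:
    fingerprint: str                    # SHA-256 over the DER-encoded certificate
    not_after: datetime                 # expiry date cached with the fingerprint
    verified_out_of_band: bool = False  # e.g. confirmed by phone with the owner


class PinCache:
    """Hypothetical per-host cache of the certificate seen on the last visit."""

    def __init__(self, renewal_window=timedelta(days=30)):  # window is an assumption
        self.pins = {}
        self.renewal_window = renewal_window

    def check(self, host, der, not_after, now):
        """Call only after ordinary CA validation has already passed."""
        fp = hashlib.sha256(der).hexdigest()
        pin = self.pins.get(host)
        if pin is None:
            self.pins[host] = Pin(fp, not_after)  # trust on first use
            return "first-seen"
        if pin.fingerprint == fp:
            return "match"
        # Different certificate: keep the old pin until the user decides.
        if now >= pin.not_after - self.renewal_window:
            return "changed-near-expiry"  # plausible renewal, still worth a look
        return "changed-early"            # CA-valid but unexpected: warn loudly

    def accept(self, host, der, not_after, verified_out_of_band=False):
        """Replace the pin once the user has confirmed the new certificate."""
        fp = hashlib.sha256(der).hexdigest()
        self.pins[host] = Pin(fp, not_after, verified_out_of_band)


def demo():
    # Constructed byte strings stand in for DER certificates; in real code they
    # would come from ssl.SSLSocket.getpeercert(binary_form=True).
    utc = timezone.utc
    cert_a, exp_a = b"constructed-cert-A", datetime(2016, 6, 1, tzinfo=utc)
    cert_x, exp_x = b"constructed-cert-X", datetime(2016, 9, 1, tzinfo=utc)
    cert_b, exp_b = b"constructed-cert-B", datetime(2017, 6, 1, tzinfo=utc)
    host, cache = "example.test:443", PinCache()
    june, may = datetime(2015, 6, 16, tzinfo=utc), datetime(2016, 5, 20, tzinfo=utc)
    results = [
        cache.check(host, cert_a, exp_a, june),  # first visit
        cache.check(host, cert_a, exp_a, june),  # same certificate again
        cache.check(host, cert_x, exp_x, june),  # swapped long before expiry
        cache.check(host, cert_a, exp_a, june),  # pin was not overwritten
        cache.check(host, cert_b, exp_b, may),   # swapped inside renewal window
    ]
    cache.accept(host, cert_b, exp_b, verified_out_of_band=True)
    results.append(cache.check(host, cert_b, exp_b, may))
    return results


if __name__ == "__main__":
    print(demo())
```

The first visit is still trusted blindly, which is why the post's out-of-band verification step matters: the cache only detects a change relative to what was seen before.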
  4. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    This thread has migrated to topics which are in no way associated with the original premise and intent.
    If you want to post about unassociated issues, please do so elsewhere.
    This thread is entitled 'Personal Cyber Security: Is It A Lost Cause'.
    Please restrict comments to that topic- not repeated back and forth about TLS, MITM attacks, and Ross Ulbricht who, by the way, got what he deserved.

    Your cooperation in keeping this thread coherent and on-topic will be appreciated.
     
  5. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    I don't think that making controversial comments on the off-topic posts is a very good idea if you want to stop people from commenting on off-topic stuff.

    That's a pretty bold assertion about Ulbricht, you know, in Europe you can only get life for murder or treason, not drugs or hacking, America is an anomaly of the first world. And everything in the case is so unbelievable that you can't be certain of what the reality of the entire situation was. You said it so you get a rebuttal, but I kept it brief.
     
  6. wtsinnc

    wtsinnc Registered Member

    Joined:
    Oct 3, 2008
    Posts:
    943
    So following that interlude;

    Specifically, why take measures to secure the personal data on your computer if that same data is also in the hands of government agencies and business concerns who have already proven to be compromised.
    What is there to gain ?
     
  7. krustytheclown2

    krustytheclown2 Registered Member

    Joined:
    Nov 18, 2014
    Posts:
    210
    Some (or a lot of) data may indeed be compromised at the level of the website or service, but I can still hide my real identity from said website or service, at least for certain things like posting on this forum.

    And even if the NSA and Google are tracking all my emails with friends and my Amazon purchases, there is still a lot of reason to keep criminal hacker types out of my Amazon account or whatever else by securing my system. People are more worried about their identity being stolen and their bank account being drained than about the government spying on them (like it or not), and although keeping your computer clean is not a catch-all, it certainly reduces your risk.
     
  8. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I had considered the questions in your title post to be rhetorical, designed to invite discussion on that which causes security vulnerabilities in the first place. I will discuss TLS and MITM elsewhere.
    If your comment regarding the state persecution of Ross Ulbricht reflects your personal views on such things we have little in common anyway.
     
  9. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    It's very simple. Government agencies and business concerns possess a great deal of information about us. And they also possess a great deal of information about any pseudonyms that we may use. But as long as those pseudonyms are effectively compartmentalized from our meatspace identities, they are still useful pseudonyms. And the only things that ensure that compartmentalization are personal cyber security and good OPSEC. Whatever we think of Ross Ulbricht and his fate, the relevant point here is that he failed to prevent the FBI from connecting the DPR and Ross compartments. And we can learn from how that went down.
     
  10. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    By taking such measures, you make yourself less vulnerable. Not everyone is going to have all your data and some personal data can be updated and replaced if it ends up somewhere that is hacked. There is a lot of personal information that is semi public anyway. If you are referring to just identity theft, personal identifying data is stored in databases somewhere even if you never put it online yourself. Any time you have to turn an application in for school or work or submit a form to some business or institution, it can end up in a database that more than likely could be compromised. That being said you don't necessarily have to make it easy by being sloppy with it online by using an insecure system.
     
  11. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I think of it this way, if in the 1930's the information gathering governments and corporations have on everyone today had been available then, the job of the Waffen SS would have been made a lot easier.
     
  12. Slink489

    Slink489 Registered Member

    Joined:
    Mar 28, 2015
    Posts:
    24
    Re-phrase...

    I think of it this way, if in the 1940's certain information gathering governments and/or corporations were able to do then what they do now, then we'd likely be speaking German, as that would be the global language. Almost all aspects of allied success in WWII would have been nullified. This also includes how the allies ended up with the nuke. Think on that a second or two.
     
  13. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    @Slink489
    If you take a closer look, you'll see that we're on that same road again, with the same end results in our future. Only the names have changed.
     
  14. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    ..and the technology they have at their disposal
     
  15. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    I think at the moment cyber security really is almost a lost cause.
    20 years of poor implementation combined with deliberate subversion leaves us unable to trust the architecture we need to be able to trust in order to implement effective security policy.
     
  16. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I don't think personal cyber security is a lost cause as long as you can still protect what matters to you. It's all about risk management; you need to consider what assets you are trying to protect. For instance, if you think that your asset is your personal data and you gave it to an entity who got hacked, there is nothing you can do when it comes to your computer; however, if your asset is your photo collection stored on your computer, you can still protect it if you have some good security measures in place.
     
  17. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    No physical lock or safe is impenetrable and they don't claim to be. They are to keep the honest, honest, to keep the petty thieves away, and to keep the determined dishonest delayed x amount of minutes and increase chance of recovery.

    Given that, do you still use locks? Are they pointless?
     
  18. RockLobster

    RockLobster Registered Member

    Joined:
    Nov 8, 2007
    Posts:
    1,812
    They would be pointless if the lock manufacturer created a master key and gave it to the criminals who want to break in and imo that is where we are right now in terms of personal cyber security.
    I'm sure not all those "master keys" aka exploits were implemented deliberately but I am quite sure a lot of them were and they come thick and fast but only so fast as the hacking community, network and systems analysts etc, can discover them and to compound the problem not only are government agencies that used to protect our security working against us they are actively encouraging third parties to do so.
    US Navy Soliciting zero days.
    I'm sure a nice fat check from the US Navy or the NSA would persuade all kinds of people in all kinds of positions to sneak a little exploitable security weakness into whatever project they are involved in and of course it makes no difference who solicits such things, once they exist it is just a matter of time before cyber criminals and those working for foreign governments find them.
    I'd bet the Chinese and Russian governments have thousands of people working full time decompiling, reverse engineering, penetration testing and tearing source code apart piece by piece looking for such built in vulnerabilities.
     
    Last edited: Jun 28, 2015
  19. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    There are master keys (and keys generated by serial number) for physical locks.

    Any system can be exploited/circumvented/overloaded/broken through. We're flawed humans stuck in three dimensions.

    Hey...what am I saying here? It was an analogy to illustrate a specific point! :D
     
  20. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    As long as the likes of TLAs have ANY inroads at all into our computers, then it's a lost cause.

    As for honesty: If I am honest, then a lock has nothing to do with keeping me as such...
     
  21. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    That would be true if you're a high priority target. Even if one assumes that a TLA has the ability to break into any computer they choose, that doesn't automatically mean that they have done so. We're talking about hacking on a global scale, which requires automated attacks. No matter how good their techniques may be, there are limits to what can be done via automation. A properly implemented privacy/security package should be able to resist the automated attacks. Beyond that, it becomes a question of how bad do they want you.

    I'm speculating here, but without actual facts to go by, it's the only option available. One has to assume that the automated attacks are designed with cost/benefit in mind. Automated attacks are going to target the packages that they encounter the most, aka current versions of Windows running standard AV security suites with the usual collection of open ports and exploitable standard set of running features and services. It's reasonable to assume that they've got such automated attacks for more than Windows. I'd expect that these cover Apple and the default packages of many linux distros as well. When your system falls outside of the expected norms, automated attacks become less effective. This is where a little obscurity and misrepresentation can go a long way. Oversimplified example. Faking your user agent, browser and OS, won't fool a hacker for long. If that misrepresentation also includes what javascript reports, it can be enough to deceive an automated attack and cause it to launch the wrong exploit. If your logging is good, you'll be alerted to the attack.

    For global surveillance, the situation will be quite similar with encryption. They're going to target the most used encryption. I have to believe that facilities like the Utah data center were built to defeat HTTPS on a massive scale. It's also safe to assume that they're targeting the other "standards" like AES. Unfortunately, there's no viable option to HTTPS. For strong encryption, there are other options that are not standards and have never been broken.

    Against TLAs, there likely aren't any bulletproof defenses. If you're directly targeted, your defenses will eventually fail. That doesn't mean that they will fail on the first attack or that these attacks can't be detected and give you time to react. Don't assume that you're defeated before you're attacked. History and current events show that unconventional tactics and methods can defeat a superior adversary. That applies to computer and network security as well.
     
  22. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    Sure it does: honest people make mistakes and honest people aren't impervious to temptation.
     
  23. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    @noone_particular
    Rather than directed at a niche group of privacy minded individuals, the "Personal Cyber Security" part of the thread title seemed to apply to everyone. It also seems to me to be a black and white statement (with no qualification) so bear in mind I've answered in that light.

    If there is even one tiny crack in the armor, (vulnerabilities, backdoors and the like) then that's all that's required for an inroad into your system to get who knows what. Unless there is absolute surety then there is uncertainty and at that point we are back to the "all we can do is do our best" position. It's black and white. Either your online life is entirely secure from (all) prying eyes or it is not. I'd much prefer it is not.

    How many people at Wilders can conclusively say 100% they're totally confident their whole online experience is secure.

    There's a lot of smoke and mirrors about this. I think it would be very useful to actually figure out who is a high priority target. Not only that, but why they're targeted. The answer to that could really open a can of worms. I also think that group is far bigger (and expanding) than what people want to know or care about. There's no shortage of clues, for example, the way the meaning of the favored buzz word "terrorist" has been purposely changed (over time) to make it include just about anybody. That in itself is a dead giveaway. Since familiarity breeds contempt anyway, dumbed down people who flinched at the connotations to start with will eventually just pass it all off and accept the new meaning as if it's always been. Typical conditioning.
    In light of what we've read about TLA's; the ways TOR is increasingly viewed with suspicion; an ongoing onslaught of more vulnerabilities popping up, and now VPNs under the spotlight more and more, shouldn't we remember they want to include everyone in their data tapping. Record EVERY phone call EVERY email etc etc. What did one of them say? collect it all. I'm sorry but as a principle I don't want ANY of it collected AT ALL and how "benign" it is isn't the point. Such brazen statements are indicators of how far down this slippery slope we are and how willing people are to succumb to the conditioning is another. They want everyone real bad and I have other reasons to believe they will achieve that sometime down the track. Maybe encryption is going to stave off the inevitable for a while but it is immensely complex for even IT professionals, how much more Mr and Mrs average. If we don't understand it then how do we know if a breach has occurred until after the fact?

    Unless you're a proficient coder, developer, scientist and any number of other highly qualified specialists required to understand absolutely everything needed then you can't trust electronic communication 100%. If we don't fall into that category then we have a few options. Do the best we can and hope for the best with data we've risked...OR... trust no one and tailor our usage to exclude what we don't want to risk. If I can't be 100% sure my bank acct # is absolutely airtight secure, then prudence says don't even go there.

    For various reasons I believe the writing is on the wall. It's not a case of if but when... but until "it" happens I'll carry on with these strategies. Do what I can to be as safe as I can, using the "prevention is better than cure" mindset... and use common sense...like not joining facebook, or posting your details online, online banking, avoiding "smart" devices (like the plague). IOW because I can't be absolutely sure of security and privacy, it limits what I'm prepared to do online. In this sense, as long as I'm limited, is as long as it's a lost cause.
    Yes, being outside expected norms is a good point and will be our best means of defence, but for who knows how long? If ports on post XP systems are hardwired open that's a potential for exploits. If that hideous IE is so tightly woven into the OS that it calls out from who knows where, that's another potential disaster. What about hardware incompatibilities that will eventually force people's hands? Staying on older systems still able to be locked down is dependent on the user in some cases encountering very steep learning curves. I have to ask the question, if the internet is for everyone, then how are the masses going to cope with all this if they want security and privacy? Let's remember who is in cohorts with who and who are the adversaries, but most people see them as great "friends" so they're sucked in hook line and sinker. I wouldn't hesitate for a moment to say Apple will be in it up to their ears just like the M$'s FB's Googles etc.
     
  24. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    No it doesn't. I think I know me better than you do.
    Maybe, but they won't be afterwards if they lie about it. Here's an exercise: go and find all the people you know, known to be honest (as an ongoing attribute as you have portrayed) and ask them all how often a lock has "kept them honest".
     
  25. Rolo42

    Rolo42 Registered Member

    Joined:
    Jan 22, 2012
    Posts:
    571
    Location:
    USA
    And this would be relevant if you were the only person we have to worry about; I was speaking of "people".

    That's cherry-picking. That's also the incorrect question; the more accurate question would be when there wasn't a lock at all, are people tempted and of those, do any succumb. Here's another one, "Have you corrected every error that was in your favour without hesitation?". "Keep them honest" by not putting a stumbling block before them.

    cf. http://www.wsj.com/articles/SB10001424052702304840904577422090013997320
     