A "low profile" spy radio used by the S.O.E. in World War II. It weighs 16 kilograms and fills a suitcase. Compare that to modern HF radio designs which can fit far more functionality into an Altoids tin.
"Nothing works against the success of a conspiracy so much as the wish to make it wholly secure and certain to succeed. Such an attempt requires many men, much time, and very favorable conditions. And all these in turn heighten the risk of being discovered. You see, therefore, how dangerous conspiracies are."
— Francesco Guicciardini, Ricordi Politici, 1528-1530
"Fawn — next time with fewer people"
— Robert "Bud" McFarlane, note to Fawn Hall, 22 April 1987
Topics on this page
Remember that if a system can have its cryptographic keys "recovered", you shouldn't rely on it to keep your information confidential! Beware commercial applications that claim to include methods for encrypting your files! There are tools that quickly break the toy "encryption" included in Microsoft Word, Microsoft Excel, WordPerfect, Quattro Pro, PKZIP, Paradox, Lotus 1-2-3, and many more. For tools to break this toy "encryption" see:
A "low profile" spy radio used by the S.O.E. in World War II. It weighs 16 kilograms and fills a suitcase. Compare that to modern HF radio designs which can fit far more functionality into an Altoids tin.
According to a Reuters story on 24 Dec 2002, the U.S. Transportation Security Administration foolishly relied on these toy systems, and anyone could download and decode "restricted" documents from their web server.
TrueCrypt has free open-source disk encryption for Windows, MacOS X, and Linux: http://www.truecrypt.org/
There are some disturbing holes in Microsoft's EFS (Encrypting File System) — see the details on my page on os-specific issues.
Absolutely no fault of Google, but some silly web administrators have misconfigured their servers. Instead of the web server being kept within the sandbox of /var/http/html (or wherever) on UNIX, or C:\inetpub on Windows, the server serves out everything on the disk.
Here's a whole page dedicated to clickable searches
like this:
http://johnny.ihackstuff.com/index.php?module=prodreviews
There are U.S. federal standards on how to overwrite magnetic media in a way that is considered secure. The short version is:
Something like all zeros, then all ones, then pseudo-random bits, and finally verify that you can read the same pseudo-random sequence back out. For more details on just how to do this on various types of media see the nice summary at zdelete.com or, for the full details, see the original DOD documents.
However, while NSA definitely is aware of DOD 5220.22-M and recommends its use, there is no such thing as "the NSA standard" or "the NSA method" above and beyond this. Just 3 overwrites (and then carefully destroy the media for maximum safety). Note that DOD services may have their own nomenclature for "DOD 5220.22-M".
If you really want to pursue this (because you think that your advisary is likely to apply atomic-force microscopy on your media to recover data after you overwrote it), read this 1996 paper. Also be aware that physical disk geometry is automatically (and silently!) remapped by drive electronics during the media service life, meaning that sensitive data may have been written to spare cylinders. It can be difficult to verify that you are writing the patterns to all addressible locations. If you really care, use a hammer.
See CryptoHeaven for secure e-mail, online storage, and file sharing. Hmmm, shades of Neil Stevenson's cryptographic data haven in Cryptonomicon...
Secure MIME is gaining momentum as a standard for secure e-mail. See:
A proprietary solution for automated e-mail encryption is offered by Tumbleweed, http://www.tumbleweed.com
FIPS 140-1 specifies security requirements for cryptographic modules used by U.S. government agencies to secure unclassified but sensitive information. See:
Cryptek makes the DiamondNIC LAN card, certified at B2 by NSA, plus LAN and WAN hardware solutions: http://www.cryptek.com
Fortezza (tm) cryptographic cards are made by:
VPNet Technologies, +1-408-445-6000, makes encryption boxes that sit between your LAN and your router.
Certicom Corp, +1-905-507-4220, makes the Certifax 3000, a secure FAX machine. http://www.certicom.com/
nCipher makes a PCI-bus cryptographic accelerator card. http://www.ncipher.com/
Atalla network encryption hardware is sold by HP, see http://h20223.www2.hp.com/NonStopComputing/cache/76417-0-0-0-121.aspx
Also see the COMSEC section on another page.
Narus and Verint sell mass surveillance and eavesdropping equipment to a wide range of governments. From their web pages:
Narus
Narus is the leader in real-time traffic intelligence
for the protection and management of large IP networks
Real-time Traffic Intelligence
is the ability to protect and manage large IP networks
by understanding in detail the behavior of the traffic
Product
NarusInsight is the most scalable traffic intelligence system
for capturing, analyzing and correlating IP traffic
in real time.
Verint Systems is a leading provider of Actionable Intelligence solutions and services for enterprise workforce optimization and security intelligence.
In addition to the U.S. government and U.S. telecommunications companies, Verint's customers have included Mexico (the government's nation-wide telecommunications eavesdropping system), Vietnam (equipment used by all ISPs for government mandated monitoring of discussions of democracy), and many others.
Narus has sold their high-end systems to the People's Republic of China's Internet monitoring and enforcement agency, the Information Technology Security Certification Center. According to the U.S. State Department's Country Reports on Human Rights Practices issued March 6, 2007, after this upgrade:
The authorities reportedly began to employ more sophisticated technology enabling the selective blocking of specific content rather than entire Web sites. Such technology was also used to block e-mails containing sensitive content ... New restrictions aimed at increasing government control over the Internet included stricter Web site registration requirements, enhanced official control of online content, and an expanded definition of illegal online content. The country's Internet control system reportedly employed tens of thousands of persons. The government consistently blocked access to sites it deemed controversial, such as sites discussing Taiwan and Tibetan independence, underground religious and spiritual organizations, democracy activists, and the 1989 Tiananmen massacre. The government also at times blocked access to selected sites operated by major foreign news outlets, health organizations, and educational institutions.
According to James Bamford's The Shadow Factory, Narus has also sold its eavesdropping systems to fun and friendly governments like Pakistan, Egypt, Saudia Arabia, and Libya.
Glimmerglass Networks sells intercept hardware for optical networks, as described by their president and CEO in a story in Aviation Week and Space Technology, July 26, 2010, pp 57-58.
Authentication and integrity are at least as important, or even more important, as confidentiality in some applications. See my networking monitoring/sniffing page for this category.
For secure voice links, get real hardware.
Do not trust the "voice-scrambling" units sold via ads in popular magazines! Trivial trivial trivial for anyone who understands analog circuit design. Click here for a circuit to both do that trivial "scrambling" and to break it.
Also see my page with some GSM COMSEC details.
It's hard to figure out the laws of one country, let alone several. To export from the U.S., January 2000 finally saw some loosening of U.S. laws, but do not assume that anything goes!
Now, where are you exporting it to?
France and Russia (well, at least on paper...) require you to
register cryptography, and don't allow import of
strong cryptography.
Israel, Singapore, and Hong Kong all have differing rules
of their own.
Germany and Malaysia seem to regulate digital authentication.
Saudi Arabia simply bans all cryptography.
If you have to do anything with multinational
applications of cryptography, check out the excellent
Koop's Crypto Law Survey:
— http://rechten.uvt.nl/koops/cryptolaw/
— http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm
A generally quite critical look at U.S. laws is at: http://www.eff.org/
Be very careful about reckless use of xhost! xspy is a tool for grabbing all keyboard and/or mouse input from an unsecured X display — click here to get a copy. This is very useful for convincing people of the insecurity of mis-used X! Make certain you understand xauthority, and avoid the reckless xhost +!
Click here to see my page with a simple explanation of IPsec.
If you use PPTP, the Point-to-Point Tunneling Protocol,
do not use the Microsoft implementation,
which is now proven to be broken!
See:
— http://www.counterpane.com/pptp.html
— http://oliver.efri.hr/~crv/security/bugs/NT/pptp2.html
Use the L2TP protocol instead.
There's a lot of concern over "spyware". To avoid most (but not all!) spyware, use any browser except for the horribly insecure Explorer. Most people like Mozilla's Firefox. Beware, browsers in general tend to be buggy (due to their complexity), they all have security problems, but because of both poor design and poor software production, Explorer has a much worse track record.
Most organizations find that preventing the use of Explorer solves much of their spyware/adware problems.
|
|
|
|||||||||
|
|||||||||
|
| © Bob Cromwell Sep 2010. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache. Root password available here, privacy policy here. |
