On 2013-10-11 16:37, Seth Mos wrote:
On 11-10-2013 11:57, Adrian Zaugg wrote:
Dear all

After having read the whole NSA thread on this list, it came to my
mind that the pfSense web GUI could declare itself "conform to US laws" at
the point when known backdoors are included or the code has otherwise
been compromised under pressure from governmental authorities. It would be
the sign for the users to review the code and maybe to fork an earlier
version and host it in a free country, where the protection of personal
data is common sense and national security is not so much an issue.

And which country would that be?

There are many countries which would be a possibility. Whether wiretapping is done there or not is not so relevant. What is relevant is whether the authorities can and do inject backdoors into the project by legal force.

Pretty much everything we have in pfSense is checked in to the version
control system. Even in the beginning (0.83) with CVS. Even our builder
scripts are in an RCS system, and it verifies all checksums on external
(mostly FreeBSD ports) software we download for the build.

I am not an expert, but in the NSA thread above examples have been given of how CVS can be circumvented. Also, the gap between the sources and the binaries could possibly be a point of entry for nasty stuff, I guess. Again: the real threat, as I understand it, is not some "guy on the internet" trying to place malicious code into the code base, but simply and plainly some NSA officers knocking on the door and forcing the project leaders to do it.

The way most intelligence agencies these days perform wire
tapping is by getting a switch mirror port at an internet exchange. Even
fiber optics can be tapped without too many problems.

Yes, they do that. And much more, because they do not restrict themselves to a single source. They e.g. get the data from the data providers (Google, Facebook, Amazon, etc.) AND wiretap the internet backbones AND program trojan horses to send to their people (see e.g. https://en.wikipedia.org/wiki/Bundestrojaner#Staatstrojaner) AND collect geolocation data from your mobile phone provider AND force your encrypted-email provider to hand out their SSL keys to them AND ... etc. etc. etc.

But: with all those methods they can only collect EXTERNAL data. With the exception of the mentioned trojan horse, they do not as easily get your INTERNAL data, e.g. the data that circulates between the computers of your intranet. By infiltrating firewall software such as pfSense, they could get a grip on the most important neuralgic point of the intranet, since much of the internal traffic flows over this box. Think e.g. about all that VPN traffic that flows over the firewall, e.g. because a company connects many branches via VPN... So: getting a grip on the firewall would surely be highly interesting for them...

In .NL all large ISPs have a mandatory wiretap in place that stores
datetime-stamped headers of the internet traffic for discovery purposes
by the authorities. The best part of this: it is paid for by the
customers, since the ISP needs to pay for the system and storage.

Yes, but see above.

Regards,

Seth

Regards
Thinker Rix
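Seth mentions that the builder scripts verify checksums on the external (mostly FreeBSD ports) software downloaded for the build, and Thinker Rix points at the gap between sources and binaries. As an added illustration, not pfSense's own build code, here is a small Python checker in the style of a FreeBSD ports distinfo file (SHA256 and SIZE lines per distfile): it refuses a file that is missing, has the wrong size, has no recorded hash, or has a hash that does not match. The distfile names, the hashes and the sample "tarballs" are all constructed for the example.

```python
import hashlib
import hmac
import os
import re
import tempfile

# One distinfo line: "SHA256 (name) = hex" or "SIZE (name) = bytes"
DISTINFO_LINE = re.compile(r"^(SHA256|SIZE) \((.+)\) = (\S+)$")


def parse_distinfo(text):
    """Return {distfile: {"sha256": hex, "size": int}} from distinfo text."""
    expected = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("TIMESTAMP"):
            continue  # newer distinfo files carry a TIMESTAMP line; not a check
        m = DISTINFO_LINE.match(line)
        if not m:
            raise ValueError("unparseable distinfo line: %r" % line)
        kind, name, value = m.groups()
        entry = expected.setdefault(name, {})
        entry[kind.lower()] = int(value) if kind == "SIZE" else value.lower()
    return expected


def sha256_file(path):
    """Stream a file through SHA-256 so large tarballs are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_distfiles(distdir, expected):
    """Return a list of (distfile, reason) for every file that must not be built."""
    problems = []
    for name, want in expected.items():
        path = os.path.join(distdir, name)
        if not os.path.isfile(path):
            problems.append((name, "missing"))
            continue
        if "size" in want and os.path.getsize(path) != want["size"]:
            problems.append((name, "size mismatch"))
            continue
        if "sha256" not in want:
            # A size alone proves nothing; fail closed rather than build it.
            problems.append((name, "no sha256 in distinfo"))
            continue
        if not hmac.compare_digest(sha256_file(path), want["sha256"]):
            problems.append((name, "sha256 mismatch"))
    return problems


def demo():
    """Constructed scenario: one good distfile, one tampered, one never fetched."""
    good = bytes(range(256)) * 4            # stand-in for a 1024-byte tarball
    genuine_bar = good[::-1]                # a different genuine tarball
    tampered = bytearray(genuine_bar)
    tampered[512] ^= 0x01                   # same size, one bit flipped
    tampered = bytes(tampered)
    lines = [
        "TIMESTAMP = 1381500000",
        "SHA256 (foo-1.0.tar.gz) = " + hashlib.sha256(good).hexdigest(),
        "SIZE (foo-1.0.tar.gz) = %d" % len(good),
        # bar's recorded hash is for the genuine file; the download was altered
        "SHA256 (bar-2.1.tar.gz) = " + hashlib.sha256(genuine_bar).hexdigest(),
        "SIZE (bar-2.1.tar.gz) = %d" % len(genuine_bar),
        # baz is listed but never fetched (constructed placeholder hash)
        "SHA256 (baz-0.3.tar.gz) = " + "0" * 64,
        "SIZE (baz-0.3.tar.gz) = 10",
    ]
    with tempfile.TemporaryDirectory() as distdir:
        with open(os.path.join(distdir, "foo-1.0.tar.gz"), "wb") as f:
            f.write(good)
        with open(os.path.join(distdir, "bar-2.1.tar.gz"), "wb") as f:
            f.write(tampered)
        return verify_distfiles(distdir, parse_distinfo("\n".join(lines)))


if __name__ == "__main__":
    bad = demo()
    for name, why in bad:
        print("REFUSE %s: %s" % (name, why))
    if not bad:
        print("all distfiles verified")
```

The check only ties the build to the distinfo that is itself under version control; it says nothing about what happens between the verified sources and the shipped binary, which is exactly the gap the reply above worries about, and would need reproducible builds compared across independent builders to close.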
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
