Re: [Full-disclosure] Megaupload Anonymous hacker retaliation, nobody wins
Hi Marcio,

Thanks for your answer.

On 01/26/2012 02:07 PM, Marcio B. Jr. wrote:
>> I don't want to get into any
>> "conspiracy theory" - either one thinks that way or doesn't, but if you
>> look at the patterns, then let's just say that strong interest groups
>> somehow always seem to get past these democratic barriers to create
>> situations in which they can generate profit.
>
> "conspiracy theory"?? "let's just say"??
>
> That happens. It is, say, a fact.

I agree, unfortunately...

>> Fortunately, most of the
>> time they still need to play for the public and ask "nicely" first
>> before they can do whatever they damn well please.
>
> Wrong.
>
> Corporations do whatever they please, and that is achieved through
> propaganda, which in turn, prepares the masses to think they are being
> asked "nicely".

If we break it down then yes, it effectively comes down to this. However disgusting. But I don't believe this is so much black and white. I don't think they have managed to brainwash everyone so much yet so that they don't need some RPG to justify their actions. We can call this propaganda or whatever. But we still have some nerve and some power in our hands to say no to things that we don't like, and this constitutes our own "propaganda". And when we do say no loud enough, they usually back off and try another way. If this was not the case, actions like the previous blackouts wouldn't have meant a damn thing, the bills would have passed immediately. Why play around when you can just do it without consequence? I think "they", or rather, the pawns they control, do need our - however limited - approval for now, and we should take advantage of that.

>> But I feel that is
>> changing.
>
> Yes, it's getting internationally worse. Search for ACTA.
>
> One crackdown we're living in. Goal is: keeping knowledge away from the
> people.

Don't we know that over here with the EU scandal... Citizens here (and not just here, sadly) still think that our national bank is a "National" bank... some even go out as far as saying it is, as far as they honestly believe, answerable to the government or to the people. Then, just when a straightforward-looking thing, like an obligation for the president of the "National" bank having to take a sworn oath to the constitution creates an uproar among EU interests and we are suddenly branded almost fascists as a country because of this and similar issues, do some start to question what the heck is going on with the world they think they knew...

>> Yes, we have such thing
>> as democracy out there
>
> Where is it? Switzerland maybe? The kibbutzim of Israel?

I'm afraid I misphrased this. Let me try the other way... maybe seen just as wrong, but perhaps more correctly put... We have the fabric of democracy - filled for the most part, with pawns. Pawns we're being offered as a "choice". Hard to work a democracy or make any kind of serious vote when your only choice is, more often than not, pawn A and pawn B.

>> Lately, after Wikipedia and many others stood by the people, peacefully
>> but with great resolve, public will has won. Not necessarily because
>> that was the will of the people - to have none of PIPA etc... -
>
> Not the people as a whole (which would be ideal) but a small part of
> it who is trying to participate more often in wide scope decisions.

But this also shows that even if there're only a small part of "activists", people who are rather passive can still be influenced by their actions, change their view no matter what CNN noise propagates... thereby possibly negating the effect of the mainstream "washing machine". Even if only (for the sake of saying it) 10 people are shouting, many more could start to quietly agree with them and it will, inevitably, influence their future actions. And, for now at least, public opinion does matter, otherwise there would be no need for the propaganda system.

>> but more
>> likely because we have triggered this protection of "self interest" in
>> the officials.
>
> Which is still a "will".

A will, yes. But at least our will. We show them our will that unless they satisfy our needs now and again, we will not vote for them and they won't get money, very simply put. They'll still be stuck between two masters, but they will not be so easily convinced to ignore us.

>> Quite simply, elected ones got afraid of not being
>> re-elected, or just going too far and getting into something they cannot
>> handle with a popular face. They appeared to have no "valid" moral
>> reason anymore to cooperate with the passing, so they bailed out.
>
> That is not democracy but a rotten representative system. Masses were
> taught to accept it as fair.

No argument there... But unfortunately, it all comes down to human nature... As far as I've seen it, anyone having the "initiative" to be any kind of serious leader or official - respect goes out to the few exceptions - has the inherent capacity for greed. Greed is a he
Re: [Full-disclosure] Megaupload Anonymous hacker retaliation, nobody wins
On 01/26/2012 03:04 AM, Marcio B. Jr. wrote:
> On Wed, Jan 25, 2012 at 6:53 PM, Levente Peres wrote:
>> This will give decision makers EXACTLY what they WANT.
>
> Those who have already given up democracy think that way.

Not necessarily. I strongly believe in the principle of democracy. In fact I'm from a country where people fought and died for it, similar to the US and many others. And I also hear simple people like me and politicians alike, talk about it, and cite it over again, but more often than not, I just don't see it happening.

I don't want to get into any "conspiracy theory" - either one thinks that way or doesn't, but if you look at the patterns, then let's just say that strong interest groups somehow always seem to get past these democratic barriers to create situations in which they can generate profit. Fortunately, most of the time they still need to play for the public and ask "nicely" first before they can do whatever they damn well please. But I feel that is changing. They get more and more bold, for example, just yesterday I read Chris Dodd saying something like...

“Those who count on ‘Hollywood’ for support need to understand that this industry is watching very carefully who’s going to stand up for them when their job is at stake. Don’t ask me to write a check for you when you think your job is at risk and then don’t pay any attention to me when my job is at stake.”

... in "plain daylight", on Fox News I believe.

Yes, we have such thing as democracy out there - but we also have self-interest, and this self-interest also exists in officials, and it can be exploited. Lately, after Wikipedia and many others stood by the people, peacefully but with great resolve, public will has won. Not necessarily because that was the will of the people - to have none of PIPA etc... - but more likely because we have triggered this protection of "self interest" in the officials. Quite simply, elected ones got afraid of not being re-elected, or just going too far and getting into something they cannot handle with a popular face. They appeared to have no "valid" moral reason anymore to cooperate with the passing, so they bailed out. This is what peaceful show of resolve and public will has achieved and I'm immensely proud of that... I honestly believe that this is a very effective way to resist if enough people stand behind it, like with the blackouts.

But these interest groups know that officials also have a mandate to protect "security", which is a largely different matter. If they can picture it so that security's being violated somehow, and start making enough noise about "security" and telling people that "you could be attacked next" and so on, then quite simply, people will start demanding them to do whatever they wanted to do in the first place. "We want to be secure, now you are our officials, so do whatever needs to be done!" Not all people of course... not everyone will react this way. But just enough to allow them to move on, the "majority", or so they will make it appear through mainstream media. That way they can proceed without losing chance for re-election, in fact they may even be lauded as heroes who can make hard decisions. A nice abuse of democratic principles.

On the other hand, if this "threat" can be pumped up big enough to warrant an "attack on the country", then it's even worse. Then they won't need you to agree to/with anything, they can do whatever they want to do by definition of "protecting national security".

This is why I believe that going to cyberwar (essentially: hard violence) over this or anything else is counter-effective.

Levente

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Megaupload Anonymous hacker retaliation, nobody wins
On a personal note, maybe OFF...

I fail to see the gain in such retaliations, especially in organized ones... First the Megaupload retaliation, now the UN... and for what... I know people want to be heard, but this is plainly sending the wrong message.

This will give decision makers EXACTLY what they WANT. They coax otherwise smart people into acting out violently, thereby creating just the false-flag "anarchy" to prove their point, which is: "yes, we need to censor and control everything especially the Internet, because see, there's already a 'war out there at the gates and we need to protect etc. whatever'". We've seen it before countless times and this reverse strategy almost always works.

If anyone from the "responsible" groups is reading this, please know that I'm not against the point that you are trying to make... You are all learned and knowledgeable people, otherwise you wouldn't have been able to pull this complicated scheme off... but I implore you to reconsider such outbursts in the future for the sake of the very thing that you are trying to protect... What's done is done, but let's not give these goons one more reason to take away freedom even more so...

Please. Just consider this. That's all I'm asking... And I guess that's all I wanted to say.

Levente

On 01/25/2012 08:20 AM, karma cyberintel wrote:
(CBS) - The week began on a high note for Internet activist. The biggest organized effort to blackout websites in solidarity over the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) was a huge success sources form for more details http://www.karmacyberintel.net/2012/01/megaupload-anonymous-hacker-retaliation-nobody-wins/
Re: [Full-disclosure] Apache Killer
My findings, hope it helps...

Properly configured HAProxy with queue management and per-server limits can dampen the effects quite drastically. In my testing (three low-end SunFire servers and a LB) an attack volume of well over 1000 threads was necessary to notice any small speed degradation on the frontend - which triggers anti DOS immediately if done from outside LAN. System immediately recovers fully when the attack stops, no coredumps, nothing, not even after half an hour of sustained attack. No crashing or instability whatsoever happened on any servers, not even at 2000, but dared not to test further on a live system...

If performed from multiple IPs or varied content etc however, a pattern recognition scheme would be necessary to block it I believe...

Also tested it with a simple one-server setup with Squid as frontend before apache, it reported not vulnerable... Not tested any further yet.

Done on a "barefoot" apache however, it was devastating even at 100 threads regardless of the lots of RAM and quad-core setup :-(

Levente

On 2011.08.20. 14:31, HI-TECH . wrote:
> Disabling mod_gzip/mod_deflate is a workaround I guess.
>
> 2011/8/20 Moritz Naumann:
>> On 20.08.2011 00:23 HI-TECH . wrote:
>>> (see attachment)
>>> /Kingcope
>> Works (too) well here. Are there any workarounds other than rate
>> limiting or detecting + dropping the traffic IPS-wise?
>>
>> Moritz
[Full-disclosure] Possible issues with encrypted Linux filesystems?
Dear All,

Yesterday I had a very interesting conversation with Anthony G. Basile, Ph. D. of D'Youville College about filesystem security. We thought that we should continue this discussion here, so we could all contemplate on the possibility of such a thing being possible.

After reading Anthony's article, which you may find here...

http://opensource.dyc.edu/random-vs-encrypted

...I've become worried about something very alarming, which I'd like to hear your opinion about.

You see, it's one thing that you encrypt data, and then make backups, encrypt those backups, and the attacker could get valuable information by comparing the patterns of the two... But when encrypting an entire operating system space, you actually encrypt much more than the data you wish to protect: you encrypt your system files, your packages, all of it. Now this may sound like an ideal thing to do, but I'm not so sure about that anymore.

Now, as we know, most Linux distributions have at least some files, directories, whatever that are bound to be the same on all systems. For example, binaries of gcc, some base directory names like /var, /usr, /home, layouts, and things like that. Even more, if you are using a "standard" distro like CentOS, you are assured to have literally gigabytes of data in forms of binary RPM packages on a default "base" installation, which not only are sure to be the same on all systems, but even their distribution across filesystems are prone to be predictable. For simplicity's sake, let's just put these into one bucket and call them "known artefacts".

I'm now worried that if an attacker knows, or "guesses" that you are using, say, CentOS Linux 5.5, (or at least some mutation of Red Hat), he might use this knowledge of "known artefacts" to his advantage, by starting out from the data he knows "must be there", and looking for its "patterns".

I don't know... This may be a longshot, wishful thinking or both, but somehow it feels to me like it's a lot easier to break a code when you already know exactly what the decrypted data is, and what it looks like. It should be like reverse-engineering ancient-egyptian text by seeing the same damn text in two or three other different languages you can actually understand... Essentially you could at the very least improve your chances at success if you have several certain, fixed points of reference for the decryption procedure (these "artefacts" we mentioned).

I'll dare to go even further... Even if you are not encrypting your entire system, just the data... you could be leaving behind artefacts like file format headers, etc etc... or in case of LVM, logical filesystems within the LVM could leave behind headers, identifiers to mark the type, end or beginning, etc. of FS, whatever. I agree it's not much, and probably no concern, but if you want to be extremely paranoid, it's something.

Now I'm not pretending to be an encryption expert... But I've got to tell it to you, if there's any possibility to this - then it creeps me out. Worst case scenario, we could be looking at the possibility of breaking virtually any "standard" distro as long as one could "guess" (or "brute-force-guess") the version and type of the distro, AND the system is encrypted along with the data to be protected...

I'd like you guys to put me back to ease by either proving me fatally wrong, or if there's anything to this... well, then we should discuss anyway.

Best Regards,

Levente Peres
Re: [Full-disclosure] Just how secure encrypted linux partitions really are?
stormrider, Jeffrey, Thor... and all others,

You gave me quite a bit of thinking, reading and reconsidering to do. I'm going to have to redesign the whole issue from scratch - not that it's a bad thing. Better investing some more time and effort now, than sweat maybe later.

Thank you so much for taking the time to answer me.

Levente

On 2010.12.12. 12:28, stormrider wrote:
> You should take care of a few things when encrypting hard
> drives and feeling secure with it.
>
> * Do's *
>
> A) Use a token. That means: Generate a long key. Encrypt that key and
> put the encrypted key on a thumb-drive. Make sure you leave no trace
> when doing that step. (Good way is to make that part from a live-cd). So
> when you want to mount the disc, you use a password, that decrypts the
> *real* key from the thumb-drive and uses that to decrypt the disc.
> Make sure nobody copies your token. That gives you two access
> components: *Have* the token and *Know* the password. Just like your
> bank card.
>
> B) Mostly messed up rule: Use a strong password! You can have TPM or a
> super secret USB Token or whatsoever. When they get your password
> nothing's secure anymore. You may want to begin shivering at that point.
> (shiver less when you had time to destroy your token before. Stop
> shivering when you're 100% sure nobody made a copy of your token)
>
> * Reminds *
>
> As long as the machine is running there is almost no protection of the data!
>
> 1) Every vulnerability inside the OS or daemons or else could make
> accessing your data possible - just as if there was no encryption.
>
> 2) Other attack vectors depend on *who* might want to take a closer
> look. For some people it makes quite a lot fun to freeze your system RAM
> and read it out later. That would indeed reveal your key.
>
> 3) Any unauthorized access to your box voids the system integrity so you
> should think about countermeasures. Broken integrity means forget
> encryption as a mighty little goblin might sit on your PCI bus reading
> your RAM by DMA (also elves and fairies thinkable).
>
> So if you want to be sure about that you shouldn't leave your box alone
> and running. If you do so, make sure the power gets switched off as soon
> as someone enters the room. Also make sure that it takes a few minutes
> to gain access to your memory sticks after power loss, as it takes some
> time until the data is vanished from memory.
>
> You also shouldn't connect your box to any network - So actually the
> best thing you can do is: keep your secrets in mind, not on disc. You
> then only have to make sure not being water-boarded or so, as this might
> also break your mind (this might also make you shout out any password
> anyways - so avoid that) ;-)
>
> stromrider
>
>
> On 12.12.2010 01:43, Levente Peres wrote:
>> Hello to All,
>>
>> If anyone has serious hands-on experience with this, I would like to
>> know some hard facts about this matter... I thought to ask you, because
>> here're some of the top experts in this field, so I could find few
>> better places. Hope you can nudge me in the right direction, and take
>> the time to answer this.
>>
>> Let's suppose I have a CentOS server, with encrypted root partition, and
>> I put the /boot partition on a separate USB key for good measure.
>> Encryption technology is the default which "ships" with CentOS 5.5 and
>> it's LVM.
>>
>> If someone gets hold of that machine, or rather, the drives inside the
>> Smart Array, what are the chances he can "decrypt" the root partition,
>> thus gaining access to the files, if he doesn't know the key? I mean I
>> know that given enough time, probably it could be done with brute-force.
>> But seriously, how much of a hindrance this is to anyone attempting to
>> do this? Does it offer any serious protection or is it just some
>> inconvenience to the person conducting the analysis of the machine? How
>> realistic is it that one can accomplish the decryption inside a
>> reasonable amount of time (like, say, within half a year or so)?
>>
>> Could some of you please give me some of your thoughts about this? And,
>> maybe, what other methods of file system encryption are out there which
>> are more secure?
>>
>> Thanks,
>>
>> Levente
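Item A in stormrider's reply (a long random key, stored on a thumb drive only in password-encrypted form) can be sketched as follows. This is an added example, not code from anyone in the thread: the function names, token layout and iteration count are assumptions, and because Python's standard library has no AES, an HMAC-SHA256 keystream with a MAC stands in for a real key-wrap cipher.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 200_000  # assumed PBKDF2 work factor; raise it as far as unlock time allows


def _expand(kek: bytes, label: bytes, length: int) -> bytes:
    """Stretch the key-encryption key to `length` bytes with HMAC-SHA256 in counter mode."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _kek(password: str, salt: bytes, iterations: int) -> bytes:
    """What you *know*: the password, made slow to guess by PBKDF2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def create_token(password: str, key_len: int = 64, iterations: int = ITERATIONS):
    """Return (disk_key, token). Only `token` is written to the thumb drive."""
    disk_key = secrets.token_bytes(key_len)  # the long random key that unlocks the disk
    salt = secrets.token_bytes(16)           # fresh per token, so the keystream never repeats
    kek = _kek(password, salt, iterations)
    wrapped = bytes(a ^ b for a, b in zip(disk_key, _expand(kek, b"wrap", key_len)))
    tag = hmac.new(_expand(kek, b"mac", 32), salt + wrapped, hashlib.sha256).hexdigest()
    token = json.dumps({"iter": iterations, "salt": salt.hex(),
                        "wrapped": wrapped.hex(), "tag": tag})
    return disk_key, token


def unlock(token: str, password: str) -> bytes:
    """What you *have* (the token) plus what you *know* (the password) gives the disk key."""
    fields = json.loads(token)
    salt = bytes.fromhex(fields["salt"])
    wrapped = bytes.fromhex(fields["wrapped"])
    kek = _kek(password, salt, int(fields["iter"]))
    expected = hmac.new(_expand(kek, b"mac", 32), salt + wrapped, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, fields["tag"]):
        # Same error for a wrong password and a modified token: no hint which one it was.
        raise ValueError("wrong password or damaged token")
    return bytes(a ^ b for a, b in zip(wrapped, _expand(kek, b"wrap", len(wrapped))))


if __name__ == "__main__":
    # Constructed passphrase, for demonstration only.
    key, tok = create_token("constructed example passphrase")
    assert unlock(tok, "constructed example passphrase") == key
    print("token for the thumb drive:", tok)
```

The token alone can still be attacked by guessing passwords offline, which is why item B insists on a strong password and why a copied token counts as compromised.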
[Full-disclosure] Just how secure encrypted linux partitions really are?
Hello to All,

If anyone has serious hands-on experience with this, I would like to know some hard facts about this matter... I thought to ask you, because here're some of the top experts in this field, so I could find few better places. Hope you can nudge me in the right direction, and take the time to answer this.

Let's suppose I have a CentOS server, with encrypted root partition, and I put the /boot partition on a separate USB key for good measure. Encryption technology is the default which "ships" with CentOS 5.5 and it's LVM.

If someone gets hold of that machine, or rather, the drives inside the Smart Array, what are the chances he can "decrypt" the root partition, thus gaining access to the files, if he doesn't know the key? I mean I know that given enough time, probably it could be done with brute-force. But seriously, how much of a hindrance this is to anyone attempting to do this? Does it offer any serious protection or is it just some inconvenience to the person conducting the analysis of the machine? How realistic is it that one can accomplish the decryption inside a reasonable amount of time (like, say, within half a year or so)?

Could some of you please give me some of your thoughts about this? And, maybe, what other methods of file system encryption are out there which are more secure?

Thanks,

Levente