Crivens said:Interesting that there is a turnkey ready device for this. Yes, I know that you need to do this in order to cache static parts of SSL websites, but one question : What happens if the end user does not trust the certificate you have?
kpa said:Exactly. If it turns out that CAs have been generating bogus certificates for the NSA for MITM attack purposes we can say bye bye to the whole SSL/TLS system.
According to one leading US cryptographer, the IT world should be thankful that the subversion of Windows by NSA has come to light before the arrival of CPUs that handles encrypted instruction sets. These would make the type of discoveries made this month impossible. "Had the next-generation CPU's with encrypted instruction sets already been deployed, we would have never found out about NSAKEY."
Gives them something to do. Keeps them off the streets.RichardET said:everyone ranting about it claims that it is.
Goobie said:I'm not saying stick your neck out and ask, I'm saying its a pretty big building, you'd think they'd offer some explanation. Or, do you think people jut didn't even bother thinking about it? I already know I'm screwed when it comes to a thought police future, but I also figured a lot of people were in the same boat.
kpa said:Exactly. If it turns out that CAs have been generating bogus certificates for the NSA for MITM attack purposes we can say bye bye to the whole SSL/TLS system.
Do you still add to the wealth of the Googles & Co. ?RichardET said:I haven't been here in a while, missed this thread entirely! My answer to all this is, "if everyone is so upset over this NSA leak, then why is Google still rising in wealth and popularity?" Apparently it's not really the "big deal" everyone ranting about it claims that it is. I still use Gmail, how about you?
Crivens said:
Crivens said:Some nice side order to go with the backdooring of the hardware or "BadBios". Have fun.
Crivens said:Last year's CCC congress had a talk describing how to create a USB device which can detect the OS it is connected to, or if it is being duplicated by dd or something equivalent and then serve different content.
This means that you can not check a memory stick for malware when it is connected to your (administrator) machine which is running something the hand picket target for the malware does not use. Sysadmins would check the device before allowing the PHB to connect it to some company equipment. Paranoid sysadmins would make a copy, check copy and stick, but would still not find the content which is pushed into the file system when the device is connected to some Windows machine (or MacOS, or...). Even using some $TARGET_OS in a virtual machine might not work as the timings would most likely be different.
Crivens said:Last year's CCC congress had a talk describing how to create a USB device which can detect the OS it is connected to, or if it is being duplicated by dd or something equivalent and then serve different content.
This means that you can not check a memory stick for malware when it is connected to your (administrator) machine which is running something the hand picket target for the malware does not use. Sysadmins would check the device before allowing the PHB to connect it to some company equipment. Paranoid sysadmins would make a copy, check copy and stick, but would still not find the content which is pushed into the file system when the device is connected to some Windows machine (or MacOS, or...). Even using some $TARGET_OS in a virtual machine might not work as the timings would most likely be different.
da1 said:Sounds interesting. Do you have any evidence to support this?
da1 said:Sounds interesting. Do you have any evidence to support this?
"I've been going through about $300 in USB sticks a week isolating this. :-( they've become use once devices for me"