RE: [Full-Disclosure] Insecurity in Finnish parlament (computers)

From: Todd Towles (toddtowles_at_brookshires.com)
Date: 12/27/04

    Date: Mon, 27 Dec 2004 09:10:14 -0600
    To: "Markus Jansson" <markus.jansson@hushmail.com>, "James Tucker" <jftucker@gmail.com>
    
    

    The NSA has bigger fish to worry about than Finland. =) Sorry

    > -----Original Message-----
    > From: full-disclosure-bounces@lists.netsys.com
    > [mailto:full-disclosure-bounces@lists.netsys.com] On Behalf
    > Of Markus Jansson
    > Sent: Sunday, December 26, 2004 10:17 AM
    > To: James Tucker
    > Cc: full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] Insecurity in Finnish
    > parlament (computers)
    >
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    >
    > On Sun, 26 Dec 2004 06:34:24 -0800 James Tucker
    > <jftucker@gmail.com> wrote:
    > >The only charge appropriate for this case would be what is informally
    > >known as a 'gag order' and will require that you disprove under a court
    > >of law all statements made by Mr Jansson. In fact, you will have to
    > >prove that Mr Jansson's comments are causing you loss of revenue or
    > >damaging the overall reputation of your organisation through false
    > >claims.
    >
    > Heh, I don't believe there are such laws here in Finland. If
    > we were talking about private enterprise or individual
    > person, it would be possible if it's clear that I'm lying and
    > causing great damage.
    >
    >
    > >Items 1 to 9 on the list would suggest physical access to a device,
    > >this is likely to have been contradictory to law.
    >
    > Perhaps, if you think that *I* got access by using illegal means.
    > Then, of course, someone would have to prove that and if they
    > don't, well...
    >
    >
    > >It is also possible, that he has had only limited access to one
    > >particular device, this would not be conclusive and may not be a true
    > >representation of the state of affairs of all devices owned by the
    > >Finnish government.
    >
    > It is unlikely that all the computers have the same security
    > holes for many reasons, but I have gotten confirmations from
    > several computers/users that at least most of the issues I
    > have described exist in most, if not all, computers.
    >
    >
    > >Item 10 negates the likelihood of physical access, this would
    > >contradict the above and would seem to make the story inconsistent.
    >
    > Maybe I didn't (if I did in fact myself) have means to access
    > everything in those computers... ;)
    >
    >
    > >Item 12 describes a well known problem, however this cannot be fixed by
    > >the users of the system.
    >
    > Oh yes, they could and should move from TeliaSonera to Elisa
    > for example, that uses secure COMP-128-3 and A5/3. It's been
    > years and years since this security hole was shown first so
    > they have had plenty of time, but they just don't give a drek
    > (both in TeliaSonera and in our parliament).
    >
    >
    > >Furthermore item 12 describes a scenario which simply is not realistic.
    > >Whilst the encryption algorithms in use may be crackable in near real
    > >time on a modern computer,
    >
    > A5/1 is crackable IN REAL TIME.
    > http://www.gsm-security.net/faq/gsm-a3-a8-comp128-broken-security.shtml
    > http://cryptome.org/gsm-crack-bbk.pdf
    > http://www.gsm-security.net/faq/gsm-a5-broken-security.shtml
    >
    >
    > >dissection of the modulation scheme and isolation of a single device is
    > >most certainly NOT possible with a single laptop.
    >
    > Of course you need few additional tools for that, but the
    > point is, that the security of the system is broken.
    >
    >
    > >Most likely there are no civilians in Finland with the resources to
    > >actually carry out the attack described.
    >
    > Some civilians do have. However, Finnish people are so
    > uninterested in politics that they really would bother. ;)
    > But other governments and intelligence agencies would surely
    > be interested and willing to wiretap and listen.
    >
    >
    > >Item 13 has more implications than have been considered and would
    > >require more than a little insider knowledge to pull off the attack.
    >
    > Perhaps. The issue is, that it can be done and they should
    > protect themselves against it.
    >
    >
    > >In terms of civilian liability this method of attack is absolutely
    > >absurd. It would require co-ordination from several places and a
    > >significant knowledge of existing infrastructure surrounding that
    > >geographical location.
    >
    > That sort of information is easily obtained. No co-ordination
    > is really required, just put up a false GSM base station next
    > to our parliament building with a strong enough signal and voila!
    >
    >
    > >Such hard work is rarely necessary, as it would make more sense to just
    > >knock out the government worker and steal their laptop. With a good
    > >getaway plan this would take far less time, and not cost hundreds of
    > >thousands of dollars.
    >
    > True, that attack is more potential especially since the
    > laptop HDD:s are not encrypted (as they should).
    >
    >
    > >We are discussing government security here, but if there is something
    > >occurring that would concern the NSA or MI5/6 then encrypting your GSM
    > >comms will be the least of your security concerns.
    >
    > I was under the impression that NSA etc. spy for their living
    > anything they can. I bet members of parliaments and their
    > assistants are very good targets.
    >
    >
    > >Firstly it would appear that Mark is a common sensationalist.
    >
    > Argumentum ad hominem. Red herring.
    >
    >
    > >Having taken part in quite unscientific objections with members of
    > >Greenpeace for a start.
    >
    > Argumentum ad hominem. Red herring.
    >
    >
    > >Tetra security for example is
    > >claimed to be useless on his site, but once again his lack of
    > >understanding of Radio Frequency eavesdropping shows a clear lack of
    > >knowledge in this area.
    >
    > Red herring.
    > Useless blahblahblah. Please clarify. Give proper arguments.
    > As I said, TETRA might be backdoored for NSA as said by EU,
    > and TEA algorithms are not open and tested for security, so
    > there is no point on trusting them. Please tell me what is
    > incorrect in those two arguments of mine.
    >
    >
    > >Another clear example of his sensationalist attitude without proper
    > >understanding or thought is in his discussion of SSH security, where he
    > >claims that authentication keys are useless because they cannot be
    > >known trusted during the first connection instance (or maybe he just
    > >hasn't realised you should save the keys during a build??).
    >
    > Argumentum ad hominem. Red herring.
    > Don't try to put words into my mouth. I clearly say in my
    > pages: "Unless you can receive the publickey or the
    > fingerprint of the publickey used in some secure manner." And
    > this is absolutely true.
    >
    >
    > >Common reports of Man in the Middle attacks being possible are not
    > >understood either.
    >
    > Red herring.
    > Not only possible but very real and easy to do.
    >
    >
    > >As shown by the idiosyncratic inclusion of a key fingerprint on the
    > >same page as his PGP key links (for added security!?). If someone
    > >wanted to sit in the middle, would they not change both the key and the
    > >fingerprint reported?
    >
    > Argumentum ad hominem. Red herring.
    > My key is available from various locations, and so is the fingerprint.
    >
    >
    > >There are so many 'bits' that you simply could not filter all of them
    > >using standard electronics.
    >
    > Red herring.
    > Actually it says in my Finnish pages "they might know about
    > it", just translation error.
    >
    >
    > >What you might want to do is provide substantial evidence though, in
    > >order to not end up in lawsuits.
    >
    > Contact members of our parliament or their assistants and ask them.
    > I have.
    >
    >
    > Markus Jansson
    > Turku
    > http://www.markusjansson.net
    > -----BEGIN PGP SIGNATURE-----
    > Note: This signature can be verified at
    > https://www.hushtools.com/verify
    > Version: Hush 2.4
    >
    > wkYEARECAAYFAkHO5O8ACgkQp4wnv3Na2tox5gCguVzXFJkwpVspnbyQf1BdjSUWfWcA
    > nisJBbqDg/d5IuApeiG0RVYc8qiL
    > =YEVR
    > -----END PGP SIGNATURE-----
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >


