Full Disclosure mailing list archives
RE: Insecurity in Finnish parlament (computers)
From: "Todd Towles" <toddtowles () brookshires com>
Date: Mon, 27 Dec 2004 09:10:14 -0600
The NSA has bigger fish to worry about than Finland. =) Sorry
-----Original Message----- From: full-disclosure-bounces () lists netsys com [mailto:full-disclosure-bounces () lists netsys com] On Behalf Of Markus Jansson Sent: Sunday, December 26, 2004 10:17 AM To: James Tucker Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] Insecurity in Finnish parlament (computers) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Sun, 26 Dec 2004 06:34:24 -0800 James Tucker <jftucker () gmail com> wrote:The only charge appropriate for this case would be what isinformallyknown as a 'gag order' and will require that you disproveunder a courtof law all statements made by Mr Jansson. In fact, you will have to prove that Mr Jansson's comments are causing you loss of revenue or damaging the overall reputation of your organisation through false claims.Heh, I dont believe there are such laws here in Finland. If we where talking about private enterprise or individual person, it would be possible if its clear that Im lying and causing great damage.Items 1 to 9 on the list would suggest physical access to a device, this is likely to have been contradictory to law.Perhaps, if you think that *I* got access by using illegal means. Then, ofcourse, someone would have to prove that and if they dont, well...It is also possible, that he has had only limited access to one particular device, this would not be conclusive and may notbe a truerepresentation of the state of affairs of all devices owned by the Finnish government.It is unlikely that all the computers have the same security holes for many reason, but I have gotten confirmations from several computers/users that atleast most of the issues I have described exist in most, if not all, computers.Item 10 negates the likelihood of physical access, this would contradict the above and would seem to make the story inconsistent.Maybe I didnt (if I did infact myself) have means to access everything in those computers... ;)Item 12 describes a well known problem, however this cannotbe fixed bythe users of the system.Oh yes, they could and should move from TeliaSonera to Elisa for example, that uses secure COMP-128-3 and A5/3. Its been years and years since this security hole was shown first so they have had plenty of time, but they just dont give a drek (both in TeliaSonera and in our parlament).Furthermore item 12 describes a scenario which simply is notrealistic.Whilst the encryption algorithms in use may be crackable innear realtime on a modern computer,A5/1 is crackable IN REAL TIME. http://www.gsm-security.net/faq/gsm-a3-a8-comp128-broken- security.shtml http://cryptome.org/gsm-crack-bbk.pdf http://www.gsm-security.net/faq/gsm-a5-broken-security.shtmldissection of the modulation scheme and isolation of asingle device ismost certainly NOT possible with a single laptop.Ofcourse you need few additional tools for that, but the point is, that the security of the system is broken.Most likely there are no civilians in Finland with the resources to actually carry out the attack described.Some civilians do have. However, Finnish people are so uninterested in politics that they really would bother. ;) But other goverments and intelligence agencies would surely be interested and willing to wiretap and listen.Item 13 has more implications than have been considered and would require more than a little insider knowledge to pull off the attack.Perhaps. The issue is, that it can be done and they should protect themselfes against it.In terms of civilian liability this method of attack is absolutely absurd. It would require co-ordination from several places and a significant knowledge of existing infrastructure surrounding that geographical location.That sort of information is easily obtained. No co-ordination is really required, just put up a false GSM base station next to our parlament building with a strong enought signal and voila!Such hard work is rarely necessary, as it would make moresense to justknock out the government worker and steal their laptop With a good getaway plan this would take far less time, and not cost hundreds of thousands of dollars.True, that attack is more potential especially since the laptop HDD:s are not encrypted (as they should).We are discussing government security here, but if there issomethingoccurring that would concern the NSA or MI5/6 thenencrypting your GSMcomms will be the least of your security concerns.I was under the impression that NSA etc. spy for their living anything they can. I bet members of parlaments and their assistants are very good targets.Firstly it would appear that Mark is a common sensationalist.Argumentum ad hominem. Red herring.Having taken part in quite unscientific objections with members of Greenpeace for a start.Argumentum ad hominem. Red herring.Tetra security for example is claimed to be useless on his site, but once again his lack of understanding of Radio Frequency eavesdropping shows a clear lack of knowledge in this area.Red herring. Useless blahblahblah. Please clarify. Give proper arguments. As I sayed, TETRA might be backdoored for NSA as sayed by EU, and TEA algorithms are not open and tested for security, so there is no point on trusting them. Please tell me what is incorrect in those two arguments of mine.Another clear example of his sensationalist attitude without proper understanding or thought is in his discussion of SSHsecurity, where heclaims that authentication keys are useless because they cannot be known trusted during the first connection instance (or maybe he just hasn't realised you should save the keys during a build??).Argumentum ad hominem. Red herring. Dont try to put words into my mouth. I clearly say in my pages:"Unless you can receive the publickey or the fingerprint of the publickey used in some secure manner." And this is absolutely true.Common reports of Man in the Middle attacks being possible are not understood either.Red herring. Not only possible but very real and easy to do.As shown by the idiosyncratic inclusion of a key fingerprint on the same page as his PGP key links (for added security!?). If someone wanted to sit in the middle, would they not change both thekey and thefingerprint reported?Argumentum ad hominem. Red herring. My key is available from various locations, and so is the fingerprint.There are so many 'bits' that you simply could not filterall of themusing standard electronics.Red herring. Actually it sayes in my Finnish pages "they might know about it", just translation error.What you might want to do is provide substantial evidence though, in order to not end up in lawsuits.Contact members of our parlament or their assistants and ask them. I have. Markus Jansson Turku http://www.markusjansson.net -----BEGIN PGP SIGNATURE----- Note: This signature can be verified at https://www.hushtools.com/verify Version: Hush 2.4 wkYEARECAAYFAkHO5O8ACgkQp4wnv3Na2tox5gCguVzXFJkwpVspnbyQf1BdjSUWfWcA nisJBbqDg/d5IuApeiG0RVYc8qiL =YEVR -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: Insecurity in Finnish parlament (computers), (continued)
- Re: Insecurity in Finnish parlament (computers) Carlos de Oliveira (Dec 23)
- Insecurity in Finnish parlament (computers) Mustajärvi Olli (Dec 23)
- Re: Insecurity in Finnish parlament (computers) Peter Besenbruch (Dec 24)
- Re: Insecurity in Finnish parlament (computers) James Tucker (Dec 26)
- Re: Insecurity in Finnish parlament (computers) Alex V. Lukyanenko (Dec 24)
- Re: Insecurity in Finnish parlament (computers) Peter Besenbruch (Dec 24)
- Insecurity in Finnish parlament (computers) Mustajärvi Olli (Dec 23)
- Re: Insecurity in Finnish parlament (computers) Thomas Sutpen (Dec 25)
- Insecurity in Finnish parlament (computers) Mustajärvi Olli (Dec 23)
- Insecurity in Finnish parlament (computers) Mustajärvi Olli (Dec 23)
- Re: Insecurity in Finnish parlament (computers) James Tucker (Dec 26)
- RE: Insecurity in Finnish parlament (computers) Todd Towles (Dec 27)
- Re: Insecurity in Finnish parlament (computers) Markus Jansson (Dec 27)