RE: Insecurity in Finnish parlament (computers)

["Todd Towles" <toddtowles () brookshires com>]

The NSA has bigger fish to worry about than Finland. =) Sorry

> -----Original Message-----
> From: full-disclosure-bounces () lists netsys com 
> [mailto:full-disclosure-bounces () lists netsys com] On Behalf 
> Of Markus Jansson
> Sent: Sunday, December 26, 2004 10:17 AM
> To: James Tucker
> Cc: full-disclosure () lists netsys com
> Subject: Re: [Full-disclosure] Insecurity in Finnish 
> parlament (computers)
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Sun, 26 Dec 2004 06:34:24 -0800 James Tucker 
> <jftucker () gmail com> wrote:
> > The only charge appropriate for this case would be what is 
> informally 
> > known as a 'gag order' and will require that you disprove 
> under a court 
> > of law all statements made by Mr Jansson. In fact, you will have to 
> > prove that Mr Jansson's comments are causing you loss of revenue or 
> > damaging the overall reputation of your organisation through false 
> > claims.
>
> Heh, I dont believe there are such laws here in Finland. If 
> we where talking about private enterprise or individual 
> person, it would be possible if its clear that Im lying and 
> causing great damage.
>
>
> > Items 1 to 9 on the list would suggest physical access to a device, 
> > this is likely to have been contradictory to law.
>
> Perhaps, if you think that *I* got access by using illegal means.
> Then, ofcourse, someone would have to prove that and if they 
> dont, well...
>
>
> > It is also possible, that he has had only limited access to one 
> > particular device, this would not be conclusive and may not 
> be a true 
> > representation of the state of affairs of all devices owned by the 
> > Finnish government.
>
> It is unlikely that all the computers have the same security 
> holes for many reason, but I have gotten confirmations from 
> several computers/users that atleast most of the issues I 
> have described exist in most, if not all, computers.
>
>
> > Item 10 negates the likelihood of physical access, this would 
> > contradict the above and would seem to make the story inconsistent.
>
> Maybe I didnt (if I did infact myself) have means to access 
> everything in those computers...  ;)
>
>
> > Item 12 describes a well known problem, however this cannot 
> be fixed by 
> > the users of the system.
>
> Oh yes, they could and should move from TeliaSonera to Elisa 
> for example, that uses secure COMP-128-3 and A5/3. Its been 
> years and years since this security hole was shown first so 
> they have had plenty of time, but they just dont give a drek 
> (both in TeliaSonera and in our parlament).
>
>
> > Furthermore item 12 describes a scenario which simply is not 
> realistic. 
> > Whilst the encryption algorithms in use may be crackable in 
> near real 
> > time on a modern computer,
>
> A5/1 is crackable IN REAL TIME.
> http://www.gsm-security.net/faq/gsm-a3-a8-comp128-broken-
> security.shtml
> http://cryptome.org/gsm-crack-bbk.pdf
> http://www.gsm-security.net/faq/gsm-a5-broken-security.shtml
>
>
> > dissection of the modulation scheme and isolation of a 
> single device is 
> > most certainly NOT possible with a single laptop.
>
> Ofcourse you need few additional tools for that, but the 
> point is, that the security of the system is broken.
>
>
> > Most likely there are no civilians in Finland with the resources to 
> > actually carry out the attack described.
>
> Some civilians do have. However, Finnish people are so 
> uninterested in politics that they really would bother. ;)  
> But other goverments and intelligence agencies would surely 
> be interested and willing to wiretap and listen.
>
>
> > Item 13 has more implications than have been considered and would 
> > require more than a little insider knowledge to pull off the attack.
>
> Perhaps. The issue is, that it can be done and they should 
> protect themselfes against it.
>
>
> > In terms of civilian liability this method of attack is absolutely 
> > absurd. It would require co-ordination from several places and a 
> > significant knowledge of existing infrastructure surrounding that 
> > geographical location.
>
> That sort of information is easily obtained. No co-ordination 
> is really required, just put up a false GSM base station next 
> to our parlament building with a strong enought signal and voila!
>
>
> > Such hard work is rarely necessary, as it would make more 
> sense to just 
> > knock out the government worker and steal their laptop With a good 
> > getaway plan this would take far less time, and not cost hundreds of 
> > thousands of dollars.
>
> True, that attack is more potential especially since the 
> laptop HDD:s are not encrypted (as they should).
>
>
> > We are discussing government security here, but if there is 
> something 
> > occurring that would concern the NSA or MI5/6 then 
> encrypting your GSM 
> > comms will be the least of your security concerns.
>
> I was under the impression that NSA etc. spy for their living 
> anything they can. I bet members of parlaments and their 
> assistants are very good targets.
>
>
> > Firstly it would appear that Mark is a common sensationalist.
>
> Argumentum ad hominem. Red herring.
>
>
> > Having taken part in quite unscientific objections with members of 
> > Greenpeace for a start.
>
> Argumentum ad hominem. Red herring.
>
>
> > Tetra security for example is
> > claimed to be useless on his site, but once again his lack of 
> > understanding of Radio Frequency eavesdropping shows a clear lack of 
> > knowledge in this area.
>
> Red herring.
> Useless blahblahblah. Please clarify. Give proper arguments. 
> As I sayed, TETRA might be backdoored for NSA as sayed by EU, 
> and TEA algorithms are not open and tested for security, so 
> there is no point on trusting them. Please tell me what is 
> incorrect in those two arguments of mine.
>
>
> > Another clear example of his sensationalist attitude without proper 
> > understanding or thought is in his discussion of SSH 
> security, where he 
> > claims that authentication keys are useless because they cannot be 
> > known trusted during the first connection instance (or maybe he just 
> > hasn't realised you should save the keys during a build??).
>
> Argumentum ad hominem. Red herring.
> Dont try to put words into my mouth. I clearly say in my 
> pages:"Unless you can receive the publickey or the 
> fingerprint of the publickey used in some secure manner." And 
> this is absolutely true.
>
>
> > Common reports of Man in the Middle attacks being possible are not 
> > understood either.
>
> Red herring.
> Not only possible but very real and easy to do.
>
>
> > As shown by the idiosyncratic inclusion of a key fingerprint on the 
> > same page as his PGP key links (for added security!?). If someone 
> > wanted to sit in the middle, would they not change both the 
> key and the 
> > fingerprint reported?
>
> Argumentum ad hominem. Red herring.
> My key is available from various locations, and so is the fingerprint.
>
>
> > There are so many 'bits' that you simply could not filter 
> all of them 
> > using standard electronics.
>
> Red herring.
> Actually it sayes in my Finnish pages "they might know about 
> it", just translation error.
>
>
> > What you might want to do is provide substantial evidence though, in 
> > order to not end up in lawsuits.
>
> Contact members of our parlament or their assistants and ask them.
> I have.
>
>
> Markus Jansson
> Turku
> http://www.markusjansson.net
> -----BEGIN PGP SIGNATURE-----
> Note: This signature can be verified at 
> https://www.hushtools.com/verify
> Version: Hush 2.4
>
> wkYEARECAAYFAkHO5O8ACgkQp4wnv3Na2tox5gCguVzXFJkwpVspnbyQf1BdjSUWfWcA
> nisJBbqDg/d5IuApeiG0RVYc8qiL
> =YEVR
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html