Difference between revisions of "Security"

From Organic Design wiki

{{glossary}}<onlyinclude>These few paragraphs from Bastiat's [[The Law]] are a good introduction to personal security: What, then, is law? It is the collective organization of the individual right to lawful defence.

Each of us has a natural right — from God — to defend his person, his liberty, and his property. These are the three basic requirements of life, and the preservation of any one of them is completely dependent upon the preservation of the other two. For what are our faculties but the extension of our individuality? And what is property but an extension of our faculties?

If every person has the right to defend — even by force — his person, his liberty, and his property, then it follows that a group of men have the right to organize and support a common force to protect these rights constantly. Thus the principle of collective right — its reason for existing, its lawfulness — is based on individual right. And the common force that protects this collective right cannot logically have any other purpose or any other mission than that for which it acts as a substitute. Thus, since an individual cannot lawfully use force against the person, liberty, or property of another individual, then the common force — for the same reason — cannot lawfully be used to destroy the person, liberty, or property of individuals or groups.</onlyinclude>

The assurance of physical security can be provided to members of a [[social mechanism]] in the same way as other aspects of the [[common vision]] are achieved - using a [[trust group]] based [[assurance]] system to avoid the need for a centralised institution. Members act together as a group, in [[alignment]] with the [[common vision]], to ensure that fundamental shared values are maintained, such as protecting members against harm and preventing them from harming others.

== Informational security ==
Another important aspect of security is the assurance that our data is both [[privacy|private]] and distributed. A growing number of people around the world now realise the need to work together in [[alignment]] with the [[common vision]], and that to do this we need full control over our information in our own hands while still taking advantage of distributed storage. The only way to really achieve both is through [[peer-to-peer network]]s. The so-called "cloud" services offered by centralised corporations cannot offer true security or [[privacy]], since the operator, not the user, holds the data.

== Second Realm statement on Security ==
Security starts with keeping the peace. While this might sound obvious it is nevertheless often forgotten. Keeping the peace means that one is active in not starting trouble and in staying out of harm's way before a conflict can start or escalate. We must refrain from provoking others to attack us by the behavior we display. It starts with not employing violence ourselves unless it happens in self-defense, not defrauding others, not breaking agreements, not bragging and challenging. Quietness, integrity and honesty combined with confidence reduce the risk of conflict greatly.

== Security news ==
*2020-07-30: [https://www.debian.org/security/2020-GRUB-UEFI-SecureBoot/ BootHole UEFI hack via GRUB2 buffer overrun]
*2020-06-20: [https://awakesecurity.com/blog/the-internets-new-arms-dealers-malicious-domain-registrars/ The Internet’s New Arms Dealers: Malicious Domain Registrars]
*2020-04-22: [https://nakedsecurity.sophos.com/2020/03/02/siri-and-google-assistant-hacked-in-new-ultrasonic-attack/amp/ Voice assistants hacked via ultrasonic waves]
*2020-04-15: [https://mashable.com/article/zoom-500000-accounts-dark-web/ 500K Zoom accounts being sold on the darkweb]
*2020-03-06: [https://flatkill.org/ Flatpak - a security nightmare]
*2020-01-31: [https://blog.kraken.com/post/3662/kraken-identifies-critical-flaw-in-trezor-hardware-wallets/ Kraken identifies critical flaw in Trezor hardware wallets]
*2019-12-09: [https://arstechnica.com/gadgets/2019/12/wireguard-vpn-is-a-step-closer-to-mainstream-adoption/ Wireguard to be shipped in Linux kernel 5.6 in 2020]
*2019-12-04: [https://www.zdnet.com/article/two-malicious-python-libraries-removed-from-pypi/ Two malicious Python libraries caught stealing SSH and GPG keys] ''- one library was available for only two days, but the second was live for nearly a year''
*2019-09-07: [https://arstechnica.com/information-technology/2019/08/skype-slack-other-electron-based-apps-can-be-easily-backdoored/ Skype, Slack, other Electron-based apps can be easily backdoored]
*2019-01-22: [https://justi.cz/security/2019/01/22/apt-rce.html Remote Code Execution in apt/apt-get]
*2019-01-17: [https://www.troyhunt.com/the-773-million-record-collection-1-data-reach/ The 773 Million Record "Collection #1" Data Breach]
*2018-11-26: [https://www.zdnet.com/article/hacker-backdoors-popular-javascript-library-to-steal-bitcoin-funds/ Event-stream js library hacked by new "maintainer"]
*2018-11-15: [https://pastebin.com/bwvqHhbA Hackers say they've collected months of passwords and decrypted emails from ProtonMail]
*2018-11-05: [https://news.ycombinator.com/item?id=18382975 Now Samsung and Crucial doing "security"] ''- their SSD drive locking is little more than a marketing gimmick :-(''
*2018-11-05: [https://twitter.com/vcsjones/status/1059442274621366272 More Microsoft "security" this time with BitLocker]
*2018-10-26: [https://www.bleepingcomputer.com/news/security/trivial-bug-in-xorg-gives-root-permission-on-linux-and-bsd-systems/ Trivial Bug in X.Org Gives Root Permission on Linux and BSD Systems] ''- fixed in [https://www.debian.org/security/2018/dsa-4328 Debian with Xorg-2:1.19.2-1+deb9u4] and [https://launchpad.net/ubuntu/bionic/+source/xorg-server Ubuntu/Mint with Xorg-2:1.19.6-1ubuntu4.2]''
*2018-10-06: [https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-the-software-side-of-china-s-supply-chain-attack Bloomberg not backing down, adding more fuel], [https://www.businessinsider.com/supermicro-share-price-crushed-by-report-it-sold-servers-compromised-by-chinese-spies-2018-10 Supermicro stock down 53%]
*2018-10-04: [https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies] ''- see also, [https://news.ycombinator.com/item?id=18138328 this] thread about it, also [https://www.supermicro.com/newsroom/pressreleases/2018/press181004_Bloomberg.cfm Supermicro], [https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/ apple] and [https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/ amazon] all deny it''
*2018-05-14: [https://lists.gnupg.org/pipermail/gnupg-users/2018-May/060318.html Werner Koch from gnupg.org responds to recent PGP exploit news]
*2018-02-14: [https://securelist.com/zero-day-vulnerability-in-telegram/83800/ Vulnerability in desktop version of Telegram using right-to-left character in filenames]
*2018-01-03: [https://thehackernews.com/2018/01/intel-kernel-vulnerability.html Meltdown and Spectre, two new kernel side-channel attacks] ''- more detail [https://arstechnica.com/gadgets/2018/01/meltdown-and-spectre-every-modern-processor-has-unfixable-security-flaws/ here], paper from 1995 explaining that instruction prefetching would cause this [https://pdfs.semanticscholar.org/2209/42809262c17b6631c0f6536c91aaf7756857.pdf here]!''
*2017-10-16: [http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/ Practically all wifi is insecure due to an exploit in WPA2 called KRACK] ''- details about KRACK [https://www.krackattacks.com/ here]''
*2017-05-01: [https://arstechnica.com/security/2017/05/intel-patches-remote-code-execution-bug-that-lurked-in-cpus-for-10-years/ Intel patches remote hijacking vulnerability that lurked in chips for 7 years] ''- flaw in remote management feature gives attackers a way to breach networks''
*2017-02-25: [https://www.engadget.com/2017/02/24/how-used-cars-became-a-security-nightmare/ How used cars became a security nightmare]
*2017-02-23: [https://security.googleblog.com/2017/02/announcing-first-sha1-collision.html Announcing the first SHA-1 collision]
*2017-02-11: [https://arstechnica.com/security/2017/02/a-rash-of-invisible-fileless-malware-is-infecting-banks-around-the-globe/ A rash of invisible, fileless malware is infecting banks around the globe]
*2016-11-17: [http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/ PoisonTap] ''- $5 [[Pi]]-based hacking device (see also our local [[PoisonTap solution]])''
*2016-09-25: [http://arstechnica.com/security/2016/09/why-the-silencing-of-krebsonsecurity-opens-a-troubling-chapter-for-the-net/ IoT devices being used for massive DDoS attacks]
*2016-08-25: [https://www.sigmobile.org/mobicom/2015/papers/p90-aliA.pdf Keystroke Recognition Using WiFi Signals]
*2016-01-16: [http://www.undeadly.org/cgi?action=article&sid=20160114142733 Client-side bug found in OpenSSH that exposes private keys]
*2015-02-26: [http://cointelegraph.com/news/113562/the-worlds-most-secure-operating-system-adds-a-bitcoin-wallet Tails Linux adds a bitcoin wallet]
*2014-10-27: [http://cointelegraph.com/news/112810/researcher-discovers-tor-is-vulnerable-to-malware-binaries-inserted-into-binary-code Researcher Discovers Tor Is Vulnerable To Malware Binaries Inserted By Exit Nodes]
*2014-10-15: [https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack POODLE - a fatal security flaw found in SSL 3.0]
*2013-12-31: [http://arstechnica.com/information-technology/2013/12/inside-the-nsas-leaked-catalog-of-surveillance-magic/ Your USB cable, the spy: Inside the NSA’s catalog of surveillance magic] ''- latest batch of documents from Snowden shows NSA's power to pwn''
*2013-12-31: [http://rt.com/usa/dell-appelbaum-30c3-apology-027/ Sorry for letting them snoop? Dell apologizes for ‘inconvenience’ caused by NSA backdoor]
*2013-12-20: [http://rt.com/usa/rsa-nsa-deal-weaken-encryption-581/ Major computer security firm RSA took $10 mln from NSA to weaken encryption]
*2013-12-11: [http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/ “We cannot trust” Intel and Via’s chip-based crypto, FreeBSD developers say] ''- following NSA leaks from Snowden, engineers lose faith in hardware randomness''
*2013-08-04: [http://bitcoinmagazine.com/freedom-hosting-taken-down-founder-arrestes-users-fed-javascript-exploits/ Freedom Hosting Taken Down, Founder Arrested, Users fed Javascript Exploits]
**[http://www.reddit.com/r/technology/comments/1joqr6/half_of_all_tor_sites_compromised_freedom_hosting/ original discussion of the code]
**[http://arstechnica.com/security/2013/08/attackers-wield-firefox-exploit-to-uncloak-anonymous-tor-users/ Ars on the exploit]
*2013-07-27: [http://rt.com/news/new-zealand-protest-bill-683/ New Zealanders protest national security bill]
*2013-06-25: [http://news.netcraft.com/archives/2013/06/25/ssl-intercepted-today-decrypted-tomorrow.html SSL: Intercepted today, decrypted tomorrow] ''- see also the Perfect Forward Secrecy setup in [[Install a new server]]''
*2012-12-09: [http://boingboing.net/2012/12/09/congressman-calls-for-ban-on-3.html Congressman calls for ban on 3D printed guns]
*2012-11-20: [http://www.bbc.co.uk/news/science-environment-13940928 Quantum cryptography done on standard broadband fibre]
*2012-10-03: [http://keccak.noekeon.org/ The Keccak sponge function family] ''- NIST selects Keccak for SHA-3''
*2012-08-05: [http://articles.mercola.com/sites/articles/archive/2012/08/05/internet-security-virus.aspx If You See This Google Warning, Act Fast: Big Brother is Watching]
*2012-08-03: [http://www.emptyage.com/post/28679875595/yes-i-was-hacked-hard Yes, I was hacked. Hard.] ''- iCloud hack''
*2012-07-30: [http://arstechnica.com/security/2012/07/broken-microsoft-sheme-exposes-traffic/ Attack against Microsoft scheme puts hundreds of crypto apps at risk]
*2012-06-25: [http://arstechnica.com/security/2012/06/securid-crypto-attack-steals-keys/ Scientists crack RSA SecurID 800 tokens, steal cryptographic keys - in under 15 minutes]
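The X.Org entry above gives the package versions in which Debian and Ubuntu shipped the fix. The check a practitioner actually wants is whether the version installed on a host is at or above that fixed version, and because Debian versions carry epochs, tildes and mixed digit/letter runs, a plain string comparison gets it wrong (for instance "1.19.6-1ubuntu4.2" sorts before "1.19.6-1ubuntu4" as a string). The Python below is an added example, not code from this wiki or from the distributions: it re-implements the ordering that dpkg uses for version comparison and applies it to the two fixed versions quoted in that entry. The package name, the distro mapping and the inventory lines are constructed for the example.

```python
"""Check installed Debian/Ubuntu package versions against a fixed version,
using the ordering dpkg applies.  Added example, not code from the wiki or
the distributions; the two fixed versions come from the X.Org news entry,
everything else here is constructed for illustration."""
import string

DIGITS = set(string.digits)
LETTERS = set(string.ascii_letters)

# Versions the news entry cites as carrying the fix (page's own values).
FIXED_VERSIONS = {
    "debian": "2:1.19.2-1+deb9u4",
    "ubuntu": "2:1.19.6-1ubuntu4.2",
}

# Constructed sample, one host per line: host distro package version
# (version field as printed by dpkg-query -W -f='${Package} ${Version}\n').
SAMPLE_INVENTORY = """\
stretch-1 debian xserver-xorg-core 2:1.19.2-1+deb9u3
stretch-2 debian xserver-xorg-core 2:1.19.2-1+deb9u4
bionic-1 ubuntu xserver-xorg-core 2:1.19.6-1ubuntu4
bionic-2 ubuntu xserver-xorg-core 2:1.19.6-1ubuntu4.2
"""


def _order(c):
    """dpkg's weight for a non-digit character ('' marks end of string):
    '~' sorts before everything, letters before other symbols."""
    if c == "" or c in DIGITS:
        return 0
    if c in LETTERS:
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments like dpkg's verrevcmp(): alternate
    non-digit runs (lexical, via _order) and digit runs (numeric)."""
    def ch(s, k):
        return s[k] if k < len(s) else ""

    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: the first differing character decides.
        while ((ch(a, i) and ch(a, i) not in DIGITS)
               or (ch(b, j) and ch(b, j) not in DIGITS)):
            diff = _order(ch(a, i)) - _order(ch(b, j))
            if diff:
                return diff
            i += 1
            j += 1
        # Digit run: drop leading zeros, compare numerically; whichever
        # side still has digits left is the larger number.
        while ch(a, i) == "0":
            i += 1
        while ch(b, j) == "0":
            j += 1
        first_diff = 0
        while ch(a, i) in DIGITS and ch(b, j) in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if ch(a, i) in DIGITS:
            return 1
        if ch(b, j) in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, sep, revision = version.rpartition("-")
    if not sep:  # no Debian revision present
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """<0, 0 or >0 as a is older than, equal to or newer than b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return ea - eb
    return _verrevcmp(ua, ub) or _verrevcmp(ra, rb)


def is_patched(installed, fixed):
    """True when the installed version is at or above the fixed one."""
    return compare_versions(installed, fixed) >= 0


def audit(inventory=SAMPLE_INVENTORY, fixed=FIXED_VERSIONS):
    """Map host -> patched? for each 'host distro package version' line."""
    report = {}
    for line in inventory.splitlines():
        host, distro, _package, version = line.split()
        report[host] = is_patched(version, fixed[distro])
    return report


if __name__ == "__main__":
    for host, ok in audit().items():
        print(host, "patched" if ok else "VULNERABLE")
```

On a real host the version field comes from `dpkg-query -W -f='${Package} ${Version}\n' xserver-xorg-core`, and where dpkg is present `dpkg --compare-versions "$installed" ge "$fixed"` gives the same answer from the shell; the Python is useful when checking an inventory collected from many hosts on a machine that does not have dpkg.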
 
== See also ==
*[[Privacy]]
*[[SSL]]
*[[SSH]]
*[[The social mechanism]]
*[[Governance]]
*[http://www.skyhunter.com/marcs/capabilityIntro/ Introduction To Capability Based Security]
*[http://vimeo.com/46044290 Your Cellphone is Covered in Spiders - Pragmatic Android Security] ''- by Cooper Quintin''
*[[Random numbers, Encryption and Hashing]]
*[https://www.2uo.de/myths-about-urandom/ Myths about urandom]
*[http://movementmetric.com/ MovementMetric] ''- authentication mechanism using simple body movements such as winking''
*[http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html The story of AES done with stick-figures :-)]
*[http://www.muppetlabs.com/~breadbox/txt/rsa.html Prime Number Hide-and-Seek: How the RSA Cipher Works]
*[https://community.rackspace.com/general/f/34/t/75 Investigating Compromised Servers] ''- article by the Rackspace community''
*[http://wiki.cacert.org/Risks/SecretCells CACert on secret cells compromising security within organisations]
*[https://www.eff.org/deeplinks/2018/10/there-are-many-problems-mobile-privacy-presidential-alert-isnt-one-them There are Many Problems With Mobile Privacy but the Presidential Alert Isn’t One of Them]
*[https://blog.cryptographyengineering.com/2015/10/22/a-riddle-wrapped-in-curve/ Should we change our RSA keys to ed25519?]
*[https://nullsweep.com/http-security-headers-a-complete-guide/ HTTP Security Headers - A Complete Guide]
*[https://lwn.net/Articles/531114/ All about Linux namespaces]
*[http://loup-vaillant.fr/tutorials/128-bits-of-security Discussion about the meaning of 128 bits in various contexts]
*[https://forums.whonix.org/t/fixing-the-desktop-linux-security-model/9172/21 Discussion on isolating applications in desktop environments on Linux and Android] ''- scroll down to SokPuppette's comments''

Latest revision as of 01:15, 31 July 2020
