Disclaimer: Needs verification of terms/more sources.

Transcript Edit

LordsSyndicate: Now, let's start off with a little bit of information - Mark won't be able to join us today, because his machine has been having some issues. Yes, it was a backdoor, and yes - it looks like it was more than likely either a COINTELPRO person, or somebody on the inside who did it. They managed to actually put a rootkit on his machine, which is really hard to do if you know what he's running as a set-up - and getting to that perhaps in a little bit. His set-up isn't exactly for the average user, but then again, it really ought to be.

And then again - since he is still running Windows - he is still subject to attacks. That's the thing. Let me be straight up here: Windows was built specifically to incorporate government backdoors? Don't believe me? Don't believe me?? Go look it up. I mean it, go look it up - go look it up right now.

Now - that's the thing. When you run Windows, your machine is basically just a bug for the NSA (National Security Agency). They can hear you through the microphone, they can see what you're typing, they can read your harddrive data, and well, there's that wonderful thing called TEMPEST.

And TEMPEST is quite important, because TEMPEST - and, for those unaware, I'd like you all to go to or - and go ahead and read up on it. They have a very beautiful timeline, as well as very, very detailed info that really gets into what TEMPEST is capable of and what it is. It is basically - to sum it up real quick - it's basically the idea that any electronic device puts out radiation. This was proven, OK? Now, this radiation/interference as per the little FCC (Federal Communications Commission) sticker on every device must be, you know, within range - it must be put out and all devices must accept interference, but their interference may not be harmful.

And that's all they put on the sticker - the rest of that reads: "No device may put out interference that interferes with TEMPEST. But all devices must accept TEMPEST interference." And there's more to that law - it's not even a law, it's a FCC act - and the FCC is an illegal organization - Congress never voted on any of that. However - back to the point: it is an illegal act being enforced by the FCC that requires all electronic devices to be able to be controlled or used as the government desires, not as you desire. Hard to believe? Go look it up - That's enough on TEMPEST, because most people don't get it.

Now - the average user, you know, is probably wondering - well, if I can't run Windows, what can I run? Well, if you're not ready to take the plunge to go with UNIX or Linux - I'm a big fan of UNIX, personally - OpenSolaris being my top, for various reasons - especially OpenSolaris with Trusted Extensions - but that's a bit more advanced than what most people are used to being able to be doing. Granted, OpenSolaris has gotten to be about as easy as Ubuntu, but doesn't quite have some of the developer support, and some of the applications you might want might not be there - but they'll be there soon, they're working on porting them.

Now, if you are running Windows and you absolutely must run Windows, then there are several tools that you must arm yourself with. And the first thing you need to realize that - you need to get that anti-virus off your system. In fact, if you're running an anti-virus on your system - you need to wipe it - reinstall your Windows, do not put a commercial anti-virus. Now, most people must be thinking - "What in the living heck?" - let me explain. Number one: it has been proven, time and time again, that anti-virus vendors will actually send real viruses in their updates, because they know - if people are smart, like myself, or Jordan, who was on last week, then our systems will not ever get viruses. And therefore, their product is useless. That's not to say if you're an idiot and you go to all these different sites, and you know, you don't really care about what you're browsing - then heck, even sometimes when you're browsing, you can hit sites that you don't expect to be malicious.

There's a very easy way to deal with all of them immediately. That is to run Firefox with the NoScript plugin. The NoScript plugin is mandatory - do not take NoScript and set it to allow for any site that you do not trust explicitly, because that then becomes a risk. The point is - NoScript stops all of these scripts. It stops any sort of loadable application that can be loaded onto your computer via the web from running. It plays straight HTML (Hypertext Markup Language) - it will allow straight images, but it will not allow Flash, it will not allow PHP or JavaScript or any sort of ActiveX control, or anything of the like.

The reason being is - real security experts know that these scripts are the most dangerous things. And you can go and look it up - Adobe has had multiple exploits, multiple rootable exploits even, which means they get administrative access on a machine. And go look at their bug reports - it's on their own webpage. Go Clusty search - now, Security flaw: "Adobe Flash". Security flaw: "Adobe Acrobat". There are many. We all know about the Microsoft bugs that send you all the information about all the patches - 'updated lines of Ptech code' - and yes, some of them actually do patch holes, but they open new holes. And that's the problem with Microsoft Updates - and you're beginning to go: "Wait a minute, no Microsoft Updates and no anti-virus - are you crazy?!". No, I'm actually running securely [sighs].

Number one: one must realize that what you've been taught about computer security is false - seriously. And I have been doing computer security now for sixteen years. [I] hosted one of the largest computer security groups in the world for two years -, now - back when they were actually worth something. You know, that takes a bit of knowledge - one would hope. You can go check out who I am on LinkedIn - - that's my profile - if you have a LinkedIn account or even if you don't., OK? I've worked for the big players - I've even done work for the government, it is not a joke.

When I talk security, I really mean it. Anyone who is a friend of mine has actually learned to trust what I say, because I always turn out to be right, whereas all of their friends usually end up being wrong. And they always end up coming to me with their machine, going: "Fix it!" [mocking]. Sorry to catch a little attitude there, but it's been a long day. I mean, we have this crap with Sheriffs arresting grandmothers - anyway, Alex [Jones] covered that today, so no need to get into that. You know, right [laughing].

Now, back to this. There are several programs - that if you must run Windows, and as I said before, are a must - number one: Firefox and NoScript. And even if you run Linux and are running Firefox, I highly recommend you run NoScript - even though you are very much not susceptible to about 99% of the attacks out there. There is still that 1% that you may encounter that may actually be able to do something. Now, if you're on Linux - one would assume that perhaps you're running your webbrowser as a non-privileged user, so - it shouldn't matter too much, the most they can do is maybe get some access on that user, and you can just delete the user and recreate it. That's not a big deal.

On Windows, though, it becomes much more serious - and the only reason it becomes much more serious is because - no one runs their computer as a limited user. Most people are too lazy - they like to be able to click on a website, download and install software all in a matter of three clicks. Believe it or not, this is the worst thing that you could ever do. And this is the number one reason why people have viruses, trojans and compromises on Windows - and that is because people run as the normal user that Windows sets up for them, which is an admin account. It is the same thing as if I gave you the root account - which is the administrator account on Linux - you are essentially God over the operating system. And that is why viruses become such an issue - and you know, of course the anti-virus vendors want you to keep buying that product, so they are not going to recommend that you don't run your system under the administrative user. If I ever have a Windows box that I use for any sort of surfing - and the only way you'll catch me running a Windows server is if somebody's paying me to do it for some big company, and even then I don't really like it, it bugs me - but, if you must, then you need to be running as a limited user. Go into your Control Panel, go into Users, and create a new user. Change the account type on that user to 'Limited user', and from then on out only log in as that user whenever you do anything on the Internet, OK? If you have to install software - then download it as that user, and you know, only download trusted things.

Now, while this may sound like a slight contradiction to my former statement about anti-viruses, this is more of an anti-virus detection system. It is free, it is open-source, and it actually catches most things that most systems don't - about 90% of the stuff. It is called ClamAV, and it will find most things. It is pretty lightweight and is pretty non-intrusive. Now, once again, I'm not a big fan of anti-viruses - you will not catch me running a single one on my system - but, as I was saying - if you must, ClamAV is your best bet. OK, because it will actually detect things - and not everybody realizes - I understand that not everybody is a computer guru, and not everybody feels confident in their skills in being able to determine what is safe and what is not. Some people do have the discernment, as it happens - there are quite a few people who do. But the average user - they don't want to care about it. That is why they run Windows to begin with - they don't want to care about what's on their computer. For better or worse, that's the case - that's 90% of the people out there who run Windows.

Now, you run your system as a limited user, and there's no way that software can install. You are running essentially under an unprivileged account, and you literally have turned Windows into something that is actually - hmm, I shudder to say 'secure' - 'almost secure' - there we go - 'almost secure'. You run Windows as a limited user and browse using only Firefox and NoScript, scanning anything you download with ClamAV if you're - you know, if you're really wanting to basically scan everything and not have to think about what you're doing or downloading, and that's fine. Personally, I'd rather, you know, think about what I'm downloading.

Only download what you need. There are many programs that claim to do lots of things, and by golly, they do do lots of things, but they also come with spyware. Sadly, 90% of all Windows freeware - this does not mean 'open-source', this means freeware, as in closed-source, binary-only downloads of things that claim to do everything, from give you webcams, to give you chat capabilities, even anti-virus scanners they claim. There was a good one, it's [struggles to come up with the name] -they're all over the place. You probably gotten some spam or a spam page where it's like: "Stealth Scan", or "Registry Scanner", or "PC Registry Clean", or something along those lines. Most of that is all laden with trojans - avoid it at all costs. Now you're thinking: "Does that mean that I have to pay for my software, and does that mean that paid software or branded software is safe?" Not necessarily. By the same token, does that mean that all things you find for free that are software for Windows are bad? No - there is a bunch of open-source software. When you start looking for software, start using the following terms: "GNU GPL" (GNU General Public License). That stands for: "GNU Is Not UNIX" - which is an open-source project which has been around for nearly as long as I've been in IT - well, longer than I've been in IT, OK? '80s even, that it's been around. And well, yeah - probably the mid '90s now that I think about it - my memory is a bit foggy today, it's been one of those days, I apologize. So - [chuckling] Avira Antivirus I hear, somebody has a question about - and I have not checked out Avira, so therefore I'm not even going to try and comment on it. If you think it's safe, it might be - but I, like I say, I don't like anti-viruses - I don't trust them. Like I say, ClamAV is the only one that I really trust - things I've used.

That's the thing - use what you know. If you know something is good, that's cool. But realize - that what you know, may not necessarily be good. For instance, let's take for example a nice little P2P (Peer-to-peer) communications client that a lot of people really seem to love - and that's Skype. Now, Skype is a useful tool - it can be. The problem is - it's a P2P client that connects to anyone else running Skype who's not behind a firewall and shares that connection. Now, you may be thinking: [imitates voice] "Well, you know, isn't the voice encrypted?". Well, let's go first off and dispel that myth. If you're going through another host, then that other host has access to your encryption key. If that other host happens to be a malicious hacker, or say a COINTELPRO shill - sitting there monitoring people's communications and running Skype specifically to monitor people's communications - then it becomes a compromise, you see? Other point behind it is - Skype is injectable. Meaning - it is subject to having things injected over its protocols. There are ways that you can send people files without them knowing it - it will download to their machine as part of their registry. In fact, you know, that's what happened to Mark today - it is not a common exploit and not something that happens often, nor have I seen it happen to many other people. Usually, only people who are bringing up very damning shit - and that's it. So, that said - you know, if you can avoid Skype, avoid Skype. There's an open-source alternative to it that's great, that is a real SIP (Session Initiation Protocol) phone - it is called Ekiga [spells name]. Plug that into Google, or my favorite search engine, Clusty - and you will come up with the website . Great, great piece of software - it is a real VoIP (Voice over Internet Protocol) system. Now, while it is possible for somebody to, oh, say, maybe execute the man-in-the-middle attack on the server - umm, the government is listening to you, they're listening to you anywhere - your phone lines, all sorts of - your computer microphones. TEMPEST, as we've mentioned before, provides lots of easy avenues. But, the point being is, that it is a real SIP gateway - it is not a P2P that uses any port and any protocol - well, Skype uses its own inherent protocol. This uses a network-standard protocol to make calls - it also, as I was going to say.... drew a blank there, I'm sorry, it's been a long day. OK, right... It's been a long day, I have been up since five o'clock AM, so guys, bear with me, and I do apologize. But the key thing behind Ekiga as I was going to say, duhh, it's open-source - [sighs] told you, I'm dead tired. But hey, that's my dedication here - you know, getting the info out, and that's what is important. You know, we would have liked to have gone on yesterday, but various technical difficulties dealing with intrusions and various other interesting things, prevented us from doing such.

Now - back to the keys here - and we're gonna run this by - you know, for the general users, and then we're going to go into a commercial break, well, we're going to go into a music break shortly. Things you want to know if you're running Windows - and there are more, but these are the basics - if you must run Windows, set up a limited user - only use the limited user account. Run Firefox with NoScript and if you must use an anti-virus, use ClamAV. Now, with that said, we're going to go to a music break here...

--- music plays --- "James McMurthy - We Can't Make It Here Anymore"

Captain Gringo: Welcome back to Piercing The Darkness, gang - [audio interrupting] this is

LS: Alrighty, ladies and gentlemen. We are back - and so, the last thing I went over was - running as a limited user, running Firefox with NoScript..

CG: [interrupting with broadcast message].

LS: Thank you, Markus. Now, as I was saying, yeah, right, we're having a little bit of a lag issue right here, so if it sounds like I'm taking some gaps, because my engineering team is trying to catch up with me - I don't even want to get into it, it's its own story. We've actually partially covered it already in one of our prior shows - discussing IPv4 to IPv6 transformers[1]. I leave the rest up to your imagination there - realize I'm running OpenSolaris. I leave it at that. OK - and everything is in a VM (Virtual Machine) - well, anything is pretty much in a VM, and they're Linux VMs at this point - nothing hooked to my host box, basically.

OK - so it seems we had an interesting question about firewall software. Now, I want you all to Clusty search or Google search - Golden Hacker Defender[2]. This is a rootkit - and if you're running a Windows-based firewall, or even have the unfortunate mishap of running some form of anti-virus, this little piece of software is designed to completely hide itself from both. In fact, there have been very few things that have been capable of detecting it - and everything that managed to detect it - the author releases updates, so that it no longer does. The author has done this for a while - and while he claims to have called it off and stopped producing his software for charge - and you used to be able to download Golden Hacker Defender for roughly $700 bucks - and then for $500 dollars a year, he would give you updates. And these updates, because of the way anti-viruses and most Windows firewalls work, they rely on updates coming from a vendor. And since his updates were always much quicker, and always tend to be, his rootkit is undetectable, OK? Even Vista cannot find it - you are not safe running Vista - in fact, you are more hackable running Vista.

There are some other interesting things that can be done to both Vista and XP if you're running one of the new Core 2 Duo CPUs (Central Processing Unit). And this involves the 'red pill'... [correcting himself] well, it's called the 'blue pill', the Blue Pill Hypervisor. It was created by a lady named Joanna [Rutkowska], and it is created specifically so if you're running a Windows system - and they've tried to test it on other ones, but they have limited success getting it to work - because it's a bit different when you're emulating and hypervising Windows and other ones - yes, it's paravirtualization, and yes, it does work, but it doesn't work quite as well as it does in Windows, because it was originally designed for Windows. She designed this as a Proof Of Concept (POC) to prove that she could silently install a hypervisor on one of these systems. The Core i7s also have this - all new CPUs have what's known as either VT or Xen instructions on-die. AMD got their instructions from the Xen Project, which is an open-source hypervisor, whereas Intel actually got their instructions proprietarilly developed by themselves, and they call that 'Vendor Pool Technology'.

Now [deep breath], what uses this stuff? Well, if you're a person like me, then it means that all your VMs run extraordinarily fast. You can run 64bit VMs on 32bit guests, and 32bit guests on 64bit OS and likewise, and mix and match, and you get pretty damn, decent performance. And so it's very useful - if you're using virtualisation. However, if you are a consumer, you have no real need of it unless you virtualise - and they don't want you to virtualise, because that means real security. You see? Virtualization means that you've taken your operating system and you've put it in some piece of software container that isolates it from the host. VMware makes a very fine product - I have my gripes here and there with that, I will admit, but overall it's a decent product. One of the best that I've seen recently is VirtualBox. And of course, there's Parallels - which is kind of really low consumer grade, and there is Xen - the Xen Hypervisor [skipping the stuff about him being unsure about the name]. Double acronyms, kinda love that. So, what Xen does is basically the same thing - except Xen is very lightweight, it's open source and has been taken on by AMD - they put the instructions on-die, it was so badass. Red Hat has based an entire hypervisor of their own that they're about to come out with based on that, as well as others. So, Xen is a very, very powerful, wonderful hypervisor.

But back to it - while virtualisation is great and can be used to give decent security, unless you are already running it, then you need to go - and if you don't plan on running it - then you need to go into your BIOS - consult your computer vendor manual if you don't understand how. Most machines - it's the Delete key, some of them, it's the F2 key, it just depends on what type of BIOS you have. You go in there, and you look for Options under the CPU - it will either be VT or Virtualization. And you want to make sure that is turned off -because, as Joanna proved, the Blue Pill [Hypervisor] can be installed on your webpage, will install a hypervisor on your system, and the attacker can be running an entire separate copy of any operating system that will run on your system in the background - and you will never know it. It even affects Vista - it affects all versions of Windows. As I say, it pretty much exists all versions of anything running on a computer with a hypervisor - but, as I've said before, it's a little bit more limited with Linux, but it's still a risk. So if you don't use it, don't know what it is, don't know how to use it, turn it off, OK?

Now, and if you don't understand how to navigate your BIOS - you need to call your vendor manufacturer and have them walk you through that - it's very important that you have that turned off, unless you use VMware, or some form of virtualization. Preferably Xen, because Xen is one of the few that will run in the background and give you a master hypervisor that prevents this from even happening. Because what happens is - if you are running a hypervisor ,this little rootkit comes in and says: "Create the master hypervisor!! Create the master hypervisor!!". [And your computer responds in turn:] "Create the master hypervisor?? It exists. Go away" [laughs]. And that's what will happen when you actually use it for virtualization - that's why it stops being a risk when you start using the technology properly.

Enough about that, though - back to the point about firewalls. Firewalls are only so good. Firewalls block incoming traffic - they do not, by default, unless it is a [struggles for words] - sorry, saw another question in the window and got distracted. Now, as I was saying, firewalls are useless unless:

A - they are on a separate piece of machinery - preferably your router or inbetween your router and your ISP. You wonder how that's possible? Well, in enterprise it's very possible, and often the way it's done. Kinda hard to do on the average cable setup, because most people don't have coax-enabled devices sitting around usually. Umm, but what you can do is - you put a firewall between your modem and your LAN (Local Area Network). And that does slightly increase your security, as I've said - it only blocks incoming [packets]. Because outgoing packets have to get out. You want to surf the web, don't you? Well, if you blocked outgoing packets, then you wouldn't be able to surf the web. The point is - that when you open a connection to someone else, that same port becomes a connection that an attacker can use to get into your machine. So, firewalls only go so far - that is why most companies who have ??? RIF ??? firewalls do not allow NAT (Network Address Translation) through the firewall. That is why NAT is a serious risk to most firewalls. They have a single proxy server that controls all access and runs it through a single port - and that way, they can actually run things like Poliwall[3][4], that are heuristic Layer 5 (OSI Model - Layer 5 - Session Layer) - well, a layer above the virus scanners. What's the difference between this and the anti-virus on your computer? This system is actually scanning network traffic. So - it's a bit different -enterprise-grade applications are very different to the consumer-grade - consumer-grade are created to make money, and gain control and turn your machine into literally bugs for the NSA.

You wonder how all of these vendors co-operate? Well, the US government has, time and time again, that these vendors must do "blah", and they've gotten bills passed to try and facilitate that in the past. It hasn't gotten far enough where it's complete mandate at the moment - it's merely being enforced as a rule of law, but - it soon will be, if Jay Rockefeller and his brother Nick [Rockefeller] have anything to say about it. And they're the ones who are carrying out all of these false-flags, as we've said before. If you see a military system compromised, it is impossible - it is a false-flag. I think we've gone over this - God, at least a hundred different ways last week. So back to it - so if you want a firewall that' useless, you want one on a router level. You want to deny everything, except for proxy traffic through a specific port. At which point - yes, you have to set up a proxy, and it's a bit of a pain. Now, firewalls that are host-based are only good for one thing - they're good for knowing that you're being attacked, perhaps, assuming the hacker isn't using one of the rootkits. And there's only one firewall that runs under Windows that is actually effective in being able to see things and [audio interruption]...

[inaudible, coming back on air]... everytime I get a DDOS (Distributed Denial of Service) attack, that's the last thing you want. That's what your attacker wants. So the firewall that I would recommend for Windows, and I will be very specific - I do not run a firewall on my Windows machines - I do not even run the Microsoft firewall. I have a specific router/firewall - I have all of that DMZed (Demilitarized Zone) to a specific gateway server - this gateway server accesses my proxy. That's how I have everything set up - that is the most secure.

Now, someone I believe asked: "Is the Blue Pill only for 64bit?". Well, I have yet to see VT instructions on anything older than a 64bit-enabled chip - and 64bit EMT instructions came before VT - so yeah, it's kind of obvious it's not just for 64bit, mind you, but all of the CPUs that support Vendor Pool Technology or paravirtualization - support 64bit as well as 32bits.

Now, let's get back to this - and let's get back to securing Windows properly. So you have your limited user account - oh, firewall for Windows, before I forget. Outpost Firewall Pro, by Agnitum. And that's useful basically for telling what's connecting to and from you. In the event that you're compromised - usually Outpost will give you pretty good warnings. Otherwise, like I say, they're mostly useless pieces of crap that bog down your machine - giving you a false sense of security. So let's get back to security here: we take our box that now has all of its software installed - we then want to go surf. We log in as a limited user - yes, applications will fail - there's specific applications that only run as an Administrator. That's kind of the other crappy thing - because most people write things that require Windows administrative privileges - and most of these also tend to be ways to open backdoors. Many DRM (Digital Rights Management) programs require administrative privileges to run. And of course, as we know from the Sony fiasco[5], which has yet to be fixed. So if you have anything that you've gotten from Sony, whether it be a CD- one of the new CDs with their DRM in it, or a DVD with their DRM in it, or you happen to have the RealPlayer codec, which has its technology built into it, then you have DRM that is a rootkit, that has been proven time and time again to allow remote access to your machine. And since it's a valid piece of software, no anti-virus will ever pick it up. Isn't that wonderful? Yeah - not in my book. Not on my host. You won't catch me running RealPlayer. If you must run RealPlayer, run the open-source version of it, called RealPlayer Lite.

Now, let's get back to this - so we have a Windows account running as a limited user; you have Firefox, and yes, I've said this a bunch - but those really are that powerful in preventing your Windows box from being compromised. The next thing that you really want to do, is - you want to learn group policy. Group policy is key here - and group policy is essentially how you configure privileges on Windows for most users. And you must be careful with group policy - because the wrong set of settings will lock you out of your machine, or lock you off your network, and you won't be able to use it. Now, that is why you must be careful and understand - that means you have to read, and read a bit. There are many settings in group policy that are safe, but there are quite a few as well that can totally - just - leave your system unusable. So, I would recommend that you learn group policy - if you must run Windows - and you learn how to implement it properly. I mean, this is not necessarily an easy task, but if you're going to run Windows, this is the only way your box will even have reasonable security.

Yes, I know - I did say running as a limited user makes it almost secure. But there are still things that can crack through. And there are still backdoors built-in to various things that allow anonymous file permissions. Many of these cannot be turned off unless you go into group policy and turn them off. Granted, if you are on a Windows domain, this will break your domain - and if you are on a Windows domain, you should not be touching your group policy anyway - that's pulled down from your domain controller.

Now, group policy - after you've taken a look at that - or, if you don't want to even take a look at that, because it scares you a little bit - there's a tool known as ??? Samurai ??? - and I realize the show here is coming to a close - so let me make this brief and let me try and sum this all up - and I'm going to leave you guys with a couple of videos on securing systems and such. It's in two parts and it's pretty interesting stuff. But that's what we're going to go out with. But before we do that, we're going to just summarize here - well, let me just say this: there is a tool called ??? Samurai ??? - it is quite dangerous in the fact that if you do use it to start ripping things out, you can leave your system unusable - just like group policy. It's a little harder - well, it makes things very simple, so you can't really crush your system with that. But if you have a known clean system, and you run that - it will rip out all of the holes, it will basically patch the holes for you, and close those features in group policy for you as well as possibly even rip out services.

Now, when it comes down to Windows, you may even want to consider for the advanced user to download a product called nLite. nLite is able to rip parts out of Windows - you can rip Internet Explorer out of Windows with this. You can rip out all of the modules that will enable people to access your system remotely with this. And basically, it is not for the tame, it is not for the foolhardy - it requires knowledge from Windows, it requires a build from scratch - and once again, it is known as nLite.

The other tool that I recommend for securing your system and actually running to harden it - if you don't want to learn group policy, but just want to learn which settings in a little GUI tool are good and bad - ??? Samurai, OK? Now, let's review this right quick: basically, for ultimate security, switch to UNIX. Trusted Extensions on OpenSolaris, TrustedBSD and, yes, SELinux even, OK - if you know what you are doing. Those are your options - run with it. Even if you're gonna run Windows, and you have to run Windows - start running your stuff in a VM. There you go - VMware. VMware Server - it's free - start putting your stuff in a VM, and that way, it can only compromise the VM - it doesn't truly compromise your system. And there's a function so that - once you have that system exactly the way you want to - you click on it, you take a snapshot out of it, and what this does is - it takes an image of it, a copy of it, that says: "I look like this.". So everything that changes after that can be erased by clicking 'Revert the snapshot'. It is more powerful than any anti-virus ever was, and is a lot quicker than reinstalling your entire system.

Now, before we cut to the videos: let's say - before we cut the videos, let's quickly review what we've learned here: you're most secure if you're running high-end security UNIX or Linux. You're slightly less secure - and don't take that as - out of the box - you have to configure those - so that's an entire show topic unto itself.

Now, I am actually going to run a video here - according to Shaheen, he couldn't find the other ones. We're going to run a video that's how to secure SELinux. Before we go to that - and that's for all you Linux gurus out there who want to learn a little bit about SELinux. Before we go to that, let's review what we've learned today:

Number one: We've learned that, if you must run Windows, run everything under a limited user, or install it in a VM.
Number two: do not use commercial anti-viruses, they merely give you trojans and viruses. Use ClamAV or another open-source option that is trusted.
Number three: NoScript is a Firefox plugin that is mandatory on any computer. OK? It blocks malicious scripts, it blocks all scripts; that way, you can trust sites that you know on a regular basis. I.e: we all know that the Prisonplanet forum is secure, so you can trust that. We all know that, so you can go ahead and trust that. And I won't really venture to comment on many other things, because many other things might not be quite as not controlled by the government - because you know, those are obviously not, and obviously not also controlled by hacker kiddies trying to get into your machine. [long breath] Some of them may even [inaudible] who may even be working for the government, that's another story, we've covered that topic.

So, that said, the big things: go to VMware, VMware Server, start playing with that. I recommend anybody who can - just get themselves a copy and play with it. You can use that to learn Linux as well. Install yourself a limited user, and start using that for all of your web and all of your Internet needs, and anything you do on the Internet; run it through there; install all your programs prior so that way, that user has access to them. Number three: NoScript. And, last but not least: no anti-virus, only ClamAV or an open-source alternative. And I will sum up the last words here before we go to the video: if you have a firewall or need a router, use a router - use a hardware firewall. Everything else is merely - is mostly useless.

And with that, ladies and gentlemen, this ends the first chapter of 'How To Secure Your Machine.

--- Video plays: "Linux HOWTO: Secure Your Data With PGP, Part 1"[6]

"Hello and welcome to this edition of Linux HOWTOs. This week, we will be discussing how to secure sensitive data using PGP (Pretty Good Privacy) - specifically, the GNU Project's implementation of the OpenPGP standard, known as GPG (GNU Privacy Guard).

Most people use encryption at least some of the time. Perhaps you have a wireless access point secured with WEP (Wired Equivalent Privacy) or WPA (Wi-Fi Protected Access), and the purchases or bank transactions you make online are almost assuredly secured using SSL.

"PGP, and its free software implementation, GPG, allow you to encrypt any data y ou choose using one of the strongest encryption methods currently available.

Perhaps you've added a password to a ZIP file or an Office document. You should know that these encryption methods are very weak, and easily crackable using conventional digital crypt-analytical methods. PGP, on the other hand, employs very strong encryption.

Phil Zimmerman, the creator of PGP, selected the most powerful and stable algorithms to use in PGP, and these algorithms have stood up to many years of careful scrutiny by the best minds in the business. This is not to say that PGP - or any encryption mechanism - is perfect, and I will try to point out some of the potential pitfalls in the process of encryption and distribution of sensitive data.

However, if you're smart about how you use PGP, you can be assured that your data is very safe. If all of the world's computers simultaneously began an attack on PGP, it is estimated that it would make them more time to crack PGP than there is time left in this universe.

Encryption is the process of obfuscating data, so that only people who either understand the algorithm or know a slice of data, known as a key, can decrypt the data. Hiding the algorithm is an example of security through obscurity, and is not as secure as using a strong, well-tested algorithm and only hiding the key. PGP is an example of encryption where the algorithm is known, but it is very strong and only the key needs to be hidden.

There are two ways the data can be hidden: with a symmetrical key, where the same key is used to encrypt and decrypt the data, and with public-key encryption, where a different key is used to encrypt and decrypt the data. These two types of encryption use different algorithms, and each has its own strengths and weaknesses.

Symmetrical key encryption is simple and fast, but there's an added danger in key distribution. It is dangerous to send the key to people who need it, because if the key is intercepted, the data is vulnerable and no longer secure.

Public-key encryption is more complex and about a thousand times slower than symmetrical encryption, but it has the benefit that a different key is used to encrypt and decrypt the key. Here is how it works: first, a key-pair is created containing a private key and a public key. The public key is primarily for encryption, and the private key is primarily for decryption. The keys are mathematically related, but only through a very complex algorithm that is strong enough to make it infeasible to deduce one from the other.

Because only the private key can decrypt data encrypted with the public key, it is safe to distribute the public key freely. This solves the problem of key distribution associated with symmetrical key encryption. Once the data has been encrypted with the public key, only the person with the private key can decrypt the data. In addition, the private key is password protected - so if you have a strong password, your data will be safe, even if your private key is compromised.

PGP uses a clever mix of symmetrical and public-key encryption, taking advantage of the strengths of each. Data encrypted with PGP is first compressed, and then encrypted with a random symmetrical key, known as the session key. This encryption is strong and fast. The session key is then encrypted with the recipient's public key, so that the session key is not known unless it is decrypted with the recipient's private key. This makes key distribution easy and secure, but since only the session key is encrypted, the encryption and decryption process is still very fast. The data encrypted with the session key and the session key encrypted with the recipient's public key is then packaged together to make a complete PGP message.

Encryption with PGP takes care of the part of data security known as confidentiality, which is restricting the number of people who can see the data. Sometimes, confidentiality is not necessarily what we need. To other areas of data security that PGP takes care of for us, are integrity, and authenticity. Integrity is in assuring that the data has not been modified in the process of transmission. Authenticity is ensuring that the data originated from where it claims to have originated it from. Digital signatures provide both integrity and authenticity verification for our data.

Digitally signing data is a simple process involving two steps: signing and verification. First the data is hashed; that is, converted to an essentially unique bit pattern of specified length. Changing even one bit in the sample of data will produce a hash that is completely different from the original. The hash verifies the integrity of the data, but it is not yet secure, and it does nothing to verify authenticity. Therefore, PGP encrypts the hash with your private key. At this point, the data has been signed. The verification process is simple: when the party to whom you transmit the data receives the encrypted hash, they attempt to decrypt the hash with your public key. If the resulting hash matches the hash of the data, the data assuredly came from you and it has not been modified.

Now that we understand a little bit about how PGP works, we can go to the computer and actually start trying out GPG. Most Linux distributions already come with GPG installed, so chances are you won't need to do this step. However, if your distribution does not have GPG already, it is a very easy program to download and install.

Simply go to Google and type in "GPG" into the search bar. And the GPG website will be the first result. And you're going to scroll down to the Download section, and then scroll down to - right about here - where it says: "GnuPG [] source compressed using bzip2", and then click this [FTP link] to download. We're going to want to save to disk - and we're gonna save it in the /usr/src directory. We create a new directory, called "gnupg-1.4.9". We're gonna save that tarball right there.

OK, so now we can go to the terminal, and change the directory to /usr/src/gnupg-1.4.9. And there's our tarball. We're going to use the tar command:

tar -xjf *

And then we're going to change to the directory that has just been created. And now, the build process is very simple, we're just going to run:


Disclaimer: There are some library dependencies for GPG, but chances are you have them already, or can easily download them from your distribution's package repository.

Now we simply run make, which will run very fast thanks to the magic of cinema. I'd like to think this is what it must be like to build things on BlueGene.

And finally:

make install"

-- end of show - music playing --- Rage Against The Machine - Wake Up

Related material Edit

Audio Downloads Edit

Megaupload - PiercingTheDarkness051209.flv

References Edit

Community content is available under CC-BY-SA unless otherwise noted.