Not a Tango, nothing to see here

August 24, 2011

Tinfoil hat time (or Bad Ideas from the NSA)

Filed under: Uncategorized — antitango @ 11:15 am

Our government has a job.  It has several jobs, in fact.  Each of them paid for out of our pockets.  Yours, mine, everyone’s.  Their job is to protect us.  No more, no less.  Sometimes advice is good.  Sometimes it is not.  This is from the National Security Agency.  They’re responsible for the government’s information and signals integrity.  Why would they send something out telling normal people how to manage their networks?

Today, I got an email from a tech here at work that tossed this to the masses.  It *IS* a PDF file, so open at your own risk, but as you can see from the link, it’s from our own .gov (wait, is that a GOOD thing?)  It provides information for keeping your home network secure.  I want to say it’s aimed at the lowest rung of the ladder, but that is not true as it provides advice on some relatively technical aspects of a home network.

I dislike the advice given by this and some of it is outright dangerous.

First, it recommends Windows as an OS.  There is no mention of any alternatives.  Now, maybe that’s because it’s easiest to use or perhaps more mainstream.  Possibly.  Ever hear of COFEE?  If you’re a LEO and you’ve got one handy dandy COFEE USB flash drive from Microsoft, you have 100% full access to ANY WINDOWS PC THERE IS.  Wrap your mind around that.  COFEE isn’t even new.  It’s been around for years.  ANY. WINDOWS. PC.  Note: I clarified this a LITTLE bit.  I don’t hate Windows, I just do not believe that Windows and Security go together.  Security means NOBODY can get access to your stuff.  The ONLY way to keep something secure in Windows is to encrypt it and if it’s a drive, UNMOUNT it.  Thanks Joe for pointing out my arrogance.  Really.

Maybe.  Maybe it was because Windows is easier to use.

They do have some other good recommendations that I really like, but which may be over the heads of your average user.  They advocate sandboxing web browsers and PDF readers.  They advocate using unspecified intrusion detection systems and/or firewalls.  AWESOME advice.  Migrate to MS Office.  Did Microsoft PAY these guys to write this?  Granted, it is the de facto standard that almost all businesses use and with THAT in mind, ensuring it is updated is excellent advice.  This goes for ALL applications.  Every single program out there has bugs.  Upgrading keeps them to a minimum.

For Macs they recommend the same.  Keep it all up to date.  Awesome advice.  Another piece of advice that’s good is to limit the use of the Administrator account.  This prevents kernel level changes from being made.

See all that Linux information?  I must have missed it.  They did touch on Apple, but since they have a nice Skeleton Key to Windows, would you care to make a bet that there’s not a similar tool for Apple products available?

Networks.  They do have MOSTLY decent information in this regard.  The only problem I have with it is their recommendation of using an alternate DNS provider.  This can be good in some cases, but not for their reasons.  Their reasons straight up deter me.  They are telling you straight up that they believe in censorship.

“The Domain Name Servers (DNS) provided by the ISP typically don’t provide enhanced security services such as the blocking and blacklisting of dangerous and infected web sites. Consider using either open source or commercial DNS providers to enhance web browsing security.”

I do not want stuff blocked because a third party entity believes it to be dangerous or infected.  I have never, not once, gotten a virus on any PC I’ve ever personally owned.  I’m more savvy than your average Joe, but that has little to do with it.  I know what I should and shouldn’t click on.  I remove any kind of website automation so I have to whitelist it in order for it to run.  Javascript is disabled on all sites unless I ok it.  I block content coming from any .ru or .cn website (among many others).

Here’s the problem I have with their advice.  They have sway in what DNS providers return.  No tinfoil hat stuff here.  Take a look at the DHS domain name seizures.  They’ve taken entire domains because they don’t agree with the content with no oversight, method of appeal, or even due process, oftentimes having grabbed a site for the wrong reasons.  For example, one domain was taken down for copyright violations.  Since…  you know…  that’s the primary job of the Department of Homeland Security.  The problem?  The music had been given to him by the record labels in question.  What does that have to do with this PDF from the NSA?

Government likes control.  Everything today is done under the commerce clause or in the name of terrorism.  This is why the DHS is seizing domain names.  I don’t think there’s any doubt that much of this stuff comes down to 1st Amendment violations.  If there’s no due process, it’s a rights violation.  But hey, that’s just me speaking.  It’s all for our own safety, of course.  About control.  They have warrantless wiretapping.  They have the ability to query an ISP and get all of your online activity for the past X months.  We can do nothing about it.  The more people they can get to use public DNS servers (like Google and OpenDNS), the easier it is to see what every person is doing.  Beyond that, while it hasn’t happened yet, during a crisis, they could use all of the resources they have to black out half of the country’s ability to see websites that disagree with them.

I said it was real tinfoil hat stuff in the title!  Don’t say you’re surprised, you’re not allowed to be.

So DNS restrictions provide 2 problems.  First, it allows them to monitor all access requests.  Think of the government watching you at the library.  Talking to the librarian and asking what books you just checked out.  Second, it allows them to control where you are taken when you visit websites.  This removes your own choice.

The last few pages of the document are incredibly useful advice.  I only have issues with those that don’t pass Joe Huffman’s “Jews in the Attic” test.

What should you do if not what they’re advocating?

Again, with the exception of what I posted above, the PDF is good to go.  To me, those issues are big, however.

1. Windows is not a bad operating system.  I don’t like it because it provides me minimal control over my PCs.  It also allows ANYBODY with the skeleton key to get anything they want out of your system.  Linux does not allow that.  If you encrypt a filesystem or even your own login, you are secure.  No skeleton key is going to get at that, whether owned by an illegal criminal or a state sponsored one.  Regardless of Operating System, encryption is your friend.  TrueCrypt.  Get it. Learn it. Use it.

2. Use the DNS server provided by your ISP.  Keep alternatives on hand in case you start getting strange results.  Malware can move your DNS servers to another location and send you to spam sites for every website you try to visit.  The owner of ANY DNS site can do the same.  DNS is run on an honor system, nothing more.

Much like physical self-defense, electronic self-defense needs to be up to you.  Just as a cop will only be there to mop up a violent crime, they will do even less with regards to your rights, privacy, and freedom online.  When it comes to online activities, neither political party is your friend.  Both groups will curtail those freedoms every chance they get.  That is truly bipartisan.



  1. Does COFEE enable the decryption of an encrypted drive?

    This is assuming the computer is powered down when physical access is obtained. And how about virtual machines that exist on the physical machine?

    And how about virtual hard drive files that are encrypted with the virtual machine shut down?

    Comment by joehuffman — August 24, 2011 @ 11:46 am

  2. Absolutely not. It does not decrypt drives if they’re not currently mounted. If it’s been mounted for access when COFEE is plugged in, everything on it is fair game. You are absolutely correct about that and that’s why I advocate the use of programs like TrueCrypt. I use gpg to encrypt individual files in Linux, but I should do more. The tinfoil hat stuff about COFEE comes from 1 area. Encrypted drives that are left mounted on computers that aren’t shut down.

    Comment by antitango — August 24, 2011 @ 12:08 pm

  3. heh… I was a bit harsh on Windows. I need to clarify that. I do not think Windows is a bad OS. Windows 7 is actually even enjoyable to use. I still do not recommend using it if you want security without the knowledge of how to implement it. But then again, that goes with any OS.

    “If an attacker has access to your PC, it is no longer your PC.”

    Comment by antitango — August 24, 2011 @ 12:12 pm
