I would never have my private keys leave a smart card. I'd assume your PGP private key on hard drive, located in your home directory no less, is as good as compromised.
A script that is compatible with POSIX Bourne shell (/bin/sh) would be more appropriate. FreeBSD, for example, does not come pre-installed with bash. If you want cross-platform portability, this is a better default.
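As an added illustration of the portability point above (this is not the script under discussion, and the helpers are constructed for the example), a few common bash-only idioms next to their POSIX sh equivalents. Everything here runs unchanged under dash, FreeBSD sh and busybox ash:

```sh
#!/bin/sh
# Portable replacements for bash-only idioms. Constructed example;
# no `local`, no arrays, no [[ ]], no ${var//..}, no `echo -e`.

# bash: [[ $s == *"$needle"* ]]   ->  POSIX: case pattern match
contains() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# bash: ${s^^}   ->  POSIX: tr (printf, never echo -n/-e, for the input)
to_upper() {
    printf '%s' "$1" | tr '[:lower:]' '[:upper:]'
}

# bash: ${s//pat/rep}   ->  POSIX: sed; $2 is taken as a BRE, unescaped
replace_all() {
    printf '%s' "$1" | sed "s/$2/$3/g"
}

# bash: arrays   ->  POSIX: the positional parameters are the only array.
# join_by SEP [ITEM...] prints the items separated by SEP.
join_by() {
    sep=$1
    shift
    [ $# -eq 0 ] && return 0    # no items: print nothing (shift on $#=0 is an error)
    out=$1
    shift
    for item in "$@"; do out="$out$sep$item"; done
    printf '%s' "$out"
}

# bash: type -p / which   ->  POSIX: command -v
require_cmd() {
    command -v "$1" >/dev/null 2>&1 || { printf 'missing: %s\n' "$1" >&2; return 1; }
}

# Demo run on constructed values.
contains "hello world" "lo w" && printf 'contains: yes\n'
printf 'upper: %s\n' "$(to_upper abc)"
printf 'replace: %s\n' "$(replace_all foofoo foo bar)"
printf 'join: %s\n' "$(join_by , a b c)"
require_cmd sh && printf 'sh found\n'
```

Run it with `sh script.sh` rather than `bash script.sh` to actually exercise the portable path; `checkbashisms` from Debian's devscripts catches most of what slips through.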
There's no contest between physical vs. virtual isolation. Theo de Raadt and @thegrugq are right when they're saying you shouldn't put much trust in virtualisation-as-isolation model. Just look at the recent VENOM bug.
Looks right. There isn't much of a trail here (the wiki page is relatively new and mostly created by one individual), but I'd buy the general story. They do sound partisan, if not for their history and conflict with the Kremlin. I don't know that this is the case, but given the prevalence of Civil Society Organizations and NGOs in the form of news media fronts created inside Russia and the Baltics by the allies and the recent cleanup of these installations by the Kremlin - properly or no the Meduza team was likely seen as proxy political voices.
> They are highly skilled network attack specialists, with basically no way to apply their skills other than working for the NSA.
Why is the commercial "cyber" security industry not a viable option? It pays well, there's currently a notable skill shortage and they can work in "pen-testing", "red teaming" and "exploit development" areas.
I will copy/paste from the other answer I gave to this same question:
> Pen testing is a viable alternative in the same way that driving a car is an alternative to designing an engine.
"Red teaming" is little different.
Further, much of the commercial world is thinly veiled NSA work. Who do you think the biggest clients of Reversing Labs, for instance, are? They're not just any commercial firms. They're commercial firms providing services to the NSA.
Bug bounties and HackerOne are sick jokes compared to what governments pay.
Virtually none of the commercial work is thinly-veiled NSA work.
I know literally none of the people behind "Reversing Labs", your comment is the first I've heard of that company, and, examining what their product does, I can't understand how what appears to be an email antivirus product is somehow helping NSA.
Their products are very useful in a defensive context. Not all of the NSA's work comes under the heading of cyberweapons or intelligence-gathering. They do plenty of defensive development, too.
RL's Titanium Core is one of the best unpackers around, and thus incredibly valuable for anyone doing malware analysis. Couple it with Titanium Cloud (blacklisting/whitelisting of samples) and you have the core of a system that can go interesting places. Try not to cringe at the bill. Toss in a sandbox or three and you're really getting somewhere. Add in a couple of MITRE standards for requisite government headaches, obviously.
From what I've seen, a fair number of security product companies are selling to the NSA. Doesn't work for SaaS and services, because the NSA tends to require that whatever you're selling run on their network.
It's worth remembering that the NSA isn't afraid to buy from tiny companies and In-Q-Tel exists to enable investment.
So you're talking about companies selling to NSA in the same sense as they would sell products to Allstate? As in: literally the exact same products in exactly the same packaging sold to exactly the same purchaser as would exist at Allstate?
Who cares?
You dodged part of my comment. Once again: virtually none of the commercial security work --- or even the offensive security work --- is thinly veiled NSA work. Virtually none of it.
What on earth led you to believe you'd be able to defend such a statement?
That I've seen enough of it firsthand. They may offer the same product to Allstate, but the products are developed with government customers in mind. I'd cite Sandvine, but I'm not personally aware of them selling to the NSA - although it wouldn't surprise me. I've also sat in the room as people discuss the best way to do business with the NSA, and the consensus was that for some kinds of products the best approach is to develop the thing and sell it as a packaged product without a care given about selling to anyone else.
Sure, they might sell to someone else, but nobody involved cares about that.
What I've seen suggests that there are really two commercial security sectors. One centered on the west coast and focused on the private sector. The other is centered on the east coast and centered on the US government. It's all commercial, after a fashion, but the two don't typically interact very much. Each tends to think of itself as "the security sector".
Well. Except when Mandiant decides to point fingers. Then there's briefly lots of interaction.
What you're doing now is re-answering a question I posed upthread without addressing the question I just asked.
Yes, of course, every enterprise product company in the world --- in security, disaster response, configuration management, issue tracking, document management, what-have-you, every single one --- sells to FedGov. They all have special teams to do it. And FedGov has special requirements; for instance, Common Criteria certification.
Now: can you answer my actual question? How on earth did you feel you'd be able to defend your statement that most commercial security work is thinly-veiled NSA work? That's not just not true, it's almost literally the opposite of true.
Is your answer "there's this East Coast sector of the security industry that sees itself as the whole security industry that is almost entirely thinly-veiled NSA work"? If so: can you name 3 companies in that East Coast security sector? I've worked in security for just about 20 years now and can name many, many East Coast companies, and very few of them have ever done work for NSA, or, for that matter, done work that would be interesting to NSA.
Leidos, ManTech, and Endgame (provided you're willing to allow Atlanta) come to mind. All do substantial amounts of security work. Mandiant, too, though they're now owned by FireEye.
Two giant government contractors that happen to have small security teams, and one tiny boutique firm. The funny thing is you didn't mention Raytheon or Lockheed, both of which have teams that I suspect are larger than the three teams you mentioned put together. All of them are dwarfed by the commercial security industry. Most of them are backwaters nobody in the field thinks about when they think about security.
This is an embarrassing admission: I couldn't remember how to spell Raytheon.
I do know that the people in those fields tend to think of themselves as "the security industry". They also don't generally work on material that the more private-sector-focused industry cares about or gets exposed to, like how to secure a network when you have brain-damaged political network policies.
I think you need to be more careful about how you word this.
It is a true but very uninteresting statement to say that "most government contracting work is thinly veiled government work".
Obviously, you don't feel like that's what you're saying. But to defend the statement that much of security in general is thinly veiled USG work, you cite SAIC, ManTech, and (now) Raytheon. Giant government contractors.
The security industry as a whole is enormous. It includes big chunks of Cisco, IBM, EMC, Symantec, Intel, and HP, and literally hundreds of companies the likes of Duo, Cloudflare, Accuvant, and Lookout.
The clear implication of your comment upthread is that most commercial security work is not only done for the USG, but is offensive work done for NSA. That's why you compared it to HackerOne and called their rates a "sick joke". Not only would that statement still not be true if most commercial offensive work was done by NSA (government rates on vulnerabilities are not as lucrative as extragovernmental rates are), but it is itself not true at all. Ironically, the numbers get even worse for your argument when we narrow the security industry down to offensive work.
I might lose an argument about how much bogus "defensive" security product stuff gets sold through GSA teams to NSA and DoD in general. But most of my experience --- apart from the four years I spent working for what was at the time Sandvine's biggest competitor, where we never once had a discussion about selling to NSA --- is on the offensive side. Virtually none of the commercial offensive security work that is done is done to benefit NSA.
> much of the commercial world is thinly veiled NSA work
While security agencies of various governments are on the buy-side of the "zero day" vulnerability market, the majority of commercial "cyber" security companies are not dealing in "cyber weapons" and are not involved with the NSA. There are plenty of examples of successful "white hats": H. D. Moore, Dan Kaminsky, Tavis Ormandy, Michał Zalewski, even our own Colin Percival and tptacek etc. You don't have to do work for the government to play in this area.
It's less of an excuse and more of a statement about the current state of reality. Are there examples and counter-examples and so on? Absolutely. Do any of them change the state of reality by existing? No. Is a very sizable portion of private-sector work today paid for by the NSA, directly or otherwise, including both defensive and offensive capabilities? You bet.
As a result, saying people should go to the commercial world isn't actually much of a change. It's not an alternative to the current reality because it is the current reality.
It's worth remembering that you probably don't hear about the big players very much in places like this. Endgame, MITRE, Leidos, etc. They tend to stay out of the limelight while still employing substantial numbers of people.
multitail is great. I really cannot use command line utils that don't support colors/highlighting anymore. htop instead of top, etc. It just gives me much better visibility and readability. I'm surprised that so many non-color utils are still being used. It just feels so 1994 to me to stare at a white-on-black display. I guess there's nothing more slow-moving and conservative than shell interfaces, thus articles like these that shame us into using different tools.
Personally, I'd love to see some hot young talent just do a 100% redo of the standard gnu utils from an interface perspective. Just go crazy with new interface and display ideas, novel presentation modes, novel navigation, etc while still maintaining backwards compatibility. I could see a big disruption here.
I wrote a Python script (called synesthesia)[1] that'll colorize input based on regex matches, and any matched text will be the same color for the same content.
The use case that drove its development was needing to keep track of UUIDs across multiple logs - and grep --color will colorize its matches, but not differentiate between ones that have different content. With this, I could watch both logs as data was passed from one to the other and keep track of e.g. the orange one.
I also thought it would be nice to be able to use patterns from logstash's grok, so I wrote grokpat[2] to find patterns for me. A lot of grok's patterns use atomic groups, which aren't available in Python 2, so I wrote redi[3] to convert them from grok's syntax to Python compatible syntax.
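The same-content-same-colour idea behind the synesthesia script, as an added POSIX sh + awk example (this is not the author's Python code): every distinct UUID-shaped token is assigned a colour from a small palette in first-seen order and keeps that colour on every later line, whichever file it came from, so you can follow "the orange one" across a request log and a database log. The UUID pattern, the palette and the sample lines are assumptions constructed for the example:

```sh
#!/bin/sh
# colorize_ids: stable per-value colouring of UUID-shaped tokens on stdin.
# Constructed example, not the synesthesia script; pattern and palette assumed.

colorize_ids() {
    awk -v esc="$(printf '\033')" '
    BEGIN {
        # ANSI foreground codes, handed out in the order tokens are first seen
        ncolors = split("31 32 33 34 35 36 91 92", palette, " ")
        seen = 0
    }
    {
        line = $0
        out  = ""
        # 8-4-4-4-12 hex groups; POSIX awk has no {n} intervals, so use + per group
        while (match(line, /[0-9a-fA-F]+-[0-9a-fA-F]+-[0-9a-fA-F]+-[0-9a-fA-F]+-[0-9a-fA-F]+/)) {
            tok = substr(line, RSTART, RLENGTH)
            if (!(tok in color)) {          # new value: take the next palette entry
                color[tok] = palette[(seen % ncolors) + 1]
                seen++
            }
            out  = out substr(line, 1, RSTART - 1) esc "[" color[tok] "m" tok esc "[0m"
            line = substr(line, RSTART + RLENGTH)
        }
        print out line
    }'
}

# Demo on constructed log lines: the api request id keeps its colour on
# both lines, the db id gets the next colour. Real use:
#   . ./colorize.sh; tail -f api.log db.log | colorize_ids
printf '%s\n' \
    'api  1b4e28ba-2fa1-11d2-883f-0016d3cca427 received' \
    'db   6ba7b810-9dad-11d1-80b4-00c04fd430c8 query' \
    'api  1b4e28ba-2fa1-11d2-883f-0016d3cca427 done' | colorize_ids
```

The palette wraps after eight distinct values, so on a busy log two ids can share a colour; widen the list (or hash the token into 256-colour codes) if that matters for your volume. Unlike `grep --color`, nothing is filtered: lines without a match pass through untouched.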
I use htop and turn the colours off... The thing I like about htop is I can use the mouse. It's so F-key-based, which, especially on a laptop, means you have to take your eyes off the screen to find the keys.
Of course, I'm not opposed to colours, I'm opposed to colours that look tacky / l33t hax0r, which would be most terminal stuff. I like 𝐛𝐨𝐥𝐝 better than trying to find colours I won't hate.
Switching between many programs and systems, I have a hard time keeping track of what colors mean what. Especially when people start customizing their colors. There are enough tools to show you what a file is, I don't need directories printed in red and files in blue and symlinks in green. ls -l is good enough and works everywhere.
In the same vein, P.O.R.T.A.L.[0] mitigates against leaks by running Tor on a separate hardware router. In principle, it should reduce the risk of geolocation, as VM escape to dom0 is not possible. The annual success of Pwn2Own should tell you that all browsers are thoroughly compromised. If your adversary can escape to dom0, they should be able to reveal your real source IP. Whonix seems to provide this as an option[1], but not by default.
Wouldn't any process running as root on the computer be able to re-flash the router?
This is also an order of magnitude harder than Whonix, while I consider Whonix, Tails, and TBB to all be the same order of magnitude difficulty. (And your router's screwed if you mess up.)
This does seem to provide better security, although probably comparable to the Physical Isolation that you mentioned.
> Wouldn't any process running as root on the computer be able to re-flash the router?
No, because the router's management interface is only available out-of-band. This is a conscious design decision to mitigate against this threat: "In order to protect the PORTAL from tampering from malware (or malicious users), it also requires a third administration interface. This can be either a serial console, or physical connection."[0]
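The design point in this sub-thread, as an added example that is not PORTAL's own configuration: a fail-closed firewall for a Tor-only gateway, where LAN clients are transparently redirected into Tor, nothing is ever routed straight to the WAN, only the tor process may originate upstream traffic, and no network-facing management port exists (administration is out of band, as described above). Interface names, port numbers, the `tor` uid and the matching torrc lines are assumptions. By default it prints the rules; `DRY_RUN=0` as root applies them:

```sh
#!/bin/sh
# Fail-closed firewall for a Tor-only gateway, in the spirit of the PORTAL
# design. Added illustration, not PORTAL's own rules: interfaces, ports and
# the tor uid are assumptions. DRY_RUN=1 (default) prints; DRY_RUN=0 applies.
set -eu

LAN=${LAN:-eth0}          # client-facing interface
WAN=${WAN:-eth1}          # upstream interface; only the tor daemon may use it
TOR_UID=${TOR_UID:-tor}   # torrc: User tor
TRANS_PORT=9040           # torrc: TransPort 0.0.0.0:9040
DNS_PORT=5353             # torrc: DNSPort 0.0.0.0:5353
DRY_RUN=${DRY_RUN:-1}

fw() {  # fw <iptables|ip6tables> args...  (print or execute)
    bin=$1; shift
    if [ "$DRY_RUN" = 1 ]; then printf '%s %s\n' "$bin" "$*"; else "$bin" "$@"; fi
}
ipt()  { fw iptables  "$@"; }
ip6t() { fw ip6tables "$@"; }

tor_gateway_rules() {
    # Default deny on every chain. FORWARD stays empty: LAN packets are never
    # routed to the WAN, so a leak would need a rule, not the absence of one.
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Tor carries TCP and DNS only. Redirect those into the daemon; other UDP
    # and ICMP from clients fall to the DROP policy instead of leaving raw.
    ipt -t nat -A PREROUTING -i "$LAN" -p udp --dport 53 -j REDIRECT --to-ports "$DNS_PORT"
    ipt -t nat -A PREROUTING -i "$LAN" -p tcp --syn -j REDIRECT --to-ports "$TRANS_PORT"

    # Accept only the redirected ports from the LAN. No SSH or web admin port
    # is opened: management is via serial console, as in PORTAL.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$LAN" -p tcp --dport "$TRANS_PORT" -j ACCEPT
    ipt -A INPUT -i "$LAN" -p udp --dport "$DNS_PORT" -j ACCEPT
    ipt -A INPUT -i "$WAN" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Only the tor process may originate WAN traffic. Anything else on the
    # box (a compromised service, a stray resolver) is rejected, not NATed.
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A OUTPUT -o "$WAN" -m owner --uid-owner "$TOR_UID" -p tcp -j ACCEPT
    ipt -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

    # No IPv6 transport here at all: drop it so it cannot bypass the redirect.
    ip6t -P INPUT DROP
    ip6t -P FORWARD DROP
    ip6t -P OUTPUT DROP
}

tor_gateway_rules
```

Two things to verify after applying on real hardware: from a client, `dig` a .onion name should resolve into the VirtualAddrNetworkIPv4 range (torrc: `VirtualAddrNetworkIPv4 10.192.0.0/10` and `AutomapHostsOnResolve 1`), and a UDP or ICMP probe from the client should get nothing back rather than a reply from your real address. The REJECT in OUTPUT is deliberate: a misconfigured local service fails fast instead of silently retrying forever.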