Securing your systems

Dan Poirot dtpoirot at gmail.com
Mon Jan 4 18:51:17 UTC 2016


I have been a two factor authentication fanboy for a good, long time.

While Industry and Government are big fans of the RSA dongle and photo ID
smart-cards, the one-time PIN need not be a significant burden. 

There is a nice discussion on using Google Authentication here:
https://support.google.com/accounts/answer/1085463?hl=en&ref_topic=1099588

Using Google Auth on my iPhone 6 (and the iPhone's fingerprint scanner)
gives me 2+ factor (just how good is the scanner?)

My watch also calculates Google Auth one time use PINs:
http://pebble.devpost.com/submissions/21538-pebbleauth-two-step-authentication-for-pebble

- dan


-----Original Message-----
From: devel [mailto:devel-bounces at ntpsec.org] On Behalf Of Eric S. Raymond
Sent: Monday, January 04, 2016 12:01 PM
To: devel at ntpsec.org
Subject: Securing your systems

Two days ago Susan Sons came to my place and we spent a day hardening my
security.  I now have full-disk encryption on both the Great Beast and my
laptop, a lock code on my phone, I'm using Signal for encrypted SMS, and
have begun to set up 2FA on my web accounts that support it.
Some weeks back, at her urging, I switched to a GPG key with the largest bit
width currently possible.

Why bother?  Because, as Susan explained and Mark has previously noted, DDoS
via NTP is a favored tool for all manner of bad guys from script kiddies up
to and including advanced persistent threats like the PLA and the Russian
Mafia.  They have a strong interest in compromising NTPsec's security so
they can know what we know about unpublished vulns.

This means, in particular, that our personal computers are prime targets. So
are our GPG keys - both personal and project-related.

Take this threat seriously.  We probably don't need to worry about
rubber-hose attacks, because the bad guys want a compromise that's covert
and deniable.  But some of our potential adversaries are state-level actors
with enough patience and resources that they were able to undetectably
subvert Google's Perforce repositories (undetectably until the inserted code
was noticed, anyway - that one was probably the PLA).  They will throw as
much cracking skill at us as they think they need to.

While we can't perfectly secure ourselves against the likes of the PLA or
the NSA, we can and should make it difficult for them to compromise our
security without being noticed.

Susan was, therefore, right to insist that I tighten up my security.
Those of you who aren't hardened at least to the level I described above
should do likewise.
-- 
Eric S. Raymond <http://www.catb.org/~esr/>

There's a truism that the road to Hell is often paved with good intentions.
The corollary is that evil is best known not by its motives but by its
*methods*.
_______________________________________________
devel mailing list
devel at ntpsec.org
http://lists.ntpsec.org/mailman/listinfo/devel