
UK launches massive, one-year program to archive every email

http://tech.yahoo.com/blogs/null/136610

In a move that even the most nonchalant of privacy advocates is crying foul over, the UK has put into effect a European Union directive which mandates the archival of information regarding virtually all internet traffic for the next 12 months. The program formally goes into effect today.

The data retention rules require the archival of all email traffic (the identities of the sender and receiver, but not the contents of the messages), records of VOIP telephone calls (traditional phone calls are already monitored), and information about every website visited by any computer user in the country. The rules are being pushed down "across the board to even the smallest company," as every ISP large or small will be required to collect and store the data. That data will then be accessible -- to fight "crime and terrorism," of course -- by "hundreds of public bodies" to investigate whatever crimes they see fit.

Technically the new directive applies to all countries of the EU, but individual nations appear to be complying with the rules to various degrees. Privacy-obsessed Sweden is reportedly ignoring the rule completely, for example.

The privacy implications of the rule are enormous, as everything UK citizens do online will now be under the watchful eye of EU's powerful Home Office. One privacy advocate, whose anger is clearly barely being held back, called it "the kind of technology that the Stasi would have dreamed of." Naturally, the government counters that this kind of information has already proven invaluable in tracking down criminals, including the killer of an 11-year-old boy a couple of years ago.

Privacy concerns aside, another issue becomes one of how exactly to manage all this data. A report dating back to 2004 estimated that a single, large ISP in the UK would need up to 40 million gigabytes of storage capacity to store the traffic data from a year of user activity. Even in 2009, that kind of storage doesn't come cheap, nor does the challenge of managing it all come easy.

:fsu:
 

Hazeseeker

It won't stop me from growing anyway, I enjoy chillin out smoking my erb too much, we're not doing anyone any harm, stand strong with a strong stand :joint:

peace
 

b8man

Well-known member
Veteran
More fear inducing madness from the UK.

So anyone arrested for anything can probably be charged with something if they search long and hard enough at their internet use. "ok, so you didn't do that, but we found out that you were talking to someone who has a name that sounds like a terrorist - so we're detaining you".

There should be riots on the streets protesting this.
 

CMoon

Technically the new directive applies to all countries of the EU, but individual nations appear to be complying with the rules to various degrees. Privacy-obsessed Sweden is reportedly ignoring the rule completely, for example.

Hey wonder if they'll find any cabinet ministers ordering online porn movies and letting muggins pay for it, if there's investigation needed it's them robbing fekas on the second home allowance first........wait till my m8 goodman sees this, the barricades will burn:yeahthats or was that briquettes:laughing:
 

SuperConductor

Active member
Veteran
More fear inducing madness from the UK.


There should be riots on the streets protesting this.

I'm really glad this is the impression people from other countries are getting of the UK, just a shame very few people here are seeing it yet. Our country is gladly walking into a fascist nightmare and buying the fearmongering hook line and sinker. People in your country seem to take freedom for granted but we take giving it away for granted.

They want us to riot. Before and during the recent G20 protests the police and the media basically tried to incite riots but most of the protesters were there to protest not riot, the police still managed to beat everyone in hitting distance and killed one guy too but most of the press didn't say a thing.

It's slowly getting really bad here. We are the most surveilled country in the world, I can't walk anywhere in my town centre without being on camera and it's a small town in the arse end of nowhere while at the same time it's now illegal for me to take a photograph of the same town centre and I'd be arrested for taking a photo of a policeman. We need iris scans and fingerprints on an rfid chip to get a passport, our local governments employ children to snoop on their neighbours to make sure we recycle and don't use too much landfill, our government is constantly instilling fear into the populace whether it's fear of terrorists, paedophiles, environmental disaster you name it but they never tell us to fear bankers and politicians even though they are the dangerous ones. I could go on and on but basically Britain is almost very nearly fucked.

But as they keep telling us if you're not doing anything wrong you have nothing to worry about :fsu:
 

jamrockjay

Member
So bloody true m8, it makes me sick. I dread to think what kind of country and type of society my kids will inherit. The biggest danger to our country are the imbeciles that govern us and we are just as bad as we take it without a whimper. We have more cctv cameras than anywhere else in the world, fact.

On another note, I'm sure if I had fraudulently over claimed on my expense account at work I would now be out of a job, so why do all these MPs that are elected by us the people keep their jobs when they fiddle their expenses? We elect these people and pay their wages, expenses and god knows what else and they just don't give a toss about anything or anyone other than themselves.

I'm sure if any of this kinda thing would happen in America heads would roll, or there would be riots. What r ur thoughts?
 

j.guit.err

Member
Well the ACLU would be all over that in a hurry. They file lawsuits about anything remotely related to an issue like that. I don't think that any politician would be bold enough to try that right now, if at all. It's possible in the future, but I think the tech requirements would come up as an unreasonable expense. Sarbanes-Oxley is already decried as too much money, I can't imagine what would happen if the government mandated this.
 

GMT

The Tri Guy
Veteran
is this really surprising?
also what hasn't been released is whether MPs and other govt officials, will also have their contacts tracked, or whether in the interests of "security" they will be exempt somehow.
Did anyone seriously think that congestion charges were about reducing congestion? They have plate recognition technology that tracks who goes into and out of the city centres, but only to make sure they pay the charge of course, not to monitor peoples movements.
Get arrested, DNA collected and stored, (not proven guilty, just arrested), but only so that they can identify repeat offenders where dna is recovered from the scene of a serious crime.
Go onto the streets to protest something, they film everything (unless it's the site of them committing a crime), then not one camera captures the incident, unless its a camera owned by a private citizen.
If the Conservatives get into power next time, then we lose the Human Rights Act, stated by Cameron. We lose all our basic rights under the law.
That's when the real shit will start. This stuff right now is just laying the foundations.
The economy has been deliberately crashed, now 30% of mortgage holders are in negative equity. Which basically enslaves them to the banks, which remember the govt just took a majority shareholding in. And this is just the start of the recession.
The people are being pushed towards major riots so that martial law can be introduced, and justified, which is the important thing.
The production of food has been forced abroad, so that the uk is no longer self sufficient in food production. The economy is either service based, or foreign owned, meaning any real profits go abroad. The borders are open, so the basic services are being spread out over a larger and larger population reducing its effectiveness while the economy is reducing which reduces the ability to pay for basic services. The govt is borrowing so much money from overseas that the interest repayments alone will cripple us, and the money is being spent to prop up companies owned by foreign corporations so that they will employ uk workers for a few more years. The future is looking very bleak.

There again I'm a stoner, so paranoid and prone to believing conspiracy stories. I need to be punished and re-educated so that I can become a productive member of society.
 

nekoloving

YOU USE EMAIL AS IF IT'S SECURE? OMFGWTFBBQDIE

right. so let's try to go over this a little folks.
email is not secure.
again i say
EMAIL IS NOT SECURE

email is transmitted plain text - and for the most part vulnerable to MITM [man in the middle] attacks. if you want to talk privately, get on irc.
 

nekoloving

now let's be very clear here about the purpose of this post. I'm not trying to scare anyone or make anyone paranoid. safety through anonymity is what we all tend to rely on when sending and receiving these things. once you're singled out, fighting a nation-state level of professionalism and resources is a. very tough and b. may be illegal where you live. so in addition to anything else make sure you know your local encryption laws.

ok i did think about it, and decided to double post instead of edit as I'm going further rather than merely expanding my reply.

1. the problem:


great article on email security:

http://www.geekwisdom.com/dyn/node/116

Email is insecure but it doesn't have to be

Posted Thu, 2005-02-17 09:52 by geekwisdom


Perhaps you've heard that e-mail is insecure. Do you know why it is considered insecure? Do you know how to secure your e-mail?
Many of the protocols involved with the sending and receiving of e-mail are not considered secure protocols, in the sense that they are vulnerable to eavesdropping. For instance, Simple Mail Transport Protocol (SMTP), the protocol used to route e-mail around the Internet, is typically implemented without any type of transport encryption. This means that unencrypted e-mail messages are viewable to anyone with the tools to eavesdrop on the network connections between mail servers. Post Office Protocol (POP) and Internet Message Access Protocol (IMAP), when implemented without transport encryption, suffer from the same eavesdropping problems as SMTP. Even when SMTP is implemented with transport encryption it does not, by default, require the authentication of e-mail message senders, therefore mail servers cannot be sure that the senders of messages are really who they claim to be. Even though POP and IMAP require users to authenticate themselves, messages are sent and delivered using SMTP. The result is a situation where the recipient of an e-mail message can be positively identified but the sender cannot.
In addition to the vulnerabilities of the protocols which are used to transport e-mail across the Internet, one must consider the potential vulnerabilities related to the storage of their e-mail messages. Most mail servers store messages on the hard drive in the same format in which they were received, and since the majority of e-mail is sent in plain-text anyone with the right privileges on the mail server can read the stored e-mail messages.
How can you be sure that the sender of an e-mail message is really who they claim to be? Have you ever thought about how easy it is to impersonate someone using e-mail? SMTP does not authenticate the sender of an e-mail message. Therefore, I (or anyone) can send an e-mail and claim to be anyone else. It is typically possible to identify the address of the computer which sent the message, but this still does not mean that it was really me using the computer to send the message.
How can you be sure that an e-mail message was not modified by a third-party before you received it? Since most e-mail is sent in plain-text and since most e-mail servers store messages in the same format they were received, it is trivial for someone with the right privileges to view and to modify e-mail messages which are not digitally signed or encrypted.
The plain-text nature of e-mail and the inability to authenticate the sender of a message make e-mail insecure. For these reasons, you should consider e-mail to be similar, from a security standpoint, to postcards. Postcards can be read by anyone who comes in contact with them. You would not send any sensitive information via postcard, nor should you send any sensitive information via unencrypted e-mail.
E-mail can be secured
SSL client certificates and the S/MIME standard can be used to secure your e-mail. SSL certificates and S/MIME provide the ability to digitally sign e-mail messages and to encrypt message contents, including attachments. Each SSL client certificate must be signed by a certificate authority (CA). With an SSL client certificate installed, you will be able to digitally sign e-mail messages as well as encrypt messages. By digitally signing messages, you will provide a method for recipients to authenticate your identity and verify that a message was not modified during transit. By encrypting a message you drastically reduce the probability that anyone other than the intended recipient can read your message.
Simply having an SSL client certificate installed and configured is not enough. The sanctity of your digital identity (the SSL client certificate) is only as good as the password (or pass phrase) used to protect it. Failing to set a password or using a weak password for your certificate can be worse than not having a certificate at all. Consider the impact of an unauthorized person using your computer to send digitally signed or encrypted e-mail messages using your identity. For this reason, special care should be taken to choose a strong pass phrase to protect your certificate. This is usually done when installing your certificate.
OK so we see that it's POSSIBLE to use essentially the same SSL that we normally do in websites to secure our email from tampering.

now what, you ask is a mitm?

Anatomy of a Wireless "Evil Twin" Attack (Part 1)

by Lisa Phifer, Vice President, Core Competence Inc.
"Evil Twin" is one of several catchy labels referring to attacks in which unsuspecting Wi-Fi users are tricked into associating with a phony wireless Access Point (AP). Also known as AP Phishing, Wi-Fi Phishing, Hotspotter, or Honeypot AP, these attacks use phony APs with faked login pages to capture credentials and credit card numbers, launch man-in-the-middle attacks, or infect wireless hosts.
Fortunately, there are steps you can take to defend yourself from Evil Twins, ranging from user education to strong authentication. Let's disassemble this attack to see where vulnerabilities are exploited and mistakes are made during an Evil Twin attack.
Leveraging a weak foundation

Users fall for e-mail phishing because fake messages are easy to craft, and SMTP senders are not required to authenticate. Evil Twin Wi-Fi phishing exploits similar weaknesses: 802.11 management packets are easily forged, and APs do not prove their identity. To make matters worse, laptops, PDAs, and other Wi-Fi devices automatically select and connect to the AP offering the best signal within a named wireless LAN (WLAN).
As shown in Figure 1, 802.11 associations are initiated by users requesting WLAN access from their stations. APs advertise their presence by sending Beacons, which stations can listen for passively. Or stations can actively send Probe Requests to solicit Probe Responses from all APs with a given ESSID. ESSID (Extended Service Set ID) is the name given to any group of APs providing wireless access to the same upstream network, such as a corporate network or the Internet. Stations can be configured to probe for specific ESSIDs, but Windows XP Wireless Zero Config (and many other Wi-Fi client utilities) probe for any ESSID to discover a list of Available Wireless Networks.
AP Beacons and Probe Responses carry information about the WLAN, including an identifier (Basic Service Set ID, or BSSID) that is usually the AP's MAC address. Based on signal strength and advertised capabilities, the station sends the "best" AP an Authenticate Request. An AP using WEP can optionally challenge the station to prove it knows a shared key. But in most WLANs, the AP just returns an Authenticate Response. The pair exchange an Associate Request/Response to establish a data connection that lasts until either party sends a Disassociate or Deauthenticate packet.
Why does this exchange leave stations vulnerable to Evil Twin attack?

  1. Stations connect to any AP with a given ESSID. ESSIDs are advertised names, visible to all within radio range. Even if you've configured your AP to omit the ESSID from its Beacon, the ESSID is still sent in Probe, Authenticate, and Associate packets. Thus, any would-be attacker can see the ESSID and make an AP appear as though it were a member of someone else's WLAN by using, for example, your AP's ESSID; a common default ESSID (e.g., "linksys"); or a hotspot ESSID (e.g., "tmobile").
  2. The AP identifies itself with a public address that is not authenticated. Although every LAN device has a unique factory-set address, MAC addresses are easily reconfigured by Network Interface Card (NIC) utilities and programs like SMAC. Thus, any 802.11 device can transmit packets that appear to originate from your AP or your station's MAC address.
  3. None of these 802.11 management packets are cryptographically protected against eavesdropping, modification, insertion, or replay. Attackers can easily capture legitimate packets using open source tools, resending them later with modifications. Evil Twin attacks sometimes begin with sending forged Deauthenticate or Disassociate packets to disrupt existing associations, forcing stations to repeat the sequence shown in Figure 1.
Wouldn't using Wired Equivalent Privacy (WEP) or Wi-Fi Protected Access (WPA) eliminate these weaknesses? The answer is no. WEP and WPA and WPA2 (802.11i) encrypt data after the association is established, but cannot prevent ESSID, BSSID, MAC address, or management packet spoofing. However, as we will see, 802.1X can potentially detect an Evil Twin before the user can be compromised.
Setting the trap

Now that we've seen how legitimate 802.11 associations form, let's consider what happens during an Evil Twin attack.
First, the attacker targets an ESSID. In a conference center, hotel, or airport, the attacker can use that venue's hotspot ESSID. Or he can run Hotspotter to listen for Probes from nearby stations, watching for common ESSIDs. Because Windows XP automatically probes for every ESSID it has associated with in the past, it is not hard to find stations seeking residential or hotspot ESSIDs. To target a specific WLAN, the attacker can run NetStumbler, Wellenreiter, Ethereal, or another freely-available stumbler or analyzer to identify a WLAN's ESSID.
Next, the attacker deploys a phony AP (broadcasting the target ESSID) near victim stations. The attacker could deploy a hardware AP, but more often runs AP software (e.g., HostAP, SoftAP, wifiBSD) on a laptop or PDA. For example, Quetec's 4-in-1 PC card can turn any Windows PC into a SoftAP, creating a platform for further attacks.
Since most stations will associate with any AP having a given ESSID, it may not be necessary to forge the AP's MAC address. But if the victim has tried to stop rogue associations by using a MAC-based Access Control List, or the attacker hopes to confuse Intrusion Detection Systems, the phony AP's MAC address can be set to a legitimate BSSID, thereby creating a "Base Station Clone." This is how the attack earns the nickname, "Evil Twin."
To bait the trap, the phony AP is usually connected to the Internet or your company's network. For example, a Hotspotter AP can be plugged into a hotel's wired broadband connection, using "free Internet" to lure unsuspecting guests. Or a laptop running SoftAP can use a second wireless NIC to associate with a legitimate AP, transparently relaying traffic between victims and the upstream network they had intended to reach.
Reeling in the victim

Launching a phony AP in a populated area is often enough to attract victims. For example, a SoftAP sitting near you in an airport or cafe may present a stronger signal than the legitimate AP, hidden in the distance. At the office, employee laptops will automatically reconnect to a phony AP broadcasting recently-used home/hotspot ESSIDs. If intended victims don't associate to the phony AP without encouragement, the attacker can force roaming by using AirJack or void11 to send Deauthenticate or Disassociate packets, carrying the legitimate WLAN's BSSID.
Once a victim associates to a phony AP, the attacker has a "man in the middle" platform from which to launch exploits. Conceptually, the AP's position is similar to that accomplished in Ethernet LANs through ARP Poisoning. But it's easier to achieve this through an Evil Twin, since the attacker does not require physical access to a LAN port or switch, and wireless stations put themselves at high risk by behaving promiscuously.
What comes next?

  • Using any Web server (IIS, Apache), the attacker can present a fake hotspot login page to steal the victim's username, password, or credit card number. Airsnarf, a shell script, demonstrates this simple attack.
  • Victims can be redirected to the fake portal or any phony server by DNS spoofing. The attacker either uses DHCP to designate himself as the WLAN's DNS server, or intercepts queries addressed to other DNS servers. The phony AP's DNS server then resolves e-commerce URLs to localhost so that it can present look-alike Web pages.
  • There, common Web phishing attacks can solicit confidential information or use active content to infect the station. For example, at Interop 2005, AirDefense identified APs posing as a free wireless network, presenting a malicious Web page that downloaded a virus whenever the victim clicked anywhere on the page.
  • As described in "Nandi versus Virtual Virtuoso: Part 2," application packet injection tools like Airpwn can modify content sent to victims. Airpwn listens to one wireless NIC and injects traffic through a second wireless NIC -- for example, responding to any "GET" or "POST" packet with an offensive graphic image.
  • Finally, a phony AP can run traditional man-in-the-middle (MitM) tools like Dsniff and Cain. Dsniff can access encrypted data by tricking SSH clients into accepting a forged SSH server public key, or tricking Web users into accepting a forged SSL server certificate. Cain also records cleartext passwords sent by common applications like email. These are just two of many MitM attacks that can be run on a phony AP to take advantage of traffic relayed between the victim and upstream servers.
Now that you've followed the steps of an Evil Twin attack, what can you do to counteract them? I suggest eight countermeasures in Part 2 of this article.
but that's a wireless attack you say! I'm not on a wireless network, it doesn't apply to me!!!

:rant: sorry guyz and galz, it's the principle that's the same. i only need to put myself in a position where i can read and insert packets to perform a mitm attack. oh and let this be a lesson to you who run wireless - i've yet to see a network that takes more than 15 min to crack once it's been known. again i repeat, YOU CANNOT SECURE WIRELESS EFFECTIVELY AT THIS TIME. ok right sorry for the side rant. :rant:

ok part two to the article:

Anatomy of a Wireless "Evil Twin" Attack (Part 2: Countermeasures)

by Lisa Phifer, Vice President, Core Competence Inc.
Evil Twin attacks (described in detail in Part 1 of this article) trick users into associating with phony wireless Access Points (APs). Evil Twins wrap old Man-in-the-Middle attacks in new 802.11 clothing, creating a risk that grows at the same rate as Wi-Fi deployment.
Tools used to launch Evil Twin attacks (also known as AP Phishing, Wi-Fi Phishing, Hotspotter, or Honeypot AP) are plentiful and potentially dangerous. No published research quantifies attack frequency in corporate networks, but AirDefense estimates that over 80 percent of those using Wi-Fi at InfoSec 2005 were susceptible to this attack. The same can be said for the vast majority of residential WLAN and public hotspot users.
So, how can you defend yourself or your employees against Evil Twin attacks? Here are eight suggestions.

  1. For starters, include Evil Twin attacks in your Wi-Fi Acceptable Use Policy, making users aware of these phony APs, the vulnerabilities they exploit, the risks they pose, and defensive measures.
  2. When you're traveling, if that AP offering free Internet seems too good to be true, it probably is. Given a choice between free wireless and paying out of pocket, most people choose free every time. A company-defined plan that pays for safe Wi-Fi access -- at least to some degree -- may help keep your users out of trouble.
  3. Encourage employees to use "secure hotspot" tools. For example, the iPass Connect client uses an encrypted login protocol, eliminating interaction with spoof-able login portals. T-Mobile offers an "enhanced WPA network" option in US hotspots, using 802.1X to authenticate users over TLS, verifying the Authentication Server's certificate to help defeat Man-in-the-Middle attacks.
  4. Back at the office, use 802.1X Port Access Control for robust mutual authentication. Avoid weak Extensible Authentication Protocol (EAP) types such as LEAP; use EAP-TLS, EAP-TTLS, or PEAP to check the server's signature against a trusted CA certificate configured into every station. Although stations still cannot authenticate APs, your 802.1X Authentication Server will authenticate your APs.
  5. Teach users never to accept certificates or keys presented when connecting to APs or application servers. Warn them to avoid "downgrade" attacks, where a phony AP operates without 802.1X or a phony portal operates without SSL. Phishing often succeeds when users make mistakes; education can help users to recognize attack symptoms.
  6. Client promiscuity is the primary vulnerability exploited by phony APs. Teach users to disable NICs when not in use. Configure wireless clients to reduce risk. For example, configure Windows XP to connect only to Preferred Networks, only in Infrastructure Mode, and only upon request, reducing risk of Hotspotter exploits. In small WLANs, configure clients such as Cisco ACU with a list of Specified APs. (But, given that MACs can be forged, balance how much effort you put into this against the amount of security benefit you'll realistically derive.)
  7. Companies that centrally-manage employee desktops, laptops, and/or PDAs should control wireless station configuration, taking users out of the equation, or at least reducing their role. For example, a product like Wavelink Avalanche or Windows Active Directory Group Policy Objects can be used to administer 802.11 and 802.1X parameters on Windows PCs.
  8. Use a Wireless Intrusion Detection or Prevention System to detect unauthorized APs, recognize attack signatures for tools like Hotspotter, and automatically break associations between legitimate stations and phony APs. These provide the Wi-Fi equivalent of Network IDS/IPS, but wireless host IDS is also starting to emerge. For example, AirDefense Personal is a host-resident scanner that warns users when unexpected events occur, such as roaming to another AP (which may or may not indicate Evil Twin activity).
No single measure listed here is sufficient to stop all forms of Evil Twin attack. However, by combining these measures and educating users, you can build a strong defense to detect and deflect phony APs encountered in home, hotspot, and office environments.
added part two b/c it's not fair to scare on wireless without a little explanation on how to secure. sorry for the few wasted minutes reading if you don't care/doesn't apply. anyhow the point is in the correct position, given that email is typically plain text, it's easy to read it in transit.


so we've seen:

a. email is insecure
b. email server can be secured
c. what mitm really is


however i would like to point out - even if you set your emails to be encrypted to your desired sender, if it's not encrypted on the way back that's an open book - kinda like listening to one side of a phone convo - god forbid, though that they send you a reply without that.

so now we need to become paranoid ~!!!~

it's obvious at this point [i think] that we need our own email server somehow in order to be convinced to a T that it cannot be used against us.

but lets revisit something from the first article:

How can you be sure that the sender of an e-mail message is really who they claim to be? Have you ever thought about how easy it is to impersonate someone using e-mail? SMTP does not authenticate the sender of an e-mail message. Therefore, I (or anyone) can send an e-mail and claim to be anyone else. It is typically possible to identify the address of the computer which sent the message, but this still does not mean that it was really me using the computer to send the message.
there is no way to guard against this.


2. the solution: a beginning


so i'm not going to go through and make a guide on how to secure email servers, though i would recommend placing your server in a country that's legally separated and possibly not co-operating with your country.

so from usa point of view: russia is good, nl is good, se is good - all to a point. being across national lines and having a server that does email is NOT illegal. but it DOES mean that they gotta get real formal to getcha.

so, you say.
lets assume that i have an email server of my own
how do i prevent this????

set it up so that it only accepts emails from its own service. run it on an internal port. nothing hits the net. only allow connections via a custom 4096 bit cert [far far above the 1024-2048 that's normally used {1024 has been demonstrably crackable via brute force in a reasonable amount of time by a single supercomputer array}]; and only accept emails from itself, or other servers you know are for a FACT secured.

the only thing left is to secure the server itself - and that's where we leave off.
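What a receiving server can still read off a message, given the quoted point that SMTP does not authenticate the sender while the sending computer's address is usually identifiable. This is an added example, not part of the original post; the host names, networks and sample message are constructed assumptions, and a result with no flags does not prove the sender is genuine.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the hosts and networks that belong to the receiver.
OUR_HOSTS = {"inbox.local.example", "mx.local.example"}
OUR_NETS = [ipaddress.ip_network("10.0.0.0/8")]
IP_RE = re.compile(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]")  # IPv4 only
BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")

# Constructed sample message: the From header claims bank.example, but the
# envelope sender and the host that handed the message to our MX say otherwise.
RAW = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx.local.example (mx.local.example [10.0.0.5])
\tby inbox.local.example with ESMTP id A1; Mon, 06 Apr 2009 10:00:02 +0000
Received: from unknown (HELO mail.bank.example) (203.0.113.77)
\tby mx.local.example with SMTP id B2; Mon, 06 Apr 2009 10:00:01 +0000
From: "Your Bank" <security@bank.example>
Subject: account notice

body
"""

def handoff_ip(msg):
    """IP of the first outside host, read only from Received lines our own servers wrote."""
    for hdr in msg.get_all("Received", []):
        flat = " ".join(hdr.split())  # unfold continuation lines
        by, ip = BY_RE.search(flat), IP_RE.search(flat)
        if not by or by.group(1).lower() not in OUR_HOSTS or not ip:
            return None  # written by someone else: this line and all below are forgeable
        addr = ipaddress.ip_address(ip.group(1))
        if not any(addr in net for net in OUR_NETS):
            return str(addr)
    return None

def domain(header_value):
    """Lower-cased domain part of the address in a From or Return-Path header."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw):
    msg = message_from_string(raw)
    result = {"from": domain(msg.get("From")), "envelope": domain(msg.get("Return-Path")),
              "handoff_ip": handoff_ip(msg), "flags": []}
    if result["envelope"] != result["from"]:
        result["flags"].append("From domain differs from envelope sender")
    if result["handoff_ip"] is None:
        result["flags"].append("no trustworthy handoff IP")
    return result
```

Mailing lists and bulk senders legitimately use a different envelope domain, so the first flag is a reason to look closer rather than a verdict.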
 

GMT

The Tri Guy
Veteran
my wireless laptop just displayed the error message "warning, I need a tin foil hat" I think you just worried it.
 

resinryder

Rubbing my glands together
Veteran
wow that's insane. If that happened in the states people would riot.


Think so? Saw an intelligence officer with Cheyenne Mountain, one of our nation's highest security complexes, state a couple of years ago during an interview that at that time they were intercepting over 1 million emails a day from the states.
Besides, if we did start rioting, Janeane Garofalo would just go back on CBS, NBC, CNN, any one that would give the stupid bitch air time, and declare that we were just all a bunch of racist rednecks for not following along blindly. Someone needs to give her the coveted Lemming award.


 

RetroGrow

Active member
Veteran
Political correctness gone wild.
Because of the notion that all people should be treated equally, the borders of the UK and the USA have been over run. The UK has so many Muslims living there, that these immigrants are making life miserable for the natives. We have to watch them every second for fear that they will blow something up. England, and many European countries are losing their national identity to these invaders. What a shame that we have to "pretend" that these people are our welcome neighbors, when in fact, they are the enemy and should be extinguished.
All the great cultures of Europe are being overwhelmed. When you allow your country to be invaded by barbarians, this is what you get. No security. Paranoia rules.
The only way to stop it is to stop these people from immigrating.
But that would be politically incorrect.
Sad and pathetic.
Gutless "leaders" who pander, rather than protect.
 

GMT

The Tri Guy
Veteran
I think the term extinguished is going too far. But I do think that it's time for the servants/leaders/masters of a country to put the inhabitants of that country first before bowing down to the process of globalisation. When you open the borders of a country, you invite people from countries that failed to create a country worth living in. When you then invite them to live in your country in the same way that they lived in their own country, then how can you expect them to be a positive influence on your country? Although when the servants/leaders/masters of your country use these people as an excuse to tighten their grip on the original inhabitants, then who is to blame for the biggest deterioration? The immigrants or your S/L/Ms?
 
nekoloving

Think so? Saw an intelligence officer with Cheyenne Mountain, one of our nation's highest security complexes, state a couple of years ago during an interview that at that time they were intercepting over 1 million emails a day from the states.
Besides, if we did start rioting, Janeane Garofalo would just go back on CBS, NBC, CNN, any one that would give the stupid bitch air time, and declare that we were just all a bunch of racist rednecks for not following along blindly. Someone needs to give her the coveted Lemming award.



the way they DO THIS IS MITM lol i'll prove it:

we need a
Code:
because you can have your template set a size and just scroll, so you can put REAAAAAAAAAAAAALY large docs and just read and scroll ;) in the meantime:

http://privacynotes.com/privacy_blog/2006/05/att-nsa-spying-evidence.html

http://www.att.com/gen/press-room?pid=4800&cdvn=news&newsarticleid=22372
:fsu: like they wouldn't be allowed to say they didn't lol

http://www.spamdailynews.com/publish/ATT_tech_outs_NSA_spy_room.asp

now i'm warning you this next site can get into very heavy reading at times but here:
http://arstechnica.com/old/content/2006/04/6585.ars
http://arstechnica.com/security/news/2008/03/an-overview-of-the-nsas-domestic-spying-program.ars
http://episteme.arstechnica.com/eve/forums/a/tpc/f/174096756/m/481008758831/inc/-1
http://origin.arstechnica.com/news....rivacy-when-your-definition-matches-ours.html
http://origin.arstechnica.com/search.ars?Tag=domestic+spying

this is what you're SUPPOSED to be afraid about.

p.s. forgot to add that .mil .gov do have a second physical network. and massive dark lines. this network is NOT a thread directly for these attacks, as it's physically completely separate and boxen on THAT network are not supposed to be able to access THIS network [well the www is a collection of nets but whatever] - and really for national defense and security this IS a good thing.
 
purpledomgoddes

all digital com are recorded/archived - wherever it is originated/connected to.

just 1's and 0's. not very difficult.

read how internet began, where traffic goes, etc. read james bamford's shadow factory or puzzle palace.

borders are non-existent when comes to net; important thing is servers, ip addy of modems, computers, etc. automatic updates to comp, etc. all relay ip addy, etc. architecture of net was created to record all (circa 1969, ucla, et al.). there are storage facilities as large as small cities, w/ legacy storage gear - not to mention fiber optic storage, 3d holographic storage, etc. this does not even account for pen registers/trap&trace, key stroke regs', etc.

read how comp's actually communicate. just 1's and 0's. shouldn't be that hard to see how done/is done. OLD, KNOWN ops were 'carnivore', and 'echelon' for data mining; allegedly discontinued. other, newer, unknown versions potentially exist.

hope this helps.
 
