ya… always. I get more than little freak out by the amount of people who think that “insert whatever” should be perfect.
I’m a security engineer. I know encryption at a high level and how to leverage it for my purposes, but not the math or intricacies. I rely on smarter people than I to do that, and I just read and study their thoughts and research. The encryption is fine in that sense. Not attacking you by any means, just wanted to point that out. I’m legitimately frustrated with his video because I literally know better. He’s a smart guy but he’s out of his league here. The equivalent would be me trying to make a video saying how VI is a fundamentally flawed text editor because X person made it and has keyloggers build into it, without supplying evidence.
1 Like
I am assuming that Https is superior to the previous http and regardless of doubts on the origins that best practice should be used until proven otherwise. The story of computer science in general. I think someone stated if one person stop using https that he has done a disservice.
HTTPS is just the secured/encrypted version of HTTP. The guts are still there.
I believe him to be a person that if you present him with the evidence and the reasoning about how something he has done is disservice , he will move to correct it. I guess we will see.
1 Like
People did. Including me. He ignores it.
1 Like
This guy knows:
Hippo
Hippo
3 days ago (edited)
I am not entirely sure if you are just trolling or if you really believe this, i actually think this video is dangerous (explained below).
Problem #2:
It is not easy to fake a certificate, there are two ways, first is to hack (steal the private key) from a CA that which root cert is trusted by everyone, this would be on the same level as attacking google or other large services directly. Second option is to install your root cert on the victims computer, which is almost pointless because if you already have access that allows this you could get any data anyway. That is both very hard, so HTTPS is at least effective against the typical MitM attacks.Problem #3:
Yes, the NSA developed SHA-2 and has proposals for RNGs, but these are also reviewed by other cryptography experts and after years still considered secure. Almost all certs are generated by openssl on Linux, you also don’t trust at all these open source implementations? Btw, AES is also from the NSA, and they helped with many others encryption standards. So you rather communicate in plaintext than some encryption because you think it is pointless anyway? This is dangerous.Also it seems that you didn’t understand the whole point of transport encryption, it is not against the NSA etc. (they can get the data from the servers anyway directly) it is against manipulation of the website only in the transport (server <-> client). This makes it important also to sites that don’t require a (bank) login. With plain http it is for example possible to change the content on the website (spread false information), inject malicous Javascript and much more…
Yes, every software has bugs and SSL/TLS has big flaws for sure, but is is still the best we have so far und should be used whenever possible. Every system is insecure from the core (the CPU), but that does not mean we should give up and call it pointless, that helps nobody.
And Lunduke remains silent.
The can’t be perfect so fuck it we are all going to die logic is also flawed…By life. While we are still here and not all dead we do need to push towards our goals. One of which is security.
1 Like
TL;DR on my feelings about this.
A world with backdoored encryption is probably better than a world with no encryption at all. We know the whole CA cert thing does not really solve the problem of trust. it just moves it back one step.
Here’s my comment, so you won’t have to go to YouTube to read it:
Sites that have not been maintained are dangerous. If someone has not renewed their certificates, why should you expect them to have kept up with security updates?
SHA 1 and 2 were developed by the NSA, yes, but cryptographers have looked at both of them for years now. At best, you can be concerned about the constants that are used, but those are specifically designed to be above suspicion; see the Wikipedia article for Nothing up my sleeve numbers
If you are actually worried about certificate authorities, you could support CACert or Let’s Encrypt.
Ignoring a perfectly reasonable system merely because you don’t like who developed parts of it is the height of stupidity. With an alternative system you couldn’t prevent covert code contribution from the NSA either, you would just give yourself a false sense of security. How ironic is that?
1 Like
Supposedly they will be making their own laptops eventually, but at the moment they work closely with/resell Clevo and Sager machines, or so I heard in Hacker News comments.
That isn’t the bad part.
Not trusting them is not only the smart thing to do, its the SAFE thing to do.
However, we should not dismiss them simply because we do not trust them.
I don’t trust some of my co-workers nearly at all. That does not mean I should immediately dismiss any new ideas or concerns they might have with something we are both working on.
Can confirm, I got a S76 Lemur 2015 model. Terrible build quality. And when I say terrible; its because its mostly plastic.
Negatives: shit chicklet keyboard, not backlit. Shit trackpad. TN panel. 1360 x 768. Speakers are utter garbage.
Positives are that its easy to upgrade, non-locked down UEFI, and thermals are pretty good. Can upgrade to a M.2 SSD as well as a 2.5" drive bay and an optical drive.
They have, its this one. Its a step up (aluminum chassis), but the keyboard is not backlit and its still a shitty chicklet. And all this for $900 starting? Fuck that.
Instead of trying to make better laptop they decided to roll their own OS; which I guess is fine. Only problem is that if you want people to buy your laptop then make a good product.
What is severely lacking for todays laptops in general.
- metal chassis
- IPS display
- 8 Hr battery life (last a full fucking work day of actual use god dammit)
- good trackpad (won’t wear down over time, solid feel)
- good keyboard (tactile, backlit, non-chicklet)
There are only a handful of laptops that meet most of this criteria, Apple included (although they have shit internal components), because I guess no one wants to make a good functional product.
So far, the only things I’ve seen come close to this the is LG Gram 2018 rev 2 that was debuted at CES 2018. I almost don’t care that it will cost over $1500, I’m tired of all the shit quality everyone seems to make.
Rather than System76, I keep an eye on Purism, don’t know that much about their hardware, but it is a metal chassis.
Mostly though, I like reading through their development blog posts, especially the ones about porting Coreboot, and the crazy things that break during development. Take a look at the Schrödinger’s Wi-Fi section in this post about Intel ME.
My 5c: Lunduke isn’t wrong if I understand what he tries (and fails) to say. What I think he talks about is the Chain of Trust principle, which we use pretty much everywhere. Rutkowska (Qubes OS) always brings up the same subject, but in regard to TPM and signed bootloaders and all that crap. And yes, the CoT is kinda dangerous. Not as dangerous as not having an encryption at all, but it’s still bad.
@Levitance
"He came to this conclusion based of some very wild speculation on his part, like his assertion that it’s easy to fake a certificate. Spoiler alert, it’s not. "
EDIT: (I broke the quote so I did it manually)
I was listening to ‘Security Now’ this week (Twit.tv) and Steve Gibson mentioned that there was a black market for certificates found recently. The long and short of it was that if you paid the right entity, you could have a certificate made for you that looked like it came from an actual CA. Steve came to the conclusion that it was most likely an insider that is doing this on the side illegally, but it could also just be spoofed.
With that said, I don’t agree with Lunduke’s point I just wanted to bring that story up to your attention.
2 Likes
I don’t suppose you recall which episode this was mentioned in? I’d like to give it a listen. I can think of a number of ways this could come up, but they would be clamped down very quickly just due to the nature of certificates. There would need to be more than just a weak CA somewhere, or a CA whose private key was compromised. If they were using an actual valid CA, then the first time a fake cert was discovered, that weak CA would be immediately identified and burned at the stake.
No, if this is going on, there’s got to be more to it, like getting large swaths of computers (be it the OS, or the browser in the case of browsers that have their own trust store) to trust a bogus CA. Honestly I’d bet money on browsers being compromised. The Internet is a filthy place, and browsers swim in it like hogs in filth. 
And just to keep things tidy, even if that was the case, it doesn’t mean that HTTPS is broken, and it doesn’t change the fact that Lunduke didn’t back up any of his assertions in this video. I know you’re not arguing this point, but I want to take every opportunity to point out the fact that Lunduke does not back up his claims at all, ever in this video.
2 Likes
@Levitance It was this week’s episode: Security Now 652 ‘WebAssembly’
I looked into the show notes HERE and the article used as a reference is HERE. And I am always happy to provide my documentation and evidence, because that’s what you are supposed to do when you have an opinion/argument [particularly on a public forum…or in a youtube video].
1 Like
Thanks much! I’ll give that a listen.
1 Like