[ntp:security] Updates

Brad Knowles brad at shub-internet.org
Thu Aug 13 03:45:24 UTC 2015


On Aug 12, 2015, at 6:40 PM, Harlan Stenn <stenn at ntp.org> wrote:

> I added my nwtime.org address to the list, because until we rebuild all
> of the machines at ntp.org I didn't want my private key on those
> machines.

Good idea.

> What sort of offline media do you recommend for this storage?  I'm
> figuring a CD and/or an old thumb drive.

I’m going to use thumb drives, myself.  I bought some today that were name-brand (supposedly), but quite inexpensive.  They’re nice and flat but with colorful cases, so I should be able to easily tell them apart, and I can also print labels to put on them.  But a second copy using some other sort of media would be a good idea.

> Could/should we print out the beast using a QR 40-L image in case the
> CD or thumb drive becomes unusable?  I'd kinda hate to have to type all
> of those digits in, and I don't know if I trust a scanner to do that job
> correctly.

Yeah, we want printed copies of some sort, as well.  I hadn’t given thought to the specific printed format, however.

> Related topic - I'm told that if we go to China (for example), we should
> at least encrypt our disk drives.  I'm thinking this means I should not
> have any unprotected SSH pubkeys on the machine, either.

I can’t tell you what I would actually do, because I’m not in the position to do that next week, so I haven’t had that hard conversation with myself.

I would be inclined to avoid taking any kind of computer or communications device with me that I couldn’t just throw away at the end of the trip.  Or, wipe/reformat and use for my next trip over there, and not otherwise use it or connect it to anything anywhere else.  Anything on those devices would have to be considered automatically compromised or at least treated with maximum suspicion.

You could try setting up something with a VPN before you go over there, but they tend to be pretty good at blocking all the known VPN and encrypted communications solutions.

> What's BCP for this case?

Nuke it from orbit, I believe.  ;)

--
Brad Knowles <brad at shub-internet.org>
LinkedIn Profile: <http://tinyurl.com/y8kpxu>
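An added example, not code from this thread or from the ntp.org project: one printed format that addresses the worry in the quoted message about typing the whole key back in. Each printed line carries a CRC-32 tag, so a hand-typed restore reports exactly which line was mistyped instead of failing on the blob as a whole, and a header with the length and SHA-256 of the secret confirms the reassembled result. The 100-byte `SAMPLE_SECRET` is a constructed stand-in for a real exported key; the line layout, field names and function names are this example's own choices, not a standard.

```python
"""Paper backup of a secret with per-line checksums (added example).

Layout: one header line with the total length and SHA-256 of the secret,
then numbered lines of base64 (32 raw bytes each) followed by a CRC-32 tag.
CRC-32 detects every burst error shorter than 32 bits, so a single mistyped
base64 character on a line is always caught on that line.
"""
import base64
import hashlib
import zlib

LINE_BYTES = 32  # raw bytes per printed line (44 base64 characters)

# Constructed stand-in for a real secret key blob; a real backup would use
# something like the output of `gpg --export-secret-keys` instead.
SAMPLE_SECRET = bytes(range(100))


def encode_paper(secret: bytes) -> list[str]:
    """Render `secret` as printable lines: header, then 'NNN: <b64> <crc32>'."""
    lines = [f"LEN:{len(secret)} SHA256:{hashlib.sha256(secret).hexdigest()}"]
    for i in range(0, len(secret), LINE_BYTES):
        chunk = secret[i:i + LINE_BYTES]
        b64 = base64.b64encode(chunk).decode("ascii")
        lines.append(f"{i // LINE_BYTES + 1:03d}: {b64} {zlib.crc32(chunk):08x}")
    return lines


def check_lines(lines: list[str]) -> list[tuple[int, str]]:
    """Return (line number, problem) for every body line that does not parse,
    is out of sequence, or whose CRC does not match.  Empty list means intact."""
    problems = []
    expected = 1
    for raw in lines[1:]:
        raw = raw.strip()
        if not raw:
            continue
        parts = raw.split()
        if len(parts) != 3 or not parts[0].endswith(":") or not parts[0][:-1].isdigit():
            problems.append((expected, "unparseable line"))
            expected += 1
            continue
        n = int(parts[0][:-1])
        if n != expected:
            problems.append((n, f"expected line {expected}"))
        try:
            chunk = base64.b64decode(parts[1], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            problems.append((n, "invalid base64"))
        else:
            if f"{zlib.crc32(chunk):08x}" != parts[2].lower():
                problems.append((n, "checksum mismatch"))
        expected = n + 1
    return problems


def decode_paper(lines: list[str]) -> bytes:
    """Reassemble the secret; raise ValueError naming the first bad line."""
    problems = check_lines(lines)
    if problems:
        n, why = problems[0]
        raise ValueError(f"line {n:03d}: {why}")
    header = dict(field.split(":", 1) for field in lines[0].split())
    out = b"".join(base64.b64decode(l.split()[1]) for l in lines[1:] if l.strip())
    if len(out) != int(header["LEN"]):
        raise ValueError(f"length mismatch: got {len(out)}, header says {header['LEN']}")
    if hashlib.sha256(out).hexdigest() != header["SHA256"]:
        raise ValueError("SHA-256 mismatch: lines individually valid but not this secret")
    return out


def corrupt_line(lines: list[str], n: int) -> list[str]:
    """Simulate a transcription error: change one base64 character on line n."""
    out = list(lines)
    num, b64, crc = out[n].split()
    bad = ("B" if b64[0] != "B" else "C") + b64[1:]
    out[n] = f"{num} {bad} {crc}"
    return out


if __name__ == "__main__":
    printed = encode_paper(SAMPLE_SECRET)
    print("\n".join(printed))
    assert decode_paper(printed) == SAMPLE_SECRET
    typo = corrupt_line(printed, 2)
    print("problems after a typo on line 2:", check_lines(typo))
```

A QR code, as suggested in the quoted message, can carry the same text; the per-line tags then still help if the scan is partial and the remainder has to be typed. The per-line CRC only localises errors; the header SHA-256 is what proves the reassembled bytes are the original secret.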