From owner-freebsd-security@FreeBSD.ORG  Mon Sep  9 05:42:07 2013
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTP id 9F4E02AB
 for <freebsd-security@freebsd.org>; Mon,  9 Sep 2013 05:42:07 +0000 (UTC)
 (envelope-from list_freebsd@bluerosetech.com)
Received: from yoshi.bluerosetech.com (yoshi.bluerosetech.com [174.136.100.66])
 (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 8A5CC26CE
 for <freebsd-security@freebsd.org>; Mon,  9 Sep 2013 05:42:07 +0000 (UTC)
Received: from chombo.houseloki.net (c-76-27-220-79.hsd1.wa.comcast.net
 [76.27.220.79])
 by yoshi.bluerosetech.com (Postfix) with ESMTPSA id D1BC2E6040;
 Sun,  8 Sep 2013 22:42:00 -0700 (PDT)
Received: from [127.0.0.1] (ivy.houseloki.net [10.9.70.20])
 by chombo.houseloki.net (Postfix) with ESMTPSA id 6D878260;
 Sun,  8 Sep 2013 22:41:59 -0700 (PDT)
Message-ID: <522D5FA3.7020701@bluerosetech.com>
Date: Sun, 08 Sep 2013 22:41:55 -0700
From: Darren Pilgrim <list_freebsd@bluerosetech.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64;
 rv:17.0) Gecko/20130620 Thunderbird/17.0.7
MIME-Version: 1.0
To: Ian Smith <smithi@nimnet.asn.au>
Subject: Re: Anything in this story of concern?
References: <20130909144142.J99094@sola.nimnet.asn.au>
In-Reply-To: <20130909144142.J99094@sola.nimnet.asn.au>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: "Security issues \[members-only posting\]"
 <freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
 <mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 09 Sep 2013 05:42:07 -0000

On 9/8/2013 9:44 PM, Ian Smith wrote:
> <http://www.abc.net.au/news/2013-09-06/new-snowden-documents-say-nsa-can-break-common-internet-encrypt/4940138>

Have a look at estimates on the number of internet servers and desktops 
still vulnerable to BEAST, CRIME, et al.  That's for the population of 
devices where updating the SSL library is about as easy as it gets.  Now 
consider all those network devices and embedded systems with outdated 
firmware or where updating the embedded https/ssh server is impossible 
or the vendor won't bother.

It's known the NSA prefers taps in central locations (like switches and 
routers) for better coverage efficiency.  Combine these and the question 
of whether or not they're listening is one of capacity, not capability.

This isn't really news, though.  If you're worried about it, make sure 
your stuff uses TLS v1.2 with strong ciphers and large keys.