
Comment by nickpsecurity

10 years ago

There are regular security solutions, then there are those meant to stop High Strength Attackers. I warned ProtonMail's team and infrastructure wouldn't handle the latter. I was expecting stealth 0-days, though, given there are DDOS mitigations available. That they went down due to DDOS was a bit of a surprise.

"Cost estimates for these solutions are around $100,000 per year since there are few service providers able to fight off an attack of this size and sophistication. These solutions are expensive and take time to implement, but they will be necessary because it is clear that online privacy has powerful opponents."

No shit lol... Not a good sign that they're already in reactive mode. On the other end, that MyKolab hasn't gone down might mean they're already compromised or just not targeted by this attack. I wonder what it is. They're just a GPG carrier in a semi-neutral jurisdiction in my usage, though. ProtonMail would've been, too, but I figured they'd be more likely to have service issues.

You mentioned that you warned ProtonMail's team about High Strength Attackers. What else did you warn them about? What other security flaws do they have in your opinion?

  • I warned others about them. I rarely warn projects any more because my associates and I have done that until we were blue in the face with little effort. My MO is to just post good stuff in forums that attract talent so they might see and adopt it. In any case, I posted a write-up on what real security is and what goes into it on Schneier's blog in response to a [false] comment saying secure coding is all you need. Here's the Pastebin of it:

    http://pastebin.com/y3PufJ0V

    Here's a specific example where I try to make a step-by-step guide for high assurance Tor without knowing its internals. Just drew on my prior work:

    https://www.schneier.com/blog/archives/2014/09/identifying_d...

    Hope what High Assurance Security takes is more clear now. Unless you get lucky (e.g. GPG), you need high assurance to resist TLAs successfully and that might just be delaying the inevitable. Still need monitoring & tamper-detection.