We can do that. We have the technology. Such mods are fairly simple.
With an ability to switch the light off, again mechanically. You may have to do some covert filming of cops.
Not all free speech defenders (I know, I know); the EFF recently filed a brief defending Defence Distributed, the group that produced and distributed a design for a 3D printed firearm.
Major points for EFF then.
It all depends on your threat model and who you think you’re securing it from. It is secure from you and non-nation state actors. From the NSA, less so but more than you think.
Can you independently audit it? Will it let you in to take a look what’s for real?
You have embedded so many partially false statements in this post that it will be difficult to address them without running on too long. However, let me speak in re a key one: “In the real world, people demand convenience. […] increase in convenience [effects] a decrease in security”. This (as amended) has much validity, but your statement that every increase in convenience must effect a decrease in security is not the 2nd law of thermodynamics; it’s an opinion.
More to the point, this sort of statement in re the phone OS has nothing to do with key points I and a few others were focused on in this thread, namely the ease with which manufacturers could have installed (as defaults) physical barriers to protect camera lenses, and to a less obvious extent, mikes. A “convenient”, malleable, inter-operability maximizing OS cannot magickally access physical hard switches, sliding covers etc, unless it’s designed to do so. Many design elements which could do an average user some good are not in the OS. They are often very simple, physical things, some of which have been in use in appliances and technical equipment for decades.
I know and work with one 60-something UNIX user who still has a dumb phone and an ancient laptop (Debian). He shudders with disgust when he talks with me about the way we’ve been laid bare in the past few years. I am not willing or able to live his Luddite life; no one who raises teenagers today could do it. However, like him, I am not partial to the “we need to fuck you morons over due to your demand for easy toys” argument.
As an aside, it’s been a long time since I regularly used a UNIX mainframe, and I’ve never been more than a user. My most recent experience with UNIX involved staggering around cluelessly on a Centos 5 machine, desperately trying to find the damned crontab file which should have been in /etc but wasn’t… and then hand typing rsync -ar every afternoon for months.
I have no desire to go back to “doing it all” by hand. I do not believe we need to in order for our modern appliances to be much more secure than they are now.
I don’t know which packaging system Centos uses but I usually go this way:
apt-get install mlocate
updatedb (may not be needed if installer runs it)
locate <filename or its part>
In this case,
locate crontab
There’s also apt-file.
apt-file find <filename or its part>
which finds the packages in which the filename part you are looking for is.
Couples well with strace, which tells you what files a traced process is looking for and where; if missing, they can be found in a package and that then installed.
Thanks. We gave up a year ago and switched to a Windows platform for the modeling software this machine is dedicated to. I was supposed to be the “expert” on managing the Linux machine; it would have been funny if it weren’t so far off base. Developing a modest expertise in UNIX is not hard, but it required time I don’t have. I’m supposed to be using the equipment; not breastfeeding it 24/7/365.
I do so love the smell of de haut en bas in the morning.
Here’s a useful hint; patronising people wins you no friends.
Not silly, it’s a good start. How about freedom of the press, in the context of the National Security Letter and corporate PR? It requires a press to make a public press release.
Cent certainly annoys me as well, and I know you’ve moved to Windows, but for posterity ‘crontab -E’ works out of the box – unless someone changed it (which happens a lot).
But to your main point, as an infosec professional ( https://www.linkedin.com/in/jeremy-pickett-6aa0aa33 ) I agree with @kupfernigk. I don’t see half truths in the post you are replying to, but nuance. And I am happy to discuss any particular points you’d like to talk about.
It wasn’t a particularly well thought out post on my part, but I continue to be amazed that people don’t understand that:
It wasn’t so long ago that I posted on another site that a firewall which is running in a VM is not a true firewall for other VMs on the same host and got into an argument with someone who works on hypervisors. The next thing was an attack on a hypervisor using a vuln in the microcode of some AMD processors which could be exploited from the application layer. So I tend to reject @hmclachlan’s idea that you can make a fully secured system which still allows interoperability. I do feel that a lot of people nowadays are OS-and-above level only and don’t understand quite how high the software ziggurat is getting. But, now I’m retired, it’s get off my lawn mode rather than memo to CTO mode.
If you take a tainted input, you may be exploited.
If your memory can be read, you may be exploited.
If you have sensors, you may be exploited.
I like the idea of say shutters for cameras, so for example my co-workers won’t accidentally see me in my pajamas during a remote Skype call. But saying computers/phones should be secure by default is the equivalent of saying banks should be secure by default.
Fixed that for you.
But there are degrees of exploitedness and different threat models. A script kiddie is not the NSA and a botnet malware distributor is not the People’s Army.
I accept your patch, and it will be published in the next build
Please feel free to reject this assertion; I didn’t make it, & did not intend to give this impression when posting brief retorts to enso (after he savaged some poor neophyte who had voiced a legitimate concern). I should not have belittled you then, but you seemed to be giving him broad support for every word he’d written in this comments thread.
I should not have written “systems should be secure by default”; I understand that implies the operating system. Rather I should have said that appliances should be designed with security as a primary consideration.
Vulnerability of OSs seems to be unavoidable; it’s the work-arounds that I have hope for. I don’t think any operating system can attain the kind of security you might deem “full”. I’m convinced that our appliances can be far, far better, however, and that shutters, manual indicators of on v. off for switches (mandatory on German-made analytical equipment I used for c. 30 years) and similar design elements can go a long way towards securing our devices. If they were normalized – culturally – among those who manufacture these kinds of devices, then the “guy with the ‘unsecure’ device sitting next to my kid on the bus” issue is also mitigated. And yes, mitigation is all one can hope for.
Having said that, I strongly disagree with your argument – so accepted among the tech elite – that it was the demanding, feckless consumers who created our wretched status quo. The device users did not make the decisions which brought us to where we are now; they were largely unaware of the price they pay – in code – for having handsome toys. Hell, I even knew on some level, and I didn’t grow wary until I saw my first pinhole camera built into my new laptop (c. 2010). I’ve never met the “average consumer” who actually demanded such a thing… only designers who thought it cool, and then standardized it.
Why is it we still have lidless Sauron eyes on the back and front of every smartphone as an industry default? “Consumer demand” does not truly account for it, not given how malleable demand truly is. If you make something truly better, the “demand” gravitates to it. In order to create this demand however, one needs to actually have a small touch of respect for one’s target audience – the user.
Er, right…
Sure, they can’t steer you off the road, but controlling brakes and transmission can still allow them to drive you off the road.
Except that the picture you disingenuously included showed neither a steering issue nor an “off the road” issue. That’s a parking lot, not a road. The car was only going straight, having driven out of parking space, and was a demonstration of braking control. This picture has nothing to do with steering. Had the driver wanted, he could have turned the steering wheel, and avoided going into the ditch.
All of which is moot, as this issue was patched years ago.
That was exactly the point I made (which apparently you missed entirely). You keep (disingenuously?) bringing up steering when that wasn’t originally mentioned nor is that the issue - that vulnerability did allow remote control of brakes and throttle, which is more than sufficient to cause someone to drive off the road (or worse). And yes, it was patched - but again, the issue is whether the government could compel the automaker to force an update that would unpatch it. I don’t think that’s likely, but it’s not fundamentally any different from what’s being asked of Apple.
Ok, I’ll happily amend my statement to, “This picture has nothing to do with driving off the road”.