I am not apologizing or legitimizing what they are doing… Buy why go through a locked front door (encrypted channels) when there is an open window (zero day or scared tech company)?
The culture of us infosec professionals has got to change, including LEOs.
I don’t understand what I’m looking at at the top of the post. Was the FBI using old fashioned typewriters to create reports in 2007?
Its the only way to be really secure. They know what is compiled in to popularly available operating system kernels.
Didn’t they once fuck over a dealer using one of the ‘secure’ crypto webmail systems by breaking into his house & swapping out his keyboard with one that had a built in keylogger? Sure I read that story here on BB.
Never underestimate physical security.
But the evil maid attack against full-disk encryption is a real and tried attack vector - and implementing physical security needs a somehow different mindset and knowledge.
Unfortunately IT security is still regarded as product and not process, too often when I ask about security concepts I get the answer “we have a hardware firewall”.
And in about thirty seconds to a minute, you’ll have a real firewall on the red ethernet cable–now that’s protection!
outline of a joke: I like my ? like I like my ? - air-gapped.
That. And that’s why both the hardware and software and physical security people should drink and/or smoke together and exchange notes.
I work in infosec; historically, in research, in bug finding, in working on offensive and defensive systems. At that level, I don’t know anyone who would be for this push. And I know plenty who have the USG as major customers over the years – advanced endpoint and network protection folks, bug finder sorts, and so on. Myself included.
Could be, in those sectors we are biased. After all, one, we know for a fact that the USG has no problem with getting access to systems. Including the FBI. Some sell to the USG, some work for consultancies who sell to the USG. Others make systems designed to detect and protect against zero day.
So the whole push, seems to me, to be without consulting anyone from that sector. It seems, to me, to be like the intelligence with the Iraq War, where there were experts on Iraq whose opinions were ruled down. In fact, all intelligence analysts with experience in the area and all intelligence officers with proven product results were ignored. So those who had their agenda could push it.
To me, all of this is just one slow disaster after another. One great spectacle of idiocy after another, that has its’ time in the limelight, and then… that limelight changes. It becomes more bright, and those standing in it become clear as to who and what they really are. In the limelight, it is vague, debatable. In the light of day… it is not. At all.
Infosec double secret handshake engaged
That’s what a duress password/PIN is for, to be entered in the early stage of interrogation before the adversary steps things up. Get asked nicely, enter the duress access code, show innocent content while the machine is forgetting the real key and possibly destroying traces of being encrypted.
Sure, you get beaten up, but you won’t be able to compromise yourself further (and potential other people involved).
The key is that you can initiate the action while not under rubberhose-grade persuasion yet, and then have no way back even if they break you.
I don’t know about you, but the idea that I might willingly destroy the thing I could give them that might stop them torturing me* goes somewhat against the grain.
* Yeah, I know, likelihood that they would actually stop torturing me is low.**
** But not nearly as low as the chance that I’ll ever actually be in this kind of situation.
The trick is to take that option when you still believe they would not even start.
This topic was automatically closed after 5 days. New replies are no longer allowed.