I am not apologizing or legitimizing what they are doing… But why go through a locked front door (encrypted channels) when there is an open window (zero day or scared tech company)?
The culture of us infosec professionals has got to change, including LEOs.
I don't understand what I'm looking at at the top of the post. Was the FBI using old fashioned typewriters to create reports in 2007?
It's the only way to be really secure. They know what is compiled into popularly available operating system kernels.
The FSO (think Russia's Secret Service) bought typewriters in the wake of Snowden.
Didn't they once fuck over a dealer using one of the "secure" crypto webmail systems by breaking into his house & swapping out his keyboard with one that had a built-in keylogger? Sure I read that story here on BB.
Never underestimate physical security.
But the evil maid attack against full-disk encryption is a real and tried attack vector - and implementing physical security needs a somehow different mindset and knowledge.
Unfortunately IT security is still regarded as product and not process, too often when I ask about security concepts I get the answer "we have a hardware firewall".
And in about thirty seconds to a minute, you'll have a real firewall on the red ethernet cable - now that's protection!
outline of a joke: I like my ? like I like my ? - air-gapped.
That. And that's why both the hardware and software and physical security people should drink and/or smoke together and exchange notes.
I work in infosec; historically, in research, in bug finding, in working on offensive and defensive systems. At that level, I don't know anyone who would be for this push. And I know plenty who have the USG as major customers over the years - advanced endpoint and network protection folks, bug finder sorts, and so on. Myself included.
Could be, in those sectors we are biased. After all, one, we know for a fact that the USG has no problem with getting access to systems. Including the FBI. Some sell to the USG, some work for consultancies who sell to the USG. Others make systems designed to detect and protect against zero day.
So the whole push, seems to me, to be without consulting anyone from that sector. It seems, to me, to be like the intelligence with the Iraq War, where there were experts on Iraq whose opinions were ruled down. In fact, all intelligence analysts with experience in the area and all intelligence officers with proven product results were ignored. So those who had their agenda could push it.
To me, all of this is just one slow disaster after another. One great spectacle of idiocy after another, that has its time in the limelight, and then… that limelight changes. It becomes more bright, and those standing in it become clear as to who and what they really are. In the limelight, it is vague, debatable. In the light of day… it is not. At all.
Infosec double secret handshake engaged
Obligatory.
That's what a duress password/PIN is for, to be entered in the early stage of interrogation before the adversary steps things up. Get asked nicely, enter the duress access code, show innocent content while the machine is forgetting the real key and possibly destroying traces of being encrypted.
Sure, you get beaten up, but you won't be able to compromise yourself further (and potential other people involved).
The key is that you can initiate the action while not under rubberhose-grade persuasion yet, and then have no way back even if they break you.
I don't know about you, but the idea that I might willingly destroy the thing I could give them that might stop them torturing me* goes somewhat against the grain.
* Yeah, I know, likelihood that they would actually stop torturing me is low.**
** But not nearly as low as the chance that I'll ever actually be in this kind of situation.
The trick is to take that option when you still believe they would not even start.