[cryptography] Preserve us from poorly described/implemented crypto

Marsh Ray marsh at extendedsubset.com
Tue Jun 7 12:00:32 EDT 2011


On 06/07/2011 07:18 AM, Ian G wrote:
>
> People in tall glass buildings should learn not to throw electronic
> stones then.... It's easy, just use a laptop w/ethernet. No wireless, no
> keyboard loggers. Corporates know how to issue laptops.

If the Vice-President of Large Fund Risk Arbitrage (or whatever) tells 
the IT nerd to get him a wireless keyboard, he gets one. I know this 
because I was once the IT nerd.

>> On the defense side, the agencies that are experienced at looking at
>> signals also have the mission of protecting the US government itself.
>> Surely they realize it's impractical to keep every off-the-shelf
>> keyboard out of every marginally sensitive location.
>
> Then, the rest of society has to pay for their incompetence?

Well, yeah, obviously. Let us hope this is the least of it. :-)

On the other hand, driving security improvements for everyone is a great 
way that government purchasing requirements can improve security for 
everyone. Perhaps in this case it has even encouraged the development of 
an off-the-shelf secure wireless keyboard.

Other stuff I'd like to see government purchasing encourage:

Opaque covers for cameras on computers.

Require hard-wired physical cut-out switches on all microphones and 
antennas attached to or in computers. Software and chipset logical 
switches don't count, they can usually be hacked. Anything but a simple 
physical disconnect switch proves impractical to verify.

General purpose computers get hacked far to easily to allow them to have 
open microphones and cameras. Combined with wifi, this is a ridiculous 
combination to permit.

My Toshiba notebook has a wireless cut-off switch. But it appears just 
sets a bit that the driver is supposed to respect. Of course this is 
useless if the driver is unreliable or compromised. When running Linux 
for example, it often detects and offers to associate with nearby access 
points even when the switch is off! This means that at least the 
receiver is still operational and is thus willing to accept and process 
attacker-supplied data.

> Anyone know what the price of a DoD-secured keyboard is :)

Anyone else see this from a few years back?

Many cars now come with Bluetooth for hands-free mobile phone operation. 
Turns out they have the same challenge as this keyboard implementing an 
effective method of securing the initial association.

The result is...The Car Whisperer:
http://trifinite.org/trifinite_stuff_carwhisperer.html

- Marsh



More information about the cryptography mailing list