On 06/07/2011 07:18 AM, Ian G wrote:
People in tall glass buildings should learn not to throw electronic
stones then.... It's easy, just use a laptop w/ethernet. No wireless, no
keyboard loggers. Corporates know how to issue laptops.
If the Vice-President of Large Fund Risk Arbitrage (or whatever) tells
the IT nerd to get him a wireless keyboard, he gets one. I know this
because I was once the IT nerd.
On the defense side, the agencies that are experienced at looking at
signals also have the mission of protecting the US government itself.
Surely they realize it's impractical to keep every off-the-shelf
keyboard out of every marginally sensitive location.
Then, the rest of society has to pay for their incompetence?
Well, yeah, obviously. Let us hope this is the least of it. :-)
On the other hand, driving security improvements for everyone is a great
way that government purchasing requirements can improve security for
everyone. Perhaps in this case it has even encouraged the development of
an off-the-shelf secure wireless keyboard.
Other stuff I'd like to see government purchasing encourage:
Opaque covers for cameras on computers.
Require hard-wired physical cut-out switches on all microphones and
antennas attached to or in computers. Software and chipset logical
switches don't count, they can usually be hacked. Anything but a simple
physical disconnect switch proves impractical to verify.
General purpose computers get hacked far too easily to allow them to have
open microphones and cameras. Combined with wifi, this is a ridiculous
combination to permit.
My Toshiba notebook has a wireless cut-off switch. But it appears it just
sets a bit that the driver is supposed to respect. Of course this is
useless if the driver is unreliable or compromised. When running Linux
for example, it often detects and offers to associate with nearby access
points even when the switch is off! This means that at least the
receiver is still operational and is thus willing to accept and process
attacker-supplied data.
Anyone know what the price of a DoD-secured keyboard is :)
Anyone else see this from a few years back?
Many cars now come with Bluetooth for hands-free mobile phone operation.
Turns out they have the same challenge as this keyboard implementing an
effective method of securing the initial association.
The result is...The Car Whisperer:
http://trifinite.org/trifinite_stuff_carwhisperer.html
- Marsh
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography