Re: [PLUG] groan

Rich Freeman on 25 May 2018 11:37:30 -0700

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] groan

From: Rich Freeman <r-plug@thefreemanclan.net>
To: Thomas Delrue <delrue.thomas@gmail.com>
Subject: Re: [PLUG] groan
Date: Fri, 25 May 2018 14:37:13 -0400
Cc: LeRoy Cressy <rev.cressy@protonmail.com>, Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>

On Fri, May 25, 2018 at 12:43 PM Thomas Delrue <delrue.thomas@gmail.com>
wrote:

> On 05/25/2018 09:20 AM, Rich Freeman wrote:

> > The problem is that even if you don't have a smart TV, all your friends
do,
> > so if the NSA is listening in they get to hear your friends talking
about
> > you.  Add in Facebook/SMS, and for that matter basically all the
internet
> > traffic there is, and a lot of off-internet private line traffic for the
> > major cloud providers, and any cooperative data feeds they get...

> Or as you keep repeating in most of these types of threads: "Why
> continue fighting? The terrorists have won this battle anyways. You
> stand no chance of winning so what's the point to keep fighting?
> Besides, they /want/ their panem et circenses..."

> I find that type of fatalism hidden under a thin veil of "practicality"
> or misplaced "reasonableness" tiresome and damaging. I think that it's
> nothing more than hiding behind the status quo or "fait accompli".

Your accusation is absolutely true, but I'll stick by my attitude, because
I see no practical alternative.

Hey, if I were supreme leader every store would take NFC payments, the
government wouldn't spy on you, everybody would get along, and you wouldn't
have to go to work on Monday morning.

However, that just isn't the world we live in, and trying to fight the
system makes no sense when it has no positive impact on your life.

> It's not about whether you are /currently/ on their radar, it's about
> whether or not you will ever be on their radar because then they will
> throw the book at you: what is legal/acceptable today, may not be
tomorrow.
> And when, FSM forbid, you do get on their radar, your adversary will
> recall *exactly* what you did on May 27th, 2002 since they have a record
> of it, but you won't & you will tell them something inaccurate; and
> lying to a law enforcement officer is illegal in this country and
> carries a harsh prison sentence so you just got an extra charge with
> prison time on top of everything else just for that.

Absolutely true, but they'll know what I did on May 27th regardless of
anything I try to do to prevent it.

> > Personally I'm more concerned with identity theft/etc.  I don't care if
the
> > NSA can break bitlocker/etc.  I care that if I lose my laptop somebody
> > isn't stealing all my cookies and credit card numbers.

> Sure, that's a more pertinent threat, you're right to be concerned about
> any one of these things. But that doesn't take any of the threats of
> privacy invasion away, it just adds to them. You should still care that
> the NSA can break bitlocker, because if they can, so can the DGSE, the
> GRU&SVR, the MSS, the Mossad and pretty much any other intel service
> worth their salt - of which there are more than you may think. And if
> they can, then non-state actors aren't that far behind either.

That depends on how the NSA can break it.  If it is due to a weakness in
the system then that would be exploitable by anybody.  If it is because of
an otherwise-secure back-door, then that access would be limited to the NSA.

In the case of something like bitlocker the NSA could compromise it simply
by having the TPM module accept signed commands to release its key data, or
decrypt data even without a verified boot path.  Unless you had the NSA
signing key (which the manufacturer would not have - you don't need it to
implement this in a TPM), you wouldn't be able to utilize this exploit.
Well, at least not without defeating the TPM hardware, but if you can do
that then the backdoor doesn't make any difference.

Alternatively the bitlocker software could encrypt the session key using an
NSA public key and write that on disk somewhere.  However, that would be a
lot easier for an auditor to detect than something designed into the TPM
chip.

Now, to the extent that the NSA doesn't have a private backdoor and is just
hacking the hardware, then conceivably anybody else would have the same
opportunity assuming they invested the same amount of effort into defeating
it.

-- 
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Follow-Ups:
- Re: [PLUG] groan
  - From: Chris Norton <chris@nortoninc.info>

References:
- Re: [PLUG] groan
  - From: prushik <prushik@gmail.com>
- Re: [PLUG] groan
  - From: Michael Leone <turgon@mike-leone.com>
- Re: [PLUG] groan
  - From: LeRoy Cressy <rev.cressy@protonmail.com>
- Re: [PLUG] groan
  - From: Rich Freeman <r-plug@thefreemanclan.net>
- Re: [PLUG] groan
  - From: Thomas Delrue <delrue.thomas@gmail.com>

Prev by Date: Re: [PLUG] groan
Next by Date: Re: [PLUG] groan
Previous by thread: Re: [PLUG] groan
Next by thread: Re: [PLUG] groan
Index(es):
- Date
- Thread