Pat Gunn (dachte) wrote,
Pat Gunn

Eyes in the Walls

Recently got an email on the Neuros OSD mailing list - question was, given the possibility of hostile networks, what can be done to make the OSD more secure. Thinking more deeply about this, if one is really worried about this, one has a lot to worry about. Given the ever-increasing number of pieces of electronics in one's home, and the increasing cheapness of small-but-powerful devices, it'd be difficult for an expert to stop one's devices from potentially spying on one (especially if they might hop on any wireless network in range (and eventually have WiMax or cell-network capability)). A cheap camera, analysis of any network one might plug them into, etc, and one's security is comprimised, and this says nothing of all the people one might communicate with or TEMPEST-type attacks. One of the things I learned from working with three-letter agencies at CMU (which I don't believe goes against any of the nondisclosures I've signed) is that their manpower/cpupower per citizen is very small, and so unless they have reasons to be looking at someone (e.g. heavy use of encryption, known or believed connections with dangerous people, and more clever things), they're unlikely to be doing so on more than a cursory level. This is probably true as well of non-governmental folk who might want to spy (organised crime, businesses, etc). If they ever do become very interested in someone and can show probable cause (or if they're part of some organisation that doesn't need to), the person looked at basically loses immediately (they go to work, people enter their home and bug the place or swap some hardware/reconfigure things, etc). If one wants to hide things, the only thing they really can do is not be noticed. I find it amusing when people talk about hiding their secrets from the FBI when what they really should be thinking about is avoiding notice and their "hiding" behaviour would, if anything, just distinguish them further from some average person using the internet (even if they can get all geeks using crypto, monitoring the geeks, as self-flagged as that, wouldn't be a terrible idea if one is a TLA). To get back on the topic I wanted to raise, I don't believe that worrying about the government is as important as worrying about hackers of various sorts. Let's say one buys an Apple TV like device, a Nintendo Wii, a Playstation3, a Linksys router, and a handful of other reasonably intelligent devices. From a vulnerability standpoint, we have at least four devices there without a sysadmin that are attack vectors for one's home - even if the router is not comprimised, the devices behind it may be through bugs in content rendering. Even if we were charitable and imagined the devices ran OpenBSD, had their code continually audited for potential faults/vulnerabilities, and were run by someone at least moderately geeky, the sheer number of these systems would cause any zero-day faults to be very dangerous for large numbers of people, more when we consider that for various reasons, the devices arn't always updated regularly (sometimes never, especially when the people involved are not geeks and/or the devices don't auto-update). This is really worrying, especially if we assume that once a system is comprimised, the update functionality may be disabled/replaced with a dummy.

Interesting thing I stumbled upon today: prior appropriation doctrine versus riparian doctrine in water law. I discovered this after thinking about how wonderful chilled water is as a beverage.

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened

    Your IP address will be recorded