Re: [TSCM-L] {4648} Bypassing voice encryption on cell phones (including CryptoPhone)

From: Kevin Wetzel CI PI <ke..._at_slcsecurity.com>
Date: Sun, 7 Feb 2010 02:56:14 -0500

Kevin Wetzel CI PI
NCPI3908 168-CI
SLC Security Services LLC
www.slcsecurity.com
Phone: 717-831-TSCM
Toll Free: 866-585-5115 x1
Fax: 720-247-7849

----- Original Message -----
From: "Sampo Syreeni" <de..._at_iki.fi>
To: <tscm-..._at_googlegroups.com>
Sent: Friday, January 29, 2010 10:27 PM
Subject: Re: [TSCM-L] {4648} Bypassing voice encryption on cell phones
(including CryptoPhone)


On 2010-01-29, ed wrote:

> John's points are well taken, but I believe people shouldn't throw in the
> towel in trying to achieve COMSEC.

Definitely not. But they ought to understand how hard it really is. And
they should try to grasp the real threat model. That isn't about
somebody breaking your crypto for the fun of it, unless the crypto is
really poor. It's about cold, hard, cost-benefit analysis. In that sort
of thing, good crypto is almost never the weakest link, or so the point
that is going to be attacked first.

> The more efforts people take to make the spies' jobs more difficult, the
> less effective their overall surveillance efforts will be.

Quite so. But then even the "innocent" folks who are doing this
shouldn't kid themselves either. They're giving a cover to something
else. They're not the crypto-heroes you see in movies. They're more like
cannon-fodder, as opposed to the stealthy über-sniper. Even if the
person whose communications were stealthed because of the cover traffic
was the cleanest, most moral person ever.

> The Wired article exposing the vulnerabilities of "secure" telephone
> products is academic. Every single one of these "successful" attacks used
> unfettered physical access to the encrypted phones to compromise them!

Perhaps so. But then Wired asked the wrong question. In the security
business, it's all threat model first, second and third. Usually your
most vulnerable point isn't about mathematically weak crypto. It's about
your physical security, in one form or another.

So when you end up on the netz, or were otherwise exposed, well, you
just lost. It doesn't much matter how or why. You simply lost the game.
So if (and as!) it's mostly about physical security, what good does
crypto do then, really? You're out in the open, and bad things are going
to happen to you.

(This is also why the oldskool crypto folks talk about rubberhose
cryptanalysis and the idea of Real Names. If they could find you, and
they could torture both you and your loved ones well and good, it's
unlikely that even the soundest of mathematics would much help you. You
then don't think that could ever happen? Well, then you just told us you
really don't have much of value to hide, so that they don't really have
much reason to come after you in the first place. If they did, crypto
wouldn't help you as such; if they didn't, crypto wouldn't much help you
either. That's because the math holds far beyond your limbs. So if it's
really that important, every sane adversary goes for your flesh before
your math.)

> Whenever an attacker has unfettered physical access to a target's
> encrypted phone, the game's over.

True, unless your phone is truly difficult to reverse engineer and/or
tamper with. (So it's again about how much you have to lose, i.e. how
much you're willing to invest in order to keep your secrets to
yourself.) Normally it's difficult to plant a backdoor at short notice,
so it's difficult to rig the game in a short while. Then you could have
memorized a strong password. And you should have. You could win out, at
least at the short term. Which is when they go for your limbs. Assuming
that your knowledge is worth enough, once again.

> As Cryptophone's (and no doubt other products) users manual states,
> installing third-party applications on the phone renders the phone
> insecure by definition--as does allowing an untrusted party unfettered
> physical access to the encrypted phone.

Third party software should not be a problem when the hardware has been
designed properly. Unfettered third party physical access always is, but
again, I think it's a longer term threat. Not a short term one.
-- 
Sampo Syreeni, aka decoy - de..._at_iki.fi, http://decoy.iki.fi/front
+358-50-5756111, 025E D175 ABE5 027C 9494 EEB0 E090 8BA9 0509 85C2
Received on Sat Mar 02 2024 - 00:57:27 CST
