Sunder wrote :

Great and wonderful except:

1. If such spyware has already been installed on your system you can't trust your os therefore: [snip]

Yes - end of story.

2. Any hard drive you can access so can they. "They" can patch your disk: [snip]

The only way I can think of to prevent this is to have the disk completely encrypted in which case you could safely give a copy to anyone who wanted one. The BIOS shouldn't be trusted either. The problem then is booting which could be done from some sort of card/dongle that you carry with you that requires a (many digit)PIN before it regurgitates your boot code.

3. Newer G3+ Mac's use open boot prom or some such which lives in eeprom. Such things can be patched at that layer and can propagate on bootup. Booting off a read only disk (CDROM, etc) wouldn't help in this case.

Yup. Maybe a bootFLASH can be replaced with some SRAM which must be downloaded from your key device before booting. Something like : power up, hold processor in reset, remove boot SRAM from bus, load boot code, switch boot memory to system bus, allow startup.

4. If you live in a crowded area, your iPod can be lifted off you in a false mugging, or break in, pick pocketting while you're at a restaurant, movie, etc.

A physical device plus a PIN seems somewhat immune to that problem. In fact you could keep multiple copies.

5. Watching for files that change daily is a fool's task for the reasons mentioned above, and the Sysiphean task it presents. Better get the equivalent of Cops or Tripwire to do the work for you, but they too can be tampered with.

Mostly.

6. If McAffee bent over to the Feds, you can be sure that so will the makers of Zone Alarm and other firewalls.

Probably anything that is exported and some that aren't.

7. Remember, they don't need to capture all your keystrokes. Just the ones you use as passphrases. And they don't need to copy your whole hard drive, though they easily could when you're out of the house. Just your secret key file and your passphrase.

8. If you shut off your computer when you leave your house, it makes their job that much easier. If you leave it on, they could note what's open and put it back to the same spot.

Not if there is no code in the clear on the machine - no functional BIOS, no usable HDD.

9. If you use a login screen, etc, Or they could simply run something that would take a snapshot of your desktop, shutdown your Mac, install the malware/copy your files, then and boot off of a floppy that displays the screen you left up, plus a Type 1 Bomb (MacOS equivalent of blue screen of death), and eject the floppy thus - making it look like your Mac crashed, or, simply go down to the basement and trip your circuit breakers making it look like you've had a power failure (even UPS's run out at some point.)

With the BIOS and HDD encrypted off is safe. Might be a neat little gizmo with a keypad. BIOS is encrypted on the motherboard. Boot memory is SRAM that is lost when power is removed ( lost short of extreme detection measures that is ). The little gizmo reads the encrypted BIOS, decrypts and transfers it to boot SRAM.

10. Ordered any new copies of a bit of software? Maybe they have a deal with FedEx, UPS, the Mailman. Maybe what you're getting is the upgrade and then some. How can you tell that copy of SmallTalk doesn't carry an extra bit of code just for you? How can you tell that the latest patch to MacOS you've just downloaded really came from Apple? Sure DNS said it was from ftp.apple.com but how do you know that the router upstream from your internet provider didn't route your packets via ftp.fbi.gov?

Once they have physical access, you're fucked. Remote access is almost as dangerous as them having physical access, however it can work in your favor as they won't be as familiar with your environment, and thus are far more likely to expose the malware to you.

Sure, all of these things are more or less preventable, except for physical access, and a lot of these come down to trust and reputation. But reputation and trust are also rubber hose-able (if there is such a word.) :)

You can trust your best friend until you find out otherwise. You can trust your bank until you find out otherwise. You can trust your software provider until you find out otherwise. But by the time you've found out, if you've found out at all, you've already been fucked.

Maybe just installing an OS you got as a binary is all it takes to be F'd. Maybe rebuilding that OS with an F'd compiler propagates the effedness. If you have everything encrypted until your key device readies it for boot then you could run a F'd BIOS, OS and apps as long as you kept the system isolated. Let it log all it wants. Sounds like a good sentence for a Windows box. Mike