CDR: Re: Lions and Tigers and Backdoors, oh, my...

Michael Motyka mmotyka at lsil.com
Thu Sep 28 15:08:15 PDT 2000


DH wrote :
>One very common security model is that the security perimeter includes
>the PC and you're only concerned with transmission interception.  
>
Definitely the wrong place to draw the dotted line if you're truly
worried about your information.

>MS is swiss cheese but most OS have some weakness in many configs.
>
>How many people actually look at the source of the code they
>install on *nix machines???  How many of those who do are actually qualified
>to do security reviews?  Cf. recent PGP bugs.
>
Not enough.

>If you're really worried you'd use a sealed PDA (that you can control at
>all times) to capture/render and the PC is just for transport.  [This
>applies Tim's modularity argument to hardware.]
>
>I'd consider a Starium unit a dedicated PDA in this context.
>
>Of course, both PDA and Starium remain succeptible to shoulder surfing, bugs, 
>your windows modulating a laser, etc.
>
>dh
>
Using an embedded system is not a new topic here. I think its the only
viable method of securing data.

On that note, given the little wireless gizmo of Tim's description, the
device could have, via appropriate applications on the insecure
host/transport gateway, access to a services on the host that would
expand its list of resources without compromising security. The obvious
useful resources are the network and mass storage though other i/o might
be interesting. All storage of course would be encrypted and never
available as plain text on the host. Any i/o used should not carry
information that is to be kept private, only as a means to transport
non-critical data into the PDA.

What is required is a PDA that is open sourced all the way down to the
HW. Is the Palm this way? I think I've asked this before but frankly I
don't remember the answer. There are probably others that are OK. Yopy
looks interesting. Which ones will still be around in a couple of years?






More information about the cypherpunks-legacy mailing list