timcmay at got.net
Tue Jul 15 12:08:20 PDT 2003
On Tuesday, July 15, 2003, at 09:05 AM, Major Variola (ret) wrote:
> At 09:29 AM 7/15/03 -0400, Sunder wrote:
>> So, the best way to avoid that situation and not being able to reach
>> big red switch, is simply not to attract their attention in the first
>> place by not following the footsteps of Jim Bell. :)
> Stego + broadcast is indeed your friend.
>> A more likely, and far more important, scenario to worry about is the
>> black bag job whereby a hardware keystroke recorder can get installed
>> without your knowledge...
>> There may be ways to prevent/detect this... Software (open or closed
>> source) alone won't help very much.
> Epoxy and other conformal coatings are also your friends.
Thinking about this brief comment, I assume MV means sealing a PC to
make black bag opening more apparent.
But this suggests a return to _sealing wax_. Seriously.
A dab of sealing wax (available in most stationery stores, save for
Staples, Office Depot, OfficeMax, Paper Barn, StaplerWorld, Nothing But
Rubber Bands, and other warehouses masquerading as stationery stores)
over the side panels and other access points, even over the floppy and
CD-ROM ports (carefully!), and a distinctive signet ring or other such
seal-making device could be quite easy to use.
(As we all know, CIA and other spook agency "flaps and seals"
specialists are well-versed in duplicating such seals...but probably
only after collecting good information. An FBI black bag job is likely
to encounter the sealing wax and seal and be unable to duplicate it.
There may be tools now to take a fairly good impression, perhaps with a
fast-setting polymer, and then make a convincing duplicate of the seal.
All crypto is economics, though, and simple seals probably work against
There are other methods:
-- keep key material on a USB or PCMCIA flash card dongle.
-- wear this around your neck or otherwise make it secure against
girlfriends, wives, others who may try to copy it
-- use a small handheld PC (like the HP machines) or Palm OS device as
the "front-end" for security apps: at the simplest level, use it to
store very long keys which don't get typed-in, but instead are
cut-and-pasted in a way to bypass the keyboard driver completely.
Note: It is common in military crypto for there to be different levels
of "security tokens" to increase physical security. Rarely are the keys
to the kingdom gotten merely by sitting down and typing stuff into a
computer. For one thing, this encourages people to get lazy and write
the passwords and keys down on Post-It notes or on pieces of tape stuck
to the underside of paperclip holders or other entropically-obvious
things. For another thing, it makes remote attacks or keystroke logging
much more of an attack mode. Finally, the rigamarole or ritual of
having physical tokens on chains around one's neck tends to make the
process of security seem more serious, which can cause more care to be
(All of this slows down the process. The rigamarole that a shipboard
crypto shack will put up with is not the same as what Joe Sixpack will
put up, as we all know. RSA-like crypto makes crypto a lot less
expensive to deploy, but it's wrong to think it makes it a no-brainer,
point-and-click process....except in things like SSL, where it does a
specialized job without human involvement.)
-- the usual point about having a network with a secure machine locked
up very well in a closet or safe (I have a large gun safe, which I
usually run a small heating element into to prevent condensing
conditions...I have toyed with the idea of putting a small PC running
on 25-40 watts, or less, into this gun safe, with only a power cord and
Ethernet wire coming out).
-- and the usual point about having cameras watching the areas where
the PCs and keyboards are located.
(Yeah, maybe the black bag types can find and disable the cameras, but
then Alice knows something unusual happened. But odds are pretty good
they _can't_ find all of the cameras or microphones or sensors,
especially in a building with many PCs and wires and other gadgets.
They can cut the power, but smart folks have things on battery backups,
or self-powered, or on laptops left plugged-in and able to run for 3-4
hours without AC power, etc.)
Were I setting up such a system, all sorts of inexpensive ideas suggest
By the way, I recommend the novels of Thomas Perry, especially
"Pursuit," "Vanishing Act," and his others in the "Jane Whitefield"
series. All four novels of his I have read so far deal centrally with
issues of people trying to escape those tracking them, kind of a
private version of the Witness Security Program (popularly called
"Witness Protection"). The novels are filled with good ideas, and a few
glaring misses, about changing identity, avoiding patterns, etc.
If there's a weakness in his novels, it's that not enough modern
technology is used. I cringe when I see his characters not even using
readily-available throwaway cellphones to stay in contact, or not even
setting up Hotmail accounts to communicate. (He favors postal dead
drops, which in at least one of the novels allows an attacker to find
out the home and name of another....a determined opponent, like the
government, would know the names and addresses quickly.)
Still, his series fits with the kind of security awareness and
hypervigilance we often discuss.