dear Eve,

coderman coderman at gmail.com
Sat Jan 25 10:51:31 PST 2014


On Fri, Jan 24, 2014 at 10:07 AM,  <fre3frizt at riseup.net> wrote:
> ...
> Is there any way to save any evidence of this kind of attack,

as stated earlier, you can use technical means to monitor at this level.

software defined radio with the right decoding, good position, proper
antennas can obtain full bits.  even without specific decoding,
measuring signal levels at various frequencies compared to baseline is
also useful.  and of course, you can always improve decoding after the
fact.

directly accessing flash storage and comparing firmware images in a
way otherwise not possible.

instrumenting and modifying software to verbosely report on anomalies
and make it likely attempted attacks will fail unsuccessfully. (see
also camouflage)

the list goes on and on and on,



> ... to use to help fix the vulnerability?

help fix vulnerability?  i am sympathetic to your intent, but these
exploits are the product of a large, well funded process.  they take
advantage of positioning in the middle, or next to your endpoint.
they're churned out like an assembly line.  "saving evidence to fix"
is like asking for a digest to add to your antivirus blacklist...

in this model, success is measured by doing less badly.  not by
protecting or fixing.



> ... and to provide to the EFF, ACLU, or other
> interested parties that may want to litigate?

i have alluded to this before:  multiple constraints limit what i can
disclose, and those groups are not likely to be helpful in specific
scenarios.

general efforts to eliminate public funding for CNE would be useful, however!
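
An added example, not part of the original message: one way to do the firmware-image comparison mentioned above and keep a record that can be preserved alongside the dump. The 4096-byte block size, the function names and the sample images are assumptions constructed for illustration.

```python
import hashlib

BLOCK = 4096  # assumed flash erase-block size; set to match the actual part


def manifest(image: bytes, block: int = BLOCK) -> dict:
    """Baseline record of a known-good image: whole-image hash plus per-block hashes."""
    return {
        "size": len(image),
        "sha256": hashlib.sha256(image).hexdigest(),
        "blocks": [hashlib.sha256(image[i:i + block]).hexdigest()
                   for i in range(0, len(image), block)],
    }


def compare(baseline: dict, dump: bytes, block: int = BLOCK) -> dict:
    """Compare a later flash dump against a baseline manifest.

    Returns the dump's own hash (to record with the preserved copy) and the
    byte ranges, in whole blocks, whose contents no longer match the baseline.
    """
    current = manifest(dump, block)
    old, new = baseline["blocks"], current["blocks"]
    regions = []
    for idx in range(max(len(old), len(new))):
        a = old[idx] if idx < len(old) else None   # None: block absent in baseline
        b = new[idx] if idx < len(new) else None   # None: block absent in dump
        if a == b:
            continue
        start, end = idx * block, (idx + 1) * block
        if regions and regions[-1][1] == start:    # merge adjacent changed blocks
            regions[-1] = (regions[-1][0], end)
        else:
            regions.append((start, end))
    return {
        "match": current["sha256"] == baseline["sha256"],
        "dump_sha256": current["sha256"],
        "size_changed": current["size"] != baseline["size"],
        "changed_regions": regions,
    }


def sample_images():
    """Constructed sample: a 16 KiB reference image and a copy altered in two blocks."""
    reference = bytes(range(256)) * 64
    altered = bytearray(reference)
    altered[5000] ^= 0x01                      # single-bit change in block 1
    altered[9000:9004] = b"\xde\xad\xbe\xef"   # four-byte change in block 2
    return reference, bytes(altered)
```

The manifest only helps if it was taken from an image known to be good and is stored somewhere the monitored device cannot write to.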


