Join 3,418 readers in helping fund MetaFilter (Hide)


Kuang Grade Mark Eleven
February 13, 2012 9:06 PM   Subscribe

He leaves his cellphone and laptop at home and instead brings "loaner" devices, which he erases before he leaves the US and wipes clean the minute he returns . In China, he disables Bluetooth and Wi-Fi , never lets his phone out of his sight and, in meetings, not only turns off his phone but also removes the battery , for fear his microphone could be turned on remotely. He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, "Chinese are very good at installing key-logging software on your laptop." - Travel precautions in the age of digital espionage.
posted by Artw (125 comments total) 55 users marked this as a favorite

 
Artw: "and copies and pastes his password from a USB thumb drive."

He could save the trouble of carrying the thumbdrive around if he just made his password "Ctrl-C Ctrl-V".
posted by Riki tiki at 9:19 PM on February 13, 2012 [6 favorites]


I'm curious why these sorts of precautions seem particularly directed at China and Russia. I sort of assumed that pretty much every developed country was playing these sorts of games at all times. Is that not so?
posted by Scientist at 9:29 PM on February 13, 2012 [1 favorite]


I wonder how many of these capabilities are north American law enforcement's tools coming back to haunt them. The FBI has, for a long time now, been able to turn on your cellphone's microphone remotely to listen in, on a call or no. Which means the code to do that is in the phone somewhere, which in turn means other people can use it if they find it.

I guess the country where they're all made figured that gag out, unsurprisingly,
posted by mhoye at 9:31 PM on February 13, 2012 [4 favorites]


Sounds like a bit of this is personal security theater. Anything that's logging your keystrokes can easily log your clipboard or take a screenshot every x number of seconds. And I'm not being hypothetical here.
posted by gngstrMNKY at 9:35 PM on February 13, 2012 [24 favorites]


The FBI has, for a long time now, been able to turn on your cellphone's microphone remotely to listen in, on a call or no.

[citation needed]
posted by grouse at 9:36 PM on February 13, 2012 [24 favorites]


Yeah I was thinking why not adopt a No Networked Devices, pen and paper rule when overseas if you're so concerned?
posted by The Whelk at 9:37 PM on February 13, 2012 [3 favorites]


[citation needed]

FBI taps cell phone mic as eavesdropping tool

The surveillance technique came to light in an opinion published this week by U.S. District Judge Lewis Kaplan. He ruled that the "roving bug" was legal because federal wiretapping law is broad enough to permit eavesdropping even of conversations that take place near a suspect's cell phone.

Kaplan's opinion said that the eavesdropping technique "functioned whether the phone was powered on or off." Some handsets can't be fully powered down without removing the battery; for instance, some Nokia models will wake up when turned off if an alarm is set.

posted by Blazecock Pileon at 9:43 PM on February 13, 2012 [18 favorites]


A good friend and former roommate of mine has been working a legal case in Luxembourg over the past month. By their laws, in order to view information, she had to bring a fresh laptop and encrypt anything brought back to the states in such a way as to have the code be unbreakable, but also something she could memorize, as the code could not be brought back in any physical form. Among a thousand other strictly enforced protocols.

Luxembourg is basically to information security what Switzerland is to tax-havens. This is not limited to Russia and China.
posted by Navelgazer at 9:45 PM on February 13, 2012 [2 favorites]


Will a Mr. Johnny Mnemonic, travelling to China, please pick up the white courtesy telephone?
posted by likeso at 9:47 PM on February 13, 2012 [3 favorites]


Which means the code to do that is in the phone somewhere, which in turn means other people can use it if they find it.

I've never found a reliable description of this, only variously detailed descriptions and rumors (which may or may not be accurate); I suspect that it involves things like pushing an OTA software update to the phone, black-bag upgrading your phone, or making use of a remote code execution vulnerability of some kind. Of course none of those are things that would be any harder for China to do than the US.
posted by hattifattener at 9:48 PM on February 13, 2012


Why should these companies be getting any help and advice from the FBI? Frankly, if you sell out your country to cheap foreign labor and capitol you should be on your own when it bites you in the ass.
posted by dibblda at 9:49 PM on February 13, 2012 [12 favorites]


Anything that's logging your keystrokes can easily log your clipboard or take a screenshot every x number of seconds.

If you're using a detached keyboard then a logging device can be inserted between the keyboard and the computer. And even if you're not using a detached keyboard, your keystrokes can be analysed visually or mechanically in order to reveal your password. The simplest way would be to video the typist's hands, but you could also record the sound of the keys in order to pick up any difference between them, or pick up changes in pressure transmitted through the laptop's body.
posted by Joe in Australia at 9:49 PM on February 13, 2012 [1 favorite]


A few months ago, when the Dalai Lama visited Australia, I got an opportunity to meet with him briefly. I met him, shook hands with him, and he held my hand while we walked a short distance. It was an amazing experience. I also interacted with some people in his entourage. We exchanged visiting cards. My visiting cards do not have any personal email ID etc. listed. I have a fairly common Indian name.

Within a week of that meeting, my primary gmail account got hacked (it was accessed from an IP in South America). I never use that account on public terminals and take good care to keep my passwords safe. I panicked and changed my passwords on all important websites immediately. I don't think any other accounts were compromised. Starting that week, I now get a couple of emails every week wherein people apparently create gmail IDs or some other accounts on other websites and give my Gmail ID for verification. It rarely happened before that, now it is routine. I also have an old, defunct WordPress blog that is locked to everyone except those who ask for access. Again, starting that week, I now get 2-3 requests every week to grant access to that blog. Mind you, the blog doesn't even show up on Google searches, has no content whatsoever, and has been closed for more than 3 years. There has also been a huge uptick in random strangers sending me PDF/DOC documents to read and bills to pay (not my bills, just random). I haven't opened any. There was also an uptick in random strangers asking to be FB friends with me, but I deleted the FB account, so that's not a problem anymore.

Then I discovered that a friend who visited China for business just once, has been having a similar sort of experience ever since.

I can only imagine what people who actually have something to do with China on an ongoing basis have to deal with every day.
posted by vidur at 9:51 PM on February 13, 2012 [66 favorites]


The obvious choice for dealing with key loggers is to type in a completely obscure language and then provide the key to the receiving parties after you've returned.
posted by The Whelk at 9:58 PM on February 13, 2012


The FBI has, for a long time now, been able to turn on your cellphone's microphone remotely to listen in, on a call or no.

[citation needed]


Peter Burke
posted by unliteral at 9:59 PM on February 13, 2012 [1 favorite]


Frankly, if you sell out your country to cheap foreign labor and capitol [sic] you should be on your own when it bites you in the ass.

Trading with China is selling one's country out now? Really?
posted by pompomtom at 9:59 PM on February 13, 2012 [5 favorites]


Outsourcing your labor pool to a foreign country because you can't abuse the labor force at home is selling out your country. R&D is leaving as well so what will be left exactly? What is the US trade deficit with China? neutral? If dollars are traveling one way and less yuan are going the other then the US is poorer as a result.

If your manufacturing base is gone you have impoverished your nation to increase the short term stock price of your company and gotten a fat bonus out of the deal. That is selling out your nation.
posted by dibblda at 10:07 PM on February 13, 2012 [44 favorites]


The FBI has, for a long time now, been able to turn on your cellphone's microphone remotely to listen in, on a call or no.

[citation needed]


Also see the recent uproar over Carrier IQ, which while ostensibly for carriers to debug and manage devices, could very easily be used to surveil users. And yes, one of it's capabilities is the ability to remotely turn on a phone's microphone.

This reminds me of the EFF Surveillance Self-Defense Guide.
posted by formless at 10:09 PM on February 13, 2012 [3 favorites]


Sounds like a bit of this is personal security theater. Anything that's logging your keystrokes can easily log your clipboard or take a screenshot every x number of seconds. And I'm not being hypothetical here.

Yep, clipboard logging keyloggers are very real.
posted by Critical_Beatdown at 10:13 PM on February 13, 2012 [3 favorites]


Any keyboard can potentially leak information to someone who's listening carefully enough.

And don't even consider charging your phone at an airport.
posted by rh at 10:23 PM on February 13, 2012 [4 favorites]


One wonders if using something like a ChromeBook via VPN might not be handy.

The screenshot loggers can be rather laggy and bandwidth intensive though, unlike pure text ones.
posted by Samizdata at 10:24 PM on February 13, 2012


If you're going to assume your thumbdrive is uncompromised, then you should boot from a readonly liveCD image and use the thumbdrive to store your data. I don't think anyone's cunning enough to install a keylogger on a non writable CD image. It doesn't have to be on a CD, you could have that on the thumb drive as well, or leave it on the laptop's hard drive as long as you had an MD5sum of the image so you know it hasn't been compromised.

For added fun, put the liveCD image on a partition of the hard drive marked as a hibernate or emergency restore partition, alongside the supposed "main" Windows partition that's just there for them to compromise to their hearts' content because you never use it.
posted by George_Spiggott at 10:24 PM on February 13, 2012 [6 favorites]


Whatever happened to those security cards that had a keypad on them where you entered your PIN and got a one time password that worked for the next minute or so? I can find the RSA & VASCO security tokens without the numeric pad built in now, but not the ones where the pin pad is contained in the device.
posted by BrotherCaine at 10:29 PM on February 13, 2012


BTW, keyloggers can be defeated (AFAIK) with a fairly simple trick: in the middle of typing in your password, click somewhere outside the password textbox and type some characters. Return to the password textbox, carefully reposition the cursor at the end of what you've previously typed, and finish the password.

Keyloggers don't (typically) log cursor position, so instead of recording MyPassword123, they log MyPassw234njkvsaord123.

It's a good practice to follow, if you simply must log in at a public terminal.
posted by IAmBroom at 10:34 PM on February 13, 2012 [20 favorites]


>you should boot from a readonly liveCD image

Cory Doctorow gets little love here, but that is a premise in Little Brother (which I liked quite a bit).
posted by not_that_epiphanius at 10:35 PM on February 13, 2012


IAmBroom: Your technique would block automated cracking but would give more than enough clues to a real hacker to easily break your password. Reducing the search space from nearly infinite to merely millions is pretty much a total security failure.
posted by chairface at 11:01 PM on February 13, 2012 [6 favorites]


BTW, keyloggers can be defeated (AFAIK) with a fairly simple trick: in the middle of typing in your password, click somewhere outside

I'm unable to believe this. I've never messed with a keylogger but certainly ordinary retail software used for things like automated testing will record exactly what window and field received every keystroke, and these programs have been around at least since the early 90s. Any keylogger in 2012 that can't do it would be the work of a complete incompetent. The only keyloggers that are likely to be unable to capture this data would be the external hardware kind which connect inline to keyboards, and I'd be surprised if anyone has seen one of these in the wild for a long time.
posted by George_Spiggott at 11:02 PM on February 13, 2012 [5 favorites]


I can only imagine what people who actually have something to do with China on an ongoing basis have to deal with every day.

I've travelled to China for work and have remote team members over there, and in my experience...nothing?
posted by jacalata at 11:03 PM on February 13, 2012


Whatever happened to those security cards that had a keypad on them where you entered your PIN and got a one time password that worked for the next minute or so? I can find the RSA & VASCO security tokens without the numeric pad built in now, but not the ones where the pin pad is contained in the device.

They still exist, I've got one.

Even Google and Facebook have two-factor authentication now, where your phone holds your one-time password generator.
posted by meowzilla at 11:11 PM on February 13, 2012 [1 favorite]


All this caution with the phone seems silly. Couldn't you just put it in a tin, so it is inaccessible until you need it, then instantly available? Of course, no one can call or text you. But also, you can't be tracked.
posted by Goofyy at 11:15 PM on February 13, 2012 [1 favorite]


Frankly, if you sell out your country to cheap foreign labor and capitol you should be on your own when it bites you in the ass.

How's that all-American-made computer working out for you? When you turn it on, does it play the Star Spangled Banner?
posted by incessant at 11:18 PM on February 13, 2012 [4 favorites]


How's that all-American-made computer working out for you? When you turn it on, does it play the Star Spangled Banner?

Nice cheap shot. What's your point exactly? My point is that it should be made in the US or traded for something of equal value made in the US. It isn't made in the US. People in the US are poorer as a result of unequal trade with China. Some people in the US are substantially better off as a result of unequal trade with China. I'm sure this also applies to other countries around the globe as well.

If you belong to the group that continues to benefit from this, why should you get any help from the people and country you screwed if the deal turns sour on you?
posted by dibblda at 11:52 PM on February 13, 2012 [6 favorites]


At first I thought this was the James Murdoch thread.
posted by lowest east side at 12:02 AM on February 14, 2012


All this caution with the phone seems silly. Couldn't you just put it in a tin, so it is inaccessible until you need it, then instantly available? Of course, no one can call or text you. But also, you can't be tracked.

Soundproofed tin if you are worried about it being used as a microphone. Otherwise a custom firmware could be used to schedule the phone being turned on (but not the display) and the microphone used to record sound to memory for download next time the phone is available on the network. Of course, at a certain point it's easier to just bug you or the room you are in.
posted by BrotherCaine at 12:07 AM on February 14, 2012


Sounds like a bit of this is personal security theater. Anything that's logging your keystrokes can easily log your clipboard or take a screenshot every x number of seconds. And I'm not being hypothetical here.
Yeah, he should get one of those little dongles that let you use a new password each time.
The FBI has, for a long time now, been able to turn on your cellphone's microphone remotely to listen in, on a call or no.
The FBI, in this case, wasn't doing anything a hacker couldn't do. I don't know if they had permission/support of the mobile operator or not.
And don't even consider charging your phone at an airport.
Heh, I love the term "juice jacking" But yeah that's an interesting bit of reality, as USB is used more and more for charging, you're even starting to see outlets with regular USB ports. But those ports could actually be hooked into anything not just a power line.
you should boot from a readonly liveCD image
That won't help if they've hacked you at the BIOS level. In fact, most users wouldn't even notice if the machine had a hacked bootsector on the hard drive to install a rootkit then boot off a CD.

Actually, there's basically no way to really secure your hardware, unless you build it yourself. And I mean at the chip level. Like you have to fab your own chips. Maybe an FPGA would work if you trust the supplier. Ultimately it's a time/cost trade-off. The more resources someone has to spend hacking you the more paranoid you need to be. Something like Stuxnet, a virus written specifically to target one organization doing one specific thing (the Iranians, enriching uranium). In order to do it, the US/Israel had to actually figure out what hardware they were using and write a virus to target that industrial equipment. They used a security hole in windows that no one even knew about, and couldn't be defended against. It worked using USB sticks and didn't even require the machines to be hooked up to the internet.

It's pretty unlikely that anyone would ever go after you to that extent. But if they did, they could probably get you. They could target you with a browser glitch that no one even knows about yet, and buy an ad on websites they know you visit with the payload only activated when you log on.
I've travelled to China for work and have remote team members over there, and in my experience...nothing?
That you've noticed...
How's that all-American-made computer working out for you? When you turn it on, does it play the Star Spangled Banner?
My computer was built in the U.S By my own two hands! All Chinese parts, of course...
posted by delmoi at 12:12 AM on February 14, 2012 [8 favorites]


Actually, a good way for say, a mobster or spy to ensure their device doesn't have any hardware added would be to buy a phone and then fill up the insides with superglue. Before that install Cyanogen or something, and hardware indicator lights for the microphone and radio (and you might want to add hardware switches for those, as well as the GPS)
posted by delmoi at 12:25 AM on February 14, 2012


1) The great firewall of China is truly a work of dark art. Arriving in Shanghai from London with a MacBook Pro and an iPhone, when a data connection is available, suddenly familiar sites like Facebook, Twitter, and YouTube do not resolve. But one was prepared for that -- hello 12VPN. In the span of a 5-second handshake, an encrypted tunnel is created between either device and London (MacBook Pro) or Los Angeles (iPhone). The Internet returns to normal.

It's very strange being in the middle of Shanghai on a VPN-connected iPhone posting to Twitter, when few non-expats have VPN connections at home, and even less on a mobile device. It's also a bit of a blessing that the great firewall works so well, for one becomes quickly accustomed to using VPN connections and not sending unencrypted credentials or data through the great firewall.

As far as I am aware, the great firewall is an interconnected set of routers that gate all terminating cables into China. Thus, the system can be controlled from a single point -- actively controlled.

As we saw with Egypt over the summer, in most countries, it's very difficult to shut down "the internet" due to the fact that there is not such a degree of central control. In fact, the internet was designed specifically notto be centrally-controlled, thus China's undertaking and operation is quite impressive.

2) I have worked with a large Chinese manufacturer equally funded by private money out of Hong Kong and public money out of Beijing. This manufacturer has been anointed as the Chinese champion in its field, and thus enjoys considerable contracts with State Grid as well as numerous other large state agencies.

The laptop's hard drive is encrypted and logged out before plane flights. Everything important (outside of email accounts) goes on one of three TrueCrypt volumes which live on the DropBox. This was primarily done for concern of London pub theft and confidential client information, but it seems like a good idea for China as well. I've never had my laptop searched either in-bound or out-bound... in China. I have in America. Which is interesting.

And the iPhone is set to wipe itself (ha!) after whatever it is, ten mistakes. The iPhone is backed up on the DropBox in an encrypted volume as well.

But I doubt I'm a target. Several times with said Chinese manufacturer, our team has been in boardrooms in various parts of the country, from Shanghai to Beijing to tiny towns of 3 million you haven't heard of. We go for the long lunches and leave laptops open, mid-presentation. Mine automatically locks, the unencrypted volumes dismounting after 30 minutes of inactivity. I have no worries about leaving the laptop there.

Then again, I am also second figure on the totem. I had asked the project leader what his level of security was. "What?". Okay, we'll take that as a none -- unlocked front door with a sign outside that says Porsche in garage, keys on kitchen counter. THAT concerns me greatly, for he carries client documents from several large UK and EU organisations that are highly-sensitive. Launch plans, financial announcements, etc.

Not exactly the keys to the kingdom, but very sensitive information. We were told once that if a retail store spreadsheet indicating store openings went missing, it could destroy two quarters of returns. Apparently Steve Jobs did have a point with his secrecy obsession.

And I digress intentionally. As a former IT administrator, there are only two rules I continue to follow: 1) ROUTINE BACKUPS (it's amazing how many people STILL don't do this! hence the could I suppose), and 2) secure computing environment. I cannot force my superiors to follow these rules.

Thus, the real problem with these kinds of things is not technological -- TrueCrypt, OS encryption, DropBox are all free and easy, and 12VPN is $34 a year. It's educational, a human problem. Further, when I mention these liabilities to the chaps that go traveling on the project, it literally bounces off of them, as if I was speaking... well... Chinese. One went as far as to say "even if they did do something to my machine or take my passwords, it's not like they're going to do anything with it. They can't go through everyone's email."

Ha.

3) When I first went to China in 2004, I had a Typepad blog. I planned the trip from May and arrived in Beijing in September. My subdomain (nuck.typepad.com; now deceased) was blocked. Typepad.com was accessible. Thus my catchy little arrogant mid 20s assessment that "In China, I am free to speak but they are not free to listen". It impressed the other mid-20s travelers. Now I see I sounded like a damn fool.

Point being, if they could do that in 2004, what do you think they can do in 2012, resource wise? I remember the paper coming to the doors of my hotels, opening the paper... and having entire articles cut out of the middle of pages. Rumour was that there was a city somewhere which 'processed' all Western media. Every copy of the IHT I saw one day had the same article chopped out. CNN would go black whenever there was a story about China. For 10 seconds if it was a positive story, and for a minute if it was otherwise.

That takes A LOT of manpower to do those kinds of things... and China is rather famous for it's manpower at the moment.

Point is, they have two dynamics that we don't have in the West:
1) Inbound and outbound information flows are router through a single actively-controlled layer (whether newspapers or data)
2) They have the manpower to process legendary amounts of data.

As far as I am aware, no Western country has those two capabilities aligned. Then again, as mentioned, my laptop is routinely searched going in and out of the US. Never in China.

So I guess the point is take care of your data regardless of where you go. Facebook is about to launch one of the biggest IPOs in memory, and their primary asset? Personal data.
posted by nickrussell at 12:32 AM on February 14, 2012 [33 favorites]


Like you have to fab your own chips. Maybe an FPGA would work if you trust the supplier.

And the synthesis software you use to program it, of course (or to design the chip you fab); and the computer you run that software on; and the computer the synthesis software's developer used to compile the release; and… well, we've all read Ken Thompson's Turing Award lecture, right.
posted by hattifattener at 12:48 AM on February 14, 2012 [2 favorites]


I can only imagine what people who actually have something to do with China on an ongoing basis have to deal with every day.

I've travelled to China for work and have remote team members over there, and in my experience...nothing?


Sorry, poor phrasing on my part. My intention was not to suggest that everyone dealing with any Chinese entity gets hacked for sure. I am just amazed at the persistence of some of these folks with their attacks on me, even though I have practically nothing to do with China/Tibet.

Incidentally, I forgot one key detail in my last comment. The reason I started suspecting Chinese hackers in the first place was that the initial few suspicious emails to me were pretending to be from pro-Tibet individuals/groups asking me to open an attachment and read something. I had the good sense to look at the full headers straightaway and figure out that the emails were not from who they said they were from.

In my eyes, it was also proof that Dalai Lama's inner circle (I gave my visiting cards only to people who were part of his official entourage) itself has been penetrated by pro-China elements. I don't think this is news to those whose business it is to watch such things professionally, but it has been an interesting personal experience, even though it is a bit exhausting to be on the guard constantly.
posted by vidur at 12:50 AM on February 14, 2012 [6 favorites]


That you've noticed...

Very true! I was just responding to the story upthread about 'ever since I came into contact with China I have been bombarded with hacking attempts and emails and blog requests and facebook requests'. Maybe if you have any more contact, they get subtle? :)

As for why the FBI cares about companies who have 'sold out' america to china already: you know where the US gov't buys it's stuff, right? These companies. The US gov't has a very vested interest in trying to minimize the amount of backdoors that the Chinese government has into, say, IBM, Microsoft, and Apple.
posted by jacalata at 12:50 AM on February 14, 2012 [1 favorite]


It seems as if there must be a large potential market for devices that are harder (never impossible, of course) to bug. For example, add simple manual switches to phones and PCs so you can easily disconnect your camera, microphone, Bluetooth, Wi-Fi, or battery every time you're not actually using them.
posted by pracowity at 1:01 AM on February 14, 2012 [2 favorites]


Those chinese will never think to monitor the clipboard. No, no, no!
posted by CautionToTheWind at 1:26 AM on February 14, 2012


You could boot off a flash card with the read only switch set, sure they could always flip the switch writable, but that's better than nothing. You could improve upon this slightly by loading the flashcard image into ram, thus physically separating your flashcard from your machine, except when rebooting. You could surely prevent any code from running from outside the flashdrive's ramdisk image using SELinux.
posted by jeffburdges at 2:52 AM on February 14, 2012


As we saw with Egypt over the summer, in most countries, it's very difficult to shut down "the internet" due to the fact that there is not such a degree of central control. In fact, the internet was designed specifically notto be centrally-controlled, thus China's undertaking and operation is quite impressive.

Except in Iran, where all ISPs are legally required to be connected downstream of DCI, the Iranian government ISP (ASN 12880), which physically controls the layer 1 and layer 2 transit and transport connections via fiber optic cable in and out of the country.

This is AS12880.
posted by thewalrus at 3:28 AM on February 14, 2012 [4 favorites]


Like you have to fab your own chips. Maybe an FPGA would work if you trust the supplier.

There is an IBM chip fab in upstate new york which does low volume, high $$$$ chip fab work for US federal government systems and computers which are used by major defence contractors to build other products. There are a few other boutique US based chip fabs as well. For example, where does General Dynamics go to get the ICs to build a KG-175 type 1 inline crypto device?
posted by thewalrus at 3:30 AM on February 14, 2012 [1 favorite]


Maelcum produced a white lump of foam slightly smaller than Case's head, fished a pearl-handled switchblade on a green nylon lanyard out of the hip pocket of his tattered shorts and carefully slit the plastic. He extracted a rectangular object and passed it to Case. `Thas part some gun, mon?' `No,' Case said, turning it over, `but it's a weapon. It's virus.' `Not on thisboy tug, mon,' Maelcum said firmly, reaching for the steel cassette. `A program. Virus program. Can't get into you, can't even get into your software. I've got to interface it through the deck, before it can work on anything...'

`What is this thing?' he asked the Hosaka. `Parcel for me.' `Data transfer from Bockris Systems GmbH, Frankfurt, advises, under coded transmission, that content of shipment is Kuang Grade Mark Eleven penetration program. Bockris further advises that interface with Ono-Sendai Cyberspace 7 is entirely compatible and yields optimal penetration capabilities, particularly with regard to existing military systems...'

He slotted the Chinese virus, paused, then drove it home.
`Okay,' he said, `we're on..."
`Christ on a crutch,' the Flatline said, `take a look at this.'
The Chinese virus was unfolding around them. Polychrome shadow, countless translucent layers shifting and recombining. Protean, enormous, it towered above them, blotting out the void.
`Big mother,' the Flatline said.

posted by thewalrus at 3:38 AM on February 14, 2012 [8 favorites]


Anything that's logging your keystrokes can easily log your clipboard or take a screenshot every x number of seconds.

Yes, obviously a key logger running as software on your PC could capture anything. But a key logger implemented in a separate device could only look at your keystrokes.
posted by Pruitt-Igoe at 3:50 AM on February 14, 2012 [1 favorite]


How is this "roving bug" feature possible? Are manufacturers explicitly required by law to backdoor their phones, or is it sold as one of those "emergency mode" features like requiring phones to be able to place 911 calls even if they have no valid account/number with a provider?
posted by Pruitt-Igoe at 4:03 AM on February 14, 2012


I read this when it came out last week and immediately started scanning the laptops of our guys that travel out of the country a lot. So far, nothing. But the new policy is imaged laptops that get re-zapped on return and no cell if possible.
posted by Old'n'Busted at 4:13 AM on February 14, 2012 [1 favorite]


I may be missing something...and I welcome people's feedback, but I've always thought there was an easy way to defeat all keyloggers, screenshot software etc while travelling: throwaway passwords.

1. Before you leave on your trip, you connect securely to your bank/whatever and it generates say 10 or more throwaway, randomly generated passwords.

2. You write these down on a piece of paper.

3. When you travel, instead of using your master password, you login with one of your throwaway passwords. After that login, that password cannot be used again.

4. Repeat step 3 using and checking off from your list of passwords.
posted by vacapinta at 4:19 AM on February 14, 2012 [1 favorite]


vacapinta: One time passwords are a well-proven solution to some password security problems. However, they don't protect you from MITM attacks or from trojans that can hijack existing privileges in order to obtain access to private data.
posted by pharm at 4:24 AM on February 14, 2012 [1 favorite]


Unfortunately, vacapinta, one of my agents stole the physical password list from you while you were going through a security checkpoint. It's a good idea but the problem is having all of those passwords written down. This is really interesting stuff.
posted by fuq at 4:42 AM on February 14, 2012 [1 favorite]


I should add my current bank uses something similar and possibly better. They force me to have a long password and then, when you login, they ask you only for four random digits from the password - say, digits 2,4,7 and 9. The next time you login it will likely be another four random digits from your password.

So I just memorize one password but even if you watch me login, you won't be able to repeat it.

I know these things aren't foolproof but they seem an improvement from the whole copy/paste from a thumbdrive.
posted by vacapinta at 4:44 AM on February 14, 2012


vacapinta: I should add my current bank uses something similar and possibly better. They force me to have a long password and then, when you login, they ask you only for four random digits from the password - say, digits 2,4,7 and 9. The next time you login it will likely be another four random digits from your password.

So I just memorize one password but even if you watch me login, you won't be able to repeat it.


Well, unless I can see which digits you're prompted for, and watch a few logins to catch 'em all...
posted by Dysk at 5:05 AM on February 14, 2012


Couldn't you just put it in a tin, so it is inaccessible until you need it, then instantly available?

Faraday cages don't work properly unless they're grounded, and people who think security is easy are wrong.
posted by mhoye at 5:20 AM on February 14, 2012 [1 favorite]


I should add my current bank uses something similar and possibly better. They force me to have a long password and then, when you login, they ask you only for four random digits from the password - say, digits 2,4,7 and 9. The next time you login it will likely be another four random digits from your password.

Which basically means that you don't have a long password, you have a whole bunch of one-character passwords. Or worse yet, they're storing your long password unhashed. Both of these make it much, much easier for someone who compromises their password database to get a full unencrypted password dump. Weak.
posted by deadmessenger at 5:31 AM on February 14, 2012 [1 favorite]


The company I work for uses RSA key fobs. Sure they can be stolen, but then you know. And if you don't have the key fob, you can't get past the first line of defense. Doesn't help with MITM or Trojans, but it does prevent a password being stolen meaning a completely compromised network. I think more electronic one time pads should be used and should honestly be standard.
posted by Hactar at 5:32 AM on February 14, 2012


The company I work for uses RSA key fobs.

Unless they've been replaced in the last 8 months, they're compromised as well.

Lockheed found this out the hard way.
posted by deadmessenger at 5:38 AM on February 14, 2012 [6 favorites]


Both of these make it much, much easier for someone who compromises their password database to get a full unencrypted password dump. Weak.

I guess so. I forgot to mention that that is the second password I have to enter. I can also only make one mistake otherwise the system locks me out.

My bank is a pain in the ass.
posted by vacapinta at 5:41 AM on February 14, 2012


After finding out that 123456 was one of the most common passwords, I changed all of my accounts to 654321. Take that, hackers!
posted by dances_with_sneetches at 5:45 AM on February 14, 2012 [1 favorite]


A few years ago I attended a conference on security and university research projects. One of the speakers showed a short video taken by a guy who had traveled to China. He had a feeling that he was being spied upon and set up his webcam on his laptop to record the room while he was out.

Within 5 minutes of him leaving the hotel a horde of "hotel staff" appeared in his room and began going through literally everything. His clothes, his personal effects, the bed, under the bed, you name it. At one point it became clear that there were multiple agencies involved when one of the searchers asked an associate who one of the other searchers was. They also played around with the laptop but did not realize the webcam was on. They were remarkably efficient and were out in just a few minutes.

The speaker told us you can expect this whenever you travel to China and to consider alternatives to taking a laptop with you. Unfortunately, they wouldn't give us a copy of the video to take back (it was a government agency, naturally).
posted by tommasz at 5:51 AM on February 14, 2012 [8 favorites]


Both of these make it much, much easier for someone who compromises their password database to get a full unencrypted password dump.

The smart way to do it would be to generate a dozen combinations or so from the original plaintext and only store those hashes. It limits the number of combinations of random digits but would be much more secure. OTOH, I would be worried this would expose some attack vector on the hashed values, since you could know that hash X and Y both start with the same digit for instance.
posted by smackfu at 5:56 AM on February 14, 2012 [1 favorite]


@nickrussell: I have no worries about leaving the laptop there.

How do you enter the passphrase for your truecrypt volumes?
posted by devnull at 6:19 AM on February 14, 2012 [2 favorites]


Chinese Hackers Suspected In Long-Term Nortel Breach

posted by These Premises Are Alarmed at 6:21 AM on February 14, 2012


And they called me a fool when I brought my Amiga.
posted by modernserf at 6:37 AM on February 14, 2012 [10 favorites]


You can't secure a machine you don't control. It's for the same reason that manufacturers can't keep their devices locked down: At some point, the device needs to behave as advertised. To do this, it will have to do normal computer stuff. This is the same stuff that you want to prevent consumers from doing when you don't want them to do it, but the machine's got no concept of what you want.

You can make it expensive and inconvenient for the user to pass whatever tests you use in the particular contexts you want them passed. But that's the same device that your developers did their work on, and the machine doesn't have some kind of aura-reader to tell that the person hacking it is a developer.

Two-factor authentication is great. It requires the attacker to compromise both phone and computer, in order to skim both the passwords. (Or piece-o-paper and computer, in the case of one-time passwords). If you can reasonably assume they can't do that, you're safe. But when you're in China and you have to go through customs, no, that's not a reasonable assumption.
posted by LogicalDash at 6:46 AM on February 14, 2012 [1 favorite]


Clearly you need to phase shift your workstation into a parallel reality so that the ascended ancients cannot snoop on your work.
posted by Chekhovian at 7:03 AM on February 14, 2012 [1 favorite]


Man, this is interesting. I just finished reading Kevin Mitnick's memoir from last year, Ghost In The Wires, describing how, by the mid-nineties, he had hacked the DMV, the SSA, the phone companies, and a dozen software companies, and was working on monitoring the FBI investigation of him remotely as he traveled from state to state using assumed identities and ESN-switching on his phone so he couldn't be tapped. Obviously today that wouldn't be enough to keep your phone from being tapped, but I've been wondering how much would be the same; he says a couple times in the book that things can't be all that different, considering how lax people are with security when they think nobody's likely to be looking.
posted by koeselitz at 7:05 AM on February 14, 2012 [2 favorites]


This reminds me of the last password security thread in which I joked that my Metafilter password is the same as my username, and then the next time I tried to log into the site I was locked out.
posted by shakespeherian at 7:12 AM on February 14, 2012 [7 favorites]


Denial-of-service by abuse of password lockout mechanism. Can be very effective if the system isn't designed to prevent it, for instance Google throwing up a CAPTCHA after a few bad tries.
posted by smackfu at 7:25 AM on February 14, 2012


The obvious choice for dealing with key loggers is to type in a completely obscure language and then provide the key to the receiving parties after you've returned.

ph'nglui mglw'nafh quarterly results analysis wgah'nagl fhtagn
posted by FatherDagon at 7:36 AM on February 14, 2012 [1 favorite]


@devnull I expect a well-configured Little Snitch to alert of any non-authorised outbound traffic
posted by nickrussell at 7:57 AM on February 14, 2012


72 comments in and no reference to Van Eck Phreaking and/or Cryptonomicon and/or programming on your PC via morse code tapped out on the space bar?

You people are slipping.

Also, what's morse code for "@"?
posted by etc. at 8:03 AM on February 14, 2012 [2 favorites]


If dollars are traveling one way and less yuan are going the other then the US is poorer as a result.
If the dollars ever come back, then the time-integrated trade deficit afterward is zero.

If the dollars never come back, then someone just sent us free stuff we wanted in exchange for paper and ink. The people who get the free stuff in such a transaction are not best described as "poorer".
posted by roystgnr at 8:21 AM on February 14, 2012 [1 favorite]


Fiat currency isn't "paper and ink", it's a promise to perform and/or deliver, and only worth anything if your country's reputation is to follow through on those promises. The thing is, if you stop following through to lock in that "free" value of your "free stuff", then people stop taking your promise and you can't get any more stuff at all. Currency exchange rates are pretty much based on the relative value of the promise.
posted by seanmpuckett at 8:46 AM on February 14, 2012 [1 favorite]



This reminds me of the last password security thread in which I joked that my Metafilter password is the same as my username, and then the next time I tried to log into the site I was locked out.

Metafilter has a feature whereby if you type your password in, it will display for you, but be asterisked out for everyone else.

So, my password is **********. Try it, it's an amazing security feature.
posted by Pogo_Fuzzybutt at 8:46 AM on February 14, 2012 [5 favorites]


Let me give it a shot-- ilustforpogo_fuzzybutt
posted by shakespeherian at 8:47 AM on February 14, 2012 [9 favorites]


MOTHERFUCK
posted by shakespeherian at 8:48 AM on February 14, 2012 [9 favorites]


Mandatory backdoors are a bad idea, in any form, because once the backdoor is in place, there is no guarantee that only the people you approve will use it. This applies to laws as well as devices. I have long thought that National Security Letters, with their gag orders were probably a bonanza to foreign intelligence agents: all they had to do is pose as FBI agents with a phony gag letter and collect information they wanted.
posted by fings at 8:49 AM on February 14, 2012 [1 favorite]


> that is the second password I have to enter. I can also only make one mistake otherwise the system locks me out.

Then what happens? How secure is the lockout recovery procedure? My bank has no branches in my state, so requiring physical presence to undo a lockout isn't practical.
posted by morganw at 8:54 AM on February 14, 2012


Then what happens? How secure is the lockout recovery procedure? My bank has no branches in my state, so requiring physical presence to undo a lockout isn't practical.

Phone call required in which they ask you for much more information before unlocking your account. My bank is an offshore bank so physical presence doesn't work either.

Also, there is only a limited amount of stuff I can do once I'm in my account. I can't transfer large sums out for example without using yet another physical encryption device.
posted by vacapinta at 9:04 AM on February 14, 2012


"Jesus Christ. What did you call it?"
"Kuang Grade Mark Eleven."
"It's Chinese?"
"Yes."
"Off." Case fastened the virus cassette to the side of the Hosaka with
a length of silver tape, remembering Molly's story of her day in
Macao. Armitage had crossed the border into Zhongshan. "On," he said,
changing his mind. "Question. Who owns Bockris, the people in Frankfurt?"
"Delay for interorbital transmission," said the Hosaka.
"Code it. Standard commerical code."
"Done."
He drummed his hands on the Ono-Sendai.
"Reinhold Scientific A.G., Berne."
"Do it again. Who owns Reinhold?"
It took three more jumps up the ladder before he reached
Tessier-Ashpool.
"Dixie," he said, jacking in, "what do you know about Chinese virus
programs?"
"Not a whole hell of a lot."

posted by thewalrus at 9:30 AM on February 14, 2012 [4 favorites]


Kaplan's opinion said that the eavesdropping technique "functioned whether the phone was powered on or off." Some handsets can't be fully powered down without removing the battery; for instance, some Nokia models will wake up when turned off if an alarm is set.

This reeks like bullshit and fear mongering. If your cellphone is "off", it is not sending or receiving anything through the antenna. If they did, you'd be damn sure they wouldn't be allowed anywhere near an airplane.

And I find it unlikely even when the phone is powered on. Any time your phone is transmitting audio, it will generate the telltale interference sound every time you go near a loudspeaker, so it would be pretty obvious something strange was going on.
posted by ymgve at 10:04 AM on February 14, 2012 [1 favorite]


Scientist: I'm curious why these sorts of precautions seem particularly directed at China and Russia. I sort of assumed that pretty much every developed country was playing these sorts of games at all times. Is that not so?

Maybe for diplomats, but not at the same scale of state-sanctioned industrial espionage.
posted by qxntpqbbbqxl at 10:05 AM on February 14, 2012


.... it will generate the telltale interference sound every time you go near a loudspeaker....

Oh great, I thought I was paranoid before. My phone does this all day every day.
posted by dabitch at 10:18 AM on February 14, 2012


thewalrus - well that took longer than I expected...
posted by Artw at 10:19 AM on February 14, 2012


it will generate the telltale interference sound every time you go near a loudspeaker
Why is this? I would think you only get interference between a microphone and a loudspeaker being driven by that microphone in real time.

dabitch seems to know what you were talking about, maybe I am just confused.
posted by fantabulous timewaster at 10:33 AM on February 14, 2012


Electromagnetic interference, not audio feedback.
posted by Artw at 10:35 AM on February 14, 2012


The speaker buzzing/clicking when your phone transmits is a GSM band thing; not all phones do it as GSM isn't the only band out there, and not even do GSM phones do it all the time: it's transmit power related. If you're right near a tower you may never hear it at all as your phone can just whisper to the tower instead of shout.
posted by seanmpuckett at 10:42 AM on February 14, 2012


If your cellphone is "off", it is not sending or receiving anything through the antenna.

You don't know that at all. You have no way of knowing that. When your cellphone is off, all that means is the screen's off. You have no way of knowing what's still going on inside the plastic box. Some phones reportedly don't even disable their antennas in airplane mode, they just disable GSM handshaking (the source of the tick sound you mention) and can still record.

And I find it unlikely even when the phone is powered on.

Whether or not you find it unlikely is irrelevant; there are documented instances of this actually happening.
posted by mhoye at 10:50 AM on February 14, 2012 [3 favorites]


For everyone saying "just turn off your phone!", I say this: There are numerous exhaustively documented technical reasons why cellphones are not allowed inside a SCIF. Please believe me when I say that a great many very intelligent people who work full-time in the field of RF circuit design, embedded systems and wireless telecom have put a lot of thought into this.
posted by thewalrus at 10:54 AM on February 14, 2012 [4 favorites]


Man, this is interesting. I just finished reading Kevin Mitnick's memoir from last year, Ghost In The Wires, describing how, by the mid-nineties, he had hacked the DMV, the SSA, the phone companies, and a dozen software companies, and was working on monitoring the FBI investigation of him remotely as he traveled from state to state using assumed identities and ESN-switching on his phone so he couldn't be tapped. Obviously today that wouldn't be enough to keep your phone from being tapped
Actually, it would probably be much easier to get away with that today. Back then, hardly anyone used cellular data connections, so rather then looking for Kevin Mitnick, all they had to do was look for someone using a data connection. Nowadays, everyone uses data connections, so hiding among the users out there would probably be much, much easier.

On the other hand, there would be so many other ways to track someone. Back then, if you couldn't get a picture on America's most wanted no one would care, but today you could use social media to track down someone like Mitnick. Just turn it into an "ARG" or something to find him.

The other irony though, One of the big, supposedly 'expensive' hacks Mitnick was charged with stealing the source code to Solaris. Today, Solaris is open source. I'm sure he could get convicted of fraud, whatever as well.
72 comments in and no reference to Van Eck Phreaking and/or Cryptonomicon and/or programming on your PC via morse code tapped out on the space bar?
If you think about it, he had absolutely no need to actually use the morse code thing. hover spoilers
This reeks like bullshit and fear mongering. If your cellphone is "off", it is not sending or receiving anything through the antenna. If they did, you'd be damn sure they wouldn't be allowed anywhere near an airplane.
Cell phones don't actually pose any risk to airplanes. It's all bullshit and most airlines and passengers actually like not listening to everyone else's business, so there isn't much pressure to change the rules. Having the FBI spy on people wouldn't be a big enough risk to prevent it. The FBI spying on people would never bring down an airplane.

Also, it sounds like they installed hardware bugs in these phones anyway.
posted by delmoi at 11:12 AM on February 14, 2012 [2 favorites]


The last RyanAir flight I was on, they let us use our cell phones. In the air. To call people. I didn't, presuming it was expensive, but it seems like that ban was only ever so much paranoia. Just sayin'.
posted by Dysk at 11:27 AM on February 14, 2012


IAmBroom: Your technique would block automated cracking but would give more than enough clues to a real hacker to easily break your password. Reducing the search space from nearly infinite to merely millions is pretty much a total security failure.

chairface: So, you're saying that if one feels one must use a public terminal, there's no point in doing anything to avoid keyloggers?

This is the eternal geek-security mindset problem. Yes, you can figure out a way that a determined foe could sneak past my defenses. However, that doesn't make them useless.
posted by IAmBroom at 11:56 AM on February 14, 2012


When doing computer security, I am reminded of the story of the campers whose camp was invaded by the bear. It is not usually necessary to run faster than the bear, just faster than the other campers.
posted by nTeleKy at 12:09 PM on February 14, 2012


don't even consider charging your phone at an airport

Eventually people need to ask themselves: why are they called smart phones?

$100 a month to go through all this bullshit? Begs for something ... smarter.
posted by Twang at 12:20 PM on February 14, 2012


@rh don't even consider charging your phone at an airport.

Funny stuff. I especially like the line: "Others said they planned to wipe their phones after leaving the hacker conference anyway." Just how do these people wipe their phones so that they KNOW they're clean? What software are they using to check the phone to be sure that it's wiped? What if the phone has to be jailbroken just to use that software?

WHAT a freaking MINEFIELD people
posted by Twang at 12:38 PM on February 14, 2012


Metafilter: be on your own when it bites you in the ass.
posted by herbplarfegan at 12:52 PM on February 14, 2012


Faraday cages don't work properly unless they're grounded

[citation needed]
posted by Twang at 1:09 PM on February 14, 2012 [2 favorites]


Chinese Hackers Suspected In Long-Term Nortel Breach
Using seven passwords stolen from top Nortel executives, including the chief executive, the hackers—who appeared to be working in China—penetrated Nortel's computers at least as far back as 2000 and over the years downloaded technical papers, research-and-development reports, business plans, employee emails and other documents, according to Brian Shields, a former 19-year Nortel veteran who led an internal investigation.

posted by Joe in Australia at 1:36 PM on February 14, 2012


More from the author of the main link: How Much Have Foreign Hackers Stolen?
posted by homunculus at 2:02 PM on February 14, 2012


Unfortunately, vacapinta, one of my agents stole the physical password list from you while you were going through a security checkpoint.

this is a reasonable point as far as keeping the agents out of the account, but it still reveals the attack to the holder of the account: by using one of those one-time passwords you cause it to expire, which the account holder will presumably notice when they try to log in with it. So this strategy might be useful when you can tolerate short term access to the account but want to ensure that the attackers cannot continue to access your account indefinitely.
posted by Mars Saxman at 2:05 PM on February 14, 2012 [1 favorite]


This is the eternal geek-security mindset problem. Yes, you can figure out a way that a determined foe could sneak past my defenses. However, that doesn't make them useless.

I was thinking about this from a combinatorics standpoint, and this I why I think chairface is correct and people should not expect your approach to improve security very much:

The number of random strings of length N from alphabet of size A is AN. That's at least how many tests there are when doing a brute-force crack of random strings. You may have to test random strings of lengths {1..N} before you even know what N is, so you're really summing Ak, for k = 1..N.

The upper bound of subsequences in a known string of length N is 2N. Use the binary combinations in a power set of cardinality N to "turn on" letters in the original string, in order to generate subsequences.

This will be an upper bound ("worst-case scenario") on the number of tests, because there can be multiple instances of the same subsequence that get counted twice (or more), if the same letter is used more than once in the string.

Unlike the random case, you know N ahead of time, because your keylogger gives you the salted password. So your search space is much smaller.

Assuming a 72-letter alphabet (52 characters + 10 digits + 10 shifted-digits), this plot shows how the number of operations for a string of given length rises between the two scenarios. (And, again, that's assuming you know N ahead of time for the random case.)

In any case, doing 2N operations is within the purview of modern desktop computers, unless N is large. And most passwords are not very long, even ones that are salted in the way you propose.

Worse still, the way you propose adding salt doesn't appear to add random characters, so there is potentially some redundancy to exploit there in a shrunken "salt-alphabet".
posted by Blazecock Pileon at 2:09 PM on February 14, 2012


When doing computer security, I am reminded of the story of the campers whose camp was invaded by the bear. It is not usually necessary to run faster than the bear, just faster than the other campers.

But in the case of computer security, instead of one bear you may be pursued by an infinite number of monkeys.
posted by turbodog at 2:25 PM on February 14, 2012 [3 favorites]


Faraday cages don't work properly unless they're grounded

[citation needed]


Wikipedia. Any relevant textbook on the subject. Are people just getting lazy doing their own googling? I say yes, you say "citation needed".
posted by mhoye at 2:52 PM on February 14, 2012


Can someone create a two ended intermediary plug with no data pins to the phone, just power? Would that work as a charging prophylactic?
posted by BrotherCaine at 7:57 PM on February 14, 2012 [1 favorite]


mhoye: Wikipedia doesn't currently say that (except for the case of a purely static electric field, which isn't relevant here); even if it did, I'd trust my physics texts, my physics classes, Maxwell's equations, my electrical engineering texts, my electrical engineering classes, and general electrical engineering practice over Wikipedia on this subject. (I'm having deja vu; wasn't I involved in this very same argument here on metafilter just recently?)
posted by hattifattener at 9:46 PM on February 14, 2012 [1 favorite]


Dont charge phones at the airport? Even with my own charger?

It's funny how trusting people are, at conferences I'm usually spotted carrying every charger-wire known to man, and I charge my iPhone via my laptop. Still people - strangers to me - ask if they can charge their phones for "just one minute" and when I let them, I see all their images load in my iPhoto and am quite amused that they trust me like this. If I *wanted* to, I could just make backups of their phone.
posted by dabitch at 12:14 AM on February 15, 2012


hattifattener- if the cage isn't grounded, and a device is putting out energy inside the cage, where does the energy go? It has to go out or be absorbed and converted to heat.

An ungrounded faraday cage is basically a capacitor. If your cage is the right size and shape, it will just be a passive repeater for your cell phone. If it is the wrong size and shape, which is likely, it will muddle the signal enough that it becomes useless. But it is still probably going to be some kind of signal.
posted by gjc at 7:20 AM on February 15, 2012


I dont understand this stuff about grounding a Faraday cage. Anybody who has studied first-year Electromagnetism knows how a Faraday cage works. The interior EM wave causes current on the conducting cage. This current generates a field which exactly cancels any field inside the box. So, the field is zero.

I can possibly see why grounding it might help make it more safe by protecting you from high voltages but the ungrounded Faraday cage works just fine.
posted by vacapinta at 7:37 AM on February 15, 2012 [1 favorite]


Me: This is the eternal geek-security mindset problem. Yes, you can figure out a way that a determined foe could sneak past my defenses. However, that doesn't make them useless.

Blazecock Pileon gives a long and well-thought out mathematical answer to why my method still isn't good enough.

Here's why you're wrong:

I are an identity-thief, scooping up accounts from a public library/Ramada Inn/internet cafe with a keylogger. I get literally hundreds of site/username/password combos per day.

And a very few of them use the click-outside technique.

When I go to use the datasets I've collected, some don't automatically work. Do I:
(A) massage the data using complex algorithms to try 2^n possible variations on username/password combo #16314, or
(B) throw out the trash, and keep what works easily?

I do (B).

My method is secure in practicality, unless someone is specifically trying to hack you, Blazecock Pileon, or should I say, Mr. Bond?
posted by IAmBroom at 8:55 AM on February 15, 2012


"I are an identity-thief." Not an English teacher. Apparently.
posted by IAmBroom at 8:56 AM on February 15, 2012


There are almost surely key loggers that single out the password prompts, IAmBroom, well certainly your OS, browser, etc. all single them out by not displaying typed characters, probably simply drop xml tax around copypaste info, passworded info, etc. You could employ passwords with restricted permissions when using public terminals perhaps, employ a challenge response like phase, etc.
posted by jeffburdges at 9:13 AM on February 15, 2012


OK, jeffburdges, so: my method is not secure against all types of keyloggers. Still, as I said: if one must...
posted by IAmBroom at 9:22 AM on February 15, 2012


gjc : An ungrounded faraday cage is basically a capacitor.

Wrong. An ungrounded faraday cage is basically an amplifier with a massively negative gain. (Pretty sure attaching a capacitor to an antenna would shift its frequency response dramatically, too, but that's beside the point.)


If your cage is the right size and shape, it will just be a passive repeater for your cell phone. If it is the wrong size and shape, which is likely, it will muddle the signal enough that it becomes useless. But it is still probably going to be some kind of signal.

Again, wrong. Maxwell's Laws say that the flux through a surface is equal to the charge contained within that surface. The flux hitting a conductor produces a charge. If the surface is just within an conductor that absorbs the radiation and converts it into charge, said charge will not reradiate through the surface into the chargeless volume - the faraday cage interior.

Put another way: an ungrounded microwave won't burn the flesh off the guy standing in front of it. European AC current floats (neither prong is tied to ground), yet cutting the grounding plug off won't turn a microwave into a hyper-lethal weapon.
posted by IAmBroom at 9:32 AM on February 15, 2012 [1 favorite]


delmoi: "Cell phones don't actually pose any risk to airplanes."

I've always figured that the 'turn all electrical devices off' thing was just another way to keep passengers under control so they don't cause drama in flight. It's obvious to even the most casual observer that pretty much every flight probably has at least one device inadvertently left on and transmitting whatever signal so, if there was any real risk, planes would be dropping out of the sky every day. I fly regularly and it was only after a couple of dozen flights that I realised I was leaving my iPad frantically transmitting 3G (at the least, searching for a signal) in my backpack in the overhead locker. I don't recall any of those flights being anything other than routinely boring. Obviously, I haven't died in a plane crash and just not realised, because I would be in hell and that would mean MeFi wouldn't be here ;-)

I make no claim to be an expert of any sort, but I think that the main difference between China and other countries is that China doesn't deny that they spy on everyone. Thinking that you are safe from scrutiny no matter where you are is optimistic to say the least.
posted by dg at 1:58 PM on February 15, 2012 [1 favorite]


Blazecock Pileon gives a long and well-thought out mathematical answer to why my method still isn't good enough.

Here's why you're wrong:


Actually, thinking about it some more, your situation can be worse than I calculated — or, alternatively, the cracker will have an easier time — if you type a salted password twice or more on the same machine with the same keylogger.

As an example, if you first type: "129nfaiahrjsibb5nidiff3ks" and then logout and log back in with the password "2ibbfffoo3ks", then the characters that are not common can be discarded when looking for a common subsequence. Further, if you keep logging out and logging back in, the more passwords I log, the more common characters I can pull out. This reduces the search space of subsequences even further.

I would not use your technique. Partly because I'm lazy, but mainly because I just don't see numerically how it adds much security.
posted by Blazecock Pileon at 2:28 PM on February 15, 2012


Anyone here ever worked anywhere that disables ssh public key logins? Imho, ssh should remove the option for disabling public key logins, and include sshpass by default, anyone dumb enough to disable ssh's additional security deserves their users embedding passwords in expect scripts.
posted by jeffburdges at 5:41 PM on February 15, 2012


hattifattener- if the cage isn't grounded, and a device is putting out energy inside the cage, where does the energy go? It has to go out or be absorbed and converted to heat.

If it's an ideal Faraday cage, it's reflected back into the interior of the box. In a real-world Faraday cage, it's mostly reflected and some portion of it goes to heat via resistive losses in the material the cage is made of. What happens next depends on what's putting out the energy and how it behaves when it gets a lot of reflected energy. If the SWR gets high enough, something will break down.

Anyone here ever worked anywhere that disables ssh public key logins?

WTF?
posted by hattifattener at 8:44 PM on February 15, 2012


Anyone here ever worked anywhere that disables ssh public key logins?

Yes, I have. Password only. They wanted to reduce the likelihood of automated login. Yes, it was technically possible to do it anyway, but it was also technically possible to do other things like filling up a disk or deleting group-writable files and people managed to not do that either.
posted by grouse at 9:02 PM on February 15, 2012


The speaker buzzing/clicking when your phone transmits is a GSM band thing
So poorly-shielded loudspeakers are also low-quality GSM receivers? Interesting. Thanks.
posted by fantabulous timewaster at 6:25 AM on February 16, 2012


More generally, fantabulous timewaster, poorly-shielded things with wires of any sort are also low-quality GSM receivers. But only loudspeakers amplify the minute amounts of radio noise they receive and rebroadcast them as audible sounds.
posted by IAmBroom at 9:50 AM on February 16, 2012 [1 favorite]


Nortel collapse linked to Chinese hackers
posted by mek at 2:58 PM on February 16, 2012 [2 favorites]


UK Plans More Spying On Internet Users Under 'Terrorism' Pretext
posted by jeffburdges at 10:53 AM on February 19, 2012


UK Government To Demand Data On Every Call And Email
posted by jeffburdges at 8:46 AM on February 20, 2012


« Older In Praise of Older Women was condemned by some as ...  |  Nevermore?... Newer »


This thread has been archived and is closed to new comments