anonymous coward:
> Nathan Freitas:
> > On 04/02/2014 07:01 PM, anonymous coward wrote:
> >> Many people use TOR or secure ways to chat on smartphones.
> >
> >> The last months have revealed how hard secret services attack our
> >> phones.
> >
> >> This leads me to the question, how secure are our smartphones at
> >> all?
> >
> > It comes down to what are you afraid of?
> >
>
> Thanks to all for replying.
>
> Well, I try not to get caught in the dragnet. Besides, I have no special
> threat model or fear.
>
> But, the situation could change quickly in certain situations without
> your intention.
>
> For example, I want to talk to political activists, I would like to
> discuss with them, no matter if I share their views or not. This could
> easily make you interesting for certain people. Sometimes just talking
> to certain people could make you suspicious.
>
> And this is my concern.

If you are concerned with protecting the social graph of who you are
communicating with, there is *maybe* exactly one communication system
that exists today that can protect this information from a dedicated
adversary with resources on the order of a drug cartel.

The system I'm referring to is a prototype written by a Google engineer
in their spare time: https://pond.imperialviolet.org/

It comes with this disclaimer:

"Dear God, please don't use Pond for anything real yet. I've hammered
out nearly 20K lines of code that have never been reviewed. Unless
you're looking to experiment you should go use something that actually
works."

Of course, even if Pond itself is secure (and it very well may be -
despite the disclaimer, Adam Langley is actually a very capable
cryptographic engineer), if you use it on a normal, non-hardened
computer, your social graph can still be obtained by compromising that
computer.

> Is a mobile device safe to use for "sensitive" discussions?
>
> In my view and recent events suggest you can become a target, although
> you are just a small number. Just talking to people could cause this.
>
> If I listen to the discussion in this thread, a mobile device is not
> adequate at all to protect your data in case of a targeted attack.

It is my opinion that there is little substantial difference between a
computer you get off the shelf today, and a WiFi-only mobile device you
get off the shelf today. Both have to be hardened in ways that are just
as involved as the blog post I wrote about hardening Android.

This is sadly currently out of the reach of most humans today, if they
are dealing with an adversary with resources significantly beyond their
own.

There is no "perfect", there is only "bad", and "better". Because of
this, every situation needs detailed analysis to understand the nature
of the information you are trying to protect, and the resources and
capabilities of the adversary you are trying to protect it from.

> I guess, the only safe way would be to use an offline device for storing
> data and a second device for online communication. And a third device
> may be necessary. There are devices, that connect with bluetooth to your
> smartphone and do all the encryption totally encapsulated in its own
> little box.
>
> I don't have any current need for such steps, but want to know what is
> the current state in security.

Unfortunately, the current state of security is that it sucks. In fact
dangerously so - to the point where I am not optimistic about our
ability to have functional computing devices at all in about 5-10 years'
time unless drastic changes are made:
https://blog.torproject.org/blog/deterministic-builds-part-one-cyberwar-and-global-compromise

--
Mike Perry
-- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk