On 22/08/17 10:22, Jape Person wrote:
> Hence, why I suspect that they are vulnerable. I bought these
> things because my wife trips over her cables 3 or 4 times a day,
> and wireless ones are just easier to deal with from a workstation
> logistics standpoint.
Wireless things do not solve the problem of having to cope with
wires. They just replace this with the bigger problem of unauditable
firmware directly exposed to the attacker (via radio or sometimes
infrared communication).
My suggestion is to instead address cabling directly. If your wife
trips because cables are on the floor, then use some wire to coil the
excess length so that it does not hang. If your cables have to go
through a walkway, then pass them through the bottom of the ceiling,
so that the floor will be clear and thus avoid the “tripping hazard”.
Use a cable extension if required. You may need to go to a hardware
store to buy a cable tray or a wall-mountable cable clamp.
> I'll look into getting the test suite from Bastille to see if I
> can figure out how to do some testing on these things to see if
> they look vulnerable. Do you really think that this is unauditable?
> Bastille claims to have produced Open Source tools for doing just
> that.
If the device firmware is secret, then it is unauditable. Of
course, this applies to wired keyboards too. The problem is that
wireless keyboards are exposed to possible attackers, while wired
keyboards are not.
I have not heard about Bastille. Apparently they sell a
vulnerability scanner for wireless devices. I can easily be wrong
here because I just took a quick glance at
“https://www.bastille.net/product/introduction/”.
By using a vulnerability scanner, one can only test the device for a
limited set of *known* vulnerabilities (the test suite must know what
to look for). I would not trust any wireless device just because a
vulnerability scan found nothing on it. Without seeing the
firmware source code, one cannot tell if it has vulnerabilities
previously unknown.
That is why opaque cryptographic systems cannot be trusted. This
is covered in any practical cryptography book.
> Practical cryptography -- isn't that an oxymoron, for most users
> at least? [...]
I was referring to *books* that address the issues related to
*deploying* cryptographic systems as opposed to theoretical issues
or cryptanalysis (for example, the mathematics of elliptic curve
cryptography, hash constructions “probably secure” based on the
random oracle model, and other details that are not relevant to the
end users). The question of whether cryptography can be practical is
a very different matter.
I believe that cryptography is already practical. For example,
encrypting e-mail with Enigmail and Thunderbird is very easy. Many
distributions have graphical installers (lay users are allergic to
ncurses-type interfaces) with which an encrypted volume can be set
up easily. Many web sites use TLS transparently to the user, et
cetera.
> In a day when people post their most personal experiences and
> thoughts on Facebook or Twitter for everyone to read [...]
But about the huge amorphous mass of typical Facebook users, those
are a lost case. The fact that they couldn't be made to properly
secure their information –even if their despicable lives depended on
it– is not a fault of the cryptography systems. It is a fault of
their indolence and incompetence. Related:
<https://web.archive.org/web/20140329180453/http://eatliver.com/i.php?n=4043>.
Personally I do not care about “privacy” in the normal sense,
because I do not care about the opinion of people about myself
(however, I do care about *arguments* that I am doing something
wrong). However, I care about encryption because I do not want to
leave through the Internet personal information that may be
used *against* me.
Regards.