[Cryptography] Justice Dept. Revives Push to Mandate a Way to Unlock Phones

R0b0t1 r030t1 at gmail.com
Thu May 3 00:33:43 EDT 2018


On Sun, Mar 25, 2018 at 7:40 PM, Natanael <natanael.l at gmail.com> wrote:
>
> On Mon, Mar 26, 2018 at 01:12, Erik <erik at erikgranger.name> wrote:
>>
>> What are some possible technological responses that can be utilized to
>> protect against this sort of legislation? I'm curious what people here would
>> do if some legislation of this sort were written into law.
>
>
> The legal equivalent of the nuclear option is something like the clipper
> chip / access via TPMs or equivalent circuitry, demanding full access to
> observe everything that happens, perhaps remotely. Perhaps even banning
> non-approved hardware from accessing the phone network.
>
> That would mean devices would ship essentially irrevocably compromised. You
> would need to physically tamper with the CPU, probably breaking it, to
> remove it. You can't really achieve meaningful security otherwise.
>
> For anything less, where they only got access if they have physical access
> to your device: just only use apps with encrypted communication and storage.
> Use strong passwords. If they decrypt your device they still don't know the
> keys to for example your Signal database or your OpenKeychain keys.
>
> You could otherwise repurpose other clean hardware, like using an RPi (with
> the necessary accessories) as a phone. Much less fancy and usable, sure, but
> it would be the safest option.
>

This is already the case - all useful desktops contain general purpose
chips with bulk memory access for "remote management." All cellphones
ship with basebands that either suffer the same problems, or perhaps
can not knowably be off, or are not performant.

Broadcom devices are not necessarily clean. They require blobs and
have a closed boot process. Many others might still have silicon level
exploits. There is no safe device until one is made.


Should you care, Allwinner parts are worth consideration, though -
most let you run code in EL3 (supervisor).

Cheers,
     R0b0t1

