[Cryptography] Liberty Safe reveals that it has backdoor access to its physical safes and provides access to law enforcement.
efc at swisscows.email
Fri Sep 15 18:52:19 EDT 2023
On Fri, 15 Sep 2023, efc at swisscows.email wrote:
>> On Fri, 8 Sep 2023 15:23:46 -0700
>> Ray Dillinger <bear at sonic.net> wrote:
>>
>>> More commonly, in fact, I've seen new attack surfaces heavily
>>> advertised as "secure" and emphasized in a way that deliberately
>>> draws attention away from blatant, bizarre defects in existing attack
>>> surfaces,
>>
>> An example is two-factor authentication exposing a mobile phone to the
>> chain of attack surface to use Gmail, Twitter, Github, etc. They
>> advertise it as for your security. Yet it forces you to expose another,
>> previously unlinked device to attack. One single source target becomes
>> the gateway to all linked attack targets. If your online account gets
>> hacked then the attacker may learn your phone number. And if the phone
>> gets owned then every two-factor service and token on it for all such
>> services is then owned.
>>
>> Multiple attack zones are then amalgamated and linked to a single
>> source zone or device. This enables shifting all attack zones to one
>> source or, 'single source target attack' or 'amalgamated targets
>> attack.' Nation-state actors no doubt salivate over an infrastructure
>> that guarantees the organs of state a single source attack for all
>> disparate communications targets of each user.
>>
>> A password in my brain is generally safer than an app or SMS stream that
>> can be compromised. Although a passphrase may in some cases not be
>> computationally more secure than a token mechanism or two-factor system,
>> the simple passphrase is often _structurally_ more secure because that
>> passphrase only links to and exposes one service target.
>>
>> If the state organs get your phone they then would have access to all
>> linked accounts because of required two-factor authentication schemes
>> being amalgamated into a single authentication source. If SMS
>> verification was required the organs don't even need the phone. They
>> can tap the SMS gateway and spoof the account owner to intercept
>> malicious reset or login requests. This is an upstream single source
>> intercept.
>>
>> I'm tempted to rant about passkeys here for similar and more nuanced
>> reasons that delve into political machinations. But I'll resist for
>> now.
>>
>> I would advise to not store the family jewels in a safe unless the safe
>> itself is nearly impossible to locate. Ask some Appalachian hillbillies
>> about the historical versatility of a shine jar wrapped in rags and two
>> feet of dirt. Search warrants don't work in a hidden cave three miles
>> from the nearest road. Or if you have a sense of humor, ask how angels
>> hide golden plates and Dead Sea scrolls. I have yet to hear of the FBI
>> serving a search warrant on any angels.
>>
>>
>
Hello sybershock.com,
This is very interesting to me, because the trend over the last couple of years, in my opinion, has been ever more factors being added, be they
SMS, email, Google Authenticator, apps and so on.
Another trend in recent years is increasing consolidation into centralized, online password repositories like LastPass, which then
become very attractive targets.
Would you say that long, high-quality passwords _only_ are overall more secure?
And if not, what would be your choice when it comes to protecting an internet-connected server in today's day and age?
Best regards,
Daniel
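The "amalgamated targets" argument quoted above can be made concrete as a small threat model. The following is an added example, not code from the thread or from either poster: it models each account as reachable through one or more access paths (sets of assets an attacker must already hold, where captured accounts become assets in turn, e.g. a mail account that receives reset links) and computes the fixpoint of what one seized asset yields. The two layouts, the asset names (pw_gmail, phone, sms_gateway, ...) and the recovery paths are constructed assumptions chosen to mirror the quoted message, not a description of any real service's recovery flow.

```python
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# An account is reachable through any one of its access paths; each path is
# the set of assets (passwords, devices, channels, other accounts) that must
# already be held. Account names double as assets once captured.
AccessPaths = Dict[str, Tuple[FrozenSet[str], ...]]


def path(*assets: str) -> FrozenSet[str]:
    return frozenset(assets)


# Constructed layout (assumption): every service protected by its own
# passphrase and nothing else, with no recovery path, as the quoted
# message describes for a passphrase that "only links to one service target".
PASSWORD_ONLY: AccessPaths = {
    "gmail": (path("pw_gmail"),),
    "github": (path("pw_github"),),
    "twitter": (path("pw_twitter"),),
}

# Constructed layout (assumption): passphrase plus an authenticator app on
# the phone for login, SMS-based recovery on two services (received by the
# phone or intercepted at the SMS gateway), and e-mail-based recovery that
# chains through the mail account.
LINKED_2FA: AccessPaths = {
    "gmail": (path("pw_gmail", "phone"), path("phone"), path("sms_gateway")),
    "github": (path("pw_github", "phone"), path("gmail")),
    "twitter": (path("pw_twitter", "phone"), path("gmail"), path("sms_gateway")),
}


def blast_radius(paths: AccessPaths, seized: Iterable[str]) -> Set[str]:
    """Accounts an attacker reaches starting from `seized`, iterated to a fixpoint.

    Gaining an account may unlock further accounts (mail-based resets), so we
    keep sweeping until no access path becomes newly satisfiable.
    """
    held: Set[str] = set(seized)
    changed = True
    while changed:
        changed = False
        for account, alternatives in paths.items():
            if account not in held and any(req <= held for req in alternatives):
                held.add(account)
                changed = True
    return held - set(seized)


def worst_single_asset(paths: AccessPaths) -> Tuple[str, int]:
    """The non-account asset whose loss compromises the most accounts."""
    assets = {a for alts in paths.values() for req in alts for a in req} - set(paths)
    best = max(assets, key=lambda a: (len(blast_radius(paths, {a})), a))
    return best, len(blast_radius(paths, {best}))


if __name__ == "__main__":
    for name, layout in (("password-only", PASSWORD_ONLY), ("linked 2FA", LINKED_2FA)):
        for asset in ("pw_gmail", "phone", "sms_gateway"):
            print(f"{name:14} seize {asset:12} -> {sorted(blast_radius(layout, {asset}))}")
        print(f"{name:14} worst single asset: {worst_single_asset(layout)}")
```

In the password-only layout each seized passphrase yields exactly its one account and the phone yields nothing; in the linked layout seizing the phone, or tapping the SMS gateway without touching the phone, yields every account, because the SMS reset path bypasses the passphrase and the mail account then chains into the rest. Whether the second layout is actually worse in practice depends on which recovery paths a real service exposes, which is the part of the model you would have to verify per service.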