> He connects to the Internet only through an encrypted, password-protected channel, and copies and pastes his password from a USB thumb drive. He never types in a password directly, because, he said, “the Chinese are very good at installing key-logging software on your laptop.”
Apparently he didn't realize that it's also trivial for snooping software to monitor the clipboard content.
Not to mention access everything on the external drive. Relying on one-factor authentication when the system may be (well, is) in the hands of the enemy is just asking for trouble.
Use a token or smartcard in addition to your password.
I wouldn't rely on Google Authenticator to secure my logins from a "government national security" level attacker.
If they're capable of installing keyloggers at customs inspection, I suspect they're also capable of imaging my phone at the same time.
While I'm _reasonably_ confident the crypto in the app is probably done right, the truth is I've got barely 13 bits of entropy in my unlock code for Authenticator - and I could easily work out how to brute-force it given a realistic "government security agency" sized IT infrastructure. (Hell - even spinning up 10,000 EC2 instances for long enough to crank up the Android simulator and try all possible 4 digit "PINs" one at a time would probably only cost "nice dinner out" kind of money…)
It surprises me how many security precautions taken sound more like superstition to me than an educated understanding of protecting your data.
Cut and paste instead of typing -- really? We all know the clipboard is equally insecure. This is logic that seems to come from a child-like understanding of how computers work.
Why don't more organizations have their own secure token system? Then add a layer of secondary authentication over access to any sensitive data? Security is more about creating reasonable inefficiencies that ensure the right people are accessing information than it is about protecting your passwords from key loggers.
Copy/paste protects from purely physical key loggers; they can be hard to detect by visual inspection if you do it right, and they won't go away even if you wipe the laptop. You would have to do something more complicated to capture clipboard data in a purely physical manner.
But he says software keyloggers, so that's pretty moot.
It's not just the Chinese that people are worried about. Travelers also wipe their cell phones and laptops to avoid giving up sensitive data to the customs inspectors at the U.S. borders.
Very true. I would bet that oftentimes a government such as the US will take precautions against the very same technological espionage that they themselves are performing, as they will figure if they built something and are using it, so is somebody else (China).
Weren't most of the laptops being discussed originally manufactured in China?
It seems strange to consider the devices to be contaminated if privately inspected by Chinese officials, when there were plenty of previous opportunities to root them at the factory.
There's a big difference between your negotiating counterpart quietly alerting Customs to do a special job when you pass through tomorrow, and rooting every laptop your country makes and sells to everyone in the world.
The better attack vector here is to champion an encryption technology that you a) have a backdoor to or b) have the computing resources to crack within a reasonable time, or c) both a) and b). :-)
“The Chinese are very good at covering their tracks,” said Scott Aken, a former F.B.I. agent who specialized in counterintelligence and computer intrusion. “In most cases, companies don’t realize they’ve been burned until years later when a foreign competitor puts out their very same product — only they’re making it 30 percent cheaper.”
Isn't cheaper stuff better for consumers in the long run? Besides, how do companies know that their foreign competitors didn't legitimately reverse engineer and/or independently reinvent the product in question, especially if the product comes out years later?