[clug] Offline snooping
Scott Ferguson
scott.ferguson.clug at gmail.com
Thu Feb 6 01:05:03 MST 2014
On 06/02/14 17:33, Bob Edwards wrote:
> On 06/02/14 17:18, Scott Ferguson wrote:
>> Re-sending to the list
>>
>> On 06/02/14 16:03, Bryan Kilgallin wrote:
>>> Thanks, Scott:
>>>
<snipped>
>
> Where do you start from if you want a truly trusted computing platform?
An interesting question Bob, that made me re-consider a few issues-
putting aside the reality of OpSec being part an integral, but often
ignored (except when it comes to apportioning blame) of System
Security[*1] - an *abacus*. Seriously.
AFAIK it's the only working, perfect integrity shell, on verifiably
trustable hardware. Of course it won't do Fffacebook... :)
> What would you need to have in order to stand up in court and testify
> that you know beyond a reasonable doubt that your computing platform
> is completely trustworthy?
After more consideration on that question (and I stand by my original
answer). Based on my experience the court often wrongly concedes that
"expert opinion" given by "computer professionals" meets the standards
of scientific evidence. So add "convincing presentation skills" to the
requirements.
>
> Cheers,
>
> Bob Edwards.
>
[*1] security being an end-to-end problem, *if* the "secure" computer is
in a perfectly secure environment and never connected to a network, the
biggest problem is the meatbag sitting at both ends. What people seem to
want is a "simple solution" that's "usable". Firstly simple is a synonym
for dumb, and secondly "usable" generally means "not do-able" without
compromising security (too many eggs in one basket being common).
Unrealistic expectations are the predictable accompaniment of magic
boxes - and serious risk management would ban most of the activities the
average "user" wants a "secure" system for.
More information about the linux
mailing list