On 22/08/17 10:22, Jape Person wrote:
> Hence, why I suspect that they are vulnerable. I bought these things
> because my wife trips over her cables 3 or 4 times a day, and wireless
> ones are just easier to deal with from a workstation logistics standpoint.

Wireless things do not solve the problem of having to cope with wires.
They just replace this with the bigger problem of unauditable firmware
directly exposed to the attacker (via radio or sometimes infrared
communication).

My suggestion is to instead address cabling directly. If your wife trips
because cables are on the floor, then use some wire to coil the excess
length so that it does not hang. If your cables have to go through a
walkway, then pass them through the bottom of the ceiling, so that the
floor will be clear and thus avoid the “tripping hazard”. Use a cable
extension if required. You may need to go to a hardware store to buy a
cable tray or a wall-mountable cable clamp.

> I'll look into getting the test suite from Bastille to see if I can
> figure out how to do some testing on these things to see if they look
> vulnerable. Do you really think that this is unauditable? Bastille
> claims to have produced Open Source tools for doing just that.

If the device firmware is secret, then it is unauditable. Of course,
this applies to wired keyboards too. The problem is that wireless
keyboards are exposed to possible attackers, while wired keyboards are not.

I have not heard about Bastille. Apparently they sell a vulnerability
scanner for wireless devices. I can easily be wrong here because I just
took a quick glance at “https://www.bastille.net/product/introduction/”.

By doing vulnerability scanning, one can only test the device for a
limited set of *known* vulnerabilities (the test suite must know what to
look for). I would not trust any wireless device just because a
vulnerability scanning found nothing on it. Without seeing the firmware
source code, one can not tell if it has vulnerabilities previously unknown.

> Maybe I'll just use the wireless keyboards and mice to control TVs.

Ugh? I did not know that TVs that have any use for keyboard and mice
input existed. I guess it's just yet another class of devices with
“walled-garden type” proprietary software providing an uncountable
number of fancy but completely useless bells and whistles.

What is next? A toaster that makes a Twitter post when the toasts are ready?

>> That is why opaque cryptographic systems can not be trusted. This is
>> covered in any practical cryptography book.
> 
> Practical cryptography -- isn't that an oxymoron, for most users at
> least? [...]

I was referring to *books* that address the issues related to
*deploying* cryptographic systems as opposed to theoretical issues or
cryptanalysis (for example, the mathematics of elliptic curve
cryptography, hash constructions “probably secure” based on the random
oracle model, and other details that are not relevant to the end users).
The question of whether cryptography can be practical is a very
different matter.

I believe that cryptography is already practical. For example,
encrypting e-mail with Enigmail and Thunderbird is very easy. Many
distributions have graphical installers (lay users are allergic to
ncurses-type interfaces) with which an encrypted volume can be set up
easily. Many web sites use TLS transparently to the user, et cetera.

> In a day when people post their most personal experiences and thoughts
> on Facebook or Twitter for everyone to read [...]

But about the huge amorphous mass of typical Facebook users, those are a
lost case. The fact that they couldn't be made to properly secure their
information –even if their despicable lives depended on it– is not a
fault of the cryptography systems. It is a fault of their indolence and
incompetence. Related:
<https://web.archive.org/web/20140329180453/http://eatliver.com/i.php?n=4043>.

Personally I do not care about “privacy” in the normal sense, because I
do not care about the opinion of people about myself (however, I do care
about *arguments* that I am doing something wrong). However, I care about
encryption because I do not want to leave through the Internet personal
information that maybe can be used *against* me.

Regards.

-- 
Do not eat animals, respect them as you respect people.
https://duckduckgo.com/?q=how+to+(become+OR+eat)+vegan
