On 07/30/2012 08:09 AM, Matt Mackall wrote:
> About the only way to mitigate this is software full-device encryption.

Ha, well, now that this has been stated for the 100th time, can we stop being theoretical and overall technical, and start getting practical?

The issue is that full-disk/device encryption on most consumer smartphones, if it is available at all, is a) not on by default and b) often does not work so well.

To me, this means a few things:

1) Training organizations must ensure that "How to activate full device encryption" is a standard topic in the coming years (as the majority of smartphones move to OSes like Android 4.x)

2) Training orgs must ensure that "How to smash a smartphone into a thousand pieces using a heavy lamp and flush it down the toilet" (true story, btw!) is taught as standard curriculum

3) App developers today who are building mobile software targeted to high risk situations need to better ensure their data is always encrypted by default, using something like GnuPG, SQLCipher or IOCipher, or even just basic symmetric encryption of fields and files

4) App/Service developers must be careful about what data they store, persist, sync, send into the default apps or storage on a smartphone (i.e. SMS-based services, Photo Galleries, data collection apps using SDCard, etc), as this is the most vulnerable to logical/physical extraction

BTW, there was a great talk at #HOPE9 by Cooper from Radical Designs, on this very topic, among others. You can find the slides and video links here:

https://guardianproject.info/2012/07/19/from-hope9-your-cell-phone-is-covered-in-spiders-practical-android-security/

+n
