Hello trueriver,

Thanks for your post. No, you're not being overly cautious. Regarding your 
thoughts on whether there is much point securing the OS, I had the same 
kind of issues after my computer was hacked earlier this year. I realised, 
I couldn't just do a small fix here or there, as the issue of security was 
a bit like a water-carrying pipe with many punctured holes: patching just 
one or a few holes only meant that water came out of some other holes.

The result of my encountering of these issues, was the creation of a Wikibooks 
book on end-user computer security 
<https://en.wikibooks.org/wiki/End-user_Computer_Security>, particularly 
aimed at individuals without much resources (resources such as money)—feel 
free to add/edit its content, as it is a wiki.

On Wednesday, 25 November 2020 at 14:31:55 UTC trueriver wrote:

> ... 

In the days of CRT monitors one way the security of a computer system 
> could be compromised non-intrusively (ie without amending the 
> installed code) was by picking up the radio-frequency leakage ...
>
> Nowadays we do not have to worry about CRT monitors. But TVs are 
> increasingly delivered with their own internet connection, ...  

Clearly there is a computer inside which can be hacked, and if 
> so a remote shoulder surfing attack would be very possible. 
>
>
Getting back to your particular issues, smart TVs (and other 
internet-connected devices), are clearly a security concern, and I am not 
convinced that these issues are adequately dealt with for general 
consumers. Firmware doesn't generally seem to be sufficiently locked-down, 
meaning that middle-men attackers can possibly reprogram devices without 
leaving much evidence that leads personally back to them.
 

> Is the same true of monitors and of TVs that do not have an apparent 
> internet link? ... 
>
>
Regarding microprocessor/micro-controller VDUs without 
wireless-communications tech, they are probably safer. However, because you 
can now even get small WiFi SD cards <https://en.wikipedia.org/wiki/Eye-Fi>, 
even at what appears to be relatively inexpensive prices, I would perhaps 
be concerned over whether such VDUs might have undergone tampering so as to 
be able to steal your information through wireless means.

...if there much point securing the OS when the monitor might be an easier 
> target 
> for those out to (umm) monitor our reading and our keystrokes? 
>
>
There is a point in securing the OS in spite of the other security 
vulnerabilities you've highlighted, but only as part of a comprehensive 
security solution. It only takes the weakest link in the chain...
 

> ... I wonder if there is already some available mitigation? ...
>
>
In terms of available mitigation, the latest idea I've had (not yet 
properly included in the book), is to buy computer hardware with anonymity 
over Amazon (see some notes about it here 
<https://en.wikibooks.org/wiki/Talk:End-user_Computer_Security/Main_content/Broad_security_principles#Concerning_%C2%A7%E2%9F%AAUser_randomly_selecting_unit_from_off_physical_shelves%E2%9F%AB,_and_add_%C2%A7%E2%9F%AAAnonymity_based%E2%9F%AB?>).
 
You could also try using brands you trust more, or that are advertised as 
being more secure than normal. Also, you might think about going 
"barebones" in respect of the VDU: strip out the "bells and whistles" so as 
to reduce the attack surface.


Hope this helps,


Kind regards,


Mark Fernandes

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/31910182-8bc7-400c-bd63-b389e479feban%40googlegroups.com.

Reply via email to