CloudFlare pros pen paranoid phone plan for pwn-free peregrination

Travelling executives should use modern iPhones with burner SIMs, no PINs, and minimal apps, CloudFlare security boffin Filippo Valsorda says. Valsorda of the anti-distributed denial of service attack firm's London office says his 'paranoid' guide focuses on iOS because he considers it the most secure operating system …

  1. Anonymous Coward

    You gotta be kidding

    Yeah, and 99% of the execs I know will do none of that and blame IT staff when they are hacked somewhere in Shenzhen.

    1. Anonymous Coward

      Re: You gotta be kidding

      And of course, we find out later this is all for naught as the chips were pwned at the factory and can turn themselves on when necessary.

      Frankly, the only way to be really REALLY secure is to not bring a phone AT ALL, take all notes on flash paper but commit to memory training so once you have them committed to your head you can burn the notes. Use only analog communications media and talk as if you're going to a birthday party or a family reunion so that there's no way to distinguish you're having a coded conversation. Or better yet, just wait 'til you get back; if a REAL emergency comes up that REQUIRES your attention, then talking it through probably isn't an option, and no computer is safe when it comes to remote comms. The decision should then be whether or not to cancel your trip and scramble home.

      1. Dave 126 Silver badge

        Re: You gotta be kidding

        > no computer is safe when it comes to remote comms.

        You can use an insecure phone to securely send short messages, if you have first, by hand, transcribed the padded plaintext through a one-time pad. If you wish to automate the use of the one-time pad using a discrete device, the processing required is so simple that the hardware and software required could be audited.

        This would work fine, if only the content of the messages and not the meta-data is of use to your adversaries.
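The one-time-pad procedure described in the comment above, as an added example that is not part of the original comment: messages are padded to a fixed size so their length does not leak, and each pad page is destroyed on first use. The names `PadBook` and `BLOCK` and the `page:hex` wire format are assumptions made for illustration.

```python
import secrets

BLOCK = 64  # assumed fixed message size in bytes, so length does not leak


class PadBook:
    """Numbered one-time pad pages; each page can be taken exactly once."""

    def __init__(self, pages):
        self._pages = dict(pages)

    @classmethod
    def generate(cls, count):
        return cls({n: secrets.token_bytes(BLOCK) for n in range(count)})

    def copy(self):
        # the second copy is handed to the correspondent in person
        return PadBook(self._pages)

    def next_page(self):
        if not self._pages:
            raise ValueError("pad book exhausted")
        return min(self._pages)

    def take(self, page_no):
        # pop() destroys the page: reusing a page breaks the scheme
        if page_no not in self._pages:
            raise ValueError(f"pad page {page_no} already used or missing")
        return self._pages.pop(page_no)


def encrypt(book, message):
    if len(message) > BLOCK - 1:
        raise ValueError("message too long for one page")
    page_no = book.next_page()
    # padded plaintext: 1 length byte + message + zero fill up to BLOCK
    padded = bytes([len(message)]) + message + bytes(BLOCK - 1 - len(message))
    key = book.take(page_no)
    return f"{page_no:04d}:" + bytes(p ^ k for p, k in zip(padded, key)).hex()


def decrypt(book, wire):
    page_no, ct_hex = wire.split(":")
    ct = bytes.fromhex(ct_hex)
    if len(ct) != BLOCK:
        raise ValueError("ciphertext is not exactly one page long")
    padded = bytes(c ^ k for c, k in zip(ct, book.take(int(page_no))))
    if padded[0] > BLOCK - 1:
        raise ValueError("corrupt length byte")
    return padded[1:1 + padded[0]]
```

XOR with a pad gives confidentiality only: a relay that flips ciphertext bits flips the same plaintext bits undetected, so the scheme carries no integrity protection.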

  2. Anonymous Coward

    chips were pwned at the factory

    Indeed. Unless you can review the die and logic arrangement of the base silicon you can't 100% trust anything that runs on it. This fact alone suggests that a *really* paranoid user would spread the risk over a series of diverse devices with a chequered pedigree to minimise the risk of a pwned chip.

    When viewed in that light, the "advice" to stick to a single make of device seems designed to drive users to a certain ecosystem ...

    Anyone remember the film "Who Dares Wins" (with the late Lewis Collins)? As an inside SAS agent, he manages to convince the baddies that whilst "perceived wisdom" is that separating the hostages makes it harder for the security services, this is in fact disinformation designed to get the terrorists to do exactly that which makes it easier for rescuers. So the (reassuringly credulous) terrorists gather all hostages into a single room, where - surprise surprise - rescue is a doddle.

    1. Anonymous Coward

      Re: chips were pwned at the factory

      That doesn't account for "single source" information which by its very nature can only be placed in ONE location, and if ALL the phones are dodgy, putting it ANYWHERE is game over. Like trying to separate the hostages not realizing one of them knows the weaknesses of all the cells and can exploit them without tools; it doesn't matter HOW or WHERE you put him; he can break himself (and then his buddies) out all the same.

  3. Dinsdale247

    Don't Trust American Companies

    Apple is a major US company under the control of the US government. I will not trust an iPhone until there is a neutral party reviewing their kernel code and hardware. Yes, the data is encrypted when it is written to your NAND flash, but who says there is not a switch in the kernel that directs a non-encrypted copy to a NOR chip that nobody has access to? The data can then be padded into standard iCloud sync messages and nobody would be any wiser. Too far fetched? Not in an age when they are finding sleeper code in hard drive firmware...

    1. Anonymous Coward

      Re: Don't Trust American Companies

      "Apple is a major US company under the control of the US government. I will not trust an iPhone until there is a neutral party reviewing their kernel code and hardware."

      This is a world where there is no such thing as neutral. Anyone involved is either with you or against you, meaning you're in full-on DTA mode. Since you may have been brainwashed without your knowledge, you can't even trust yourself. Even if you tried to distance yourself from everyone else, there's still satellites...

  4. Anonymous Coward

    Why bother with a phone if this is what you will do with it? Perhaps get a non-smartphone instead.
