The universal law
The universal, immutable law of security is: if a thing can be accessed legally, it can also be accessed illegally.
I would add a corollary: this law is doubly true of any system that claims to be "unhackable".
A crypto-currency wallet heavily promoted as "unhackable" – complete with endorsements from the security industry's loopy old uncle John McAfee and a $350,000 bounty challenge – has, inevitably, been hacked within a week. The $120 Wi-Fi-connected Bitfi wallet is a hardware device that stores your crypto-coins and assets, and …
> if a thing can be accessed legally, it can also be accessed illegally.
It's your use of the word 'if' that's caught my attention. What would it take to make a physical object inaccessible to a well-resourced attacker? You might put it in a bank vault, but that means trusting the bank - and the state, since it's the police who prevent robbers with cutting equipment taking a leisurely week to attack the vault. You might put it in a safe, but that merely means that the item to be accessed is now a physical key - a physical object, which is just making the problem recursive. You could use a passcode on your safe - but beware shiny button syndrome or the micro camera in the wall behind you. And again, in a lawless state the attackers can take as long as they want to physically break the safe. You might bury it in the woods, but again that just means the attacker only needs information to access your precious item.
> It's your use of the word 'if' that's caught my attention. What would it take to make a physical object inaccessible to a well-resourced attacker?
If they're dedicated to getting into your secure device specifically, then there's very little you can do.
But in most cases you don't have to outrun the bear, you just have to outrun the next person.
Enterprising young hacker should have rewritten the software on the device to publish the password when entered, copied the encrypted data, faked a hack with incorrect data, returned the device and claimed the prize.
No doubt John would have, to some fanfare on stage, entered the real password on the device to prove it was never hacked. Hacker gets SMS with real password, opens wallet, profits a cool quarter of a million.
Really? I am shocked that his endorsement of a product might be considered a plus for that product based not just on the man himself but also on the concept of "endorsement for hire" like a certain sports and actor/actresses. I daresay any celeb's endorsement is just about as valuable as the paper it's printed on.
At least he can blame mind-altering substances for most of his tweets.
Quite possibly Trump could as well. One of his doctors prescribed him a medication that's basically an amphetamine back in 1982, and he took it until "no later than 1990". It would explain a lot if he's still taking them, although even if he isn't, long-term amphetamine use causes lasting damage to the body.
That is some BS article!
"The most obvious one: modifying the device so that it records and sends the key to a malicious third party. But this is excluded from the bounty. Why is this? Because the bounty is a sham."
Another title for you: "Unhackable device can be hacked if the hardware is modified, therefore it is worthless."
This is so stupid I have no words. What next? "Incredible: You can die of poisoning if healthy food is mixed with poison"?
Hacking something with a "warranty is void if broken" sticker is infinitely harder than one without, maybe I should suggest that as an upgrade to the device, you can pick them up on eBay cheap enough, if they'd have skipped the endorsement and spent the money on stickers, they'd have a MUCH more secure device.
First of all, you're calling out the Register's article as 'BS', but using a quote from a completely different source: the article, in that section, is quoting what Andrew Tierney wrote elsewhere. You can call bullshit on Tierney's opinions (and you'd be wrong) but you can't call bullshit on El Reg, since they're just accurately reporting someone else's (relevant and informed) opinion on the story.
Secondly, and finally, you seem to think 'hacking' is exclusively about using code to manipulate factory standard kit. Social engineering, bugs/key loggers, rubber duckies, etc etc are presumably not 'hacks' in your world, since they don't fit your absurdly narrow requirements that hacks use only stock hard/soft ware. You'd presumably also argue that even software exploits aren't technically vulnerabilities, because people aren't supposed to use software that way. God help anyone who relies on you for tech/security advice.
I still don't buy this definition of "hackable" (even though most people are not with me here; that's fine).
So if this device was sold with all electronics encased in a solid block of black epoxy, suddenly it would be the bee's knees?
Not trying to be smart (and you would say there is no chance of that happening), but I wish all "hackable" devices required modifying the hardware to gain access, like this one apparently does. I happily would settle for that for now.
> What next? "Incredible: You can die of poisoning if healthy food is mixed with poison"?
You can see that, yet you fail to see the stupidity of a food producer who sells loose items of food while claiming that their product cannot be poisoned. Planting malicious code that transmits passwords to a 3rd party is an extremely common method that hackers use to gain unauthorised access. If I can plant a backdoor in a device by gaining physical possession of it for a few minutes, then it cannot possibly be described as "unhackable." At the *very* least the case should be made such that it would be obvious if someone had opened it.
Android sits at both ends of the security scale. Run-of-the-mill unhardened Android like this (and 99.9% of consumer Android devices) offers next to no security. On the other hand, some of the most secure comms handsets also run Android - albeit properly hardened and probably unrecognisable to the layperson.
If this device "holds" your digital stash, then to have it stolen means you lose your imaginary money.
The only operation that a bad person needs to perform in order to profit from this is to steal someone's Bitfi and send a ransom note to the owner.
Sometimes the "old fashioned" methods are the most effective.
Stealing the device physically and demanding a ransom isn't hacking. A device with substantial hacking resistance still can be worthwhile to have.
On the other hand, if this was just a cellphone and someone stole it, it would typically be findable remotely.
iPhone has that feature; I understand it also is fussy about interference with its internal parts. I don't have one, but it seems to me that an iPhone is a better one of what this is, than this is.
> ... you lose your imaginary money.
It is no more imaginary than the bits of coloured paper or plastic in your wallet, or the magnetic ones and zeros on the HDDs of your bank's computer. Earlier this year I enjoyed a very nice holiday in a distant and exotic land paid for entirely by what you are calling "imaginary money".