[Freedombox-discuss] Out of band monitoring of PSN

Ben Mendis dragonwisard at gmail.com
Thu Jun 28 19:30:45 UTC 2012



I have other work that I really should be doing instead of feeding the
trolls so this will likely be my last response on this topic.

On Thu, 28 Jun 2012, freebirds at hushmail.com wrote:

> Ben Mendis wrote: "Because a UUID is just a number. A number, by
> itself, is not a threat"
>
> Whereas, using PSN and AMD DASH or Intel AMT is how IT
> administrators, hackers and government discreetly remotely take
> complete control of computers.

DASH or AMT, maybe. But PSN, no. You have yet to demonstrate in any way
how a PSN could be used by an attacker to gain remote access to a
system. Please stop spreading this FUD.

> Whereas, PSN can be tracked without
> opening a browser, without being online.

Again, you have yet to demonstrate how a PSN could magically be
transmitted from my computer to Microsoft's servers when my system is
not connected to any network. I know, it's unreasonable of me to
challenge you on this because you're not a programmer, but frankly if
you don't know what you're talking about, don't spread this FUD.

> Did Freedomboxfoundation sign a nondisclosure agreement? If not,
> please do and then ask.

Assuming they did sign an NDA, or assuming I signed an NDA... wouldn't
that implicitly (or even explicitly) mean that we would not be able to
disclose any response we received from these companies under that
agreement? Unless I'm mistaken, that's the whole point of an NDA.


> Today, I did post my questions on ARM's forum. I will post their
> replies if any.

Please do. But also realize that the existence of a PSN or TrustZone in
the CPU does not inherently represent a threat to the security of the
system. At least not from any of the evidence that you have been able to
produce. These processor features can only become a threat in conjunction
with specific local software that is intentionally designed to access
those features of the processor. Removing the serial number is not a
good "fix" for the issue you have been describing, because in those
scenarios the software that the user is running is not trustworthy, so
they're fucked anyways. If you only run trustworthy software, there's no
issue.

If you had bothered to become a programmer and learn about how
computers work on the inside, then you'd be able to understand my
skepticism of your claims. What you're saying basically amounts to, "If
someone knows your name, then they can use your name to hijack your
brain and use mind-control to make you do whatever they want." While
that might be the plot of some popular fictions, it's not reality.


Furthermore, I think it's hilarious that you're lecturing us on what is
and isn't "private" from a Hushmail account. You don't even own your
private key. Hushmail has servers in the USA which puts them under US
jurisdiction. If the gov't was investigating you, they could subpoena
Hushmail for ALL of your emails, decrypted and in plain text. And since
Hushmail owns your private key, they would be legally obligated to
give you up. Your fourth amendment rights don't even enter into it. And
that's not conspiracy theory, it's US Law. Go read about it or talk to
the talented lawyers at the EFF if you don't believe me.

Good game,
Ben the Pyrate



