
Why one of cybersecurity’s thought leaders uses a pager instead of a smart phone - doctorshady
http://www.washingtonpost.com/blogs/the-switch/wp/2014/08/11/why-one-of-cybersecuritys-thought-leaders-uses-a-pager-instead-of-a-smart-phone/
======
avn2109
Geer is a pretty salient guy. There are several gems buried deep in the text
here:

>> "For me, trust is the availability of effective recourse."

That's a tidy little definition, and quite pithy. And this next one might
apply to engineering in general (he brought it up in the context of
"fast/good/cheap---pick 2").

>> "I think security engineering are [sic] about tolerable failure modes --
are about what the tolerable levels of failure are."

~~~
shit_parade
>> "For me the default of "the data doesn't exist" seems more natural to me
than trusting everyone to not abuse it."

I disagree. The data exists, this is fundamental, we are not going towards
data impoverishment, we are necessarily living in an environment rich with
data. I'd rather have accurate data by far.

~~~
UVB-76
> I disagree. The data exists, this is fundamental, we are not going towards
> data impoverishment, we are necessarily living in an environment rich with
> data. I'd rather have accurate data by far.

It may be an inexorable trend, but for the time being, individuals and
organizations generally have a choice about the amount of data they collect.

------
falcolas
The discussion about "What is Public" was absolutely fascinating, and a bit
frightening, to think about.

> Technology is changing what is public by changing what is observable, and
> that's what I'm getting at. And I don't know the answer, but I do know that
> if we don't answer it, things will continue.

We already see the excesses of things like this from the paparazzi and the
effect it has on a celebrity's privacy; what happens when the long range
lenses are compact and cheap enough to fit in phones, and easily combined with
the technology to see through walls?

~~~
InclinedPlane
That's immaterial, frankly. The fact is that there's a growing ocean of data
out there, collected intentionally, unintentionally, and as a side-effect of
other activities.

More and more the difference between "public" and "not public" in the future
will be a matter of processing, not of existence. Imagine the maximal
capability if computing were infinite and free.

Every piece of data that was vaguely public (and remember that things like
purchasing history are not necessarily always private) could be cataloged and
collated together. Imagine if every picture you've ever been in could be
pulled up by anyone on a whim, and then fleshed out with metadata as
appropriate. Everything from that selfie you posted to facebook when you were
12 to your car in the background of someone else's picture on the street just
last week. We will lose a lot of privacy just through things like this.
Strangers will be able to track our lives and our histories just through the
careful application of computing power. As computers get more powerful that
capability will merely increase. It'll be possible to guess fairly accurately
whether you are single or in a relationship, how much money you make a year,
and so on just by observing things like a handful of pictures and collection
of various other metadata, much of which is already out there.

Think about that in the context of someone who suddenly becomes famous, for
example, such as a movie star or a candidate for elected office. Suppose all it
takes is pressing a single button to collect an enormous amount of information
on someone's history. Now imagine all that data in the hands of people as
callous and malicious as political opposition groups or tabloid reporters.

~~~
tormeh
"It'll be possible to guess fairly accurately whether you are single or in a
relationship, how much money you make a year"

Well, you could probably get a decent guess just by looking at the house and
garage. Some things have always been easy to guess accurately, but one novel
problem is that we need more and more effort to be anonymous, online and
offline. Double lives may be desirable for some, and it's just getting harder.
Now you can at least withdraw a wad of cash, leave all your cards and
electronics at home and be reasonably anonymous. In the near future you would
probably need face paint to avoid image recognition and even further on you
would need to subject yourself to an electro-magnetic pulse to get rid of
nano-robots you can't wash away.

------
josho
I wonder if we are experiencing the typical adoption curve of security. That
is, a technology arrives, we rush to adopt. Then over time we become aware of
the consequences of this new technology (e.g. loss of privacy) and
legislation/policy steps in to correct that gap.

This time, however, I am not convinced that the US will ever be ready to correct
the situation (I am more bullish on Europe). It strikes me that the
organizations (companies and government departments) gain too much by their new
incursions into privacy and data. These same organizations are also some
of the most powerful, so they have the influence to ensure that corrections
from legislation and policy remain only superficial.

~~~
chrisfosterelli
I don't think legislation/policy is the solution. We have seen time and time
again that when the government steps in they create ineffective and ridiculous
boundaries that do little in practice. Problems like these need to be solved
with technology; user-friendly and default encryption would go a long way in
most of these cases.

~~~
acdha
> We have seen time and time again that when the government steps in they
> create ineffective and ridiculous boundaries that do little in practice.

Right now, there's no cost for having weak security. What you're talking about
is the technocratic approach, which is often what industry lobbies heavily for
– get the government to bless whatever you were going to do anyway and make it
complicated to increase the barrier to entry for new companies. This is what
we have in many cases coupled with laws which shield companies from the
consequences of their mistakes (e.g. try suing a credit agency for spreading
incorrect data about you).

It's not a given that it has to work this way – the other approach which many
people in the security industry have called for is changing the laws to shift
liability to the companies. That mandates the desirable outcome but allows
companies to pick a level of risk which they (and their insurers) are
comfortable with – which provides nice incentives to do things like not
collect sensitive data if possible – and use whatever technology is
appropriate to meet those needs.

> Problems like these need to be solved with technology, user friendly and
> default encryption

This is a common misunderstanding. Solving these problems – and ensuring that
they stay solved in the future – ultimately costs money. Companies will not
spend that unless they have both a requirement and a reasonable expectation
that there will be noticeable consequences for not meeting it. Without
enforcement, you'll get things like those meaningless Verisign / McAfee
banners on webpages, which signal that they consider security a marketing
exercise.

Since the average person is utterly unable to compare different products in
this manner and it's a difficult, ongoing job even for the skilled security
practitioner, there has to be some outside pressure to make information
available. Once you have that, the technology will follow.

~~~
chrisfosterelli
That all sounds good in theory, but in practice I would argue you can't simply
create effective laws like that.

I agree that companies will not spend on security unless they have a reason
to -- but how exactly can you effectively legislate that? Helping people make
informed choices with where they put their business is a much better solution,
in my opinion.

You say that there is no cost for having weak security, but that is not
because there is no legislation, it's in _spite_ of it. Legislation written by
people who don't understand the technology they are regulating is not helping.

~~~
acdha
It's usually because legislation specifically _blocks_ liability, as requested
by the backers. By default you could sue a credit agency for reporting false
information but they specifically got that exempted, similar to the way
companies have managed to establish things like EULAs or binding arbitration
as alternatives to the legal system.

All we need to do is restore the primacy of the legal system over suborned
alternatives but that requires undercutting decades of successful marketing
the idea that government is inevitably bad or corrupting which has been highly
effective at convincing people not to expect better.

------
listic
'GPS built into cars, ... Do you care about that? As I'm sure you know, the
most common reaction is "I live a good life, I have nothing to hide."'

Doesn't GPS lack a reverse channel by design (i.e. receive-only)? I thought GPS
was safe, as all it can do is receive satellite data and it has no way to
disclose your location.

~~~
codezero
Many modern cars combine the onboard GPS with so-called "value added" services
that uplink data over wireless networks whether you subscribe to the service
or not: OnStar, and several custom manufacturer networks. In particular, Tesla
vehicles do this. I know my Volkswagen does as well.

~~~
pjc50
Note the EU's soon-to-be-mandated "eCall" system, where your car is supposed to
phone the emergency services with your location in the event of a crash.

------
owenversteeg
Well, here's why I don't have a smartphone.

I (a programmer) spend 10 hours or so on my computer per day. Not having a
smartphone prevents me from being always one step away from a computer. This
lets me "disconnect" from everything else.

~~~
jsmeaton
I left my phone in a cab 2 weeks ago and I'm still waiting for them to post it
back to me. It's been extremely liberating being disconnected - I haven't
missed it nearly as much as I thought I would.

I also spend about half the time I used to in the toilet ;)

~~~
vijayr
I went to a camp for 4 weeks - no internet, tv, phone, books or newspapers. It
was surprising how quickly I (and others) adjusted, and did not miss any of
those. It was liberating to do physical work, and sit down and talk to people
face to face.

I guess we need all this noise _because_

a) most of us don't do anything meaningful with our time and

b) most people can't be alone with their thoughts/sit still for 5 mins. They
need a "fix" (internet, tv etc) and

c) true/deep friendships and relationships are less common, compared to 30-40
years ago (how many people even know the names of their neighbors, or
recognize them?)

------
listic
English is not my native language, but this is one of the few times I need
help understanding the interview. Could you please explain what he means by:

"I testified actually twice -- once at the FCC, once in a congressional
committee -- that if you required location tracking, I was going to give one
up. ... I said I would give it up, and went ahead and did it."

~~~
xenophonf
If FCC and Congress required location tracking, the guy was going to give up
his mobile phone. He stated this in his testimony.

FCC/Congress required location tracking. Geer gave up his mobile phone as a
result.

~~~
listic
"Gave up" as in "stop using"? Did FCC and Congress require Geer to personally
track himself? (Why?)

Also, I find it wonderful that in the USA you still have an option to use a pager.
Many countries don't have it anymore, because all paging companies have gone out of
business already.

~~~
MaulingMonkey
> "Gave up" as in "stop using"?

Yes.

> Did FCC and Congress require Geer to personally track himself? (Why?)

I believe this is in the context of tracking cellphone users in general. This
is used to support "Enhanced 9-1-1": When someone dials the emergency
services, they can have a rough idea of where the caller is, even if the
caller doesn't know where they are.

Of course, there are plenty of more nefarious uses one can imagine as well.

------
cordite
This totally reminded me of the book Rainbow's End, where most things are
essentially black boxes, made out of other black boxes. Turtles all the way
down.

~~~
jessaustin
As was emphasized toward the end of that book, the apostrophe isn't actually
present in the title. The title is actually a statement about rainbows, and
about life.

~~~
cordite
I never noticed. I read it in 3 solid chunks within 2 days.

------
AlyssaRowan
I'm aware that GCHQ has a geolocation project for pagers, specifically, so...
yeah.

~~~
doctorshady
How would that be possible? The communication protocol is entirely one way.
Even if it weren't, most paging sites are just a single, relatively high
wattage transmitter, unlike cell services.

~~~
AlyssaRowan
Specific details are hard to come by. I have no RF expertise myself, and I
have no idea how deployed, operational or effective such a project may be, but
it has definitely been an area of interest.

A source vaguely intimated it might have something to do with retro-reflection
from receivers' local oscillators when illuminated by much higher-strength
signals than designed for. They mentioned equipment provided by GCHQ to the
Security Service (MI5) for operational triangulation of short-wave radio
receivers in the 1980s-1990s (I can see why that might have been relevant to
their interests then...) and/or pagers in the 1990s-early 2000s. Does that
help?

~~~
doctorshady
I'm afraid I'm not much of an RF person either, but that's interesting.

------
shit_parade
Go placidly amid the noise and haste, and remember what peace there may be in
silence. As far as possible without surrender be on good terms with all
persons.

Speak your truth quietly and clearly; and listen to others, even the dull and
the ignorant; they too have their story.

Avoid loud and aggressive persons, they are vexations to the spirit. If you
compare yourself with others, you may become vain and bitter; for always there
will be greater and lesser persons than yourself.

Enjoy your achievements as well as your plans. Keep interested in your own
career, however humble; it is a real possession in the changing fortunes of
time.

Exercise caution in your business affairs; for the world is full of trickery.
But let this not blind you to what virtue there is; many persons strive for
high ideals; and everywhere life is full of heroism.

Be yourself. Especially, do not feign affection. Neither be cynical about
love; for in the face of all aridity and disenchantment it is as perennial as
the grass.

Take kindly the counsel of the years, gracefully surrendering the things of
youth.

Nurture strength of spirit to shield you in sudden misfortune. But do not
distress yourself with dark imaginings. Many fears are born of fatigue and
loneliness.

Beyond a wholesome discipline, be gentle with yourself. You are a child of the
universe, no less than the trees and the stars; you have a right to be here.
And whether or not it is clear to you, no doubt the universe is unfolding as
it should.

Therefore be at peace with God, whatever you conceive Him to be, and whatever
your labors and aspirations, in the noisy confusion of life keep peace with
your soul. With all its sham, drudgery, and broken dreams, it is still a
beautiful world. Be cheerful. Strive to be happy.

-- Max Ehrmann, "Desiderata"

------
shit_parade
This guy sounds like an apologist.

------
shit_parade
"And I don't go visit other people's apartments at random -- I could but I
don't."

LOL

------
peterwwillis
Well, that's pretty embarrassing. Looks like Dan did a Black Hat presentation
with two dryer lint traps stuck to his face.
[[http://img.washingtonpost.com/blogs/the-switch/files/2014/08...](http://img.washingtonpost.com/blogs/the-switch/files/2014/08/14666596867_cdd3efb92c_k.jpg)]

It's kind of ridiculous to think of paging devices as secure or private in any
way. The main reason one might have to use one over a cell phone is that they are
passive devices, unless you use a two-way feature. But everything goes over
the wire unencrypted and is broadcast for between 10 minutes and four hours. An
example is the famous 9/11 pager logs:
[http://911.wikileaks.org/](http://911.wikileaks.org/)

~~~
pessimizer
> But everything goes over the wire unencrypted and broadcast for between 10
> minutes and four hours.

'Everything' in transit to or from a pager is different from 'everything' in
transit to or from, or at rest within, a smartphone, in addition to the current
location of that smartphone. Not to mention the ability to change the code
executing on them in order to use any sensors that you please.

