RE: https://hachyderm.io/@evacide/116274789062787020

Tangent, but this is one reason why I don't bother with "burner phones" at DEFCON.

If my day to day security practices are insufficient for DEFCON, they're insufficient for day to day life. I'm just as likely to get attacked in a random cafe.

I roll my eyes a bit at people who insist that burner phones are necessary.

A lot of security rituals you hear about from folks online are like this.

This is the kind of culture that leads to giving blanket paranoid security advice without threat modelling first.

@soatok It’s the security equivalent of cargo cults. If the ritual is complex, the protection must be strong!

@ra6bit @soatok And lo, the number 42 arrived with wit from a very clever man. And from then on, we agreed our random seed would be 42 so that we too might be clever men. And the API key shall be checked into the public repo lest we lose it in our sticky notes ....

#SecurityAntiPatterns #AntiPatterns #GeekHumor

@soatok Indeed. About the only reason I'd bother with bringing a burner phone to a conference is if I wanted to make it hard*er* for anyone surveilling the conference to confirm that I went (forcing them to gather additional evidence), or if I was going with the expectation that the hardware wasn't coming back with me.

Neither of which apply to most conferences I'd even remotely consider attending, therefore I don't bother with doing that. (Except laptops. Unless I need the chonkpad's hardware, I always take my old shitty one where possible, as it's an order of magnitude cheaper to replace that one should it grow legs and walk away...)

@becomethewaifu See, this is a reasonable threat model: laptops getting lost or stolen is more common than APT ninjutsu
@soatok this this this this
I know this is a bit off-topic, but there's this strange mindset common in some privacy-centric communities, that everything you need to achieve Absolutely Perfect Privacy™ (100% unbreakable!!!) is to buy a specific set of expensive products and then proceed to commit to some random trends with negligible impact (e.g. people who use extremely outdated, ME-cleaned hardware or non-systemd distros due to... security concerns, I guess?)

And in this entire process, this snowball of a multitude of cargo cults, no one dares to suggest that maybe you should attempt to recognize what's your actual threat model

@nullenvk @soatok

people who use extremely outdated, ME-cleaned hardware

Using such outdated CPUs, which no longer receive microcode updates, and pretending that CPU bugs don't exist doesn't seem like a good security strategy.

@soatok

I did it with a laptop.
More out of the "loss would be a massive hassle" angle.
I'll not carry laptops on me all the time. That's way different than a phone, as in more chance for physical shenanigans, shoulder surfing and then theft without "Raub" (German legal definition).

The goal of "thorough disassociation" is exponential effort. With so many footguns it's not even funny.
Better don't carry a phone at all while being clandestine in a way that phones are relevant.

@soatok "But what if someone pops a totally novel 0-day at this Starbucks!?"