This editorial comes to you from Dense Fog Nashville Traffic. Dense Fog Nashville Traffic, the thing Paul was stuck in while mulling over an old request to be an expert witness at a trial where I would talk about email headers and where and how they could be faked.
TL;DR – author muses about theoretical potential authoritarian requirements that a person not speak while authorities are searching a house.
Why so local?
Security has come a long way these days. Every mobile device touts bank-level encryption, multi-factor authentication, biometric identification, VPNs with no logging, but as is evidenced by story after story of locating cybercrime and tracking down people, that doesn’t seem to be cutting it for the criminal masterminds out there.
Illicit business done on devices continues to be what seems to be in the news. Police raided so-and-so’s apartment, seized X devices, and a month or two later you’ve got charges and evidence from the devices. This tends to be a repeated story. People set up their authentication, lock their system down, and get caught in an unexpected raid; information is extracted, and the criminal mastermind is charged with 40+ counts, which usually causes them to accept a deal that gives the information over.
But it’s 2022… everyone should know that no matter what a company advertises about security there’s always someone selling a backdoor. Apple’s iPhones have a ton for sale if you’re willing to pay the price. Not saying Google’s better, just I know the name of the group holding onto a ton of Apple backdoors.
Google has done a lot to push their Tensor chips to do on-device security. I fully expect the Pixel 7 Pro to be the premier phone of choice for your local independent pharmaceutical distributor soon, and that’s not me coming down on the company, it’s just I really believe at this point that the focus for security is shifting to on-device as people have great reason to believe that off-device leaves them more vulnerable. It’s a valid assumption. Google’s doing great on-device security. No joke.
Any service operating in any country your country has legal ties to is probably going to fork over any information they have about you at the drop of a hat from law enforcement. *cough* Ring *cough cough*. That’s been one of the guiding selling points of VPNs. VPNs cause other services to have one fewer way to track you, and using things such as an anonymizing browser means they have even fewer ways, as cookies and tracking info can’t jump from session to session.
Storing and processing things locally that were obtained via theoretically untraceable methods (Tor, a real VPN) probably seems like the safer bet, and it’s being pushed. Really, there are good reasons, such as that having to access content online means every time you do it you’re at some risk. There are also good reasons to hire computing power in another nation and run a virtual desktop that you only connect to over Tor behind a VPN, but we’re not getting into how I read The Sun…
The assumption in security is that more is coming and being done locally, and as such criminals probably are moving away from the easily-subpoenaed online models. More incriminating evidence on that Windows 7 box, less on Amazon Storage.
When the authorities show up
Let’s say I have a bunch of incriminating evidence on my machines. Authorities have a valid warrant and come in to secure a mass of devices. What is there these days to prevent someone from saying “OK Google, here’s a passphrase” that immediately physically destroys media, or worse yet detonates an explosive designed to kill? Really, there’s not much.
Yeah, maybe I watched too many SAW movies, but it seems like very shortly the next moves of those skirting the law are, at the very least, machine-destructive failsafes triggered by your voice (or lack of internet suddenly, or movement of the computer, etc.), but I’m more interested in the voice-triggered scenario than in the 10,000 ways you can rig something to break.
Using Google Assistant, Alexa, or Siri to trigger a de-incriminating process that a forensic computer specialist could not work their way around. “Hey Google, say hi to the police,” and 5 seconds later a trash compactor squishes a hard drive that has an obscenely long SATA cable connecting it to a computer.
I fully expect this has happened already. I just can’t find good sources this early in the coffee consuming day.
I start wondering how long until the suspected criminals are held at gunpoint and told to not utter a word. Of course the counter to that would be AI recognizing people it doesn’t recognize in the house and self destruct initiated automatically. And the next step would be cutting power to a residence which would easily be defeated by UPSes, that AI, and self destruction.
But I highly suspect we’re going to see some attempts shortly by authorities to allow them to prevent suspects from saying a word to defend themselves because Assistant routines are easy these days. I can automate a process to turn a lever that’s attached to a water shutoff that activates an acid powder in a computer on a hard drive in about seven minutes.
In the end
I’m not advocating for or against anything here, just musing that I highly suspect there will be an attempt in the law enforcement sectors to prevent people from speaking at all, and currently illegal confiscation (in the US) of on-body devices during searches to prevent booby traps or fail-safe mechanisms from being triggered. Also that regardless of what authorities come up with, there will always be another way to destroy local content and trigger automatic routines.
Oh yeah, also that on-device doesn’t really mean anything in terms of security when attempting to evade authorities. Oh, the audio in the room where I’m doing my illicit dealings is only being processed by a Tensor chip on my device? You mean that firmware the phone has pushed by my carrier to my phone isn’t able to, I don’t know, access the hardware microphone in the abstraction layer in this particular instance to eavesdrop? Noooooo…
That firmware doesn’t have the ability to see what’s on the screen by accessing the GPU memory below the kernel level and transmit it over a different layer transport that’s not under Android and viewable? Would find that hard to believe.
So that’s what I do in foggy mornings while stuck in traffic. Think about what’s next in security, society, and government.