by Someone1234 4222 days ago
I love the EFF (and have donated money) but I am going to disagree with them on this one.

As they themselves fully admit, the first thing the big g is going to do is test that their malware v2 isn't detected by this. In the same way that malware authors now check against Microsoft AV because it is the most popular.

So my point is that traditional AV in this scenario is a loser and will remain a loser because it is a race AV just cannot win. It will only alert you to an attacker well after the fact.

A far better EFF suggestion to "at risk" individuals (e.g. journalists, activists, etc) is read only systems. For example grab a Live DVD of a Linux distribution, boot it, use it, and then as soon as you turn it off everything is reset to 0.

That won't address the "baseband issue" (e.g. firmware infections, UEFI, etc), but neither does this. Only physical security really addresses the baseband.


Hey, Danny O'Brien from EFF here. You're absolutely right: the best defense against malware attacks of any kind is to increase the level of protection that systems have, whether that's read-only distributions, compartmentalization approaches like <a href="https://qubes-os.org/">Qubes</a>, or just generally fixing the vulnerabilities that malware must exploit to take control.

Detekt is mostly about a different and earlier part of the problem: allowing groups that may be currently targets of illegitimate state surveillance to confirm that they have been infected by specific tools that we know to be used by state attackers, and therefore confirm that they are indeed under this specific sort of surveillance.

Up until now, getting to the point of confirming that fact has mostly relied on manual examination by experts. If an activist or journalist suspects they may be under surveillance or infected with malware, they need to navigate the usual challenges to fixing a malware infection, plus they need to eliminate the (often far more probable) case that they are infected with the usual petty criminal spyware.

This is about being able to positively identify a relatively small number of cases of targeted illegitimate surveillance, out of an ecosystem of hundreds of thousands of potential targets, and a huge array of potential exploiters of vulnerabilities. Right now all the organizations supporting Detekt (EFF, Amnesty International, Privacy International and Digitale Gesellschaft) receive queries about potential infection cases from all around the world: now we can scale up the first step of that triage we conduct a little. The positive identifications that come out of Detekt we can take further, and base, for instance, the <a href="http://www.washingtonpost.com/business/technology/us-citizen... cases against the Ethiopian government</a> in the UK and US that PI and EFF are conducting.

Just to back up what Danny is saying here.

As part of a number of groups that do digital and physical security training for journalists and human rights defenders, most of us have/do recommend the use of live CDs like TAILS etc. Unfortunately my experience has shown that it is very, very difficult to get anything other than a small percentage of journalists or HRDs using them for any period of time - especially in countries where IT literacy levels are low. Linux (and also PGP) is just too much of a cultural shift for most people. I mean even a security-conscious guy like Glenn Greenwald didn't even bother to learn PGP or Live CD usage in the first few months of Snowden reaching out to him.

It is a gap in capability that many of us (including Danny at EFF) are working on day and night to try and bridge though!

> As they themselves fully admit, the first thing the big g is going to do is test that their malware v2 isn't detected by this ... it is a race AV just cannot win.

This can be said of every security solution. The value of security is to increase the attackers' cost, which will deter attackers who don't want to pay the higher price. There is no absolute security.

Also, the prospect of updates will increase attacker costs more, as some attackers will feel the need to proactively avoid detection by future versions too.

Or, gosh, incorporate a security system that doesn't rely on obscurity of defenses or ignorance on the part of your attacker..?

Got a link to this consumer OS whose implementation is mathematically proven secure?

This is the entire point of defenses like ASLR and stack canaries. The attacker knows they are there, but knowing the form of the defenses doesn't inherently aid the attacker...

Knowing a defense has weaknesses doesn't make it worthless when it takes extra effort for an attacker to exploit that weakness. There is no proven secure consumer OS (I'm including common userland apps in that) so things like ASLR and stack canaries are just extra obstacles to get around.

Real security needs to be layered.

Grab a live DVD, but how do you make sure that the hash used to verify the ISO is what it should be? Transfer it offline? Because if you are trying to avoid being spied on by the government, I don't think CAs/TLS can be used.

> A far better EFF suggestion to "at risk" individuals (e.g. journalists, activists, etc) is read only systems. For example grab a Live DVD of a Linux distribution, boot it, use it, and then as soon as you turn it off everything is reset to 0.

It's called TAILS. It also triggers scrutiny by "the big g".

http://www.theregister.co.uk/2014/07/03/nsa_xkeyscore_stasi_...

All of these memory signature scanning tools have a limited window of opportunity before the malware adapts. The involved organizations probably determined that the value of the current set of signatures was near its end and there was value in getting some parties outside of direct collaborators using the tool during a brief window.