127 comments

[ 3.2 ms ] story [ 204 ms ] thread
Kinda surprised biometrics are recommended. I’ve always thought passcodes were more secure - particularly as the data is not easily accessible by interrogators for example.
Biometrics are recommended if the data is not classified.

Remember this is for people working on sensitive information.

This is what the NSA's original mission was, to keep people safe and strengthen the American defense posture from the single person up to the entire infrastructure that we rely on day-to-day. The mission has shifted to offense after 9/11 so there's conflicting goals here (can't patch something we're using against the bad guys)

NSA was always about offense and is strictly for international offense.

The only shift after 9/11 was getting the three agencies to actually talk to each other.

It says on their mission statement that they do SIGINT and information assurance (i.e. IT security) and there is plenty of public evidence that they do both. Plus they've been deeply involved with designing cryptographic protocols and equipment for the US govt for a very long time which is part of SIGINT but it's not the offensive part.

https://www.nsa.gov/about/mission-values/

The NSA was created in a reorganization of US SIGINT/COMINT services, because SIGINT/COMINT during the Korean War had been unsatisfactory. Its primary mandate has always been COMINT.

https://www.nsa.gov/about/cryptologic-heritage/historical-fi...

> The Brownell Committee suggested that the creation of AFSA could be seen as a "step backward," and recommended that the power of the director, AFSA, to centralize COMINT be increased.

> In October, Harry Truman authorized a reorganization and renaming of AFSA, and in November, the secretary of defense authorized the replacement of AFSA by the National Security Agency.

No it wasn't. Take a look at the movie Enemy of the State that was released in 1998, 3 years before 9/11. In the movie the NSA is monitoring all calls, has NRO satellites that tail them, and a bunch of other Tinfoil hat stuff that was confirmed by the Snowden leaks a decade later. The biggest fiction in the movie was their ability to connect the dots and do stuff in real time as depicted.

The NSA director even said they were appalled how the agents were portrayed and went on PR campaigns to defend them selves. They were always spying but not ruthless killers as depicted in the movie.

https://en.wikipedia.org/wiki/Enemy_of_the_State_(film)

It explicitly says 'minimal sensitivity'. That basically means the threat vector is "I left it at the cafe."
If every NSA employee has a perfect security posture, any adversary is going to have to take more extreme measures to get information. Better to let them have the occasional un-updated iPhone.
No it’s not. The best way is to break them with your h yielding security posture.
I went to a legal presentation at Defcon a couple of years back where they said that the government needs a court order / warrant in order to force you to tell them your password, but if you're using biometrics, they can just force you to touch your finger to your phone or scan your eyes without it. It's some legal loophole.... so in that respect I think passwords ARE more secure.
Smart, but there is a way to force your (faceid/touchid) iphone to require your password by holding the power button to get to the "slide to power off" screen.
A defendant was compelled to use their face to unlock their computer in a recent case (2021) [1]. The reasoning given by an analyst:

> requiring a defendant to expose his face to unlock a computer can be lawful, and is not far removed from other procedures that are now routinely approved by courts, with proper justification: standing in a lineup, submitting a handwriting or voice exemplar, or submitting a blood or DNA sample

Contrasting the logic used by a judge in a similar case in (2019) [2]:

> If a person cannot be compelled to provide a passcode because it is a testimonial communication, a person cannot be compelled to provide one’s finger, thumb, iris, face, or other biometric feature to unlock that same device

Ars has a summary of more cases [3]. It looks like in several instances state courts allowed the devices to be unlocked using biometrics, but the rulings were reversed at the federal level. In many cases a warrant was required.

1. https://archive.is/i2Bx9

2. https://archive.is/px2Qz

3. https://arstechnica.com/tech-policy/2020/06/indiana-supreme-...

Presumably NSA employees are not using their phones for illegal activities, so they should not be in a situation where a court will order them to unlock their phone.
There are two threats, bad actors, and law enforcement.

Biometrics is good for law enforcement but is it tougher for hackers?

>> biometrics are recommended.

Maybe by the NSA. Any defense attorney will tell you otherwise. If your fingerprint unlocks your phone then the cops will hold your finger to the phone. If you face unlocks your phone then they will do that too. A pin/password means you retain at least some control.

If this was an Archer episode, I'd point out that while dead people cannot divulge pins/passwords their fingerprints still work.

I believe they're recommending setting your phone up in a "lock immediately upon sleep; require password after five minutes" configuration.

Passwords are better than biometrics for security; but between password validations, presuming some level of convenience is needed, using biometrics to check that the same person is still there is better than "just stay unlocked for a few minutes even after being put to sleep".

It's like HTTP Basic Auth (sending credentials with every request), vs. logging in, receiving a short-lived session cookie, and then sending that session cookie with your requests for a few minutes.

PIN/password to unlock the device, plus biometrics to access certain sensitive data or applications on the device.

It’s not perfect, but I think it strikes the best balance.

It says to protect your lock screen with a password, and additionally protect minimally sensitive data on an already-unlocked device with biometrics for convenience.
> Power the device off and on weekly.

Thoughts, HN? I can see how this might be good for performance, but how is it good for security?

It's possible to have a security exploit which can compromise a running device, but is not able to make itself permanent across restarts (e.g. changes programs in RAM but not in flash)

That's my best guess.

Concrete example: all the recent ios jailbreaks (aka sandbox escape and/or EoP exploits) are tethered, which means they're undone/reset after a reboot.
(comment deleted)
Makes it harder to maintain persistence on the device, I believe. Whether it solves the problem in question is another matter.
Running your malicious actions without writing to disk is a very effective way of bypassing a lot of security and forensics technologies.

As soon as you make changes have persistence you have proof and some operators are not oaky with that.

a lot of exploits deliberately avoid persistence as an extra layer of protection from detection. Since most folks rarely restart their phones these bugs can live on your phone until a restart. So by restarting your phone on a weekly basis you are potentially wiping out memory only infections.
Another explanation is the hardware root of trust. On iOS, for example, hardware root of trust in a separate physical security processor validates all code in a chain. An exploit cannot gain persistence across a reboot unless it has access to the private signing keys of Apple
This is a good tip to avoid persistence. Lots of exploits won’t survive a reboot and so the target would have to be exploited again.
beermonster has it right.

For a very recent example of this, see the NSO Pegasus scandal from the past couple of weeks.

A reboot "unloads" the malware (until the adversary sends another payload, anyway.)

There is a whole category of potentially exploitable bugs that result from programs simply running. Slow memory leaks, floating point precision loss, and integer overflows to name a few. But this is more likely about clearing caches.
It’s to get rid of exploits that have no persistence.

For example, your running kernel space may be compromised but your on-disk kernel image may be still pristine due to a secure boot chain. That’s why rebooting can help remove such exploits.

I highly doubt this is as complicated as persistence.

1) even on mobiles you still get the occasional webview or other core library update and need to reboot to complete the patch.

2) modern versions of Android use per-file encryption. Periodically rebooting flushes unencrypted buffers.

Surprised they go with "DO NOT" connect to wi-fi, but just "avoid" attaching untrusted hardware devices. That seems backwards.
"Avoid jumping off cliffs" does not mean that occasionally it's ok to jump off cliffs.

Is the surgeon general's advice "Pregnant women should avoid alcohol" unclear?

The U.S. Surgeon General's mandatory warning for alcohol states "women should not drink alcoholic beverages during pregnancy because of the risk of birth defects." It does not use the word "avoid".
The Surgeon General avoids using the word "avoid" on their warnings.
Problem with this: keep your phone with you always conflicts with don’t have secure conversations within mic range of your phone. You can’t do both of these.

But otherwise this is great and I would probably add “reset and replace devices often.”

The rooms where you can have secure conversations will have a bank of tiny lockers outside the door for phones/keys.
Usually, but not always. I've been to rooms that don't have this and there's just a pile of phones sitting outside.
Are lockers really that secure? Similar documents advise against leaving laptops in hotel rooms or cars, even if locked, because they are easy to get into. I imagine a locker is not hard to break into. Small locks can be picked in a second or two by people with practice, which does not look different than retrieving your own phone.
The lockers are just so you have a place to put your phone. They are not secure in any way. Using a keyed locker just ensures you don't pick up someone else's phone by accident after the meeting. Remember that secure rooms live inside secure buildings, usually inside a secure facility with a fence and guy standing at the gate. And the guy has a gun.
> Using a keyed locker just ensures you don't pick up someone else's phone by accident after the meeting

It also prevents casual but intentional unauthorized access, just not a determined attacker.

As you note, there are other layers of security for that.

It's prohibited to bring phones into places where you will have these kind of conversations
We have lockers to secure phones when you can't take them with you.
I’ve seen most of these recommendations before, but the “mic-drowning case” to muffle room audio is new to me. Certainly makes sense, but are there any common commercial phone cases that advertise this feature?
I would also like to know. I’ve only found phone cases that hide the camera via a slide or flap.

Ideally I’d like both the mic and camera cover

Having recently switched to iPhone I have been very surprised at finding my wifi and Bluetooth automatically turning on. There could be a better way, but I had to create a shortcut to disable connectivity until I manually turn it back on
They're not automatically turning on if you're "turning them off" from Control Center. Those buttons just temporarily disable them (and state that clearly when you do so). The only way to actually turn off Wifi and Bluetooth is to go into Settings and turn them off there.
"Clearly" it's not as clear as you think it is.

On android, if I turn bluetooth off from the quick access menu, it stays off--which is what I expect.

Can't get much clearer than text that says "Disconnecting nearby wi-fi networks until tomorrow."
But that same button used to be a permananent toggle, and now there is no way to restore the (better) old behavior. Another instance of Apple thinking they know better than their users.
You are not everyone. Just because you think it's better doesn't mean it actually is. Most of the time when I want to disconnect from Wifi, it's a temporary measure because the network I'm connected to is slow or dead. I imagine it's the same for many others.

Apple is notoriously allergic to putting toggles for every little thing, and that shouldn't be a surprise to software developers. We all know every user-configurable setting increases complexity.

If you want to have a disconnect button, add as another button choice to the panel. Even make it default. But the original button shouldn't have been broken with no recourse.

Not to mention, some brief wordy nearby text display in tiny print after the fact, is the opposite of clear.

> We all know every user-configurable setting increases complexity.

They can also mean the difference between a tool and a toy or even worse, a slave collar.

One of the good practices in programming is to not hardcode things. Where that is followed, often the hardest part about configurability is the UI for it, since under the hood it's already determined by a bunch of variables anyway, and it's mostly a matter of exposing them nicely to the user.

Besides, it's way more complex to have a timed toggle than just a toggle.

> a slave collar

for real? because you have to go into the Settings app to turn off wifi permanently? Sometimes you people are delusional.

"you people" -- you don't know the first thing about me. And this argument to excuse to treat adult consumers like infants, and use the people that don't mind as the measure all other adults have to reduce themselves to, is used for a lot more than just a wifi toggle.
It's different than Android, and different from itself pre-iOS13. It is a new behavior that cannot be toggled.
Also the BT is often turned on after an update. I know this because I’ve never ever used it, therefore never had it on purposely.
They do that in order to allow accessibility devices to connect for disabled users, I’ve been told.
This is one of the nice things about shortcuts. I created a shortcut that will turn off wifi and Bluetooth. You can then add an icon to your home screen to run the shortcut and boom. Both are actually turned off…not just disabled for 24 hours. I also have a shortcut to turn them back on when I need them.
As much as I prefer iOS to Android, this is my biggest pet peave. They way they are so aggressive with bluetooth and wifi is annoying. I hate that they don't even go through DHCP most of the time and just assume that last known IP is still available, all to "help it connect quicker". Just get your own IP because having to toggle wifi on multiple devices is way slower and annoying. I get that AirDrop and FindMy** and other features require these things to work but how about just giving a (one-time) warning when people turn them off. Most people will never turn them off ever so let the subset of us who want them off have it work in a sane way.
> I hate that they don't even go through DHCP most of the time and just assume that last known IP is still available, all to "help it connect quicker".

Oh, I forgot all about that.

I worked at a K-12 that deployed Apple devices awhile back, and this behavior was a nightmare for network management. Especially for travelling teachers who would take their device to several different buildings throughout the day (and, therefore, different IP subnets with the same WiFi name).

The worst part was that some of the devices would just... never emit a DHCPREQUEST. They'd either ignore the fact that there was an address collision confusing everyone else's ARP tables, or connect to the network but stick with an IP that had no route to a gateway. As I recall -- it's been awhile -- even setting the lease duration to something very low didn't seem to help. Indeed, I think that made it worse.

It was bad enough at one point that we had those devices with the worst behavior set up with reserved IPs and a hidden WiFi network that was a district-wide VLAN with a single subnet.

If you turn it off via settings it stays off. The control center just disconnects for 24hrs.
I know its a minor inconvenience, but this is one of my biggest pet peeves with the whole OS. I wish there was a way to change the setting to actually control things with control center...
Indeed, who even thought up such a misfeature? Much less made it default.
It’s one of those features that is more annoying for you or me, but useful for 95% of (less technical) users.

My guess is accidentally disabling those services via control center was a common issue.

I’d rather it be the other way, but that’s probably why it’s not.

I don't understand why it would ever be useful. Either you want it on, or not. Imagine if your mute button decided to reset every now and then. Pause button, or flashlight?

Basically nothing else works like that.

In fact figuring out how to turn off wifi with the combination of Airplane mode and wifi button just about blows my mind every time I try. So complicated.

You're in a user bubble.

Imagine you're not good at using computers. I've seen people accidentally turn on do not disturb and be unable to figure out why their phone isn't ringing so they think it's broken.

We are in a small minority of 'power users' - iPhones have hundreds of millions (billions?) of users across the entire world.

That's happened to me. I had to google it, turns out there's a physical switch I never used on the side of the phone that enables it and pushed accidentally.

IMHO, these are not good excuses to avoid a clear interface. If the rules are simple and clear, and presented clearly, even the dumbest of the dumb can learn them. Trying to guess and out-think the user only ends up in more confusion.

I think we're mostly in agreement?

When you disable wifi/bluetooth via the control center, pop-up text appears saying exactly what that means. I'm not sure how they could make that more clear. It still may not be your (or my) desired default, but I at least understand the reasoning.

Tiny, wordy, brief text after the button press is not what I'd describe as clear. If you need to add "comments" to a (now three-state) button, it's a sign that the interface needs work.

It's extra complexity in the form of rules added to what was previously a simple to understand toggle button. That it goes against historical norms, reduces privacy, and wastes a bit of power is the icing.

- a wifi popup came up and someone connected to it.

- the wifi is not connected to the internet or requires username/password

- user disables it

24 hours later, the user is racking up their mobile data plan because they forgot to enable the wifi again.

This prevents it.

Bluetooth,

- You disconnected from a speaker that was being used so someone else could connect

- The next day you go to get in your car in the morning and it didn't give you the directions through the radio. Whatever

- That afternoon it works and you don't think about it. It fixed itself.

Just different users.

Long press the Bluetooth or Wifi icons in Control Center and you can entirely disable either in the panel, saving you a trip to Settings.
This does not, in fact, work as it seems. I think the best bet is a Shortcut that turns off Wi-Fi and Bluetooth entirely, as concernedctzn suggested below.
You can use the Shortcuts app to make a custom shortcut that permanently turns off both wifi and bluetooth, and then add that shortcut to your news/leftswipe menu to reduce the number of swipes/taps to get to it
You can disable it from the settings app.

The icon in the swipe up control center is for temporarily disconnecting it…which it literally tells you when you click it.

(comment deleted)
If you long-press the icon in Control Center, it brings up a panel that allows you to turn Wifi and Bluetooth entirely.

In general, try long-pressing everything: there's generally shortcuts or "power moves" afterwards.

Are you sure? This is not the case in the latest iOS. Long-pressing the icons in Control Center offers a wider view and access to hotspot and airdrop settings. Pressing either WiFi or Bluetooth from this second menu has the same effect as the icons on the first page, (you can inspect settings afterwards and see it’s still “off until tomorrow”) and further long presses on the second page icons only let you choose which WiFi network or Bluetooth device to connect to.
On my phone (iOS 14.6), the Wifi and BT say "New Wi-Fi network connections have been turned off from Control Center" after long press. But that _seems_ to be the same message as if I do the "until tomorrow" way.

And the actual Wi-Fi and Bluetooth sliders are decidedly in the ON position. I must've concluded that since it didn't do the "until tomorrow" message then it behaved as I wanted.

I stand corrected.

Sorta have to wonder if it's safe to open that pdf locally—the site doesn't quite work on the phone.
Defense links for anyone on government systems that might not have easy access to documentcloud.

https://media.defense.gov/2020/Jul/28/2002465830/-1/-1/0/MOB...

Corresponding NSA document for OCONUS (travel outside continental US)

https://home.army.mil/stewart/index.php/download_file/view/1...

> Do not charge your devices by connecting them to charging stations, computers, televisions, DVRs, etc. Use only issued chargers or those acquired with sufficient OPSEC.

I'm surprised the government/military does not issue its employees USB condoms to obviate this worry.

Same reason people treat internal email as insecure: you get used to the convenience, then one day you reply-all to an outside address. In this case, you get used to using public chargers with a condom and one day you forget the condom.
The parallels don’t quite line up, as in this case, they could be issued official cables that have a condom integrated/soldered on. Maybe in a special colour to remind you that these are “secure” cables.

It’d be like your internal corporate email client not even letting you send mail out to external addresses.

Sure, you could intentionally set up IMAP with an untrusted client and then send such messages (and likewise, you could intentionally bring some other insecure cable with you); but someone doing that would likely have a visible pattern of doing that, long before they actually get spearphished—one that could be noticed and reprimanded.

Of course, ideally, you’d make using the insecure clients / cables impossible, by giving the “other end” a proprietary shape that only the secure client/cable fits with.

(Maybe they could design a little adapter that could be semi-permanently socketed into a phone’s USB-C/Lightning port, turning it into something proprietary that only their secure cable has the male end for? I’m assuming here they still need a data connection — with a different special cable — for device maintenance; otherwise you could just make that little socketed-on adapter be the condom.)

One problem with both Android, and Ios: impossible to disable automatic previews

Send yourself a link by SMS, or some popular messenger like Whatsapp.

Your phone will automatically make you a browser page preview, and in the process run every browser exploit available.

Google added an extremely well hidden option to disable it it Messages few versions ago. Since there is no way to be sure Google does not remove it, and add some kind of another autoplay like feature in the future, I just replaced the SMS app altogether to one which does not peek into my conversations https://play.google.com/store/apps/details?id=com.simplemobi... (google straight tells they can get a copy of your SMSes as per their disclaimer if you use Google Messages for "improving service")

Sounds like we need a more secure messenger app?
We need, but making a default SMS app straight sending your texts to Google.com by default, and making it very hard to disable for a technically illiterate user is beyond unethical.
No idea how Android does it but Apple has recently moved message parsing and preview generation into a heavily sandboxed process.
Well, considering all those restrictions and how it's still not secure enough anyway how long before the recommendation will be "Don't use your smartphone. Use the landline phone in your office" ?
Because land lines are super secure and no one has found out how to tap the line from a switching station?
Even if I take your comment at face value a landline phone in an NSA office is most likely still more secure than any smartphones if I am to believe that NSO/Pegasus thing.
I worked for a company where we sent folks onsite to very secure sites.

Nothing electronic EVER arrived at the facility or left with you when you left the facility that wasn't accounted for. Nothing that ever entered that wasn't needed, NO phones allowed ever. You and your vehicle were searched on arrival and exit. We went through a lot of laptops...

With the complexity of hardware / software involved, I suspect that's the only way.

>We went through a lot of laptops...

Why? I'm not seeing the connection

If you brought a laptop into the site, it did not leave.

I think wrote my original post in a way that wasn't clear.

AH!

Thought they wouldn't let it in either. Makes sense now.

Why do people need smart phones, really? The only time they come in handy is for driving directions.

It turns out my Samsung candy bar phone with no camera, GPS and internet leads the way in security.

Why stop there? You can't get hacked if you don't have electricity.
Why do people need electricity, really? The only time they come in handy is for charging your phone so you can get driving directions, or hacked.
You must work at my company’s cyber security team. They’re convinced that the safest stuff is when that stuff is never allowed to exist in the first place. Which is probably true but in my opinion misses the point.
Why do people need computers, really? A smart phone is a small portable computer with a phone built in. Maps is one of the types of apps that most people use but it's not the only one. Email, social media, text messaging, note taking, audio and video recording, a camera, a compass, pedometer, access to cloud file storage, reading apps like nook or kindle are a few of the apps that I use regularly on my phone in places where a laptop or even a tablet wouldn't be inconvenient or impossible.
I've given some serious thought to going back to a dumb phone and a separate navigation device in the car, but I don't know if a stand-alone comsumer GPS with maps and turn-by-turn navigation is something you can even buy anymore, since 99% of people use their phones for that now.
You could use your current phone for maps in the car, and a new dumb phone for calls. Of course, then you're paying for 2 phones.
I'm curious if anyone has any leads/stories on compromised 3rd party devices? Would love to learn more about detecting these things. Like say a USB charging brick that also attempts malware or a keyboard etc?
Is there much that can be done to detect them? I know they're for sale for pen testing and what not, but I've never seen much in the realm of preventing or protecting against them.
I've thought about somehow creating a raspberry pi that sits between usb devices and snitches on data transfer that is not expected? It could be really hard to do, and probably easy for a device to mask (only attempt attacks when other file operations are happening)
Annoyingly, putting your device in a shielded evidence bag without turning it off can cause its various radios to franticly seek connections and even amplify their signals until they completely empty your battery.

Useful to have if you are curious about protests or concerts and other gatherings of people with a significant criminal element who could get your IMEI stingray-ed and then palantir-ed.

I usually change my phone to airplane mode for long drives or hikes through signal-less wilderness, otherwise they'll thrash around searching frantically for signal until they drain the battery outrageously fast. It's really quite annoying.
>Use strong lock-screen pins/passwords: a 6-digit PIN is sufficient if the device wipes itself after 10 incorrect password attempts.

im calling BS. NSO and others have demonstrated repeatedly they can (and do) bruteforce these pin based logins quickly and efficiently without triggering the wipe using sidechannel attacks on running services and software over the air and through USB. use a PASSPHRASE.

>Consider using Biometrics (e.g., fingerprint, face) authentication for convenience to protect data of minimal sensitivity

remember: the fifth amendment does not cover biometrics . if a DUI case can forcibly extract your blood, then you can and will be required to present your face to unlock a laptop. use passphrases.

>DO NOT jailbreak or root the device.

this often allows people to remove pre-installed spyware just as easily as it can be installed.

> remember: the fifth amendment does not cover biometrics . if a DUI case can forcibly extract your blood, then you can and will be required to present your face to unlock a laptop.

On the iPhone theres a neat trick: If you seem to be in a situation where you might be forced to hand over your phone (and unlock it with bio), hold down the power button for a second or two (secretly/inconspicuously in your pocket or wherever your phone is). This will disable fingerprint unlocking and you will be forced to enter PIN.

Doesn't seem to work on Android (11 at least) though.

> Doesn't seem to work on Android (11 at least) though.

I'd hold the power button a bit longer and turn off the device altogether. Granted, not as convenient.

Hmm okay yeah, that works. Had to hold it for 5+ seconds and then it rebooted.
Android doesn't have a stealthy way to do it without powering down, but you can either activate lockdown mode, reboot, or power down and the next access will require PIN, not biometrics.
I'd imagine it varies by OEM, as my BlackBerry KeyOne gives me the option to "Lock Now" when I hold the power button for 2 seconds. It does actually lock out biometrics, as I've tested it previously.
My Samsung S10 has an option to "enable lockdown mode" in the power menu which disables notifications, biometrics unlock and smart lock.
Yeah that's tricky to do in your pocket though. If you take out your phone and hastily do something like that you're gonna activate "I have something to hide" suspicions.

But as another commenter pointed out you can hold the power button for a longer time (5+ seconds) and the phone will turn off or reboot, which achieves the same thing. Just quicker and stealthier on the iPhone.

AFAIK you must hold down both power and volume button on IOS for this to work. On Android there’s a Lockdown mode option which others have mentioned.
Do you have an iPhone at hand to confirm? Because I'm quite sure that just the power button for a second or two is enough. At least it was with iPhone SE (original) back in spring 2020 (I'm nowadays on Android).