1. 24

  2. 3

    “Against the average user, anything works; there’s no need for complex security software. Against the skilled attacker, on the other hand, nothing works.”

    I want to note that this is actually wrong. There’s all kinds of devices I can’t access or understand to the degree I want. This is especially true if it’s implemented in, totally or partly, silicon instead of software. The other times it requires esoteric knowledge of stuff like RF. These secrets stay secret for long periods despite billions of dollars of volume with hackers being in possession of the devices. They effectively solved the trusted client problem for those secrets with the one technique that works: defeating it costs piles of money. Money to tear the chips down, money on rare specialists, money on common specialists, and lots of time.

    So, it’s true if you say “against a skilled attacker with necessary time and money.” In many cases, they might not have the time and money. Quick example: FBI paid Cellebrite something like $100-200 grand to crack that iPhone. So, if iPhone implements DRM, your data is secure on them if your enemy can’t afford or won’t spend $100-200 grand to get it. Then, they downgrade to having to use cameras aimed at the screen, retype documents by hand, try to get exploits into apps, try to con people, etc. For media, both quality expectations and laziness can ensure the “cam” copies have minimal impact on sales. So the DRM works in that case against main audience even with smart hackers in possession of the device.

    1. 2

      Sounds pretty true to me? Even Apple with their untold billions can’t keep the iPhone secure enough that a couple of hundred grand can’t crack it.

      1. 2

        Apple doesn’t care about security. Their Macs were a decade behind others in security features at one point. The iPhones have a few features that help. Neither those nor the OS are implemented in a rigorous way. You could say they just added a few things with average implementation effort. And that half-ass job on a few things takes several hundred grand a year to beat.

        Now, let’s say they invested in medium-to-high-assurance additions to CPU, security co-processor, and OS. They have the money to attempt it. I’ve seen startups and CompSci folks on small budgets build each item. Apple might knock out whole categories of risk with a few million to tens of millions spent one time. They had tens of billions. They didn’t do it. So, they don’t care. That simple. Their stuff will sell anyway, too.

      2. 1

        True, you can attach a dongle costing a few hundred dollars ;-)

        1. 2

          Uses DongleCoin so there’s no single point of failure.