[guardian-dev] Fwd: [OTR-dev] OTR and Cold Boot Attacks

Jacob Appelbaum jacob at appelbaum.net
Wed Feb 1 15:58:16 EST 2012


On 02/01/2012 11:28 AM, Hans-Christoph Steiner wrote:
> 
> This is something we should also deal with in Gibberbot, but I don't think it's urgent. Cold boot attacks are still rare and difficult, and it's very hard to script physical actions like grabbing a phone, freezing it, etc. ;)
> 
> I guess the core idea is to write over the unencrypted message contents in memory once the data has gotten to where it needs to go.
> 
> That reminds me, we should have a "no logging at all" pref in Gibberbot so that unencrypted messages are never stored anywhere.  It'll be annoying, because if you switch away from Gibberbot and it gets killed by Android, when you come back, the messages will all be gone.
> 


Just FYI - I've been contacted for years by many different agencies and
companies wanting to weaponize the Cold Boot Attack. I declined every
single offer but it was clear that someone would eventually bite; I
believe the DHS/ICE has a way to do it at airports for laptops and phones.

So I'd say "urgent" but you know, I'm biased. :)

All the best,
Jacob

