[liberationtech] cellebrite report

R. Jason Cronk rjc at privacymaverick.com
Wed Feb 27 07:42:27 PST 2013 

You could play Guitar Hero to get in your phone...

http://bojinov.org/professional/usenixsec2012-rubberhose.pdf

Another option would be to use animal species.  There are some 3-30 million
different species of animals. Even restricting oneself to vertebrates, you
have about 50,000 species (a five fold increase over a 4 digit pin).  The
user would be presented with a series of reducing questions. Question 1)
Amphibian, Reptile, Bird, Mammal, Fish, etc....  The user need only
remember how to get to their one animal choice.  Additional orders of
magnitude could be had by adding invertebrates, plants, minerals on the
front end or subspecies on the back end.

Jason


On Wed, Feb 27, 2013 at 9:06 AM, Tom Ritter <tom at ritter.vg> wrote:

> The Passcode section of the report is blank, I guess indicating the
> user did not have a passcode?
>
> The article does mention passcodes:
>
> > All modern smartphones can be locked with a PIN or password, which can
> slow down,
> > or in some cases, completely thwart forensic analysis by the police (as
> well as a phone
> > thief or a prying partner). Make sure to pick a sufficiently long
> password: a 4 character
> > numeric PIN can be cracked in a few minutes, and the pattern-based
> unlock screen
> > offered by Android can be bypassed by Google if forced to by the
> government. Finally,
> > if your mobile operating system offers a disk encryption option (such as
> with Android
> > 4.0 and above), it is important to turn it on.
>
> The iPhone has a class of data that is encrypted when the device is
> locked, and decrypted based off a key derived in part by the passcode
> when unlocked.  I think this, combined with separate passwords for FDE
> and screen unlocking would be good classes of improvements we can make
> in all mobile platforms (not just phones).
>
> I'd also love to see some research into alternative, higher entropy
> but simple-to-use screen unlock systems.  At first I was thinking
> something akin to a pattern unlock, but a path through a 3D maze: your
> password is a series of turns, but even presented with five choices
> five times the keyspace is too small.  What keyspaces present a large
> number of easy-to-parse options that fit nicely on a phone screen?
> Maybe a map?  I've seen a few attempts[0,1, and others] but I've not
> been convinced they wind up with an order of magnitude more choices
> that the baseline 10000 of a 4-digit passcode.
>
> -tom
>
> [0] http://www.youtube.com/watch?v=kHBjzlFalvA
> [1] http://clam.rutgers.edu/~birget/grPssw/authSueE.pdf
> --
> Too many emails? Unsubscribe, change to digest, or change password by
> emailing moderator at companys at stanford.edu or changing your settings at
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>



-- 
*R. Jason Cronk,* *Esq., CIPP*
(828) 4RJCESQ
rjc at privacymaverick.com
blog.privacymaverick.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.stanford.edu/pipermail/liberationtech/attachments/20130227/42ba220b/attachment.html>

More information about the liberationtech mailing list