[Freedombox-discuss] School intimidates girl to give up Facebook password

Jonathan Wilkes jancsika at yahoo.com
Tue Mar 13 23:42:21 UTC 2012 




----- Original Message -----
> From: James Gilmore <james.d.gilmore at gmail.com>
> To: freedombox-discuss at lists.alioth.debian.org
> Cc: 
> Sent: Tuesday, March 13, 2012 5:39 PM
> Subject: Re: [Freedombox-discuss] School intimidates girl to give up Facebook password
> 
>G oing along with this line of thought from a slightly different angle,
> what if there were a device, also plugged into the wall, which you
> would plug in somewhere else in your house, that would establish a
> secure connection to the freedombox by modulating the AC power like
> the homeplug does? It's sole purpose would be to act as a key. It
> would be similar to how Keepass uses key files, except instead of
> files, it would be gpgAuth-style tokens. (http://gpgauth.org/) That
> would allow authentication to be location-based without involving
> (spoofable) GPS data.
> 
> Carrying this idea just a little further, if that handshake were
> constantly required, say every 5 seconds or so, this could harden the
> Freedombox against forensic attacks, because transferring the
> freedombox from the local power to a battery for transport would break
> that encrypted link, causing the freedombox and the key device to
> forget all passphrases in memory.
> 
> Bonus round: what if part of the handshake or encryption involved the
> electrical distance between the freedom box and the key device? This
> would make it nearly impossible to move even if they found the
> freedombox and the key and moved them simultaneously while maintaining
> electrical connectivity between the two devices. At the very least,
> transporting the freedombox to a lab would require some very custom
> equipment and know-how that is far beyond local- or state-level law
> enforcement's capacity. Well, I think so, anyway.

But in this case we must assume either a) the girl would be logging in to the social 
networking service running on her (parents') freedombox remotely from a 
cellphone-- in which case we're back to square one, or b) the girl has no interest 
in using the freedombox any more than she does using a corded telephone, and
we're back to square one.

The only solution I see is one part James' suggestion about a nuke password, and 
a much, much bigger part privacy edumacation.  Virtual key arrangements 
need to be done with the same amount of care as when a parent gives a 
physical car key to a child-- it usually comes with a speech about freedom, its 
relationship to responsibility, etc.  And just as adolescents go through a "learner's 
license", there should be a period where parents require their child's freedombox to 
have one of their own keys as a necessary (though insufficient) part of rebuilding 
from a backup.  If done correctly the child can be reasonably free of parental 
tyranny (because, for example, a parent would need to go to a lot of trouble of 
contacting people outside of the immediate family in order to rebuild the backup 
without the consent of their child), and be reasonably secure that if an aggressive 
authority figure tries to coerce them into giving up their credentials they can nuke the 
box to trigger the firewall that is an angry, possibly litigious parent, _before_ the 
breach occurs.

If the child can grasp that the parents' key is less like a form of control, and more like 
a form of free car insurance payments, then and only then will he/she really value 
his/her privacy.  But without edumacation you'll just end up with a classful of kids 
all having the ability to recreate each other's backups, aggressive authority figures 
probably coercing some of them do so, and again we're back to square one.

-Jonathan

> 
> 
> On Tue, Mar 13, 2012 at 1:34 PM, Bob Mottram <fuzzgun at gmail.com> wrote:
>> 
>> 
>>  One possibility would be to have the ability to lock the login to your 
> account to a certain geographical location.  If that location is your house, 
> then it doesn't matter if someone else coerces the password out of you, 
> because they have to be in a certain location to be able to use it.  There may 
> be much stronger legal grounds to refuse someone entry to your house.
>> 
>>  This would of course only work if you were using a mobile device with a GPS 
> receiver to access your account.
>> 
>> 
>>  _______________________________________________
>>  Freedombox-discuss mailing list
>>  Freedombox-discuss at lists.alioth.debian.org
>>  http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
> 
> _______________________________________________
> Freedombox-discuss mailing list
> Freedombox-discuss at lists.alioth.debian.org
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/freedombox-discuss
>

More information about the Freedombox-discuss mailing list