It might just be better to not rely on a phone, rather than rely on something achieving perfect security against the most malicious and capable of actors.
If I was really concerned about targeted cyber attacks against me, I think that I would exclusively use computers that I would buy from random people on Craigslist, take the hard drives out and only boot with live CDs using ram disks, and only connect via random public Wi-Fi locations.
Excellent precautions if you live and work in average middle-class suburbia and never go anywhere or do anything dangerous, controversial, or politically unpopular.
Lockdown Mode is not for you. It's for other people with different lives.
My point is lockdown mode won't be good enough. Which is why there is still a big bounty for it. And those wouldn't be excellent precautions if you weren't doing anything dangerous, because they would be a huge burden over just operating normally above board.
How exactly does this method stop working in cities? You could have provided some content instead of a weirdly vitriolic dismissal.
The parent was simply explaining that lockdown is not intended for a person who buys computers from Craigslist in order to enforce security.
Your mitigation is not a mitigation against being singly targeted. There are so many attack vectors in a computer outside of the boot disk. The computers sold on Craigslist should not be considered secure, since there is no level of trust in the supply chain or the state of the hardware.
For example: if you are being directly targeted, a nation-state can purchase the computers from your local Craigslist, rewrite their BIOS, and list them for you to purchase. Then flood Craigslist with 100 other compromised machines.
I was explaining why your use case of purchasing computers from Craigslist does not secure against nation-state targeted attacks. Now you are changing the conversation and saying there are other ways to attack. Of course there are many other attack vectors. I mentioned that; however, the conversation was about the true level of security provided by your mitigation.
I'm not changing the conversation, I'm pointing out the simple, currently-used-against-dissident attacks that are not possible if there isn't a clear connection between dissident and device. It certainly provides pretty good protection compared to having an always connected device with a unique ID carried on you at all times. Security is oftentimes about making reasonable tradeoffs based on your risk levels.
And I think you may be overestimating even the resources and capabilities of nations.
Let's say you lived in Philadelphia. You could drive down to Baltimore or up to NYC in 90 minutes. Within that range, there are literally over 10,000 individuals selling 1 or more laptops on Craigslist and other sites that I did a cursory search over. And that's not even counting all of the small mom and pop shops that are selling laptops, as well as the big box stores.
How should the adversary state figure out which of those people you're going to purchase from? Should they purchase literally every laptop in the region? Okay then...what about when people start selling more laptops they had in storage because the market is red hot?
What do they even do when they have the laptops? Do they have exploits for every BIOS for every type of laptop for the past 15 years? How do they sell the laptop to me? Do they have their agents sell them? Do they have hundreds of agents who are deep undercover in America, who could lure me in?
I just don't see "buy every laptop in a region, exploit it, and resell it, hope your target picks one up" as a viable strategy, even for the wealthiest of nations, assuming you need to do it discreetly.
This is a fantasy that could only come from someone who doesn't actually need it. The people who actually need Lockdown Mode-- dissidents, organizers, journalists, etc.-- also actually need to communicate with normal people, and that means having a phone. If you're so unimportant that you can get away with your proposed computing scheme, you're not going to be the recipient of targeted cyber-attacks.
Well, I don't need it, but the people who do need it usually don't have much of a clue about infosec or cyber security.
What means of communication are available to you via a phone but not via an internet connected computer?
There isn't even anything intrinsically wrong with a cell phone, other than the fact that it encourages you to carry it everywhere and merge all communications with everyone onto a single device that is default connected to the internet.