Smart card

Robert J. Hansen rjh at sixdemonbag.org
Mon Apr 10 05:25:06 CEST 2017


> I think this is being confounded by adjoining two conversations---that
> smartcards provide additional security given a compromised system, and
> the satirical quote you provided.  I was referring in this case to the
> latter.

If you send or receive sensitive communications from a compromised
endpoint, you're screwed.  The smartcard will not save you.  It can't.

When I hear people talk about how the smartcard will keep their keys
safe even after a system compromise, I hear that as being like a
survivalist talking about how great it is his tiny bomb shelter will
keep his seeds safe after a direct hit from a nuclear bomb.  Great, I'm
very happy for you, but you're giving *terrible* advice to people who
are worried about the bomb dropping.  Even encouraging them to move
somewhere that's not a high-priority target for a nuclear strike, as
impractical as that advice is, is better.

> My point is that if you base your entire threat model and practices on
> the fact that some attacker somewhere is going to succeed in a targeted
> attack against you, then you may as well give up on security period.

If your threat model includes Tier-1 actors, you're gonna get Mossaded.

You.  Cannot.  Win.

Therefore, any threat model that assumes you're the target of Tier-1
interest is inherently -- I'll say it again -- screwed.  Once you become
a target of Tier-1 interest it's all over.

Don't come to their attention.  And don't mislead newbies by making them
think they can win against Tier-1s, either.

> You seem to be suggesting that key safety isn't even a concern if you're
> compromised---that nothing else matters, and the distinction between a
> compromise as you described with or without access to the key(s) is
> irrelevant.

You seem to think that your bomb shelter surrounded by five hundred
meters of radioactive fused glass is somehow a win.  After all, your
keys are safe, right?

Preserve the security of your endpoint system.  Nothing else will do.
