
Scenario: You are on Craigslist searching for cheap electronics and come across an ad for a cheap E-reader. It's a bit of a deal at about 20-40% off the retail price, so you contact the seller and all seems normal. You meet up to buy it, and while you are discussing the E-reader you want to catch the seller off guard (in an effort to elicit an honest answer/reaction) and ask them a pointed security question (or two) that will gauge whether that person even knows enough to do anything technologically malicious.

What question(s) do you ask?

Let's assume you both are just an average Jack and Diane, not cold war spies...

I submit, imagine something like this:

While Jack and Diane are closing the deal, suckin' on chili dogs outside the Tastee Freez, Diane says...

Diane - "Hey Jackie, do you know what the hex file signature books on this E-reader?"

Jackie sits back, reflects his thoughts for the moment, scratches his head...

Jack - "What's a hex file signature?"

Diane - "Nevermind baby, You ain't missin' nuth-in."

Jack - "Oh yeah, life goes on..."

Two American kids done the best they can and close the deal.

In the above scenario, Diane feels relatively confident that Jack doesn't really know enough to root a device and put malware on it, so she can feel safe buying from this football star.


I realise the premise is not the most secure, because anyone can lie and, depending on how well you can read a poker face, you may not be able to discern the truth, but I am just looking for a quasi-security-theatre solution. I mean, once again, we are assuming you are buying an E-reader to just read 50 Shades of Grey and not the latest Presidential Intelligence Briefing.

Also note that this is not limited to Ebooks, Americans, football stars, or 80s music lovers.

Mark

Matthew Peters

1 Answer

Jack sits back, reflects his thoughts for the moment, scratches his head wondering if you mean the magic bytes that would be used by file(1), the signature of the internal fs, the UUID of the device... and how to phrase it to be understood by Diane.

Jack - "What do you mean? What's that?"

Diane thinks Jack has absolutely no idea and proceeds with the transaction.


Alternatively, suppose you confirm that Jack is a complete noob. However,

  • ... his ex-girlfriend Eve put a trojan horse there before giving it to him.

  • ...he is so incompetent at handling computers that his Desktop got infected and malware spread to the eBook.

  • ... he bought it from Mallory who did something malicious to it.

  • ... he is the lowest rank in a criminal gang selling infected ebooks. He only sells them, and has no idea how they were infected.¹

And all these scenarios assume Jack is indeed caught off guard, has an honest reaction, and you are able to accurately discern it.

Really, if you are concerned about the device's old contents, you should do a factory reset of the device. That will wipe it.

(Not the kind of answer you were expecting, but should serve you better)

¹ Just kidding. If the deal is too good to be true, then the catch is unlikely to be because they infected the ebook reader² (with which goal? to get a copy of 50 shades of grey from you?). I would expect that the device does not exist, is counterfeit, stolen, broken... Those would be easier ways to make money (for a criminal) selling readers.

² I assume you are not an Angela Merkel aide.

Ángel
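For readers wondering what the "hex file signature" in the question could concretely refer to, the following is an added illustration (not code from the question, the answer, or any project mentioned) of the first thing Jack thinks of: the leading "magic bytes" that file(1) uses to identify a file regardless of its name. The signature table is a small hand-picked subset, the `audit` helper and the EPUB sample it builds in memory are assumptions for this example, and the only defensive point it makes is the one a practitioner actually cares about when inspecting a second-hand device: a file whose name claims one type while its content says another deserves a second look.

```python
"""Identify files by their leading bytes (the idea behind file(1)) and
flag name/content mismatches. Added example; MAGIC is a small constructed
subset, not file(1)'s magic database."""
import io
import zipfile

# (offset, signature bytes, label). Constructed subset of common signatures.
MAGIC = [
    (0, b"%PDF-", "pdf"),
    (0, b"\x89PNG\r\n\x1a\n", "png"),
    (0, b"\x7fELF", "elf"),        # native Linux executable / library
    (0, b"PK\x03\x04", "zip"),     # ZIP container: also EPUB, DOCX, JAR ...
    (0, b"MZ", "exe"),             # DOS/Windows executable
]

# Which file extensions are plausible for each detected content type.
EXPECTED_EXT = {
    "pdf": {"pdf"},
    "png": {"png"},
    "elf": set(),                  # an ELF has no business carrying a document name
    "zip": {"zip", "docx", "jar"},
    "epub": {"epub"},
    "exe": {"exe", "dll"},
}


def is_epub(data: bytes) -> bool:
    """An EPUB is a ZIP whose first entry is 'mimetype' = application/epub+zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            return (bool(names) and names[0] == "mimetype"
                    and zf.read("mimetype").strip() == b"application/epub+zip")
    except zipfile.BadZipFile:
        return False


def identify(data: bytes) -> str:
    """Return a content-type label from the leading bytes, or 'unknown'."""
    for offset, sig, label in MAGIC:
        if data[offset:offset + len(sig)] == sig:
            if label == "zip" and is_epub(data):
                return "epub"      # refine the generic ZIP container
            return label
    return "unknown"


def audit(filename: str, data: bytes) -> dict:
    """Compare what the name claims against what the bytes say."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = identify(data)
    # Unknown content is reported but not called a mismatch: no claim to contradict.
    mismatch = kind != "unknown" and ext not in EXPECTED_EXT[kind]
    return {"file": filename, "ext": ext, "type": kind, "mismatch": mismatch}


def make_sample_epub() -> bytes:
    """Build a minimal, constructed EPUB-shaped ZIP entirely in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # The EPUB spec requires 'mimetype' first and stored uncompressed.
        zf.writestr("mimetype", "application/epub+zip",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("META-INF/container.xml", "<container/>")
    return buf.getvalue()


# Constructed sample "device contents": one honest book, one suspicious one.
SAMPLE_FILES = {
    "fifty_shades.epub": make_sample_epub(),
    "manual.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj<<>>endobj\n",
    "bonus_chapter.epub": b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8,  # ELF in disguise
}


def audit_all(files: dict) -> list:
    return [audit(name, data) for name, data in files.items()]


if __name__ == "__main__":
    for report in audit_all(SAMPLE_FILES):
        flag = "MISMATCH" if report["mismatch"] else "ok"
        print(f'{report["file"]:22} {report["type"]:8} {flag}')
```

Run as a script it prints one line per sample file; `bonus_chapter.epub` is reported as an ELF executable rather than an EPUB. That is the whole value of a content signature over a filename, and it is something a buyer can check on any mounted storage in seconds, which is still no substitute for the factory reset the answer recommends.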