Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum



On 2011-10-11 17:29 , Eugen Leitl wrote:
> On Tue, Oct 11, 2011 at 02:30:01PM +0200, Jeroen Massar wrote:
> 
>> Of course you are raising the bar, 
> 
> That's the main idea.
> 
>> but that is the only thing you are
>> doing, as the adversary can still walk in, be that with a warrant making
> 
> If they have to dispatch a warm body to a remote physical
> location my job is done already. If it has to be a warm sentient
> body who has to analyze an unfamiliar situation and attempt an
> undetected physical layer attack I've already succeeded wildly 
> beyond all expectations. 

I fully agree, it is all about delay and cost.

From that perspective the cheapest way in is to send that not so
sentient warm body directly to you though. But we are running in circles
here don't you think ;)

[..]
>> How exactly does that matter? It will already be too late and your full
[..]
>> hardware will be off site in a location that you don't control, still
> 
> Do you see the difference between Gmail or Amazon cloud rendering upon
> Caesar what is his and my logless postfix running on your own hardened box,
> with mail residing client-side on a crypto filesystem? 

The only difference is that for your hardened box it is way more
expensive (your hardware+hosting costs money and gmail costs nothing),
very noticeable as being 'special' as you likely don't share it too much
with others and especially not the 'sheep' that are so good to hide
traffic in.

Yes, your setup will be way more secure, but at which cost and to
protect exactly what?

The original thread & threat point was about 'is gmail safe for email',
where my point was 'if you do GPG then they can only see the src/dst
email address' (and obviously other SMTP headers).

Your threat point seems to be to safeguard every single bit at a very
high price; while that is completely valid, it is not for everybody
though.

>> running fully and no way for you to stop them from doing what they want
>> to do with it, be that freeze the memory or any component needed.
> 
> Do you have the slightest idea how much that would cost, especially if
> I'm not to notice?

The fact that you will have such a hardened box is already easily
noticeable and it will cost you a lot too.

The gmail + PGP setup is free, and if they compromise one, well, just
set up a new one. Heck, jump to Yahoo or GMX or every other one.

>> Or do you watch that video screen 24/7 like in the movies with the
>> guards on duty being shown a replay? :)
> 
> My thinking is that I wouldn't hire you as a security consultant.

You are clearly thinking of hiring one, I guess you need one too.

Note that I am not a security consultant in any way, thus I can't help
you even if you wanted me to.

>>> If there's a convenient temporal lacune on multiple probes, you know 
>>> your hardware is no longer trusted.
>>
>> I am surprised if you are that paranoid that you trust the hardware in
> 
> You seem to have poor reading comprehension and security analysis skills.

Ever considered that you are the one who diverted completely from the
original subject? ;) I'll skip over the even more silly bits which have
no technical merit at all.

[..]
>>> They are welcome to tap the network. It's what they already can do,
>>> by mirroring the incoming switch port and packet capturing there.
>>> This is not relevant to accessing secrets locked in hardware, or
>>> present at runtime.
>>
>> Nope, but that is why a vampire tap can also do power, so they can
>> remove the box from the rack/location that you have as 'secure' and then
> 
> My boxes are already on an UPS.

And then there is a cable between the UPS and your hardened box, that
cable can be clamped too. Or did you cement that all in? :)

> That's the whole point, your provider
> can simply cut power, and simulate an outage. The point is that they
> would have to physically approach the rack, at which point there will
> be a triggered recording. You have no idea where the recording goes 
> and which out of band channels it might use. If you're smart, you'll
> back off when you see the LED glow. If you can see NIR, I mean.

Must be an awesome datacenter that nobody ever approaches that rack of
yours.

> We can play this game ten times to Sunday, and I can assure you 
> that with a minimal amount of planning you can make the traceless
> extraction of tamper-proof hosted secrets arbitrarily difficult. 

Difficult and very expensive. I don't think that is what people who just
want to have a bit of privacy for their email want to go all the way for.

>> they can do whatever time consuming things you want.
>>
>> Unless you have a full remote kill switch in there packed with some C4
>> or so.
> 
> It's lead azide, actually. I see you've been reading my stolen design documents.

Every 10 year old who watched a silly movie can come up with that one.

[..]
>> Did you build that TPM token? I am just trying to give obvious hints
>> here and above etc...
> 
> You're being out of your depth and not realizing it.

Right back at ya! ;)

[..]
>> For most people though, unless you are doing super secret evil stuff,
>> just using a Gmail account with PGP in combo with SMTP/IMAP is good
>> enough(tm) a security measure.
> 
> By not using a Gmail account or Amazon cloud you don't even have 
> to use GPG.

So you mean you don't use E-mail at all and everybody is using the same
crypto system as you, or they drop "mail" all on that hardened box?

It is an option, not very workable on a large scale, especially when you
introduce more people to use that system as then the trust system starts
breaking down.

[..]
>> likely know who is footing the bill, just follow the money and thus
>> where your bed lives.
> 
> You should avoid mixing uppers and downers with your psychoactives.
> It's really bad for your health.

Thanks for the tip! Fortunately I am a completely drug-free person.

[..]
>>> Why do you bother breathing? You'll die, anyway.
>>
>> I don't have to bother breathing, not everybody is Darth Vader, it
> 
> See, I don't have to bother using cloud or Gmail for private 
> purposes, either.

Everybody their own thing.

Obviously your threat model is a lot more paranoid than that of the
original message.

>> happens automatically more or less as a reflex for most people and there
>> is so much fun in the world without having to consider conspiracy
>> theories ;)
> 
> If you ever ran a Tor exit, you know there's no need for theories.

Always good to hear that I don't run any, then I don't have anything to
worry about that either ;)

Greets,
 Jeroen
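
The GPG-on-Gmail point above (content encrypted, src/dst addresses and the
other SMTP headers still readable) as an added Python example; this is not
code from the thread or from either participant. It builds a constructed
PGP/MIME message around hand-made OpenPGP packets (dummy key IDs, dummy RSA
MPI, dummy ciphertext; the names BOB_KEY_ID, BCC_KEY_ID and the addresses are
all made up) and then lists what a relay or the mailbox provider can read
without the private key. It goes one step beyond the thread: besides the
headers, each PKESK packet carries the recipient's 64-bit key ID in the clear,
unless the sender hides it (gpg --hidden-recipient / --throw-keyids, which
writes an all-zero key ID).

```python
"""Constructed example: what a PGP/MIME message still reveals to the mail
provider (or anyone on the SMTP path) once the body is GPG-encrypted.
Everything is built inline; no real keys or real ciphertext are involved."""
import base64
import struct
from email import message_from_string
from email.policy import default

# Hypothetical recipient key IDs (8 octets, as carried in a PKESK packet).
BOB_KEY_ID = bytes.fromhex("0123456789ABCDEF")
BCC_KEY_ID = bytes.fromhex("FEDCBA9876543210")


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP radix-64 armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def packet(tag: int, body: bytes) -> bytes:
    """New-format OpenPGP packet header (RFC 4880 section 4.2.2) plus body."""
    n = len(body)
    if n < 192:
        length = bytes([n])
    elif n < 8384:
        n -= 192
        length = bytes([(n >> 8) + 192, n & 0xFF])
    else:
        length = b"\xff" + struct.pack(">I", n)
    return bytes([0xC0 | tag]) + length + body


def pkesk(key_id: bytes) -> bytes:
    """Version-3 Public-Key Encrypted Session Key packet (tag 1), RSA, dummy MPI."""
    mpi_value = b"\x42" * 64  # constructed placeholder, not a real RSA ciphertext
    mpi = struct.pack(">H", int.from_bytes(mpi_value, "big").bit_length()) + mpi_value
    return packet(1, b"\x03" + key_id + b"\x01" + mpi)  # 0x01 = RSA (Encrypt or Sign)


def armor(packets: bytes) -> str:
    """Wrap raw packets in a PGP MESSAGE armor block with its =CRC line."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP MESSAGE-----\n\n" + "\n".join(lines)
            + "\n=" + crc + "\n-----END PGP MESSAGE-----\n")


def dearmor(text: str) -> bytes:
    """Strip armor: skip armor headers up to the first blank line and the =CRC line."""
    lines = text.splitlines()
    start = lines.index("-----BEGIN PGP MESSAGE-----") + 1
    while lines[start].strip():          # armor headers (Version:, Comment:) end at a blank line
        start += 1
    data = []
    for line in lines[start + 1:]:
        if line.startswith("=") or line.startswith("-----END"):
            break
        data.append(line)
    return base64.b64decode("".join(data))


def walk_packets(data: bytes):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if ctb & 0x40:                                   # new format
            tag = ctb & 0x3F
            first = data[i]
            i += 1
            if first < 192:
                n = first
            elif first < 224:
                n = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                n = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported here")
        else:                                            # old format
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            size = 1 << ltype
            n = int.from_bytes(data[i:i + size], "big")
            i += size
        yield tag, data[i:i + n]
        i += n


def recipient_key_ids(armored: str) -> list:
    """Key IDs visible in PKESK packets; '0000000000000000' would mean --throw-keyids."""
    return [body[1:9].hex().upper()
            for tag, body in walk_packets(dearmor(armored)) if tag == 1 and body[0] == 3]


def build_message() -> str:
    """Constructed PGP/MIME (RFC 3156) message: two recipients, dummy SEIPD payload."""
    ciphertext = armor(pkesk(BOB_KEY_ID) + pkesk(BCC_KEY_ID) + packet(18, b"\x01" + b"\x00" * 200))
    return ("From: alice@example.org\nTo: bob@example.net\nSubject: Q3 plans\n"
            "Date: Tue, 11 Oct 2011 14:30:01 +0200\nMessage-ID: <constructed-0001@example.org>\n"
            "MIME-Version: 1.0\n"
            'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"\n\n'
            "--b1\nContent-Type: application/pgp-encrypted\n\nVersion: 1\n"
            "--b1\nContent-Type: application/octet-stream\n\n" + ciphertext + "--b1--\n")


def metadata_in_clear(raw: str) -> dict:
    """Everything a relay or the mailbox provider reads without the private key."""
    msg = message_from_string(raw, policy=default)
    ciphertext = next(p.get_payload() for p in msg.walk()
                      if p.get_content_type() == "application/octet-stream")
    return {"headers": {h: str(msg[h]) for h in ("From", "To", "Subject", "Date", "Message-ID")},
            "recipient_key_ids": recipient_key_ids(ciphertext),
            "ciphertext_bytes": len(dearmor(ciphertext))}


if __name__ == "__main__":
    print(metadata_in_clear(build_message()))
```

Subject, sender, recipients, timestamps and Message-ID stay in the clear, the
ciphertext length roughly bounds the body size, and the key IDs tie the
message to specific key pairs, so "they can only see src/dst" is the
optimistic reading; GPG covers the content and nothing else.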
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk