
Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum



On Tue, Oct 11, 2011 at 02:30:01PM +0200, Jeroen Massar wrote:

> Of course you are raising the bar, 

That's the main idea.

> but that is the only thing you are
> doing, as the adversary can still walk in, be that with a warrant making

If they have to dispatch a warm body to a remote physical
location my job is done already. If it has to be a warm sentient
body who has to analyze an unfamiliar situation and attempt an
undetected physical layer attack I've already succeeded wildly 
beyond all expectations. 

> it legal, or just by going in. Criminals don't ask for your Ok.

Sure, the Shabak will garrote your cat. Or maybe your cat is quite
safe, after all.
 
> >> into that colo and use vampire taps to replug (both power and network)
> > 
> > Did you catch the part with the video, also streamed off-site?
> 
> How exactly does that matter? It will already be too late and your full

Have fun with your slippery slope of absurdities. Yes, there's a nuke
triggered to a dead man's switch.

> hardware will be off site in a location that you don't control, still

Do you see the difference between Gmail or Amazon cloud rendering upon
Caesar what is his and my logless postfix running on your own hardened box,
with mail residing client-side on a crypto filesystem? 

> running fully and no way for you to stop them from doing what they want
> to do with it, be that freeze the memory or any component needed.

Do you have the slightest idea how much that would cost, especially if
I'm not to notice?
 
> Or do you watch that video screen 24/7 like in the movies with the
> guards on duty being shown a replay? :)

My thinking is that I wouldn't hire you as a security consultant.
 
> Yes, nice things like mercury switches, glueing the whole thing together
> and other such tricks can even deny physical access, but really, what
> are you trying to protect there? :)

I am really illustrating a number of distinct, staged models with progressive
costs both to Alice and to Mallory. You can consider them each, one at a
time. It's not out of the question. 
 
> 
> > If there's a convenient temporal lacuna on multiple probes, you know 
> > your hardware is no longer trusted.
> 
> I am surprised if you are that paranoid that you trust the hardware in

You seem to have poor reading comprehension and security analysis skills.

> the first place. You do realize where the designs come from and where
> they are built right? :)

You do realize that you're trying to teach your grandmother to suck eggs?
 
> Yes, you will know that your hardware from that point is untrusted, but
> who says it was not before?

Always titrate your paranoia to functional levels. If you think your
entire toolchain is compromised and Really Care(tm) then bootstrapping 
from scratch including synthesizing your hardware from a minimal Forth 
core is quite possible.
 
> >> your box without you noticing anything and monitor the rest from there on.
> > 
> > They are welcome to tap the network. It's what they already can do,
> > by mirroring the incoming switch port and packet capturing there.
> > This is not relevant to accessing secrets locked in hardware, or
> > present at runtime.
> 
> Nope, but that is why a vampire tap can also do power, so they can
> remove the box from the rack/location that you have as 'secure' and then

My boxes are already on a UPS. That's the whole point, or the provider
can simply cut power and simulate an outage. The point is that they
would have to physically approach the rack, at which point there will
be a triggered recording. You have no idea where the recording goes 
and which out of band channels it might use. If you're smart, you'll
back off when you see the LED glow. If you can see NIR, I mean.

We can play this game ten times to Sunday, and I can assure you 
that with a minimal amount of planning you can make the traceless
extraction of tamper-proof hosted secrets arbitrarily difficult. 

> they can do whatever time consuming things you want.
> 
> Unless you have a full remote kill switch in there packed with some C4
> or so.

It's lead azide, actually. I see you've been reading my stolen design documents.
 
> But that is why I mention rubberhose: if they want to get the info in
> there, they will politely ask you for them instead.
> 
> >> As for TPM, who build that piece of hardware and are you sure that a
> >> copy of your keys are not kept elsewhere?
> > 
> > Because you generated the key itself, of course, and using a
> > physically secured TPM token you installed yourself.
> 
> Did you build that TPM token? I am just trying to give obvious hints
> here and above etc...

You're out of your depth and not realizing it.
 
> For that matter, did you write and audit 100% of the code, oh and not to
> forget the compiler that you are using for that code? And what about
> that little video camera just behind your screen, did you notice it
> already? ;)
> 
> Like everything in life, it just depends on how much you care.
> 
> For most people though, unless you are doing super secret evil stuff,
> just using a Gmail account with PGP in combo with SMTP/IMAP is good
> enough(tm) a security measure.

By not using a Gmail account or Amazon cloud you don't even have 
to use GPG.
 
> > It can be rather hard to access a piece of hardware hotglued into
> > an internal USB port, with hardware with live IPMI monitoring,
> > including chassis intrusion detection, including motion-detected
> > video streaming to a cryptographically secured local
> > filesystem and also off-site.
> 
> Local filesystem does not matter, as you won't see it. Thus if the video

If I can't see it, I know I'm compromised.

> cuts, the only lesson you learned is that the box is not to be trusted
> anymore, but then it is already too late in most cases as they also

Knowing when you're under scrutiny is the second feature of the setup.
The first point is not being a sitting duck.

> likely know who is footing the bill, just follow the money and thus
> where your bed lives.

You should avoid mixing uppers and downers with your psychoactives.
It's really bad for your health.
 
> > It is all doable, but it won't be done in practice or ordinary
> > threat models.
> >  
> >>> I used to store crypto secrets on USB smartcards, and have
> >>> streaming video in the rack, all on UPS. Nowadays, it's even easier.
> >>>
> >>> No point to make it too easy. Mallory should earn his keep.
> >>
> >> At one point or another they just apply rubberhose crypto thus don't
> >> make it too difficult.
> > 
> > Why do you bother breathing? You'll die, anyway.
> 
> I don't have to bother breathing, not everybody is Darth Vader, it

See, I don't have to bother using cloud or Gmail for private 
purposes, either.

> happens automatically more or less as a reflex for most people and there
> is so much fun in the world without having to consider conspiracy
> theories ;)

If you ever ran a Tor exit, you know there's no need for theories.

-- 
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
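The detection logic sketched in the exchange above (several independent probes going silent at once, or a chassis-intrusion event, marking the hardware as no longer trusted), as an added example that is not part of either participant's message. The log format, the three channel names, the 10-second probe cadence, the gap threshold and the sample log itself are all constructed for illustration; a single channel dropping out is reported but does not by itself revoke trust.

```python
from datetime import datetime, timedelta

# Constructed sample log (not real data): one line per event, in the form
# "<UTC timestamp> <channel> <message>". Three independent channels are
# assumed: IPMI heartbeats, a frame counter from the rack camera stream,
# and an ICMP probe answered to an off-site host. The video channel has a
# solitary 30-second hiccup at 14:30:20; at 14:31:10 the IPMI log reports a
# chassis intrusion and every channel falls silent until 14:33:00.
SAMPLE_LOG = """\
2011-10-11T14:30:00Z ipmi heartbeat
2011-10-11T14:30:00Z video frame
2011-10-11T14:30:00Z ping reply
2011-10-11T14:30:10Z ipmi heartbeat
2011-10-11T14:30:10Z video frame
2011-10-11T14:30:10Z ping reply
2011-10-11T14:30:20Z ipmi heartbeat
2011-10-11T14:30:20Z video frame
2011-10-11T14:30:20Z ping reply
2011-10-11T14:30:30Z ipmi heartbeat
2011-10-11T14:30:30Z ping reply
2011-10-11T14:30:40Z ipmi heartbeat
2011-10-11T14:30:40Z ping reply
2011-10-11T14:30:50Z ipmi heartbeat
2011-10-11T14:30:50Z video frame
2011-10-11T14:30:50Z ping reply
2011-10-11T14:31:00Z ipmi heartbeat
2011-10-11T14:31:00Z video frame
2011-10-11T14:31:00Z ping reply
2011-10-11T14:31:10Z ipmi heartbeat
2011-10-11T14:31:10Z video frame
2011-10-11T14:31:10Z ping reply
2011-10-11T14:31:10Z ipmi sel Physical Security: chassis intrusion asserted
2011-10-11T14:33:00Z ipmi heartbeat
2011-10-11T14:33:00Z video frame
2011-10-11T14:33:00Z ping reply
"""

HEARTBEAT_INTERVAL = timedelta(seconds=10)   # assumed probe cadence
GAP_THRESHOLD = HEARTBEAT_INTERVAL * 1.5     # one missed beat plus jitter
MIN_CHANNELS = 2                             # channels that must be silent together


def parse_log(text):
    """Split the log into per-channel timestamps and a list of intrusion alerts."""
    seen, intrusions = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, channel, message = line.split(" ", 2)
        t = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        seen.setdefault(channel, []).append(t)   # any line counts as liveness
        if "intrusion" in message.lower():
            intrusions.append((t, channel, message))
    return seen, intrusions


def find_gaps(timestamps, threshold=GAP_THRESHOLD):
    """Return (start, end) pairs where one channel was silent longer than threshold."""
    ts = sorted(timestamps)
    return [(a, b) for a, b in zip(ts, ts[1:]) if b - a > threshold]


def simultaneous_gaps(gaps_by_channel, min_channels=MIN_CHANNELS):
    """Sweep over gap boundaries and return windows in which at least
    min_channels channels were silent at the same time, with the set of
    channels that took part in each window."""
    events = []
    for channel, gaps in gaps_by_channel.items():
        for start, end in gaps:
            events.append((start, 1, channel))
            events.append((end, -1, channel))
    events.sort(key=lambda e: (e[0], e[1]))   # at equal times, ends before starts
    active, windows, window_start, involved = set(), [], None, set()
    for t, delta, channel in events:
        if delta == 1:
            active.add(channel)
        else:
            active.discard(channel)
        if window_start is None and len(active) >= min_channels:
            window_start, involved = t, set(active)
        elif window_start is not None:
            involved |= active
            if len(active) < min_channels:
                windows.append((window_start, t, frozenset(involved)))
                window_start, involved = None, set()
    return windows


def assess(text):
    """Verdict for one log: trust is revoked on any intrusion event or on a
    window where several independent probes went silent together."""
    seen, intrusions = parse_log(text)
    gaps = {c: find_gaps(ts) for c, ts in seen.items()}
    windows = simultaneous_gaps(gaps)
    return {
        "gaps_by_channel": {c: g for c, g in gaps.items() if g},
        "trust_lost_windows": windows,
        "intrusion_events": intrusions,
        "trusted": not windows and not intrusions,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The sweep in `simultaneous_gaps` orders an ending gap before a starting one at the same instant, so two channels that hand off back-to-back are never counted as overlapping; the `frozenset` of involved channels lets a responder see which out-of-band paths were lost together, which is what distinguishes a power cut or rack removal from a single flaky camera feed.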