
the way Bruce Schneier is now using GPG

Which way is that?

Also, from your Tinfoil Hat Linux link, this idea is hilariously awesome:

Keystroke monitoring — THL has gpggrid, a wrapper for GPG that lets you use a video game style character entry system instead of typing in your passphrase. Keystroke loggers get a set of grid points, not your passphrase.

I wonder if it might be possible to implement that idea into other operating systems?



Air gapped with new hardware: "Since I started working with the Snowden documents, I bought a new computer that has never been connected to the internet. If I want to transfer a file, I encrypt the file on the secure computer and walk it over to my internet computer, using a USB stick. To decrypt something, I reverse the process. This might not be bulletproof, but it's pretty good."

http://www.theguardian.com/world/2013/sep/05/nsa-how-to-rema...

Air gapping is certainly not unprecedented, but individuals using it have traditionally been considered pretty "tinfoil-y".

edit: "I wonder if it might be possible to implement that idea into other operating systems?"

gpggrid itself could probably just be built on any other Linux install. Certainly it could be recreated. One of the neat features of TFL that I really like is the idea of blinking LEDs on the user's keyboard instead of displaying things on screen. Effective? Who knows... but certainly amusing.


If he was serious he would be burning CDs/DVDs instead of using a read-write USB stick. It is tedious, but blank media is cheap and there is precedent (that I'm sure Bruce is aware of): The DoD's own (classified) SIPRNet was infiltrated via a flash-drive based virus back in 2008.

http://www.washingtonpost.com/wp-dyn/content/article/2010/08...


I kinda thought the same thing about flash-drive viruses, and why Bruce wasn't using CDs/DVDs instead. Then I realized if he was really serious, he wouldn't say what he's really using, and he'd have a USB honeypot plugged into his network-facing computer.


Note that he didn't say what software he's running on the new air-gapped computer. The difference between locking down one air-gapped PC running only software required for encryption and locking down the entire network of PCs running the wide variety of software required to do everything everyone needs to do on the SIPRnet is huge.


Named "Iocane Powder" of course.


"i'd bet my life on it..."


Another approach might be to set up an old-fashioned serial link between the machines. It's easy enough to observe and audit all the traffic that passes through a serial cable.


SD cards have a physical switch you can flip for read-only.


The switch is electrical and advisory. The SD card reader is free to ignore it.

Search for "Bootable SD Card Method" here: http://chdk.wikia.com/wiki/Prepare_your_SD_card (I have a Canon camera that runs CHDK. Those instructions work, and the camera can write to the SD card.)


The SD card switch is actually read by an external physical sensor (a tiny button like the write-protect buttons inside of ancient 3.5" floppy drives), at least on most SD cards. I had an SD card whose switch wasn't quite thick enough to trigger the writability sensor of an SD card reader, so I had to wrap it in tape.


In a completely unrelated area, you just saved me a pile of effort and time with that tape trick. Kudos.


Yeah and my old Intel 486 Gateway 2000 had a Turbo button. What's your point?


He's not doing that because of concerns about PGP, just to be clear, but because his host computer isn't secure (none of ours are); he's doing basically the same thing as the people who run their browsers in a VM, or the same thing that security professionals tell business owners to do when they want to access their online banking.


What do you tell business owners to do when accessing their online banking?


Use a machine that is used for absolutely nothing else.


Wow, really good idea. Is a VM that is used for absolutely nothing else good enough?


How do you define "good enough"?

The general idea is to use a machine which has minimal opportunity to be compromised through other activities. There have been known to be exploits that allow a compromised VM guest to compromise the host, and obviously if you compromise the host you can compromise all the other guests.

Using a separate VM is worse than using a separate physical machine and better than doing nothing. Whether it's "good enough" depends on who you are. Who are the plausible attackers? What do you stand to lose if it goes wrong?


The VM is easily vulnerable to the host OS, so running in a VM only protects the activities you do in the VM in the sense that the software pwning the host might not be looking for it. So not really.


Unless you are not using the host OS for anything _other_ than virtualization. If the host OS is used to host VMs[1], which are then used for specific tasks (casual browsing, banking, development, etc.), any exploit will be limited to the VM. This would be a pretty solid setup. It is only vulnerable to attackers that have direct access to the hardware, or have the ability to exploit the hypervisor.

[1] in other words if the host OS is used as a hypervisor, or if the host OS _is_ a hypervisor.


How many of them actually do?


Germany's best-selling PC magazine c't periodically distributes "Bankix" on their CD.

It's a Linux live system (with permanent storage on a USB stick) geared specifically towards online banking.

I believe that quite a few people actually use it.

Of course the hardware is the same, but you get a clean single purpose software system.


> Germany's best-selling PC magazine c't periodically distributes "Bankix" on their CD.

> I believe that quite a few people actually use it.

That sounds like a great attack vector. How secure are factories where discs are pressed? Even without access to the factory you could buy a bunch of magazines and repackage them with compromised CDs.


Someone would probably notice, checking the DVD against a checksum.

Repackaging it seems to be tricky, since the paper inlay is bound in the magazine, it's not just stuck on the cover or whatever. You tear it out at a perforation, leaving part of the DVD cover inside.

There are much more exposed attack vectors on online banking users, I would think.

And you can always just download the ISO and check it against the hash (and the PGP key).


I've set up VMs for people with their credentials in the VM and nowhere else, and the host firewalled pretty restrictively such that that VM is pretty useless except for banking. I suspect compliance is high on systems like that.


And if your bank does not do 2 factor authentication, switch to another bank.


Which banks actually do this? I've never encountered one.


Most European banks do. Only a few US banks do. The primary reason for this difference is that it's trivial to transfer money from one European bank account to any other bank account. It basically works like email, where you can just enter any destination bank account number. With US bank accounts the process is much harder, as you first need to add and confirm the second bank account (which somewhat reduces the risk of what can happen if someone gets access to your account).


Here's a list of them that use Verisign's VIP: https://idprotect.vip.symantec.com/wheretouse.v

Others may use in-house solutions. Here's Bank of America's two factor solution: https://www.bankofamerica.com/privacy/faq/safepass-faq.go

We're almost to a point where the question isn't whether or not they support it, it's finding out that they have a program, clicking through tiny text links at the bottom of pages, and figuring out how yet-another-implementation works.


The major ones that I've used do - Chase and Bank of America, both through sending codes over SMS to login and perform certain activities once logged in. For BoA, even if you stole my password and browser cookie (to get past the login check), you still wouldn't be able to do anything but pay my bills for me. Anything that might send money to a new destination, like creating a new billpay recipient, changing the info of one, or adding a wire transfer destination, requires an additional 2-factor code.


Both my banks do (European banks, specifically Rabo and ABN/AMRO).

These are still not immune to phishing attacks but it's a lot better than TAN codes or some other 'dumb' authentication scheme.

Typically these systems work in conjunction with pin-and-chip card, a small piece of hardware that generates the codes and a challenge / response system built into the website you use for the authorization.

Separate challenges exist for logging in (read access) and transferring money.


Those are common in Brazilian banks as well. At least four of the six biggest (I don't remember about the last two) do two-factor authentication.

Another cool thing I've seen in Banco do Brasil was the need to authorize the computer you're going to use in an ATM or in a 1-800. If I recall correctly, they do that with a Java applet.

Recently they also launched a common-malware-search-and-destroy application of MANDATORY use in Windows computers (my mom uses, she asked me. And yes, the digital certificates were all valid).


What's wrong with TANs?


My American Express personal savings does. HSBC does and even allows you to enter your 2FA on a JavaScript keyboard (clicky click) if you choose to mitigate the threat of a key logger.


Chase requires two factor authentication.


Given what we know about USB sticks, especially their use in Iran, you would have to be ABSOLUTELY FUCKING RETARDED to trust them.

Oh so he encrypted his files, and walked them between his stand alone and his internet machines. Yeah, okay this established the file's integrity, and that's just fantastic.

But what assurance does he have that the USB stick isn't getting infected on the internet machine, and then deploying stealth hacksaw services onto the standalone, to buffer and relay data and commands each time it jacks in?

I mean, that's exactly what Stuxnet was designed to fucking do.


I wish you'd made your point more gracefully, because then it would've been taken seriously. I had the exact same concern about him using USB sticks.


It's different if you own your own USB stick and only use that stick, and have the hosts configured correctly. Arbitrary USB devices picked up off the ground or provided by malicious people do terrify me, mainly because they can be keyboards or whatever in usb-stick physical packaging.


Even USB sticks that are your own USB sticks could be keyboards or whatever. Unless you've verified it isn't, a store-bought USB stick is just as risky as one that you picked up from the street or that someone gave you; in both cases you have no idea 'where it's been' before it got into your possession.


No, the vast majority of USB sticks in the world are not pwned. If you randomly go out to purchase one in a large market, it's pretty likely to be safe.

Things like the Bagram PX were concentrations of high value targets with only one source of supply. The general USB stick marketplace is a lot safer. In China they're often fake and thus unreliable (smaller than advertised), but in the US, I'd be pretty comfortable driving to a Best Buy 50 miles away and picking up a random USB token.

A USB key someone hands you is much more likely to be a targeted attack. A USB key randomly lying on the ground outside a target is also much more likely to be an attack.


The vast majority of USB sticks are lost, not attacks, the vast majority of USB keys handed to you are handed to you in good faith, not as attacks.

That doesn't mean there are no attacks.

So prudence is advised in either case, on the off chance that the one that you have is a bad one. Ditto for anything else that you stick into a USB port.

That webcam plugged into your computer, are you sure the mike isn't on all the time and that the driver doesn't pass your speech during the day out in compressed and encrypted form to some server farm at night ;)


Just like bareback sex with partners who remain monogamous for the duration of your relationship, repeatedly sticking the same USB device into your computer is a lot less risky than sticking a wide variety of USB devices of unknown provenance into your computer...


Air-gapping is really the only way to stay secure. Plus, I would worry about cameras, microphones and vibration monitors, so I would want to put the air-gapped machine in a room that is away from any other electronics. Ideally in some sort of faraday cage, or at least located a reasonable distance away from walls - to bring it up to TEMPEST (or similar) standards. Unfortunately, most of us do not have the space in our homes to do it properly, so we have to resign ourselves to losing control of our machines and our data.


Stuxnet jumped an air gap.


Well, to be fair, this was in an OS that reads whatever is on any media you plug in.

KDE/Gnome do the same thing, and there are possible attacks there.


I see a new product. The air gap - a micro computer that takes simple commands, like mail, ftp and get, to serve as a simple go between layer for people who want this kind of privacy.

IMHO, the hard part would be creating the interface on the PC.


The new product I see is 100% open hardware (in addition to open-source software). All the way down to the chip.

This should be the new market: Companies inviting the whole world to inspect their hardware (in addition to firmware, software).


Some agencies and contractors handling classified materials use air gapping sometimes as well.


I hope he's using one of those USB condoms with his memory stick.


When the battery gets low?


It's a joke.


> Which way is that?

https://www.schneier.com/contact.html

All default settings, except the 4096-bit key length.

See: https://www.schneier.com/blog/archives/2013/09/my_new_gpgpgp...


Julian Assange worked on projects relating to maze navigation, theorizing that people could memorize the muscle sequences but not be able to tell them under pressure, or fail under pressure.

Randomizing the position of landmarks, e.g. go to A, B, E, C, F, then showing a map could let the user enter a different sequence of keystrokes to get the same result.
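
The grid-entry idea quoted at the top of the thread, combined with the position randomizing suggested in the comment just above, as an added sketch (not gpggrid's code and not any commenter's): the layout is reshuffled for every character, so the grid points a keystroke logger records differ on each entry of the same passphrase. The alphabet, the 5 x 8 grid size and all function names are assumptions made for this example.

```python
import secrets
import string

# Constructed 40-symbol alphabet laid out as a 5 x 8 grid (sizes are assumptions).
ALPHABET = string.ascii_lowercase + string.digits + " .-_"
ROWS, COLS = 5, 8


def new_grid(rng=None):
    """Return a freshly shuffled ROWS x COLS layout of ALPHABET."""
    rng = rng or secrets.SystemRandom()
    cells = list(ALPHABET)
    rng.shuffle(cells)
    return [cells[r * COLS:(r + 1) * COLS] for r in range(ROWS)]


def locate(grid, ch):
    """Find the (row, col) the user would navigate to for character ch."""
    for r, row in enumerate(grid):
        if ch in row:
            return (r, row.index(ch))
    raise ValueError(f"{ch!r} is not on the grid")


def enter_passphrase(passphrase, rng=None):
    """Simulate one entry session: a new grid is shown for every character.

    Returns (grids, points). `points` is all a keystroke logger records;
    `grids` exist only on screen and in the wrapper's memory.
    """
    grids = [new_grid(rng) for _ in passphrase]
    points = [locate(g, ch) for g, ch in zip(grids, passphrase)]
    return grids, points


def decode(grids, points):
    """What the wrapper does: map each selected point back through its grid."""
    return "".join(g[r][c] for g, (r, c) in zip(grids, points))


if __name__ == "__main__":
    for attempt in range(2):
        grids, points = enter_passphrase("correct horse")
        print(attempt, points, "->", repr(decode(grids, points)))
```

A logger that also captures the screen sees the grids, so this only addresses keystroke capture. With a fixed layout the recorded points would be a plain substitution of the passphrase, which is why the shuffle happens per character.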



