Schneier on Security

Nick P • August 31, 2013 1:32 PM

@ Ashley and other’s curious about RAM/truecrypt distros

Re: Linux Live distro

You’re mainly just picking one you think you can use. That you can use and accept a given distro is more important than any other factor because people tend to stop using things that piss them off. 😉 Usability, interface styles, supported apps, hardware support and more vary among distros. My basic security goals are that

(a) they’re not windows,
(b) they run in RAM,
(c) you can install TrueCrypt on them, and
(d) they work with your hardware.

So, I list a few under this paragraph. Download them and burn them onto CD’s. Try each on your machine. Many have simple interfaces such as busybox which are good for security due to less features, yet not so good for usability. I’d say start with Ubuntu Live as you’ll figure it out quickly. Then, if can get a hardened one to work, then start using it instead.

Ubuntu Live CD: The default. You get several options at startup. Choose to “try it” instead of installing it. Then, everything loads from CD (or USB). It’s heavyweight because it’s designed for features and usability. Your security will probably be OK if you’re not targetted specifically: the obscurity of Linux alone makes most malware miss it.

Damn Small Linux: This is a tiny Linux made to run totally in RAM and comes with a minium of applications. Only runs on x86 processors. Uses Fluxbox window manager and optionally can add on popular software. Designed for old machines more than security.

Puppy Linux: Security engineering veteran Terry Ritter sold me on using this one for security purposes. Brian Krebs likes it too. Similar to Damn Small Linux but: much easier to use across the board; better interfaces available; you can save changes to the file system incrementally on the DVD itself. Ritter argued the latter feature was a nice compromise for data persistence on a mostly no persistence distro. Krebs and Ritter on using Puppy.

Lightweight Portable Security: LPS is an interesting option because it’s made by Dept of Defense for protecting their systems. It’s goal is making sure the system starts clean, doesn’t change the disk, and can act as a secure thin client. And it’s free for us too. 🙂 They also include an encryption tool they use. Does that tool have backdoors or something? Who knows. However, most tools they make to protect their systems are pretty good and quite a few people outside DOD use this distro. So, I’ll include it for those reasons.

Tin Hat Linux: Last, but certainly not least, is a distro with this goal: “The central design consideration in Tin Hat is to construct an operating system that can hide data from an attacker even if he has physical access to the computer.” I haven’t used it yet so I’m not sure of its quality. It has interesting security features, though, and meets the basic requirements I stated early on. It also uses the Hardened Gentoo project’s technology which provides resistance to certain attacks.

Note: One additional motivation for my choosing these different platforms is diversity. Schneier blog readers know I’m a fan of different codebases to reduce odds of success in one-size-fits-all attacks. These systems use Gentoo, Slackware, Ubuntu, Knoppix, etc.

Note for Windows or Mac lovers: the solution for you people is “Write Protect.” Seems to be a forgotten, but effective, technology. You install Windows, install needed apps, do ALL updates, clean temp files out, run hardening procedures in online guides, and then turn on write protect. Any changes to the running system, by you or by malware, will not be saved. That basic mechanism gives you the same protection as a LiveCD if it’s hardware based (usually a switch). There’s also security software, from OS hooks to virtualization schemes, that claim to do this. They might work, might not. You can also set up VM’s with very restrictive configurations to do this. However, the simpler the better and that would be switches at the storage hardware level.

Re TrueCrypt

“I guess the part that’s confusing is if I boot up a ram based distro, it only comes with what’s installed by default for that distro. Of course I can always install truecrypt / macchanger etc.. But after a reboot those changes and programs are not saved. I feel like there is an important step I am missing here.”

Good catch. There are two main solutions:

1. Install it upon every bootup.
2. “Remaster” the LiveCD to include it.

Install Each Time

I used this method early on. It was inconvenient, but required little technical knowledge. I booted up a Live CD for which truecrypt has a graphical, few-clicks installer. I kept the truecrypt installer on my main HD partition in main folder. So, upon LiveCD boot, I performed these steps:

1. Made sure there was no internet connectivity to reduce risk. My laptops have hardware switches for wireless.

2. Run a mount command to active my HD.

3. Open the HD folder with the installer and run it.

4. Unmount my HD just in case.

This whole process took a minute or two. I had to google the mount commands and figure out which Linux device represented my actual hard disk. I just went through sda, sdb until i saw my disk’s folders in the mounted folder. I’ll add that Ubuntu and some distros might automatically see it in “Places” menu at the top. In them, you basically just click on it and the system mounts + opens it.

Remaster Onto LiveCD

This the better (and harder) route. Remastering means you customize whats on the disc. You might change the interface, add TrueCrypt/OpenOffice/VLCmediaplayer, etc. Each distro does this differently and whether you can figure it out might be a factor in which you pick. There’s googleable step by step guides on “remastering” or “changing apps on a LiveCD” for many I listed. If you get one to work on your PC and like it, then Google changing it to try those steps. If the steps work, then add in TrueCrypt and whatever necessary apps you need. And TAKE OUT any you don’t need cuz they’re wasted space and extra attack surface.

Conclusion

Sorry if I couldn’t give a simple recommendation. These operating systems are all made by different people with different preferences, goals and levels of maturity. Choosing a Live distro is a very personal thing that only you can do. Ubuntu is great as a start. Puppy is endorsed by pro’s like Ritter, so that’s even better if it works on your machine. So, get one, figure out how to get it on Internet/wifi, get firefox + noscript, get truecrypt, and start using it for basic workflow. If nothing else, you’re “I’ve been infected!” days are over. 😉

Nick P • August 31, 2013 3:52 PM

@ Avid Reader

“I liked your comments. I would request a HowTo guide on setting these methods up for less computer savvy people. SSL tunneling can be difficult to figure out on your own. ”

I might write one up in the future along with recommended tools and configuration steps. Meanwhile, there’s excellent resources on using proxies that are one Google (or DuckDuckGo) away. And many have screenshots of each step. 🙂

re secrets on paper beats $5 wrench cryptanalysis

“I would disagree with you on the cigarette written partial/password. It will make the volume much harder to crack, but if it gets intercepted or stolen, it makes it that much easier. You’d be left with a memorized password, or no password at all. If you’re in the middle of being arrested, you don’t have the second or two to destroy it.”

I certainly need to revise how I presented that idea. There’s two categories of usage here:

1. A trusted place that nobody will be looking at or with visibility to give you the 2-3 seconds it takes to burn a note.
2. On the move in unknown places where you can get grabbed or searched without notice.

The key on cigarette paper idea is definitely for situation 1. It can also be disabled for when you’re doing no 2 so it’s not really a weakness: just not available there. The advantage of it is that it allows a totally random, long password. And you can change the password often because it’s as simple as writing the new one down and burning the old one. Even if tortured, you cannot reveal the secret because you don’t know it. The reasoning here is that most people can’t remember nearly uncrackable passwords or change them often. Yet, most people can hide a tiny piece of paper in their house or bury it in a box in the woods.

Another common variety of this trick is a strong password + key file on tiny flash card or thumb drive. Another is to enter a strong password plus a bunch of random characters from a piece of paper. Brings extra benefits I’ll identify in next reply.

re my using hashes to preprocess secrets

“I disagree with using SHA2 or any other hashing algorithm to generate the password as well. All it is is obfuscate the method of encryption.”

That’s the classic argument people give me on all kinds of my obfuscation methods. Yet, the argument is weak because experience shows sound techniques + extra guesswork for the attacker is A Good Thing.

1. They can’t work around what they don’t know.
2. The obfuscation methods can vary on an individual basis, requiring custom attacks for each target.
3. Certain obfuscation methods are very simple to implement.
4. Some obfuscation methods can cover weaknesses in usage of other tools.

In this example, the truecrypt volume is protected by a password. The TrueCrypt tool runs that password through some steps to generate needed keys. Attackers familier with TrueCrypt and knowing nothing else will run vanilla anti-TrueCrypt tools on your volume that essentially try to crack the password. This means the password should be very random and long to resist their attacks. Interesting enough, the output of good hash functions has that property even if you input the crappiest password (see 4 above). So, I included these options into my enhanced truecrypt scheme:

1. Pick at random a one way crypto function to use that generates long, random output. Make sure it’s an option in a popular, easy to use hashing/crypto tool so the tool’s existence doesn’t give away the precise methods.

2. Generate a 128-bit (minimum) salt. This was what I put on the cigarette paper. Use either hex or BASE64 encoding.

3. Chose a number of times to run the hash function. (optional)

4. Input your STRONG password and salt into the hash. Optionally, do the iterations. Use the result as the TrueCrypt passphrase.

Now, what we’ve done is that we’ve made it impossible for them to crack the TrueCrypt volume without knowing (a) your password, (b) salt and (c) the specific steps you taken. Those steps use proven primitives in a safe way to accomplish the obfuscation. The steps become both extra entropy and computational complexity for the attacker. And the 128bit salt can be easily destroyed at any time. Extra obfuscations to consider and not exhaustive list by far:

• Instead of password, use a passphrase that combines a variety of characters (my default for all user secrets)

• Use a combination of hashes and iterations in this process. Assign each one a number (in order of appearance in tool’s help file). Then, the obfuscation is essentially a pin: 4917 might mean 4th hash 9 times, then 1st hash 7 times. Limited by your memory and max number of available algorithms/iterations.

• Build extra obfuscation into the tool itself. They have to checksum/hash it to see it’s modified. Reduce deniability, though.

• Tie the activation of crypto to a certain location (advanced method). Will reduce deniability if custom software is used to accomplish it, but there are 3 party methods that don’t require that.

• Any time a file must be deleted, create a new volume, write the salt for it down, move any files you keep to it, and burn the salt to the old one. Again, you sure aren’t going to remember a 128-bit secret and they aren’t going to crack it. So, call it “perfect forward secrecy” for data at rest. 🙂

(Note: this is also the best way to move critical informations between documents such as Word or PDF that can contain much metadata. New document, copy what you keep, and delete the old one.)

So, what we have is…

1. Strong password. Required anyway. Proven value. Is baseline.

2. Hidden extra steps. Increases attackers’ work, observation and sophistication requirements.

3. Perfect forward secrecy or entropy boosting via keyfiles or paper secrets.

Obfuscation has saved many of my designs and systems from attack over the years. This has worked with software, protocols, system configurations, firewalls, physical security and so on. In some cases I got to watch the attacker try all kinds of really clever stuff, fail, and move on. The combination of strong security engineering with secrecy and tight usage controls is also key component of NSA’s Type 1 crypto systems. They’d probably fail more quickly if NSA open sourced them.

So, obfuscation has proven value used properly. It’s even protected my life at times. The examples people give that supposedly “prove” it doesn’t work involve security designs built only on obfuscation, often poor obfuscation at that. Such foolish approaches led to fool’s (false) security. Good security engineering practices + obfuscation techniques that don’t undermine their assurances equals better overall security posture against majority of attacks.

Note: none of this stuff by itself will save you from conviction due to not turning over a key to law enforcement. It seems like a rare situation, though. Online dead drops are one solution. Brings me to another advantage of paper: unlike files and flash drives, it’s extremely easy to hide going through a border crossing even with PC inspection, metal detectors and strip searching. Parts of the secret can even be specific scratches or imperfections on your clothing. They gonna take everyone’s clothes? I think not!

“I would recommend this as an alternative. Truecrypt has an excellent option of using keyfiles with a password. Generate 1000 files, each made of 64 bytes of random data. Save them to your non-writable media with identical C/M/A time stamps. Use 10-15 of them along with your password for the input to Truecrypt. It is still a guessing game as too which numbered files you use. ”

It’s an interesting idea. It meets the requirement of extra step the enemy has to figure out and boosts entropy to final key. The key weakness is it might take extra manual steps or an unusual executable on your system. It’s also more complex. The simplest version of my truecrypt scheme is a strong password and salt (on paper or hidden device) entered directly into the TrueCrypt password box. That’s two factor, entropy boosting, requires no extra software, takes one step and allows the salt to be destroyed. The next version uses a generic tool to combine the password and salt with a cryptographic function for more of the same benefits. Simple, easy and deniable. 😉

I’ll also add that people the salt can even be the stuff on your state ID, a page of a magazine you carry, and so on. That tradeoff means you carry nothing unusual at all (compared to the average user of privacy tools). Their attack requires (1) knowing you’re using extra steps; (2) knowing what the input source is; (3) knowing any transforming trick you use such as starting point or typing words backwards. Near total deniability: you’re just another truecrypt user and can pass a full physical inspection.

Privacy/security maxims to remember: As simple as necessary to meet requirements. Used proven primitives, principles and procedures to achieve critical security properties. Optimize obfuscations to minimize users’ activity and maximizing opponent’s. Use nothing that stands out to auditors.

So, if you do design your own solution, just remember these maxims to improve your safety and success.

Re removing the battery

“My only other input to this rather intelligent OPSEC conversation is this. When you are using your ram only computer at the coffee shop, bring your laptop power converter and take out the laptop’s battery, and set a bios password. If you should be raided as you are working, yank the cord out of the computer. The computer will loose power, and the only two options they will have of data recovery is to try to freeze the ram and do a quick read on it for encryption keys, and crack your passwords. The bios password and quick decay rate of ram should work well to thwart them. A lulzsec member was taken down with his computer running. On site forensics is standard procedure these days.”

That is a great tip and made me feel foolish for forgetting to mention the issue (facepalm). I’ll add, though, that it may be a risk. A lay judge or jury might consider it suspicious if you’re wifi, have LEO defeating tools, and pulled the plug when cops walk in to question you. “Destruction of evidence,” “obstruction,” etc. Anyone worried about that can use this improvement that I came up with after my battery died.

Use a totally dead battery. Tada! Craigslist one if needed. Also, use Puppy Linux as your basic setup. Your defence will be that you were just following Brian Kreb’s security advice and your laptop is “an old piece of s***… the battery doesn’t even work anymore I always have to find an outlet to use at these places. So lame…” Makes for a more believable excuse. 😉

(There’s other tricks that can be built on top of that idea. I leave them to readers imagination.)

Nick P • September 1, 2013 8:34 AM

@ Clive Robinson

“When it comes to tools to include or check for, one I’ve found to be very valuable over the years is an arbitary precision command line calculator that is either programable or usable from simple shell scripts.”

That’s an interesting thought. It reminded me of another one though: TI graphing calculators. I remember putting all kinds of programs on them in the past. I even thought of using them as a trusted path due to the screen size, keyboard, and programmability. Settled on electronic organizers type designs b/c their letters are easy to work with. But, yeah, a traveling student with a graphing calculator and the program section locked might be deniable.

“My suggestion for running a system that is immune to most known and many unknown vulnerabilities is to use Amiga DOS, open VMS, straight DOS 6.2 and use a network translation layer (LUA/SNA, Token ring, IPX, or other transports). This is also convenient for use as a straight router. I’d tell you what I use but then I’d have to take my equipment offline. Give you a hint, it rhythms with CPM.”

It works well enough so long as they don’t know what you’re using. Plus you get to be different. (!!!) Since it’s obfuscation, though, you might as well use a desktop Linux. There’s almost no malware for it. And the others you listed (except VMS) will be even easier to hit when they target you due to little security focus. So, you might as well use a BSD, Linux or a “trusted” UNIX.

Btw, although I long recommended it, VMS was recently EOL’d by HP. They acquire a rock solid system, invest almost nothing in it, don’t try to market it at all, and then kill it. It was one of their most profitable divisions. Imagine what VMS would have been if received about 5% of the money and development Linux got. They wasted such a good opportunity.

@ Prinz Wilhelm

Rice paper: yes! That’s the one I was trying to name! I forgot so I said cigarette paper instead b/c at least it burns well. But, yes, I think old spooks used rice paper for some of their communications. Your other ideas are nice too. 🙂

@ lost in the thicket

“How important is it for the distro to be on a CD and not on say a USB stick? How exposed is a USB-based live boot?”

I’m actually not sure in a practical sense. The assumption is that the enemy never gets their hands on it regardless b/c physical possession = compromise. Also, you’re booting up into a clean machine. So, you’re main remote threat profile here is:

1. People hacking your machine while it’s running to steal your data or somehow rootkiting it.
2. People subverting the update process.

The 2nd one is a separate issue. Wrt the first, a CD/DVD-R have the benefit of being write once. The USB might get written to while you’re using the system. So, that’s the main risk. If you want USB performance, then you can mitigate the risk by using a write protected USB drive, preferrably with a physical switch (floppies had that). This USB’s sticks design is a perfect example of how simple system integrity can be. 😉

“Yes, the evil maid can manipulate the USB stick. How exposed is the stick, given it is a non-Windows live boot, to malware from the Internet? It seems that it would have to be specifically targetted, but maybe I’m being naive.”

Another advantage of paper is that it isn’t executable. Using any executable media means you definitely have to hide it. If they grab it, you must assume it’s untrustworthy. At that point you have to ditch your data or put the USB in another machine (Walmarts? wink) to pull the key files off it. Then, you transfer that keyfile to the private machine in a way that doesn’t allow compromise. You can use hashes as part of a tamper detection strategy if you want but it’s easier to just protect the USB device.

Nick P • September 2, 2013 11:07 AM

@ Daniel, Clive

I appreciate the reply. I haven’t heard of any compromise that’s happened in practice. Yet, the possibilities you both present mean that using the SSD’s is a bad idea. I previously avoided them because of their wear levelling algorithms. Now a new reason.

While analysing this, I also looked into SSHD’s. These are the hybrid devices that combine a HD for storage and SSD-style flash for performance boost. I was trying to determine the risk the SSD element poses. Ideally, there would be no direct access to the SSD portion except in its hardware. My quick research showed that this is not the case: vendors might use firmware, drivers, client software, etc. There’s not really a standardized method that I see. So, we should probably consider the SSHD’s bad for crypto too.

@ name.withheld

“Seems you both are “old-school” and I mean that in the positive sense of the word. It also seems you are in good company with Dirk and Clive. If you guys say something I tend to pay attention. There are others here that are quite astute, seasoned and informed pros that have a deep history, and I appreciate your comments. Which allows me to regain the ground I’d lost by going so far-a-field.”

Why thank ya! Re your three bullet points, I have no comment because there are many variables and a lack of concrete data to go on. More speculation than anything else.

Nick P • September 2, 2013 2:12 PM

@ figureitout, Z.Lozinsky

Many of the NSA designed devices in the past came with a “zeroize” function that wiped key material with a button press. My own similar designs copied that albeit with random overwrite instead. Another trick I use is keeping the critical data in a specific section of physical memory (e.g. first so many bytes) so it’s easier to guarantee its destruction.

Old discussion about these things:
https://www.schneier.com/blog/archives/2011/03/erasing_data_fr.html

I’ll add that, since then, several new possibilities have appeared:

1. Using a SOC like Aegis, SecureCore, or SecureME processor that encrypts pretty much everything going out of it. Makes everything else untrusted.
2. The Air Force’s HAVEN virtualization system uses an FPGA system to encrypt the RAM of running machines. Run your sensitive data that way and now you’re mainly worried about destroying a key. That’s one zeroize button away. 😉
3. Although Clive and I worked out nice thermite solutions, Skunkworks improved on them nicely with a recipe that could be used in a server room w/out harming other equipment. Or in your house without harming… your house.

Just make sure, for thermite solutions, you use at least triple redundancy, very simple components, and shielding from environmental stuff. It’s also best to keep them in a concrete enclosure both to contain the mess and to keep an incoming attacker from simply knocking it over to interrupt the progress.

Nick P • September 4, 2013 10:28 AM

On TrueCrypt: Safe or Subverted?

There are some legitimate concerns in using TrueCrypt. However, there’s more concerns with NOT using TrueCrypt. Here’s what we know about it from a security perspective:

1. It’s maintained by a closed group of developers with a shared approach to building the project (good for code quality).
2. Its design and crypto approach have mostly favorable reviews by people in that domain.
3. That it maintains security properties, speed and reliability on 2-3 platforms speaks to the developers’ skill.
4. The source code has been reviewed more than once without finding backdoors.

5. I’ve never seen evidence posted about a backdoor being detected.

6. The TrueCrypt encryption has foiled the Feds plans on numerous occasions.

All together, it seems like the evidence is in TrueCrypt’s favor. The main backdoor risks I see are these:

1. The binary is the source + a backdoor.

2. Any drivers or hardware interfaces used for full-disk encryption might facilitate a bypass due to their privileged status.

3. Users assume because one version passes an audit that the binary for the next is safe. And it’s backdoored.

The solution to these is to compile from audited source. And check the hashes of the source to make sure it’s what the auditors had. If that fails, one might be able to get a copy from the auditors. People wanting even more assurance can always raise some funds to pay a well-known security persona or company to dig into the code for them. That TrueCrypt has a decent amount of time between releases that would allow the cost to be spread out over time.

Re Their terms saying they can lie to you

Far as I can tell, the TrueCrypt agreement isn’t much different than the norm in practice. Many say anything can change without notice and give the vendor no liability. There’s plenty of ways to combine those two to make the users anything but happy. 😉 The TrueCrypt claim, if not a legal tool, to me seems like John C Dvorak’s goofy Terms of Use or a similar mockery on how bogus agreements are. Non-conformists in software shops are known to do stuff like that.

Re Licensing issues

This is the most legit gripe. I say just ignore their license. Anyone really needing to modify it can attempt to negotiate it with the developers, maybe for a large donation. If that doesn’t work, then one might just have the mod done in a country that doesn’t recognize the laws that protect their code. The TrueCrypt team coming after you legally would only shed more light on them and provide an opportunity to use the discovery process against their organization. Just a guess here but their code has probably been incorporated into many systems with little to no regard for their licensing terms. 😉

Re Subversion resistance

The only way to provide maximal assurance against developer subversion of software is to use an EAL7-type development process with several qualified reviewers and development tools that you trust. And you need a few things on top of that. And clever people still have a few opportunities to maybe slip something in there. Good luck finding an encryption app for personal use that meets such a standard. Meanwhile, TrueCrypt has been good enough for many years now.