Air Gaps

Since I started working with Snowden’s documents, I have been using a number of tools to try to stay secure from the NSA. The advice I shared included using Tor, preferring certain cryptography over others, and using public-domain encryption wherever possible.

I also recommended using an air gap, which physically isolates a computer or local network of computers from the Internet. (The name comes from the literal gap of air between the computer and the Internet; the word predates wireless networks.)

But this is more complicated than it sounds, and requires explanation.

Since we know that computers connected to the Internet are vulnerable to outside hacking, an air gap should protect against those attacks. There are a lot of systems that use—or should use—air gaps: classified military networks, nuclear power plant controls, medical equipment, avionics, and so on.

Osama Bin Laden used one. I hope human rights organizations in repressive countries are doing the same.

Air gaps might be conceptually simple, but they’re hard to maintain in practice. The truth is that nobody wants a computer that never receives files from the Internet and never sends files out into the Internet. What they want is a computer that’s not directly connected to the Internet, albeit with some secure way of moving files on and off.

But every time a file moves back or forth, there’s the potential for attack.

And air gaps have been breached. Stuxnet was a US and Israeli military-grade piece of malware that attacked the Natanz nuclear plant in Iran. It successfully jumped the air gap and penetrated the Natanz network. Another piece of malware named agent.btz, probably Chinese in origin, successfully jumped the air gap protecting US military networks.

These attacks work by exploiting security vulnerabilities in the removable media used to transfer files on and off the air-gapped computers.

Since working with Snowden’s NSA files, I have tried to maintain a single air-gapped computer. It turned out to be harder than I expected, and I have ten rules for anyone trying to do the same:

  1. When you set up your computer, connect it to the Internet as little as possible. It’s impossible to completely avoid connecting the computer to the Internet, but try to configure it all at once and as anonymously as possible. I purchased my computer off-the-shelf in a big box store, then went to a friend’s network and downloaded everything I needed in a single session. (The ultra-paranoid way to do this is to buy two identical computers, configure one using the above method, upload the results to a cloud-based anti-virus checker, and transfer the results of that to the air gap machine using a one-way process.)

  2. Install the minimum software set you need to do your job, and disable all operating system services that you won’t need. The less software you install, the less an attacker has available to exploit. I downloaded and installed OpenOffice, a PDF reader, a text editor, TrueCrypt, and BleachBit. That’s all. (No, I don’t have any inside knowledge about TrueCrypt, and there’s a lot about it that makes me suspicious. But for Windows full-disk encryption it’s that, Microsoft’s BitLocker, or Symantec’s PGPDisk—and I am more worried about large US corporations being pressured by the NSA than I am about TrueCrypt.)

  3. Once you have your computer configured, never directly connect it to the Internet again. Consider physically disabling the wireless capability, so it doesn’t get turned on by accident.

  4. If you need to install new software, download it anonymously from a random network, put it on some removable media, and then manually transfer it to the air-gapped computer. This is by no means perfect, but it’s an attempt to make it harder for the attacker to target your computer.

  5. Turn off all autorun features. This should be standard practice for all the computers you own, but it’s especially important for an air-gapped computer. Agent.btz used autorun to infect US military computers.

  6. Minimize the amount of executable code you move onto the air-gapped computer. Text files are best. Microsoft Office files and PDFs are more dangerous, since they might have embedded macros. Turn off all macro capabilities you can on the air-gapped computer. Don’t worry too much about patching your system; in general, the risk of the executable code is worse than the risk of not having your patches up to date. You’re not on the Internet, after all.

  7. Only use trusted media to move files on and off air-gapped computers. A USB stick you purchase from a store is safer than one given to you by someone you don’t know—or one you find in a parking lot.

  8. For file transfer, a writable optical disk (CD or DVD) is safer than a USB stick. Malware can silently write data to a USB stick, but it can’t spin the CD-R up to 1000 rpm without your noticing. This means that the malware can only write to the disk when you write to the disk. You can also verify how much data has been written to the CD by physically checking the back of it. If you’ve only written one file, but it looks like three-quarters of the CD was burned, you have a problem. Note: the first company to market a USB stick with a light that indicates a write operation—not read or write; I’ve got one of those—wins a prize.

  9. When moving files on and off your air-gapped computer, use the absolute smallest storage device you can. And fill up the entire device with random files. If an air-gapped computer is compromised, the malware is going to try to sneak data off it using that media. While malware can easily hide stolen files from you, it can’t break the laws of physics. So if you use a tiny transfer device, it can only steal a very small amount of data at a time. If you use a large device, it can take that much more. Business-card-sized mini-CDs can have capacity as low as 30 MB. I still see 1-GB USB sticks for sale.

  10. Consider encrypting everything you move on and off the air-gapped computer. Sometimes you’ll be moving public files and it won’t matter, but sometimes you won’t be, and it will. And if you’re using optical media, those disks will be impossible to erase. Strong encryption solves these problems. And don’t forget to encrypt the computer as well; whole-disk encryption is the best.

One thing I didn’t do, although it’s worth considering, is use a stateless operating system like Tails. You can configure Tails with a persistent volume to save your data, but no operating system changes are ever saved. Booting Tails from a read-only DVD—you can keep your data on an encrypted USB stick—is even more secure. Of course, this is not foolproof, but it greatly reduces the potential avenues for attack.

Yes, all this is advice for the paranoid. And it’s probably impossible to enforce for any network more complicated than a single computer with a single user. But if you’re thinking about setting up an air-gapped computer, you already believe that some very powerful attackers are after you personally. If you’re going to use an air gap, use it properly.

Of course you can take things further. I have met people who have physically removed the camera, microphone, and wireless capability altogether. But that’s too much paranoia for me right now.

This essay previously appeared on Wired.com.

EDITED TO ADD: Yes, I am ignoring TEMPEST attacks. I am also ignoring black bag attacks against my home.

Tags: , , , , ,

Posted on October 11, 2013 at 6:45 AM245 Comments

Comments

KBart October 11, 2013 7:24 AM

Hm, you actually can install everything you need without connecting to Internet ever. Most of Linux distributions have offline installations made specially for this purpose. They include most of drives/packages available. And if that’s not enough, you can easily add missing drivers/packages/software yourself.

Henrik October 11, 2013 7:35 AM

Great ideas, you could use SD cards which often have a physical write protect tab – to ensure writes to not occur.

also I would definitely use multiple user IDs on this computer, one for reading PDF, but not having access to other stuff. Yes, IF the exploit ALSO includes an operating system root exploit, then you are toast, but still it makes it harder to have multiple compartmented user IDs I think.

Phil Hudson October 11, 2013 7:36 AM

I hope I misread this. It looks as if you are suggesting that MS Windows is an appropriate choice of OS for a secure system.

ramriot October 11, 2013 7:42 AM

In answer to Henrik’s comment, SD cards do have a write protect tab but it is not able to stop writing to the card.

I use this feature to boot load custom firmware into my Canon digital camera. i.e with tab in write card works as normal, with tab in no-write the normal camera firmware checks for a specific disk image on the card and then boots from that image after which the camera works fine and is still able to write to the card.

Gix October 11, 2013 7:46 AM

Why not building yourself a LiveCD distribution and using that ?
Puppy Linux also fits the bill.

NickP October 11, 2013 7:52 AM

@ Bruce Schneier

Excellent breakdown!

“Yes, I am ignoring TEMPEST attacks.”

We all do for PC’s. It’s forgivable. 😉

@ All

Technical solutions and analysis of air-gapped, file transfer methods I posted in the past:

https://www.schneier.com/blog/archives/2013/09/how_to_remain_s.html#c1742081

I strongly recommend Bruce’s tip about using low risk formats such as text files. I’ve been doing that and promoting it for years. It will also save you disk space. 😉 Terry Ritter also promoted Puppy Linux LiveDVD for security-critical apps b/c (1) it’s a RAM disk and (2) as Bruce said, disk activity makes a noise you can actually hear. Nice concept.

konst October 11, 2013 7:54 AM

I was wondering the same thing. Are you actually using Windows as your operating system? Seeing the close ties that Microsoft has with many government agencies I think Windows is compromised.

kronos October 11, 2013 7:55 AM

I have one PC at home running Windows XP that connects to the internet maybe 2-3 times per year. It’s over eight years old and other than one harddrive failure is about as trouble-free as anything running Microsoft can be. Friends don’t understand why I never use it for web surfing but from a security and up-time standpoint the benefits far outweigh the problems with an air gap.

konst October 11, 2013 8:03 AM

@Bruce I’m sure you know a hell of a lot more than me about cryptography and probably securing systems but may I make some suggestions.

  1. Use Gentoo hardened with the grsecurity patched kernel. This kernel+patches protects against many exploits even those unforseen. Link: http://wiki.gentoo.org/wiki/Hardened_Gentoo

Some of it’s features:
* Enabling specific options in the toolchain (compiler, linker …) such as forcing position-independent executables (PIE), stack smashing protection and compile-time buffer checks.

  • Enabling PaX extensions in the Linux kernel, which offer additional protection measures like address space layout randomization and non-executable memory.
  • Enabling grSecurity extensions in the Linux kernel, including additional chroot restrictions, additional auditing, process restrictions, etc..

Don’t choose the SE-Linux options.

wumpus October 11, 2013 8:05 AM

“One thing I didn’t do, although it’s worth considering, is use a stateless operating system like Tails.”

While Tails looks good, it doesn’t seem to be built with an air-gap in mind. Using something like Knoppix seems more appropriate, or even better use a customized one that removes most of the features. Note that some of the smaller linux distributions allow loading into memory. This can allow users to use a single optical drive for both loading the OS and writing to the drive without having any hard drive necessary (it sounds like a notebook was used in the example). An extra benefit of loading the entire system into memory means that the loaded OS image never is in the machine after it is touched by any suspicious media. Any malware that is on media passed to this computer must then corrupt the system each time.

“Yes, I am ignoring TEMPEST attacks. I am also ignoring black bag attacks against my home.”

And as Jim Andrakakis mentions, rubber hose cryptography. Only in this case I’d expect it in the form of an NSL. One of the big problems in cryptography is how well Alice and Bob treat their plaintext. Once you set yourself up as a high profile receiver of NSA leaks, I’d simply assume that you have received an NSL and that everything you send is being sent to the NSA on pain of indefinite solitary confinement.

Wm October 11, 2013 8:06 AM

I am not paranoid, but I am disappointed that Bruce didn’t also suggest that you should keep your computer in a Faraday box.

Dave M October 11, 2013 8:10 AM

I believe that a microwave oven will make optical media quite unreadable before disposal. Try 10 seconds. I’m not sure if the microwave is safe for food use after you destroy a boatload of DVD’s, though.

bil October 11, 2013 8:10 AM

Bruce,
Given the software you’re using, I’d suggest using linux as the OS. I also like using encfs to encrypt folders with sensitive data–that way, it’s locked down when you’re not actually using the files. With full disk encryption, everything’s open while you’re logged in. And if you’re paranoid, I’d suggest converting the PDFs to another format prior to transfer, and running hashes on your static files so you can detect changes.

konst October 11, 2013 8:12 AM

To add to my suggestions. A Linux distro based on Gentoo with grsecurity extension is Tin Hat Linux. Link: http://opensource.dyc.edu/tinhat

From the description: “Tin Hat was conceived as a challenge to the old mantra that physical access to a system means full access to the data. This is certainly true in the case of unencrypted file systems, and at least potentially true in the case of encrypted. Rather, Tin Hat aims towards the ideal of guaranteeing zero information loss should the attacker physically acquire the box — either the adversary is faced with no file system to even begin cracking, or if any non-ephemeral memory is found, the adversary should not be able to tell if he is looking at encrypted data or random noise.”

Axon October 11, 2013 8:12 AM

You’re trying to reinvent the wheel here, Bruce, and I’m afraid you’re not doing a very good job of it. You really should read about Qubes and consider using it.

jeff October 11, 2013 8:14 AM

I’d second the motion to avoid Windows and get a small, secure Linux/OpenBSD image burned on a liveCD. Once you’ve created that, boot only from the CD, completely wipe and then encrypt the hard disk and use it only for data files. You can even set up the mount parameters of the hard disk and removable media to prevent execution of binaries. Wouldn’t be foolproof, but should help.

Jeff

Gweihir October 11, 2013 8:20 AM

Some remarks:

  • 1. It is quite possible avoiding to connect the computer to the Internet at all. First, wipe the disk using a Knoppix CD or the like. Then install from CD/DVD only, said Knoppix or a set of Debian DVDs is a good choice. Of course, if you are stuck in the MS island of incompatibility, it may indeed be impossible, but there is no real reason to go there.
  • 2. Does not apply if you avoid the Internet completely.
  • 3. Completely agree. Remove wireless card to be sure. Make sure it can be removed when buying the computer.
  • 4. Using a source that has a good approximation to being feature-complete, like said Knoppix, or Debian, you may be able to avoid installing anything from the Internet. If not, your approach is good advice. You may also want to download from several different sources over several different channels and compare checksums.
  • 5. “Autorun”? What is that? (Sorry….)
  • 6. Most things can be converted to RTF, which cannot really transport malware (it can but getting it to execute is basically impossible). Of course, if possible, use plain ASCII. Even Unicode is a risk.
  • 7,8. Use blank media, and use each only for one direction. Destroy after one use.
  • 8. You can get USB sticks with a physical write-protect switch from PQI, even in USB3.0. (PQI seems to have understood that there is a market segement for these.) Not quite the same thing as a write-detector, but also useful.
  • 9. Using random data to fill is a risk, unless you can verify its integrity (in which case it is not random). Far better to use a pattern and verify that on the target or an intermediate “checker station”.
  • 10. Encryption also helps by providing integrity checks, especially if you do an integrity verification in between. Unless the checking machine is compromised in exactly the same way, the checks will fail.
  • 11. Tails is not really a good choice here. It is too limited and intended for Internet connectivity. For stateless use something like a Knoppix DVD that has a good set of features.

Alan October 11, 2013 8:22 AM

A conventional (gas or electric) oven is also a good way to securely “dispose” of optical and magnetic media. 450F for 15-30 minutes usually does it. I use a foil-lined cookie tray to preserve the tray… And do this when nobody is home for a few hours afterward so the “fumes” have time to disperse.

For flash memory, a hammer works pretty well.

bob October 11, 2013 8:37 AM

I’ve always wondered about making a one-way ethernet cable.

You could chop the incoming data line and then use UDP or similar to dump stuff off the “offline” machine without any risk of incoming transmission.

If you positioned your connection’s byte counter somewhere visible, you’d have the same warning that your computer was compromised that listening out for the CD drive gives you.

Would be more convenient than CD and safer than a USB stick.

Juice October 11, 2013 8:50 AM

If you can’t find a small thumbdrive, would creating a truecrypt volume that filled all available space give you the same advantage? Or would malware just see the mounted volume as another drive?

Secret Police October 11, 2013 8:55 AM

A live operating system DVD/CD would be best because no attempts to bridge the air gap would last past a reboot. Tails has Truecrypt built in but you have to activate it in the boot options. Dee.su Liberte Linux is a much better distro with grsec and hardened gentoo but it hasnt been maintained

cowbert October 11, 2013 9:01 AM

It’s easy to disable a builtin camera (especially if you’re not using it at all): cover the camera with a piece of duct tape. It’s slightly harder to destroy a builtin mic, but most of them don’t require too much effort with a paperclip or tack to destroy the diaphragm.

OpenBSD October 11, 2013 9:02 AM

Bruce’s howto is also useful to companies: NSA may well have been an intermediate between Pretrobras and some unknown israel company https://www.schneier.com/blog/archives/2013/09/new_nsa_leak_sh.html

@AlanS, one post about Qubes was enough; three posts look like advertisment.

NSA should be able to activate some backdoor in XEN (remember that Intel VT-x and AMD-V should have been backdoored by NSA) even in Qubes.
Hence it is better not to transfer any PDF on an air-gapped computer, but only text files. With Qubes, one may be tempted to transfer the original PDF (or even to put the computer on a network) because of a relative sense of security.

Bruce will do less mistakes with a networkless Windows installation than with a networkless Linux or OpenBSD or Qubes or http://www.scs.stanford.edu/histar installation if he is not used to these OS.

Each mistake may be an improper encryption. At some point, when he will have spent time to learn some other OS on a normal computer, he will then want to use the same computer on his airgapped laptop.

Bruce should nonetheless physically take out the wifi, and the bluetooth. And the microphone, if we assume that the sound card may listen and interpret morse code or another sound code.

Note to Bruce: Don’t share the keyboard (or mices) between secure and internet computers: a keyboard may hide an USB key that the NSA can activate.

Layer_8 October 11, 2013 9:07 AM

@ Bruce

Years ago my favorite way to stay secure (enough for my private needs) was to use a second harddrive in an exchange frame and with a hardened operating system with no network driver installed.

The second hardddrive was fix built-in configured as normal system that was able to surf and work.

Beside a small partition on the internal harddrive, any partition was full encrypted to be sure, that none of the operating systems was able to see the other and do anything unwanted.

This worked fine for me, because the information I wanted to protect were always offline when I could go online. Exchange was realized with the small partition that was FAT32 formatted (also to prevent ADS).

(The ultra-paranoid way to do this is to buy two identical computers, configure one using the above method, upload the results to a cloud-based anti-virus checker, and transfer the results of that to the air gap machine using a one-way process.)

I think the ultra-paranoid way would also avoid:

  • connecting the system to the wall socket to prevent any manipulation of the power supply or any traces by consumption of electricity
  • use shielding wallpaper in an empty basement room with no windows
  • under no circumstances use one system to work worth protecting data with and something else (like I did)
  • live in a house older than 1950 (only to be sure that no electronic bugs were built-in with the cement)

I am sure you would have much more examples what could used to identify someone as “ultra-paranoid” 🙂

Gweihir October 11, 2013 9:10 AM

@Bob: Forget about that Ethernet cable. Ethernet does handshaking on connection establishment today, i.e. your cable would not work at all.

What you could do is a classical RS232 and use a microcontroller to monitor what goes into the undesirable direction and optionally block it. Or use hardware handshake lines, then you can actually cut one direction.

Side note: RS232 goes up to about 2Mbit/sec today (with special cards that are still 16550 compatible otherwise). I looked at the possibility to have anomaly detection on such a link using a very simple protocol on top for connecting a high-security system a while ago.

Gabe October 11, 2013 9:11 AM

Even if you buy a computer “off-the-shelf in a big box store”, you have no way of knowing how many times it has connected to the internet before you purchased it (during assembly, etc). Also, you have very little way of knowing what’s embedded in the bios.

Gweihir October 11, 2013 9:13 AM

@AlanS: For the purpose at hand, Linux does not have the one main vulnerability of Windows, namely that it needs an Internet connection during installation.

California Bob October 11, 2013 9:16 AM

Wikipedia has an article on Linux distros that run in RAM only.

Puppy Linux is the most popular as listed on DistroWatch. It loads completely into RAM from 3 files amounting to less than 200MB on a USB flash. Latest versions are Slacko-5.6 and Precise-5.7. You can use any Ubuntu, Debian, or Slackware package, or compile from source to be on the safe side.

For the net, just plug in a USB wifi dongle, connect, get the stuff, and then unplug. Remember, everything in RAM dissapears when you unplug the PC, so no traces are left. You must explicitly save anything you want to keep on a device outside the RAM filesystem, e.g., a folder named ‘/downloads’ on the same USB flash drive.

Hope this helps.

Scott October 11, 2013 9:21 AM

LiveCDs are a great idea, but I would also suggest using read only virtual machines if those aren’t practical. It’s fairly trivial to eliminate all connectivity via software and it provides another level of encryption through the host software itself.

As Bruce mentioned larger companies like Microsoft, Oracle, and VMWare can and have been pressured into providing backdoors, so use an open source hypervisor instead.

P.S. If you’re interested in alternatives to traditional ethernet physical layers, try Firewire or HDMI. They’re much faster than RS232 and the cables for the latter are cheap, as in disposably cheap.

Ben October 11, 2013 9:23 AM

What do you think about connecting the PC to another PC using a serial port and then using software like zmodem to up and download files manually on demand?

ManInATux October 11, 2013 9:25 AM

I’m a Linux programmer and systems administrator. I also dabble in Microsoft Windows because of the demands of my occupation. Many of you will likely hate on me for stating this, but for the purposes and corresponding methods described I don’t think a Linux distribution will be any more “secure” than using Microsoft Windows.

Yes, I can freely examine the code and build it myself on Linux, OpenBSD, etc., but it would take me years to do it right. I can even do that with Windows through a NDA, but again I’d never get anything else done. I might as well build Multics on an Itanium system. If Bruce were doing all that, he’d never have time to deliver any more speeches, or write any more books, articles, or blog entries.

If you use Windows every day, then use Windows and figure out how to secure it as best as possible. Same with any other OS.

r October 11, 2013 9:25 AM

You guys are forgetting forensic hardware write blockers. Those things could be used to read data off a usb stick without risk of data being written to it. That assuming you trust the company that made them. Or just use the medium once and destroy it.

As for extracting data from the air gapped machine, the true paranoid would encode a text file (or base64 encoded any file) in a series of high capacity 2d barcodes (such as a PDF417), print and scan them back.

kronos October 11, 2013 9:26 AM

@ Alan “For flash memory, a hammer works pretty well.”

A hammer would also work well to destroy CDs and DVDs. If one were truly paranoid, they would distribute pieces of the broken media into multiple bags and dispose of said bags in widely separated parts of town. 😉

Eligius October 11, 2013 9:27 AM

Have you considered personal virtualisation?

If you’re unconfortable with any OS other than Microsoft’s, you could install a Debian using full-disk encryption, a tiny window manager (not Gnome nor KDE) and VirtualBox on it, do a secured Windows installation (trusted media, trusted programs, etc) and then turn the image immutable. For added security you could wipe the Linux free space from time to time, as VBox’s method to track usage when running is writing a file with the differences between the initial status and the currently running. Extra points if you configure the Windows-inside-Virtualbox without any networking interface and mount external drives on Linux passing the data using the Shared Folders functionality to mitigate autorun vulnerabilities, enabling read-write only when necessary.

In a much less paranoid fashion, that’s what I’m using as a programmer who has to do tests from Windows environments from time to time. As maintaining a Windows OS is time consuming and it eventually rots to the point of require a reinstall, I have a well-known-working configuration in an immutable state so I can run any tests whatosever on the virtualised OS without worrying about the consequences: as soon as I turn it off, the next time I start it it’s back in a fresh state.

Mike Acker October 11, 2013 9:30 AM

I second the motion on Linux. I’m using Linux/MINT these days and find it fills my needs for the stuff I do

I wouldn’t buy a ‘puter “off the shelf” — ever again — after having built my first one. I recommend Building the Perfect PC (O’Reilly). You can get it from Amazon. The book will explain how to match all the product codes — so that you get a set of parts that work together. I had a lot of fun doing my first one. I used an Antec ATX case and power supply; ASUS mother board (M5A88M), Wireless card and CD/DVD drive, AMD CPU, and Seagate SATA 1TB hard drives. check carefully what all you want to connect to your ‘puter as you select your mother board.

if you want to build an INTEL base system for LINUX I’d stay away from boards using Intel EFI or UEFI at least until they are keyed for Linux. even so this stuff may require the computer to “call home” — i.e. connect to the net — before it can complete its boot-up . stick with AMD/ATI graphics — avoid NVIDIA if you are building a Linux box.

be sure to visit the Ubuntu/MINT support forums when you need to .

Linux — either Ubuntu or MINT — will include Firefox, LibreOffice, Thunderbird via the install; there is a program library where you can get extra stuff– like the Chromium Browser — which is the Open Source version of Chrome.

GnuPG is also included with the Linux install.

All that you need to do is activate Thunderbird and activate your e/mail accounts. I use CoreComm — which is a non-free service — which says they do not monitor activity.

Next, add the ENIGMAIL plug-in to Thunderbird. In Ubuntu all I had to do was search plug-ins for ENIGMAIL and click install. On MINT I had to download the package in install it .

Once you have that done you can generate your key pair. Once you have that done you can exchange PGP mail with others who have the same capability. This is NOT like a “hush mail” or “secure mail” service: your provider doesn’t decrypt you mail… nor does he have the keys to do so…

ToR

ToR still seems to be the best way to avoid Traffic Analysis although I wouldn’t use it: NSA like to try and figure out what you are up to. Playing with PGP is just a fun hobby. it really is pretty cool stuff.

later we’ll get into Trust Levels as they apply to the keys people send you.

Scott October 11, 2013 9:32 AM

Oops, I wish I could edit my posts.

One last suggestion- use OpenBSD, or if it doesn’t work for your circumstances, some other flavor of BSD Unix workalike instead of Linux. It’s my completely unfounded and unsubstantiated belief that BSD’s architecture and conservative approach to release and testing make it more secure than Linux, especially when it comes to zero-day exploits.

G October 11, 2013 9:36 AM

Building your solution on top of Windows is the equivalent of building a house on a foundation of quicksand. You are compromised out of the box.

I would suggest exploring Liberte Linux, which is hardened Gentoo but more minimal than Tails. Ask @ioerror his opinion on Liberte. These live systems are fast now off media and you should be able to accomplish everything you need with greater confidence. I would load it (with no persistence) on an air gapped computer with no OS loaded on its hard drive and updated bios. That’s it. Files on separate encrypted media. I would physically remove speakers and camera. I would only use the virtual keyboard, not a real keyboard. But only wired peripherals, if necessary. And if I needed an internet connection, I would use a different version of Liberte Linux on different media on a different computer. That should increase your air gapped and your internet connected OS.

Tinker October 11, 2013 9:36 AM

Bruce! You stated, “I have met people who have physically removed the camera, microphone, and wireless capability altogether. But that’s too much paranoia for me right now.”

Now they know your habits and can establish a proven attack vector! I mean, if it can be done to Miss Teen USA, it can be done on anyone.

I believe the best solution has been stated: Electrical Tape over the Camera Lens and a thumb tac through the mic hole.

(Why am I making fun of the paranoid, when I am one of the paranoid…?)

Michele Moore - Happy1 October 11, 2013 9:45 AM

GREAT suggestions Bruce, many thanks! A few thoughts…

Detach Your Wireless Card – Don’t trust your operating system to do it for you. I had horrible problems with data integrity on a laptop which stopped abruptly as soon as I physically detached my wifi card.

Beware of Encryption – If a keylogger is on your device, you can be locked out of your own data. Adversaries can pull your password and change it on your encrypted files which leaves them with your data and you out in the cold. This has happened to me.

Use Micro SD Cards for Data Storage, NOT USB Sticks – Micro SD cards are small and easily hidden. Just don’t forget where you put them.

Assume Keyloggers And Compromised Software Are Omnipresent – And then figure out how you can evade them.

Strict 7 x 24 Physical Security for Key Devices – This means sleeping with them under your pillow and keeping them in view at all times, like when you shower and exercise.

Many, MANY THANKS for all you do!

Michele Moore – Happy1 (U of R ’71)
http://ReportingWrongdoing.com

konst October 11, 2013 9:47 AM

After looking up the suggestions to use Liberte Linux it looks pretty good. Could be useful for journalists and human rights activists, etc. It’s probably better than Tin Hat Linux so Liberte Linux looks like the Linux I will recommend from now on.

Jeremy October 11, 2013 10:00 AM

I’ve often thought that for the truly paranoid, there needs to be an OS/Device that is So minimal as to make personal auditing feasible.
Linux is 5-15 MLOC, Firefox is 10MLOC.. Do you need all that?

Brian M. October 11, 2013 10:04 AM

Ah, the fallacies of the air-gapped computer with the sneakernet of the (floppy|USB|other) drive!
#1: Don’t do that. That’s how viruses hop from computer to computer. If you absolutely must do that, use the media once to go from the “dirty” machine to the “clean” machine, and then throw it away.
#2: Use a null-modem serial cable with an LED breakout box and UUCP, or two terminal emulator programs for transferring files. This transfers file by file, and you can see the lights flicker on the breakout box as the transfer happens.
#3: http://distrowatch.com/ is your friend for Linux distros. There are lots of choices for live CDs.
#4: Use different architectures. You can have your networked computer be an ARM or SPARC, and your isolated computer be Intel, or something like that. There’s lots of choices for non-Intel architectures these days. The virus that works on Intel won’t work on ARM, etc. At home I have a PA-RISC workstation, but that’s only used for working with HP-UX. I also have some non-IA boxes, mainly because I like mucking with them, not for security.
#5: Learn to use a network sniffer. Wireshark is your friend! You can get a low-cost smart switch that can mirror ports, so port 1 can monitor port 2, etc.
#6: Learn to write firewall rules and use browser helpers that limit what your browser does. A lot of these exploits rely on Java or JavaScript to function.

Yes, the same binary chunk can contain exploits for more than one architecture. However, something like that is mainly a downloader for the actual malware, not the complete package itself. And yes, there are exploits for all virus scanners. After all, 99% coverage means 1% missed viruses that are known to the researchers.

Honestly, if I wanted to compromise an air-gapped Windows box, I would write a virus that uses RFI to send a signal. A one-way channel is better than no channel. (And I’d have a friend buy a TEMPEST laptop for me, then run a Linux distro on it.)

Engineer October 11, 2013 10:15 AM

Frankly, I think it’s kinda astounding that you’re using windows. Given the completely lax security of Microsoft over the past decades you’re trying to plug up a machine that is full of holes.

Why not use OS X, from a company that takes security seriously, and that updates its software regularly and automatically?

Or Linux or OpenBSD – the latter being both open source and focused on security?

Seems this should be recommendation number one for an air gapped machine… then you don’t have to worry about “auto run” and the other built in bad practices.

AVee October 11, 2013 10:23 AM

Frankly, I don’t get the fuzz about the choice of OS for the airgapped system. You use the airgap because you assume the OS isn’t secure enough in the first place. Once the airgap is in place (and maintained properly, which is the hard part!) it shouldn’t matter what’s running on it. It might be full of keyloggers, trojans and be totally vulnerable, the point of the airgap is to make sure this doesn’t matter because stuff can’t escape the system. If you think it does matter you’ve got the airgap wrong.
Having said that, physical access might still be a problem. If you think you will be raided or someone might be willing to break into your home and bug your PC with hidden transmitters you need to take more measures. But if that’s the case it’s also wrong to rely on the security of the OS as somebody might simple be streaming from your monitor to the outside world seeing everything you see. I’d say in that case you might be best of with a pure read-only system for the sensitive stuff and old fashioned typing to transfer stuff which you intend to publish.

Marc-Andre Heroux October 11, 2013 10:33 AM

@Bruce,

For a MS-Windows connected to the Internet, I suggest you to have a look at: Comodo Firewall, http://goo.gl/8b5k1V

I have been able to define very granular rules/logging/etc. against applications and processes.

I agree, it takes little optimization time and research to apply some restrictions (like passive/active FTP), but you can control incoming/outgoing traffic per application and not only on packet.

Have a good one!

John October 11, 2013 10:36 AM

And don’t take candy from strangers. Especially old creepy dudes with trench coats standing next to a dark van.

Mark Six October 11, 2013 10:50 AM

Hi Bruce,

I would say that stop using Windows and be vigilant about phishing attacks is adequate to protect the average person. Of course, for somebody like you, additional measures is needed.

But, here is an additional question for you consideration. Are your would be attackers more interested in stealing your information or simply destroying it? Because encryption is useless in the latter case. You need something else.

Figureitout October 11, 2013 10:53 AM

WARNING
Do not click on Rob Legend’s name, Mod you may even want to remove. I knew it was suspicious and found out the hard way.

Like Michele Moore – Happy1 said: This means sleeping with them under your pillow and keeping them in view at all times, like when you shower and exercise.
–I would say bury a trusted device too; but could be found.

A concern of mine, is if the “secure solution” is a liveCD of linux of bsd, won’t that become a target?

Bruce
–I’d at least just keep an extra eye out, if they do enter your home you won’t really notice it. Not comforting advice, and since you’re on the road a lot, that may be an empty house and easy target….

vw October 11, 2013 11:00 AM

As an employee of a US DoD contractor, we maintain several air gapped systems (standalone and isolated networks) and many of the policies we implement are similar to your suggestions. I can also suggest:

Don’t use use thumbdrives. There have been cases (I don’t recall if they were proven or suspected…google if you’re interested) of thumbdrives from foreign manufacturers containing malware in the drive’s firmware. WORM media is the best (cd, dvd, etc.). After verifying and virus scanning the media, try to write to it again on both sides of the gap to ensure it doesn’t have an open write session.

Virus scan everything on both sides of the gap in general.

We don’t allow downgrading (isolated to internet transfer) of many file types including MS Office files because of the “hidden” metadata…it’s tough to scrub. So we do text files mostly. A safe option for shorter documents is to print them on the isolated system and scan them on the internet system. If you need to edit again, use an OCR package.

Make a known-good copy of your system install and restore frequently. (this is related to your suggestion of Tails)

Enable all the audit logs you can and review them frequently.

We don’t physically remove webcams but we try to buy hardware without them. If it’s unavoidable (it’s tough to get a laptop without one these days) we put duct tape over the lens.

Steven Hoober October 11, 2013 11:03 AM

Too many comments, so maybe someone already did this but:
The Air Gap: SCADA’s Enduring Security Myth

Unusually for ACM articles, full text is available:
http://cacm.acm.org/magazines/2013/8/166309-the-air-gap/fulltext

“…Before I go any further, I must clarify what I mean when I use the term “air gap”: What I am referring to in this column is the philosophy that says we can truly isolate our critical systems from the outside world. And this is where the myth—and the danger—lies. To begin, I do not believe true air gaps actually exist in the ICS and SCADA world. Moreover, many SCADA security experts have even stronger opinions than me on the subject—for example, see Craig Wright’s blog.a However, I do acknowledge (albeit reluctantly) that not everyone agrees with me on this…”

Fairly involved CSish discussion of why it’s not generally applicable. Bruce’s info seems good for special purposes, but promulgating air gaps as a day-to-day working environment for machine control equipment, etc. he argues is pointless.

Dv October 11, 2013 11:13 AM

Back in the 90s, as broadband trials were first starting to roll out, I needed a NAT box to share my internet connection amongst all my computers. This is back before you could walk into Walmart and walk out with a little router box. Back when folks would refuse to install broadband for you unless you ran Windows.

So I hooked up a 25Mhz (Yes, 0.025Ghz) 486 running Linux. (That was a “fun” conversation with the installer who wanted Windows. I told him go ahead. We can put Win95 on that. But I’m going to wipe it as soon as he leaves. Having Win95 on floppy, like 25 or 30 disks, helped persuade him to a more reasonable course of installation.)

That tiny box didn’t have enough disk space, so most of the Linux OS was offloaded onto a custom burned CDROM. Syslog was configured to dump all messages to the console, which was displayed on a $10 monitor off in the corner.

Whole thing was slower than molasses in January. But for a network router it worked just fine.

There were occasional break in attempts. Having everthing under the sun shutdown, and ssh configured for local access only with passwords disabled helped.

It was interesting to watch folks try to break in in real time. In the end, everyone gave up. I think they thought I had tarpitted the server slowing down their breaking attempts. Nope. The server itself really was that slow. Security through, well, I don’t know what you call it… Obsolete technology?

But it worked…

John Campbell October 11, 2013 11:34 AM

I think one other bit of useful advice:

DO NOT USE A WIRELESS KEYBOARD AND/OR MOUSE.

While this seems obvious, there are those who might go through all of the advised steps and completely ignore their rodent and keyboard setup.

Also, hopefully your laptop doesn’t have a 3G, 4G or LTE (“Let’s Track Everybody”) interface to the cellular telephone network(s).

Bauke Jan Douma October 11, 2013 11:54 AM

Isn’t it true that for a CDROM there is no discrete ‘writing only’ operation, that
it’s always write-AND-read (error correction)?

Peter A. October 11, 2013 11:56 AM

Guys, all of your advice really boils down to xkcd 538.

All these hardening and air-gapping tricks are fine to ward off indiscriminately, widely, automatically deployed attacks and surveillance as well as (possibly) protect against some booby-trapped “top secret” files. These techniques will greatly help to fly under the radar of the surveillance agencies. They may even be able to stop remote covert targeted attacks if any part of alphabetic soup gets to know that you’re up to messing in their business.

But if you really piss them off, they have any possible variety of the $5 wrench in their shops. They have all the power and impunity to get anything they want from you – and more – unless you’re going to get a protection of their competition, and it is a risky business anyway.

Bruce is basically relying on a fact that it would be a very bad PR move to harass him now, and that the milk has been spilt already. He’s only trying not to leave obvious traces and open cracks for some overzealous lowly FBI agent or someone like that.

Brian Reiter October 11, 2013 11:56 AM

Am I the only one that is thinking of the “Van Eyk phreaking” from Cryptonomicon?

More seriously, the most surprising part of this for me was discovering that Brice Schneier uses Windows primarily and in extreme high security scenarios. I would have guessed OpenBSD.

Don Martin October 11, 2013 11:58 AM

Bruce, the problem with crypto is that it is subject to brute force attack, either at rest or capture and playback. You are welcome to use my technology that randomizes the encrypted data and disperses forensically non-discernible data to multiple Cloud storage providers. Even the file names and directories have Suite A security so that no file name can be mined or ads placed based upon content.

Also, you are welcome to use the World’s Most Secure File Transfer. Here is my personal invite: http://tinyurl.com/SFC-CTO

Once you install this you have the option to create a defense strength key of 15380 bits. The 1.5 minute video at that link will explain the concept. Provably secure…
Don

Impossibly Stupid October 11, 2013 12:08 PM

“I have met people who have physically removed the camera, microphone, and wireless capability altogether. But that’s too much paranoia for me right now.”

Given the increasing popularity of Raspberry Pi and other similar minimalist computers, it might just make good sense to set up a cheap air gap system without those features in the first place. No paranoia necessary.

Aaron Maxwell October 11, 2013 12:22 PM

Regarding this: Note: the first company to market a USB stick with a light that indicates a write operation — not read or write; I’ve got one of those — wins a prize.

… It would be wonderful for such a write indicator to be able to signal (a) whether a write is currently taking place, AND (b) whether a write has taken place at all since the stick has been plugged in. Could be done with the same light; darkened when first plugged in, blinking while a write operation is happening, and lit up (maybe at half intensity) if it was blinking at any point while your attention was elsewhere.

Lucas Luitjes October 11, 2013 12:27 PM

I strongly recommend Ubuntu Privacy Remix for airgapped machines with these requirements. They’ve gone to extreme lengths without sacrificing too much usability:

All network support (LAN, wifi, bluetooth, etc) has been removed. Local harddrives can’t be accessed, as support has been removed at kernel level. Removable media and TrueCrypt volumes are mounted using noexec, so nothing from external storage can be executed. It also has a custom user-friendly GnuPG frontend, and all the crypto software you might need.

https://www.privacy-cd.org/en

It contains most of the basic office software. To be honest I’m surprised it’s not more well-known in these circles.

Joe October 11, 2013 12:32 PM

The simple solution is this: once media has touched the clean system, it must be destroyed. The only way to get information off of the clean system is to print it out. They can compromise the system, but the worst they can do is wipe your info out.

Eric October 11, 2013 12:39 PM

I see a mention of a “one-way ethernet cable” in the comments above; those are a little complex to implement properly, but I have in the past used the serial equivalent–I was involved with a project that required unidirectional data communication, and the infrastructure of choice for one of the connections was a 25-pin serial cable with half the data pins physically disabled. Another method used three UTP -> optical fiber converters, set up so the xmit on one sent to the recv on the other; the third was used as a keepalive for the transmitter.

One particular aspect that is absolutely essential in all these methodologies, though, is that your security may be technically perfect, but you only have to slip up once–mess up reconnecting your media converter, mess up disposing of used media, mess up by being slightly too predictable in where you go to download your information–and you’ll give up the whole game.

It’s sort of the dark side of the “Data wants to be free” philosophy, if you look at it; even the data that you want to stay private will end up free unless you take special measures to prevent its’ dissemination. Consider that most of the various leaks that we’ve heard about recently were intended to be kept secret by agencies who are, definitionally, all about the business of keeping and finding secrets–if you want to ensure your data is safe from illicit surveillance, you will have to take measures at least as effective.

The one advantage that persons in the private sector have over government agencies is that there’s a lot more private persons than there are government workers; there’s only so much, even with technical considerations, that government workers can surveil in a day.

However, on the down side, if you come to the agencies’ attention specifically–if you become a person of interest–then that slim advantage of numbers goes away. The more interest you generate, the more resources will be brought to bear on you, and the less effective your attempted countermeasures will be.

It may be worthwhile for persons engaged in active work of a nature that might generate surveillance to take a leaf from special operations methodologies, and to adopt different pseudonyms for individual operations and activities, even to the point of avoiding the development of a reputation in the field–it’s much more difficult to track a throwaway nom-de-guerre than it is to track the identity of a reputed individual.

Czerno October 11, 2013 1:14 PM

Regarding the notion of a “physical” write protect switch :
you’d want to check with the vendor and/or by inspection and reading specifications (if available) that…

…the “physical” switch /does/ prevent writes absolutely, IOW, I would be concerned that a switch, while advertised as a write protection, in fact might /just/ set a bit telling the device (firmware) : dear device, do not write to the medium please !

Lest of course, subverted firmware – possibly even from factory – will be able to write to the medium unbeknownst.

Secret Police October 11, 2013 1:25 PM

HiStar mini o/s is good for text files, but I dont think they ever finished it as it became a commercial VM product. You can at least manually verify the code yourself as it isnt gigantic. OpenBSD is still the best coded, and best maintained system available Anybody interested in it should buy Absolute OpenBSD 2 that just came out which is written for the latest/current BSD release. The very cautious way they introduce new software and features is what I like best, no ramming into the kernel of blobs then hoping for the best. Can also run a live cd in secure level 2 so no NSA docs can attack the system. Ciphertite has an encrypted backup scheme for OBSD too

test October 11, 2013 1:28 PM

You can easily and securely erase optical media in a microwave oven. Just set it on top of a half-full mug of water and nuke it until the sparks stop.

Secret Policia October 11, 2013 1:36 PM

RE: #1. The ultra-paranoid approach does not protect you from malware shipped from the factory which is likely to be found on most super-bloated OEM Windoze boxes (as you might find in ‘big box stores’).

Also, why not just flash the firmwares of the same machine before re-downloading the virus-checked cloud store (rather than buy two identical machines)?

Arfnarf October 11, 2013 1:41 PM

Bruce
What are you actually using your air-gapped computer for?

With the only the software you listed all you can do is a) read stuff that originated on a non-air-gapped computer and b) write stuff that will be sent to a non-air-gapped computer.

Either way, what does the air-gap buy you? What am I missing?

Secret Police October 11, 2013 1:44 PM

Derr, I forgot the best reason for using *BSD. Yarrow and other carefully tested and proven robust PRNGs. The linux /dev/random is crippled now unfortunately unless you build your own extractor or use TRNG entropy keys. Considering nation states put considerable resources into sabotaging and researching existing PRNGs should probably make it a priority for any air gapped system.

cdmiller October 11, 2013 2:27 PM

From my armchair…

Airgap + wireless hardware in the system != air gap.

Second all the calls for a linux or BSD based OS install, live CD or read only flash OS medium, encrypted directories or partitions on removable storage.

Really like the idea mentioned of a small low powered Raspberry Pi type system built from the ground up, especially in light of the minimal workload (primarily word processing). This format also makes it easier to move or hide the whole system and multiple systems are cheap to set up. The smaller it is the easier it is to wrap it in tin foil or shield it from EMP’s 🙂

Mike Nomad October 11, 2013 2:39 PM

Done the AirGapped thing for years: Wired peripherals, OpenBSD (command line only), SneakerNet (SD cards), Text Files, and BURP for good measure.

I think Bruce is just pulling everybody’s leg about that Big Box Windows rig…

gonzo October 11, 2013 2:46 PM

A number of my friends and I have put together air-gapped machines. None of us have any need for them, but it was sort of a have a few beers and ask ourselves “what would we need to do if we were in circumstances requiring us to REALLY do it right.”

Here’s how we’ve handled it:

We used Gateway Solo 5300 laptop machines. Part of it was because we found a lot of six on a local craigslist sale for $100, but there was actually some thought that went into this choice:

  1. Its a machine designed and released before 9/11 and before the Microsoft DOJ settlement. Our view is that these events were the “sea change” that lead to the virtually unfettered cooperation by hardware / software/ bios vendors who wanted neither to be accused of “helping the terrorists” nor ground into gristle by the DOJ.
  2. They’re plentiful and cheap. You can find them all day long on eBay for $10 to $30.
  3. They run Windows XP well with unnecessary services turned off. (Yes, we use Windows XP — more on that below).
  4. The case design is easy to access and easy to modify for appropriately paranoid air-gapped machine purposes.

  5. Internal wireless card easily removed.

  6. Readily available 3.5 floppy drive and internal CD drives available.

Here’s the set up:

  • Wireless card is removed.
  • Case is opened up and external connectors for ALL ports except for RS232 are desoldered and/ otherwise removed from the motherboard. (a couple guys left USB, I did not). Those that cannot be removed have data pins snipped. Ethernet connector is removed.
  • The battery is “hollowed out” — which is to say the cells and circuitry are removed so that the thing that snaps in place is just a hollow shell.
  • A normally open pin switch is installed through the bottom of the case coming out of one of the feet. This switch is wired to a simple “power on time delay” circuit powering a relay coil that controls the connection between the main external power lead and the mother board. If the machine is lifted up, the switch opens and power is discontinued. The power on delay timer is such that the pin switch has to be depressed for about a minute or more before the relay is energized to supply power. Thus the power wants to be off. A quick interruption of contact with the machine from the desk kills power and it cannot be re-established without a delay.
  • Hard drive is wiped and a fresh install of Windows XP is put on. ALL unnecessary services are turned to DISABLED. Yes, we’re using Windows. But this machine will never ever be connected to the internet or, directly, to any other net-connected computer. Autorun is disabled. There are no USB ports, no firewire, no PCMCIA, all this stuff is physically disabled, turned off in BIOS and disabled in Windows (including by the absence of driver files)
  • Once Windows is set up and running, hard drive is full system encrypted with Truecrypt or Diskcryptor.
  • Virtualbox is set up with a working DOS 6.22 VM that can talk to the serial port if you left that connected.
  • Once everything is up and running, a vigorous memory testing software is run.
  • If all is well, the machine is opened up. The system memory is encased in circuit board potting epoxy, the PCMCIA port is filled with potting epoxy, the hard drive connector is epoxied to the main board, the screw for the hard drive caddy is super glued in place, the floppy disk (or CD/DVD RW, if you need to shuffle bigger files) is epoxied in place, and the machine is closed up and sealed with “tamper evident” tape.
  • Administrator password added to BIOS.

Overkill, yeah… and there are still some potential issues. But it is both air gapped and hardened against most evil maid attacks.

Bruce Schneier October 11, 2013 2:46 PM

“Hm, you actually can install everything you need without connecting to Internet ever. Most of Linux distributions have offline installations made specially for this purpose. They include most of drives/packages available. And if that’s not enough, you can easily add missing drivers/packages/software yourself.”

Yes, probably.

I’m not bothering.

Bruce Schneier October 11, 2013 2:49 PM

“I hope I misread this. It looks as if you are suggesting that MS Windows is an appropriate choice of OS for a secure system.”

Lots of people have suggested using Linux instead. Of course they’re right; it would be more secure. But for a computer not connected to the Internet, I’m not too bothered about the incremental loss of security that comes from using Windows. And it’s what I’m used to.

Bruce Schneier October 11, 2013 2:51 PM

“I am not paranoid, but I am disappointed that Bruce didn’t also suggest that you should keep your computer in a Faraday box.”

Seems excessive to me.

But, yes, we can play this more-secure-than-you game pretty much forever.

Bruce Schneier October 11, 2013 2:53 PM

“You’re trying to reinvent the wheel here, Bruce, and I’m afraid you’re not doing a very good job of it.”

Perhaps. I’m pretty happy with my setup. It balances security and usability in a way I am satisfied with.

Bruce Schneier October 11, 2013 2:55 PM

“Note to Bruce: Don’t share the keyboard (or mices) between secure and internet computers: a keyboard may hide an USB key that the NSA can activate.”

Good point.

I’m using a laptop, so that didn’t occur to me.

Bruce Schneier October 11, 2013 2:56 PM

“Even if you buy a computer ‘off-the-shelf in a big box store’, you have no way of knowing how many times it has connected to the internet before you purchased it (during assembly, etc). Also, you have very little way of knowing what’s embedded in the bios.”

Of course.

Seems like a reasonable risk to me.

Bruce Schneier October 11, 2013 2:59 PM

“But, here is an additional question for you consideration. Are your would be attackers more interested in stealing your information or simply destroying it? Because encryption is useless in the latter case. You need something else.”

Stealing.

There are sufficient backups of the information around the world. I don’t think it is possible for any power to execute a simultaneous attack and delete everything. And the risks of a massive data dump if the attack fails are too great.

Bruce Schneier October 11, 2013 3:00 PM

“Bruce is basically relying on a fact that it would be a very bad PR move to harass him now, and that the milk has been spilt already. He’s only trying not to leave obvious traces and open cracks for some overzealous lowly FBI agent or someone like that.”

Yes. That definitely figures into my threat model.

Bruce Schneier October 11, 2013 3:02 PM

“What are you actually using your air-gapped computer for? With the only the software you listed all you can do is a) read stuff that originated on a non-air-gapped computer and b) write stuff that will be sent to a non-air-gapped computer. Either way, what does the air-gap buy you? What am I missing?”

I am using it for your (a): to decrypt and read existing files. And is is buying me the ability to do that securely.

Anon October 11, 2013 3:07 PM

It would be more interesting if Bruce expanded on how security can be scaled in real world applications such as utility company trying to protect its SCADA system where the average employee can’t be expected to look at the back of a DVD to see what percent had been written or a gov/mil network where you have to worry about the next manning/snowden insider using those usb and dvd to steal data.

Greg October 11, 2013 3:47 PM

I haven’t ready every comment and apologies if these two points are already covered, but I would also disabled auto-mount which I consider completely separate from auto-run functionality.

I would also make sure your air gap system does not have a Firewire interface at all. No FW interface, not a disabled FW interface – this is really important.

chrisb October 11, 2013 3:51 PM

I am baffled by this post, frankly.

Rather than the NSA, don’t you need to watch out for the bad guys who are very much beyond the law, who would like to seize those documents? How many million or billion dollars of 0day exploits are you air-gapping? Have some of the exploits already leaked? Did bad guys buy some Booz Allen 0days before Snowden’s actions?

If you are concerned about the NSA, shouldn’t you get good lawyers and a legal fund, rather than worry about air-gapping and encryption? The stolen files are the property of the NSA!

NSA are the good guys and everyone can see that as the US and European legal systems begin to react.

Thanks for everything that you are doing to get us back to security.

Mike Nomad October 11, 2013 3:56 PM

Bruce,

Would you give us some sort of list/explanation of your hierarchy regarding risks, acceptable risks, and what your threat model looks like that lead to your 10 Rules For The Paranoid?

Things like, “I’m not too bothered about the incremental loss of security that comes from using Windows. And it’s what I’m used to.” certainly point to some sort of calculus being done. I think I’m not the only one that would like to see what bits (sorry) are being weighed, etc.

RobertT October 11, 2013 4:53 PM

Not wishing to make people totally paranoid but if you go to all these lengths to air-gap a system you also need to remove the possibility of communications over the power-supply back onto the 110AC (or 220AC) depending on where you are. In the US it is typical to have 5 or 6 houses on a given phase after the local transformer. In Europe it is not uncommon to have 100 or more houses connected to a given 220V phase.

All computers these days use switched mode power supplies (SMPS) these are small/lite ferrite core transformers switched typically at about 150Khz. This switching noise is easily seen anywhere on the same AC feed from the main transformer by simply connecting any oscilliscope or spectrum analyzer. So if your adversary has access to the same AC phase feed as you they easily can tell if there is an appliance with a SMPS connected to the AC power.

If your adversary is only interested in low bit rate return channels (say less than 100 bits per sec) then they can modulate the bursts of power that the PC takes ( this is done simply controlling the run time of some bogus process that does lots of computations = lots of power when this process is running), this in turn means increased SMPS noise amplitude. Since the 140Khz SMPS noise is visible anywhere on the same AC phase, it follows that the modulation is also visible anywhere. Hence we have a return channel.

Solution: Always use the laptop running off the battery while disconnected from the AC power. AND always recharge the battery either outside the computer OR while the laptop is switched off. For desktops use UPS (uninterruptable power supply) and the same procedure.

P.s. with the UPS approach remove that nasty beeper noise thingy that goes off when the AC power is not present its not a return channel but it’ll give you a heck of a head ache.

Eric October 11, 2013 5:25 PM

RobertT: A low-pass filter on the circuit for your secured system’s power supply will allow the 60Hz power to go through while blocking any higher frequency noise. You may also want to consider separating the electrical ground for your secured equipment.

Low-pass filters are pretty easy to construct; it can be done by wrapping the power cable around a ferrite core.

Alain from Switzerland October 11, 2013 5:29 PM

(slightly off-topic)

I had one computer off the internet for about two weeks, i.e. with an air gap. Did not use it for anything… Even though I write software for a living, or maybe also because of that, like for most people today for me a computer has effectively become a device to communicate. Without that option it is pretty much moot, except maybe when I make my tax declaration and so – but how can I know these days that the administration where I submit my tax declaration will remain protected.

A killer app for me (besides email) is Facebook, because unlike most other stuff on the internet is is not just (mainly male) geeks or otherwise just a few people, it is lots of people who otherwise have nothing much to do with computers (except email and ordering things online). Just re-uploaded holiday pictures and so to Facebook, but avoided mostly photos with people I know on them.

Other that that, I guess I just gave in and now trust in advance and hope that somehow the “verify” part will also happen in the USA and in the world…

I guess also the NSA has to adapt that the fact that they face billions of people with sophisticated (but at the moment very insecure) communciation devices and that most of them – in or out of the USA, US citizens or not – are no danger, rather the contrary, represent what they should protect.

Still, a bit spooky to think that likely all that people will do online in the coming decade or so will be recorded and kept. At least this might make historians happy in a 100 years or so… (and I am not even sarcastic about that part)

Thanks for reading 🙂

Alain from Switzerland October 11, 2013 5:32 PM

PS: For reading Snowden documents or writing about them, of course, an air gap makes sense 🙂

Scott October 11, 2013 5:37 PM

Reading the comments here, I think you reach a point where you are so concerned about securing your system that you forget about having anything sensitive enough to warrant anyone trying to hack it in the first place.

SpaceTruck October 11, 2013 6:00 PM

Sound might be an easy way to defeat an air gap. Many speakers and microphones could probably use frequencies above human hearing. If there is any networked computer or cell phone within the room, its microphone and speakers could be compromised to become a relay. Of course the air gapped computer would have to get infected first.

Almost any computer without hurricane shielding could probably be manipulated to transmit radio waves in various ways, such as by oscillating the voltage on a usb, audio, or video cable. Redundant modulation schemes can extract extremely faint signals from far below the noise floor.

Nearby wifi access points, computers with wifi, cell phones, and maybe smart electric meters, could be compromised to make convenient receivers. Alternatively, a high gain antenna anywhere within a few miles could probably pick up the signals. I wouldn’t be surprised if the FBI already has such TEMPEST antennas spread around major cities.

A data diode could be useful to keep data flow one way. They’re traditionally electronic, but the security of an electronic one might be hard to audit if you don’t have a deep understanding of electronics. A mechanical version would be a little slow, but could be more obviously one way, and more easily constructed at home. It might consist of something like a solenoid rapidly flipping a switch, or mirror tape stuck to a speaker cone deflecting a light beam across a photo resistor. A third computer could monitor the switch flips and have no other function but to display all data passed through the data diode.

Paper printout and OCR might make a good data diode. But beware the side channel already implemented in color printers, whereby a pattern of light yellow dots encoding the printer serial number is printed out on every page to facilitate tracking of counterfeit money printing.

It might help to have two air gapped computers. One that only receives data through a diode, like encrypted emails to be read, and another that only sends out data through a diode, like emails to be sent or articles to be published. That way, the sending computer will be hard to infect, and if the receiving computer is infected, it will be harder to exfiltrate the secret keys, passwords, etc. You may even want a third computer for those occasions where you must send and receive on the same computer.

RobertT October 11, 2013 6:05 PM

BTW dont under estimate the possibility that a sneak’n’peak team will be sent in, its much more common than I originally thought, although I travel to lots of unfriendly places so that might be part of the problem. You also need to take steps to physically secure the laptop while you’re not using it. I recommend you learn the phrase “Thermite is fun”, print it in big letters on the safe that secures the laptop, anyone that has EVER seen a thermite charge go off wouldn’t risk touching the safe. Trouble is its a little difficult to get thermite through Airport security, personally when on the road I use a combination of Steel-wool with a suitable oxidizer and a mercury switch coupled to disposable battery to activate. Its not Thermite but you’ll definitely know if someone has touched the laptop.

Mike Acker October 11, 2013 6:34 PM

@Scott “Reading the comments here, I think you reach a point where you are so concerned about securing your system that you forget about having anything sensitive enough to warrant anyone trying to hack it in the first place.”

the fundamentals of security is simply to make the cost of breaking in greater than the anticipated value of the target

I’m an ORF* now so anything I do is basically hobby/curiosity type stuff.

one item that really has my attention is this “Apparmor” product. Originally from Novell (if memory serves)

the interesting thing about Apparmor is that it seems to be a very significant extension to security operations: With Apparmor we are concerned not only with who you are — but what program are you using — and what are you trying to do with it.

For example I should be able to limit Firefox to access only the /documents area, excluding my /correspondence sub-directory.

I have played with this a bit already but I need to do more.

If you think about the concept — the implications for securing a system are pretty interesting. Put LibreOffice into an Apparmor profile and you should be able to stop any macros or scripts from accessing areas that should be off limits — but are not — because when you sign on — you then have access to everything that you “Own” … using any program …

I need to learn more about this concept.
~~~
* “ORF” : Old, Retired, FELLOW. don’t ask my wife to re-state this acronym ( tee hee ) .

EvilMinionsInc October 11, 2013 7:18 PM

Good news everyone! There’s a faster and more efficient technique.

Step 1. Setup airgap.
Step 2. IF arrival of ‘inspection team’ THEN Follow them to HQ. ELSE Step 5.
Step 3. Orchestrate operation LASER SHARK
Step 4. DO Step 1 – 4 UNTIL BREAK
Step 5. Setup the real airgap.

You thought the management of SPECTRE were crazy for living in volcanoes, moon hotels, and underwater bases. Who’s laughing now!

RobertT October 11, 2013 7:40 PM

@Eric,
You can definitely add a Low pass Filter to the power supply but you need to understand how by many db the Conducted RFI emissions must be suppressed before the signal is undetectable by the adversary. I’d usually want the signal (140Khz) to be at least 40 db below the background noise of the system. So you need to use a Spectrum analyser to see just how much system noise exists before you know how good a filter to build.

On a more technical note: it is reasonably easy to build a good differential mode AC line filter (filters Active/Netural) unfortunately it is VERY difficult to build a good Common-Mode Line Filter.

So I’ll stick with the advice just use a battery to power the system.

PPS: I should also mention that return channel Power Supply comms is also easily achieved by modulating the power usage in bursts synchronous with the AC line frequency (50 or 60 hz). What this does is to create a phase modulation on the moment of SMPS “in-rush-current”, this point will move about in time because the main storage cap in the power supply sees its voltage amplitude modulated by the AC synchronous high power software task.

IF the storage cap voltage is lower, THAN the delay after the AC zero cross point (where the AC line signal (50Hz) forward biases the bridge diodes) is decreased (or phase modulated in comms speak) so the Amplitude modulation of the storage cap is turned into a phase modulation of the AC Current. This return channel can only transfer about 10bps BUT it can be observed on the MV (typically 11KV) side the AC transformer.

Not saying... October 11, 2013 7:43 PM

Best bet: post the ten things you are doing. Then make sure you are doing something completely different.

SpaceTruck October 11, 2013 8:08 PM

Another air gap data exfiltration trick is the LED, which almost every computer has. Late at night you might notice that an LED lights up a whole room. They can just point a telescope at your curtains and probably get a fairly decent data rate, possibly even in the daytime. With a flashing frequency above about 60Hz, the LED would appear to be lit steady, even if you look right at it.

If 1GB flash chips are bigger than you need, you could try serial EEPROM chips. They come in sizes down to just a few KB or less. You could use a USB to SPI or I2C converter and ZIF socket to load/read the chip. An EEPROM chip would have the additional advantage of being less likely to expose vulnerabilities of your operating system that a USB drive might exploit.

If you are going to use a USB drive, you might want to connect a USB protocol analyzer to capture all data loaded to the USB drive. If they do attack your USB drive, it would be interesting to analyze their method. If you announce you’re using a USB protocol analyzer, it may make it less likely they’ll attack that way and risk exposing their highly valuable air gap breach methods.

Nick P October 11, 2013 8:38 PM

@ AlanS

Qubes is a nice project. It tries to air gap computers virtually. Physical air gaps are much better for security, though. With Qubes, they have hardware to try to share in secure ways through various layers of software and they must try to do this without vulnerabilities. With a real air gap solution, there are two separate pieces of hardware that do controlled sharing along one interface. Hint: security analysis of one of these is much easier than the other.

“Linux has many of the same security issues as Windows. See:”

And since a Xen-based solution has Linux in its TCB it means Qubes might have issues because it depends on it. (Unless they somehow removed all influence on secure operation the Linux and Xen code might have. Somehow.) There’s also very few Dom0 host platforms, thereforce easier for a major adversary like NSA to target. With a physical solution, you can use a vast array of systems for the trusted PC whose chronology goes way back and the main untrusted system has quite the variety itself. Such a flexible setup can also take advantage of latest vulnerability mitigation technologies which often isn’t possible if you stick with a complex, GPL, platform.

So far, even MILS solutions with tiny (sub-10Kloc) kernels designed for separation and user-mode stacks designed for partitioning have unconvincing assurance arguments for desktop use and people have found potential covert channels. One team of major SKPP promoters recently downgraded their security claims for this reason. So, what does that mean for solutions based on complex VM platforms with Linux in their TCB and not designed for security at every level? Logically, they will fare worse when highly sophisticated attackers target them. Right now, they have the Mac-like advantage of not being targetted by anyone with skill, money and motivation.

@ OpenBSD

“@AlanS, one post about Qubes was enough; three posts look like advertisment.”

That was my thought. But, hey, some people get excited about certain tech. I used to promote separation kernel architecture a lot b/c it was low TCB, composable & had commercial support. I was a bit too excited about it, though. Can happen to anyone. 😉

“Note to Bruce: Don’t share the keyboard (or mices) between secure and internet computers: a keyboard may hide an USB key that the NSA can activate”

It’s a bit paranoid. A good, cheap, foreign made KVM switch will probably be fine. Has worked for many for years, actually. Overall, though, as total physical separation as possible is a good thing. Anyone with extra paranoia or precaution is justified these days.

@ Brian M.

Re using serial ports, different processor architectures

Good stuff. 🙂

@ AVee

This one is worth highlighting:

“Frankly, I don’t get the fuzz about the choice of OS for the airgapped system. You use the airgap because you assume the OS isn’t secure enough in the first place.”

Excatly! The separation, input validation and sharing mechanisms are where the real effort should go. All those non-Intel architectures I mentioned come with OS’s that probably have plenty residual flaws. It doesn’t matter, though, because the whole point of using them is that the enemy doesn’t know what you’re using due to variety & that you never live connect them. If the transfers are careful (esp one way) & you regularly clean slate the trusted machine, there’s little to nothing their fire-and-forget attacks will accomplish. Even if it’s Windows 95.

@ Mike Nomad

“Done the AirGapped thing for years: Wired peripherals, OpenBSD (command line only), SneakerNet (SD cards), Text Files, and BURP for good measure.”

Sounds good cept the SD cards. They’re probably OK but easier to subvert than CD’s and such. The more complicated tiny electronics the worse for subversion is one of my rules of thumb.

“I think Bruce is just pulling everybody’s leg about that Big Box Windows rig…”

I doubt it. There’s nothing wrong with a Windows box in the right air gap setup. There’s better options but most of the security is from denying the enemy knowledge of and access to system operation, esp. persistent long-term attacks.

Mike Nomad October 11, 2013 9:05 PM

@ Nick P

“Done the AirGapped thing for years: Wired peripherals, OpenBSD (command line only), SneakerNet (SD cards), Text Files, and BURP for good measure.”

Sounds good cept the SD cards. They’re probably OK but easier to subvert than CD’s and such. The more complicated tiny electronics the worse for subversion is one of my rules of thumb.

Your observation is correct, and situation dependent. Yes, they are easily subverted. If I have one on my person, and it is subverted, I have much more immediate problems to deal with… Which is why I like SD cards: I can destroy them very easily, and the little write tab seems to work.

@ The discussion regarding power supplies, etc. I have an old AC inverter that I was thinking about using for a next step: Take out the standard power supply in the computer, and have it rewired for DC input (since it’s all DC on the mo-board anyway), and have the DC output from the old inverter regulated and fed in. Thoughts?

Bob October 11, 2013 9:40 PM

Since you posted this, BleachBit has already updated their website to quote you saying that you use their product.

Gibbon1 October 11, 2013 11:15 PM

“”one for reading PDF, but not having access to other stuff.””

Off hand thought, an air gap, transfer files by, displaying them on one computer and then using a camera and OCR.

Figureitout October 11, 2013 11:24 PM

gonzo
–I like it. I have a spare copy of XP, but I’d prefer to learn linux/bsd better. It’s not overly paranoid either; these insane scenarios are no longer really funny, it’s the truth and there are people out there dealing w/ and experiencing it everyday.

Dv
–I actually really like that strategy. Basically, attackers won’t find your system of much use (while still being a lot of fun and of interest to you, b/c I like to think about the gates and I want to be able to trace all the activity by hand); and now maybe they will find out about counterattacks, one of my all-time favorite strategies against all attackers.

Bruce
–Seriously, this is not going to be good for your health. But I think this is your calling. They’re going to study your lifestyle and basically all your nightmares will come to life. I would trash your iPhone too, but that something that sounds like you’re not going to do. I’ve managed to put up a fight by taking this fight to the extremes very few here would ever do, I know this for sure. Funny enough, the agents are pretty similar to me, just slightly different situations led to me being bullied and I’ve had enough of that and will fight it to extreme levels.

But, Bruce, you’ve really gained a lot of respect and trust in doing this; b/c you’re putting yourself at risk. And the derp train would just keep rolling if something drastic doesn’t happen.

Michael Moser October 12, 2013 12:13 AM

I would use restricted account on air gap machine for reading PDF documents; also use Mozilla with PDF.js – it is an pdf viewer implemented in javascript; it should be a bit harder to exploit than regular pdf viewers.

Axon October 12, 2013 12:44 AM

@ Nick P, @ AVee

Qubes is a nice project. It tries to air gap computers virtually. Physical air gaps are *much* better for security, though.

Actually, that depends on how you use the physically air-gapped machine. If the machine is permnanetly air-gapped, in the sense that it never sends or receives data to other computers (not even via sneakernet), then of course that’s true. But the behavior Bruce describes actually makes a physical air gap riskier in some ways. One example is the use of USB sticks. Even if you disable all the autorun mechanisms, the OS will always still have to attempt to parse the partition table on the removable storage device, at the very least to create devices (device files) symbolizing each partition or volume (e.g. /dev/sdbX). This means that malware can write a malformed partition table onto a perfectly legitimate USB stick. Suppose, then, that you have two physically air-gapped machines, belonging to two different security domains, and you want to transfer files from one to the other. You insert the USB stick into the first machine, copy some files, and then insert it into the second machine. If the first machine was compromised, it could have altered the partition table on the USB stick. Now, when the stick is inserted into the second machine, its malformed partition table might exploit a buffer overflow in the code used by the second OS to parse the stick’s partition information. And now your physically air-gapped machine has been compromised. (Incidentally, Qubes completely bypasses this attack vector by using a special inter-domain file copy mechanism that doesn’t require any metadata parsing.)[source]

And since a Xen-based solution has Linux in its TCB it means Qubes might have issues because it depends on it. (Unless they somehow removed all influence on secure operation the Linux and Xen code might have. Somehow.)

No offense, but this comment suggests that you don’t really understand what Xen and Qubes are or how they work. Xen is a bare-metal hypervisor, which means that it runs in a more privileged CPU state than any other software on the machine. (So it literally doesn’t make sense to suggest that the “influence” of the Xen code might somehow be “removed.”) The most privileged VM is called dom0 (sometimes called the “host domain” or the “control domain”), and although this is often a version of Linux, it need not be (see below). (So, no, Xen doesn’t necessarily have Linux in its TCB.)

There’s also very few Dom0 host platforms, thereforce easier for a major adversary like NSA to target.

This, of course, depends on what number you consider to be “very few.” Linux, BSD, and OpenSolaris can all be used for dom0. (That seems like quite a variety of choice to me, personally.)

This one is worth highlighting [@ AVee]: “Frankly, I don’t get the fuzz about the choice of OS for the airgapped system. You use the airgap because you assume the OS isn’t secure enough in the first place.” Excatly! The separation, input validation and sharing mechanisms are where the real effort should go. All those non-Intel architectures I mentioned come with OS’s that probably have plenty residual flaws. It doesn’t matter, though, because the whole point of using them is that the enemy doesn’t know what you’re using due to variety & that you never live connect them. If the transfers are careful (esp one way) & you regularly clean slate the trusted machine, there’s little to nothing their fire-and-forget attacks will accomplish. Even if it’s Windows 95.

This would be true if the physically air-gapped machine were permanently air-gapped. It doesn’t take any special technical knowledge to understand this. If a computer never comes into contact with the outside world, then it doesn’t matter what’s going on inside of it, since no adversary is ever allowed to interact with it. The problem is that what Bruce and almost everyone who wants to set up an air-gapped system are doing isn’t setting up a permanently air-gapped machine. They still do things like transfer files to and from the “air-gapped” machine using USB sticks. But this means that the “air-gapped” machine isn’t isolated from the outside world. It’s still in contact with the outside world; it’s just that its method of communication with the oustide world is a lot slower than usual. An adversary is still able to interact with such an “air-gapped” system, as Stuxnet, agent.btz, and the example above all show.

If you have the discipline to set up and maintain a permanently air-gapped machine, that’s fine. But such a machine will be severely limited in its functionality, which is why almost no one has a use for one. A pseudo-air-gapped machine (by which I mean a sneakernet-connected machine like the one Bruce describes), on the other hand, is often worse for security because it’s almost never set up correctly, and it gives the user a false sense of security. (“This computer isn’t connected to the Internet. Therefore, it’s safe from people who try to attack me through the Internet.” Well, no, because you essentially bring the threats of the Internet to that machine every time you plug a USB stick into it which was previously plugged into an Internet-connected machine.)

Axon October 12, 2013 12:45 AM

As an example of what I mean when I say such systems are almost never set up correctly, consider what Bruce said in point 1:

The ultra-paranoid way to do this is to buy two identical computers, configure one using the above method, upload the results to a cloud-based anti-virus checker, and transfer the results of that to the air gap machine using a one-way process.

We’re talking about a world-famous computer security expert here, who thinks that this procedure is for the “ultra-paranoid,” and yet it doesn’t even fit his threat model. Bruce states that his goal is “to try to stay secure from the NSA.” But as we all now know, and as Bruce himself was instrumental in showing, the NSA works to create and stockpile zero-day malware, which is by definition incapable of being detected by anti-virus software (until it is later discovered, which we should assume to be after it has been used against a relatively valuable target like Bruce). In other words, what Bruce thinks is an “ultra-paranoid” (and presumably therefore ultra-secure) security measure is in fact entirely useless given his threat model, in much the same way that his advice about using an “air-gapped” machine negates most of the benefits of the physical separation (and in many cases creates new vulnerabilities to be exploited).

I could go on all day, but I’m going to stop myself here. Bruce: I like your blog, and I like you. But frankly, this is just bad.

patricia October 12, 2013 12:59 AM

The properties of my airgap system:

  1. It is inexpensive.
  2. It is not require much technical know how (not reverse engineering your BIOS to verify its integrity or trying to debug rootkits).
  3. The overhead involved is scalable to the amount of security required. That is, many shortcuts can be taken without weakening the overall system.
  4. It is an unambiguous set of steps that don’t require judgment to be performed.
  5. It is fault tolerant (many components can get pwned, and it still is very secure).
  6. It is effective against a variety of threat models, up to and including a nation-state which has full knowledge of your setup, a team of hackers working to pwn you individually, and a black bag team that can enter your home without your knowledge.

Let’s call our adversary Eve. I believe unless Eve can bring to bear the resources described in item 6, your setup is perfectly secure. Any feedback on the protocol I describe would be appreciated.

The threat models we will consider:

  1. A targeted attack in which the Eve has perfect knowledge of your setup and unlimited resources to craft an attack over the internet.
  2. Same as 1, but they will attack using malware which infects your hardware (BIOS, NIC, etc.) before you purchase it (the supply chain attack).
  3. Side channel attacks
  4. Black bag/ physical access to your home and computers.

  5. Untargeted attacks

I assume the reader can acquired uninfected software. One method for doing this is documented on the TOR website. The basic idea is to download from multiple sources, from multiple internet connects, compare the hashes, and verify downloads with PGP signatures.

Here’s the setup:

The first computer (which I’ll call CannonFodder) connects to the internet via TOR, ideally with PORTAL between the computer and the internet. PORTAL is the grugq’s open source project which installs on Raspberry Pi and acts like a proxy forwarding all your traffic to TOR. Recently a hidden service was discovered on TOR which hacks the browser and phones home through the user’s non-TOR internet connection the actual IP address and MAC address of the user. PORTAL prevents this attack by only allowing traffic to route through TOR, and blocking any other traffic.

The purpose of CannonFodder is to receive PGP encrypted messages and send PGP encrypted messages. It’s what connects to the internet so the rest of the equipment doesn’t have to. While it will be assumed to be hacked into and rootkit’ed, it is not going to be an easy target.

On CannonFodder install whatever personal security products you can get your hands on. Anti-virus, anti-persistence software, software that whitelists good processes and blacklists bad processes, EMIT… anything and everything possible. Make sure the OS and all software on it is patched regularly. What OS runs on the host is up to you. The host will run a VM and nothing else. What virtualization software you use is up to you, but the OS you run in the VM should be different from the host. So if the host is windows, the VM should be some flavor of linux or BSD.

The VM is going to run another VM. That VM will be a third OS, different from the other two. It’s only job is to run a browser that can connect to TOR. Whether that means the TOR browser bundle, or Chrome connecting through PORTAL, it is up to you. Chrome is a good choice, since it auto-updates itself, making patching mindless. Once the VMs are set up, snapshot them. After every use, revert to the most recent snapshot. When new patches become available, revert the VMs, apply the patches, and take a new snapshot.

Make sure the browser has NoScript installed (meaning no javascript). Do not whitelist any websites in NoScript. Make sure the browser has no plugins installed besides NoScript. That means no Java, no silverlight, and certainly no flash.

The idea of all of this is if someone tries to exploit your browser, they might not get a rootkit on your host, because Eve may not have realized you are in a VM, and therefore might not be prepared to escape your VM. She may not even have a VM escape. If she does, she will still need to have a variety of exploits and be willing to use them against you. She may be unwilling because you are not a noob, a complicated setup like your’s could trip up her exploits, and maybe expose them in a way that you can steal them. Think about it: Eve needs VM escapes for two different pieces of software, code that can run in all flavors of Linux, Windows, and BSD, possibly privilege escalations for each of those OS’s, and most likely the ability to navigate PORTAL before phoning home. You are a complicated target relative to most people on the internet. Patched software ensures Eve must throw 0day at you. Personal security products can trip up her exploits or mean she’ll have to invest even more individual attention in crafting exploits that sidestep your protections.

If CannonFodder is running on Sparc or MIPS or ARM, even more bonus points, because now even fewer people have the expertise required exploit and rootkit you.

CannonFodder is only used for visiting email, saving email, sending email, and burning CDs. No other browsing is allowed. A different email account is used for every different pen pal. In between logging into each email account, a new TOR identity is generated– in the TOR browser bundle just click the generate new identity, using PORTAL it is a little more complicated. Messages should move from public email addresses tied to real identities to burner email accounts as quickly as possible. You should register a new email address for each new pen pal you correspond with. The email address should have no information that ties your real identity or your pen pal’s real identity to the address.

CannonFodder can either be a laptop (which has had the camera removed, the mic destroyed, etc.) or a desktop. A laptop has the advantage that you can take it to different restaurants and connect to a different wifi access points every time CannonFodder connects to the internet. A desktop has the advantage of convenience (driving to a new access point every time you want to send an email eats up a lot of time). The downside to the laptop is other users of the wifi access point can attack your laptop. The downside to the desktop is your IP address is easy to obtain from your internet company, and with your IP address it is not far fetched that Eve can hack your router, and then your desktop.

Every day (or every other day, or every week) check the email accounts. Each email account gets its own CD. Any messages received from Alice are burned to CD A, any messages received from Bob are burned to a separate CD B, and so on.

By using TOR, not browsing the internet, and using random email accounts the hope is that you will be harder identify as someone to target and harder to locate once you are targeted. The VMs and other mitigations will ideally tip you off once you are targeted since your unusual setup could cause their attack to fail in a loud way. Even if it doesn’t tip you off, it may be effective in preventing your computer from being rootkit’ed indefinitely, since Eve may not have the techniques readily available to breakout of your VMs.

Even given all these precautions, we will always assume CannonFodder is owned and has a rootkit which is recording every keystroke, the MAC addresses of all wifi access points in proximity, and whatever other information your computer might be privy to.

Now for the airgap. The second computer, which I’ll call IvoryTower, is air gapped. If the only secrets you are trying to hide are your private PGP keys, the cleartext of your messages, and the cleartext of your pen pals” messages, IvoryTower should be a raspberry Pi with a USB CD (read-write) drive. If you also want to read PDFs, I’m unsure if a raspberry pi can handle this, so you might have to use a desktop. The raspberry pi has several advantages when it comes to side channel attacks and black bag attacks. We’ll discuss these later. It also has the advantage of being ARM architecture instead of x86 and x64. The architecture matters because in depth knowledge of x86 and x64 are much more abundant than knowledge of ARM. You increase the cost of attacking you by using a more unusual architecture.

IvoryTower is our most privileged machine, because private keys are used to decrypt messages on it. If we can prevent it from being rootkit’ed, our secrets are safe (except from black bags, more on this later). However, we should always assume IvoryTower is pwned and take steps to guarantee none of the secrets it protects leak onto CannonFodder and from there onto the internet.

Backing up for a moment, IvoryTower is where the PGP keys you use to correspond with your pen pals’ are generated. The first day IvoryTower is set up, when it has the lowest likelihood of being rootkit’ed, generate a ton of PGP key pairs and burn them to CDs. If you are very security conscious, IvoryTower should be shutdown in between each key you generate. This is to clear the RAM of the device (always use an OS which overwrites RAM at shutdown). Many rootkits can’t survive a reboot. A shutdown could clean the machine. If a rootkit does infect the computer, and private key material from other pen pals is still in memory, the malware can compromise more of your private keys than it would have been able to otherwise.

If IvoryTower is a desktop, it should have no hard drive, and it should boot from a live CD in a CD-ROM (no write) drive. The CD containing the new messages from Alice can be put in a separate CD drive. When the encrypted messages are copied to the desktop, they will be put in RAM on the device. Insert the CD containing the private key corresponding to the public key you gave to Alice, and decrypt the messages. Read then, then reboot. Write a new message to Alice, encrypt it with her public key. You can retrieve her public key either from the same CD that holds the private key you use to communicate with her, or by requesting she append it to the messages she sends. Burn your encrypted message to a new CD, and destroy the CD that transfered Alice’s messages from CannonFodder to IvoryTower.

Part of Alice’s message should be a new email address she created just to receive your next message. Similarly, your new message to her should contain the email address you’ve registered to receive her next reply. In the message you are sending should be an email address that they can send their next message to. This protocol, of always sending to a new email address, means Eve has fewer selectors to key in on when she taps the internet backbone, and she can’t use your old email address as a selector to serve an exploit to you when you visit the old email account. If she gets your key, the messages are not all aggregated in one place for her to decrypt. Since the next email address is encrypted in each message, she will not know the next place a message is being sent.

Now for a trick. Write down the exact size (in bytes) of the encrypted message that is destined for Alice. Open the encrypted message in a hex editor (still on IvoryTower). Write down the first 5 bytes of the file. Write down the last 5 bytes. Pick a random offset (or 2 or 10) and write down 5 bytes there along with the offset. Reboot.

Repeat the procedure on IvoryTower for every correspondence that sent you a new message.

Now another trick. Using a public-key/private-key pair you’ve kept reserved for testing purposes, encrypt a fake message. If can say anything, just make sure you’ll recognize your fake message when you decrypt it (more about this later).

You have destroyed the CDs with the messages your pen pals’ sent you, you have a bunch of CDs with messages you’d like to send on CannonFodder, and you recorded some metadata about each of the encrypted messages (i.e., filesize, the first five bytes).

We have now reached the most dangerous part of the process, because if IvoryTower is rootkit’ed, any of the CDs could contain information about your secret key, information about the cleartext of your message or your pen pals” messages. For example, if GPG on IvoryTower has been subverted by malware, the malware could have used the Eve’s key to encrypt your message instead of Alice’s public key. Then, when you transfer the message to CannonFodder, malware on that system could use Eve’s private key to decrypt the message, send it to Eve, and re-encrypt the message with Alice’s public key. You would have not idea you were compromised, because from your perspective Alice got the message OK.

To guard against this, we have a third computer, which I’ll call DoubtingThomas. This is the one computer who’s integrity is important. Luckily, it too can get rootkit’ed, as long as it is rootkit’ed by an untargeted attack. If Eve and her minions target yo and get on DoubtingThomas, you’re in trouble.

DoubtingThomas is a raspberry pi. This is a nice choice because it can be physically hidden, making physical tampering by a black bag team more difficult. It also uses much less power than a desktop, meaning many side channel attacks don’t apply. Also, electronic devices (bugs) that could be hidden on a desktop computer’s motherboard or PCI peripherals stand out much more on a raspberry pi.

The most important thing about DoubtingThomas is simplicity. We want very little surface area on DoubtingThomas. IvoryTower runs a full fledged OS with lots of code and lots of surface area, making it easier to own. DoubtingThomas, however, just needs to have a hex editor, GPG, and the ability to read from a CD. Ideally the CD has filesystem, since a filesystem is more surface area for an exploit, so a raw filesystem that can be read with would work well, especially if that meant ‘dd /dev/[cdrom]’ would have identical output to the encrypted blob IvoryTower produced.

DT has a CD-ROM (no write) drive connected by usb so it needs a USB driver as well. The OS on DoubtingThomas would be custom coded to be minimal and only have what is needed for this task. On DT we open the encrypted messages from IT in a hex editor so you can visually inspect the file is unchanged since being on IT. It is important also verify that the file size is the same, and that the rest of the disk is empty.

What does this buy you? If the hex editor on DoubtingThomas shows the same values as the hex editor on IvoryTower, you know you can trust IvoryTower’s hex editor and burner. However, you cannot know for sure what key actually encrypted the message. Eve could easily have encrypted the payload if she was on IT and subverted GPG. Basically, you can trust the burning software and the hex editor, but you still don’t know if you can trust the install of GPG on IT.

This is where the message you encrypted with a public key for which you have the private key comes in. Decrypt it on IvoryTower, and if it decrypts correctly, you know you can trust GPG on IvoryTower. Why? Because if malware has subverted GPG on IvoryTower the fake message won’t decrypt correctly. If your message is encrypted with the Eve’s key, there’s no way to tell just by looking at the encrypted file.

After the test on DoubtingThomas, you know you can safely put the CDs in CannonFodder, and email your messages to your pen pals’.

That’s the procedure, now how does it stand up to our threats, and are there any other things we can do to make it even more secure?

1) Attack from the internet.

If CannonFodder is pwned, when you burn a CD of messages addressed to you, an filesystem exploit or an exploit that targets any of the other code that is required to read from a CD could be burned to the CD too.  This is the only way IvoryTower can be rootkit'ed if Eve limits herself to attacking over the internet.  If IvoryTower is rootkit'ed, you can't trust the output of any of the software on that system.  IvoryTower could:

a) encrypt with the Eve's public key when it says it's encrypting with Alice's public key (they get cleartext of your message to Alice)
b) append your private key, encrypt with the Eve's public key (they get your private key for corresponding with Alice, and your message to Alice).
c) Write your private key and any cleartext left in RAM to slack space on the CD.

DoubtingThomas verifies the work of IvoryTower as described earlier. However, there are ways malware could get around this. The first that comes to mind is maintaining a whitelist of keys that it will subvert and your fake key is not on the list. But that would be so targeted, and require such perfect knowledge it’s not believable.

Make sure to generate plenty of private keys as soon as you get IvoryTower setup. Once it’s subverted it could be generating weak keys. Also register lots of email accounts on CannonFodder.

2 and 3) Your equipment was pre-pwned with BIOS malware before you bought it and side channel attacks

This would have to be general purpose malware that didn't target you specifically (because you were careful enough to buy hardware in person from a big store and not online with your credit card, where it could be messed with in a targeted way).  There are a couple threats here.  The first is that IvoryTower's key generation is weakened.  This is a serious flaw that I don't know a good way around.  The second is the computer is modified to transmit data through side channels.  So, for example, it flickers the screen at a frequency imperceptible to the human eye, and it just scans through RAM constantly doing this, so that a sensor picking up the flickers would have a dump of RAM.  Or it scans through RAM and modifies the power unit to transmit data (using the power cord to create an antenna, or to communicate with another device on the same power circuit, perhaps CannonFodder).  Or it blinks an LED faster than humanly perceptible.  Or it uses the wire that wraps around the perimeter of the monitor that connects to the LED and forms an antenna to ex-filtrate data.  Or it produces auditory signals by the making the processor hum.  It can control the frequency of the hum with the type of operation it has it do.  Or Eve uses Van Eck Phreaking to reconstruct your monitor display by the radiation it gives off.

Side channel attacks are real. They are very hard to defend against. On the positive side, I assume they are expensive to deploy. But since our assumption is we must be resistant to expensive attacks, we must consider side channel attacks.

First I’ll point out that the only computer in our setup that must be resistant to a side channel attack is IvoryTower. If IvoryTower is a raspberry pi, it draws such little power that the power cord attack is not feasible. Any form of radiation attack (the antennas, Van Eck phreaking) can be mitigated by only running IvoryTower in a local restaurant’s walk-in freezer (the poor man’s faraday cage). A Raspberry Pi is portable enough to take to a walking freezer. For Eve to pull off the visual and auditory based attacks she presumably requires a black bag team to place sensors in your workspace (more on this in a minute), but a raspberry pi based system could be set up in a different location every time you use it (meaning it’s much harder to ‘bug’ in this way).

Note that the cords for keyboards and mice should have shielded cabling. Every cord in your setup for IvoryTower should. Peripherals should never be shared amongst computers since they could be infected with malware.

All LEDs should be disabled in all your computers/ monitors/ peripherals by digging out the LED.

4) Blackbag team visits your house while you aren’t there

You are going to have to have a good place to stash the CDs containing your private keys as well are your raspberry pi(s). They are the prize you are trying to defend.

One threat is Eve’s henchmen break into your house and replace your keyboard with a duplicate that has a key logger, or that infects your device with malware when you plug it in. For this reason, put distinctive scratches into all your peripherals, take a photo, and regularly check that the scratches are identical to the photo. This is how weapons inspectors ensure the seals protecting weapons caches have not been tampered with. The seals are scratched in a distinctive way that can’t be forged, then check periodically. Use tamper evident tape on your devices to slow down a burglar that wants to plant a keylogger in your keyboard.

If IvoryTower is infected in its BIOS and it is capable of stashing private keys (in the BIOS or in the firmware of PCI peripherals on the system), then a black bag team could get your keys this way. This is another argument for IvoryTower being a raspberry pi and being stashed somewhere. If IvoryTower is hidden and the burglar can’t find it, they can pull the private keys from the BIOS. On a desktop, the fewer PCI peripherals, the less space the malware has to stash keys if it is in fact using this strategy. So make sure you have no PCI peripherals. If you have a desktop, put super glue in all the USB interfaces so they aren’t functional. Do the same to any interface on the mother boards that could attach removable media. Try to make the case impossible to open (bonus points for encasing it in cement except for the fan, CD tray, cables for keyboard/mouse, power cable and power button). Your attack surface for a burglar becomes what they can modify with a liveCD and maybe the drivers that handle input from your monitor (minimal).

5) Other threats
Most other threats won’t get past your browser, because it’s fully patched, and it they do, they’ll be destroyed by reverting your VM.

Questions:

Is it easier to verify raspberry pi’s embedded code than a desktop’s BIOS?

What if IvoryTower is pwned before you buy it and produces weak PGP keys?

What to put for full name, email address in PGP key?

How long should keys stay valid for?

Aspie October 12, 2013 1:56 AM

FWIW all this talk of being careful with updates and such – which to my mind is the weak link in any trustworthy system – brings to mind something. Has anyone considered hiving off “sensitive” data to a Plan-9 system?

Besides being able to use the fossil archival filesystem (which is pretty neat) plan9 is completely open-source and, for what it is, the source isn’t that big or complex. The system is surprisingly simple, easy to set up and efficient.

People here can judge its security for themselves but because of its simplicity battening down the hatches on plan9 is more like setting-fast a dinky sailboat than the ocean-liner that is Linux or Windows (ptui).

Most of it runs as servers so although it’s not technically a microkernel it can be understood as one. Also, the plan9 community is very smart and helpful and the full source is provided.

I recommend a look for those adventurous souls who seek alternatives to update-driven bleeding-edge “what’s this update gonna break this time” stuff.

mcjtom October 12, 2013 2:08 AM

Would having 2 air-gaped computers be practical: one for reading, one for writing?

The information flows only one way for each: from internet to the reading one and from the writing one to internet. 2 different sets of fresh USBs are used.

The operator decrypting and reading on one, then writing and encrypting on the other breaks the circuit: even if the reading computer is infected by maleware contracted from the internet, stolen keys or actual files will have hard time to move back to internet if the one-way USB transfer is reasonably hygienic (though I’m not sure what such hygiene would have to entail: certainly not mixing the two streams, but new USB every time? nuking the USB after each use, but on which computers?).

Avrg Joe October 12, 2013 4:14 AM

DVD live system might be a good and pretty safe thing even for everyday’s use but it is terribly slow. How about creating a live system on a write protected (external or internal) hard disk (using hardware jumper settings)?? However the existing live systems that are tailored for DVD or USB stick use probably will need some changes so that they work on write protected hard disks. Does anyone know if such systems exist already or how this can be done?

Goldry Bluszco October 12, 2013 4:50 AM

Well, I’m surprised no one’s mentioned paper tape for data interchange. It’s still around – though the last I heard of it was in relation to CNC mills. Then one could always link the Internet box via serial to one of those 8-bit Amstrads or the like, save ASCII to tape, then take to another Amstrad serial-linked to the non-Internet box, and read it from there. Amstrad tapes aren’t big; you can’t fit your average 20-100MB PDF on it. But wonderful for ASCII text files.

As far as THEM listening to the radiation overflow of the PC set-up, what’s wrong with mutilating a perfectly good superheterodyne valve/tube receiver – you can still find the circuitry diagrams around the place – so that it superheterodynes in a particularly superheterodynish manner. If THEY’re listening in, give THEM a head-ache and ringing ears for THEIR trouble.

And as for listening in via the power system – it’s hard being green, as one singing Frog will tell you, but better that than being caught by an OpSec that didn’t quite work out. Get yourself set up with solar and wind power, and cut the links to the grid. Let THEM listen to the sound of THEIR own farts.

Petar Maymounkov October 12, 2013 6:04 AM

Hi Bruce. You say you use Tor.

As a security analyst, you are surely aware that Tor provides absolutely no provable anonymizing properties and is a system that is largely based on “security by obscurity”. To be precise, I am referring to the well-known fact that Tor is vulnerable to the Sybil Attack and furthermore that this has been demonstrated in practice, multiple times by now, as well as in papers, multiple times by now.

With this in mind, I wonder: Why are you using Tor?

Thanks
Petar

Clive Robinson October 12, 2013 7:37 AM

It’s funny reading this page as most of the suggestions here have been said befor by RobertT, Nick P and myself and one or two others some of whom nolonger post to this blog.

As I’ve said in the past always consider my meme of “Paper, Paper, NEVER data” it’s about the easiest way to redact hidden metadata. Failing that old Computers and single chip microcontrolers are one way to limit your risk of transfering malware across an air gap. Likewise building them into safes solves other problems and eases the use of more spectacular protection of the sort used by the NSA et al (As RobertT notes above “THERMITE is fun” as are “flashbangs” and sub-sound and ultra-sound that play havoc with human sense and nerve systems 😉

But fun though this sort of thing is it’s “Putting the cart before the horse” big style. It belongs a long long way down the list of things you need to do to have a secure system for data and communications.

The First step is the “WTF am I doing it for?” question
At the very least doing the technical side of ICTsec of this sort of security anywhere close to properly throws you back to user functionality levels of ed/sed on the command line on a Glass teletype…

So not even the niceties of VT100 or other screen addressable VDUs and luxury editors like vi… Whilst I’m sufficiently “old school” not to be phased by this it’s not a plesant experiance for those “born to windows” and WYSIWYG presentation tools. However the upside of old school is controling both visable and hidden metadata that might conceal nasties.

But as they say “no pain, no gain”, and speaking of pain it comes in many forms physical emotional and psychological and most adversaries will use any and all of them against you directly or indirectly through your family, friends, work colleagues and governmental agencies…

So first you need to consider what it is you are actualy trying to protect and from who and importantly why and are you prepared for the pain for what might be very little gain in the great scheme of things?

Political and emotional affiliations and sentiments and the related soul searching asside –but which you will if you are sensible revisit over and over through the process as your life and others may well depend on it– you need a methodology to work by.

A simple start point to get your thoughts in gear is an “asset dependancy list” and a matrix of the “CIA” triad aginst the “adversary levels” first sugested by Ross J. Anderson for each and every asset known or identified (such “method models” exist in most ICTsec ROI risk analysis books etc).

Thus you first have to know what the assets are which in many cases is not at all obvious due to issues with primary assets and associated assets and their life cycles and types.

If you take a 20,000ft view at what Bruce is trying to do the primary asset is a large collection of documents which he is going to view, interpret and publish results.

However these documents are (I assume) encrypted in one or more archives and in various formats frequently graphical in nature, which gives rise to a secondary dependancies of the crypto software and keys, the software to display the documents and various other sub dependancies (OS to support software, Hardware to support software etc) all to enable just the viewing of the primary asset. Similar dependancies ocure for the interpretation and publication steps.

The main threat against the primary asset Bruce should be actually woried about with a level III adversary is not loss of confidentiality or destruction but actualy “modification”. Because if the NSA can modify the data on which he bases his comments and articles it’s his reputation that gets a hit and in turn “poisons the well” of Ed Snowdens revelations, thus discrediting all involved in the public eye, which in effect stops future publications of further “secrets”.

However the next level of threat from Level III adversaries is non technical and from Bruce’s point of view is a lot more serious and it’s “personal liberty and safety” of him, his family etc etc. To some extent Bruce is lucky in that the “Bruce Persona” acts as a limiting factor which the majority of us just don’t have. If Bruce had an accident or disappeared it would be very quickly noticed and news would get out and conspiracy theories asside this would bring the public eye back on the Ed Snowden revelations and activly encorage further revelations. As was quite well illustrated by the stupidity of the UK Home Office on detaining Mr Greenwald’s partner at London Heathrow Airport, this “human level refocus” and gets front page position, which is not what the politico’s want as it keeps the cauldron heating up beneth them…

Any personal/physical attacks on those involved are in effect a “political suicide pact” for any politician, directly or indirectly in a line of authority to those carrying out the attacks. Which is probably why Barrack ‘the control freak’ Obama and the rest of the Whitehouse have very much distanced themselves from the NSA and DNI. But leaving the intel community as some journalists have said feeling like “they’ve been hung out to dry” or worse “feeling they are now the enemy” which prompted the open Alexander letter to all NSA staffers which turned into another long runing PR gaff (as was once said “Don’t try to defend the indefensible promote it”).

My view is the NSA staff chose to take the Government schilling, they were not forced or coerced. Thus they should have read the contract and worked out the downside liabilities and not cry about the consiquences. Military personel who enlist know that “death” is part of the T&Cs, it’s the same for spooks. The analysts and those related to them even though they may be REMFs, are ethicaly and moraly just as liable as are the self serving politicos. Engineers had this debate out in the “cold war” and quite a few refused to work on even tangentaly related to the military projects.

Thinking about the downsides is very important as most of the readers of this Blog don’t have the sort of “Public Persona” that would give us protection of our personal safety and liberty so we should take serious consideration to the non ICTsec asspects as a first real step.

Just to remind you why you should think about over and above the ethics and morals,

Personal Safety First
We know from the likes of Gerald Bull of “super gun” fame and M.Vanunu who wistleblew on the Israeli nukes, and more recent events, the likes of Mossad and Russia will quite happily send out “hit squads” to perform assasinations and “snatch squads” to take people away and torture them.

We also know the US operated snatch squads for rendition so that quite often innocent people would be tourtured and pressumably in some cases “disappeared”. Others as we know face an indefinate future of wearing orange jump suits and being “force fed”, “force face wshed” and otherwise tourtured at Gitmo on a daily basis.

And some people still don’t get why Julian Assange is apparently half mad and holed up in an Embassy in London with the UK Home Office spending millions of pounds each year keeping him bottled up there…

Putting it simply “S41ting on a Gov doorstep” carries a lifelong world of hurt or early death for those who don’t take sufficient personal security seriously, such is the power of level III adversaries.

But the same applies to level II & I adversaries, we know that “SWATing” and seting up with drugs and other socialy abhorant materials has happened to journalists like Brian Krebbs just for investigating cyber-criminals. And if stories about the Silk Road founder and operator are true (and I’m slightly skeptical) aranging “Hit men” to permanently remove threats likewise happens.

So only once you have given serious thought and preperation and protection to your personal safety and that of your loved ones you can get back to the ICTsec issues…

Stage two identify assets life cycle and types
Whilst you might think you know what the ICT assets are you are trying to protect you also need to identify what their life cycle is and what protections are needed at each stage as their types change.

If you don’t know this for the entire life cycle of an asset then you are in all probability wasting your time and other resources. As well as deluding yourself about the protection you’ve implemented. We’ve seen and laughed at “encrypted backups with the key postit noted to the tape”.

You also need to consider not just the primary assets but the assets that get applied to them such as Key Material (KeyMat) life cycles and storage life cycles all from generation through to destruction and waste disposal and the attendant managment and auditing required and thus the sanitation and protection of those processes as they in turn become assets.

Put simpley if it’s data or communications or both you are trying to protect, you need to know what they have touched and been touched by and the entire life cycle of all these associated assets and thus assess what sort of attacks an adversarry might deploy and to what effect, duplication, disclosure, modification, destruction etc and importantly how…

This also harks back in part to personal safety, put simply if I know you have the only copy of something that incriminates me, burning your house down to destroy it might be the simplest attack vector for me to use and I might not care if you or anyone else is at home at the time… As we know the French Government were more than happy to send out a “hit squad” to very publicaly blow up a ship in a foreign harbour and commit murder in the process just to avoid having anoying environmental protesters around. Russia has just done something similer to the same environmental protest organisation but used a “snatch squad” and are now levying false charges of Piracy on the high seas against the protestors and journalists…

But from the technical side you need to remember that data frequently changes it’s type during it’s life cycle apart from starting or ending in tangable human usable form such as notes or print outs data files have formats, with metadata and the files themselves have metadata in the file systems. Often however the metadata and file formats themselves are not in human readable form and are often a good aproximation to obscure binary representations of pictures or graphics.

That said most software products, even MS Office and other similar proprietry software products, will produce files and output in “human readable” form. Word Procs tend to support Rich Text Format (RTL), spread sheets and DBs support “comma seperated lists” (CSV) and most graphics or similar software supports “PostScript” (PS).

Many OSs also support “Print to file” where the file is saved in PostScript format. And whilst I don’t recomend you learn PostScripts inbuilt programing language there are various utilities like ps2txt and other similar tools to strip out the text from the “code”. It’s worth investing in doing this along with an appropriate software developers repository such as Git or earlier to save documents in post script format and ps2txt then into an inverted database format to build your own fully searchable eFileCabinate.

But why put everything in these human readable “text formats” well as I’ve indicated in the past one way to bridge an “air gap” is via a serial link (RS232C over V24) and put the equivalent of “data diode” or “data pump” into a microcontroler to do “sentry duty” over the serial data. If you use “V24 signaling” as opposed to RS232C data flow control the “control codes” in use are minimal and any others should raise a RED flag in the diode/pump. You can make the pump considerably more sophisticated I’ve one that actually uses a spell checker on files that also RED flags on certain formats such as “encoded binary” of various forms.

One “filter” I’ve written takes RTL format files and strips out various undesirable codes and puts in safe data where “embedded” data that might contain “hidden data” as a replacment. To do this yourself you need to get various forensic and redacting documentation. However this task is considerably simplified if you convert propriatry formats into Open / Standard formats first.

Unfortunatly many productivity tools such as MS Office and their ilk have support for programing by embedded interpreters. You need to watch out for this as you don’t want a WP file actually being malware.

If push comes to shove remember my frequently given advice of “Paper, Paper, NEVER data”, print off documents look at them walk them across the air gap scan them in and then use suitable destruction techniques on the paper print out [1]. This process is very effective at destroying hidden metadata as well as some “canery traps”. It also works well to stop data leakage even if your air gapped machine does get “owned” by malware at some point. However it’s not a practicaly system once the transfer rate exceads a certain volume.

I could go on about the technical details in depth including KeyMan, TEMPET/EmSec, secure destruction and anti-personnel systems, however two point arise, firstly I’m not writing a book here and secondly I’ve said much of it before on this blog.

[1] Solid fuel stoves if used properly work well, the trick is not to have them burn to vigerously other wise burning scraps may go up the flue into the great outdoors, also don’t overload the fire or the paper won’t burn fully. I’ve recently been looking at mixing paper with other dry fuels such as wood chips and “stable sweapings” including the animal muck and putting into a “gasifier” the output of which drives a generator. The residual ash when mixed with other animal muck makes reasonably good fertilizer for growing food crops.

Tony October 12, 2013 8:51 AM

For anyone recommending a POSIX-compliant OS, and you aren’t running it from read-only media, create a minimal read-only root partition to boot from. Union mount a RAM disk overtop partitions like /var, /tmp, etc. If you need to make temporary config changes, union mount another RAM disk over the root partition or /etc. (And use some software to scrub the RAM clean before and after using the machine).

If you must connect to the Internet for initial configuration or software update, stick your machine behind a firewall with extremely paranoid ingress/egress filters. Block outgoing access for DNS lookups and hard-code known-good hostname to IP mapping in the /etc/hosts or equivalent file (yes, even Windows has one). You may even be able to change your MAC address from the hard-coded value to something random when connected to avoid leaking information about the hardware – though the firewall’s MAC address would be seen from the outside world instead of the to-be-air-gapped machine’s.

For non-plain text files, consider converting them into HTML or loading them into a web browser and use an automated tool to take a set of screen shots of the content. Then scrub any meta-data or unneeded info in the image files and/or run other cleanup/compression tools on them.

For any files being transferred, run their known-good(-and-safe) contents through an HMAC with a strong key. Use the output of the HMAC to rename the file. Before accessing the contents on the air-gapped machine, run the same HMAC on the file contents and compare the result to the filename. If they don’t match, don’t access the file.

And in case nobody already mentioned it, fill any unused ethernet, USB, firewire or other ports with superglue.

There has been research about reading key-strokes via the sounds each key makes. So at minimum run a white-noise generator nearby and find a laptop with the quietest possible keyboard. Use an on-screen keyboard program and click each key to enter passwords instead of using the keyboard. Open a text editor and type random gibberish every once in a while. Hunt-and-peck, slowly.

NJW October 12, 2013 10:18 AM

I don’t know if this has been said, there are now too many comments for me to read in the 10 mins that I have, but wouldn’t it just be easier to buy a new usb stick from a store, buy a new PC from a store with no OS installed, download and burn a Linux live CD (Ubuntu et al.).

Only ever use the new PC booting from the live CD and never connect a wireless/networking device to it.

Mike the goat October 12, 2013 10:54 AM

Personally I would use very old hardware (80386) and the simplest OS which will fulfill the tasks required (this would probably be some variant of DOS, which can successfully run PGP). The only ‘required equipment’ is your encryption/decryption program and a text editor. Why old hardware? We have to assume that modern hardware is ‘born compromised’ in some shape and form.

Now, as it’s airgapped we can rule out remotely exploitable issues (i.e. a satanic packet that will cause the ethernet card to do something crazy, a BMC that does who knows what when commanded to do so, etc.) but there are still things that a L3+ adversary could do like maximizing compromising emanations without making it patently obvious that this is deliberate.

It wouldn’t be too difficult to make a faraday style cage to encase a laptop. A glass screen with a metal mesh on the inside would certainly minimize the emanations from the only area that needs at least some exposure (taking a leaf out of the ‘honeycomb’ vents they have in commercial chambers for HVAC).

But Bruce knows as well as we do that they aren’t that interested in him. The material has been archived all around the world on bittorrent as insurance files and they have no way of knowing who the sleepers are that possess the decryption keys. Perhaps one group holds one half of the keypair and another the other part to avoid a single person leaking for an unwarranted reason. I imagine that only a subset of documents have been released to Schneier so the information they’d glean (presumably they’d want to determine how much data Snowden has actually stolen) isn’t complete or particularly illuminating.

That said, it’s safe to say that an online attack would be the most likely vector. It isn’t unreasonable to think that they could, for example use WSUS to push a ‘special’ update to only computers phoning from Schenier’s netblock that gives them a remote shell. Ditto on his cellular phone (I disabled Android Market/PlayStore on my phone for this reason. Yes – no confirmation is given if they don’t want to ask for it – e.g. the update that caused the apperance of the “Google Settings” menu about six months ago.)

So airgapping will (hopefully) mitigate that scenario provided that the media that goes between his red and green zones doesn’t somehow contaminate it. Even though he’s disabled AutoRun with Windows being what it is – and ‘sploits in PDF,PS,DOC,etc. existing in the past and being conceivable in the future despite NX and other technologies supposedly being implemented in later Windows releases I would be wary of anything that could be a vector for such a threat.

Personally I wouldn’t have used Windoze. You can’t even start to fix something with such a wide attack surface. Linux is better – depending on distribution and default configuration but still not ideal. OpenBSD would be great if there wasn’t a big cloud hanging over De Raadt and what his dealings have been with three letter agencies (I’d at least compile it from source).

Personally I think Aspie’s suggestion of plan9 is a good one. It’s security by obscurity, sure – but it’s security nonetheless. FreeBSD is a viable option – compile out linux binary compatibility though.

I personally use a Sun SPARCSTATION running NetBSD as my ‘super secret’ station. I used to have a VAX also running NetBSD but it was just too expensive to run 24/7 when a raspberry pi could do its job 😉

Strange OS, strange architecture (and don’t reveal it) means that their custom crafted spolits for win32 or linux x64 will likely fail.

But – realistically if they wanted your data they’d break in and hit you with a lead pipe until you gave it to them or dropped dead.

Bruce Perrry October 12, 2013 10:57 AM

air gaps aren’t possible in the newest computers. I saw it. I was able to surf freely without being connected to my ISP through either wireless or electric wire (remember they were going to serve internet through power lines a few years back).

Mike the goat October 12, 2013 11:05 AM

Wael: reminds me of an old friend whose apartment door had about six different locks and a large plate glass window right next to it.

Theo October 12, 2013 11:08 AM

as alot of people commented before: you are making a BIG mistake using windows in the air gap computer.
you can well assume that windows contains NSA backdoors that WILL ATTEMPT to leak any information you have on your airgap computer by any means possible.
i would strongly recommend you use a security focused 64 bit OS (ASLR is alot more effective on 64 bit systems) such as OpenBSD or hardened gentoo.

Wael October 12, 2013 11:10 AM

@ Mike the goat,

Good analogy, but missing one thing! There is also a SWAT team determined to go through the door!

Mike the goat October 12, 2013 11:18 AM

Wael: indeed. When I visited the home of an individual who is now very famous in the IT world after being persecuted by authorities in the early 2000s he pointed at the door and asked, “notice anything about it?”. I didn’t. He pulled up the carpet and showed me two small wires running into a hole in the floorboard and insinuated that it was a degaussing coil which would destroy any magnetic media that went through the door. I commented that it may be true but what would happen if they just took the entire PC… The HDDs would almost certainly be shielded.

such is the nature of humans. They think that they have covered all the bases. Just because you can’t work out a way to break it doesn’t mean someone else won’t be able to do just that. A bit like how authors say to never edit your own work.

Wael October 12, 2013 11:38 AM

@ Mike the goat

These degaussing wires would not work either. How do I know? His credit cards never stopped working, have they? 😉 you need a huge EM field to degauss media at that distance with a fraction of a second exposure. Best advice? Avoid being a target. If you are targeted, you will lose. Data can also be planted and one can be framed…

Mike the goat October 12, 2013 12:02 PM

Wael: of course I knew the chance of it working was remote. The wires were about 1/8″ thick and two in number. Even if you consider that it’s possible then what about the power consumption and heat generation of such a thing running constantly? I would assume it wasn’t a coil covering the entire area as there was no coil going under the carpeted area so we have to assume there were small coils placed on either side of the thoroughfare at the height you’d approximate a person to carry media at. Even if it did work – optical media was already quite popular back then, and it would have not affected that. Re credit cards – he didn’t carry them. In fact he was responsible for one of the biggest CC thefts in that era so I guess he didn’t trust them. If this was a secure forum I would tell you who it was I am speaking of. The fact he is a diagnosed skitzophrenic explains his behavior. This phreaker went on to do something that was an international controversy.

Mike the goat October 12, 2013 12:20 PM

GentooAndroid: if I cared about security enough I would not be using a distribution at all but compiling everything from scratch and administering everything like we did in the late 80s – by careful change logging after each make install. Of course you can argue that by delaying updates you are trading one risk for another but I think if you just keep your eyes on the CVE database, bugtraq and the vuln disclosure lists you could roll out your own fixes pretty quick.

Personally I use FreeBSD on my ‘low security’ machine, compiled from source and with a custom kernel. I am very careful about what ports I install and have just one service that is partially exposed (to my cell company’s netblock by necessity) – ssh with key auth, keyboard interactive and password with are disabled in sshd.conf. On top of public key I require an OTP for all remote logons.

My ‘high security’ machine is SPARC/NetBSD. It is not on my local ethernet but I do have a RS232 connection between the two boxes. I used an ATMega and two RS232 shields I made a sort of ‘hardware firewall’. It strips high ASCII characters and acts as an intermediary between the two hosts. I have a toggle which controls it – ingress,egress,bidirectional and a second off/on which powers down the microcontroller. If I have to transfer a binary I uuencode. Not foolproof but pretty good. Problems? Data transfer is slowish as the microcontroller isn’t exactly fast.

I often leave it in ingress and have my syslog piped into it in the hope that if someone hacks one of my boxes I can get some intelligence from the logs.

I used to keep my PGP key on a smart card (using the pkcs gpg module) but since moving to 4096 I don’t have a card that big.

Uberparanoiac October 12, 2013 12:37 PM

Bruce:

With due respect, wasn’t there something about all the latest Intel chips in the i5 – i7 family being manufactured with a 3G chip, so that the computer could be activated and the disk read even if you thought you had powered off and/or disconnected from the Net?

RSaunders October 12, 2013 12:44 PM

I’m a little old-school. I’m a big fan of USB floppy drives. For <$20, you get only 1MB of storage and a hardware write lock. The disks cost about $1 and break in your hands down to a plastic disc that shredders love. (Don’t try to shred the metal bits.) The perfect device for high => low air gap transfers. For low => high you might need to use CDs as a lot of bloatware is too big to fit on a stiffy disk.

RSaunders October 12, 2013 12:50 PM

OK, my bad, I promise to use preview even with quick posts. Let’s try again without angle-brackets that can be confused as HTML tags.

I’m a little old-school. I’m a big fan of USB floppy drives. For less than $20 you get a device with 1MB of storage and a hardware write-lock. Disks are less than $1, and break up in your hands to a plastic disc that your shredder would love. (Don’t try to shred the metal bits). Perfect for high-to-low air gap transfers. For low-to-high you might need to use CDs as a lot of bloatware is too big to fit on a stiffy disk.

Mike the goat October 12, 2013 1:06 PM

Gweihir: you totally stole my idea. I have been using an Arduino with two RS232 shields to do just that for the last few years!

Mike the goat October 12, 2013 1:13 PM

Gweihir: I got the inspiration for my setup after seeing this guy’s paper “RS232 Data Diode” from 2006. Originally I figured I would just turn flow control off and bridge CTS/RTS but there are problems with this approach. I didn’t go the full Monty (one of his designs uses optoisolators IIRC) but just made a little proxy that enforces directional control when the toggle is set. It does significantly degrade connection speed and adds a touch of latency but it works as advertised. I didn’t use the Arduino b/s IDE and just wrote it in machine code. Very simple logic really.

Mike the goat October 12, 2013 1:47 PM

Anony: everything. It is published by a shadowy group called “The TrueCrypt Foundation” and there are rumors that the weblogs of truecrypt.org are a honeypot providing TPTB with Intel on “who’s got secrets”. I dunno about it. I would trust it for, say using on a wondoze laptop that might get stolen when you are travelling (you’ll need to make sure it is powered off and not just sleeping) as well you are trusting a commercial OS created by a company which is known to be in the pocket of the alphabet soup agencies. But I wouldn’t trust it with actual secrets. And if I were to trust it I wouldn’t download the binary version.

Nick P October 12, 2013 3:36 PM

@ Axon

“Actually, that depends on how you use the physically air-gapped machine. If the machine is permnanetly air-gapped, in the sense that it never sends or receives data to other computers (not even via sneakernet), then of course that’s true. But the behavior Bruce describes actually makes a physical air gap riskier in some ways.”
(Goes on to describe USB stick attack vector)

Yes, it can be risky in some ways. Yet, your evidence/example is a strawman to my posts as I don’t advocate using USB sticks. Matter of fact, I specically criticized memory sticks in my last comments. USB sticks have the extra problem of issues with handling at PCI level. Then there’s executable subversion possibilities. Invisible Things Lab even wrote a nice blog post on USB issues, with a partial solution to problems.

My proposed air gap methods were:

(1) simple, non-DMA hardware links with drivers easy to custom implement on many OS’s/microkernels (eg serial, IDE);
(2) one-way hardware;
(3) a highly robust guard;
(4) read-only storage like floppies or CD-ROM’s where malware might be detected;
(5) a dedicated high assurance transfer device a la’ NSA key fill machines.

(1-5) Very, very strong security on the Untrusted Transport machine to further reduce risks. OpenBSD, Linux with MAC, a CMW, a virtualized offering like Qubes, etc. are all nice here. Just some extra difficulty for the attacker is all I’m saying here.

Each of 1-5 is designed for different situations and different tradeoffs, but all minimize risk. My original link to the recommendations did [briefly] mention HD’s and USB sticks with a physical write protect switch for people who are going to use those devices despite my recommendations against them. Might make it a little safer for them.

“Xen is a bare-metal hypervisor, which means that it runs in a more privileged CPU state than any other software on the machine. (So it literally doesn’t make sense to suggest that the “influence” of the Xen code might somehow be “removed.”) The most privileged VM is called dom0 (sometimes called the “host domain” or the “control domain”), and although this is often a version of Linux, it need not be (see below). (So, no, Xen doesn’t necessarily have Linux in its TCB.)”

I think you’re misunderstanding the concept of a TCB and how systems are attacked. The TCB is anything that can compromise the security policy. I know my concern about Xen’s TCB is valid because even XenSource says so. Think of it like an equation: Hardware + Xen + Dom0 + any extra middleware supporting guest interactions = huge, complex TCB. There are many groups of bright security researchers working on this problem (e.g. XenSE). That alone says there is a problem. 😉

Note: the “remove Xen from TCB” was a sarcastic reference to the fact that it and a Dom0 combo are always in the TCB of any Xen solution. I can see how that might have made you say “huh?”

“permanently air gapped… complete air gaps… plug USB sticks in… Stuxnet”

More on USB attack vectors. Then a “trusted stranger plugged in trusted USB stick into insecure Windows PC led to its compromise” story. Already addressed USB. Then a new strawman called “permanently air gapped”. I’ve never mentioned a system where data never moves in or out b/c that would be useless for our discussion so why is 1/3 of your comment dedicated to them?

My air gap architecture does the following:

  1. Keep the system’s state, running software, etc. obscured from enemy.
  2. Remove continual, direct access by keeping it disconnected 99%+ of the time.
  3. Greatly reduce risk during connection points at hardware, driver, and software levels with tradeoffs allowed.

As for the trusted machine itself, there are two options:

  1. A strongly, highly assured OS with POLA and stuff using state of the art chips for their hardware features. Untrusted machine would likewise be highly assured with dedicated hardware like a Network Pump or Data Diode for transfers. Might protect against almost every threat vector except NSA and such.

  2. Use of a diverse array of hardware and OS’s for trusted machine to [probably] prevent NSA type subversion, although w/out strongest resistance to other types of attacks.
    (Note: Xen Dom0 you said can be 3 OS’s right now. Option 2 allows for any hardware and OS combination ever invented with proper preprocessing on untrusted node. That’s why I call a Xen-based solution one with few options for Dom0.)

If user chooses 1, this air gap solution can be made provably stronger than any virtualization solution. If the user chooses 2, then they can stop the subversion that might happen for users running on Intel hardware stateside (incl Xen solutions). They get to choose the threat model, then my architecture reduces their risk from there. The final configuration can be anywhere from standard to high security depending on user’s preferences.

Craig October 12, 2013 3:45 PM

@ManInATux,

The point isn’t that you do it yourself.

Linux uses a hierarchical development model, where a given set of patches will be reviewed and signed off by at least 2-3 people before it even reaches the sub-tree maintainer (“Lieutenant” in LKML-speak). How do you propose to get a nasty patch past that kind of decentralised scrutiny? Then, if you do, how do you make sure that no other reviewer/auditor finds it before a merge or at some later date? Most Lieutenants and major contributors meet at conferences and sign each others public keys (in-person), to form a strong network of trust. Real world identities are mostly verifiable (at least the people reviewing and signing the commits, if not the author) and each and every change is recorded in history (via git).

Sure, it’s still possible to subvert this kind of system, but if you think Windows can even hold a candle to it in terms of security, transparency or auditability, you’re either an amateur or being completely disingenuous. I know you introduced yourself with a litany of credentials, but the Dunning-Kruger effect is a very real thing.

tl;dr Windows is an appalling operating system and no one should even humour it for security-critical uses. I’m shocked and somewhat disappointed that Bruce does.

Nick P October 12, 2013 4:08 PM

@ Mike the Goat

Excellent design. I’ve noticed its very similar to mine and quite old school in its simplicity. 😉 NetBSD is a nice choice due to its portability, obscurity relative to Linux, and its internals are easy to modify compared to most Unices. Helpful community and runs Linux apps too.

@ RSaunders

+1 to floppies. I mentioned them in my original air gap link esp as they have write protect (IIRC), there’s tons of OS software/hardware combos with floppies, and you can hear them if anything tries to write to them. And they’re extremely cheap like you said.

There’s also the possibility of using the “super floppy” formats or other obscure media to throw the attackers off. If there’s a guard between trusted and Internet PC, the guard’s higher security might even prevent attacker from figuring out what media is being used. Harder to subvert that way. What you think?

@ Craig

Nice assurance argument for Linux’s superiority to Windows in subversion detection. 🙂

@ Goldry Bluszco

“Well, I’m surprised no one’s mentioned paper tape for data interchange. ”

I brought that up maybe a month ago here. I looked at old paper punch tape, high capacity barcodes, and the possibility of encoding info as a high-res pic printed on paper. Essentially, the safest ones have horrible capacity and those with better capacity take complicated hardware + software expanding risk. CD-ROM’s, floppies, serial ports, IDE, and restricted Ethernet are those with simplicity + usable capacity + many suppliers (reduce subversion).

So, I just ditched paper as a storage medium unless I’m storing text (aka printing). 😉

RobertT October 12, 2013 8:08 PM

I have not completely read all the comments but I’ve noticed one big difference with my typical file transfer flow between the airgapped and internet computer.

Always fill ALL available space on the transfer medium.

If I use a floppy for file transfer than I create a file of pseudorandom data known to both host and target computer where the size of the file is trimmed to EXACTLY match the available space on the target medium. I then XOR the target file with the pseudo-random file and write the resultant file to the floppy.

Since XOR with random is random it acts like OTP encryption. I dont need to be so paranoid about safe disposal of the used floppy AND I know it is impossible for any compression applied at the Internet side to squeeze some space to make room for a virus load to tag along.

Small point I realize but in these matters I find good Opsec is usually more important than perfect theoretical security.

Personally I don’t use modern USB sticks because they often contain lots of hidden space and extra so called “wear leveling” space, you just cant ever really know what you’ve got. Some modern sticks even incorporate read/write hardware to support Multibit-per-cell (3 or even 4 bits of information per Flash bit cell), you just cant know the real size of the device.

I’ve also played around with wired /wireless fie transfer where the transfer period is strictly controlled and AGWN is added to the link until a transfer is just possible using the most complex modulation possible and suitable Forward error correction. This is basically a form of file transfer at the Shannon limit.

Nick P October 12, 2013 10:21 PM

@ RobertT

What you’re describing is similar to my recommendation for mitigating covert channels for link encryption. I say use fixed sized chunks, fixed transfer rate. For efficiency, the channel is usually maxed out because who wants to use a slow rate, eh? So, both what’s on the line and what the CPU is doing always looks similar to the eavesdropper. Your proposal might have a similar effect compared to normal transfer methods.

Goldry Bluszco October 13, 2013 1:39 AM

I just had the weirdest OT thought about the “celebrated” behavior of border guards in the States and the UK taking travelers’ USB sticks.

Given a suitably capable stealth programmer and the state of knowledge of Microsoft Windows vulnerabilities and the market penetration of Microsoft products, border guards constitute an attack vector.

Maybe the border control that stopped David Miranda are even more stupid than they imagine. Just imagine: a USB stick with stuff hidden in the interstices. Border guard inserts stick; ET builds phone, phones home; much bigger ‘sploit (probly NSA-certified rootkit) visits to stay; infects network; PROFIT!

USB sticks of the required capacity are hardly expensive; suitably NSA-certified rootkits are probably available, though the NSA is probly not saying much about that. And NSA-certified ‘sploits aka backdoors are embedded into the fabric of ‘Net.

Having had that thought I think it’s so obvious that it’s likely to have happened already.

Mike the goat October 13, 2013 2:16 AM

Goldry: also off topic but I purchased a brand new USB stick, mounted it and found a few files on it. Okay so it was a manual PDF, a RECYCLER/ directory (hidden) and an autorun.inf. I got curious and rather than newfsing the disk immediately looked at the autorun which ran explorer.exe from the recycler directory.

Yup. Virustotal confirmed it. A new shrink wrapped packaged USB stick had a Trojan on it.

iwre0 October 13, 2013 3:13 AM

You guys, how much time do you spend to read one email?
Once you read it, how much time to deliver the answer to the sender?

then, after send it,….beep, another email, and begin again…

i think you get tired..don’t you?

Mike the goat October 13, 2013 3:17 AM

Nick: I had to use the ATMega164P as it has two UARTs. You’ll need two MAX232 to convert the levels too. Not too difficult a project. Unfortunately I can’t do any faster than 9600 bps reliably.

RonK October 13, 2013 6:27 AM

I see a lot of people talking about using Arduino and its ilk for serial communication. Why not program a Teensy 3.0 board with an SD card adapter (http://www.pjrc.com/store/sd_adaptor.html) to present the file system on the SD card in various ways depending on the state of some extra jumpers.

Depending on the state of the jumpers it could (just some examples):
* Only display filenames of files on the SD card but pretend they are empty
* Replace contents of files with hashes
* Display partially garbled filenames (kind of like 8.3 on Windows)
* Refuse to present files with blacklisted names
* Present the SD files but as an EncFS filesystem with a preprogrammed key
* Just present the SD files in regular form

Assuming your attacker doesn’t know which setting you will use to defend yourself via inspection of the SD card before use, he runs a considerable risk that his exploit will be caught — something which we know is to the NSA like garlic is to vampires…

Mike Acker October 13, 2013 8:08 AM

the intensity and ferocity of the attack on our communications is interesting in and of itself.

the one thing that works against the attackers though is the great number of people working in the business. it is not possible to keep close and reliable tabs on all the help all the time and as a result I have at least some hope that the evil secrets will be exposed

nastyness baked into our chips is a considerable concern. those of us who have been interested in and following open source software have put our faith in the idea that to keep anything honest the best plan is to get everything out in the open where everyone can look at it. this seems to have gained a lot of steam with the early releases of PGP.

this seems to to have extended to open source O/S systems, particularly Linux.

I’ve been using Linux — first Ubuntu, now MINT — for the last year. When I get my Linux system — I don’t get root access. (I know how to get it — but — having read the Security Notes on Linux — I know that this is not necessary and definitely not what I want to do ) .

this is important: Initially when I power up my Linux box and log on I am the ONLY user on the system. However when I open a web browser — either Firefox or Chromium — I am no longer the sole user of the system: when I read a Web Page — the Web Author joins me at the chair…

The Web Author can’t update the Linux O/S: you have to use sudo and have the admin password to do that. to get a key logger into the system that could transfer the admin password from one application to another requires root access and the Web Author can’t do it. so It’s unlikely that the web author is going to compromise the Linux system itself.

there’s other mischief available though,– the web browser has pretty much un-restricted access to the assets owned by the logged on user. as do most other app programs. this is not a Good Thing. I need to do more work with APPARMOR– learning to restrict what an app program can do. this wouldn’t apply to every app program — just those having net access. it might be well to create an app armor profile for every program — and — if general access is allowed — then restrict net access to nothing. example Nemo, or Nautilus (known as file manager to windows users) . such programs should not have net access. OTH a file transfer program — such as FileZilla for Linux — needs net access and thus should have access to directories other than the local copy of the remote directory restricted.

an air-gap can probably help but if a windows system is used as an air-gap the it is critical to disable auto-run. i find it incredible that auto run was used as recently as the STUXNET incident to infect computers. autorun is a total beginners’ mistake dating back to the floppy disk and such treasures as the Pakistani Brain, STONED, Falling Letters, and the like… Win7 leaves it disabled by default.

On net, I think air gap is most likely un-necessary for a Linux system particularly if AppArmor is used. Remember as you think about this: as soon as you harden your PC/Workstation — the attacker will put other resources into play. Particularly Traffic Analysis. ToR can help make traffic analysis more difficult, but it is also true that using ToR — is going to be a flag in and of itself. which would lead to the next elements: physical security.

Mike the goat October 13, 2013 8:09 AM

RonK: RS232 is good because the protocol is simple, well documented and universally supported. I think people like to avoid flash based media for a variety of reasons, some of them unrelated to the ubiquitous presentation of these devices via the USB mass storage like for example extreme difficulty in confirming erasure as a result of wear levelling. Using, say a CDRW would give you the ability to visually confirm erasure, for example.

vas October 13, 2013 8:19 AM

Dear Mr. Schneier,

For over a decade, we have been using UUCP over modem for transferring files to and from isolated FreeBSD (Taylor UUCP) and Windows NT (Kendra UUCP) hosts. Do you think UUCP makes a good airgap?

Mike the goat October 13, 2013 8:22 AM

vas: I use uuencode to move files from my workstation to my secure machine via a serial link as my data diode setup enforces 7bit ASCII. Of course it adds overhead on an already slow link but for the amount of data I actually transfer it is more than suitable.

Clive Robinson October 13, 2013 8:49 AM

@ Mike the Goat, Nick P,

I’ve been doing the serial port “data diode” and “security pump” since way before they were called data diodes. It was back when I was working for a Far East FMCE / telco manufacturer, many moons ago.

The problem they had was communicating to HQ from world wide offices, they used fax machines that would burn dial-up phone charging units at an extrodinarly painful rate. The HQ engineering dept also had a 75/1200 baud BBS used for dishing out errata and change orders and I got permission from the MD to try an experiment in that we would dial-in and download text files instead of faxes from them for our office, and they would then dial back and get text files from us (hence the download was always on the 1200 baud channel).

The MD was impressed with the initial cost savings (aprox 95%) and gave the go ahead for a better system. Unfortunatly he was not so impressed with later much lower saving, untill we pointed out just how much traffic increase there had been and that some people were sending rastor as oposed to vector graphic engineering files. What he did like a lot was it was all electronic and thus software and hardware fixes were way faster.

However on examing just what was being sent he became a little alarmed about dial-in security so I thought up a way of making it more secure. It used two Unix boxes at each end and the inside one was used as the collector of files from the office PC’s via a serial print switch and Kermit. A cron job then “printed” the files via serial cable to the second box which then used traditional Unix comms software to deliver them on.

The reason to go this way was Demon had just started offering what we would now consider “normal” Internet conectivity and we migrated over to it (yup it was that long ago when 33MHz 486SX’s were the hot thing to have).

I briefly described the “old equipment” setup I use several days ago on a thread in this blog, and I mentioned I used serial air-gap crossing and PIC microcontroler diodes / pumps / sluices to filter and check traffic as well as displaying it up analyser style (which one or more posters appear to have latched onto).

If you look at the Miicrochip PIC controlers the PIC24 series offer parts that easily rival those early PC’s and Unix boxes in terms of memory and IO, the real problem with them is a lack of “software interupt” but there is a simple trick to get around it. I’ve built tiny micro kernals for them and given them command line interfaces and ported chunks of Unix code across (less any complex file system support which you can fake-up inmost cases). And Microchip have the rather handy Explorer16 prototyping board along with extender cards for memory cards etc. They also now offer gratis USB and IP stacks along with FAT16 file systems so it’s relativly easy using their available code and a couple of books to hack a quite powerfull little system together.

One PIC24 related book I would recomend is by Lucio Di Jasio called “Programing 16bit Microcontrlers in C : Learning to fly the PIC24” from Newnes. And for those wanting to cut their own RTOS there is Jean J. Labrosse’s “MicroC/OS-II : The real time kernel” to give a head start. And a quick trundel around the Internet will give several hobby RTOSs etc for the PIC family. But why bother for the PIC24/dsPIC/PIC32 there is FreeRTOS which is available under GPL or commercial and there is a commercial “safty” version available with some of the hardest to get safety ratings ( http://www.highintegritysystems.com/safertos/ ).

There are also PIC32 chips that have replaced the internal traditional GI-Programable Interface Controler CPU core with a MIPS-M4K based one and in the process decoupled the core from Flash mem and IO hardware speed constraints. It also has a “poor mans” MMU which is a real advantage when doing your own OS. It will likewise run in an Explora16 board and has the tradition IO rich Microchip PIC IO structure that makes porting earlier PIC code fairly painless. As far as raw performance goes it will give the likes of 486’s a run for their money and probably quit a bit of legacy Digital hardware as well (when I’ve time I might try porting an early version of PDP Unix just to see if it can be done 😉

There is of course a cheaper way to get Linux on a Chip these days and thats the Rassberry Pi. However we know the Broadcom chip it uses has one heck of a sight more bits than is publicaly known. I suspect most are harmless but the chip was designed for smartphone usage which might raise a few eyebrows.

Mike the goat October 13, 2013 9:04 AM

Clive: yeah I considered using an embedded PC like a pc104 or a raspberry pi like device but figured it was a dumb idea as I was basically introducing more untrusted hardware into the mix. Hence using an 8-bit AVR. The code is pretty damn simple. Check the state of the gpio pins for my toggles on startup (if I want to change settings I restart rather than implementing code to change it on the fly.. Just for simplicity). 1,0=ingress 1,1=egress 0,1=bidirectional 0,0=disabled. In bidirectional mode it just acts like a synchronous proxy. In ingress/egress modes it will just silently drop any data that is going in the ‘wrong’ direction (that is – not pass it on to the other UART). Given the speed of the microcontroller I find that 9600 bits/sec. is the maximum baud rate I can sustain reliably. This may not be a limitation of the AVR – maybe just be my crummy overly simplistic coding.

Matthew October 13, 2013 9:16 AM

The problem with using non Microsoft file formats and no macros is that the files on Bruce’s air gapped machine are Microsoft PowerPoint files that originated inside the NSA.

How do you export a PowerPoint File to plaintext?
What do you do if the source files have macros necessary for them to properly show you the data you want to read?
What if the NSA starts embedding malware macros in their own files, on the chance that those files leak?

Remember: Bruce has binary data that originated with his potential attacker…

Nick P October 13, 2013 3:16 PM

@ Matthew

You’re going to laugh but there’s an easy answer for this: bitmap images. You can export each slide as a picture, convert each pic to a bitmap, and put them in a zip file. Have any idea how many different setups can view that and with little complexity? Many. Almost every step can be automated using tools from open source code, too.

(Note: any speaker text or other sections can go in separate files, text files or otherwise, as necessary. They just need to reference the slide’s image filename in them so you know what they applied to.)

Clive Robinson October 13, 2013 3:49 PM

@ Mathew,

    How do you export a PowerPoint File to plaintext? What do you do if the source files have macros necessary for them to properly show you the data you want to read? What if the NSA starts embedding malware macros in their own files…

As I’ve said above and many times before “Paper, Paper NEVER data”.

If you either print it out to paper or print to file in Postscript format you can rip out what you need. For paper you can scan the printout back in on the other side of the air-gap or data wise use a utlility like PS2TXT or equivalent.

The down sides are the length of time the vastly increased storage and most importantly securely destroying any print outs. All of which I’ve covered above.

Craig October 13, 2013 9:41 PM

I won’t go into detail, but you’ll have to dig deeper than that list if you need real paranoid security. The first 3 of those 4 are tightly controlled by companies with either a very poor track records of integrity, very close relations to the U.S., or both. Novell have a very suspicious relationship with Microsoft, Mark Shuttleworth is one of the most slimy, double-dealing jerks in the business and Red Hat are very much in bed with the NSA.

Debian are more independent but have a pretty awful history when it comes to security. Their SSH key generator had a critical security vulnerability for over 2 YEARS and in my experience, owing to their lax standards, Debian packagers are, on average, quite inept.

The best you can do would be to use something like Arch or Gentoo, where frivolous patching is kept to a minimum, most dependencies are optional and over-engineering is met with scorn. These kinds of distros are far from straight forward to set up though.

Mike the goat October 13, 2013 10:08 PM

Craig: this is why I like FreeBSD. You can look at the ports collection and see what patches are applied. But yes, I like the idea of gentoo – I believe they have a ports like thing called portage.

Anon October 13, 2013 10:09 PM

@Craig

I need the system to run some COTS engineering design tools, and there’s really not much on the market designed for outside those four distributions. “IP theft” is as big or bigger than the NSA in my threat model.

Mike the goat October 13, 2013 10:28 PM

Anon: despite the key debacle if you were forcing me to choose out of those four I would choose Debian.

RobertT October 13, 2013 10:52 PM

@ Anon 10:09
The first question you need to answer is:
Do I need more than one physical site to have access to a secure database at any one time?

If real-time access is required from all parts of the world all the time, then you have a very difficult problem to solve.

If there is only one air-gapped system with no comms required between different air-gapped entities then he problem is manageable.

We might have to talk about this offline if you have real commercial interest because I have real world experience with exactly the problems you’ll likely face.

BTW one of the biggest issues is likely to be the license server for the software tools authorization. You might want to make a small stand-alone setup first and see if it can even run the desired tools in airgapped mode i.e. without “phone-home” authorization.

name.withheld.for.obvious.reasons October 13, 2013 10:54 PM

@ Anon

The trick to locating a decent Linux distro is a selection process (for the sake of brevity I’d skip some of the “features” distros.

  1. Evaluate distribution network (if all the mirrors are listed as were.sneaky.bastards.nsa.gov, odni.mil, disa.mil, or *.ch all bets are off)
  2. Properly enumerated iso images with check sums
  3. Non-GIT source iso availability, not likely to find hash values for them except the ISO images themselves
  4. Strength of the developers community and its record for diligence (fedora, redhat share core for example, SuSE is followed by many ex Novell types–the own it, Ubuntu I believe was purchased by a chinese firm).
  5. The comfort level with the platform (for me Slackware fits the bill for light weight. I still run a 486 with it on 16 Megs and can safely run motif).
  6. Points for any campus that hosts a mirror that is close to you, walk over to there academic department and explain your situation. Someone will probably be interested in your quest.

RonK October 14, 2013 2:59 AM

@ Mike the goat

RS232 is good because the protocol is simple,
well documented and universally supported.

“Universally supported”? I’d say exactly the opposite, nowadays — it’s been a long time since I’ve seen serial ports on off-the-shelf consumer-oriented hardware, especially portable hardware.

I think people like to avoid flash based media for
a variety of reasons, some of them unrelated …

If you are using my idea to transport encrypted files only (which is anyway the only reason you could justify the OPSEC overhead), none of the reasons you list is applicable.

GentooAndroid October 14, 2013 3:06 AM

@Mike Acker: “On net, I think air gap is most likely un-necessary for a Linux system particularly if AppArmor is used.”

This is a very bad idea, when NSA is after you (e.g. if you are Snowden, Petrobras, or any other company), even if you are used to AppArmor. All the applications are running on the same back-doored processor, including the suspect ones.

The problem with the suggestions below is that if these files are encrypted and you don’t want NSA to be able decrypt them. The obvious solution is, after transfering them, to send back to the one who built the document, that you prefer a tar archive with images, or output of ps2txt/pdftotext.

@Clive Robinson: “If you either print it out to paper or print to file in Postscript format you can rip out what you need. For paper you can scan the printout back in on the other side of the air-gap or data wise use a utlility like PS2TXT or equivalent.”

pdftotext will give better results that ps2ascii ; I did not have tested ts2txt.

@Nick P: “You’re going to laugh but there’s an easy answer for this: bitmap images. You can export each slide as a picture, convert each pic to a bitmap, and put them in a zip file.”

The zip format may have been backdoored. Prefer tar format.

GentooAndroid October 14, 2013 3:08 AM

Typo in above post: replace “who built the document” by “who encrypted the document”.

Q October 14, 2013 3:08 AM

The same concepts are already operational since 2007 in the Freemove Quantum Exchange System, using datadiodes. Examples can be eg. found on wuala.com/FreemoveQuantumExchange/Aspects/Security/Programs/ChannelCodingExamples

GentooAndroid October 14, 2013 3:15 AM

@Craig: “The best you can do would be to use something like Arch or Gentoo, where frivolous patching is kept to a minimum, most dependencies are optional and over-engineering is met with scorn. These kinds of distros are far from straight forward to set up though.”

You need an update on Gentoo: it is easier than before, use the LiveDVD. And if you need a Gentoo installer even closer to Ubuntu, you may use Sabayon; after installation, stop using Sabayon packaging system, and use the Gentoo packaging system installed by Sabayon; use emerge world to automatically get a vanilla Gentoo.

Mike the goat October 14, 2013 3:37 AM

RonK: my comment re universal support was directed at the fact that all kinds of platforms have RS232 support. Given that those who are ultra paranoid will be using old hardware for their super secure machine then this becomes important. An old VAX or an old SPARCStation, an acorn RISC PC, etc… All of them have serial ports. You may as well use a deprecated architecture as they’ll likely be targeting Intel.

The good thing about RS232 is that I don’t need to run a CD or a USB stick backwards and forwards. I just tar up the files I want to move, uuencode it and then pump it into /dev/cuad0 after first pushing my toggle switch into the “ingress” position and turning on my data diode (and running a cat /dev/cuad0|uudecode|tar -zxv on the other side). The cool thing about uuencode is it will work when going from systems of different endianness too.

RonK October 14, 2013 5:14 AM

@ Mike the goat

It’s pretty clear that the discussion here is “all over the place”, so I accept your explanation about “universal support”. My proposal was more designed to help someone like Bruce, whose use case, it seems, doesn’t fit into the “ultra-paranoid” thread which the RS232 stuff fits into.

Mike the goat October 14, 2013 5:33 AM

RonK: yeah, it diverged from discussions way back about how the only hardware that could be truly trusted is about twenty years old. Someone remarked that 80386 was the last Intel chip that could be audited with standard electronic shop tools as it exposed everything and didn’t cache etc “inside the black box”. That wasn’t quite my point – more I was suggesting that pre-9/11 hardware would be more trustworthy from a political point of view, and I guess if you go a bit further back then the chip construction was such that a “backdoor” wouldn’t even be feasible to implement (not to mention that the dies were ‘big’ enough to inspect with a light microscope). Even if subversion was possible you wouldn’t expect, say an 80486 was made well prior to ubiquitous TCP/IP networking – chances are it (some kind of remotely exploitable hardware based ‘bug’) wouldn’t have even be considered. If you go back further – example being a DEC VAX – which are still quite usable today then I think it is safe to assume that you don’t need to worry too much about your hardware.

That said my RS232 solution isn’t /that/ secure. Clive’s suggestion of paper is much nicer. I guess another option would be a telecine style setup where the secure machine has a camera attached trained on a small display. Of course even an ultra paranoid person has to stop somewhere.

gonogo October 14, 2013 6:50 AM

Well, now that you have all secured your off-line PC to the point that there is no way to hack it from the outside, you are a prime target for a “TEMPEST” or rather a black bag operation.
And you may no like the idea because the safety of your relatives and yours may be at stake.

Clive Robinson October 14, 2013 7:07 AM

@ gonogo,

    … you are a prime target for a”TEMPEST” or rather a black bag operation And you may no like the idea because the safety of your relatives and yours may be at stake

I mentioned these aspects on my first comment on this thread. And if you search this blog agains my name and Nick P you will find I’ve said a lot about TEMPEST and in more general EmSec, including not just the usual passive attacks, but active attacks including “fault injection on EM carrier”.

But as I said at the end of my first post on this thread,

    I could go on about the technical details in depth including KeyMan TEMPET/EmSec, secure destruction and anti-personnel systems, however two point arise, firstly I’m not writing a book here and secondly I’ve said much of it before on this blog

Clive Robinson October 14, 2013 7:27 AM

@ Mike the Goat,

Nice as thee “Paper Paper” idea is it has some downsides. One of which is “how much paper” it’s said that the Ed Snowden trove has 58,000 GCHQ documents in it (see UK authority section nine witness statments over Mr Greenwald’s partners detention and confiscation of electronics).

Assuming that is true you are probably looking at three to five times that number of documents which all have multiple pages, so we could easily be looking 2-3million pages…

Now at a rough gestimate that’s aroom high (8ft) stack for each 10,000 pages or upto 300 stacks… Which at the very least is a big bonfire by any bodies standards…

I tried a small experiment the other day to scan an standard PC type LCD display, and it did not come out well, however an electronic “paper white” display found in many eReaders did… What I don’t have is one of those combined LCD screen / Overhead projector units to see how well they perform.

Mike the goat October 14, 2013 7:31 AM

Clive: yes, I was thinking along the lines of a telecine – a camera coupled to a VDU, taking snapshots and if necessary running it through OCR on the other end.

mike acker October 14, 2013 8:39 AM

@GentooAndroid

This is a very bad idea [] even if you are used to AppArmor. All the applications are running on the same back-doored processor, including the suspect ones.
~~
if the machine is rooted — you are toast. with a Linux system that’s a bit tougher than it is on others: the attacker probably needs to have had physical access to your box.

once you switch to Linux, and particularly if you implement apparmor, you have probably hardened you system to the point when you need to focus on the other aspects of security,– laywers, courts, ….and goons.

Nick P October 14, 2013 9:52 AM

@ GentooAndroid

@Nick P: “You’re going to laugh but there’s an easy answer for this: bitmap images. You can export each slide as a picture, convert each pic to a bitmap, and put them in a zip file.”

“The zip format may have been backdoored. Prefer tar format.”

That… doesn’t make any sense. Zip’s a file archive format. It can’t be backdoored. The programs working with it can be backdoored or attacked via poor handling of zip files. The same is true for tar format, though. Either can be used for air gaps. I mentioned zip because more people are familiar with it and it can compress. Compression is very important if you’re using non-DMA, slower than average transport. I see most tar users agree, though, as their files typically have a .z at the end. 😉

MarkH October 14, 2013 11:08 AM

“I see most tar users agree, though, as their files typically have a .z at the end. ;)”

Or even a 2!

Christian October 14, 2013 12:28 PM

My thoughts are less about the technical and more about the human aspect.

Bruce is an expert in cryptography, and disciplined enough to run a reasonably secure air gap system. But going against the NSA, the odds are still heavily against him. There are attacks that he can’t defend against (physical security seems to be the obvious one), the agency has vastly more experience and resources, it can afford to make mistakes, and its agents go home at the end of the day (or their shift) with impunity. The conservative conclusion can only be that they will get what they want.

They also have the power to affect his life and the life of loved ones (as discussed by Clive) in subtle and not so subtle ways, directly and via other agencies of the state. His status might protect him from drastic measures, but not from softer ones. And the harassment can go on long after the Snowden revelations come to an end.

Given that the NSA can get what they want, and do what they want, what kind of process led to your decision to take part in the Snowden revelations anyway? Do you nevertheless think that you can successfully defend the documents and your personal security? Was it a fully informed decision, taking into account even worst case consequences, but “doing the right thing” outweighed them all? Or was it at some point an impulsive decision, which stopped further deliberation?

BJ October 14, 2013 5:48 PM

Even a Windows computer NEVER needs to be connected to the internet.

I recently setup a Win8.1 (MSDN) system, and I didn’t want it to ‘activate’ the OS key and Office key, etc. until I was sure I was happy with it, so I did not plug it in to a network.

I downloaded all the needed drivers from the hardware manufacturer with another computer, and if needed, I could have downloaded MS patches from MS.

If I didn’t ever want to plug it in, activation can be done over the phone with MS.

Dirk Praet October 14, 2013 7:14 PM

@ Patricia

(Is this you, Valerie ?)

I like your concept a lot and appreciate the time you have taken to describe it in so much detail. The one thing I don’t like about it is the rather cumbersome moving back and forth of messages between systems using a CD/DVD. So I was wondering:

  1. Is this a real setup you are doing yourself, and – if so – are you using Raspberry Pi’s for both the IvoryTower and DoubtingThomas machines ? And possibly another one as your Tor portal (FYI: the network config is pre netctl and needs to be updated).
  2. If yes to 1., are you running Raspbian on them or something else ? On IvoryTower, it could be interesting to consult/manipulate documents from a CD/DVD because it has xpdf and you can also put Libre Office on it.
  3. Have you looked at integrating serial communication between CanonFodder and IvoryTower ? It’s definitely possible (Broadcom UART appears as /dev/ttyAMA0 under Linux). Some added security using a data diode as described by other commentors would of course be even more interesting.

Although I have some old 486’s and even a Sparc workstation left, I find the Raspberry Pi solution a tad more elegant and practical. That is of course assuming that it hasn’t been backdoored, but I don’t think anyone so far has gone through that trouble since mosts analysts initially thought of it as a completely unsellable product.

andy October 14, 2013 8:19 PM

@patricia:

Unfortunately your advice to use RPi is quite risky. The BCM2835 CPU/SoC used on RPi has a large binary blob and proprietary GPU, which have complete control over the ARM running Linux. It’s quite likely that there are bugs and/or backdoors in the GPU or its software.

Additionally, the ARM Linux kernel has some shortcomings compared to the x86 kernel. For example, some ARM systems are missing a high-resolution timer (I believe the RPi is one of these), which means that entropy problems in /dev/urandom are much more severe than on modern x86 systems (which have RDTSC). Some devestating RNG attacks are enabled when you don’t have any entropy to feedback into the pool; a highres timer provides significant entropy.

Broadcom SoCs have a history of security issues inside the chips, as well. If you can find a leaked copy of the BCM4704 errata list you’ll see some really amazing ones, and I don’t know any particular reason to believe they’ve gotten significantly better over time. Their design goal is to get a super-low-cost chip to market in the minimum time possible; security against a determined attacker is not part of their threat model.

Axon October 15, 2013 1:20 AM

@ Nick P (October 12, 2013 3:36 PM)

Yes, it can be risky in some ways. Yet, your evidence/example is a strawman to my posts as I don’t advocate using USB sticks. Matter of fact, I specically criticized memory sticks in my last comments. USB sticks have the extra problem of issues with handling at PCI level. Then there’s executable subversion possibilities. Invisible Things Lab even wrote a nice blog post on USB issues, with a partial solution to problems. [Explanation of air gap proposal.]

You’re confused. I didn’t commit a straw man fallcy because I wasn’t purporting to be arguing against your air gap proposal. I was arguing against your general claim that “Physical air gaps are much better for security.” As a matter of fact, I never said anything about your particular air gap proposal. I also never suggested that you advocated using USB sticks, and I never objected to your criticisms of memory sticks. In this case, you’re guilty of misreading (or failing to carefully read) my post. Look at the last sentence of mine which you quoted. I said, “But the behavior Bruce describes actually makes a physical air gap riskier in some ways.” I then went on to give an example of this. I was talking about the behavior Bruce describes in his original post as a basis for my example, which was a counterexample to your general claim that “Physical air gaps are much better for security.” (As my example shows, they’re not always better, let alone “much” better, for security. In some cases, they’re worse!)

I think you’re misunderstanding the concept of a TCB and how systems are attacked. The TCB is anything that can compromise the security policy. I know my concern about Xen’s TCB is valid because even XenSource says so. Think of it like an equation: Hardware + Xen + Dom0 + any extra middleware supporting guest interactions = huge, complex TCB. There are many groups of bright security researchers working on this problem (e.g. XenSE). That alone says there is a problem. 😉

No. You’re still the one who’s misunderstanding things here.

OK, let’s go through it step by step. You wrote:

And since a Xen-based solution has Linux in its TCB it means Qubes might have issues because it depends on it. (Unless they somehow removed all influence on secure operation the Linux and Xen code might have. Somehow.)

I quoted this and responded:

No offense, but this comment suggests that you don’t really understand what Xen and Qubes are or how they work. Xen is a bare-metal hypervisor, which means that it runs in a more privileged CPU state than any other software on the machine. (So it literally doesn’t make sense to suggest that the “influence” of the Xen code might somehow be “removed.”) The most privileged VM is called dom0 (sometimes called the “host domain” or the “control domain”), and although this is often a version of Linux, it need not be (see below). (So, no, Xen doesn’t necessarily have Linux in its TCB.)

So, let’s be clear: I was objecting to your claim that Xen has Linux in its TCB. And I was right to do so, because this claim of yours is false. The presentation you linked in no way supports it. It does not say or suggest in any way that Xen has Linux in its TCB. In fact, it doesn’t even mention Linux, so I really wonder why you think that it constitutes evidence in your favor.

More on USB attack vectors. Then a “trusted stranger plugged in trusted USB stick into insecure Windows PC led to its compromise” story. Already addressed USB. Then a new strawman called “permanently air gapped”. I’ve never mentioned a system where data never moves in or out b/c that would be useless for our discussion so why is 1/3 of your comment dedicated to them?

You don’t understand what the straw man fallacy is. This may come as a surprise to you, but you’re the one who’s committing it. You’re representing my argument as an argument against your proposed system when it’s not. I never even mentioned your proposed system, let alone argued against it.

Don Martin October 15, 2013 7:16 AM

Bruce,

You don’t need air gap. Try getting to http://spxdemo.com – someones Red Team tried for 3 months and failed. Once you are connected, the data is encrypted and bit randomized across 3 tunnels (three ports). We use three x.509 certificates and for the severely paranoid, a certificate on the client side for the server to validate. Any compromised certificate gives the adversary a channel of noise. This means no man-in-the-middle, no playback, no DNS redirect and no need for VPN. It is ready for iOS and Android too. There is a Sharepoint server sitting behind this URL.

This is another technology that resulted from the World’s Most Secure File Transfer I mentioned above. Please look at this 1.5 minute video:

http://www.youtube.com/watch?v=vUCLo-f5UNY

Dirk Praet October 15, 2013 10:09 AM

@ Andy

Some devestating RNG attacks are enabled when you don’t have any entropy to feedback into the pool; a highres timer provides significant entropy.

Hence my question in the more recent Insecurities in Linux /dev/random thread. It would seem that at least Raspbian can be tweaked to use the Raspberry pi’s 1Mb/s on-board HWRNG.

It’s quite likely that there are bugs and/or backdoors in the GPU or its software.

I can live with the BCM2835’s odd bug and even security issue given its intended use as a dirt cheap air-gapped system with a minimal attack surface. Low power signature, no Intel/AMD inside, no remote “anti-theft” technology (TPM et al), no soldering off bluetooth/wifi/microphone/camera, no Microsoft/Apple stuff and no legacy hardware required.

Although it cannot be precluded that Broadcom is in bed with the NSA too, I haven’t seen or heard anything tangible to that effect just yet, although – as pointed out by @ Clive – it was initially designed for smart phones, which is not reassuring. Note that the VideoCore IV firmware can be reverse engineered and examined. This may not satisfy the ultra-paranoid, but IMHO still is a reasonable trade-off, especially for those who lack the resources and/or technical skills to pull off some of the more secure but also more complex setups as detailed by @ Nick P and others.

An additional advantage is its portability and a better protection against black bag attacks. Replacing a seized pi is far cheaper than buying (yet) another laptop/macbook, and hiding/destroying the SD containing your OS, software and working documents a lot easier than swallowing a DVD or hard disk (remember Saul Berenson in Homeland Season 2). I imagine your place getting raided and your systems seized being even more dramatic for those among us using legacy hardware such as 386’s, Vaxes, or Sparcs for their ultra-secret machine.

All in all, I believe a Raspberry pi solution to be a better trade-off between security and usability than the one @ Bruce is using right now. Raspbian has xpdf, you can install Libre Office onto it and even compile Truecrypt from source. It’s low tech, easy to set up, dirt cheap, portable and has a much smaller attack surface than a traditional laptop/macbook while also offering better black bag protection.

@ Patricia (and others interested)

I just came across an alternative to thegrugq’s Raspberry pi PORTAL solution. Adafruit has something similar called Onion Pi. Looks totally neat and they also have a great step-by-step guide to set it up.

Jose October 15, 2013 11:29 AM

Use two computers, one with internet conection the second with no conection to the web… second transfer data only with DVD/RW in and from the isolated computer, obviously use OTP encryption… Ahhhh oh yes take the blue pill…. and continue your life, remember you are in the matrix…. LOL

BJ October 15, 2013 1:41 PM

re Windows Repairs…

And he/it (bot) probably filled in the URL with a link to a business.
But it’s not shown here, so it’s wasting time.

Nick P October 15, 2013 7:34 PM

@ Axon

I think the wording of my original comment may have caused much of this argument. So, I’m going to work on the phrasing in this one and get to the actual issue I have with Qubes for this. Remember that our threat model here is TLA’s, mainly the NSA.

My claim about Qubes is that they purport to be built on Xen to inherit its maturity, features, security level and hardware support at their foundation. Xen platform’s Dom0 has privileged access to protection domains (guest VM’s) so it must be trusted not to violate the security policy. That makes it a potential attack vector and therefore part of the TCB. The presentation mentions the Xen TCB problem on p7 and Dom0 issues specifically on p8.

So, if Dom0 is in a Xen solution’s TCB and Dom0 is Linux, then Linux code is in the solution’s TCB. That simple. If Dom0 is something else (X), then “X” is in the solution’s TCB.

Using this magic formula, then QubesOS’s TCB consists of the Qubes team’s trusted software additions (if any), the Xen hypervisor, and whatever is in their Dom0. Maybe they use something other than Linux in their Dom0. Whatever it is, it’s trusted software that can be used to break isolation and therefore part of TCB.

I did include this qualifier in orginal comment:

“Unless they somehow removed all influence on secure operation the Linux and Xen code might have. Somehow.”

That means that, lacking the specific inside details of Qubes, one of my claims about Xen-based solutions might be wrong about Qubes. Maybe they fixed the Dom0 problem I was talking about. They’re good problem solvers. Here’s a few possibilities.

  1. They have no Dom0 at all. Pure microkernel type system on top of the Xen hypervisor. Somehow.
  2. They put OpenBSD in Dom0 and stripped all unneeded functionality from it user and kernel mode.
  3. They at least stripped the Linux code to the minimum in every part of it and rewrote any complicated part that was hard to analyse.
  4. They used cutting edge techniques to enforce memory, control flow, and info flow protection on all code that is in Dom0 and Xen.

They might have done something like that. If they did and its robust against TLA adversaries, then my overall claim about Qubes is false. If it’s built on Xen and Dom0 with mainstream OS code in it, then that OS code is in the TCB attack surface. It’s 0-days waiting to happen if our opponent is a TLA. NSA reportedly has a large stockpile. They might be sitting on one right now for systems built on Xen as that stack is quite popular.

(Note: All this resource sharing also creates covert channel problems. I’ve read at least one paper using them against Xen.)

My original solution was to use physical separation, a very hard to subvert transport, older/foreign components for trusted machine, a very strong LiveCD system for untrusted Internet machine, and optionally protection on transmission like a one-way link or guard node. This kind of situation has both low backdoor likelihood and strong air gap properties. My solution can also provably prevent or allow detection of covert storage and timing channels.

Altogether, it’s a superior alternative to Qubes against the adversary in our threat model who can probably subvert a Xen-based solution at will due to its TCB issues. Qubes is quite suited to dealing with the threat of vanilla malware, but it’s not as appropriate against a TLA backdooring and hacking all kinds of popular software/hardware.

Peter T October 16, 2013 12:00 AM

“Note: the first company to market a USB stick with a light that indicates a write operation — not read or write; I’ve got one of those — wins a prize.”

the early USB flash drives used to have a hardware write protection switch on their sides to make them read only.
however I haven’t seen such a stick in many years, I guess the manufacturers have dropped this feature because it would cost them an additional 10 cents per piece. with some luck, on ebay we might find a few good old 32 MB flash drive with read-only switch

John Hasler October 16, 2013 10:52 AM

It most certainly is possible to install an operating system on an isolated computer without connecting it to the Internet. You can easily download and burn (or purchase) a set of Debian DVDs and use them to install Debian on an isolated machine. I can easily believe that this is not possible with Windows, but I find it puzzling that anyone would go to the trouble of setting up an air-gap protected machine and then install Windows on it anyway.

Gecko October 17, 2013 9:21 AM

Bruce underestimates tempest. You can switch on bluetooth from a huge distance for example, see blue sniper rifle. So you really have to destroy all antennas – and hope that there or no additional secret ones.

Bruce underestimates widows. The NSA owns windows. This means they can read from RAM, manipulate all kryptographic functionality, write data into file systems and so on. Even the best exploit for open source Linux should not provide the same rootkit power, at least not without being fully undetectable.

Bruce underestimates siphoning out. 1 GB on a USB stick is really a lot. Can’t you write a radom file of complementary size to a virgin write-once disk on a third computer (not the one with the secrets, not the internet computer) and then write your encrypted secret on the remaining space – this way absolutely minimizing the chance of additional data being written to that disk?

…I just have the feeling that bruce is not really concerned. I understand this as the leaks are in the semi-public domain. But if a secret service from a DIFFERENT country is getting the data then this still might affect national security?

Craig October 17, 2013 5:53 PM

“You need an update on Gentoo: it is easier than before, use the LiveDVD. And if you need a Gentoo installer even closer to Ubuntu, you may use Sabayon”

@GentooAndroid

I have no interest in using Gentoo, nor in installers “closer to Ubuntu”. My needs are already satisfied. My comment was just an aside, as a “reader beware”. There are many Windows users out there who are beginning to understand the benefits of using Linux — not all of them can stomach an arduous installation process as a first taste.

anonymous October 19, 2013 11:18 AM

Hi, Bruce.

I’m wonder that you walk away Tempest attack.

You can watch an example of the government security container http://www.ets-lindgren.com/TIPS Tempest Shielded Enclosure.

You really should have one for your air-gapped network.

About Snowden’s documents. Could you share full list of titles of files that you have?

I’m read this article:

http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security


Without attention, the 2010 GCHQ document warned, the UK’s “Sigint utility will degrade as information flows changes, new applications are developed (and deployed) at pace and widespread encryption becomes more commonplace.” Documents show that Edgehill’s initial aim was to decode the encrypted traffic certified by three major (unnamed) internet companies and 30 types of Virtual Private Network (VPN) – used by businesses to provide secure remote access to their systems. By 2015, GCHQ hoped to have cracked the codes used by 15 major internet companies, and 300 VPNs.

I can’t realize why reporters do that. They say: “30 types of VPN”, but there are no names, what kind of VPNs compromised?

What really NSA can do with VPN A or with VPN B. For whom does reporters submit such great leak, I don’t know. Could you share real names of broken software/hardware?

Cheers!

anonymous October 25, 2013 7:05 AM

By the way, are anybody know where to get cheap ATX case with embedded Faraday Cage or any other EMI shields against TEMPEST?

Clive Robinson October 25, 2013 9:34 AM

@ Anonymous,

You don’t say where in the world you are so suggesting most suppliers of “built systems” is not going to help you.

However building your own is actually not that difficult the hardest part is probably getting access to perfed mild steel plate that has been zinc or equivalent coated, and the tools that will give a proffessional look to your finished system.

You can get all the other bits such as EMI / EMC filters from the likes of Digi-Key, and construction notes and ideas from either ARRL or RSGB published home constructors guides for Ham / Amature Radio operators.

One hard to source item is “RF Gasget” and it’s not cheap. However what you do is “make your own” by stripping out the woven braid from RF Coax like RG58 and use that instead. Or if you can find it “de-soldering braid” but this is usually covered in rossine (pine) flux that will need cleaning off. If you need to have a “spongy inner” then have a look at TV antenna down feed coax.

I’ve had built a number of “cages” like this at quite modest cost where the side pannels were solid sheet steal, I told the company making then they were to stop desktops being stolen and they didn’t look surprised.

If you are going to encase the screen (and you should do) this is where your problems are going to be. The solution is cloth woven from very very fine wire sometimes called “RF Cloth” it’s not easy to find. alternatives that are nowhere near as good are types of “chicken wire” fencing material. I got lucky in that I managed to find some anti-glare screens that had a metal coating on the glass that much to my surprise gave around 30db lossthrough HF / VHF / UHF bands. Not surprisingly microwave oven doors provide reasonable shielding but are generaly crap to look through.

Keyboard shielding can be done if you know what you are doing, the hard part is finding a keyboard where you cn get the keycaps off and put a thin metal sheet across with holes for the key sprues the caps go back on. I made a template using “baco-foil” and some foam. Basicaly put the foam down on a flat surface and lay a sheey of foil across it. Having removed all the key caps turn the keyboard sprue side down and press gently and evenly so all the sprues leave a mark on the foil. Lift the foil of lay on a pice of card or a cutting mat and then using a 5mm leather punch (or fired .22 cartridge) cut out the sprue marks. Gently drop the foil template back on the keypad sprues to check it. If it’s OK use this template to punch out thin brass plate model makers use. Then build this into the keyboard case the details of doing this are very keyboard type selective so your out on your own there.

suspected October 27, 2013 7:18 PM

2Openmoko, could you provide with a secret of all this open smartphones, why peoples called it “Open”?

According to wikipedia article: CPU Samsung S3C2442 SoC @ 400 MHz

http://www.samsung.com/global/business/semiconductor/product/application/detail?productId=7119&iaId=836

“Thus, an SoC designed for a mobile handset would include front-end GSM RF functionalities on-chip, which would be absent in an SoC designed for deployment in a digital still camera.”

“For more details about product specifications or technical files, please inquire through ‘Contact us’ Some information may be limited to the authorized person or company.”

I’m not sure, but looks like this GSM may be enabled actually in digital cameras with this CPU.

Openmoko October 28, 2013 5:33 AM

@suspected: “I’m not sure, but looks like this GSM may be enabled actually in digital cameras with this CPU.”

I don’t know.

They pretend that there is no proprietary driver for GSM. Only for Wifi+Bluetooth, and 3D acceleration; both are optional to me (ethernet over USB is a good replacment).
http://lists.goldelico.com/pipermail/gta04-owner/2012-February/001532.html

This page pretends to compile a GSM driver: http://bb.osmocom.org/trac/wiki/OpenMoko

There a bugs http://projects.goldelico.com/p/gta04-kernel/issues/ but you can fix them!

Various howto: http://projects.goldelico.com/p/gta04-kernel/doc/

Aaron November 22, 2013 10:03 PM

To mitigate TEMPEST, use a laptop with a metal chassis for one, two, no RF at all going on, three, power from a full sine continuous UPS, four, run an old CRT tv in the room. Another good one is a brushed motor fan. Consider metal bearing paint under the latex on the wall if you can stand being in a cell dead spot while working. Prolly best to leave the cell phone out of the room anyhow.

gary barnes November 27, 2013 9:46 AM

The length of time a person has been using an airgap is an indicator of their “cryptosavvy,” where cryptosavvy is a measure of mathematical crypto ability and common sense. Anyone who did not use an airgap prior to Snowden-2013 is clearly a cryptoidiot.

Dave December 2, 2013 1:07 PM

Air gap is a start, but unless you remove wifi card from offline computer you are doing yourself no good against a serious adversary. (That button you push to turn it off? that is merely a suggestion to an operating system).
I air gap the data collected on the offline computer as well:

If you research a variety of actors, you may want to remove hard drive from offline computer and keep data air-gapped from each other on plugin storages instead.

I boot from immutable CD, use external hard drives, and transfer data to/from the web using one-shot dvds.

even if they get me, they only get the research on themselves. They don’t get my family photos, associated metadata, and other pii, like who I am, who I love, where I live. Anyone can be gotten to. Aks me how i knowz.

oh — and do NOT use an HP, unless you have some special knowledge for how to flash the graphics card. Lulz can infect you here, and so could other bad guys, but ones you might never know about, ie, ones who don’t spit raspberries at you like Lulz tends to do. I have multiple systems infected like this, and they’ve never been picked up by any anti-evil vendor out there.

Clive Robinson December 19, 2013 2:22 PM

@ Doc,

Tthe page you link to says rather less than in the comments above. Forinstance have a look at,

    Ben • October 11, 2013 9:23 AM

He proposes the same “serial” solution (only using Xmodem not Ymodem). Looking down from there you will find many comments about using RS232 serial data diodes pumps and sluices.

mike December 31, 2013 4:11 AM

You can also use a text scanning software(OCR – optical character recognition) so the only way your computer receives data is from printed and then scanned into the computer. You could even do that with pieces of code and then compile them as well. I would even go as far as removing any wifi chips, removing USB or filling the ports with glue, remove microphone/speaker. There is also very crazy ways for a monitor and even a keyboard to emit a frequency that could possibly be picked up as well, not sure how to protect against that, but I am sure there are methods if you wanted to get to that level of paranoia.
If you went that far, and your data was wanted bad enough, you would probably be stuck in Guantanamo and be tortured worse than any documented classified cases have shown ;o

Black Panther January 9, 2014 10:22 PM

A commenter above suggested not buying “off the shelf” but building a computer. They completely missed the security implications of ordering specific parts for a custom build vs. buying off-the-shelf where you can pick-up in store right that minute.

In a nutshell: if you order parts (online inevitably), the NSA have the chance to intercept the package and compromise it, knowing exactly who ordered it. If you buy very common off-the-shelf hardware (a complete computer system) from a major store where they have the computer ready for immediate collection, there is an extremely low to zero chance that the hardware was compromised before collection.

An older user March 3, 2014 8:52 AM

Excuse my potentially stupid question, but I seem to have missed something. How would it be possible to have external access on my pc if the pc has no device to send out data, i.e. no wireless lan et cetera? Asked differently, why is not enough to simply ensure that the pc can’t connect anywhere? What I mean is: even if I got some spy ware on my pc, what does it matter when the gathered information cannot be sent to the interested parties anyway?
I assume no-one will walk in my house and manipulate my pc…
I would be very grateful for an answer

Nick P March 3, 2014 9:46 PM

@ An older user

The essence of security is controlling the flow of information. You have to keep your sensitive information from getting to the enemy. You have to keep their malicious information from getting to you. The information itself is just electrical signals moving through various devices in your box. So, when building an “air gap,” what could go wrong?

  1. The attacker might get physical access to your system on site (popular with spies) or by intercepting it in transit (popular with NSA/FBI). With physical access, they can bypass the security, backdoor it, and implant tiny hardware that has built-in communications.
  2. Your machine might have connectivity built-in that you didn’t know about. Typical examples are chips with built-in WiFi, bluetooth, or 3G. Vendors often re-use existing chips or intellectual property without telling you. If they spent millions to build an integrated smartphone chip that costs $50, why not use it in as many devices as possible to recover costs?
  3. The method you use to move data to or from the air gapped machine naturally bypasses the protection. Enemy might use that method against you. Canonical example: using USB sticks to move files means they just got to infect your USB drive. Some also air gapped their machines with very expensive firewalls. With firewalls weakest link, the opponents just developed bypasses for that firewall. And so on.
  4. There’s things in your machine that you might not think of as communication devices. A recent, exotic attack allowed air gapped machines to communicate over the sounds the speaker made in a range that human ear couldn’t hear.

  5. Every machine emanates electromagnetic radiation all around it for a certain distance. With right equipment, a person nearby can capture that and possibly piece together the original information. That field of security is called EMSEC. The equipment that prevents leaks of such signals is “TEMPEST certified” in US. This equipment is ugly, often bulky, expensive, and restricted in availability by government.

(I stated on this blog years ago that the US govt might keep us from having TEMPEST defenses so they have a sneaky way of spying on us. Leaked NSA catalog shows they use passive and active emanation attacks that TEMPEST might stop. Sneaky, sneaky.)

So, there’s quite a few ways an air gap can be made to connect or leak information. Dealing with these a step at a time, you must first determine who you don’t want spying on you and who you don’t mind. Buy the security critical tech or hardware at least from those you don’t mind. Use embedded boards as you can choose which features they have (eg wireless support). Many can run an open source firmware or Linux. That’s part of your problem solved right there.

The next step is how you connect things to it. The US govt uses “guards” that sit between networks, inspecting and controlling whatever flows between them. Your best bet is to use a simple embedded device, Linux or OpenBSD maybe, connected to trusted and untrusted systems with a serial port on each side. Serial ports are simple, easy to program, widely available internationally, and have less hardware attack surface. The guy I know who uses one says it’s about the slowest way you can move a file. Have fun with that. 🙂

(Note: floppy drives are also potentially useful because floppies are cheap and have a physical switch to prevent writing the disk. Potential attack I see, though, is the floppy firmware or driver has a bug that they exploit. Idk the odds which is why I gave serial port as main option.)

You also must protect the hardware in whole lifecycle. If you are being targeted, you will have to get someone else to buy the hardware for you. Inspect it on arrival looking for anything that’s not in the picture of the board. Embedded boards are nice again as they only have so many chips and the board’s picture is often on the web site. When you have it, you must physically secure it 24/7 from modifications. For emanations, no wireless devices, weird looking antenna, or people in suits with no evidence of personality should be in a 100-200 yd radius of the machine.

So, there’s a few steps on your journey down the rabbit hole that is information security. Enjoy the trip and try not to loose your mind to paranoia. 🙂

Figureitout March 3, 2014 11:59 PM

Nick P RE: older user’s question
–Good post; the blog’s been lacking from a real “Nick P” post for a while now…Just have a couple nit-picks which I know you love…

Barring a highly militarized environment, physical security can be compromised by a janitor (no disrespect, never elevate myself, just stating a fact; in fact I was able to test some “access violations” in a landscaping job). The rarity of it also means that an attacker will have mostly smooth-sailing…

There are now beginning to be a lot of tools which people of low ability (again, not elevating myself. In fact I can’t be 100% sure in radio b/c it’s so “jiggly” and sporadic) can begin setting up SDR’s to a dedicated computer (which can still be compromised yes, but for $35 you got a Pi, which you still need to flash a smart card on a computer that may be infected) which will capture wide bands.

USB is nice and easy, and I’ve got an infected USB which I continue to use to spread infections so eventually the malware will be found; but regarding a “serial connection”, what needs to be clarified more is what code is analyzing the data. If the peripheral controller is hacked, then you still will have potentially “goodies” being slipped in and you won’t see it. Or if you’re physically approving each byte, that’s just highly impractical, only for crypto keys is that doable for the most people possible.

Hopefully soon, I’m going to get an OpenBSD box set up, but so far all the computers in my house so far that I’ve looked thru are infected w/ the same infection. This laptop…it’s so infected I don’t know how it still functions…Seriously what can someone do at this point?

Protecting hardware thru the whole lifecycle is impossible and you know that. Someone would need a lot of cash and a year following their computer from the metal-mining to the all the fabs…even watching someone work they could be installing an “ASM” virus or even worse malicious circuits to be noisy or route information to a hidden chip tucked away in a “benign component”, that is disgraceful engineering.

People that want to solve these problems…they will succumb to paranoia or just accept some malicious code stealing your CPU or blurting out to bluetooth receivers. Check out Kali linux w/ all the bluetooth attack tools; wireless attacks are extremely trivial now.

Figureitout March 4, 2014 12:27 AM

An older user
–To answer you’re question, no one really knows. The security field has really been torn open lately where there’s literally nothing you can trust anymore. This is a problem b/c now a wise assumption is basically all software is can be compromised on the internet. Want to get a copy in the mail? Interdiction. NSL’s force people to lie to your face or they go to jail. It’s such a clusterf*** that the NSA, this supposed superior group of eagle-eyed machines…they got socially-engineered and even worse they wouldn’t have noticed massive amounts of data leaking from their network. So we’re stuck in this stupid loop and we need to cut the “features”, kill a lot of functionality and get back to the core of computing whereby even if you do get hacked the attacker[s] won’t be getting jack in return.

That’s my ultimate lesson, making sure the attacker won’t get jack, in fact s/he may get a little lesson that they can get owned just like the rest of us.

Nick P March 4, 2014 10:18 AM

@ figureitout

“physical security can be compromised by a janitor”

If you let them into your house, which I assumed was his use case. Maintenance men, support techs, “that guy from the utility company,” etc. are classic ways that both black hats and red teams get access. I mentioned physical security as a requirement. It’s hard enough that I didn’t care to give a guide on it.

” but for $35 you got a Pi”

That’s a common myth. A Pi is not $35. It’s so batteries not included that one must buy extra stuff to get it usable. End cost is usually closer to $70. A used laptop can be had for $80-100 so I don’t find Pi’s total cost of ownership to be so great. Great for hobbyists for other reasons, though.

At least until the $99 Parallela is available. 🙂

“Or if you’re physically approving each byte, that’s just highly impractical, only for crypto keys is that doable for the most people possible.”

The better route is to use memory and IO protection to designate a specific area for it. Then, the processor pulls from network/storage into that area using PIO. Then, a carefully written program checks it for input sanity or a hash if you have one. If it passes the checks, it’s moved into the next stage by yet another program. Any attempts to escape that area or otherwise do weird crap get caught by basic memory protection. This can be done on many simple and old processors as it was main way they operated before complex virtual memory became the norm.

And segmentation, much hated by mainstream, kicks the crap out of paging for building stuff like this. Good thing that the CHERI processor has a simple instruction set, open code, and a segmentation engine.

“Protecting hardware thru the whole lifecycle is impossible and you know that. ”

Depends on what protecting means. There’s always a cutoff point. Many people don’t think they control the fabs and have made good arguments for that. Many, myself included, think they only backdoored things that are modern and widely used. Obscure or old stuff just has the typical problems. And interdiction is a targeted attack whereas most people aren’t targeted that way. So, one can get pretty far on hardware assurance without fabbing something.

“Hopefully soon, I’m going to get an OpenBSD box set up, but so far all the computers in my house so far that I’ve looked thru are infected w/ the same infection. This laptop…it’s so infected I don’t know how it still functions…Seriously what can someone do at this point?”

An OpenBSD box is nice. If your attacked by a sophisticated threat, you are unlikely to escape it by choice of OS. I’ve been operating under the assumption that my stuff is someone else’s property. Truly private stuff has to be done in person with trusted people in relatively random meeting places. Until the new architectures are designed and fabbed, there’s no way to build secure mainstream PC’s. Even my designs for that which I used in the past cost ludicrous amounts of money and have high maintenance. That I’ve recently been looking into NUMA and MPP machines hints at that cost.

Your situation will be easier if you decide on a use case first. You wanting to do video, web, crypto, programming, etc on same machine? Unlikely. You’re better off getting an old, obscure, air gapped machine for your secret stuff with one of the transfer schemes I mentioned. Anything truly not critical just assume it’s hacked and make backups onto write-once media that you check before storing.

For your fresh start, which you will need, go buy a new system. You might be better off buying several netbooks or desktops instead of a laptop. This is because you need physically separate machines plus lower cost (laptops ain’t cheap). A KVM switch is good if you get desktops. You need to go physically buy the systems from someplace with cash as enemies can’t interdict that. Get an open firmware for them, esp with trusted boot, that you check on another machine. If no changes (rootkit sign), install the firmware on the new machines. Disable wireless and anything you don’t need in firmware. Then, install a Linux or BSD on them. Follow hardening guides.

It’s a start. Of course, it’s so much trouble and one mistake will get you hacked. At least your PC’s will be more reliable, though.

Figureitout March 5, 2014 9:19 AM

Nick P
That’s a common myth.
–True, the peripherals add a real and security cost; and if you use 2 usb devices you need a usb-hub to have an external usb.

you will need, go buy a new system
–I really don’t want windows 8 preinstalled into roms I can’t kill w/o physical destruction and all the bloatware that makes me want to…burn this mother down.

I’m having a hard time imagining code sufficient to analyze all incoming serial data. I would guarantee malware slipping by.

An older user
–Please, it’s a blogpost not an actual useable product. Just need simplified tutorial which no one can give b/c they don’t follow one and thus holes galore.

anonymous March 11, 2014 4:20 PM

I have found some Faraday Cages:

1) 28 Cu Ft Portable Faraday Cage Screen Room double copper mesh
$995.00
http://cavlon.com/zcstore/index.php?main_page=product_info&products_id=10705

2) Small portable Faraday Cage Screen Room double copper mesh
$1,995.00
http://cavlon.com/zcstore/index.php?main_page=product_info&products_id=10704

1-2k$

I’m also discovery EM Tents:

1) Cost effective instant Faraday tent:
http://www.hollandshielding.com/158-Shielded_tents-en.htm

strong and highly conductive textile

2) Ultra-Lightweight and Portable RF Shielded Tents:
http://cryptome.org/bema-se.htm

Monsanto’s Flectron metallized material

I don’t know how to buy it.

And governments enclosures:
1) The Raymond EMC QuietStation:
http://www.raymondemc.ca/products/products1a.htm

2) DEI Enclosures for Government:
http://www.ets-lindgren.com/DEI-Screen

Exterior Shield: Copper Screen

I don’t know, are a mere mortal can get one?

Could you folks describe me, what is the best?

I’m looking for the cheapest comfortable way to build TEMPEST std Air Gap.

For example, I can’t realize how Computer can be situated inside the Faraday Cage. I’m afraid to bring even a magnet to the HDD.

Tux April 20, 2014 10:02 PM

Isn’t it open office/libre office’s dependency is java? I hear a lot of bad words when it comes to java.

TPhilly May 1, 2014 12:12 PM

AirGap by spikes security gave us an air gap with web access!!! Thanks Spikes:) No malware… full anonymity… what more could you ask for… and its reasonably priced. I have been recommending it to my colleges as well.

"Yoshi2" March 17, 2016 5:45 PM

The NSA and/or FBI is not necessarily the type of organization(s) to guard against.
It’s other types of traversers that might be more worrisome.

Also, there are other reasons to keep a system offline besides just security issues.
Some types of preferred computer configurations are possibly more efficient without unneeded software, firmware, and hardware installed or enabled.

Your toaster oven doesn’t need a wifi connection. It’s just supposed to be a toaster oven. And you might not even want to own a toaster oven if you’re cooking all the nutrients out of your own bread. And why even have bread if you’re gluten intolerant.

This is why the “Internet of Things” movement is a nightmare.

Sonya April 1, 2017 11:46 PM

Okay, so I’m reaching out here hoping that someone here can help me air gap a windows 10 pc. I have disabled everything I can possibly think of… I have no connection to it in fact disabled all the internet services. It still sends out bytes, these are not loop back or bounce back and appear to be “datagrams.”

I am a designer, and I’d like to be able to have the option to keep my designs on my own device, no cloud services – in fact do not even use my Microsoft account.

I am constantly killing remote services that I have already disabled, I am constantly killing telephony (another service I have disabled). I have to end kill the processes for the background apps that I have gone out of my way to turn off.

I just did yet another clean install of windows trying to solve the issues but nothing works not one of their updates allows me to feel as though I have control over my own pc.

I have one program installed other than the graphics card driver… But these issues start before I even installed those.

I just want to be able to stop everything from going out, I do not want to see any thing displayed in “Network Other” in process explorer anymore. No one else has been able to help me so hopefully someone here might have some more solutions?

Clive Robinson April 2, 2017 8:00 AM

@ Sonya,

hoping that someone here can help me air gap a windows 10 pc. I have disabled everything I can possibly think of… I have no connection to it in fact disabled all the internet services. It still sends out bytes, these are not loop back or bounce back and appear to be “datagrams.”

What are you trying to “air gap” the actual PC or a network it is connected to?

Because what you are describing sounds more like “hardening” your PC than “air gapping” it.

Banana November 30, 2018 10:31 AM

Great post! However, maybe a better term thab paranoia can be used to describe a common motivator?paranoid adjective

para·​noid | \ˈper-ə-ˌnȯid, ˌpa-rə-\
variants: or less commonly paranoidal \ ˌper-​ə-​ˈnȯi-​dᵊl , ˌpa-​rə-​ \
Definition of paranoid

1 : characterized by or resembling paranoia or paranoid schizophrenia a paranoid psychiatric patient

2 : characterized by suspiciousness, persecutory trends, or megalomania behaving in a paranoid manner with accusations of persecutions

3 : extremely fearful was so paranoid that he was afraid to walk the streets

J January 13, 2020 8:19 PM

TAILS has come quite the way since your article was posted, and continues to lead the way for privacy minded users.

Came across your article via Robert Fisk’s post – https://globotron.nz/blogs/news/needs-more-blinky – who also saw it upon himself to accept your challenge and create a USB storage device with a write LED.

Hope he’s scored himself a sweet prize. Lol

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.