Nick P • August 7, 2015 8:52 PM

@ Garrett

They’ve most likely applied one of the compiler-driven techniques for randomization or control-flow integrity from academia to Windows kernel or libraries. There were a few papers that did this for closed-source, Windows applications. There’s also projects that did it for Linux with minimal changes. So, I think it’s feasible to do even more on Windows by knocking off academics, doing reverse engineering, and lots of troubleshooting. Still wouldn’t be secure, though.

Best route with Windows is physical isolation or using separation kernels w/ hardware support (eg IOMMU). Treat it like a black box that might attack or lie to you at any time. Put as much critical processing as possible outside of it. Ensure trusted path (see Nitpicker GUI) to your critical apps or the untrusted, Windows functionality. Slowly migrate away anything you have on Windows to BSD or Linux where possible. Do the same with those in addition to tech like I referenced above (easy with FOSS).

Nick P • August 7, 2015 9:41 PM

@ Alien Jerky

“No, what bothers me is it’s reflecting everything but us.”

(swoosh) (screams) (opening credits of squid, horror movie)

Nick P • August 8, 2015 8:33 PM

@ tyr

“What is the technical debt of the current interNet incarnation ?”

You’re going to need a 64-bit variable for that one. Showing that formatted as $ to vendors supporting Internet compatibility should end the project immediately. 😉

@ 65535

To add to Clive’s conclusion, you can get very usable systems out of the x86 and RISC boxes built before power management or always-on were mainstream. All kinds of them on eBay with native OS installed, some communities maintaining modern libs for them, and actively-maintained Linux/BSD ports to them.

Nick P • August 8, 2015 10:56 PM

@ 65535

Should be fine as about anything they do will need the power-source outside of interdiction. I doubt your client is an interdiction target. So, making sure no power gets to the device at all should knock out CPU and most useful components. Only question is whether modern laptops have any functionality backed by an internal battery other than main battery. I can’t remember as I haven’t looked into one in a long time.

Remember, though, that we’re speculating on the rarest kinds of attacks. The computer is more likely to be hit by malware that circumvents the OS and lately firmware. The malware will phone home when or how it’s able. So, interface protection and app protection of whatever type you can do are quite important. Plus, have him regularly (eg weekly or monthly) restore from known-good backups on write-once media (eg DVD-R’s). Helps to separate system and data partitions so data can be protected with Truecrypt derivatives while system partition’s restore is faster & has less DVD’s.

Nick P • August 9, 2015 12:03 AM

@ 65535

I might have made a mistake there in how I said something. Regularly restoring from backups isn’t good enough. The thing is that you regularly restore from clean backup, apply updates, do any app/config changes, back that up immediately, and so on. In between these, you do your regular updates and incremental backups for more minor issues. These larger steps are to try to flush out bigger issues by making sure the system is in a clean state when it processes updates and full backup. Not sure if it’s absolutely necessary but it’s something I did on Windows machines. I used an Acronis Boot CD for it, too, so it didn’t happen under Windows’ control.

Nick P • August 9, 2015 1:59 PM

Sancho_P has a good point: we shouldve reminded you to put extra focus on router protection. Attacks on them are on the rise. Usually 0-days and config problems. So, best route is an OpenBSD router that you customize, do from a OBSD router distro, or get from vendor (eg Genua).

Nick P • August 11, 2015 6:07 PM

@ Clive Robinson

Hacker News posted a nice TRNG that aims at simplicity, anti-subversion, effectiveness, and decent speed. They rely on noise sources that aren’t affected by many variables with some minimal input from others. I like what I see. You should review it for flaws/effectiveness, post your thoughts here on its existing state, and send them suggestions to correct any problems you find.

Note: Here’s the How section for details. Very simple approach. Hopefully not too simple for its own good.

@ name.withheld

Feel free to chime in as well. I’m always up for any chance to review and maybe standardize a good version of something people often get wrong or re-invent.

Nick P • August 12, 2015 11:00 AM

@ Clive

That’s what someone else when it hit HN. I just emailed them suggesting:

1. They open and publish the circuits for review but not use w/out a license (cryptophone model)
2. They let select people (yourself included) review it under NDA, give a recommendation without too much detail, and submit any problems/fixes/improvements for them.

I suggested they also could license the circuits for use in custom boards or ASIC’s. I forgot to suggest they could patent it if they were worried about I.P.. I reminded them that even /dev/urandom provides pretty good entropy these days and can be audited unlike their design. Post-Snowden and from Australia, they better publish some details if they want to be trusted. 😉

Nick P • August 14, 2015 12:26 PM

@ Figureitout

Yeah, that was an advantage of Ottela’s work. Theirs seems better in a number of categories, though, with them doing a lot of work to get there. The man-years of work, ease of cloning, and lack of huge, legal team are why they haven’t published full schematics. They’re trying to recover the investment but aren’t pushing a mainstream product. Plus, they correctly pointed out that (a) most homebrew attempts out there are crap in one or more dimensions of TRNG design/performance and (b) inexperienced people trying to copy them usually make them worse. So, they tried to build something that works and facilitates easy verification by hardware hackers.

People worried about that can always feed a shoebox of die rolls or well-shuffled cards into hashes several times to seed an ISAAC CPRNG. Should work well enough. Alternatively, try to correctly build and use a TRNG described on the web by reputable source. (See how loaded with risk that sentence was?) Preferrably a combination of them. Still trusting third parties but design is more open. Choose your poison, I say. 😉

Nick P • August 14, 2015 12:45 PM

@ Clive Robinson, name.withheld

The BitBabbler team, esp lead engineer, responded to me. Should support my claim about real vs perceived INFOSEC in that he said I was the only one talking about a security review with specific concerns out of all the emails and visits they got. It was literally the only thing that people didn’t ask. (rolls eyes) Like me, he also doesn’t see the value of open specs given most people aren’t qualified to evaluate them and those that can “should” be able to evaluate the device itself. That plus a concern of cloned I.P. is why it’s closed right now with select reviewers.

Anyway, he gave me a long and thoughtful email that attempted to address many of my points. I’m going to ask him if I can forward you the whole email to keep us all on same page and save writing. Clive, I lost your address that tommy forwarded me when Hush locked my account due to inactivity. (assholes) However, I made a new, public one for my security consulting that aims to convey the right impression (marketing) while being easy to spell: digital kevlar (no spaces in between) on Google’s email service*. Interesting to see if the email scrapers will process that. 🙂

So, you two just send me an email with a few statements for me to do basic authentication. I figure all our public/private emails are compromised anyway so I’m not too concerned unless I see PDF’s or EXE’s in attachments. 😉 After you email me, I’ll send each of you my Swiss email and hopefully the engineer’s reply later.

*Note: Every variation of my name & INFOSEC function had been taken already. Probably scripted. Surprising that this one wasn’t. How do you like it?

Nick P • August 14, 2015 7:28 PM

@ Clive Robinson

That’s hilarious. A sneaky variation of the old, “fake AV,” scam. I particularly like how the “security” companies blindly trusted each others’ submissions without verification or concern for malice. It was probably done for economic reasons given huge volume of virii doing all kinds of different things. Worth someone’s Ph.D. to look into securely sharing and verifying signatures of malicious executables without similarly being poisoned. Props to Kaspersky, though, as that was some nice villainy in a market that’s full of [sh]it.

Good thing I used BitDefender on my few Windows boxes. (pauses) I… think… it’s a good thing I used BitDefender… (paranoia resumes) Oh hell, I figured they’d all screw me and it’s why I have a Linux desktop. 🙂 (pauses) Nevermind, gotta stop thinking… lol.

“With regards Email, I’ve got to set up a new giigle account just to get a few android apps so I’ll let you know the details.”

Cool. I’ll be checking the account periodically. I’m about done with my reply to the main engineer. I went ahead and asked for permission to forward his + my email to you or name.withheld when I get your addresses. As he covered a lot of ground, it will save him typing and keep us on same page initially.

I can’t tell from his description if it’s an ASIC or visible, analog circuits on PCB connected to SOC’s for MCU/USB-interface. I’ve asked for clarification. He did say they intentionally made implementation simple and price cheap so hardware people could analyze it easily. Can’t say anything further until I get his reply except to say his email was a pleasant read compared to most and the non-subversive reason the specs are closed is pretty believable. So far. 😉

@ Figureitout

“You didn’t however address their admitting that they could be selling snake oil b/c random is not defined. ”

It wasn’t an admission of anything, doesn’t prove anything, and didn’t merit a reply. It’s actually a symptom of their site’s (and email’s) extra amounts of honesty about risk. I can’t even remember where they mention it but the nature of randomness is still open to debate. So, they move to practical where you pick sources that physics & experience show have random noise. Then, they throw all kinds of tests at that in many configurations to determine the output. Then they use mixing functions that combine effectiveness of sources without as easily hiding faulty ones. Then they measured the output of many units over many months and allegedly let third parties do the same.

So, far from snake oil, the impression I had from the How site was that they were focusing on the right things. Simple mixes of well-known noise sources using simple circuits with extensive testing is about the best you’re going to get in assurance for TRNG’s. The others doing open, TRNG HW were doing same thing except usually with only one noise source, little environmental consideration, and less testing. So, my initial impression was that BitBabbler’s credibility and caution were ahead of rest.

And that leads me to see how they respond to questions and if they’ll let someone like Clive review the specs. If they won’t shoot their wallet with open spec, then having trustworthy and competent reviews along with on-site verification steps from those reviewers would help. Plus, the character assessment of how they acknowledge the risks and justify their decisions. Both are ongoing.

Remember, though, that others have posted links here to people who regularly break hardware open and analyze it for security. BitBabbler’s engineer told me it was specifically designed to make that easy. Still getting more info on that. My take so far is, like OpenBSD team, they built it for themselves after being disappointed by other solutions out there (esp open TRNG’s) and then made it available to others. They’re for-profit so they charge for it. Surprising part supporting this notion is they’re specifically not targetting mainstream audience: they prefer people who already realize a need for the tech and have skill to find its flaws to improve it. That is quite different from the response I normally get (“just trust us cuz we need the millions!”).

Most interesting thing was a claim that they didn’t expect flood of attention due to HN article. I was concerned about that being a ploy to generate intruige so I checked back on HN thread. There’s a bunch of negative speculation from commenters, with Thomas Ptacek (Matasano) saying HRNG’s are useless, but there is no reply from BitBabbler. They’re aware of the post and marketing opportunity given our emails. Yet, they’re clearly not interested in convincing that audience their product is worth it. Fits with their claim of trying to solve a hard problem for themselves and sell to people qualified enough to want/review it. So, I’m far from ready to recommend them but they’re operating exactly the opposite of most subversions. And I like their attitude as it’s the one I recommended, too. 😉

“Lol at “correctly build” too, it’s pretty straight forward if you’re not lazy or avoid actual hardware.”

Contradicts most of your posts here. You’ve described one set of headaches and up-hill battles after another. You run into more despite having good help. People double-checking a design vetted by competent people they trust isn’t lazy: just effective use of time. Can’t become an expert in the engineering of every single safety or security product one uses. It’s the whole point of reviewers or certification. Far as issues with those: I suggested two people here for a reason. 🙂

Nick P • August 14, 2015 11:47 PM

@ Figureitout

re malware

Yes, I did it for years with various protocols and formats. Detecting whatever Kaspersky’s people came up with would be tricky. Yet, the second the false positive problem became known, I’d probably implement a whitelisting program for common software (esp OS) to use as a check against potential false negatives. That by itself should catch many false negatives and quite a bit of Kaspersky’s scheme without knowing it.

I wouldn’t blame them for anything attacks really clever or far out. I just expect them to try to do something about those after they find out. All one can do there.

re PRNG

“Yeah, except you don’t know the circuit so you can’t say that besides “taking their word” b/c they smooth-talked you w/ an email. They attached a FTDI chip”

Actually, their email said they fought with various issues that crept in for years. The engineer said the greatest subversion risk was FTDI chip but there’s a diversity of suppliers for that sort of thing. Suggested if they found problems they’d swap it out. I guessed that it was a $$$ thing because they couldn’t price one at $35-150 with a whole ASIC development & no wide market. They’d literally have to be aggressively marketing it to get back an ASIC investment. This isn’t unusual as every “open” device uses proprietary SOC’s or standard cells to reduce cost + time to market. Would you drop $100k-$1m on one component in a system that hardly anyone might buy? Or just use a COTS chip for interface in early prototypes to see how market reacts?

“hopefully designed in some natural EMSEC based on just good clean design”

Maybe but I doubt it. Modern stuff leaks so much it wouldn’t make sense doing EMSEC on one component & a low-cost one at that. I think people should just use EMSEC safes & rooms with vetted, simple components. None of that stuff that probably has radios hidden in it, etc.

“I just want the damn circuit to see what it is”

Me too. They’re worried about a loss of “man years” worth of investment from piracy. Our old hardware guy talked about his endless battles with that with some copying them to transistors. So, I get their concern but I’m pushing to see what compromises might happen.

“And yeah tptacek is focused on ‘corporate’ security, not the homebrew stuff we do here meant to force physical attacks w/ the highest threat model”

Exactly. Corporate and mainstream. He’s yet to see how assurance activities (not paperwork) at EAL6+ can increase security of a design by systematically preventing, detecting, and recovering from weaknesses. He also reduced the problem to “high security” = “doesn’t support browsers.” Well, secure platforms not giving full privileges to insecure platforms? No shit lol. At same time, I linked to half a dozen or more strong architectures for web browsing with one or two implemented in high assurance direction. Told him to take his pick. Didn’t hear back lol.

“Problem needs quite a few more peripheral help/support team attacking the problem too and working as a team. I caught a surprising dumb mistake from an “expert” who even still does a ton of good work (as good as is practical) and works fast. I take a little longer to orient and adjust but I’m thorough and love the feeling of knowing where bugs will be.”

Sure. However, people watching a long time have seen that most amateurs can’t cut it in high-security engineering or hardware engineering. Takes too much accumulated knowledge and experience. They often try to tackle non-existent problems, suggest things that are obviously bad, or question what’s obviously good. In rare cases, they spot something others overlook because they’re set in their ways, in a hurry, make a mistake, or just luck. However, most of the time they post stuff on S.O., etc and an experienced person has to get them on the right path. So, it’s questionable if they can contribute to the big picture or hard stuff vs whether they’re a time sink.

Personally, I see the amateurs on a supporting role working on what they understand. This could be analyzing common threats, implementing functionality spec’d by experts, doing various analysis, and so on. Basically grunt work but important. In parallel, a chunk of their time is devoted to exercises solving new problems where some answers are known and some unknown. They’re mentored on this with peers or teachers helping them understand successes, failures, and so on. This further develops their skill so they can tackle harder problems while having foundational knowledge to do it. Over time, they become the leads on projects and the mentors for others. Takes a lot of time, though.

Note: Smart, well-educated amateurs with good mentors in academia or at home can take on hard problems if they choose. Many clever architectures and schemes came out of this. So long as it doesn’t hit production without expert review.

Of course, the general rule of thumb of mastery of anything is around 10 years. And security is like all kinds of fields put together plus specific mindset and domain knowledge. So, unsurprising the new people do what they do. I know because I was once one of them. I worked through old problems and solutions piece by piece, learning it bit by bit. Only regret is I majored in CS/IT instead of EE. Hardware turned out more important.

Of course, had I done that, I might not understand the system and software issues like I do. I might be able to farm out the hardware stuff to specialists once I have a good architecture in mind. Farming out the other stuff is more difficult as there’s fewer people understanding it. So, whether I made a wise decision is still open for discussion but more hardware design experience would’ve certainly helped. 🙂

“Figureout is not off in his comment about PRNG
–Thanks mate, we have to gang up on Nick P and show he’s wrong!”

That will be fine if we start talking about PRNG’s. Thing is that I’ve been reviewing a board that runs several TRNG’s through a mixing function in hardware. That’s not a PRNG. People have proven me wrong many times in life but talking about an unrelated, subject’s problems isn’t how they did it. 😛

Nick P • August 15, 2015 1:07 AM

@ Figureitout

“-Oh boy you’re up late tonight, must be having a sleepover at Wael’s (I know what you guys are doing…and it’s gross :p).”

It really is. Trying to fix this mess that people call hardware and software architecture working within their constraints is… frankly disgusting. Someone has to do it, though.

“No absolutely not from a small business perspective. You definitely have to be smart where you put your time/effort when you’re too small to devote teams of 5-10 people or more on each part of a system.”

Exactly. So, I don’t blame them for it. I just keep it in mind.

“Main point is to double check work”

It’s a good point and if the rookie is capable then by all means.

“I really enjoy programming in pairs, don’t care if I’m at keyboard or not, you catch each other and talk out problems much faster”

I might be proven wrong but still think that’s a bad idea. Relates to concept of flow: heightened productivity that only happens with minimal interruptions and noise. Good ideas and code practically flows without thinking. You go back to review it (or someone else does) later. The pair programming is distracting and has constant interruptions. I think there might be some kinds of people (eg you) that do work better that way but years of tests shows most don’t. Actually, most that thought they were doing good on multitasking actually were slower and they only perceived it. Lots of issues & research to be done in this space.

“Which is what every “TRNG” is since the science/methods of study as to what backs up these claims of true randomness are way too weak for engineering. So suck on that 8^P”

Nah, a TRNG uses physical phenomenon that always comes off as random or is random in physics to produce random numbers. Trick is extracting without issues that randomness for your system’s use. A PRNG is a mathematical function that pretends to be random, leverages a seed value, can be recreated with the seed, and might show how fake it is with its output over time. The CRNG’s are PRNG’s designed with cryptographic principles to eliminate that aspect. However, whatever randomness ultimately is, the TRNG’s appear to be much more the real thing unlike the PRNG’s that fake it. We can’t with current knowledge get the seed even if the Universe is really a PRNG underneath for all this.

And, besides, have you seen the equations for all the low-level phenomenon? Good luck cracking all that stuff at nanometer scale to guess any possible, initial state. Computer scientists can barely model the simple stuff they understand much less all that. So, there is certainly a world of difference between TRNG’s and PRNG’s.

“Yeah but do you like it? Sounds like you like CS field much much more (object oriented, bah I don’t like that lol). I like to be right in the middle of those 2 fields lol, so I’m friends w/ both.”

Good call. I certainly like turning my ideas into reality more than screwing with wires although my year or so worth of hardware studies showed it was interesting. I can totally see the allure. Even I’m digging through all kinds of hardware stuff, even general-purpose analog, trying to understand how to connect from concept to silicon in a correct and secure way.

Coolest part of systems is they’re practical and solve about all our problems leveraging the right combination of software, pre-existing hardware, and/or custom hardware. Coolest thing about software is you can endlessly build and modify it at no cost except time on pre-existing, hardware. Coolest thing about hardware is that… you get to hold the result in your hands knowing (if full-custom) you wired it up yourself and feeling ownership of it. 🙂

So, it’s all good in a different way with each building on the other if you learn it.