Schneier on Security

Clive Robinson • June 6, 2016 9:50 PM

@ Yoshi,

To me the BIOS/firmware is probably the most important part of the system, and yet it’s given the least amount of care by some tech supporters/manufacturers.

It’s not just the main BIOS/firmware to consider, there is a whole load of other “hidden” computers in I/O devices as well including the keyboard. Most of these can be messed with these days. Oh and don’t forget the “Smart batteries” like those found in Apple portable equipment.

But it also goes lower than this, there are CPU “microcode upgrades” to consider as well…

@ All,

The base assumption to work from these days is that you do not in any way own your computer, those days went at the turn of the century. Likewise your router etc.

Thus you have to consider how you are going to behave at the physical OpSec level.

Complaining and moaning about OS XXX is a little bit like arguing the shape of the hole below the waterline in the side of your boat is important when you are sinking.

As with the boat you need to “beach it” and make sure it’s “ship shape” from the lowest levels up. Only you can’t…

Due to the way every body gave a pass to “bells and whistles tommorow marketing” instead of insisting on “security today engineering”, and likewise with the hardware we have grown the computer industry of our current nightmares one purchase at a time for the last thirty or so years. And it is to late to scurry off backwards to do anything about it, you can now nolonger wind that clock back.

That is the reality of it so accept it and make your plans based on the fact you don’t own your computers at any level the majority of people can understand let alone control.

For instance it is known that the PC architecture has had a security flaw in the original design which is certainly still there today in Win 10 operation. It was put in for good reason so that “added hardware” via interface cards could add software to the computer so they could work. This feature was a “direct steal” from the Apple ][ design that preceded the PC by a long way, and was the most popular computer of it’s time back at the 1970s and early 80’s.

It was only a short while ago that a Chinese laptop manufacturer got “rapped over the knuckles” for using this mechanism for hiding advertising type malware in the BIOS image, thus this backdoor into your PC is well known about. So even taking out the harddrive and installing a new OS was not going to stop the malware getting up into the freshly installed MS Win OS.

Thus as has been described on this blog before, you have to develop an entirely different strategy. So you have to ask how do use PCs to get your required degree of privacy and security…

In essence you need an “off line PC” and an “On line PC” and a way to securely transmit data between the two PC’s in a mediated way, to have any chance of a little privacy.

However as always with ICTsec and OpSec in general “the devil is in the details”… And if your particular demon has state level resources and a picture of your face on their wall with “cross hairs” then you have a harder problem on your hands. Which means you have to take your security further than just the “Off line PC”. It needs to go back before the PC and through your eyes head and hands (see previous posts about securely athenticating transactions).

However for the majority a little change in behaviour will get them a lot of privacy and some security. Firstly remember everything you type, every picture you post, and nowadays every word you utter close to your computers microphone will be whisked away to the likes of Google then onwards to some US Government agency etc etc. George Orwell might have expressed it in a more dystopian way, but he was not wrong about the technology, or the politics, when he wrote 1984 back in 1948.

So treat your computer not as a confident but as a potential mugger on the street, would be step one.

Thus for most of you “give up both the faux and real convenience the PC may give you if you need “security”, or if you must use the PC and only want some measure of privacy and a little security then practice sensible OpSec and don’t bleed every drop of your private and financial life through it…

Clive Robinson • June 7, 2016 5:03 AM

@ Winter,

I was wondering whether such an approach could be used between the hidden computer components inside a PC?

Probably not.

We used to call it “air gapping” but more strictly it needs to be called “energy gapping”. As energy in one form or another will travel through just about any medium you can think of, one of the best defences is distance, because signals tend to fall off or antenuate between the square and qube of distance.

Whilst shielding does work, you have to know what it is you are shielding against. For instance you decide it’s EM radiation, so you put things in a nicely made metal box with internal metal partitions that are nicely welded / braised and silver plated. It does not work if in fact you have magneto constriction in one coil causing mechanical vibraton that gets coupled into the box that then gets mechanicaly coupled to another coil that picks it up via the process of microphonics… Infact the more solid the metal construction the more likely it is to happen.

Similar arguments go for ventilation slits/holes and acoustic energy.

There is a lot you have to know when doing security engineering that most engineers don’t get to think about normaly. Our host Bruce calls it “thinking hinky”, whist that does come into it you need to understand what to “think hinky about”. To do this you need a very good grounding in “test and measurment techniques” as well as a deep understanding of what a transducer is and why.

But a good rule to remember is “distance” be it real or synthetic is usually good.

Clive Robinson • June 7, 2016 11:41 AM

Oh darn…

@ Who?,

In my above I mucked up the blockquote tags when pasting in part of your post, thus this,

Hopefully NIST has some good advice that has been followed by most manufacturers on the last years:

Got left out between “With regards,” and “Have you actually read…” at the start of the indent for the rest of my comment back to you.

Note to self :- Remember to use Preview… 🙁

Clive Robinson • June 8, 2016 2:39 AM

@ Yoshi,

Surely you aren’t advocating for the abolishment of checksums and signatures etc just because of Stuxnet types of attacks? The whole internet isn’t Stuxnet.

No I’m saying, as I’ve said for a very long time, that code signing is not an indicator of the quality of code, or the security of code at any time. All it realy says is thst a collection of files were hashed and the overall hash was signed by a private key. Further that as we know hashes can be vulnerable to falsification and likewise so can the signing keys that can also be stolen. Further we know from other attacks on CA systems that it is possible to hide from a user the fact that a signing key is nothing what so ever to do with the organisation the user is mislead to belive.

Put more simply “Code signing is not fit for it’s stated purpose as currently implemented”.

If we are going to make code signing more fit for purpose we need to sort out as a first step the CA issues, which as we know significantly effect security in other areas. Yet a quater of a cenrury down the road nobody has addressed the CA issues, in fact they have scurried in the direction of making it worse in nearly all cases, under the excuse of either making it easier for users or not scaring users with details. Need I say that security is all about the details? Especialy those the devil hides in.

Go and read NIST SP 800-147 (it only takes about twenty minutes) then see what it actualy does (very little) and what it’s weak points are (many) and how you might attack it…

So just to reiterate I am saying code signing does not currently do what people think it does, and worse it is based entirely on known to have failed assumptions.

Clive Robinson • June 8, 2016 8:08 AM

@ Figureitout,

The fundamental flaws in your advice is a) use older computers (they’ll all be dead in 10-15 years regardless) and b) how to develop your offline PC w/ a PC that has verifiably never been connected to another PC that has malware.

As you well know I have solutions to these problems BUT they are not practical for most people. For instance, have you ever taken a microcontroler development board with two serial interfaces and made a “Guard” from it? I know that you have access to the resources and some of the knowledge, but would you consider it a practical project? Not just for you but 99.8% of computer users who don’t have the resources, or for that matter the knowledge / ability to code it all up…

So odd as it might seem it’s kind of a more practical suggestion for most to work with, and as old computers can be purchased for as little as $10, it does not carry a finacial risk for most people.

But lets examine your two points in a little more depth.

a) use older computers (they’ll all be dead in 10-15 years regardless)

Whilst newer computers do die alarmingly fast, the older ones were often built to a better build quality. I’ve a couple of 386 HP computers that are not only going strong, their level of EMC shielding means I can use them inside an RF cage and not mess up readings on the other instruments. Admittedly they run my own wierd OS and C compiler but they do their jobs admirably. Importantly though, they are –compared to modern surface mount computers– fairly easy to repair the PSU and motherboard, and I have plenty of spares of old serial and display cards, some of which I’ve already made “socketed” for easier repair.

As for storage, they use floppy and QIC tape drives which you can still get hold off that work off the old floppy drive interface. I also have another with a cheap well known NE2000 “knock off” network card (the chips of which are still very much being manufactured) which has a PXE boot NetROM on in a 27C128 of which I have bucket loads of.

Whilst this does sound very “hobby shack” there are loads of older Ham Radio guys still using and cherishing such kit, rather more of them than I suspect can write guard code on a modern microcontroler.

b) how to develop your offline PC w/ a PC that has verifiably never been connected to another PC that has malware.

It depends on the vintage of the motherboard and cards, but there are lots of boards that never had Flash PROM or EEROM on them. Thus after you make them run on floppies or CDROM only, the fact that in a previous life they were connected with out protection to that festering disease pit of the Internet does not actually matter.

Thus the main concern with vintige kit is the one you did not mention which I’ll add,

C) How do you get conectivity

The answer is via several methods SneakerNet might be old and venerable but still works, and direct conectivity such as serial, Parallel or Ethernet ports, with SLIP/PPP, PLIP, if you need IP connectivity or Kermit / Xmodem etc if you don’t. Supprisingly if you know where to look on the Internet it’s all described in excruciating detail and usable source code that an individual can get to grips with all nicely presented.

D) Performance of old kit
The important point to note with even computers a couple of generations old is you will get a performance hit, it’s unavoidable. However the reality is that for most things you might want to do in terms of “productivity” not “entertainment” performance is not an issue, and it’s possibly the most important consideration to think about.

For instance I still use WordStar a version of which including the spell checker fits happily on a 1.44Mbyte floppy and will run within 64K of memory on an 8086 machine I have. Likewise I’ve older K&R style C compilers, and more modern ANSI compatible Turbo C that all run off of floppies including the IDE. As for lower level code DEBUG can be used to write assembler code in and will import text files from the likes of Edit/Basic. You can with a little hunting find all of those for free on the Internet as well as Forth (yeh I know you don’t like it but it’s got many advantages when considering Privacy and Security).

As for OS’s you can still find MS Dos 5 and earlier if you look, there are also “Free DOSs” out there you can find out about, one works well not just on it’s own but in WINE or Qemu etc. And there are early versions of Linux and similar *nix that will run off of either a CD or striped down on a floppy or two and will mount what else you need read only via NFS etc across SLIP at 9600baud. You can get these early verisons of Linux on a CD out of the back of older second hand books (Slackware being a notable early contender). Which gives you a certain degree of confidence that any bugs, are bugs not builtin backdoors.

E) The modern Approach
But if you do want to go down the modern route and want to avoid the security madness that is modern Intel / ARM hardware, you do have the option of the microcontroler route. For instance there is a copy of RetroBSD for PIC32 chips (MIPS core) that even though SMD can be purchased on “break out” boards for the PicKit Explorer 16 etc. Which is about the cheapest way I know of getting *nix up on the cheapest of microcontrolers, without getting your soldering iron out.

Though you might want to look up MMbasic ( http://geoffg.net/Maximite_Story.html ), it will give you the full GWbasic experience on a PIC32. The guy that developed it alows people access to the code to extend it in various ways, so a crypto extension or two would be of interest to him. But perhaps more importantly there is another person with a crowd funded project to produce a rather nifty little computer with kby, screen and an electronics break out prototype area ( http://www.theverge.com/circuitbreaker/2016/6/1/11829996/ello-2m-retro-computer-crowdsupply ).

So yes there are options which cater for most skill / risk / productivity points. But I will leave you with another consideration.

On the assumption your modern PC is owned by MicroSoft, Google, GCHQ, NSA et al, that does not make it unusable. Providing your “entertainment” requirments are not particularly “moral offending” then you can use it for that. And to be honest, how many people realy do “productivity” at home?

That is you by and large don’t need MS Office/365 or Google equivalent on an entertainment box. Thus it’s no great loss to not have them on it. Especialy when you consider they are slurping up every key stroke back to the “Corporate Motherships” and thus to the NSA, GCHQ et al, in transit, thus you will hemorage any privacy / secrecy if you use them.

By and large most “productive” work on a computer is destined to be “human readable” print outs, or text files for the likes of Emails etc. This means old and slow tools that were more than usable in the mid to late 1980’s are still more than adiquate nearly a third of a century later. The only real issue is “file formats”. Which unless you realy need leading edge fancy effects can be a non issues if you use standard “old as the hills” human readable file formats.

As a matter of habit I only generate “human readable” files so CSV, RTF, PostScript, which I can check with text based tools (occasionaly converting to early HTML if I do need to pull in pictures and graphics).

Whilst it’s not impossible to hide malware in such files –source code is human readable after all– it makes such attempts more obvious to the eye and various tools I’ve developed over the years.

Thus your “productive” private secure machine can be quite old and not realy slow you down. The only difficulty left to solve is printing. To which I say get yourself a PostScript Level 2 printer with a network interface, most will directly print out plain text files or earlier levels of PostScript (if it won’t directly print text, you can find online a PostScript wrapper you can hand edit into a text file in seconds).