Re: Security?

On 9/10/13, Kailash <listskailash@gmail.com> wrote:

> http://www.theguardian.com/world/2013/sep/05/nsa-how-to-remain-secure-surveillance
>
> We have some software solutions. Could a system be also compromised when
> using a generic hardware layer? And if so, what options exist?
>
> Any pointers would be appreciated.

Regarding Virtual Machines, it is simple logic, as follows:

Thought experiment: I assume your question is about a "virtual machine"
(VM) hardware layer:

That VM has a disk; that disk is provided by your VM supplier; that
disk is viewable by them; thus your private web/vpn keys are exposed.

If you use FDE (full disk encryption) then the initial minimal kernel with
the passworded decryption key must still be visible, and to boot your VM
you will have to remote login to the minimal kernel (boot/serial)
console (this is often called a side-channel) to enter the boot/FDE
password (to unlock the FDE key).

In either case, we can now get "in" to our VM by "normal" means - eg ssh.

Once the VM is running, it is running in memory, on VM manager, which
can view the VM memory and therefore access file mounts that way (if
you can competently hack such, which we assume here); this obviates
the usefulness (to a degree) of your FDE (although FDE still provides
some protection against VM image offsite backups, which may not be as
secure as one might think).

So, one way or another, we ssh into our VM to admin.

Now, we embed a tcplay or luks "loopback volume" in our VM.

So ssh in, loopback mount the loopback volume, entering decryption key
password through the ssh session.
Now chroot into loopback volume and run services (eg openvpn, apache)
from there.

This has the advantage over FDE that we no longer need a side-channel login
to reboot (which often can happen [un-]intentionally without your
knowledge, and the side-channel may well be "less secure", have more
monitoring on it etc.).

Because we ssh in, the password is not kept on the VM and we can have
a short duration of that password appearing in memory on the VM.

BUT, the problem above still is: once eg openvpn private key is
unlocked, or apache is started (with its SSL/TLS/HTTPS private
certificate), in the chroot, these services are still now running in
the VM RAM, so now still accessible to the virtual-machine
infrastructure (memory) attack mentioned above.

Finally, another problem!:
Whether using FDE at bootup, or an encrypted loopback volume
(containing chroots), in your VM, as mentioned above, some part of
your VM begins life unencrypted (eg the initial boot FDE decryption
code on startup (with the sidechannel login problem above), and/or the
non-FDE'ed operating system installation (normal non-encrypted
install) which contains some encrypted loopback volumes for chroot
usage),
AND
in either case, that initial non-encrypted code can be replaced by
your VM supplier with similar code which contains a keystroke-logging
trojan, which stores your entered password(s) across the network on
some other machine, virtual or otherwise!

So, you are reliant totally on the VM supplier and their
trustworthiness as to whether you have any privacy on that VM or not!

I hope no-one here deludes themselves otherwise.

Unfortunately, dependency implies trust.

As said on /., one of the greatest "sad" things in this NSA debacle is
the "destruction of trust" or somesuch.

But this coin has a flip side! A positive flip side! Long term, but
very good positive flip side!
</lots more religiously positive fervour for those who want it :)>

:
The real question is not "how much trust have we lost?" but "who can I trust?"

This is an excellent question to be asking.

And similar, "who shall I choose to be co-dependent on?" (Whether for
food, for energy, for computing, etc).

Such blatant disregard for human rights and human dignity as we have
seen by NSA, is just awareness possibility for those who were shocked
(many have been) - this is a good thing! They get reality pill so to
speak :)

So now is the time to encourage this global conversation of trust,
technology, surveillance, co-dependence etc.

Re co-dependence - we have illusion of independence in this modern
tech world! We in "modern" tech world have possibility to live like
kings of 300yrs ago - eat cheesecake every day, drive amazing chariot
(car), communicate instantly, etc etc., and we are intimately
inter-dependent (or "co-dependent") on the others in our society, for
our illustrious and indulgent way of life - mechanics, computer
technicians, supermarket operators, checkout persons, fuel stations,
manufacturers etc. the list is very long.

Is it possible to choose our inter-dependencies, our co-dependencies?
To some degree yes. We can foster relationships with individuals
rather than companies, we can choose to do business with those
companies who display greater ethics (or "utility" for those who decry
ethics - I'm looking at you Ralph :)

Long term, if we want infrastructure (host computers) we can trust (to
some degree), we must run them ourselves, or work closely with
those who are trustworthy!

Long term, if we want a decentralised internet, we must build it -
build wifi or LAN links between our neighbours, so that we are not all
going through centralised everything!

And the beauty is, even small pockets of decentralisation (ie genuine,
in-this-physical-world localised decentralisation in particular for
communications networks), can be extra-ordinarily disruptive on a
global scale. The more localised co-dependencies/ independent
inter-dependencies that we build around the world, the greater the
privacy we achieve with tools like TOR!

Very small and local "independent" computer networks are exactly the
requirement for significant and broad disruption to the gorilla
network monitors (NSA).

While you build your local networks, choose small server platforms
(diversity is good), and run a small, physical, controlled-by-you
local network of server hosts;
more independence, more local inter-dependence, and
cryptographically/mathematically, very disruptive of the wanna-be
whole-network monitors (including NSA).

My exposé of this manifesto is unfortunately verbose, probably
emotionally laden and clumsy. So I apologise. Please anyone put the
above together in a more coherent way. Own it by everyone. Live it by
many.

With every calamity comes great opportunity. (I don't remember whose quote this is?)

A small group of thoughtful, committed individuals can change the
world, indeed it is the only thing that ever has. (Margaret Mead).

Good luck, and may inspiration, aspiration, persistence and joy be
with all of good heart,
Zenaan
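As an added illustration of the "encrypted loopback volume plus chroot" workflow discussed in the reply above (example code written for this page, not posted by Zenaan and not part of any project), here is a LUKS version of it. The container path, mapper name, mount point and the openvpn config path are placeholders chosen for the example; DRY_RUN=1 prints the commands instead of executing them, since the real steps need root and cryptsetup on the VM.

```shell
#!/bin/sh
# Added example, not from the original post: the LUKS "loopback volume in a VM"
# workflow described in the reply. All paths and names below are placeholders.
# DRY_RUN=1 prints each command instead of executing it (real use needs root).
set -eu

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# One-time setup: sparse container file, LUKS2 header, filesystem inside.
# cryptsetup prompts for the passphrase on the terminal of the ssh session,
# so it is typed over ssh and never stored on the VM's disk.
create_vault() {  # create_vault IMG SIZE_MB MAPPER
    run truncate -s "${2}M" "$1"
    run cryptsetup luksFormat --type luks2 "$1"
    run cryptsetup open "$1" "$3"
    run mkfs.ext4 "/dev/mapper/$3"
    run cryptsetup close "$3"
}

# Per session: unlock, mount, then run the service inside a chroot on the
# volume. While open, the volume key and the service's private keys live in
# VM RAM, which the hypervisor can read; the encryption protects the image
# at rest (and offsite backups), not a running VM.
open_vault() {  # open_vault IMG MAPPER MNT
    run cryptsetup open "$1" "$2"
    run mount "/dev/mapper/$2" "$3"
    run mount --bind /proc "$3/proc"
    run mount --bind /dev "$3/dev"
    run chroot "$3" /usr/sbin/openvpn --daemon --config /etc/openvpn/server.conf
}

# Tear-down: stop the service, unmount, close the mapping so the key is
# dropped from the kernel. After a reboot the volume is simply locked again;
# ssh back in and run open_vault rather than using the provider's console.
close_vault() {  # close_vault MAPPER MNT
    run pkill openvpn
    run umount "$2/dev" "$2/proc" "$2"
    run cryptsetup close "$1"
}

# Usage (as root, over ssh):
#   create_vault /srv/vault.img 2048 vault      # once
#   open_vault /srv/vault.img vault /mnt/vault  # after each boot
#   close_vault vault /mnt/vault
```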

