[HN Gopher] Assume your devices are compromised ___________________________________________________________________ Assume your devices are compromised Author : _wldu Score : 116 points Date : 2022-04-17 19:39 UTC (3 hours ago) (HTM) web link (www.go350.com) (TXT) w3m dump (www.go350.com) | ur-whale wrote: | air gapped tails running on a 1999 x86 box ftw | | https://tails.boum.org/ | motohagiography wrote: | Been doing this a long time. _The device is the compromise._ | vmoore wrote: | I routinely prune /home of sensitive info, and often move secrets | into a Cryptomator or Veracrypt vault. I also compartmentalize my | workflow. One for NSFW stuff, another for work, another for | playing games, and the list goes on...I do this because a | compromise of one system does not mean a compromise of my entire | system. Virtual machines are great for this alongside | Chrome/Firefox profiles for different things. How you slice and | dice up your own system(s) is entirely up to you. | uxcolumbo wrote: | How do you compartmentalize? | | With VMs or setting up different profiles? | walterbell wrote: | For workloads which don't require persistence (e.g. web | browsing), you can boot a PC from an external storage device with | write-blocking firmware. Kanguru sells flash, SATA and NVME | drives with a physical write-protect switch. | | Are there good tools for anomaly/intrusion detection on Linux? | Even something as simple as comparing current resource usage with | a baseline record of disk/network/CPU utilization. | CameronNemo wrote: | Bought a desktop recently. Thought about setting up verified boot | and disk encryption, but... | | _[M]y biggest takeaway was that all of this was quite | complicated and did not really have anything to do with what I | bought this system for. So I decided to throw in the towel and | flip SecureBoot off._ | | (See last section here, on trust): | https://cameronnemo.gitlab.io/posts/lagomorpha/ | vorpalhex wrote: | I struggle a lot with this. | | Secure isn't a binary state, it's a spectrum. | | At the same time, what is my risk model? Are my NSFW activities | THAT interesting? What about my personal notes that contain | health details? | | I keep an inventory of stuff in my home. Is that ok to keep in | Dropbox? Sure the government can access it.. but even if a remote | attacker does, is that useful to them? | | And of course, as things get more secure they become less | accessible. My "very secure" documents archive almost never gets | updated.. cuz it's a pain to update it. My daily notes are just | chucked in dropbox and get updated all day long... | digitallyfree wrote: | If this is the kind of protection you want you should be running | everything in seperate VMs and containers. Preferably you would | run the hypervisor (perhaps a hardened bare-metal hypervisor) on | your server and remotely connect to the instances with your | client. The client is solely used for connecting to those | instances. | | The hypervisor itself will need to be well protected and you do | not want that accessible from your client or the VMs and | containers - use a seperate NIC or VLAN. This is the reason why | you want a seperate server - the only things the client will see | are the shared containers. Let's assume here that VMs and | containers are secure - if they aren't, you can replicate this | with seperate physical machines. | | On the server you can set firewall rules to control access | between the different containers. Network storage etc. can also | be setup for the containers that need it, with different | permissions depending on the situation. | | Depending on the stuff you are running, you may want to go the | VDI or SSH route. Also there are other options like XPRA, etc. | depending on your requirements. The more segmentation you do | (i.e. one VM for the dev envionment for a specific app, another | for chat and email, etc.), your security will increase at the | cost of usability. | | I personally do this in a limited fashion (I have secure | workstations and VDIs for handling of private/financial | information), but do not go the full route of seperating | everything out for day-to-day computing. | privacyking wrote: | Or just use Qubes OS | Havoc wrote: | While true on a theoretical level this is largely impractical. To | quote House | | >Cuddy: "How is it that you always assume you're right? | | >House: "I don't, I just find it hard to operate on the opposite | assumption." | | If you're on a personal desktop at home you've got to place some | level of trust in it. | | Same with local LAN. | | Once you get to more sophisticated server microservices then you | can start thinking of the various components as mutually | untrusted (until proven otherwise) | smitty1e wrote: | To that point, how many people run browser proxies in the cloud | to obfuscate their location and minimize the blast radius if | compromised? | | One could filter much of the crapology somewhere safe, and then | have a relatively tidy local browsing experience. | | I'm too busy to take this idea past the handwaving stage, but it | seems like someone should have already done the homework. | gruez wrote: | > I'm too busy to take this idea past the handwaving stage, but | it seems like someone should have already done the homework. | | Indeed. https://www.mightyapp.com/ | megous wrote: | I run the browser under different OS user accounts, and make my | display manager display the user account in the window title | bar. | | https://megous.com/dl/tmp/8eaa15e187fa9a2e.png (ff1 being the | user) | | I trust it more than browser's internal isolation solutions, | like tab containers, which I like to use for other things, like | testing web apps using different login sessions at once. | | I'd hate a remote solution. ;) Though this is not for privacy | but more for protection and better low effort isolation. | daenz wrote: | These are fun thought experiments, but I think having a personal | Disaster Recovery plan is a far more applicable security | exercise. What would you do if you lost your phone? If you were | locked out of your google account? If you forgot your password | manager master password? If your home was destroyed in a fire? | Having a secure plan for quickly recovering from these scenarios | is more important than trying to keep state actors or cybergangs | out of your system, unless you are a VIP. | CameronNemo wrote: | _If you forgot your password manager master password?_ | | Short of brain damage, I don't think that would ever happen. | | It would be a hassle for my family if I died, though. I'm | young, but I should still get that scenario worked out. | bbarnett wrote: | With a death certificate, you don't need passwords, or even | account numbers, to access savings, accounts at fiscal types | of businesses. | | It helps pf course, to have account info, but just knowing | the place of business is typically enough. | | For clarity, living people lose account numbers and access | all the time. The death cert. gives you this same power. | philjohn wrote: | Not for, eg, lastpass. | | Your master password is the key that decrypts your password | vault. | | Some sort of escrow would be good, that unlocks a document | with access instructions upon receipt of a valid death | certificate. | CamelRocketFish wrote: | Yes but lastpass contains your password to something like | your bank account. You don't need your password for your | bank account if you have a death certificate is what the | poster is saying. | inglor_cz wrote: | When I am on a longer vacation and I do not use a certain | password, I struggle remembering it. | | If I were chucked into a prison and let out after several | years with no computer use in between, I would likely forget | all my passwords in the meantime. No brain damage needed, | just disuse. | phphphphp wrote: | I debate this with myself often. Short of renting a security | box and telling people I trust about it, I haven't come up with | a strategy for the master password. At the moment, I've | resigned myself to the feeling that if I lose my memory, maybe | it'll be the opportunity for a fresh start, and so losing | everything is a feature not a bug. | chrisweekly wrote: | I wrote mine down and put it in an envelope containing a few | other secrets in a small fire-resistant, waterproof safe | which my wife knows how to open. | CamelRocketFish wrote: | Which safe did you get? | usrn wrote: | I publish or write down most of the things I want to keep in | that scenario. | jvanderbot wrote: | Just send four trusted family members half of the passphrase | in a sealed envelope and tell them what it's for. If your | family has a lawyer or safe deposit box trusting that instead | is a 1000x better option. | girzel wrote: | All of my passwords are in the "pass" command line utility, | where they're encrypted with gpg. I added my brother's gpg key | as an encryption target, and his ssh key onto the sever where | the git repo is stored, locked down to the git shell command. | In the event of my untimely demise, my wife tells him the url | of the git repo. | [deleted] | roastedpeacock wrote: | The lack of per-application isolation with desktops is one of | those ugly truths people try and sweep under the rug. | | I foresee two potential solutions to this. | | 1) Run everything in a VM like Qubes (essentially nerfs certain | application like 3D acceleration without major R&D) | | 2) Utilize some container runtime to provide isolation for legacy | applications and stub out features such as filesystem calls so | they do not to be aware of its existence. | | Microsoft tried to produce a crippled application runtime for | Windows (UWP) with more security, but considering its lack of | backwards compatibility and lesser feature-set it is not that | surprising that adoption has been an uphill battle. | megous wrote: | Per-application isolation sounds completely unworkable for a | developer. | | Maybe per-customer isolation, or per-usecase isolation. | | Isolating customer work (or use case like "production | deployment") into separate UNIX user accounts works fairly | reasonably. | mhoad wrote: | Fuschia from Google also looks to have a very good solution to | this problem but is probably still a couple of years away. | FabHK wrote: | They should really pick a name that's easier to spell... | | https://en.wikipedia.org/wiki/Fuchsia_(operating_system) | mhoad wrote: | I should stop posting while drinking wine too it seems :) | sva_ wrote: | FireJail does at least some isolation | greesil wrote: | Does chrome OS do this? | est31 wrote: | Chrome OS has sandboxed developer environments, which is | pretty neat: https://www.youtube.com/watch?v=pRlh8LX4kQI | Ameo wrote: | I think that the browser is going to eat the desktop/OS and | that most apps will eventually be browser-based. | | PWAs are the initial movement in that direction. As browser | APIs expand and support more use-cases through WebAssembly, | WebGPU, native filesystem APIs, etc. more and more apps that | were primarily or only available as native can be supported in | the browser. | | I know that many people hate web apps because they're often | slow, clunky, bloated, etc. but a lot of that is changing as | the frontend ecosystem embraces new and more efficient | frameworks and technologies. The browser provides everything | one needs to build fast and responsive applications - It's an | issue with incentives and culture more than anything to do with | the fundamental tech. | slimsag wrote: | UWP has also been deprecated[0] | | [0] https://www.thurrott.com/dev/258377/microsoft-officially- | dep... | walterbell wrote: | Apple will likely launch Armv9 CPUs (iDevice A16 and MacBook | M2) this year. If they don't enable CCA and memory tagging, | then we have to wait for Armv9 support in QEMU and a future | Qualcomm SoC, https://www.anandtech.com/show/16584/arm- | announces-armv9-arc... | | _> CCA introduces a new concept of dynamically created | "realms", which can be viewed as secured containerised | execution environments that are completely opaque to the OS or | hypervisor. The hypervisor would still exist, but be solely | responsible for scheduling and resource allocation. The realms | instead, would be managed by a new entity called the "realm | manager", which is supposed to be a new piece of code roughly 1 | /10th the size of a hypervisor. | | > Applications within a realm would be able to "attest" a realm | manager in order to determine that it can be trusted, which | isn't possible with say a traditional hypervisor. Arm didn't go | into more depth of what exactly creates this separation between | the realms and the non-secure world of the OS and hypervisors, | but it did sound like hardware backed address spaces which | cannot interact with each other._ | KMag wrote: | That's great! The processor's hypervisor-like firmware should | handle task switching, page table manipulation, etc, and the | OS kernel should use upcalls to the firmware instead of | needing to have various special-case paths for various minor | hardware variants. Had the x86 BIOS been a bit better | designed (and a bit more performant), we likely would have | seen OS kernels leaning much harder on firmware that shipped | with the processor instead of having to make as many | assumptions about the hardware and special-case checks. | | Besides allowing for more easily isolated security domains, | this allows things like (if properly designed) not needing to | wait for kernel improvements to take advantage of more/wider | vector registers or other changes that change the amount of | processor state to serialize/deserialize when task switching. | | The DEC Alpha AXP worked somewhat like this with its PALCode | firmware. The Tru64 UNIX (and Linux, *BSD, etc.) and VMS | kernels actually were unable to execute the privileged CPU | instructions. The OS kernel needed to make upcalls to the | PALCode, which then could use privileged instructions and | could see model-specific registers, etc. The PALCode version | used for Tru64 emulated two protection rings, and the PALCode | version used with VMS emulated more (I think 4) rings of | protection by just keeping an extra integer around for each | task, and using that to determine which tasks could currently | make which upcalls. One could (and probably should) extend | this ring emulation to a bit vector of per-task revokable | capabilities that could be passed to child | tasks/processes/threads. | | Hopefully we see something like this for RISC-V, using seL4 | for the "realm manager". This would probably require an extra | userspace driver process running to intermediate realm setup | and manipulation, but wouldn't be in the critical path for | system calls or other userspace drivers. | | We're already running hypervisors so many places that it | makes sense to run a formally verified separation kernel | everywhere, and run hypervisors and OS kernels as userspace | daemons. This avoids the hypervisor needing to emulate | hardware as an ad-hoc upcall mechanism and instead simplifies | both the hypervisor and the OS kernel. The overhead of modern | microkernels is so low that your cell phone's baseband | processor is likely running an L4 microkernel. It's called | paravirtualization when the OS kernel is modified to use | upcalls to the hypervisor instead of trying to perform | privileged operations that will be trapped (and then | emulated) by the hypervisor. Paravirtualization improves VM | performance and potentially sidesteps hypervisor emulation | bugs, but it would simplify the kernel (and potentially make | it easier to optimize) if OS kernels ran paravirtualized even | when there is one guest OS per physical computerp | | Edit: Of course, there's a small performance hit in the | single guest OS case, but if that's the common code path, | presumably both hardware and the kernels could be better | optimized. Also, if you're supporting OS-opaque realms, | you're already paying this hypervisor cost all the time | anyway. | md_ wrote: | Er, I'm confused. Is the point of this essay that endpoints might | be compromised? | | I mean, yeah? I agree, I guess? But also, that's not an | interesting observation, is it? | cf141q5325 wrote: | It runs counter to popular belief. The author makes however a | good case for it going the way of "deleting cookies / using | VPNs ... anonymizes you" soon. You get a while of "this is only | theoretical" till one day its common knowledge. | | I blame complexity btw. Burn it all down and we might be able | to start over in rather acceptable digital stone age. | benlivengood wrote: | While it's quite likely to have a device I own compromised at | some point it's less likely for everything to be compromised at | once. My phone can access some backends, my laptop can access | some others. Full backups are accessible from either. 2-factor | authentication makes compromise of _all_ accounts less likely. | | It should be possible, for someone who wants a very low chance of | losing all their data, to remember 2 or 3 passphrases and | compartmentalize access to servers and backups such that most | backups are pull instead of push (or have restricted permission | ala 'zfs allow') and compromising everything requires attacking | multiple platforms all at once. | | Make sure it's possible to access everything starting from fresh | installs on fresh hardware; once it's clear that one device has | been compromised it's best policy to begin fresh on all devices | as soon as possible and then start restoring from backups. Have | some offline backups. | | To be fair, convenience trumps some of these guidelines. Security | is hard and only organizations can achieve a high level of | resilience since brain backups don't exist yet. | tagrun wrote: | Sandboxing without any overhead is pretty accessible on any Linux | distro, so I don't see why QubesOS should be the go-to choice. | For example, I use firejail for all internet facing applications | that I use (also for Wine and any proprietary software): | https://wiki.archlinux.org/title/firejail#Using_Firejail_by_... | The setup takes just a couple of minutes. | gz5 wrote: | Add network isolation to your defense in depth strategy. Close | all link listeners and inbound firewall ports. Open authorized- | only, outbound-only, ephemeral sessions. | walterbell wrote: | DNS and HTTPS are wide-open ports. Would be nice to have a | subscription service that maps popular web services to known- | good destination IP address ranges for firewall rules. | | Is Suricata a good option for network intrusion detection? | gz5 wrote: | I like that Suricata is open source but haven't used it. You | can close all your inbound ports and link listeners, e.g. | locally resolved DNS and outbound-only https, only for | authorized sessions. | hsbauauvhabzb wrote: | I see a lot of trust in VMs, but jailbreaks exist, in the future | I anticipate more spectre/meltdown type vulns, or even physics | based attacks like rowhammer. Assuming my threat model was | infinite, can I really trust vms? | jsnell wrote: | > If you're not a cyber criminal or don't have a lot of crypto to | steal, this will probably never happen to you... | | This is a misunderstanding of the threat in two ways. | | First, malware is not purely, or even primarily, a targeted | threat. It's actually a shockingly easy attack to scale, and by | far the most victims are not any kind of high profile target. | They are either unsophisticated or careless computer users, who | installed something they shouldn't have. And the thing is, from | most malware authors' perspective it doesn't matter that much | whom they compromise. All victims can be monetised to some | extent, and there is an elaborate ecosystem to make sure that | monetisation happens in practice, not just in theory. | | Second, the list of high value targets is definitely not limited | to criminals and cryptocurrency owners. They might be the only | people for whom the risk model is specifically the theft of a key | file from the local disk. | | But you know what else is a file on the local disk? The browser | cookie jar, full of bearer tokens granting access to all your | online services. Have a short Instagram name? An established but | not particularly popular YouTube channel? Do your banking online? | Have an account on Steam with some bought games? All of that is | worth money to an attacker, and them realising that value will | hurt you. | | As for what to do about it? Hardware crypto is the technical | answer, but it will take ages to move the ecosystem there. Until | then, segregate the things whose compromise would be really | harmful to separate devices from the day to day, ideally ones | that are actively supported and have a good security model (e.g | an iPad or Chromebook). | walterbell wrote: | The workstations of software developers and | system/network/CI/AD admins are also high value targets for | supply chain attacks. ___________________________________________________________________ (page generated 2022-04-17 23:00 UTC)