[tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-10 Thread Andre Risling
Here's how Google is a compliant slave.  

You still use Gmail?!

http://online.wsj.com/article/SB10001424052970203476804576613284007315072.html#ixzz1aMoq8l2i

-- 
http://www.fastmail.fm - The professional email service

___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-10 Thread Jeroen Massar
On 2011-10-10 18:42 , Andre Risling wrote:
> Here's how Google is a compliant slave.  
> 
> You still use Gmail?!

Does not matter what service you use, they all fail under the pressure
of organizations that want access to it, be that legal or illegal.
(The bigger problem with the context of the article is the 1984'ish
behavior of an apparent legal entity).

As long as you make sure you properly encrypt your messages (PGP or if
it is available for your medium OTR; and don't let your keys fall in the
wrong hands, but then again rubberhose anyone?) and use Tor to access
the service so that figuring out which IP you came from is useless as
it is an exit, you should be pretty fine.

PGP + email's prime weakness is the fact that the from/to/subject are
passed in the clear and that rubberhosing you or planting a bug on your
person/computer renders those precautions futile.

Then again, it also depends on what your adversary is and what you are
trying to protect; note also that not everybody has just one single
email address.

Greets,
 Jeroen
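Jeroen's point that PGP leaves from/to/subject in the clear can be checked mechanically. The following is an added example, not code from the thread or from any of its participants: it parses a constructed PGP/MIME (RFC 3156) message with Python's standard `email` module and reports which header fields an observer on the wire or at the provider still reads while the body is ciphertext. The armored block is a placeholder string, not real OpenPGP output.

```python
from email import message_from_string

# Constructed sample PGP/MIME message (RFC 3156 multipart/encrypted).
# The armored block is a placeholder standing in for a real OpenPGP ciphertext.
ENCRYPTED_SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: meeting notes
Date: Mon, 10 Oct 2011 18:42:00 +0200
Message-ID: <constructed-0001@example.org>
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted";
 boundary="pgpmime-boundary"

--pgpmime-boundary
Content-Type: application/pgp-encrypted

Version: 1

--pgpmime-boundary
Content-Type: application/octet-stream; name="encrypted.asc"

-----BEGIN PGP MESSAGE-----

PLACEHOLDER-NOT-REAL-CIPHERTEXT
-----END PGP MESSAGE-----

--pgpmime-boundary--
"""

# The same constructed message sent without encryption, for contrast.
PLAINTEXT_SAMPLE = """\
From: alice@example.org
To: bob@example.net
Subject: meeting notes
Date: Mon, 10 Oct 2011 18:42:00 +0200
Message-ID: <constructed-0002@example.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

Notes from today's meeting follow below.
"""

# Header fields that tell an observer who talks to whom, when and about what.
# None of them is covered by PGP/MIME body encryption.
METADATA_HEADERS = ("From", "To", "Cc", "Subject", "Date",
                    "Message-ID", "In-Reply-To", "References")


def is_pgp_mime_encrypted(msg):
    """True when the message uses RFC 3156 multipart/encrypted with OpenPGP."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")


def exposed_metadata(msg):
    """Metadata headers an observer reads in the clear, as {name: value}."""
    return {name: msg[name] for name in METADATA_HEADERS if msg[name] is not None}


def body_visible_to_observer(msg):
    """True when the message body itself is readable without any key."""
    if is_pgp_mime_encrypted(msg):
        # Only the control part ("Version: 1") and the ciphertext are present;
        # neither reveals the content.
        return False
    return True


def audit(raw_message):
    """Summarise what an observer on the wire or at the provider learns."""
    msg = message_from_string(raw_message)
    return {
        "encrypted": is_pgp_mime_encrypted(msg),
        "exposed_headers": exposed_metadata(msg),
        "body_visible": body_visible_to_observer(msg),
    }


if __name__ == "__main__":
    for label, raw in (("PGP/MIME", ENCRYPTED_SAMPLE), ("plaintext", PLAINTEXT_SAMPLE)):
        result = audit(raw)
        print(label, "-> body visible:", result["body_visible"])
        for name, value in result["exposed_headers"].items():
            print("  exposed", name + ":", value)
```

Both messages expose the same From/To/Subject/Date/Message-ID set; encryption only changes whether the body is readable.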


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-10 Thread Eugen Leitl
On Mon, Oct 10, 2011 at 07:07:35PM +0200, Jeroen Massar wrote:
> On 2011-10-10 18:42 , Andre Risling wrote:
> > Here's how Google is a compliant slave.  
> > 
> > You still use Gmail?!
> 
> Does not matter what service you use, they all fail under the pressure

Use your own servers at the co-lo. Use TPM and tamper-proof systems.

I used to store crypto secrets on USB smartcards, and have
streaming video in the rack, all on UPS. Nowadays, it's even easier.

No point to make it too easy. Mallory should earn his keep.

> of organizations that want access to it, be that legal or illegal.
> (The bigger problem with the context of the article is the 1984'ish
> behavior of an apparent legal entity).
> 
> As long as you make sure you properly encrypt your messages (PGP or if
> it is available for your medium OTR; and don't let your keys fall in the
> wrong hands, but then again rubberhose anyone?) and use Tor to access
> the service so that figureing out which IP you came from is useless as
> it is an exit, you should be pretty fine.
> 
> PGP + email's prime weakness is the fact that the from/to/subject are
> passed in the clear and that rubberhosing you or planting a bug on your
> person/computer yields those precautions futile.
> 
> Then again, it also depends on what your adversary is and what you are
> trying to protect, note also that not everybody has just one single
> email address.

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-10 Thread Jeroen Massar
On 2011-10-10 22:27 , Eugen Leitl wrote:
> On Mon, Oct 10, 2011 at 07:07:35PM +0200, Jeroen Massar wrote:
>> On 2011-10-10 18:42 , Andre Risling wrote:
>>> Here's how Google is a compliant slave.  
>>>
>>> You still use Gmail?!
>>
>> Does not matter what service you use, they all fail under the pressure
> 
> Use your own servers at the co-lo. Use TPM and tamper-proof systems.

Does not matter, given enough power/money/force your adversary can walk
into that colo and use vampire taps to replug (both power and network)
your box without you noticing anything and monitor the rest from there on.

As for TPM, who built that piece of hardware and are you sure that a
copy of your keys is not kept elsewhere?

> I used to store crypto secrets on USB smartcards, and have
> streaming video in the rack, all on UPS. Nowadays, it's even easier.
>
> No point to make it too easy. Mallory should earn his keep.

At one point or another they just apply rubberhose crypto, thus don't
make it too difficult.

Greets,
 Jeroen


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Eugen Leitl
On Mon, Oct 10, 2011 at 11:20:05PM +0200, Jeroen Massar wrote:

> > Use your own servers at the co-lo. Use TPM and tamper-proof systems.
> 
> Does not matter, given enough power/money/force your adversary can walk

Au contraire, it does matter very much in practice. By controlling
your hardware instead of relying on vendors or even "teh cloud" 
you're raising the bar for attacks considerably. Consider that 
nobody can know exactly which security measures you've taken.

> into that colo and use vampire taps to replug (both power and network)

Did you catch the part with the video, also streamed off-site?
If there's a convenient temporal lacuna on multiple probes, you know 
your hardware is no longer trusted.

> your box without you noticing anything and monitor the rest from there on.

They are welcome to tap the network. It's what they already can do,
by mirroring the incoming switch port and packet capturing there.
This is not relevant to accessing secrets locked in hardware, or
present at runtime.
 
> As for TPM, who build that piece of hardware and are you sure that a
> copy of your keys are not kept elsewhere?

Because you generated the key itself, of course, and using a
physically secured TPM token you installed yourself.

It can be rather hard to access a piece of hardware hotglued into
an internal USB port, with hardware with live IPMI monitoring,
including chassis intrusion detection, including motion-detected
video streaming to a cryptographically secured local
filesystem and also off-site.

It is all doable, but it won't be done in practice or in ordinary
threat models.
 
> > I used to store crypto secrets on USB smartcards, and have
> > streaming video in the rack, all on UPS. Nowadays, it's even easier.
> >
> > No point to make it too easy. Mallory should earn his keep.
> 
> At one point or another they just apply rubberhose crypto thus don't
> make it too difficult.

Why do you bother breathing? You'll die, anyway.

-- 
Eugen* Leitl leitl http://leitl.org
__
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Moritz Bartl
On 10.10.2011 23:20, Jeroen Massar wrote:
>>> Does not matter what service you use, they all fail under the pressure
>> Use your own servers at the co-lo. Use TPM and tamper-proof systems.
> Does not matter, given enough power/money/force your adversary can walk
> into that colo and use vampire taps to replug (both power and network)
> your box without you noticing anything and monitor the rest from there on.

If the box is at a place under your control, you will at least know.
Replugging can be noticed (packet drops, changes in voltage) and the
system can be shut down/wiped.

BTW, I want to set up a scalable mail server like that, so if anyone has
useful input, please let me know.

-- 
Moritz Bartl
https://www.torservers.net/


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Julian Yon
On 11/10/11 09:07, Eugen Leitl wrote:
>> At one point or another they just apply rubberhose crypto thus don't
>> make it too difficult.
> Why do you bother breathing? You'll die, anyway.

I think you missed the point Jeroen was making there. If Mallory
*really* wants to compromise your server, there will be a level of
security beyond which a gun to your children's heads is the most
cost-effective attack. In most people's threat models, they'd rather
take their chances with compromised data than with their kids' lives. In
such a model, making the server too secure can itself be a risk.


Julian

-- 
3072D/D2DE707D Julian Yon (2011 General Use) 





Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Jeroen Massar
On 2011-10-11 10:07 , Eugen Leitl wrote:
> On Mon, Oct 10, 2011 at 11:20:05PM +0200, Jeroen Massar wrote:
> 
>>> Use your own servers at the co-lo. Use TPM and tamper-proof systems.
>>
>> Does not matter, given enough power/money/force your adversary can walk
> 
> Au contraire, it does matter very much in practice. By controlling
> your hardware instead of relying on vendors or even "teh cloud" 
> you're raising the bar for attacks considerably. Consider that 
> nobody can know which exactly security measures you've taken.

Of course you are raising the bar, but that is the only thing you are
doing, as the adversary can still walk in, be that with a warrant making
it legal, or just by going in. Criminals don't ask for your Ok.

>> into that colo and use vampire taps to replug (both power and network)
> 
> Did you catch the part with the video, also streamed off-site?

How exactly does that matter? It will already be too late and your full
hardware will be off site in a location that you don't control, still
running fully and no way for you to stop them from doing what they want
to do with it, be that freeze the memory or any component needed.

Or do you watch that video screen 24/7 like in the movies with the
guards on duty being shown a replay? :)

Yes, nice things like mercury switches, gluing the whole thing together
and other such tricks can even deny physical access, but really, what
are you trying to protect there? :)


> If there's a convenient temporal lacune on multiple probes, you know 
> your hardware is no longer trusted.

I am surprised if you are that paranoid that you trust the hardware in
the first place. You do realize where the designs come from and where
they are built right? :)

Yes, you will know that your hardware from that point is untrusted, but
who says it was not before?

>> your box without you noticing anything and monitor the rest from there on.
> 
> They are welcome to tap the network. It's what they already can do,
> by mirroring the incoming switch port and packet capturing there.
> This is not relevant to accessing secrets locked in hardware, or
> present at runtime.

Nope, but that is why a vampire tap can also do power, so they can
remove the box from the rack/location that you have as 'secure' and then
they can do whatever time-consuming things they want.

Unless you have a full remote kill switch in there packed with some C4
or so.

But that is why I mention rubberhose: if they want to get the info in
there, they will politely ask you for them instead.

>> As for TPM, who build that piece of hardware and are you sure that a
>> copy of your keys are not kept elsewhere?
> 
> Because you generated the key itself, of course, and using a
> physically secured TPM token you installed yourself.

Did you build that TPM token? I am just trying to give obvious hints
here and above etc...

For that matter, did you write and audit 100% of the code, oh and not to
forget the compiler that you are using for that code? And what about
that little video camera just behind your screen, did you notice it
already? ;)

Like everything in life, it just depends on how much you care.

For most people though, unless you are doing super secret evil stuff,
just using a Gmail account with PGP in combo with SMTP/IMAP is good
enough(tm) a security measure.

> It can be rather hard to access a piece of hardware hotglued into
> an internal USB port, with hardware with live IPMI monitoring,
> including chassis intrusion detection, including motion-detected
> streaming video streaming to cryptographically secured local
> filesystem and also off-site.

Local filesystem does not matter, as you won't see it. Thus if the video
cuts, the only lesson you learned is that the box is not to be trusted
anymore, but then it is already too late in most cases as they also
likely know who is footing the bill, just follow the money and thus
where your bed lives.

> It is all doable, but it won't be done in practice or ordinary
> threat models.
>  
>>> I used to store crypto secrets on USB smartcards, and have
>>> streaming video in the rack, all on UPS. Nowadays, it's even easier.
>>>
>>> No point to make it too easy. Mallory should earn his keep.
>>
>> At one point or another they just apply rubberhose crypto thus don't
>> make it too difficult.
> 
> Why do you bother breathing? You'll die, anyway.

I don't have to bother breathing, not everybody is Darth Vader, it
happens automatically more or less as a reflex for most people and there
is so much fun in the world without having to consider conspiracy
theories ;)

Greets,
 Jeroen


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Jeroen Massar
On 2011-10-11 13:48 , Julian Yon wrote:
> On 11/10/11 09:07, Eugen Leitl wrote:
>>> At one point or another they just apply rubberhose crypto thus don't
>>> make it too difficult.
>> Why do you bother breathing? You'll die, anyway.
> 
> I think you missed the point Jeroen was making there. If Mallory
> *really* wants to compromise your server, there will be a level of
> security beyond which a gun to your children's heads is the most
> cost-effective attack. In most people's threat models, they'd rather
> take their chances with compromised data than with their kids' lives. In
> such a model, making the server too secure can itself be a risk.

That describes my point perfectly, thanks!

Greets,
 Jeroen




Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Jeroen Massar
On 2011-10-11 13:18 , Moritz Bartl wrote:
> On 10.10.2011 23:20, Jeroen Massar wrote:
>>>> Does not matter what service you use, they all fail under the pressure
>>> Use your own servers at the co-lo. Use TPM and tamper-proof systems.
>> Does not matter, given enough power/money/force your adversary can walk
>> into that colo and use vampire taps to replug (both power and network)
>> your box without you noticing anything and monitor the rest from there on.
> 
> If the box is at a place under your control, you will at least know.
> Replugging can be noticed (packet drops, changes in voltage) and the
> system can be shut down/wiped.

Google for Vampire Taps. You won't notice a thing unless you have very
very sensitive voltage etc measurements happening.

> BTW, I want to set up a scalable mail server like that, so if anyone has
> useful input, please let me know.

Like everything else (eg how many locks you have on your house), it all
depends completely on who your adversary is and how much protection you
require against it. In the end it will come down to a delay for the
adversary and annoyance on your part with the problem that if the
adversary wants your information hard enough they will 'nicely' ask.

Greets,
 Jeroen


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Eugen Leitl
On Tue, Oct 11, 2011 at 12:48:53PM +0100, Julian Yon wrote:

> I think you missed the point Jeroen was making there. If Mallory
> *really* wants to compromise your server, there will be a level of
> security beyond which a gun to your children's heads is the most

I think he missed my point: there is a wide spread in threat
scenarios and capabilities. What we care most about is preventing
easy, undetectable and hence scalable information vacuuming 
by way of forcing cloud operators to provide convenient access 
APIs. This is what dominates the volume.

None such are available at the co-lo hosting own hardware or
freedom boxes on home broadband. Sure Shabak ninjas could 
abseil through the skylights, garrotte the cat and compromise 
my NIC, but if I'm worried about these I shouldn't be relying 
on Tor, anyway.

> cost-effective attack. In most people's threat models, they'd rather
> take their chances with compromised data than with their kids' lives. In
> such a model, making the server too secure can itself be a risk.

This is not the threat model we're looking for. Move along.


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Jeroen Massar
On 2011-10-11 16:42 , Eugen Leitl wrote:
> On Tue, Oct 11, 2011 at 12:48:53PM +0100, Julian Yon wrote:
> 
>> I think you missed the point Jeroen was making there. If Mallory
>> *really* wants to compromise your server, there will be a level of
>> security beyond which a gun to your children's heads is the most
> 
> I think he missed my point: there is a wide spread in threat
> scenarios and capabilities.

We actually fully agree with that and it is also what I am writing.

Though with the added point that the deeper you dig yourself in, the
quicker your adversary might just use the mighty rubber hose technique
instead to get to your so dearly protected secrets, depends all on your
adversary of course and how valuable that data is for them and you.

> What we care most is preventing
> easy, undetectable and hence scalable information vacuuming 
> by way of forcing cloud operators to provide convenient access 
> APIs. This is what dominates the volume.

Thus your threat model involves not trusting any service where software
of an external organization is running.

Though as stated before, I do really hope you verify 100% of your code,
including the compiler, not forgetting about the microcode in CPUs.

According to the above statement having a box in a co-lo thus is mostly
fine unless you don't trust the hardware that is.

Why are you then arguing for live video streams and gluing everything
tight?

Then again, if you think you need to do all of that, go ahead.

> None such are available at the co-lo hosting own hardware or
> freedom boxes on home broadband. Sure Shabak ninjas could 
> abseil through the skylights, garotte the cat and compromise 
> my NIC, but if I'm worried about these I shouldn't be relying 
> on Tor, anyway.

Speaking of that NIC, ever wondered how much code runs inside that PHY
in there? :) *wink*

>> cost-effective attack. In most people's threat models, they'd rather
>> take their chances with compromised data than with their kids' lives. In
>> such a model, making the server too secure can itself be a risk.
> 
> This is not the threat model we're looking for. Move along.

Of course that is not the one you or anyone else wants as it will
inflict personal injury. Fortunately it tends to be the last resort and
you must have pissed off the adversary first before they take this step.

Greets,
 Jeroen


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Eugen Leitl
On Tue, Oct 11, 2011 at 02:30:01PM +0200, Jeroen Massar wrote:

> Of course you are raising the bar, 

That's the main idea.

> but that is the only thing you are
> doing, as the adversary can still walk in, be that with a warrant making

If they have to dispatch a warm body to a remote physical
location my job is done already. If it has to be a warm sentient
body who has to analyze an unfamiliar situation and attempt an
undetected physical layer attack I've already succeeded wildly 
beyond all expectations. 

> it legal, or just by going in. Criminals don't ask for your Ok.

Sure, the Shabak will garrote your cat. Or maybe your cat is quite
safe, after all.
 
> >> into that colo and use vampire taps to replug (both power and network)
> > 
> > Did you catch the part with the video, also streamed off-site?
> 
> How exactly does that matter? It will already be too late and your full

Have fun with your slippery slope of absurdities. Yes, there's a nuke
triggered to a dead man's switch.

> hardware will be off site in a location that you don't control, still

Do you see the difference between Gmail or Amazon cloud rendering upon
Caesar what is his and my logless postfix running on your own hardened box,
with mail residing client-side on a crypto filesystem? 

> running fully and no way for you to stop them from doing what they want
> to do with it, be that freeze the memory or any component needed.

Do you have the slightest idea how much that would cost, especially if
I'm not to notice?
 
> Or do you watch that video screen 24/7 like in the movies with the
> guards on duty being shown a replay? :)

My thinking is that I wouldn't hire you as a security consultant.
 
> Yes, nice things like mercury switches, glueing the whole thing together
> and other such tricks can even deny physical access, but really, what
> are you trying to protect there? :)

I am really illustrating a number of distinct, staged models with progressive
costs both to Alice and to Mallory. You can consider them each, one at a
time. It's not out of the question. 
 
> 
> > If there's a convenient temporal lacune on multiple probes, you know 
> > your hardware is no longer trusted.
> 
> I am surprised if you are that paranoid that you trust the hardware in

You seem to have poor reading comprehension and security analysis skills.

> the first place. You do realize where the designs come from and where
> they are built right? :)

You do realize that you're trying to teach your grandmother to suck eggs?
 
> Yes, you will know that your hardware from that point is untrusted, but
> who says it was not before?

Always titrate your paranoia to functional levels. If you think your
entire toolchain is compromised and Really Care(tm) then bootstrapping 
from scratch including synthesizing your hardware from a minimal Forth 
core is quite possible.
 
> >> your box without you noticing anything and monitor the rest from there on.
> > 
> > They are welcome to tap the network. It's what they already can do,
> > by mirroring the incoming switch port and packet capturing there.
> > This is not relevant to accessing secrets locked in hardware, or
> > present at runtime.
> 
> Nope, but that is why a vampire tap can also do power, so they can
> remove the box from the rack/location that you have as 'secure' and then

My boxes are already on an UPS. That's the whole point, or the provider
can simply cut power, and simulate an outage. The point is that they
would have to physically approach the rack, at which point there will
be a triggered recording. You have no idea where the recording goes 
and which out of band channels it might use. If you're smart, you'll
back off when you see the LED glow. If you can see NIR, I mean.

We can play this game ten times to Sunday, and I can assure you 
that with a minimal amount of planning you can make the traceless
extraction of tamper-proof hosted secrets arbitrarily difficult. 

> they can do whatever time consuming things you want.
> 
> Unless you have a full remote kill switch in there packed with some C4
> or so.

It's lead azide, actually. I see you've been reading my stolen design documents.
 
> But that is why I mention rubberhose: if they want to get the info in
> there, they will politely ask you for them instead.
> 
> >> As for TPM, who build that piece of hardware and are you sure that a
> >> copy of your keys are not kept elsewhere?
> > 
> > Because you generated the key itself, of course, and using a
> > physically secured TPM token you installed yourself.
> 
> Did you build that TPM token? I am just trying to give obvious hints
> here and above etc...

You're out of your depth and not realizing it.
 
> For that matter, did you write and audit 100% of the code, oh and not to
> forget the compiler that you are using for that code? And what about
> that little video camera just behind your screen, did you notice it
> already? ;)
> 
> Like everything in live, it just depends on how much you care.
> 
> For most peo

Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Ted Smith
On Tue, 2011-10-11 at 17:29 +0200, Eugen Leitl wrote:
> If they have to dispatch a warm body to a remote physical
> location my job is done already. If it has to be a warm sentient
> body who has to analyze an unfamiliar situation and attempt an
> undetected physical layer attack I've already succeeded wildly 
> beyond all expectations. 

A thousand times this.

People in this thread don't seem to understand the concept of
quantification. The trend seems to be lots of people saying "X can be
attacked, and Y can be attacked, and an attack equals an attack, so you
should rend your garments in despair." They're missing that cost(X) >>>
cost(Y).

My cell provider has a website where, if given a valid law enforcement
ID, it will yield arbitrary text messages and location data for
customers. I'm certain Google, Microsoft, Yahoo, and AOL all have
roughly the same interface. Which is more expensive: raiding a colo, or
clicking the "Get hotmail emails" bookmark and reading?




Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Ted Smith
On Mon, 2011-10-10 at 18:42 +0200, Andre Risling wrote:
> Here's how Google is a compliant slave.  
> 
> You still use Gmail?!
> 
> http://online.wsj.com/article/SB10001424052970203476804576613284007315072.html#ixzz1aMoq8l2i
> 

This thread has exploded into a tangent, but I'd like to hijack this to
express solidarity with Jacob Applebaum. An injury to one of us is an
injury to all of us.

Is there anything the Tor community could do to stand together with
someone who has helped us so much in the past? I'd gladly donate to
whatever fund Applebaum selects, or republish a statement, or do
whatever else I can. I'm sure others would as well.




Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Julian Yon
On 11/10/11 16:29, Eugen Leitl wrote:
> [lots of stuff]

There are valid points being made in this thread but also a lot of name
calling. Not sure it really helps.


Julian

-- 
3072D/D2DE707D Julian Yon (2011 General Use) 





Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Jeroen Massar
On 2011-10-11 17:29 , Eugen Leitl wrote:
> On Tue, Oct 11, 2011 at 02:30:01PM +0200, Jeroen Massar wrote:
> 
>> Of course you are raising the bar, 
> 
> That's the main idea.
> 
>> but that is the only thing you are
>> doing, as the adversary can still walk in, be that with a warrant making
> 
> If they have to dispatch a warm body to a remote physical
> location my job is done already. If it has to be a warm sentient
> body who has to analyze an unfamiliar situation and attempt an
> undetected physical layer attack I've already succeeded wildly 
> beyond all expectations. 

I fully agree, it is all about delay and cost.

From that perspective the cheapest way in is to send that not so
sentient warm body directly to you though. But we are running in circles
here don't you think ;)

[..]
>> How exactly does that matter? It will already be too late and your full
[..]
>> hardware will be off site in a location that you don't control, still
> 
> Do you see the difference between Gmail or Amazon cloud rendering upon
> Caesar what is his and my logless postfix running on you own hardened box,
> with mail residing client-side on a crypto filesystem? 

The only difference is that for your hardened box it is way more
expensive (your hardware+hosting costs money and gmail costs nothing),
very noticeable as being 'special' as you likely don't share it too much
with others and especially not the 'sheep' that are so good to hide
traffic in.

Yes, your setup will be way more secure, but at which cost and to
protect exactly what?

The original thread & threat point was about 'is gmail safe for email',
where my point was 'if you do GPG then they can only see the src/dst
email address' (and obviously other SMTP headers).

Your threat point seems to be to safeguard every single bit at a very
high price, while that is completely valid, that is not for everybody
though.

>> running fully and no way for you to stop them from doing what they want
>> to do with it, be that freeze the memory or any component needed.
> 
> Do you have the slightest idea how much that would cost, especially if
> I'm not to notice?

The fact that you will have such a hardened box is already easily
noticeable and it will cost you a lot too.

The gmail + PGP setup is free, and if they compromise one, well, just
set up a new one. Heck, jump to Yahoo or GMX or every other one.

>> Or do you watch that video screen 24/7 like in the movies with the
>> guards on duty being shown a replay? :)
> 
> My thinking is that I wouldn't hire you as a security consultant.

You are clearly thinking of hiring one, I guess you need one too.

Note that I am not a security consultant in any way, thus I can't help
you even if you wanted me to.

>>> If there's a convenient temporal lacune on multiple probes, you know 
>>> your hardware is no longer trusted.
>>
>> I am surprised if you are that paranoid that you trust the hardware in
> 
> You seem to have poor reading comprehension and security analysis skills.

Ever considered that you are the one who diverted completely from the
original subject? ;) I'll skip over the even more silly bits which have
no technical merit at all.

[..]
>>> They are welcome to tap the network. It's what they already can do,
>>> by mirroring the incoming switch port and packet capturing there.
>>> This is not relevant to accessing secrets locked in hardware, or
>>> present at runtime.
>>
>> Nope, but that is why a vampire tap can also do power, so they can
>> remove the box from the rack/location that you have as 'secure' and then
> 
> My boxes are already on an UPS.

And then there is a cable between the UPS and your hardened box, that
cable can be clamped too. Or did you cement that all in? :)

> That's the whole point, or provider
> can simply cut power, and simulate an outage. The point is that they
> would have to physically approach the rack, at which point there will
> be a triggered recording. You have no idea where the recording goes 
> and which out of band channels it might use. If you're smart, you'll
> back off when you see the LED glow. If you can see NIR, I mean.

Must be an awesome datacenter that nobody ever approaches that rack of
yours.

> We can play this game ten times to Sunday, and I can assure you 
> that with a minimal amount of planning you can make the traceless
> extraction of tamper-proof hosted secrets arbitrarily difficult. 

Difficult and very expensive. I don't think that is what people who just
want to have a bit of privacy for their email want to go all the way for.

>> they can do whatever time consuming things you want.
>>
>> Unless you have a full remote kill switch in there packed with some C4
>> or so.
> 
> It's lead azide, actually. I see you've been reading my stolen design 
> documents.

Every 10 year old who watched a silly movie can come up with that one.

[..]
>> Did you build that TPM token? I am just trying to give obvious hints
>> here and above etc...
> 
> You're being out of your depth 

Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-11 Thread Javier Bassi
On Mon, Oct 10, 2011 at 1:42 PM, Andre Risling  wrote:
> Here's how Google is a compliant slave.
>
> You still use Gmail?!
>
> http://online.wsj.com/article/SB10001424052970203476804576613284007315072.html#ixzz1aMoq8l2i
>

"The secret Google order is dated Jan. 4"
January 2011. Seriously? By then I'm sure his gmail account was
already full of non-secret/non-important emails and pictures of
trollfaces. His secret email address maybe doesn't even use DNS and
Julian emails him directly to j@203.113.128.15 or something like that.
His secret data is probably in a box with a TrueCrypt hidden volume,
hosted somewhere in Vietnam. Right now he's laughing at the feds.


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-13 Thread Achter Lieber
- Original Message -
From: Jeroen Massar
Sent: 10/11/11 07:34 PM
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

 On 2011-10-11 13:48 , Julian Yon wrote:
> On 11/10/11 09:07, Eugen Leitl wrote:
>>> At one point or another they just apply rubberhose crypto thus don't
>>> make it too difficult.
>> Why do you bother breathing? You'll die, anyway.
>
> I think you missed the point Jeroen was making there. If Mallory
> *really* wants to compromise your server, there will be a level of
> security beyond which a gun to your children's heads is the most
> cost-effective attack. In most people's threat models, they'd rather
> take their chances with compromised data than with their kids' lives. In
> such a model, making the server too secure can itself be a risk.

That describes my point perfectly, thanks!

Greets,
 Jeroen

"In such a model, making the server too secure can itself be a risk."

Sorry, is it just me? I am amazed at what this sentence is acquiescing
to. Eventually one cannot run faster, find another place or way to hide
nor dodge any longer. Just had to get that out of my chest.


Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-13 Thread Julian Yon
On 13/10/11 13:30, Achter Lieber wrote:
> "In such a model, making the server too secure can itself be a
> risk."
> Sorry, is it just me? I am amazed at what this sentence is acquiescing
> to. Eventually one cannot run faster, find another place or way to
> hide nor dodge any longer. Just had to get that out of my chest.

I'm not acquiescing to anything, just tried to help clear up a
misunderstanding. I have my own thoughts about appropriate levels of
security which I don't intend to bring into this rather tangential
discussion.


Julian

-- 
3072D/D2DE707D Julian Yon (2011 General Use) 





Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

2011-10-15 Thread Achter Lieber
- Original Message -
From: Julian Yon
Sent: 10/13/11 10:00 PM
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] WSJ- Google- Sonic Mr. Applebaum

 On 13/10/11 13:30, Achter Lieber wrote:
> "In such a model, making the server too secure can itself be a
> risk."
> Sorry, is it just me? I am amazed at what this sentence is acquiescing
> to. Eventually one cannot run faster, find another place or way to
> hide nor dodge any longer. Just had to get that out of my chest.

I'm not acquiescing to anything, just tried to help clear up a
misunderstanding. I have my own thoughts about appropriate levels of
security which I don't intend to bring into this rather tangential
discussion.

Julian

-- 
3072D/D2DE707D Julian Yon (2011 General Use)

OK