On Wed, May 29, 2013 at 03:21:45PM -0700, [email protected] wrote: > I appreciate your feedback and your bluntness, Rich. > > But you are providing far more guidance about what to avoid than what to > use. If journalists and other users should avoid all commercial based > operating systems including Macs, or any system requiring anti-virus > software, then what operating system should they use? Linux maybe? Or > something else? > > Similarly, if they shouldn't use GUI-based email clients, what email > should they use?
See below, I'll try to address these questions. That's actually not my blunt voice. That's my exasperated voice, because I've grown exceedingly weary of listening to people explain how to secure a closed-source OS/application environment. Can't. Be. Done. The evidence supporting that statement is already piled so high that one could spend a lifetime examining it and not finish. And more arrives all day, every day. Yet there are STILL people trying to claim that yes, you can secure your Windows desktop if only you use anti-spyware anti-virus anti-malware anti-anti-anti-whatever. If only you spend enough money. If only you use IDS/IPS/firewalls/yadda yadda yadda. No, you can't. Not for any reasonable value of "secure". (Yes, yes, I'm well aware that nothing is absolutely secure, I'm using the term in sense of "adequate to stop attacks it might plausibly face".) People do all those things and spend ferocious amounts of money on them and yet they are STILL routinely 0wned. It never seems to occur to them to step back and consider that they're doing something fundamentally wrong; it always seems to occur to them that throwing more money at the problem will fix it. It won't. And for your use case, where we can presume that the users' systems will come under scrutiny from governments, criminal gangs, and other unsavory people with substantial resources, including possibly the implied or overt threat of physical force, it's absurd to even consider that approach. You need to discard it entirely and try something that has an appreciable chance of working -- NOT something that's guaranteed, as I don't think that exists, but something that at least gets you into the game and gives you a fighting chance. Is Linux the best choice? Maybe. Maybe FreeBSD is. Maybe something else. We could argue (and we *have* argued, for many years) about their relative merits and drawbacks. I'll propose that for this purpose it may well be entirely reasonable to create a custom Linux or BSD distribution that has only the essentials required for reporters/editors in the field to do their jobs. Perhaps it should be based on something that already exists, e.g., Tails. But what all of those alternatives have in common is that they raise your probability of success from zero to something non-zero. That's not enough, of course. Reasonably secure software environments only stay that way if they're used appropriately: procedures are as important as code. So if someone equipped with one of those is so insanely stupid as to log onto Facebook [1] or some other scam site, then they're probably neatly undercut themselves. Using these tools properly takes discipline, restraint and thoughtfulness. For example: users need to actually look at URLs before they follow them and they need to know enough to realize that google-com.com is probably not Google and that CIT1BANK.COM is probably not CitiBank. [2] Yes, that's tedious. Sorry. But it's not as tedious as being locked in a cell for six years while the State Department tries to negotiate your release. Anyway, my point is that a judicious combination of careful procedures and minimal software applications on a robust operating system will yield something that has a much higher level of operational security than anything you can build around a closed-source base. Or to put it another way, all the discipline/restraint/thoughtfulness in the world will not help you if you insist on using Adobe Acrobat, thus making yourself a member of the Ginormous Acrobat Security Hole of the Month Victim's Club. [3] Or if you choose to use Outlook instead of mutt (see http://mutt.org), which is a pretty robust full-featured email client that trained users can use far more efficiently than many others. So a constructive approach to this might be ("might be"): 1. Write a functional specification. What computing tasks do reporters/editors/etc. in the field have to do? 2. Determine what applications can perform those tasks. 3. Figure out which OS those applications will run on. 4. Figure out what the minimal installation looks like. (No point in having FrozzleBlah 1.7 installed if it isn't used. Less software = less attack surface, to a first approximation.) 5. Set the onboard firewall to bidirectional default deny. Then start figuring out what holes need to be punched in it to make (2) feasible. 6. Think about network services, VPNs, encryption. Revisit (5). 7. Build an alpha release and give it, plus some training, to a dozen working journalists. It will break horribly. That's a good thing. 8. Revisit 1-6 and built a beta release. Repeat step 7. 9. Get someone (or better, a group of someones) with devious and ingenious minds to attack it. It will break horribly. That's still a good thing. 10. Revisit 1-8 and repeat 9 until either (a) sufficient confidence exists that a serviceable product has been created or (b) it becomes apparent that something about the approach is irrevocably wrong and can't be fixed without starting over. If (a), then move on. If (b), start over. (I'm a huge fan of the development philosophy that you should always write one to throw away. Sometimes two. Development efforts that aren't willing to do that often don't survive well in the field.) I submit that this outline, crude and incomplete as it is, has a much higher probability of generating success than anything one could possibly do using closed-source software. Yes, it's a lot of work. Sorry. There's no shortcut. As tempting as it is to take something like MacOS and adapt it: you can't. It's like trying to turn a 1975 Ford Pinto into a tank by bolting armor plate onto it. Yeah, it kinda sorta vaguely looks like a tank, but it's still a Pinto and always will be...and you would not do well in battle with it. As to the one of your remarks that I elided, in re electronic communications in general: I certainly think that they should make *every* effort to minimize their footprint. E.g., if their laptop can be switched off: it should be. If it can be disconnected from the wireless network via the hardware switch: it should be. If their mobile phone can be turned off and the battery removed: it should be. Every minute that these devices are connected provides potentially actionable intelligence to the adversary, so I think it's sensible to minimize those minutes. (And of course, VPNs, encryption, and other techniques should be used to reduce the quantity and quality of information available to an adversary.) ---rsk [1] Some people may not consider this insanely stupid. Okay. Fair enough. If you're one of those people, please explain to me EXACTLY why you think that Facebook (or one of its freelancing employees) would not cheerfully sell every scrap of data they have on you to country X's intelligence service/secret police or to one of country Y's indigenous criminal organizations. To borrow a line from Feynman, what is the source of this fantastic faith in the machinery? Once you've finished that explanation, please also explain to me EXACTLY why you think that an operation with a long, long history of massive security holes has now managed to close the last one, thereby rendering itself impervious to attackers -- even though that same organization has almost no motivation to do so. It's not *their* data, after all. [2] I say "probably" because it's possible the real operations have acquired those typosquatted domains by now. [3] I see that Adobe is shifting PhotoShop to "the cloud". How very nice. Now when some tinpot dictator wants to see if there are any incriminating photos being prepped for publication, it's not necessary to break into laptops and desktops and such; just break into Adobe's cloud (or, perhaps more readily, pay off an Adobe employee) and it's one-stop shopping. I suppose Adobe wasn't content with merely having one massive security hole a month and wanted to create something whose very existence is a massive, ongoing, perpetual security hole. -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
