On 22 January 2018 at 07:33, Peter Todd <[email protected]> wrote:

> On Sat, Jan 20, 2018 at 11:54:11AM +0000, Andrew Clausen wrote:
> > I buy a fresh USB DVD device with every secure laptop I buy. I don't reuse
> > them, because I don't want a mistake made with one of them to contaminate
> > another laptop. So I've got lots of them lying around the house!
>
> What exactly is your threat model there?
>
> Why not just use disposable USB keys, written on a secure system, then used
> only with the target system?
I see two problems with your proposal.

(1) Chicken and egg. To make a secure machine, you need a secure machine. I think we ought to plan how to make secure machines out of insecure machines. "Build on 1 machine, verify on n machines" is a powerful concept.

(2) "Secure systems" don't exist. Even if you do everything right (run Qubes, keep your machine with you at all times -- including the bathroom, have good passwords, etc.), you can *still* get owned! We've seen a lot of Xen vulnerabilities, and now CPU vulnerabilities lately. Tempest attacks are getting more sophisticated, and can be used to remotely sniff your private keys and passwords by watching radiation emissions from your CPU. The update process for both the RPM and Debian ecosystems strikes me as pretty fragile -- if a key gets stolen, it could be used to generate fake updates that are only ever seen by a small number of victims.

Therefore, I think it's wise to assume that even if a machine starts out "secure", it won't stay that way forever. When you replace a secure machine, you don't want the old machine infecting the new one.

> > At some point DVDs + DVD equipment might become impossible to buy (or with
> > only very few suppliers, all of whom could be interdicted). I'm not sure
> > what I will do then!
>
> Note that flash drives with physical write protect switches are available, such
> as the Kanguru FlashBlu30 line.

This sounds like a rather specialised device. What about interdiction? How does your supply chain work? If you have a favourite product that you buy from a favourite shop, then it becomes cheap for an attacker to tamper with anything you plan to buy. Kanguru could even be a front for some intelligence agency, or just some company that wants to sell out its customers. You shouldn't buy stuff targeted specifically at paranoid people, unless there is some way to verify that they are delivering what they claim they are delivering.

I solve this problem with "random shopping".
I have printed out maps of all of the major cities near me, with all of the computer shops marked. I always have the maps with me, so that an attacker can't watch my Google Maps searches, and figure out *when* I plan to go shopping, or *where* I might go shopping. I pick a random shop off the map, and buy a random machine that meets the Qubes specs from the random shop. I include second-hand machines in my shopping list, since as far as I know, modern malware from organised criminals that targets the masses is not a problem for Qubes. Thankfully, we only have to worry about targeted attacks for the moment.

So, to reiterate my original point: mass-market read-only media is a great way to ensure that your copy of the Qubes installer hasn't been tampered with.

Kind regards,
Andrew

-- 
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/CAAXZBWLUWwBHVwJxm0GPugSOOGb%2BoxmVFrYOX7WQgYv2__1ftw%40mail.gmail.com.
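The "build on 1 machine, verify on n machines" idea and the read-only-media argument above both come down to one check: does the installer on the disc you are about to boot hash to a digest you obtained and GPG-verified somewhere else? The script below is an added example, not code from the thread or from the Qubes project. It assumes (hypothetically) that you already have a sha256sum(1)-style digests file whose signature you checked on a separate machine, and it reads exactly the ISO's byte count from the device, because optical media is padded with zeros past the end of the image and hashing the whole disc would never match.

```shell
#!/bin/sh
# Added example, not part of the qubes-devel thread or the Qubes project.
# Assumed setup (hypothetical): DIGESTS is a sha256sum(1)-style file
# ("<hex>  <filename>" per line) that was downloaded and GPG-verified on a
# different machine than the one about to boot the media.

# expected_digest DIGESTS_FILE ISO_NAME
# Print the 64-hex-char SHA-256 recorded for ISO_NAME, or nothing if absent.
expected_digest() {
    awk -v name="$2" '$2 == name && length($1) == 64 { print $1; exit }' "$1"
}

# verify_media DEVICE SIZE_BYTES EXPECTED_SHA256
# Hash only the first SIZE_BYTES of DEVICE (the image length, not the disc
# length) and compare to EXPECTED_SHA256. Returns 0 on match, 1 otherwise.
verify_media() {
    dev="$1"; size="$2"; expected="$3"
    actual=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $dev matches $expected"
        return 0
    fi
    echo "MISMATCH: $dev hashes to $actual, expected $expected" >&2
    return 1
}

# demo: build a constructed "image" and a padded "disc" in a temp dir and
# run the check against them, so the logic can be exercised with no hardware.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed installer image, not a real ISO\n' > "$tmp/qubes.iso"
    ( cd "$tmp" && sha256sum qubes.iso > DIGESTS )        # stands in for the verified digests file
    { cat "$tmp/qubes.iso"; head -c 4096 /dev/zero; } > "$tmp/media"   # image + disc padding
    size=$(wc -c < "$tmp/qubes.iso" | tr -d ' ')
    exp=$(expected_digest "$tmp/DIGESTS" qubes.iso)
    verify_media "$tmp/media" "$size" "$exp"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

In real use, DEVICE would be the optical drive node (for example /dev/sr0 on Linux), SIZE_BYTES the size of the ISO the digests file describes, and the digests file and its signature would have been fetched and checked on a machine other than the one being installed; the point of the check is that each of the n machines repeats it independently.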
