Hi Ivan,

On 27 January 2018 at 12:57, Ivan Mitev <[email protected]> wrote:
> I don't see the benefit of using a DVD (we're talking about USB DVD
> readers here) but maybe it's only me being thick...
> If the machine used to copy or checksum the payload/iso is compromised,
> then IMO it's already "game over" so I don't see how using a true read-only
> medium vs a regular flash drive would help.
>

The idea is that you use many machines to checksum the payload. Each machine
would have its own DVD device.

>> A "physical write protect switch" is only going to be routed into that chip
>> through a GPIO, so it does *not* protect against this attack. Write-protect
>> on or off, most of the USB protocol logic inside the controller must be
>> working in order to serve read requests.
>>
>> DVDs fare better in this scenario. Even though you could also attack the
>> reader firmware, the attacker has only one (large) static payload read by
>> the firmware (the DVD). In case of the USB drive, the attacker has an
>> interactive session over a complex, multi-layer protocol presenting much
>> more attack surface.
>>
>
> Assuming the machine is not compromised and the payload/iso is legit,

But I was assuming the opposite! The challenge is: how can you make a secure
machine out of insecure machines?

> the only way for the bad USB device to modify the data would be on-the-fly:
>
> - when writing the iso to the medium (in which case using a
> write-once-then-read-only doesn't help at all vs using a writable medium)
>
> - when reading it, for instance at boot, presenting different data to
> different machines like you mentioned.
>
> But:
>
> 1- How really feasible is it to implement this attack? It would require
> tremendous processing power to properly alter the payload when it's been
> copied to the medium; it would also require tailoring the attack to qubes'
> isos, thus making it a targeted attack; I imagine that if you get to that
> point you probably have more important problems.
>

In a targeted attack by the local government, I would think it's a moderate
fixed cost (e.g. one engineer spending about 3 months on it), with a low
marginal cost for each victim to be attacked.

If it's a foreign government or organised crime, then interdiction becomes
more expensive. So they might need to add in a physical surveillance element
as well, e.g. some kind of radio signal to tell the USB stick remotely that
it should activate the attack. Much cheaper than the 24/7 physical
surveillance that many activists and some journalists are under at sensitive
moments.

So overall, I think lots of attackers -- including big companies (e.g. oil,
mining, pharma), organised crime, local and foreign governments -- would find
this attack promising. We know from Snowden that at least one big agency
likes targeting developers and system administrators. I would expect that
everyone on this mailing list is a target, just because they are on the list.

> 2- both the DVD reader and flash drive have a USB firmware, so how would
> the DVD reader's firmware be more "secure" than the USB flash drive's one?
>

Because you never plug the DVD reader into an insecure machine, only the
fresh new one.

Kind regards,
Andrew

--
You received this message because you are subscribed to the Google Groups "qubes-devel" group.
To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-devel/CAAXZBWKdtAeB5j9Hqf0jNTwEUWgJRAweqO_KwEEJjahyQLST8A%40mail.gmail.com.
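As an added illustration (not code from this thread or from the Qubes project), the following Python script models the "many machines checksum the payload" idea from the message above: each machine hashes its own copy of the image and reports a digest, and the reports are compared so that a machine, or a device serving it different bytes, stands out as a disagreeing minority. The machine names, the payload bytes and the "published" digest are all constructed for the example; the streaming file hasher is included because a real installer image is too large to read into memory at once.

```python
"""Cross-machine checksum comparison (added example, not from the thread).

Models the scheme discussed above: several machines each hash the same
payload from their own medium and report a digest; the reports are compared
so a machine (or device) that saw different bytes stands out.  Machine names,
payload bytes and the "published" digest below are all constructed here.
"""
import hashlib
from collections import Counter


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so a multi-GB ISO never has to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def sha256_of_bytes(data):
    """Same digest for an in-memory payload (used by the constructed demo)."""
    return hashlib.sha256(data).hexdigest()


def cross_check(reports, published=None):
    """Compare per-machine digests.

    reports:   {machine_name: hex_digest} as reported by each machine.
    published: optional digest obtained out of band (e.g. from a signed
               checksum file), or None.

    Returns a dict with:
      consensus         - digest reported by a strict majority, or None if
                          no digest is reported by more than half the machines
      outliers          - machines whose digest differs from the consensus
                          (every machine if there is no consensus)
      matches_published - True only if a consensus exists and equals the
                          published digest
    """
    if not reports:
        raise ValueError("at least one report is required")
    normalised = {m: d.strip().lower() for m, d in reports.items()}
    digest, votes = Counter(normalised.values()).most_common(1)[0]
    # A plurality is not enough: with 2-of-4 agreeing nobody can say which
    # pair saw the genuine payload, so require a strict majority.
    consensus = digest if votes * 2 > len(normalised) else None
    outliers = sorted(m for m, d in normalised.items() if d != consensus)
    matches_published = (
        consensus is not None
        and published is not None
        and consensus == published.strip().lower()
    )
    return {
        "consensus": consensus,
        "outliers": outliers,
        "matches_published": matches_published,
    }


# --- constructed demo data (stand-ins, not a real image) --------------------
GOOD_PAYLOAD = b"constructed stand-in for an installer image" * 1000
BAD_PAYLOAD = GOOD_PAYLOAD[:-1] + b"!"   # one byte altered on the fly

GOOD_DIGEST = sha256_of_bytes(GOOD_PAYLOAD)
BAD_DIGEST = sha256_of_bytes(BAD_PAYLOAD)


def demo():
    """Three independent machines; one of them was served altered bytes."""
    reports = {
        "machine-a": GOOD_DIGEST,
        "machine-b": GOOD_DIGEST.upper(),   # same digest, different case
        "machine-c": BAD_DIGEST,
    }
    return cross_check(reports, published=GOOD_DIGEST)


if __name__ == "__main__":
    result = demo()
    print("consensus:", result["consensus"])
    print("outliers:", result["outliers"])
    print("matches published digest:", result["matches_published"])
```

The strict-majority rule is deliberate: with only two machines, or an even split, the script reports no consensus rather than guessing, which is the situation the thread is worried about when every machine you own might be compromised. The published digest is treated as a separate, optional input so that agreement among the machines and agreement with an out-of-band source are reported independently.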
