Hi Andrew,

On 01/27/18 15:31, Andrew Clausen wrote:
> Hi Ivan,
>
> On 27 January 2018 at 12:57, Ivan Mitev <[email protected]> wrote:
>
>> I don't see the benefit of using a DVD (we're talking about USB DVD
>> readers here) but maybe it's only me being thick...
>> If the machine used to copy or checksum the payload/iso is compromised,
>> then IMO it's already "game over" so I don't see how using a true read-only
>> medium vs a regular flash drive would help.
>
> The idea is that you use many machines to checksum the payload.  Each
> machine would have its own DVD device.

Ah, I see; in this case I agree that a DVD should give you greater ("reasonable"?) confidence that the install iso is legit compared to writable media, provided you have enough machines and readers to test.

Re-reading the whole thread I'm not sure that the other parent posters had this idea in mind though...
>> Assuming the machine is not compromised and the payload/iso is legit,
>
> But I was assuming the opposite!  The challenge is: how can you make a
> secure machine out of insecure machines?


>> the only way for the bad USB device to modify the data would be on-the-fly:
>>
>> - when writing the iso to the medium (in which case using a
>> write-once-then-read-only doesn't help at all vs using a writable medium)
>>
>> - when reading it, for instance at boot, presenting different data to
>> different machines like you mentioned.
>>
>> But:
>>
>>   1- How feasible is it really to implement this attack? It would require
>> tremendous processing power to properly alter the payload while it's being
>> copied to the medium; it would also require tailoring the attack to qubes'
>> isos, thus making it a targeted attack; I imagine that if you get to that
>> point you probably have more important problems.


> In a targeted attack by the local government, I would think it's a moderate
> fixed cost (e.g. one engineer spending about 3 months on it), with a low
> marginal cost for each victim to be attacked.  If it's a foreign government
> or organised crime, then interdiction becomes more expensive.  So they
> might need to add in a physical surveillance element as well, e.g. some
> kind of radio signal to tell the USB stick remotely that it should activate
> the attack.  Much cheaper than the 24/7 physical surveillance that many
> activists and some journalists are under at sensitive moments.

I wrote "tremendous processing", not "tremendous manpower": whatever the manpower and time spent by clever minds, I don't see how the USB hardware of a DVD reader or a flash drive could cope with on-the-fly analysis and modification of the data "passing by" at full read speed.

The attack mentioned by Sebastian - presenting different data to the host at boot time - is likely within the realm of USB hardware/firmware resources because there is enough time to analyze only a small amount of read data. In case you managed to get reasonable confidence that your medium is legit with the technique you describe, you could assume that it won't contain a "bad" alternate image so the attack above won't work. Your host's USB hardware could still be compromised though.

I now see what your setup achieves, so thanks for your reply - it's always interesting to see what other people are doing even if I don't need to be that paranoid - fortunately!

Best,
Ivan
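The multi-machine checksum idea discussed above, as an added example that is not from this thread or from the Qubes project: each host hashes the image in fixed-size chunks, and the per-chunk lists are compared so that a reader which was shown different bytes, and the region where it differed, can be identified instead of only learning that "the sums don't match". Host names, digests and the majority rule are assumptions of this example, not something the thread specifies.

```python
"""Cross-check an install image's per-chunk digests across several readers.

Added example, not from the qubes-devel thread.  Hosts and reports in the
demo below are constructed sample data.
"""
import hashlib
from collections import Counter

CHUNK = 1 << 20  # 1 MiB: small enough to localise a region that differs


def chunk_digests_bytes(data, chunk=CHUNK):
    """SHA-256 hex digest of each `chunk`-sized slice of an in-memory image."""
    return [hashlib.sha256(data[i:i + chunk]).hexdigest()
            for i in range(0, len(data), chunk)]


def chunk_digests(path, chunk=CHUNK):
    """Streaming variant for a real image or block device (no full read)."""
    out = []
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            out.append(hashlib.sha256(block).hexdigest())
    return out


def compare_reports(reports):
    """reports: {host: [digest, ...]} collected from independent machines.

    Returns (bad_hosts, bad_chunks).  A chunk is bad when hosts disagree on
    it; the hosts outvoted by a strict majority are flagged.  Without a
    strict majority (two readers, or an even split) every host is flagged,
    since nothing on the page lets us say which side is honest.
    """
    if not reports:
        return [], []
    if len({len(d) for d in reports.values()}) != 1:
        return sorted(reports), []  # image sizes differ: nothing to align
    n = len(next(iter(reports.values())))
    bad_hosts, bad_chunks = set(), []
    for i in range(n):
        votes = Counter(d[i] for d in reports.values())
        if len(votes) == 1:
            continue
        bad_chunks.append(i)
        winner, count = votes.most_common(1)[0]
        if count * 2 <= len(reports):
            bad_hosts.update(reports)  # no strict majority
        else:
            bad_hosts.update(h for h, d in reports.items() if d[i] != winner)
    return sorted(bad_hosts), bad_chunks
```

With three or more independent readers the outlier host is named; with only two, a mismatch tells you the medium is not trustworthy but not which reader saw the real bytes.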

--
You received this message because you are subscribed to the Google Groups 
"qubes-devel" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-devel/45fd78e8-f45c-33ea-8e58-d84e08d13b9b%40maa.bz.
For more options, visit https://groups.google.com/d/optout.