Re: [Cryptography] Using Raspberry Pis
On 26 August 2013 22:43, Perry E. Metzger pe...@piermont.com wrote: (I would prefer to see hybrid capability systems in such applications, like Capsicum, though I don't think any such have been ported to Linux and that's a popular platform for such work.) FWIW, we're working on a Linux port of Capsicum. Help is always welcome :-) ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Using Raspberry Pis
On 09/07/2013 12:04 AM, Ben Laurie wrote: On 26 August 2013 22:43, Perry E. Metzger pe...@piermont.com mailto:pe...@piermont.com wrote: (I would prefer to see hybrid capability systems in such applications, like Capsicum, though I don't think any such have been ported to Linux and that's a popular platform for such work.) FWIW, we're working on a Linux port of Capsicum. Help is always welcome :-) ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography I implemented a lightweight, tightly-focused (well, it started out that way), capabilities-like system for Android kernels last year. It was a monumental PITA largely due to interior kernel-side APIs changing so frequently across kernel versions. We had mechanisms for binding capabilities to ELF binaries in a way that the kernel could verify. The project failed, largely because it kept being dragged around by marketing so often, that we never got it really nicely robust in any given direction. This week, it's a floor polish. Next week, it's a turbine maintenance system. ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Using Raspberry Pis
Custom built hardware will probably be the smartest way to go for an entrepreneur trying to sell these in bulk to people as home gateways anyway Meanwhile, while Phill may have spent $25 for a USB Ethernet, I frequently see them on sale for $10 and sometimes $5. ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
[Cryptography] Using Raspberry Pis
I really like RPis as a cryptographic tool. The only thing that would make them better is a second Ethernet interface so they could be used as a firewall type device. However that said, the pros are: * Small, cheap, reasonably fast, has ethernet and even a monitor output * Boot from an SD card which can be preloaded with the OS and application build. So it is really easy to use RPi as an embedded device controller. The main con is that they are not so fast that you want to be routing packets through them unnecessarily. So they are a great device to make use of for connection brokering, not such a great idea to tunnel video packets through them. It is entirely reasonable to tell someone to get an RPi, download a config onto an SD card, plug it into their network and apply power and ethernet. And they take so little power that we could even tell them to install a pair so that they had a fault tolerant setup (although they are low enough power, low enough complexity that this may not be necessary or helpful). In the home of the future there will be hundreds of devices on the network rather than just the dozens I have today. So trying to configure security at every point is a non starter. Peer to peer network configurations tend to end up being unnecessarily chatty and are hard to debug because you can't tell who is meant to be in command. The approach that makes most sense to me is to have one or two network controller devices built on something like RPis and vest all the trust decisions in those. So rather than trying to configure PKI at hundreds of devices, concentrate those decisions in just one logical point. So I would like at minimum such a device to be my DNS + DHCP + PKI + NTP configuration service and talk a consistent API to the rest of the network. Which is the work I am doing on Omnibroker. Putting a mail server on the system as well would be logical, though it would increase complexity and more moving parts on a trusted system makes me a little nervous. -- Website: http://hallambaker.com/ ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Using Raspberry Pis
On Mon, Aug 26, 2013 at 4:12 PM, Phillip Hallam-Baker hal...@gmail.com wrote: I really like RPis as a cryptographic tool. The only thing that would make them better is a second Ethernet interface so they could be used as a firewall type device. Two things to look at. Onion Pi turns one into a WiFi hotspot Tor input node: http://learn.adafruit.com/onion-pi/overview Freedom Box is working on low-power home servers with goals overlapping yours. They use a different machine as their reference server, but it should work on Pi. There is some discussion in their mailing list archive: http://freedomboxfoundation.org/ ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Using Raspberry Pis
On Mon, Aug 26, 2013 at 5:43 PM, Perry E. Metzger pe...@piermont.comwrote: On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Baker hal...@gmail.com wrote: I really like RPis as a cryptographic tool. The only thing that would make them better is a second Ethernet interface so they could be used as a firewall type device. You can of course use a USB ethernet with them, but to me, they're more a proof of what you can do with a very small bill of materials. If you're designing your own, adding another ethernet (and getting rid of unneeded things like the video adapter) is easy. Custom built hardware will probably be the smartest way to go for an entrepreneur trying to sell these in bulk to people as home gateways anyway -- you want the nice injection molded case, blinkylights and package as well. :) I don't think the video adds much to the cost. I do have a USB ethernet adapter... but that cost me as much as the Pi. Problem with all these things is that the Pi is cheap because they have the volume. Change the spec and the price shoots up :( -- Website: http://hallambaker.com/ ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Using Raspberry Pis
I was pointed to this list by a friend of mine who thought I'd be interested in this discussion, and indeed I am. I intended to lurk for a while before posting, but this discussion so perfectly fits with a SkyTalk I gave at DefCon last year (DC20, not just a few weeks ago) where I proposed this very thing: A small home-router type device that contains everything that I do on-line, such as Email, IM, DNS, my node in that mythical federated social network that doesn't really exist, etc. (I'm kind of embarrassed now that I was promoting Diaspora at the time. *sigh*) Unfortunately, the realities of my life are that I haven't done anything about this, but I did get a few emails after my talk from people saying they were. 'course, I haven't heard anything SINCE then so who knows. Anyway. In case any of you are interested, my talk is available here: https://archive.org/details/skytalks_defcon_20_taking_back_our_data_smitty_2012_07_27 I'd be interested in hearing your comments or thoughts. If anything strikes you as a good idea, by all means use it. While I'm interested in seeing this happen, the realities of my life are that I'm unlikely to be the one to do it. Specifically, I'd love to be told why something like NameCoin distributing both DNS server and domain-limited CA certs would NOT work. There is the issue of scale with block-chain technologies like that, but is that the ONLY thing? Or is there a fundamental problem with the technology? -Mark On 08/26/13 14:43, Perry E. Metzger wrote: On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Baker hal...@gmail.com wrote: I really like RPis as a cryptographic tool. The only thing that would make them better is a second Ethernet interface so they could be used as a firewall type device. You can of course use a USB ethernet with them, but to me, they're more a proof of what you can do with a very small bill of materials. If you're designing your own, adding another ethernet (and getting rid of unneeded things like the video adapter) is easy. Custom built hardware will probably be the smartest way to go for an entrepreneur trying to sell these in bulk to people as home gateways anyway -- you want the nice injection molded case, blinkylights and package as well. :) The main con is that they are not so fast that you want to be routing packets through them unnecessarily. So they are a great device to make use of for connection brokering, not such a great idea to tunnel video packets through them. Not sure that's really true for normal home networks. The current average home NAT box is, in fact, a CPU in this class running Linux, so we have proof of concept of them pushing packets fast enough running in millions of homes. The processors in question are also quite cheap, and only getting cheaper and more powerful -- multicore will be universal before long. So I would like at minimum such a device to be my DNS + DHCP + PKI + NTP configuration service and talk a consistent API to the rest of the network. Not an unreasonable goal -- particular details of what software is running depend on what one's final application mix is. Putting a mail server on the system as well would be logical, though it would increase complexity and more moving parts on a trusted system makes me a little nervous. Modern Linux systems have pretty good MAC and similar security hardening available. They're a pain in the neck to configure, but if you're handing people firmware, that only has to be done once. It isn't perfect but it is better than what almost anyone has at home now or what they rely on elsewhere. (I would prefer to see hybrid capability systems in such applications, like Capsicum, though I don't think any such have been ported to Linux and that's a popular platform for such work.) In the long term, of course, I'd like to see the work in seL4 extended to open source systems, but that's a very long term goal. 0xD4217DB1.asc Description: application/pgp-keys signature.asc Description: OpenPGP digital signature ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography
Re: [Cryptography] Using Raspberry Pis
On Tue, 27 Aug 2013 12:06:47 +1200 Peter Gutmann pgut...@cs.auckland.ac.nz wrote: Perry E. Metzger pe...@piermont.com writes: Custom built hardware will probably be the smartest way to go for an entrepreneur trying to sell these in bulk to people as home gateways anyway -- you want the nice injection molded case, blinkylights and package as well. :) In that case why not just get an Alix embedded system, http://www.pcengines.ch/alix.htm, and drop pfSense, http://www.pfsense.org/, on it? Someone else has already done all the work, all you need to do is configure it however you want it. I'm not going to disagree as such (I have no idea what the wholesale cost of these machines is but I assume it is fine, or if it isn't that someone else sells one that is cheap enough.) I think that we can stipulate that quite inexpensive machines are possible, and concentrate on discussing what they might run (which is a much wider discussion -- see the last couple of days of discussion...) Perry -- Perry E. Metzgerpe...@piermont.com ___ The cryptography mailing list cryptography@metzdowd.com http://www.metzdowd.com/mailman/listinfo/cryptography