On Fri, 9 Dec 2011 17:29:33 -0500, Chris wrote:
> >> [...]
> >> Many users have a persistent local threat that they need to be
> >> aware of. Leaving a server running is not an option as it could be
> >> compromised by an adversary.
> >>
> >> Removable media can reduce that threat.
> >> [...]
> 
> I was not referring to zero day exploits actually. The key word here
> was local real-world threats. Such as an adversary gaining physical
> access to the server/machine running freenode.

If the bad guys have physical access, and care, it's game over.

I suppose you can try setting secret tripwires that might notify you
if the machine was tampered with (both in software, and in hardware.)
Those might give you a fighting chance. Although you'll also need to
make sure your room wasn't bugged with pin-hole cameras and other
spy-ware. It's a lost battle, regardless.

> Removable media may not eliminate the threat although there is less
> opportunity for a more sophisticated targeted attack. A software
> keylogger inserted into the MBR or similar would not be possible if
> the boot medium is never available to the attacker.

But it will be available if you ever decide to boot, happily recording
everything. Again, if you think your machine was actually tampered
with, you should assume it's unusable.

> On the other hand a physical keylogger may still be possible and maybe
> even a software based keylogger although more difficult to
> disguise/install without being noticed.

Of course. You should expect a variety of key loggers installed, in
code, under your keyboard keys, acoustic key loggers stuck somewhere
inside the machine (that can acoustically determine which key you're
pressing), and a bunch throughout your room in pin holes in your walls
and ceiling.

> I can think of at least a few different ways of getting a keylogger
> onto a system without having access to the boot drive or having to
> install a physical device. I would still need physical access to the
> computer. At least one method would not even require BIOS
> modification and would work on any x86 machine.

So you're already aware that there is not much hope if the bad guys get
physical access? :p

> [...]
> Let's give a scenario:
> 
> We have to assume that a person's Internet connection is being
> monitored. This might be via a sophisticated non-governmental actor
> (such as by breaking WEP/WPA) or by a government act such as
> monitoring at the telco. The adversary should also be assumed to be
> "unethical" in that there are no rules

In that case, if you're using only opennet-mode, you should assume
you're screwed :p. They can replace all your opennet peered nodes, and
see exactly what you're doing, more or less. This is why darknet-mode
was created -- they would need to physically infiltrate all your
friends' computers, which isn't impossible, but MUCH more difficult.

> and can physically modify or otherwise install a software based
> monitoring solution on any boot media they have access to.

Then you're *definitely* screwed, regardless, as explained above.


> The first question is how many peers need to be compromised to
> identify the content being transmitted?

All of them, to be 100% sure. Compromising opennet peers is trivial --
with a dedicated-enough adversary. Compromising darknet is a lot
harder.


> If a few of your freenode peers can be compromised and the adversary
> can monitor your Internet connection and local area network can they
> identify the contents which are being requested/sent by you? This
> assumes that they can't bug the physical machine that you are using
> to run freenode.

As long as you still have one uncompromised peer, I guess they can't be
sure what traffic you're generating locally, and what you're simply
relaying for that peer (or that peer's peers, etc). But if they're able
to compromise all-but-one of your peers, it's pretty darn close to
game-over :p. If I was an unethical bad guy, I'd arrest you and that
peer, separate you into isolation-cells, and play psychological games
until one of you confesses. Or perhaps torture. (Although, if that
other peer doesn't have anything to hide, or isn't your friend, I'd
easily jump to the conclusion that you're the one I'm looking for :).


> If you add a server with freenode (which can be bugged) to your local
> LAN that is then added as one of your peers does this compromise the
> security? The point of adding a server with freenode to peer with on
> the local LAN would be to speed up requests since the machine that is
> actually used for browsing freesites (such as a laptop) can't be left
> on all the time (as doing so gives an adversary opportunity to bug
> it). This means it has to run from a removable boot medium that can
> be accounted for at all times.

Overlooking the above points about physically-tampered machines (we
*really* shouldn't overlook them), I think this setup essentially means
that you can expect one of your LAN peers to be compromised. But, as
long as your router isn't bugged, and as long as that peer isn't the
only one you're connected to, you should be relatively safe. (But if
you suspect any of your peers are bugged, you should *really* be
considering other options.)
_______________________________________________
Support mailing list
Support@freenetproject.org
http://news.gmane.org/gmane.network.freenet.support