How Do YOU Establish a Secure Computing Environment?

sneakyimp writes "We've seen increasingly creative ways for bad guys to compromise your system like infected pen drives, computers preloaded with malware, mobile phone apps with malware, and a $300 app that can sniff out your encryption keys. On top of these obvious risks, there are lingering questions about the integrity of common operating systems and cloud computing services. Do Windows, OSX, and Linux have security holes? Does Windows supply a backdoor for the U.S. or other governments? Should you really trust your Linux multiverse repository? Do Google and Apple data mine your private mobile phone data for private information? Does Ubuntu's sharing of my data with Amazon compromise my privacy? Can the U.S. Government seize your cloud data without a warrant? Can McAfee or Kaspersky really be trusted? Naturally, the question arises of how to establish and maintain an ironclad workstation or laptop for the purpose of handling sensitive information or doing security research. DARPA has approached the problem by awarding a $21.4M contract to Invincea to create a secure version of Android. What should we do if we don't have $21.4M USD? Is it safe to buy a PC from any manufacturer? Is it even safe to buy individual computer components and assemble one's own machine? Or might the motherboard firmware be compromised? What steps can one take to ensure a truly secure computing environment? Is this even possible? Can anyone recommend a through checklist or suggest best practices?"

Simples!

[realitycheckplease]

If you want a secure computing environment, don't connect your computer to anything! Also keep it in a faraday cage, and make sure the power supply lines are filtered so they can't carry signals out through the cage.

Re:Simples!

[Bryan+Bytehead]

No, to be truly secure, you put it in a room with no windows, make sure the computer is unplugged, lock the door with a lock that has no key, and you're done.

This sounds harsh, but when you consider that the biggest problem of securing computers is the user that uses it, accidentally or purposely, just say no to the user.

Re:Simples!

[v1]

No, to be truly secure, you put it in a room with no windows,

It's well-known that removing Windows makes your computer more secure.

Re:Simples!

[jc42]

It's well-known that removing Windows makes your computer more secure.

And if you don't replace it with any other OS, you've pretty much maximized your security.

Re:Simples!

[AK+Marc]

Secure is powered off and disconnected from any cables, power, network, or otherwise. Security isn't possible. You always trade off security for usability. The question is rhetorical nonsense unless you also answer the question of "what level of usability do you want - what are you going to do with it?"

Re:Simples!

[Razgorov+Prikazka]

>> If you want a secure computing environment, don't connect your computer to anything!
>> Also keep it in a faraday cage

Put that in a lead (at least 1" thick) box, and fill that with epoxy resin or concrete, remove M$ and replace with OpenBSD, have the disk 265bits AES encrypted with the separate home folders encrypted as well. Make sure that there is a BIOS password, get REALLY drunk and chance all the passwords so you cant remember the next day, ship it to Mercury and bury there ten feet deep.
Not great for doing some facebookin, but it is SAFE!

Re:Simples!

[darkHanzz]

Don't forget to wipe out the BIOS, or disable netbooting... Security ain't easy

Re:Simples!

[ubrgeek]

The computer or the user?

Re:Simples!

[roc97007]

If you want a secure computing environment, don't connect your computer to anything! Also keep it in a faraday cage, and make sure the power supply lines are filtered so they can't carry signals out through the cage.

When I did military contracting, we did exactly this. (The room was also windowless.) The machines were used for code generation, so most often the data would *leave* the room rather than enter, (and there was an entire security protocol for that) so no LAN or portable storage was required. On the few times when data had to enter the room, it did so on disk packs (this was awhile ago) that had been vetted through a fairly complicated process.

Exactly once, the computers in the sealed room had to be connected to computers in the cage where we were setting up the customer's equipment. After some discussion, we carefully disconnected the cage from the company network, ran a network cable out the armored door and into the cage, ran the tests, then disconnected afterwards. Of course, that is technically not sufficient to avoid contamination, (viruses et al) but was the best we could do under the circumstances.

Re:Simples!

[johnsnails]

Than that avatar dude will find it

Re:Simples!

[grantspassalan]

How about simply having a computer that has nothing stored on it that anybody else can use for something nefarious? The reason that hackers want to break into people's computers is to obtain information that can be used for personal gain or to hurt someone else. If there is nothing worth stealing, then it won't be stolen.

Re:Simples!

[roc97007]

When I did military contracting

So ... how does it feel, knowing you were Satan's Little Helper?

(the military-industrial complex is the closest thing to an actual Devil in existence. marketing is a close second. i assume your Dark Master rewarded you well?)

I did ok.

Re:Simples!

[roc97007]

And was your "faraday cage" truely a functioning faraday cage ???

I once sat next to a guy who told me something similar as you tell it and he said to me the "cleaners" would use some crap walkie-talkie to communicate. Apparently the "faraday cage" was more a dog-and-pony cage to impress idiots and shaft the taxpayer.

Hello to John M.

Frank G.

I don't know. We were told it was, and checking it wasn't my job. I observed that it was a metal door with a flexible metal seal all the way around. Other than that, I didn't think about it.

Re:Simples!

[roc97007]

And was your "faraday cage" truely a functioning faraday cage ???

I once sat next to a guy who told me something similar as you tell it and he said to me the "cleaners" would use some crap walkie-talkie to communicate. Apparently the "faraday cage" was more a dog-and-pony cage to impress idiots and shaft the taxpayer.

Hello to John M.

Frank G.

Shrug. It could have been. Stuff like that definitely occurred.

Re:Simples!

[mysidia]

No, to be truly secure, you put it in a room with no windows, make sure the computer is unplugged

It's not truly secure though. You will never own a perfectly secure system.

A computer system is only secure if it provides sufficient assurance of required confidentiality, availability and integrity of the data; if any of the 3 criteria are not able to be sufficiently assured, then the system is insecure.

Unplugging the computer, addresses the 1st standard criteria for assessing security: confidentiality cannot be easily breached remotely, because the machine has been turned off, and made unable to communicate.

However... unplugging has issues, regarding availability. Data that is not available to the required users is (by definition) not secure. And when the computer is unplugged, there is also no way of ensuring that the data does not become altered without permission (eg, by subversion of the media, or by bit rot).

Ensuring data availability via Backups and disaster recovery also become problems. How do you ensure you have a backup of an unplugged computer behind a door whose lock you don't have a key to? You break down the door... well, if you can break down the door, someone else can to.

Re:Simples!

[Skal+Tura]

Not sufficient. No computer is secure if it's in any way accessible, operable, even a computer buried underground, with no direct access is secure.

In practice however?

Just operate within a reinforced concrete and steel building, ie. a warehouse, signals get so weak that barely modern cell phones work, and you can forget data for the most part, even if there is just 1 layer of blockade. If you have physical security around no one can get close enough to get reliable signal through, especially if you place couple of scramblers.

Yet inside off the building you can even utilize wireless communication within the network - tho i wouldn't allow that, scramblers all around.

In the end, if the computer has human accessing it -> that's your weakest link most likely.

Re:Simples!

[Skal+Tura]

By far not sufficient when you get to that level of required security.
If there is no alarms, monitoring etc. and reinforced walls, a thief can potentially get inside without anyone noticing through another wall, ceiling or floor.

Practical security:
  * Use linux with GRSEC
  * All network daemons turned off
  * Firewall all ingress, don't even allow ping etc.
  * Firewall all egress, only make sure what's ultimately needed is accessible, potentially building a whitelist if possible
  * No excess software what-so-ever, just what is ultimately needed
  * ROOT account: No logins, create another account which can only be locally logon to, which can sudo. Password 16 chars, potentially automatically rotating. Possibly also having 2 factor authentication. You can trivially create this step by even creating a PHP Script as the shell :)
  * USER account: Limited to only what is required, potentially chrooted to the exact data which is required to be accessible etc. Depends on the usability required
  * Watch logins: More than 2-5 failed logins, shut the system down immediately using "magic" SYSRQ, wrong username? Instantly
  * Full disk encryption, on top of which potentially using a bit obscure filesystem to make it that much harder to break. The required data should have 2nd level encryption unless doing that creates a potential attack vector on the first level encryption

Hardware:
  * Potentially use hardware where you can review the firmware/bios if possible
  * HW firewall "integrated" to the motherboard, motherboard network connectors are removed and hardwired to this HW firewall, so that even a skilled person would require atleast 20mins to bypass the HW Firewall
  * HW Firewall configured in the same sense as the SW firewall, potentially with additional protections.
  * Super Epoxy glue all connectors, modules etc. including the HW firewall buttons and it's mainboard into the motherboard etc. -> Stops quick tampering.
  * Disk drives and CPU needs cooling, so CPU heatsink could use heat transfer glue to the CPU and super epoxy from the sides on to the motherboard. Disk drives can have little spacing with the super epoxy.
  * The whole case is epoxied together/welded. No connector should be accessible, but peripherals mounted permanently with super epoxy to avoid inserting capturing devices directly.
  * Braided stainless steel sleeves for all cabling to make splicing in harder.
  * Epoxy on the other side of the peripherals as well ;)

FW Config: Potentially disabling all unencrypted connections, verifying against known certificates, no other connections allowed, if possible. Potentially also limiting data transfer rates so that if anyone tries to transmit data outside -> it will take long enough for security to take notice.
GRSEC configuration is very involved, but can be teached.
Process list should be verified and checked against.

This will create a secured SW + HW environment.
If you cannot use a motherboard/devices which firmware you can verify, the extreme FW measures taken (both SW + HW) should ensure no data gets transmitted without permission. It is highly doubtful that same organization can be behind a security hole in the motherboard AND the HW FW, but you can also create your own HW FW using things like Arduino where you would be the person creating the firmware as well.

Epoxy: Modern cars are glued together, so just use similar industrial strength epoxy.

In the end it's all about making accessibility slower if it's a highly skilled attacker with knowledge about the system upfront, which can potentially stop the attempted attack all together if it's deemed too secure.
BUT Security via obscurity is still not security, i see people changing their SSH ports, blocking Ping etc. but that doesn't really add to security, as the information can still be gathered very quickly.

Re:Simples!

[lindi]

* ROOT account: No logins, create another account which can only be locally logon to, which can sudo. Password 16 chars, potentially automatically rotating. Possibly also having 2 factor authentication. You can trivially create this step by even creating a PHP Script as the shell :)

The only advantage of this is that it is harder to guess the username?

* Watch logins: More than 2-5 failed logins, shut the system down immediately using "magic" SYSRQ, wrong username? Instantly

Sounds like a nice way to disable your system remotely :)

* Full disk encryption, on top of which potentially using a bit obscure filesystem to make it that much harder to break. The required data should have 2nd level encryption unless doing that creates a potential attack vector on the first level encryption

How does the machine boot after a power outage?

Re:Simples!

[jandersen]

If you want a secure computing environment, don't connect your computer to anything!

I do realise that you are joking, of course; but it strikes me that people always think that technology is the main ingredient in securing a system.

I have been a UNIX system manager for the last ~10 years (and I was a developer for many years before that, so I actually DO know how software works, unlike many others in my line of work), and I have seen many times that no matter how much you weigh your environment down with virus checkers, firewalls etc, there is always a gaping hole left open: people's stupidity.

These are my very simple, basic rules, that have kept my part of the world in good shape:

1. UNIX: not so many attacks in the first place.
2. Only I have the root password, and I don't give it away. It doesn't matter whether you are a VP or CEO - you won't get it from me.
3. I install all systems that go into my network, and I wipe all harddisks first.

We do have things like firewall and virus checks on all Windows desktops; but we have also had one or two virus outbreaks over the years - mostly because there are idiots who allow HTML emails without restriction, or who click 'OK' on pop-ups and open attachments without thinking.

Re:Simples!

[sneakyimp]

Is it too much of a stretch to assume that I might want to use this computer for something useful involving sensitive information? Or that I might need to network said workstation for the purpose of interacting with the Internet? I realize the original question doesn't say this, but the fact that there's not a single post yet that assumes this is more than a little frustrating.

Re:Simples!

[sneakyimp]

FINALLY! A helpful post with some reasonable, practical advice.

Potentially use hardware where you can review the firmware/bios if possible

Any thoughts on where one might obtain such hardware? I've heard folks suggest Arduino.

HW firewall "integrated" to the motherboard, motherboard network connectors are removed and hardwired to this HW firewall, so that even a skilled person would require atleast 20mins to bypass the HW Firewall

Never heard of a HW firewall -- can you suggest any vendors or places to purchase such a thing?

Disk drives and CPU needs cooling, so CPU heatsink could use heat transfer glue to the CPU and super epoxy from the sides on to the motherboard. Disk drives can have little spacing with the super epoxy.

How does this relate to security? Please explain

Thank you for the thoughtful, practical advice.

Re:Simples!

[sneakyimp]

The question is only rhetorical if you make the same assumptions as an autistic person or a pedant. Obviously the computer will be used for something. You are correct in that I did not specify that I want the machine to be networked. Please use these assumptions:
* computer has to be ON (I cannot believe I have to specify this)
* computer will be used for software development and will handle sensitive data
* I'm hoping for answers that apply both to server and workstation environments
* Computer will be networked and, where possible, will use secure versions of required protocols (e.g., HTTPS, SSH, etc.)

Re:Simples!

[sneakyimp]

Thanks for the completely useless (and not particularly original) post!

Re:Simples!

[sneakyimp]

Thanks for this anecdote. It's a lot more interesting (and useful) than all the jokers talking about unplugged computers.

How did data come "out" -- obviously USB drives can present significant risk these days. Also, were there any protocols in place to validate your hardware? Any special operating systems in use that are considered more secure than others? Any details you can provide would be much appreciated.

Re:Simples!

[sneakyimp]

I don't know. We were told it was, and checking it wasn't my job. I observed that it was a metal door with a flexible metal seal all the way around. Other than that, I didn't think about it.

See, that's the funny bit I think. In practice, nobody considers the details beyond their purview. Personally, I don't expect I'll be writing any motherboard firmware to acquire security. I do hope to understand what security-minded folks do at certain stages to gain a practical understanding of end-to-end security. It's kind of like learning what a transistor or flip-flop is in a computer science course. I have never once since college built a logic circuit using ICs, but it is helpful (and profitable) to understand how they work.

Re:Simples!

[sneakyimp]

In the end, if the computer has human accessing it -> that's your weakest link most likely.

While I appreciate there are a lot of folks here on /. that consider the security of the facility itself, my intent was to learn more about preventing exploits in a networked computer workstation -- and ignoring for a moment the possiblity that someone might appear in my office and tamper with the machine. I agree that "social engineering" is a substantial threat--especially when the users are your typical technically illiterate types like my parents -- but am not sure that it is the weakest link in my case. I'm more concerned about insuring that my hardware and drivers and operating system are completely free of exploits and reasonably free of security holes.

Re:Simples!

[roc97007]

The thing is, you can't know every single detail for a big project. I designed the cpu board and wrote software (in assembly language) to control various things. There were certain things I was supposed to do to ensure security, but the details were someone else's job. This is often the case.

I have some knowledge of the sail area of dish antennas, because it was interesting, and there had been a spectacular failure when someone didn't do the calculations right for typical weather in the deploy area. But that really wasn't my job either.

Re:Simples!

[roc97007]

The OS was VMS, and as I recall, data exited the room via tape cartridges for the most part, and RM05 disk packs occasionally. This was quite a bit before USB drives were even a concept. Validating the hardware wasn't in my area of influence, so I'm sorry to say I don't know much about it except that there were protocols in place. There were levels of security -- "the room" was seriously sequestered, (you needed a particular badge and know the door code) "the cage", where the equipment controlled by the software resided had slightly higher accessibility, (a particular badge would do) and then there were work areas outside the cage that had less security (any company badge but no visitors). The entire installation, though, was fenced and patrolled and had active guard stations 24 hours a day, so one could say that the building itself had a fairly high degree of security.

About transporting data -- funny story -- I worked on a slightly less secure project, which still used computers that had magnetic core memory, because that's what had been specified back when it was originally designed, and you know how the military will cling to a technology. Although this was awhile back, core memory was obsolete even then, but one of the advantages was that you could shut off the sequestered development machine, pull the memory board, walk out to the cage, slap in the memory board, and run the program. Just as you can do now with thumb drives. I designed boards with static memory, and later dynamic memory, and it seemed to me that in some respects we were going backwards. :-) With flash memory we finally had persistence like we used to have decades ago.

Re:Simples!

[sneakyimp]

You do have a good point -- namely that the enterprise of creating all the hardware necessary for a single computer is just too much for any one person to reasonably accomplish and still be productive at whatever their day job happens to be. With that in mind, it would probably be wise to create some kind of risk profile for the various aspects of computer security -- address the gaping holes before you start worrying about the really difficult exploits.

I've asked this question before and the answers I get usually refer me to really simple instructions for technically illiterate types:
* don't click on sketchy links in email messages
* pick a good password
* install antivirus software
* use a firewall

Does anyone know where to find good stats on attack vectors? Something like this, but which also quantifies hardware and social engineering risks: http://cwe.mitre.org/data/index.html

Re:Simples!

[sneakyimp]

Hm....any suggestions on where one might find trustworthy flash memory? I have this unshakeable suspicion that USB pen drives are trouble.

Re:Simples!

[AK+Marc]

4th assumption 1st clause. No. That removes security. It *can't* be "secure" if its required to be "open" to various well-known protocols. And no, HTTPS is no more secure than HTTP. You can authenticate the client, and ensure that the data was not tampered with in the middle, but a mal-formed request that generates a breach is no more or less likely when you employ encryption.

If it's for "development" as you state in #2, then build a single machine with multiple VMs. One being the server, open to ports and such, and only connected with a virtual switch to the other VMs, which are test clients. You build test protocols and have users submit use cases and test them.

Alternatively, you ignore security. What do you need security for to test software development (sensitive data or otherwise)? Put dummy data on it, and put it on the Internet completely unprotected. Who cares if it ends up serving kiddie porn, you'll lose nothing, unless the feds confiscate your servers.

No input, no net connection.

[Kenja]

That's what I did last time I needed a super secure environment. Local network only, KVM extension to put the user interface far away from the locked up computer. Granted that's not what the article is looking for, but that was the best solution I could find at the time.

Re:No input, no net connection.

Secured and monitored a single site 24/7 using
motion and a wireless camera. Uploaded images live to a cache on the LAN
through which the data immediately went to
redundant cloud storage services in countries
with redundant systems of legal process.

Separated data streams in the local network and the clouds to inform me of unscheduled motion. Used email and one cloud service over G3 with fallback to GPRS and WiFi.

On a daily basis Reaffirmed that the system continued to operate. Monitored and secured the site 24/7. Processed the record generated for redundant archives. Slept well.

Re:No input, no net connection.

[fisted]

> Monitored and secured the site 24/7
> Slept well.

wait.

Make it yourself

[solidraven]

Get the necessary equipment and make your own CPU. Also make the lithography masks yourself to ensure your paranoia score reaches a maximum level! Next proceed to make your own motherboard (making all the components yourself as mentioned earlier). Also you'll have to create your own CRT monitor (imagine if they intercepted the signals between the graphics card and the monitor!!!). And you might want to sit in a faraday cage made out of mu metal with your own personal lemon battery based power supply.

Re:Make it yourself

There's no need to go this far to avoid virus attacks --- just devise a means of randomizing
certain aspects of a system through software, such as (very lightly) encrypting Windows
API calls (and the implicit links to them in all binaries).
Or a CPU could be made that assumes all data it loads from RAM is lightly encrypted
(added to a 32-bit key for example) and therefore decrypt all data it loads and consequently
scrambling any malicious code.
Attackers would have no way of writing a virus which could spread, although they might
get to single systems now and then.

Re:Make it yourself

[Metabolife]

You forgot the part about digging a secure bunker 2 miles below the surface.

Re:Make it yourself

[Subjective]

The parent's point was that the virus attack occurred at the CPU factory. You can't protect against that by demanding anything from the API (CPU instruction set) - the thing implementing it is compromised

Re:Make it yourself

[sneakyimp]

The parent's point is about the millionth time that same joke is made and provides no useful advice to address the real world. Here's one of the original questions:

Is it even safe to buy individual computer components and assemble one's own machine?

solidraven makes his poor (and unoriginal) joke without actually providing any useful detail about how to insure hardware security. It really bothers me how people should "PARANOIA!" and then make the same joke as everyone else without actually trying to provide any useful advice.

Optical TEMPEST

[cpghost]

A faraday cage is not enough. Make sure no optical signals can get out of the room.

Ninjas

[davidwr]

Nobody but me gets to my abacus!

Re:Ninjas

[pakar]

You have to check out those full-HD abacus'es now... 1920x1080 makes them real nice for working with really big numbers... :)

Easy...

[erp_consultant]

I've got a VM that I run on Windows 2000. That OS is no longer patched by Microsoft so I don't want to expose it to the internet. I turned off all the networking protocols and shut off all the services that have to do with I/O. If I open a browser the only site it will connect to is a server I have running inside the VM, which requires a password. I turned off the network shares so there's no chance of getting an infected file from the host machine. The only way to write a file to it is via a USB drive and I scan those before I connect it.

The OS runs great and, with all those unnecessary services turned off, quickly as well.

Re:Easy...

[DaMattster]

Also, someone might be able to compromise the VM Hypervisor and get in that way. The lesson here is that nothing in an interconnected environment is fully secure. The most "secure" thing you can do is quit using technology altogether but that would make things incredibly cumbersome in the modern era.

Re:Easy...

[Teun]

It's a honey pot.

Weigh your options

[Sparticus789]

You have to achieve a personal balance between functionality and security. Security and functionality are inversely proportional. For the average user, having a login password will be enough. If you are storing private data, like tax returns and financial documents, encryption is a good idea. A Truecrypt container with a strong password (16+ characters, upper and lower case letters, numbers, and symbols) will suffice.

If you are of the moderately paranoid group (like me), then FDE, private browsing, and a SSD with TRIM capable motherboard/OS will be enough. If you believe the NSA is watching you, then try taking your meds and refer to the moderately paranoid measures.

Re:Weigh your options

[Xugumad]

> If you believe the NSA is watching you, then try taking your meds and refer to the moderately paranoid measures.

In the unlikely event that the NSA or other similar organisation is watching you; if you have to ask /. for security tips, you've gone terribly, terribly wrong somewhere.

Re:Weigh your options

[Marillion]

I agree whole heartedly. The security curve is an asymptotic one. You'll never reach secure. The biggest security risk in any system (computer system or non-computer system) is the person sitting at the desk. This is why secretive government agencies like the US DoD don't let anyone use a DoD computer until they've background checked and taken the requisite training classes.

This is Slashdot. Naturally, there will be amazing advice about elite encryption and protecting your most secretive plans from government spooks. Government? Really? Frankly, I'm more worried about the data that Visa and MasterCard have about me than the government stealing pictures of my kids marching band contests.

The original poster asked valid questions about reasonable outside threats - Malware. I'm a fan of free (as in beer) scanners that detect known threats disguised in innocent looking payloads. That adorable icon that Aunt Betty says is adorable could be an installer for a malware program. Also, subscribe to CERT bulletins or a similar organization that publishes information about emerging threats and vulnerability.

Re:Weigh your options

[Sparticus789]

In regards to DoD security, it is a complete joke. While their sensitive networks are (relatively) secure, their public network security is a joke. So is the training. Here's why.

A few years back my unit had to complete some mandatory online computer training. First, the Platoon Sergeant had the answers printed out that would give you a passing grade. Second, the computers went down a few days before the deadline, and came back up on the day of the deadline. So I received the order from my Commander, figure out a way to generate these certificates so his superiors would be happy.

I broke down the certificate generating script for the training. Isolated the parts of the URL that inserted name, rank, date, etc, which were all stored in a hexadecimal format at the end. Once I had the formatting down, I was able to manually generate the certificates without taking the test. Scary part was that the certificates were also inputted into the DISA system after I manually generated them, so each forged certificate was seen by the main server as legitimate. 130 certificates later, my unit was up to standard and nobody was the wiser.

Re:Weigh your options

[White+Flame]

Odds are that the NSA is already "watching" you. They're just not paying attention to the collected data until you spark their interest.

Re:Weigh your options

[mysidia]

> If you believe the NSA is watching you, then try taking your meds and refer to the moderately paranoid measures.

The NSA watching and you hoping to evade is a no-win scenario. The NSA watches everyone's comms, possibly. But if they have a reason to want to watch you specifically, as a government agency, their vast resources are sufficient that you are not going to hide.

I this day and age, they are likely able to deploy insect-sized drones to video your every move.

One or two commonl fly shaped things fly in, slip into your computer, attach to a few circuits, or you suddenly one day get a "special" spam message, with a payload that your CPU responds to, and loads custom firmware on the TPM chip, and suddenly your computer is a surveillance appliance, recording and reporting everything to your NSA masters.

Re:Weigh your options

[Xugumad]

People make these things so complicated.

They'll pick the lock on your door, replace your whole motherboard, and leave. Flying bugs would be an incredible overcomplication.

Re:Weigh your options

[sneakyimp]

I've seen many folks saying "the user is the problem" but do we have more than just the assertion to back that up? I.e., does anyone have actual stats on the nature and frequency of these various possible attack vectors:
* hardware hack (e.g., physical system access and hardware alteration, counterfeit chips with back door, etc.)
* software exploit
* social engineering

"Secure enough" is "good enough"

[davidwr]

The Ninja post was a joke with a point: It's practically impossible to do "secure computing" unless you are an island unto yourself.

The better question is:
What level of security is "cost effective" for you?

I'll give my answer as a reply.

"security"

[eexaa]

The term "secure" here is used in a bit misleading manner, there's nothing that could possibly be absolutely "secure" in this world, ever.

We should always ask only what amount of security the environment provides. In terms of money.

Re:"security"

[Plekto]

True, but I think the OP was talking about something that was connected to the outside world/internet.

The truth, though, is that nothing connected to the outside world will ever be secure. At best you minimize your damage. But you can absolutely ensure that users don't do as many stupid things. For instance, you can disable the USB ports and remove the CD and floppy drive from your machines. Then just and run them as terminals. No issues with flash drives or CDs. Then you can of course nuke all internet browsing.

The solution that my last employer provided was an open wi-fi connection for everyone to share that was for phones and such only and 100% not connected in any way (separate ISP and hard line even) to the main server. They could do all of their idiocy on that connection and sure, it was slow and sucked, but there was no way into the servers. Only the IT department's machine had outside access. Not perfect, but far better than letting every employee use the same system.

Re:"security"

[donaldm]

Well you could use a terminal (ah the old command line) or an X Terminal. Oh wait the 1980's just called saying they were right in the first place and "we told you so". :)

Of course the biggest problem most corporations face even going back to the start of computing is do you trust your administrators? If they don't then I suggest a couple of bricks and a nice cave (paintings optional).

Re:"security"

[Plekto]

Heh.

But the old idea of keeping work and pleasure separate is still the right one. If you keep both computer systems from each other, you keep most of the problems from happening.

The only potential issue might be email, but that's usually simple enough to deal with as an IT administrator.

Re:"security"

[sneakyimp]

True, but I think the OP was talking about something that was connected to the outside world/internet.

I was. Thank you for reading between the lines.

For instance, you can disable the USB ports and remove the CD and floppy drive from your machines. Then just and run them as terminals. No issues with flash drives or CDs. Then you can of course nuke all internet browsing.

Does anyone actually do this on their day-to-day workstation? It's been my experience that one must constantly browse the web to browse documentation, to seek support from tech support or forums, to send email, etc.

I was rather hoping for information like "to get clean, exploit-free mother boards, buy from special Vendor X" or "to check for malware on a Pen drive perform procedure Y".

Re:"security"

[Plekto]

One way that they did this at one company that I worked for had every machine was in a metal cage/box. It covered the floppy and CD drives, but the cover over them could be opened with a key.

IT had physical access, but users had none. Just the machine and the files on the server. Zero security issues in the time I was there. Keeping the employees off of the internet was all that was really required. (plus everyone now has phones so let them do their own wi-fi)

Computer Security Rules

[yenrabbit]

To ensure you have a secure computing environment: 1) Don't buy a computer and 2) Don't turn it on -the first line of pretty much every book on information security...

Unplug

[gtirloni]

It's very hard to live in a constant state of fear and paranoia. Better to unplug and relax.

Re:Unplug

[ArsonSmith]

I'm pretty sure unplugging gets you put on one of the extra special lists.

linux

[blackC0pter]

i actually run linux on the desktop to help stay secure and don't pirate software. Add some ufw firewall rules and a router based firewall and you can survive most non-local (in the room) attacks.

Re:linux

[MysteriousPreacher]

Where did he say it would?

Re:linux

[Psicopatico]

My experience as well.
So far, in the last 8 years it gave me excellent results.

We all know 99%+ of the generic malware out there is crafted to break in Windows setups.
The amount is so vast it's only a matter of time, you *will* be hit.
But once you take the target out of the equation, the rest is much much more easy to manage.

Once I realized this, I stopped recommending Linux to random folks: the more people keeps using Windows, the more *I* am secure.
And, at the end of the day, this is the only thing that matters to me.

Re:linux

[jc42]

Oh right linux makes you immune from things like buffer overflows or user assisted attacks.

Nice strawman there. ;-) Of course it doesn't. But its open-source nature greatly increases the chances that 1) backdoors will be discovered by interested geeks and removed, and 2) people other than employees of the vendor will be able to fix problems quickly.

I ran across a case of this a while back, when I got a message from one of djb's team telling me how to exploit a security hole in a program used by one of my web sites. I tried it, the exploit succeeded. I opened up the code, found the problem (and a couple more related to it), fixed them, verified that the exploit no longer worked, and sent a letter thanking the guy for the info.

With closed-source software, I couldn't have done any of this. I'd have had to report it to the code's owners, and try to talk them into fixing it. If they decided to fix it (which isn't guaranteed), it would typically take months, during which time my site would have been vulnerable.

I also sent a description of the exploit, along with my patches, back to the code's author, who sent me a letter of thanks, and a day later I saw the message he'd sent to all his known users announcing the "security upgrade" that fixed the problem. The total time for this was under 3 days, which is orders of magnitude faster than most security fixes from commercial closed-source vendors.

Yeah, unix/linux and other open-source systems are vulnerable. But they're so much better at fixing problems that you'd have to be rather gullible to depend on software that doesn't supply this sort of response capability.

(And yes, I understand that most of the buying public is rather gullible. The commercial world depends on that, y'know. I also understand the argument that most people wouldn't know what to do with source code, but I consider this argument bogus. It means that you deny access to people like me, who are able to understand the code and fix it. I've done this many times during my career. You should be encouraging people like me, by making sure we can get at the code to your software. ;-)

Re:linux

[dkf]

Your argument that open source means faster patch turnaround is becoming somewhat of a straw man as time progresses.

The shortest OSS turnaround that I'm aware of personally for a security fix was on the order of 20 minutes (and the limiting factor there is probably the time it takes people to understand problems, so I don't expect a huge drop below that when people are involved at all).

That said, it was traditionally the case that OSS was better at security and commercial development was better at user experience. There seems to have been more cross-fertilization of approaches over the past 5–10 years though; commercial is improving the security practices (with most of the remaining turnaround time probably now due to different testing regimes) and OSS is improving the usability side. That's Good.

Re:linux

[sneakyimp]

From a security perspective, it's my feeling that OSS is a better starting point if you really want security for the simple reason that you can browse and compile the source code yourself from scratch.

Critical Security Steps

[Synerg1y]

1. Write your own OS, that way the government can't backdoor your OS's manufacturer without prior knowledge.
2. At a minimum flash your motherboard's firmware to something trusted or written yourself
3. Write your own anti-virus
4. Run ethernet wire to trusted locations (make sure it's outdoor grade wire)
5. Install security cameras at trusted locations and filter everything from them via DPI.
6. Surf mass pron off a random trusted location.

Re:Critical Security Steps

[mrmeval]

You should write the OS and firmware in such a way as to mitigate the need for an anti-virus. I'd suggest you use commodity FPGA solutions and load up a system on chip coupled with external DDR3 ram and external GPU for heavy lifting. There's an open hardware solution if you can trust the chip makers. Your OS should run on those fine.

Blocking ingress by anything that can carry a viral payload.

Tempest is your friend learn it, nothing goes in or out without encryption, shield it all.

You can no longer use google for porn that might offend someone somewhere, feel the pain of having to use Bing's superior porn search.

Re:Critical Security Steps

[Ceriel+Nosforit]

You are China.

Re:Critical Security Steps

[Synerg1y]

Pretty much...

Re:Critical Security Steps

[sneakyimp]

Write your own OS, that way the government can't backdoor your OS's manufacturer without prior knowledge.

I'll get right on that...

At a minimum flash your motherboard's firmware to something trusted or written yourself

I've had tremendous success with dd-wrt for my wireless router. Is there any similar such beast for motherboards? Any resources would be much appreciated

Re:Critical Security Steps

[sneakyimp]

What is this TEMPEST of which you speak?

Re:Critical Security Steps

[mrmeval]

https://en.wikipedia.org/wiki/Tempest_(codename)

An example, when I was very young, terribly young learned that the neighbor was watching porn on his TV. By a happy chance they'd wired it up to their antenna and their TV so were broadcasting their porn. With a hand made low noise amp which I had for other reasons I was able to watch. ;)

I was just a throw in to make the paranoids twitch. :-P

I had an IBM tempest certified PC case and keyboard I bought salvage. Massively constructed. The keyboard was very good and very heavy. I sold it to a ham radio guy as it is very good at shielding the PC from interfering with the ham radio setup.

Safe Computing....

...involves condoms on the cables.

There is no security against paranoia

[Peter+(Professor)+Fo]

1 What are the threats? 2 Why do you care? 3 Expose as little as possible 'publicly' with as few people even knowing you have diamonds in your safe. 4 Have 'CCTV' so you can detect intrusions (and possibly a honeytrap) 5 Assume anyone with $$$ to spend technically will first spend $ on more basic intelligence. 6 [This list goes on and on]

Woah... sit down dude.

Breathe into this paper bag. If you still feel dizzy, lie down..

Re:I Don't Use Computers

[Glock27]

Kudos to you AC! Not many of us have paranormal means of posting to /.!

I lie about everything

On the other hand, perhaps there's another explanation.....

lock it down, scan everything

[alen]

lock all your computers down. physically check them before they connect to the network. install DLP and other software to disable all ports. kill any unused port on your switches. allow only approved TCP ports in and out of your network. scan everything with application layer appliances and switches

Re:lock it down, scan everything

[sneakyimp]

Got any suggestions for DLP (is that Data Loss Prevention)? Also, if this comes from a package repository, how do we know it's safe?

At some point there is no escape of trust

[ZorroXXX]

There is no way you can avoid putting trust on something outside your own control, be it the C compiler, firmware on the motherboard or the CPU itself. So what you really are asking is "where should I put my trust level". That depends extremely from person to person and is next to impossible to answer, almost like asking "what car should I buy". You cannot expect good answers to what you ask without providing good indicators about what threats you consider important. However, the slashdot crowd usually does not pay any attention to the original question in any case, so maybe it is not that important :)

Re:At some point there is no escape of trust

[ZorroXXX]

Good point and I agree. There are for instance a few people I would trust telling very personal things although I would never, ever do that over email for instance. There are just way to many ways for such information to leak out in some way, even if the receiving person would handle things perfectly confidentially.

Re:At some point there is no escape of trust

[sneakyimp]

There is no way you can avoid putting trust on something outside your own control

I'm aware of this and did not intend to ask "what should I do" but rather what other folks tend to do. Sadly, most responses here are something like "forget about it" which is decidedly unhelpful. It's like a common sense question is being addressed by Descartes or something. Seems to me there is plenty of good advice that could be kicking around. How about these questions:
* If you ever get thumb/pen USB drives, where do you get them from to make sure they are *safe*
* What settings do you use for your linux package management? Do you trust multiverse? universe?
* Are there any motherboard manufacturers or component manufacturers (or builders of systems) that are particularly detail-oriented when it comes to security?

Sadly, this whole thread seems like a pedantic pissing contest in most respects. There are, however, some informative posts. I'm still looking for a link to the Thompson article everyone keeps talking about.

Re:At some point there is no escape of trust

[sneakyimp]

Thanks for the links. I'll be checking this out. Maybe those dudes have some ideas about security.

set up two systems....

[3seas]

one as a decoy and the other where you have your security.

Mind the mine

[sdinfoserv]

"Do Google and Apple data mine your private mobile phone data for private information?"
Really? You ask that question? Eric Schmidt stated a couple years ago that "Google isn't free- the cost is your information".

Even the US Govt considers your data no longer yours once it leaves your possession. Meaning, no search warrants are required for cloud based data. It's like taking garbage to the curb, it's a free for all.

Not only is your data not secure in the cloud, it's much more attractive target. Little me, "joe smith" is not a target at home, nobody gives rats rump about me... but Google or yahoo or hotmail... that's an exciting target for hackers. If you're data is there, you are now attractive via proxy. They get hacked, your data is compromised.

The problem is, laws haven't in any way kept up with technology. Unfortunately, mega global corporations now generate huge revenue off this broken model.. Thus, in the US anyway, it's now impossible to fix. It takes money to run for office, companies have money, therefore most elected officials are puppets of the corporate world. That's just fact in the US. Laws are not to protect people anymore.. just protect revenue.

Re:Mind the mine

[sneakyimp]

All good points. Perhaps you have some advice about how to protect one's data in the cloud? Encryption comes to mind, but what if your virtual machines are also allocated in the cloud? In this case, the encryption and decryption schemes might also be at risk because they too are in the cloud.

Also, how might one protect one's mobile phone from Google/Apple snooping? I've wanted to put a hosts file on my Android phone for some time but haven't gotten around to it.

Can't answer that without a threat model.

[John+Hasler]

My "computing environment" is quite adequately secure against my threat model which is limited to criminals who might want my secret banking information. Yours might include the NSA or even Bruce Schneier.

Re:Can't answer that without a threat model.

[sneakyimp]

This is a good answer. My threat model would include anyone who wants access to my banking information but also access to anywhere I spend money and ALSO anyone who might want to sniff out my server passwords, etc. I doubt the NSA or Bruce S. care about what I do.

My answer Re:"Secure enough" is "good enough"

[davidwr]

This is about my personal computing, but I would apply the same general principles to other non-critical environments.

What's the worst thing that could happen to my computers? Someone sneaks into my home and installs a hidden camera to catch everything that's on the screen and all keyboard input, AND they somehow install something to log all network traffic and become the man in the middle when they want to.

How likely is this? Unless the feds confuse me with a terrorist and do this with a warrant, it's exceedingly unlikely.

What are some other "high-loss" risks?
* Virus that encrypts my computer and holds it ho$tage
* Virus installs a keylogger that captures an email login, banking credentials, etc. and uses them to impersonate me in a very bad way. "Hi, this is your bank. Your wire transfer to OFFSHOREBANK was processed this morning. This is just a call to remind you of a low-balance fee if sufficient funds are not deposited by the end of the day. Thank you."
* Fire or other calamity that physically destroys my computers, and things a lot more important than my computers.

So here's the big question:

What are the security vulnerabilities I can mitigate cheaper than the "cost" of just not having a network-attached computer at all?

* Fire/theft/physical loss. Mitigated/prevented by backups, casualty insurance, fire extinguishers, etc.
* Theft: Good encryption and good passwords. Pray the thief or his buyer isn't a forensics expert.
* Malware. Mitigated/prevented by backups, low-cost ("$50+tax with $50 mail-in rebate!") security software, "safe-surfing" habits (script-blocking, etc.), 2-way firewalls on the computer and network gateway/router, etc.
* Legal government intrusion: Mitigated/prevented by living in a relatively free country. Cannot be eliminated.
* Illegal/rogue government or ISP intrusion: Mitigated/prevented by living in a relatively free country that can and sometimes will throw individuals responsible in jail. Work on the assumption that this cannot be eliminated.
* WiFi intrusion on my home net: Mitigated by strong encryption and a good pass-phrase and a WiFi Router vendor that I trust.
* WiFi spoofing: Unknown risk.. Other than keeping the password secure and avoiding algorithms that are known to be vulnerable, I don't attempt to mitigate or prevent this.
* Public WiFi hotspots: Compute with care, avoid using them unless absolutely necessary. Prefer my cell phone's "G3/G4" instead of an unsecure or secure-but-untrusted hotspot.
* WiFi- and Bluetooth-based attacks: Turn off WiFi when not in use. Don't allow connections in or out without my permission.
* Backup failure: Test backups. Have multiple backups in multiple formats from multiple points in time.
* File format obsolescence: Have really important stuff in formats that will likely outlive the usefulness of the data. .TXT, TAB- and comman-delimited simple spreadsheets, .GIF and .JPEG images, and some versions of PostScript and PDF files are among the many formats that will likely be easily readable 10 or 20 years from now assuming the media is still readable or that the file has been copied to new media before it became unreadable. Human-readable paper printouts, photographic slides, and photographic negatives are also pretty much immune from becoming technologically obsolete in my lifetime, but they require large amounts of space and a certain amount of care. Paper and especially film also decays over a 10-100 year time frame.

Bottom line:
* If I lose everything I have on my computer, it won't drive me to suicide.
* The very important stuff is backed up in multiple places including offsite and in multiple formats.
* The medium-important stuff is backed up.
* If I can prevent a large amount of likely damage at a low cost, I'll do it.
* If I can't afford to lose it, I can't afford to NOT insure against loss.

Re:My answer Re:"Secure enough" is "good enough"

[davidwr]

Yeah.

Anyone asking a "how can I secure NEW_THING" needs to ask it in the context of this question:

Is your {house|car|child|elderly relative|bank|worksite|road to work|neighborhood} completely secure from harm, invasion-of-privacy, or other loss? How secure is it? Am I okay with that level of security or am I willing to SPEND_RESOURCES to improve security, and if so, what kind of "bang for the buck" am I looking for when I spend my "security dollars" and what will I do if I can't get it?

Move to a Democratic country

[onebeaumond]

and work to keep it that way. Security is a political state, according to most experts (Schneirer et al). And yes, "reducing the size of government" in a democracy means reducing that democracy.

Answers and better questions

"Do Windows, OSX, and Linux have security holes?" Of course they do. A better question is, "Are they likely to have security holes that are known only to malicious actors that remain secret over time?" The usual answer for Linux is "NO WAY READ THE SOURCE!!!@!" In practice, not many people are qualified to review source for bugs, although backdoors inserted into widely reviewed and read code are likely to be detected before backdoors inserted into a code base with few people looking at it. As for backdoors in common OSes in general, the best answer is "probably not." Even without direct access to the source code, behavioral analysis of network traffic should show something's odd. Besides, large conspiracies are hard to keep secret. On the flip side, if your adversary really is the U.S. government or a similarly funded and capable entity, OS security holes in common OSes are the least of your concerns.

"Does Windows supply a backdoor for the U.S. or other governments?" I'm guessing you mean the NSAKEY. Again, network behavioral analysis is your friend in detecting this. A better question is, "Does Microsoft provide a backdoor for themselves?"

"Should you really trust your Linux multiverse repository?" Maybe. A detailed explanation of what happened with the kernel.org compromise a while back was never forthcoming, at least not to the extent that FreeBSD has been with their own recent compromise. A better question is, "Do my adversaries have positive control over [insert resource here] in a way that is undetectable to me and others of [resource] over a sufficient time period to adversely affect my security?"

"Do Google and Apple data mine your private mobile phone data for private information?" Probably. What's "private information" in the context of your user agreement with them for use of their products? Unless expressly forbidden by law or contract (and sometimes not even then), you can expect a company to do what's best for itself. If that happens to also benefit you, great. If not, too bad. Better question: "Does [device] purchased from [company] have the obvious capability of making my data available to [company] should they have an interest in it?" Follow on: "Is it in [company]'s interest to protect my data? If not, is there a way I can make it so, or limit the access [company] has to my data?"

Does Ubuntu's sharing of my data with Amazon compromise my privacy? Maybe. See that part above about contracts, law, and corporate motivation.

"Can the U.S. Government seize your cloud data without a warrant?" In some cases, yes. I'm not completely current on court cases, but I think e-mail left on a service provider's system for >= 6 months can be read without a warrant. I think there's also some provision for mail that's been "opened," too. There have been numerous reports, however, that service providers have provided information to the government upon request, without requiring a warrant. I personally think the telecom industry is all too cozy with the government, and think the telecom immunity bill Congress passed is evidence of that. There are also some interesting correlations, e.g., Qwest was the only large telecom to NOT cooperate with the warrantless wiretaps, and their CEO was convicted of fraud. Better question: "Do I have data sitting around on a system over which I do not have positive control which I should've stored locally or deleted because it was no longer relevant?" Current law is much more protective of personally owned things (where the law agrees that a normal person would have some expectation of privacy) than it does of cloud services (where you have deliberately handed your data over to a third party, thus weakening the expectation of privacy that the law assumes a normal person would have).

"Can McAfee or Kaspersky really be trusted?" Assuming you don't mean John McAfee or Eugene Kaspersky personally, they can if being trustworthy is in their corporate int

Re:Answers and better questions

[sneakyimp]

It's a shame this is an anonymous post as it is so totally thoughtful and reasonable.

I'm not interested in participating in any nation-state-threatening behaviors. I am totally interested in protecting sensitive data related to finances and other totally legal behaviors. I'm also interested in enhancing privacy in any way possible.

I realize the questions in my original post are poorly formulated if I was after detailed techniques and procedures. I am still hoping to construct an overview of helpful behaviors from the construction of a workstation or laptop through to the process of software development in a networked environment. There are a lot of very informative posts here, but also a big bunch of people who think they are funny.

To clarify, the goal is to try and formulate a useful overview of all the facets of computing to try and identify salient threat points and mitigate them. I'd ideally like to realize what major threat vectors are (user actions, hardware back doors, software exploits, etc) and what the overall relative risk is.

Old Questions.... off my lawn!

[TheCarp]

What this gets down to, even starts heading down that path right in the question, was covered by Ken Thompson in the classic paper "Reflections on Trusting Trust": http://cm.bell-labs.com/who/ken/trust.html

There are some good questions in there but, the rathole its starting to go down is not helpful. You need to look at what secure means to you first. What are the use cases for the environment? What does the environment need to allow? What should it not allow? Why? Answer those, and the path forward will become more clear.

Re:Old Questions.... off my lawn!

[sneakyimp]

POW! I've been looking for this oft-mentioned Thompson article. Thank you.

If you're paranoid enough to ask those questions

[Kjella]

If you're paranoid enough to ask those questions, then I'd suggest an air-gapped computer. Anything you want to install on it use a USB stick, so what if it has or installs a backdoor? There's no way to talk to that backdoor anyway. Unless you think somebody is going to create a custom trojan to infect the machine, extract whatever it wants and store it on the USB stick, then upload it to the mothership next time you plug it into an Internet-enabled computer. But if that's a concern you should probably put your computer in a Faraday cage in a vault too, because then you must have a three letter agency on your tail.

Using a separate computer just for on-line banking

[AmongTheBoulders]

I have thought about possibly using one computer just for on-line banking and another computer for everything else. That way the computer that is used for on-line banking would most likely never have been exposed any websites, email messages, or anything else which would be likely to contain malware. The computer that I would use for on-line banking would probably either use Linux or be a Mac.

I would not be 100% sure that that the computer used for on-line banking is clean, but that is probably about the best that I could easily do. I am not an expert on computers or computer security, but that seems like one possible resonable precaution.

My main desktop computer runs Linux, by the way, so if I were ever to add an on-line banking only computer, I would probably choose Linux for it too.

Re:I Don't Use Computers

[pakar]

I lie about everything

Infinite loop detected... failure...

Good grief...

[QuietLagoon]

If you are so unknowledgeable that you have to ask questions like the ones you asked, then the best way for you to compute securely is to use an abacus.

.
No matter how secure the OS is, no matter what security apps you are running; I am sure that you will find a way to bypass all that security and suffer an exploit.

Re:Good grief...

[sneakyimp]

The point of the questions was to generate helpful discussion. Your response reminds me of the computer programmer in the old joke:
Q: Why did the computer programmer get stuck in the shower?
A: The shampoo bottle said lather, rinse, repeat.

A lot of the questions were of course rhetorical. I apologize for not thinking them through more. I thought folks could read between the lines and offer useful information. Some folks have.

security? no.

[swschrad]

any machine that has been used can be compromised. just like your living room, if a thug REALLY wants to get in, they will.

your task, therefore, gentlemen, is to be as frikkin BORING as possible. please to start with best Star Trek captain. nobody will bother you then.

Seriously, this is a good idea for secure ops

[davidwr]

Have a "secure ops" room with a computer that is run off of stock "dumb" batteries delivering the normal voltages delivered by a power supply. Your normal laptop's battery is too smart for the job.

Make sure the room is EMF-proof when the door is shut and locked from the inside. Yes, that includes visible light, so you'll need a battery-operated light source.

Make sure the only input is the keyboard and mouse or equivalent. Make sure the only output is the screen and optionally a printer or equivalent write-only device. Make sure the storage is not only sealed inside the computer but that its contents can be destroyed at the touch of a button AND that the contents self-destruct if the door to the room opens while the computer is powered on. Make sure there is a strong power-on password or other authentication mechanism and that the data storage self-destructs after only a few failed attempts to gain access.

Oh, finally:

Make sure your computer has a "trusted bootloader" that only runs "trusted applications" and that nothing is installed on it that is not needed. Lock down the entire system so seemingly-non-malicious mistakes don't compromise the computer itself in a way that isn't immediately obvious. For example, it's okay if a malicious insider's buggy formula in a spreadsheet gives a mathematically incorrect answer, but it's not okay if that causes the spreadsheet to create a file that grows big enough to trigger a bug in the filesystem that disables the "trusted bootloader" mechanism so the next time the machine boots, someone can run a script that creates an EXE file that logs all future keystrokes for the malicious insider to view and memorize later. Of course, any computer you put in this room will have to be designed and built by someone you trust, using parts designed and built by someone you trust, etc. Alternatively, the computer can be simple enough that you can mathematically prove it is trustworthy.

Re:Seriously, this is a good idea for secure ops

[halo_2_rocks]

I think you are missing the point of disconnecting a computer from the net. By definition it is secure, even if was infected with a virus. All secure environments are designed this way and limit access to the machines secured like this. When people say they were hacked, it is because they are working on machines that are not in a secure environment.

Re:Seriously, this is a good idea for secure ops

[mysidia]

Make sure the storage is not only sealed inside the computer but that its contents can be destroyed at the touch of a button AND that the contents self-destruct if the door to the room opens while the computer is powered on.

Sounds like a built-in security weakness. You're forgetting, that security includes availability, not just confidentiality and integrity. If the system causes your data to become permanently unreadable, then that event is a breach of security, because availability of the data has been compromised.

Re:Seriously, this is a good idea for secure ops

[mikael]

Some military stuff was designed to do that - electronics on fighter planes as well as disk drives. You pulled a tab off, allowing oxygen into the disk drive and that would react with something like magnesium which would rapidly oxide and melt.

Re:Seriously, this is a good idea for secure ops

[sneakyimp]

Make sure your computer has a "trusted bootloader" that only runs "trusted applications" and that nothing is installed on it that is not needed.

So far, this is the only useable response I've seen to my initial question. On the other hand, I did say "truly secure" which is what likely triggered all these useless responses intended as comedy. Garbage in, garbage out. If I could reformulate the question, it might be something more like, "How do you secure a workstation when you know you will be connected to the Internet for the purpose of developing internet-enabled applications?" I was rather hoping for reasonable and practical advice rather than "unplug the computer" or "put it in a Faraday cage" etc. Having asked this question a few different places, it occurs to me that I'm wondering first about one's hardware. I like to build my own PCs from ASUS mobos and other components I buy from newegg. Can anyone suggest any reasonable, practicable procedures to make sure one's hardware is at least safe?

Re:Using a separate computer just for on-line bank

[bmo]

>use an entirely separate computer.

No. You don't have to. If you can boot from a USB port or CD/DVD, use a live read-only OS and boot from it.

An example of it is here: http://www.spi.dod.mil/lipose.htm

You can do the same thing with other live distributions like Knoppix, Trinity, Ubuntu, etc.

--
BMO

Layers

[llZENll]

Layer 1 (most secure): strictest confidential information, for storage purposes only. system locked metal room with no windows and no internet, system locked in cage with access to display, keyboard, mouse, and drive, all data read/written to drive is permanently logged, connected to layer 2 via sneaker-net.

Layer 2: strictest confidential creation and reference. internal LAN only systems, user endpoints are read only and contain no drives or usb. server is in locked room with limited access and contains files accessed by users, as well as user endpoints with write capability, connected to layer 3 via sneaker-net.

Layer 3: confidential creation and reference. internal LAN with write ability to files, temporarily read only network connectable to layer 4 via password.

Layer 4: normal productivity with confidential read access. normal internet connected network, usb and drives on centrally located system controlled by admin, all io logged.

If seriously

[Max_W]

Most often than not computers and servers are intruded by spammers to install spam-sending bots. So, join spam reporting scheme on a regular basis, for example: http://blackhole.mx/ Only human smartness can counter human smartness.

Use at least 2 operating systems, at least 2 browsers, at least 2 office applications, etc. Because if there is one and only one monopoly software or hardware vendor, it is much easier for it to get corrupted. A realistic competition is the best measure against corruption.

You raised serious questions of the civilization's scale. As any serious problem the problem of security can be solved by a systematic work and communication, at least partially. It will always be a running battle between good and evil.

Re:If seriously

[viperidaenz]

Use at least 2 operating systems, at least 2 browsers, at least 2 office applications

So you spend twice as much managing it all?
So you have twice the attack surface?
So you have two OS's exploits to defend against?
So you have two browsers with different security issues to keep patched?
So you have two office suites to fix as well?
So you're a smaller customer to different vendors, so they care less about your complaints?

Please explain how the risk to Machine A is changed by Machine B having the same or different hardware or software.

Re:If seriously

[Max_W]

For example, one OS can be used for work, another for leisure. Or one in the office environment, another in a mobile environment.

The point is to keep afloat both. The fundamental principle of dualism.

Re:If seriously

[viperidaenz]

Can I have what ever it is you're smoking?

Re:Block optical signals with hostfile

[AK+Marc]

That's a silly post. Syn attacks aren't about "security" they are about usability (except for the edge cases where you can syn-flood a computer into a vulnerable state). Security is about data loss or exposure, and a syn flood makes your computer *more* secure. If it's down, you can't lose anything. But nobody can use it, either.

Not too hard..

[nurb432]

1 - Reload all computers that come in the door with *your* load.
2 - Lock down hardware to prevent things like USB from working
3 - GPO ( or equivalent on *nix) .. Lock down the OS users dont need to be installing things. that's your job.
4 - Monitor monitor monitor... Both at the PC level and network.
5 - No BYOD..

Re:Using a separate computer just for on-line bank

[Nethemas+the+Great]

Only useful if you can trust your firmware...

What's a through checklist?

[viperidaenz]

Is it anything like a thorough checklist?

Re:What's a through checklist?

[sneakyimp]

Congratulations, you have passed the Turing test.

Re:What's a through checklist?

[viperidaenz]

But am I a human or AI?

Re:erroneus (253617) FatASS needs PIZZA

[Nimey]

Your trolls are an enormous waste of time, but I still laughed because of your devotion to duty.

Re:I Don't Use Computers

[dkleinsc]

I lie about everything

On the other hand, perhaps there's another explanation.....

That's no explanation, because he'd clearly have to be lying about lying about everything, but that means he's telling the truth, but that means he lies about everything, but that means .... *does not compute* *does not compute* *head explodes*

Reasoned Paranoia

[bobdehnhardt]

You have to start with the position that no OS, network, or configuration is ever going to be 100% secure. If the system is accessible by someone via some means, it has at least one vulnerability.

This is why blanket questions as asked in the original posts are worse than useless. Asking is certain OSes have vulnerabilities (they do) is a waste of time. Looking for bogey-men like government backdoors or vendor/service providers is equally useless: either they exist and you can't do anything about them, or they don't and you're worrying about nothing.

But the biggest problem with blanket questions is that they lead to one-size-fits-all thinking. And with designing a secure environment, there is no one size that fits all. What works perfectly is one environment is a huge overcompensation in another, and woefully inadequate in a third. You have to look at your specific environment, including business processes (involving humans, not just electrons), resources, physical environment, everything. If you're considering setting up security, don't think in terms of "secure computing environment", think "secure environment." Limiting your scope to the computing environment only introduces blind spots (vulnerabilities).

I call this reasoned paranoia for two reasons: it serves a distinct purpose, and it stops short of tin-hat thinking. Your approach needs to keep what you can do as the focus. You can't close government backdoors, if they even exist. You can't stop hackers in Pyongyang from probing your firewall. You can't close (or even know about) every vulnerability that currently exists in your environment. But you can understand that they are there, take reasonable steps to close or manage the ones you know about, and have plans in place to respond when new ones are discovered or exploited.

Need a safe computer?

[na1led]

Find a used Commodore 64. Doubt any virus could fit in memory.

Ultimate security?

[Fellon]

Place computer in a blast furnace. Toast until all metal is in a liquid state. Poke with stick until computer no longer resembles computer. Allow to cool. (preferably with liberal application of cold water) Transport left overs to a old witches graveyard. Bury under the light of a full moon. Giggle about HOSTS files as you walk away.

I'll quibble with that definition

[davidwr]

A computer that is infected by a virus where the VIRUS ITSELF leads to output that is not a result of operator input + the programs the computer is designed to have on it may be "secure" in a narrow sense of the word, but not in the broader sense of the word.

Let's suppose that instead of STUXNET infecting the Iranian computers that were connected to the centrifuges through social engineering and/or USB memory sticks, they had been deliberately infected at the computer-manufacturing factory or during initial setup, before they were attached to the centrifuges.

While it is true that they would not in turn infect other computers outside of their "secure network," they would still not be trustworthy and therefore, in a broad definition of the word, they would not be a "secure computing device."

Re:I'll quibble with that definition

[halo_2_rocks]

That is a real stretch. STUXNET was designed and targetted at a specific environment. It was much the same as if someone broke in the facility and uploaded the virus themselves. It was only transmitted because of a break-down in security procedures. The designers knew about this vulnerability. An unsecured device was used much as a network device to transmit the virus. Most secured environments do not allow that to happen. I've worked on secured development and production environments (in fact, I have one I work on now) and know absolutely that they are unhackable other than by using very sophisticated means that is generally outside the means of most people other than countries. Of course, a country could use people to break into the facilities, have the resources to study the security procedures and assess vulnerabilities, and hack the machines to obtain the information or damage the facility. It just is rare and that is what makes these environments secure - NOT INVULNERABLE.

Re:Answers

[viperidaenz]

Can anyone recommend a through checklist or suggest best practices?
Step one: Put someone else in charge of security

Step two: Make that someone else liable for security breaches.

Re:security? no.

[viperidaenz]

That's why part of my home security system is a 70kg (150lbs for you yanks) CRT TV. A burglar would steal my neighbours LCD before they steal my antique.

Some custom design needed

[Casandro]

First of all start with parts which are proven to be reliable. For example Linux or OpenBSD.

Then think of your security risks. What is your problem. Do you not want your data to get out? Do you want to provide services even if the world ends? Thos are all different kinds of problems requiring different solutions.

Then get your processes straight. How do you install software? If it's google X free download, click on the first link and download it to install it, you might want to re-think them. Who has access to the machine.

Then make your system as minimal as possible. Don't install any services or software packages you don't need.

Then, and perhaps actually earlier, how is your physical security. Do you have multiple armed guards to prevent the attacker from entering? How secure are they against social engineering?

If that seems overblown to you, just get your average Linux distribution (like Xubuntu) and install it with software harddisk encryption. That should be good enought.

Re:Using a separate computer just for on-line bank

[bmo]

Then you know what?

Don't use a computer. Ever. If there is no end to what you can trust, not even a computer encased in concrete at the bottom of the Challenger Deep is enough.

Your response is ridiculous.

--
BMO

get psychiatric help

[onyxruby]

You don't need computer security, you need psychiatric help, seriously. I've known people with paranoid delusional conditions before. Talk to to Psychologist about getting help and make sure you take care of your mental health. You really, really, don't want to end up on the street where your mental health spirals out of control.

If your not willing to work with that than I suggest you keep a few practical thoughts in mind:

The FBI doesn't care about your porn habits unless they involve underage kids.
The CIA could care less about you unless your working on behalf of a foreign government and even then probably not.
The NSA consider you a civil matter.

If your in another country simply substitute your local government agency for the right one.

Frankly if you were working for anybody that the CIA, NSA etc actually cared about you would be getting professional advice from your employer, and not by asking Slashdot. You sound like a young person thinking about becoming a script kiddie or someone with delusion of prosecution over warez trading and porn surfing. The comment is quite sincere, you need to seek help from a mental health professional.

Re:get psychiatric help

[colordev]

I don't like your diagnose, doctor. Here's a second opinion. OP asked a valid "nerdish" question. And OP could be doing any number or projects that may require keeping information "safe enough". For example he could be helping out a dentist or a lawyer with safe-guarding some patient records or legal documents. Or OP may self have a need to design an ad for a new product or write a patent application - without having some unspesified FEAR of texts or designs possibly leaking to pastebin or hacker forums.

A couple of months ago I needed to write a patent application and probably faced the same kind of "safe enough" need as the OP. My solution was to temporarely have a non-networked XP just for writing the damn thing. As the patent application has now been filed and I know the process was "safe enough", I can contact any angel investor or VC and without "FEELING" any (unreasonable) uncertainty over possible leaks that may have happened.

Re:get psychiatric help

[onyxruby]

I take it you have never known someone that has paranoid delusions in your life. If you had experience with something like ADHD and met someone that was suffering for it you may well take a moment to talk to them about it. There's nothing funny about someone suffering from mental illness and not getting the help they need.

This wasn't a 'nerdish' question, this was someone who was so naive as to get people to start talking about making your own CPU's etc, etc, etc.

A 'nerdish' question along the same lines might have been something like:

"which OS is best for a live boot environment for internet cafe's? I need to travel and want to make sure my bank account doesn't get hacked. I know a little bit about Windows, however I'd love to try a Linux distro to learn something new."

That would have limited scope and you would find many people on this site who would happily answer a question like that with legitimate answers with a small fraction of the mocking of the poster.

Re:get psychiatric help

[bill_mcgonigle]

The FBI doesn't care about your porn habits unless they involve underage kids.

Maybe he's an Occupier.

A reasonable compromise

[nut]

I'm going to assume that this is a serious question, if slightly fuzzily worded. And that what you want is the best security position that is practical, and still have a computing environment that is useful to you.

So this is going to draw some fire I suspect, but maybe start by reading the PCI DSS Data Security Standard and apply as much as possible of the practical stuff to your environment.

PCI DSS has its issues and its critics and is most definitely not perfect. But it is an attempt by a group comprising of all the major credit and debit card brands to define how to secure a computing environment that is connected to the internet and contains sensitive information.

A lot of it won't be relevant to you. But if you're not trying to achieve compliance, you can throw out the bits you don't need.

Re:A reasonable compromise

[sneakyimp]

Thanks for your thoughtful response

I've read (and re-read) that and it is in part what has launched this paranoid post in the first place. I find the terms used in that document pretty vague -- and wonder if the jargon therein has more specific meanings that might be defined elsewhere. I was tasked with implementing a PCI-compliant payment page on someone's website to be hosted in the rackspace cloud and rackspace customer support discouraged the implementation of such applications on their Cloud Servers because they are "not PCI compliant." I was never able to get a satisfactory answer as to why they were not and thought it wise to begin exploring security features starting with the hardware.

Yes.

[neoshroom]

Do Windows, OSX, and Linux have security holes?

Yes.

Does Windows supply a backdoor for the U.S. or other governments?

Yes.

Should you really trust your Linux multiverse repository?

No.

Do Google and Apple data mine your private mobile phone data for private information?

Yes.

Does Ubuntu's sharing of my data with Amazon compromise my privacy?

Yes.

Can the U.S. Government seize your cloud data without a warrant?

Yes. (The U.S. government can do anything. Your only recourse if they do something wrong is to sue them. Suing them typically takes years of time and hundreds of thousands of dollars for you. Thus, in a practical sense no one really has any firm rights any longer because the system in charge of correcting breaches to those rights is not accessible or swift for an average citizen using it.)

Can McAfee or Kaspersky really be trusted?

No.

Naturally, the question arises of how to establish and maintain an ironclad workstation or laptop for the purpose of handling sensitive information or doing security research. DARPA has approached the problem by awarding a $21.4M contract to Invincea to create a secure version of Android. What should we do if we don't have $21.4M USD?

Use FreeBSD or other extreme minority operating system.

Is it safe to buy a PC from any manufacturer?

Not any, but likely most.

Is it even safe to buy individual computer components and assemble one's own machine?

Again, usually it would be. It seems like software is typically the vector of attack. Hardware much less often comes with built-in vulnerabilities.

Or might the motherboard firmware be compromised?

Less likely than the OS, but remotely possible from some manufacturers.

What steps can one take to ensure a truly secure computing environment? Is this even possible?

Don't connect your computer to the Internet. Even if the OS is hacked, the motherboard firmware is hacked and the hardware itself is hacked, it doesn't matter if nobody can access it but you.

Can anyone recommend a through checklist or suggest best practices?

http://lmgtfy.com/?q=secure+hardware+and+software+computing+checklist

__

Re:Yes.

[s.petry]

Is it safe to buy a PC from any manufacturer?

Not any, but likely most.

Is it even safe to buy individual computer components and assemble one's own machine?

Again, usually it would be. It seems like software is typically the vector of attack. Hardware much less often comes with built-in vulnerabilities.

Probably not at all, and it's one of those things I have spoken about for 2 decades. What we see in software attack vectors is just because it's easy and known to be easy. Outsourcing our hardware manufacturing to overseas has opened new doors to hardware compromise. This is in addition of course, to what your own government injects as back doors in to hardware.

Think of the simple: All NIC drivers see a specific code in a buffer and shut down. Do you realize how much damage this would cause if lets say China decides to hit the US with a cyber attack? Worse, all your CPUs go into overclock and burn themselves up, mother boards draw too much power and burn up. This of course could cause fires, as well as the obvious damage to the computer.

Thing is, we simply don't know what has been done to hardware. Just because you don't see hacks does not mean that they are there, just that you have not seen them.

Does that mean you should live in a shoebox? Hardly, at least in my opinion. Business as usual until something happens, no reason to live paranoid. But expect that even the hardware you buy opens back doors, fails, or starts fires if someone so wishes. Nope, I have no trust for anything under "government" control.

Re:Yes.

[Cyrus]

Consider Thompson's seminal paper on trusting trust. It is possible to conceive of embedding a backdoor in the software that translates your high-level UART design into layed out gates, P and N junctions, connections, etc., with the addition of a hardware backdoor that activates on a sequence of bits traversing the circuit. With a circuit of high complexity it might plausibly go unnoticed. Possibly it would be within the capabilities of nation states. Easier to envision for certain classes of hardware, but certainly a very hard problem. If you have the skills to write a recognizer for a hardware UART, that can add a backdoor, could you please also also write an agent that could Do What I Mean as I code my programs? :)

Re:Yes.

[Jherico]

Excellent summation. A more concise version can be found here, from whnce this quote comes:

I am regularly asked what average Internet users can do to ensure their security. My first answer is usually, "Nothing--you're screwed."

Re:Yes.

[Jherico]

Whoops.... that should have included this link: http://www.schneier.com/blog/archives/2004/12/safe_personal_c.html

Re:Yes.

[solidraven]

Testing software will capture such things easily if you're looking for it, if that isn't a distinguishing sequence then nothing is. And adding it in at the transistor level netlist would also be noticed easily. We don't really trust synthesis software so we often run programs that do reverse operations on it to extract parasitic effects and errors from the generated layout. If your RTL description doesn't match it'll throw a bucket load of errors at you. Design verification tools don't like such things... Combine it with hardware testing and you notice it's hard to slip in things unnoticed.

Re:Yes.

[Lorens]

All NIC drivers see a specific code in a buffer and shut down.

Not good enough. A nic driver that sees a specific code in a buffer, for the next hour sets that specific code in all subsequent packets passing through, and then shuts down after having fried the motherboard. Cue chaos.

Re:Yes.

[s.petry]

Who said it was easy? I never even insinuated a complexity level. It was recently suggested that MS had some government agents building in back doors in to Windows, which is how Stuxnet and flame were hitting Iran. Those back doors are anything but simple. Considering the lengths they are going to to muck with an OS, you think it's impossible for them to muck with hardware design? Think again.

Re:Yes.

[solidraven]

You have easy and just plain impossible without cooperation.

It's one thing to mess with a closed source operating system and hide something in millions of lines of code (even though I doubt Microsoft put in flaws intentionally). A hardware design on the other hand is very strictly designed, especially when it comes to complicated high speed logic like a processor or PHY. Any addition of logic will be noticeable. I just find it funny you assume you can do this automatically. We have trouble writing software that differentiates between several things as it is. A bus we can sometimes detect based on it being defined as a vector structure in HDL. Clocks are easy enough. But beyond that it gets tricky, especially if you wish to hijack I/O. You'd have to figure out a way to get to the bond pad without it being noticeable.

And assuming you avoid messing with it at the design level and somehow hijack it when it's on the way to the foundry. It's another thing to mess with a stack of masks that need to be made on special machines that are fairly rare and take ages to do their work. The mask set costs a few million euros. If somebody is caught messing with those... Nobody is going to be very happy about it.

Re:Yes.

[s.petry]

You have injected twice now that I stated it's easy, trivial, or simple to build a hardware hack which is absolutely not true. Is your point that you think building in hardware hacks is impossible? It's not impossible, and that fact has been proven over and over again.

Let me clarify a bit. Would it be harder to modify a CPU as opposed to adding logic to a board? Obviously the CPU mod would be much harder. Adding a sniffer circuit to a board is not impossibly complex. When you no longer control manufacturing, do you think it's impossible that it's done?

Now a valid argument would be that it would require a lot of resources to accomplish. Governments have those kind of resources. This is not about "you" hacking a component or two on to a board, we are talking about a few million dollars of research being able to do this.

Re:Yes.

[sneakyimp]

I like the tone of this post. Some nits to pick:

Yes. (The U.S. government can do anything. Your only recourse if they do something wrong is to sue them. Suing them typically takes years of time and hundreds of thousands of dollars for you. Thus, in a practical sense no one really has any firm rights any longer because the system in charge of correcting breaches to those rights is not accessible or swift for an average citizen using it.)

It may not cost you hundreds of thousands of dollars if you can get the EFF or the ACLU on your side, but you are basically correct. Do you have any advice about how to secure data loaded into the cloud? Obviously, encryption comes to mind, but it would be helpful to have some discussion about techniques. If you are using compute instances allocated by a cloud (e.g., Amazon EC2 or Rackspace, etc.) then the means of decryption may also exist in the cloud which doesn't provide you any protection. Got any tricks to share?

Use FreeBSD or other extreme minority operating system.

I've seen numerous people recommend FreeBSD. What's so special about FreeBSD that makes it more secure than anything else? Keep in mind that OSX is based on FreeBSD so the "extreme minority" concept may not apply to it.

Not any, but likely most

Do you have any detail to back up your assertion that it is safe to buy a PC from any manufacturer? From what I've seen, DELL and HP and Gateway and various other PC builders load every system up with crapware -- that doesn't sound particularly secure to me.

Again, usually it would be. It seems like software is typically the vector of attack. Hardware much less often comes with built-in vulnerabilities.

Got any backup? I find your comment encouraging but unless it's backed up with some sources, I'm inclined to be skeptical.

Thanks for your comment.

Re:Yes.

[sneakyimp]

While some might call you paranoid, I appreciate the pragmatism expressed in your post. I agree that we shouldn't live in a shoebox. Is there any way that we can begin to rank the security of hardware vendors? That no such "trust ranking" exists seems surprising to me. It's one thing to damn all the risk involved, another to suggest solutions.

Re:Yes.

[sneakyimp]

I think this post contributes a lot to the discussion -- especially your point about it being difficult to even get an IC working. A couple of things occur to me:
* The designer might be the one attempting to insert the exploit
* Most folks are not circuit designers and could not make heads or tails of the circuit diagram or the circuit itself.


I would agree that building an exploit into hardware sounds really tough and expect that it would be easily detected as a large ROM on the IC. I further agree that firmware/software are much more likely to contain an exploit. Is there any way we might quantify this relative risk? Or establish some criteria to evaluate the trustworthiness of a hardware manufacturer? You may recall this link from the original article:
http://www.cnbc.com/id/49032374/Computers_in_China_Sold_PreInstalled_With_Malware_Says_Microsoft

Re:Yes.

[sneakyimp]

I'm not sure I follow your post exactly. I'm guessing that you are talking about the futility of using software to scan for exploits in a circuit design. And yes, it might be hard to find an exploit in a circuit design that has billions of transistors. It would be nice if we could at least come to some understanding of the relative risk of software exploits vs. hardware exploits. I think we'd all agree that software exploits are much more common. On the other hand, a nation state with the resources of the US or China might be able to hide an exploit in the 1.2 billion transistors on an 8-core chip.

Who watches the watchers?

Re:Yes.

[sneakyimp]

Any addition of logic will be noticeable.

Noticeable by whom? When a chip arrives at your door, it could be delivered by anyone -- and to inspect the circuitry would require you to take the IC apart, wouldn't it?

I think it's entirely reasonable to question whether one's CPUs are safe or not -- and this is what I meant to do in the original question. What I was hoping to learn is how we might assess this risk and develop steps to mitigate or avoid the risk e.g., by choosing certain manufacturers or by funding experts to validate circuit design.

Re:Yes.

[sneakyimp]

Thanks for the link! Schneier is the man.

Re:Yes.

[neoshroom]

I like the tone of this post. Some nits to pick:

Yes. (The U.S. government can do anything. Your only recourse if they do something wrong is to sue them. Suing them typically takes years of time and hundreds of thousands of dollars for you. Thus, in a practical sense no one really has any firm rights any longer because the system in charge of correcting breaches to those rights is not accessible or swift for an average citizen using it.)

It may not cost you hundreds of thousands of dollars if you can get the EFF or the ACLU on your side, but you are basically correct. Do you have any advice about how to secure data loaded into the cloud? Obviously, encryption comes to mind, but it would be helpful to have some discussion about techniques. If you are using compute instances allocated by a cloud (e.g., Amazon EC2 or Rackspace, etc.) then the means of decryption may also exist in the cloud which doesn't provide you any protection. Got any tricks to share?

You are sort of personalizing the question to me, whereas I'm just using common sense. I don't have a particular care for security myself. For example, unlike most others around me (who are often completely untechnical) I don't even bother with a passcode on my smartphone. Well, that's not entirely true. I have enough of a care for security that I don't want to get a virus or malware, but I already use a minority operating system, so I don't get them. I also don't want people to gain easy access to my systems, so I use a decent password on them. Problem solved for me, but I'm just doing the equivalent of locking a door. The poster has a whole different level of security in mind.

So, again, I don't have any personal tricks, only ideas. If you want to encrypt data in the cloud used for computing one option would be homomorphic encryption, but it is more of an idea itself than a workable product. Slashdot ran an article on it previously:

http://tech.slashdot.org/story/10/06/11/2056235/the-beginnings-of-encrypted-computing-in-the-cloud

A more practical idea would be messing with the encryption key in clever ways. For example, you could store a encrypted key on a 3rd party site and only allow access to it from a specified IP range. Therefore, even if your application was stolen and all its data, that application run on another machine still couldn't access the key.

Truly, there aren't any great solutions because someone getting access to your cloud data is like someone rooting your home computer if your data was on your home computer. It's like saying "How can I secure my home data while a hacker has remote root access to my computer." Really, you can't.

Use FreeBSD or other extreme minority operating system.

I've seen numerous people recommend FreeBSD. What's so special about FreeBSD that makes it more secure than anything else? Keep in mind that OSX is based on FreeBSD so the "extreme minority" concept may not apply to it.

Most OS X hacks rely on the stuff built on top of BSD, not BSD itself. One of the big ones this year used Java vulnerabilities. That said, FreeBSD is a fairly security-conscious operating system and is a minority operating system. Hackers, both professional and script kiddies, tend to use known toolkits and so using a computing environment that is not mainstream is generally advantageous for security. It doesn't need to be FreeBSD.

Not any, but likely most

Do you have any detail to back up your assertion that it is safe to buy a PC from any manufacturer? From what I've seen, DELL and HP and Gateway and various other PC builders load every system up with crapware -- that

Re:I Don't Use Computers

[LordLimecat]

Does lying require falsehood, or merely an intent to deceive?

This is easy.

[Lumpy]

no physical access to the computer. it's in a locked case. Network is isolated and also locked up, running the network cables inside metal conduit is a plus, any long runs MUST be fiberoptic in armored cable if they exit the secure building or room and then the data traversing it must be encrypted.

No internet access at all. no local storage at all. All storage is on the server in encrypted volumes. No you cant print, no you cant save to a disk or anything but the server.

Final step, do what lockheed does. LCD screens have no polarizer on them. you must wear polarized glasses to see the screen. PLUS you have a 3m privacy filter on each screen.

you want email, you use your lower security computer that is outside the secure environment.

100% hacker proof unless they are able to compromise an employee that has access to the server room where the only place you can get a copy of the data is located.

Re:Using a separate computer just for on-line bank

[AmongTheBoulders]

Yes, booting from a LiveCD is another good alternative. But even if I used a Live CD, I would prefer to run it on a separate computer, so that I would not have to reboot everyday just for checking my online banking. Unfortunatley, that would actually require two reboots every day, once to boot up the live CD, and once to bootup back into the version of Linux that I normally use at home. Instead, I would prefer to leave my normal desktop computer running and then just boot up another computer with the live CD whever I need to use it.

If I ever actually do that, I might use a liveCD, or I might just install Linux on the banking only computer instead. If I were to unplug the hard drive, I could then probably assume that any ordinary Linux liveCD then had the extra security of being a read-only OS, although, Linux installed on the hard drive would have had more recent updates, including security updates.

I had not heard of the LPS-Remote Access liveCD that you mentioned, that sounds like a very good choice.

Back in 2009, Brian Krebs wrote these two articles that suggesting that small to medium-sized companies who lack fulltime IT/ security staff, use a Linux liveCD if they do online banking.

• E-Banking on a Locked Down (Non-Microsoft) PC
• E-Banking on a Locked Down PC, Part II

OpenBSD

[fatalexe]

Read the all the docs. Install from CD. Don't panic.

It's easyer than you might think

[V!NCENT]

If this is about a critical, large budget kind of thing, then this is so secure that I dare to claim that it is perfect, even though it theoretically is not.

1. Get some general hardware, supported by Coreboot;
2. Examine the code of Coreboot, then compile with a compiler release that is way older than the hardware;
3. Examine a microkernel codebase, newer than the hardware, then only compile what you need, simply because unneeded codepaths that are connected to other code can lead to a theoretical exploits;
4. Encrypt network communications, then bitflip for corruption, and include random noice (Rubberhose File System style);
5. Run a whitelist network packet checker, like Mandatory Acces Controll profiling, for communication.
6. Write application for functionality of computing device, compile for other CPU architecture, and emulate on CPU emulator lib.

Should be good enough, no?

Re:Using a separate computer just for on-line bank

[Nethemas+the+Great]

No, the notion of "secure" computing is ridiculous. The U.S. DoD is on both the giving and taking end of firmware exploits which made me smirk when you mentioned LPS.

On a side note. Has anyone ever mentioned to you that you come across as having a bit of a belligerent personality?

Re:the linux repositories are pretty good

[WaffleMonster]

There's no perfection to be found anywhere, but you can be about 10000X safer on Linux than on Windows

Are you sure it is 10000x and not 100000000x? How does one go about calculating the proper number of zeros?

There's a huge variety of software in the repositories and any malicious software would be quickly removed

It often takes people years if ever to find innocent bugs and remove these defects... yet whenever your faced with an advasary who has intentionally hidden an expliotable defect then of course it will be detected...and quickly where the innocent bugs have not...yes...sure... of course... this makes perfect sense.

Is this perfect? Of course not

Is this gyberish? Of course it is.

But it's WAY WAY better than the situation on Windows where people install random malware to see "dancing bears"

Are you saying it is not possible for users to install random malware to see dancing bears on a linux machine? If a user downloads and runs a linux program... does it not execute?

or where Windows will auto-run executables just because you put a USB key into your system. Seriously microsoft, WTF?

Seriously Linux... WTF?
http://www.youtube.com/watch?v=ovfYBa1EHm4

And I won't bother asking what happens when that random USB key emulates a HID device and opens its own shell.

So, set up a Linux machine, don't run javascript from web sites unless it's a well known trusted site like your bank, only use software from the repos, and you'll be secure for most practical purposes as a "normal person" who isn't the target of the KGB or something.

Being a "normal person" is no fun. I thought the whole point of TFA was cloak and dagger on the cheap?

Security is a Process

[ndrw]

I see that many comments have done a good job pointing out the paranoid mindset of the questions in this post. It's true, if you're absolutely worried about hiding your data from the FBI, CIA, and NSA, you are either doing something so illegal that I don't want to help, or you are delusional and paranoid. However, reading between the lines, I think you've just seen too much FUD about security. If you really just want security that's "good enough" then you can get it by following some of the simple best practices. Here's some things that have been found to help in most environments:

1) Passwords are pretty good. Use a different password (fairly long, somewhat complex) on each different site and use a password manager (put that on a non-networked system if you're concerned), instead of trying to memorize dozens of different passwords.
2) Separate important and unimportant systems - if you have an online banking account, don't access it from the same machine you surf the web for "warez" on.
3) Use virtualization technology to "sandbox" dangerous activities. If you're researching viruses or malware, or browsing unusual web sites, do that in a virtual machine with snapshots. Destroy the virtual machine or restore to a "known good" configuration frequently.
4) Turn on firewalls, run anti-virus, and use registry/configuration cleaners frequently. If you're blocking any inbound connections to your network, you're safer. If all files you download are scanned, you're safer. If you regularly scan for known exploits and malware, and remove infections or destroy the system, you're safer.
5) Use encryption for sensitive information. Full disk encryption on your traveling laptop would be a great start. Use disk or file based encryption on sensitive documents, and ALWAYS use SSL when transmitting over open networks (that means ssh instead of telnet, FTPS instead of FTP, etc.). Encrypt backups as well as primary data.
6) Keep your systems reasonably up to date and follow recommendations from your software vendors about best security practices.

I'm sure there's a thousand other tips that would help, but you're not paying me, so this is where I'll stop.

10 for style, 2 for brains

[TiggertheMad]

Um...clever hack, but should you really be bragging about bypassing a DoD security procedure on a public site with a registered login? If you were a civilian contractor, I would guess that sort of thing would probably be a Federal offense. Don't they come down ever harder on people caught doing that in the service? IANAL (civil or military), but I think that you should probably stop talking about this, like forever.

Re:10 for style, 2 for brains

[Sparticus789]

I still have the signed orders from the Commander, locked in a safe in an undisclosed location with other various pieces of interesting information regarding that same person. I'm no longer in, and I would have no problem seeing that Commander get in trouble.

And really, was it a hack? I was authorized to use the system, I only replicated the original function and intention of the server's web pages. Only a complete dolt like a news reporter would call that a hack.

Re:10 for style, 2 for brains

[jc42]

Um...clever hack, but should you really be bragging about bypassing a DoD security procedure on a public site with a registered login? If you were a civilian contractor, I would guess that sort of thing would probably be a Federal offense. Don't they come down ever harder on people caught doing that in the service? IANAL (civil or military), but I think that you should probably stop talking about this, like forever.

Unfortunately, you're probably right about all that. And that by itself tells us all we need to know about the actual security of such systems. There's an old tradition behind the "shoot the messenger" approach, and anyone with a bit of intelligence knows what it implies for security.

But it's not just a DoD problem. I've heard it describe by a number of "security consultants" as management not wanting to be told whether their systems are secure, but rather wanting to be told that their systems are secure. This attitude is rampant in most human-run organizations of all sorts, not just government agencies.

In any case, the security folks have often told us that binary-only software should always be treated as insecure. If you want any sort of security, you only install software for which you have the source, and which you've compiled yourself. And yes, this includes the compilers. (And yes, I've read Ken Thompson's classic article on the topic. If you haven't, you don't understand software security. ;-)

Re:10 for style, 2 for brains

[sneakyimp]

In any case, the security folks have often told us that binary-only software should always be treated as insecure. If you want any sort of security, you only install software for which you have the source, and which you've compiled yourself. And yes, this includes the compilers. (And yes, I've read Ken Thompson's classic article on the topic. If you haven't, you don't understand software security. ;-)

This sounds reasonable. Do you have a link to the Thompson article?

Take a CISSP to llunch

[mbstone]

There's not enough information in the OP's question. Is this a home or business environment? What do you want to protect? What do you perceive as the most likely threats? As to your questions about snoopy corporations and government agencies, do you have a particularized reason to be paranoid about such things, or are you merely a concerned citizen? I would start with NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems. You could also watch "Privacy Is Dead, Get Over It."

Re:Block optical signals with hostfile

[postbigbang]

Syn attacks might cause a buffer overflow and a root, but it's unlikely. It depends on the genre of the TCP stack, what service is being slaughtered in the stack, What it does do is chew up resources.

A Syn attack is just as much of a security issue as not parsing get/posts and blowing up an httpd. The job is to take someone offline or crash them intentionally, or root them, or make them cough data (that might be resold). Any DoS attack is a security problem because an asset is removed from production.

Syn attacks are indeed about security, just vastly less likely to make data vulnerable. There are theories about using other kinds of attacks to take down BIND or the DNS Services of Windows Servers, but that's a more onerous kind of attack.

Re:Using a separate computer just for on-line bank

[bmo]

"No, the notion of "secure" computing is ridiculous"

Security is a spectrum from "totally promiscuous and do anything to this machine" to "no, you can't even turn it on, and if you do, it will cost you your life" kind of horror-show.

Sane people, when they talk about secure computing, talk about something in the middle. The insane say it's an all or nothing false dichotomy. These are the same people who implement stupid password policies as administrators that ultimately result in the recycling of insecure passwords,for example.

>me being belligerant

Only because I've been around the block a few times and spot nonsense easily. Like this "not being able to trust the firmware" stuff.

If it comes to the point where you can't trust the firmware, then you have either become clinically paranoid, or you have angered the wrong people. In either case, you are royally screwed and have much larger problems than simply being able to visit your bank's website securely.

--
BMO

Re:security? no.

[PTBarnum]

I can see that a 70kg TV would make an excellent home defense system. Just suspend it above the door and rig it to fall on anyone who opens the door without disarming the trap first.

Re:I Don't Use Computers

[Glock27]

Clearly you are no master of fuzzy logic! In this case "I lie about everything" means "everything but lying about everything".

See, it's simple!

Qubes OS

[RR]

I can hardly believe that, so far, nobody mentioned Qubes OS.

In the theoretical sense, security is possible. It's just very hard. Especially if you want to spend your time doing something other than building a secure computer system.

In practice, most people live with a reasonably amount of security by installing a reasonable alternate OS such as Debian, not installing unnecessary software such as the Java plugin, and regularly installing security updates.

But if you really want security, what you should be doing is isolating, isolating, isolating. If a program has no business using a resource, then it should not be possible for it to access that resource. Qubes is one attempt to do this while preserving application compatibility, by having applications and services isolated to their own virtual machines. Even the network card drivers are in separate virtual machines.

For maximum security with Qubes, you really need a processor with support for VT-d, such as a selected subset of Nehalem and better processors, but the AppVM security mechanism at least should work.

Re:Block optical signals with hostfile

[AK+Marc]

Resiliency is about staying up when you want it up. Security is about securing information from leaks or equipment from intrusion that would increase the likelihood of future breaches. There is a natural tug o' war between security and usability, and preventing syn attacks (presuming there is no resulting overflow or process crash allowing for breaches) is about usability, and unrelated to data loss.

I don't consider uptime a security issue. I understand that's not a popular opinion, but lumping usability and security together confuses people as to what good security is, so I separate them out at all times.

Re:Block optical signals with hostfile

[postbigbang]

Which I believe your central fallacy is about. Systems produce work that serves a purpose, most often: making money.

When a system is unavailable, it's not doing work, probably not making money. Data also has an asset value, we'll both agree. Data theft is but one security problem, albeit a large one. Pushing systems offline or tying them up in DoS attacks of any kind, is also production loss.

There are many ways to foist an attack, and a few ways to get around them, depending on the nature of the attack. But security covers all that I've mentioned, and usability is an element of return on investment-- along with the cost of data acquisition and its intrinsic value both stored and lost (which are two different valuations).

Good security methods consider the productivity of the system as its ongoing ROI, and the asset value of the data in the same way that a profit/loss statement is different than a balance sheet. Both are differing views of the investment and its return, and the value of its assets. Security covers all of this, this is not confusing. Attempting to abstract leaks from intrusions are security disambiguations, as resiliency is a characteristic of the production, not the asset value of data processing.

Re:Answers

[egcagrac0]

Insightful

Ken Thompson's Trusting Trust

[utkonos]

Read it over. Understand it:
http://cm.bell-labs.com/who/ken/trust.html

You must decide what you trust unless you wrote it all yourself and built it yourself. You must also acknowledge that the system is insecure and work backwards from that trying to mitigate any damage and minimize risks.

Stability

[tsa]

I make sure I have a nice room with a more or less constant temperature and humidity, a sturdy table to set the computer on (I have an iMac) and a good chair to sit on. I always close the windows and lock the doors when I go out of the house. That's all I can do to make my computing environment secure.

Re:Block optical signals with hostfile

[AK+Marc]

Good security methods consider the productivity of the system as its ongoing ROI, and the asset value of the data in the same way that a profit/loss statement is different than a balance sheet. Both are differing views of the investment and its return, and the value of its assets. Security covers all of this, this is not confusing. Attempting to abstract leaks from intrusions are security disambiguations, as resiliency is a characteristic of the production, not the asset value of data processing.

Resiliancy is there to allow gains, security is there to prevent loss. That they look the same from the abstract level, and often have overlapping detail (a SQL injection attack would be able to do either or both, as would a rooting). But in practice, they are handled differently, from what I've seen. Some places put nines ahead of security (except where security overlaps availability), to the point it gets stupid. It would be trivial to throw a brick through a window and walk off with a server, but millions gets spent on power and cooling. As business generally separates out the two, even when they significantly overlap, I have tended to as well, and I find it works much better at budget time to be able to identify which of the groups some line item would fall under.

YOU WANT THE HACK? YOU CANT HANDLE THE HACK!

[TiggertheMad]

And really, was it a hack? I was authorized to use the system, I only replicated the original function and intention of the server's web pages. Only a complete dolt like a news reporter would call that a hack.

Only a complete dolt programmer would not know what the word 'hack' has multiple meanings. I suggest you look up all the definitions of the word before you go insulting people who are complimenting you. Way to parade your lack of knowledge, idiot...

hack 1 (hk) v. hacked, hacking, hacks v.intr. 1. To chop or cut something by hacking. 2. Informal a. To write or refine computer programs skillfully.

Also, those orders you have? Probably not the get out of jail free card that you think they are. I am pretty sure that if you knowingly break the law when ordered to do so, you are still guilty in the eyes of military justice.

Far simpler

[snadrus]

If you're the most important __ in the world, maybe. Otherwise,

• run Linux
• rely on the peer review for trust of highly-frequented software from cryptographically-good sources (meaning use the distro repos).
• Code-review rare software for networking calls (as that's the only likely data exit you have)
• Use open-source net drivers for USB eth devices. That way a card can only react to shutdown requests (USB reduces damage requests scope).
• Get a hardware router/firewall to allow those "dangerous packets" to happen only on requests you initiate
• Physically secure your hardware, don't create your own software security holes

Online banking

[tepples]

Then how do you prefer to communicate with a financial institution in another state?

"Trusting trust" is dead

[tepples]

There is no way you can avoid putting trust on something outside your own control, be it the C compiler

David A. Wheeler confirms it: the "trusting trust" attack is dead.

So what you really are asking is "where should I put my trust level". That depends extremely from person to person and is next to impossible to answer

Where should the median citizen of an industrialized country be expected to put his trust level?

No OS at all!

[Nefarious+Wheel]

...And if you don't replace it with any other OS...

Or, write your application in such a way that it doesn't require any operating system at all. Write and include your own device and I/O drivers, include them in the app. Boot up directly to the application. An OS isn't necessary to run a lump of code. Yes you'll be duplicating a lot of work and at great expense, but if you had a need to secure your system that tightly, you could conceivably justify omitting such frippery as a "start" button, a browser, or a file directory UI. And if security needs to be that tight, you can afford a dedicated computer to run it. Besides, you generally don't want to run anything else on a machine that is nailed to the floor with regard to security.

Re:Block optical signals with hostfile

[Linkreincarnate]

Or you could tape over the status led...

Total discouragement...

[Artsie_ladie]

Wow! After reading all the commenting posts, which most of the information is way over my head, because I am just the average computer user, my situation not just seems bleak to get anything done about it, but it IS bleak and likely impossible. :((( I have a serious problem with a person with a masters in computer science who is stalking me, invading my privacy, and has been doing so for nearing 6 years now. Not only has this person invaded my computerS, but is also accessing my "landline" phone! It's apparent and obvious that the person has some sort of perverse obsession with me. Ex: He sent an email to a close "male" friend of mine that was totally degrading, insulting, and slanderous against me and then very soon afterward, my male friend's email account was "mysteriously" deleted. Ex: If a male person online gets too friendly with me, things will happen, like getting told that I've blocked them, when I did not. Ex: When "male" friends on Facebook placed gifts on my Facebook wall, they disappeared; sometimes even the male friends! Meanwhile, gifts from female friends were left alone. He has threatened me a number of times with, basically, if I didn't shut my mouth about what I know, he would have me thrown off the Internet, that he would permanently slander my name all across the Internet, which he is now doing and has been for quite some time. I've filed reports with the FBI (IC3 - Cyber Crime Unit of the FBI) and with my state police. But because he lives in a foreign country, apparently doing anything about it would be more involved than anyone wants to take on. I've worked with several techs from: Dell Tech Service, iYogi Tech Service, Kaspersky, AOL Techs, Verizon/Verizon Wireless Techs, to name a few, and I've been told by all that I have a SERIOUS problem. I do not understand "how" he is getting into my computers and my phone, but I KNOW he is. Since I haven't been able to get any help with this, I've learned to be my own investigator and so, I've saved and documented MEGA amounts of data that points continuously to ONE very common, "common denominator", who IS this "person of interest". I've started to put some of this data out there, but because I'm so discouraged I don't avidly work at it. In regards to my phone, however, here's a tip of the iceberg: http://truth-time.elftown.org/

Re:If you're paranoid enough to ask those question

[sneakyimp]

I've had some luck using Knoppix for this purpose -- they have a nice CD-booting distro. But then it occurs to me that I don't know if I can really trust Knoppix.

Also, nobody seems to be able to tell me where I can get a trustworthy USB stick. I think this is where I am most unreasonably paranoid. I've heard so many stories about USB sticks being the source of viral infections. Is there some methodical, easy way to inspect the damn things for exploits?

Re:Using a separate computer just for on-line bank

[sneakyimp]

I like this idea, but the cost sounds a little prohibitive.

I'm also wondering how we know a given MOBO is safe -- or a given linux distro. I realize this is paranoid and a really broad question soliciting bazillions of possible responses, but would like to hear people's approach to verifying the security of hardware, firmware, and OS.

And, btw, what browser would you expect to use on this banking computer? I wouldn't recommend Chrome.

Re:Using a separate computer just for on-line bank

[sneakyimp]

But where do you get the trustworthy USB stick?

Re:Using a separate computer just for on-line bank

[sneakyimp]

Sane people, when they talk about secure computing, talk about something in the middle. The insane say it's an all or nothing false dichotomy. These are the same people who implement stupid password policies as administrators that ultimately result in the recycling of insecure passwords,for example.

It's like they say about a crowd getting chased by a bear: you don't have to be the fastest runner, you just have to be faster than the slowest guy. Security definitely admits of degrees and all of this all-or-nothing discussion is all well and good if we are talking theoreticals, but the binary mentality is not particularly useful on a day-to-day basis for ordinary developers.

That said, I think the firmware question has been overlooked a bit -- certainly as it relates to USB sticks. This seems like such a common (and obvious) exploit vector. Building USB sticks costs almost nothing and there seem to be so many cases where exploits have been propagated this way.

Re:Using a separate computer just for on-line bank

[bmo]

You *make* one, using known good disk images from an uninfected computer.

dd if=~/disk.images/knoppix.iso (or whatever you want) of=/dev/sdc1 (or wherever your usb thumbdrive is)
[return]

No, I don't use unetbootin. It seems that simply using dd to fling an iso at a thumbdrive is sufficient.

Done.

--
BMO

Re:Using a separate computer just for on-line bank

[bmo]

> Building USB sticks costs almost nothing and there seem to be so many cases where exploits have been propagated this way.

USB sticks have been vectors because people loaded them up with rootkits and threw them in the parking lot or left them at desks/reception areas, etc. It's not the firmware in the disk itself, which is just generic. It's the contents.

I know you're hinting at poisoned firmware, but that means a manufacturer has to poison an entire product line to make sure that some secret embedded firmware (like emedding stuxnet in the hardware instead as a bit of software) gets out to where it needs to go, and at this point, it's company suicide if this gets discovered.

It's unfeasible and involves too many people to be reliable as a way to infect machines to be kept secret.

"Three people can keep a secret if two of them are dead" - Franklin. And it still holds today.

--
BMO

Re:Using a separate computer just for on-line bank

[sneakyimp]

Unless I'm mistaken, the USB stick itself might present an exploit before you've written any data to it. I.E., it is not unheard of for USB memory sticks to arrive from the manufacturer already containing an exploit. There's another post somewhere in this thread about it. I seem to recall this happening frequently. E.g.,: https://isc.sans.edu/diary.html?storyid=4247

Re:Using a separate computer just for on-line bank

[bmo]

20 years ago I had a computer built by a company here in RI and it came pre-infected because they were using a drive cloner that cloned an infected drive (and they were reputable, too! - CR Bard got all their machines built by them). I always nuke drives when I get them. Always. It's just good practice.

If you have autorun turned off (as you should) , and you blast dd at the disk and zero it out or write an image to it, whatever was there is gone. "Because dd bears no doubt, cares not if you have prepared your way, and leaves crushed Zagnut nodules in the carpet. " - to paraphrase Blair (he was really talking about kill -9, but I love the quote so).

It's not magic.

--
BMO

first thing...

[Douglas+Goodall]

Don't tell complete strangers what arrangements you make to keep yourself secure. The more they know, the closer they are to getting past your defenses.