US CTO Tries To Wean the White House Off Floppy Disks
schnell writes: MIT grad and former Google exec Megan J. Smith is the third Chief Technical Officer of the United States and the first woman to hold the position created five years ago by President Obama. But, as a New York Times profile points out, while she fights to wean the White House off BlackBerries and floppy disks, and has introduced the President to key technical voices like Tim Berners-Lee and Vint Cerf to weigh in on policy issues, her position is deliberately nebulous and lacking in real authority. The President's United States Digital Service initiative to improve technology government-wide is run by the Office of Management and Budget, and each cabinet department has its own CIO who mandates agency technical standards. Can a position with direct access to the President but no real decision-making authority make a difference?
"I'm trying to get the president to stop using floppy disks."
Wat?
It's high time to launch the "Don't floppy that copy!" campaign aimed at White House staffers.
Ezekiel 23:20
The impact she can have depends on the attitude of the President and those around him.
So this position is much more show than substance. No wonder she's the third with the title in five years.
Jed will be able to pick up where George left off.
What's wrong with BlackBerries? I know they aren't in style anymore, but what do they have in mind as a replacement that is powerful and secure enough for government? iPhone? WP8? Don't make me laugh!
Well, I was using floppies well into the 90's. CD-ROMs were nice for large chunks of data but until I had broadband, sneakernet+floppies was usually a lot more efficient. Really the modern replacement is USB sticks, although they're not quite cheap enough to give away as floppies were.
Wait... floppy disks are a particularly coarse-grained medium, meaning that they are quite likely to survive (in storage) for a very long time. Also, they don't contain silicon ICs. Does anyone remember the great idea of SD cards with built-in OSes and a WiFi antenna, and how those have been used as spyware tools? Likewise USB sticks could have absolutely anything in them. So I don't think it's such a good idea for the White House to move away from floppy disks.
BlackBerries, on the other hand: I heard a story back in 2007 that the entire email infrastructure at the time ran off of *two* machines (two physical machines), one for the US, one for the rest of the world. I trust that the White House email doesn't go through a single server. That would be... bad.
For a security sensitive place, like the US govt, I think lack of networking, and using floppy disks to transfer files is a good thing. It is harder to sneak out large amounts of data undetected. Doesn't the Kremlin use typewriters now?
There is a chance that the White House is using obsolete technologies because that's the way that things were always done. Yet there can be other reasons behind it.
Consider that floppy diskette. Assuming the OS is properly configured, a disk is a disk. Contrast that to a USB flash drive: is it behaving as a flash drive, or is the firmware causing it to behave as something else? Contrast that to a network connection: properly handled physical media has a clear chain of responsibility, while network connections (even internal ones) may be managed by many more people and have more access points. Yes, there are ways to deal with security in such situations. No, they are not foolproof. That's particularly true with high-stakes institutions like the White House.
Another consideration is the provenance of the technology. It is bad enough when you have to go through a single vendor (e.g. BlackBerry or Microsoft) or are dealing with contractors. Many modern technologies make things worse by being a service. Products become property of the government when purchased. Contractors can be replaced when contracts come up for renewal, or in the intervening period if terms are violated or appropriate clauses are added. Services are a different issue though, and that's exactly what a lot of modern "technologies" are. Does the White House want to create a situation where another party has control over their data? Even if they could guarantee the security and portability of the data, it could be difficult to find or create a replacement. Businesses take advantage of this difficulty all of the time, and literally milk the government because of it. In most cases it is because of the cost of complying with government regulations. In the case of services, it could simply be because there is no alternative.
Competent CTO - check.
White House CTO - check
MIT and Google - check.
Woman - check. Cue misogyny on all sides.
Parent - check. Cue incredulity that she can combine work and family life.
Lesbian - check. Oh, that's OK - her marital status gets a mention as does the fact that she's separated (so presumably her estranged wife is looking after the kids for her.)
Any chance of a sensible in depth, hard hitting article detailing how well she's doing in the teeth of opposition, lack of mandate and innate technical conservatism?
No, she can't. And it doesn't matter if you replace "President" with "CEO", the job of CTO is incredibly frustrating.
The reason is that the "business side" in North America and the UK has great disdain for technical people, and the CTO is often seen as that annoying guy who (stupid) customers seem to connect with. In Germany, China and Japan, the technical side actually does have authority for technology (imagine that!).
Back in 6th form college (16-18 UK education) the only place with fast internet was the college. As such we would turn up with huge sports bags filled with floppies to download big files, and the files were often split across however many floppies were needed. There were some funny ones where 1 GB files were split into hundreds of floppies. Invariably when you joined the file back together one of the floppies would be corrupt. Anyway, I'd say that it is MUCH harder to smuggle large amounts of data out using floppies than SD cards, and therefore it is probably a strange but semi-effective security system.
Floppy disks did not survive in storage or in everyday use. They were an unreliable temporary way to store data. They often developed bad sectors. Those of us around back then will remember people bringing disks to us that they could no longer read files off of, and having to use things like Norton Utilities to try to recover data, which was as often as not unsuccessful.
I had a huge number of floppy disks in storage in the 1990s, and copied them to more reliable media - what I could of them - a lot of them had errors.
Where do they get drives for their floppies? Laptops no longer have them. I haven't had a tower with a floppy drive this century. Mobos no longer have the floppy connectors, it's all SATA now. Does every government employee get a USB floppy drive?
I have a Z10 running 10.2.X. It's a very nice phone and a good replacement for the piece of garbage my iPhone 4S turned into when I made the mistake of switching to iOS 7. Cost me $200 for a well-designed handset that has user-replaceable batteries, a mini-SD card slot that cheerfully takes a $25 64GB card and runs plenty of Android apps. Personally, I even find the OS to behave much like how I WISH iOS would behave (hint: UI is very similar, but has some nice Androidish features like a file manager that is very well designed).
What's the argument? Not a lot of apps? That's an argument in its favor with the federal government. Enterprise management is very easy and straight forward for the federal government too. BYOP has absolutely no place in the federal government.
If you read the article, she took her brother's bike apart to see how it worked when she was 14, then left the parts in a bucket. A REAL MECHANICAL ENGINEER (her degree from MIT??) would have been able to reassemble it. IMHO, like most managers, she lacks any technical know-how. But that's not a problem if you have minions to work out the details.
Floppies get a bad rap as unreliable due to the junk China-made disks and drives manufactured at the medium's end of life from 1998+.
I have to use these things everyday in computer-controlled machine tools, and media/drive quality matter 100%.
IME, 20 year-old 3M-branded floppies from Ebay paired with drives made from cast aluminum frames are reliable (old school Teac/Sony/Panasonic drives).
Remember, this was the mainstream distribution medium for software for ~30 years (how often did you have to return original SW due to a bad floppy?). It only started to go downhill after the push to obsolete the floppy by Apple. By this point, it was just a race to the bottom and a checkmark option offered by the x86 PC manufacturers.
I am going to go ahead and assume she is pretty competent at her job.
She is likely to wield power as a subject matter expert. My boss and others ask and act on my opinion on a number of topics. I have no "authority" but still exert influence by controlling the flow of information. Here, controlling means ensuring that the information is accurate and relevant.
I was using boot floppies until about 2006. Currently CDs and USB thumb drives. I can see how govt would hate using thumb drives (a rogue thumb drive could mimic any USB device), but all the optical drives should be fine. Securely erasing them is impossible, so shred & melt...
Her main concern should be security. Protect computers and communication service providers owned or used by the government, military, banks, power stations, emergency responders, water companies, and grocery stores. I hope she's trying to convince Pres. Obama of the need to protect them from break-ins, and from disasters like getting hit by a massive EMP.
Protecting grocery stores might sound unimportant, until you imagine what would happen if people couldn't buy groceries.
j/k
To be fair, it depends on the context. A few years ago I was working for a company whose bank still required the large amount of end-of-month transactions for automated processing to be submitted via a 3.5" disk instead of an encrypted connection. Part of the reason why the company eventually switched to a major bank with a decent infrastructure.
All of the FBI's case files are stored on 8" floppy and used with some type of CP/M workstations connected to a PDP/11.
There was a push a few years back to modernize the FBI's system, but the contractor ran over budget by something like 100+ million dollars, and they eventually scrapped the whole thing. FBI is back to 8" floppies again.
Not a troll, and I don't know if they ever modernized their systems yet. Probably get their 8" floppies from the same place the Air Force command get them (government warehouse filled floor to ceiling with 8" floppies guarded by snipers and attack dogs).
After all, hardly any computers come with floppy drives anymore ... so unauthorized access is almost completely prevented, better than any software encryption ... :)
There isn't enough money that Uncle Sam could pay me to be the US CTO. Imagine dealing with that squeaky wheel. It's so old and poorly oiled that it's practically seized. Only the most career-masochistic people would want something like that!
I went back to school to learn computer programming on a part-time basis from 2002 to 2007. Assignments were turned in on floppies for the first few years. Emailing assignments and online classes became common towards the end. I turned in my final project -- creating an XML parser from scratch in Java without using any existing XML APIs -- on a CD because the source code, executable and documentation file were too big to email as a zip file. After five years of attending classes while working full-time, the dean handed back a floppy that I submitted for my very first class that he forgot to give back and found in his office. A month after I graduated with my A.S. degree, I made the president's list for maintaining a 4.0 GPA in my major.
Now is probably not a good time to continue to use a medium developed by Sony for storing critical information.
Where did you go to school? My school had an automated submission system in 1988.
-Unresolved symbol? Byte me!
San Jose City College in the heart of Silicon Valley. When I graduated in 2007 with a second associate degree, the Records & Admission office was still scheduling classes on the same mainframe and 9600 baud serial terminals from when I went there in the early 1990's.
Next question?
Windows 2000 - from the guys who brought us edlin
Remember all the fans adoring Candidate, President-elect, and even President Obama for his use of Blackberry? While mocking McCain for his inability to even use keyboard (because his hands were repeatedly broken by the People's Torturers in North Vietnam)?
In all likelihood, Megan J. Smith was one of the fans... Possibly, even with a special female twist to it...
Well, maybe, the job of running the Executive government's bureaucracy is just too difficult? TFA certainly suggests that... But that's exactly the job, Obama was hired for, darn it. There were people pointing out his shortage of executive experience — he never ran things (other than a failed charity — once), but this was countered, incredibly, by how he ran his election campaign...
Well, here we go — either he was never as advanced technologically as he and supporters portrayed him, or he has no ability to execute — to run things... Certainly not enough of it to affect the oft-promised change. Management is hard, let's go golfing.
In Soviet Washington the swamp drains you.
Sorry, but she is more of a he. She built things in her childhood, went to a technical U, then married a woman.
And you still live in your mom's basement.
One IT director to rule them all, one floppy disk to bind them.
Hopefully the CTO is aspiring to get the white house off of floppy disks for a solid reason beyond just the age of the technology. There is likely a good reason why floppies are still being used and that needs to be taken into mind when trying to replace them with newer technology. After all, we saw an article not that long ago that the nuclear missile sites in the US still use 8 inch floppies, but there is no solid reason to get them away from that.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Or maybe just an agency under the supervision of a department....but both would require an act of congress. It is the only way to get authority under a CIO position that can affect the entire government through policy...Frankly it should be done from a security aspect alone.
Nonsense. All they need to do is label the floppies accordingly, and all manner of fun could be had.
"We've lost our 'WMDs.'"
"'North Korea' has proven incompatible with current reforms."
The jokes write themselves.
We've surpassed floppies by CD-ROM, DVD, Dual-layer DVD, HD-DVD, and Blu-Ray, but the US Government is still stuck in the 1980s using floppy disks? No wonder they're screwed.
For developing small toy operating systems a floppy diskette is still the best target medium provided you can find a computer supporting floppy diskettes these days.
and use Magneto-Optical, like I do.
I like them. I like phones with a touch-type keypad like the old Palm Treo PDAs. I must be missing something.
Isn't "CTO" a corporate term? Since when does our republic have corporate leadership?
Screw the floppies, I'm more concerned about the basically open announcement that our government is now fascist, in the most literal sense of the word.
An enigma, wrapped in a riddle, shrouded in bacon and cheese
That tech should be bought every six months. The truth in the real world is that once a system is put in place and works, it is kept for as long as it works. The USPS is using many sorting machines that are twenty years old and use ICs from the 70s-80s. Why? Because they work and they have been paid for many years ago. They do the job. At they same time, in the recent decade, the USPS bought and installed a billion dollars worth of flats sorting machinery. Keep what gets the job done. Buy new when the need changes.
E Proelio Veritas.
Lack of trusts and/or connections between networks
duplication of services between agencies
love is just extroverted narcissism
They are about 10x the cost of floppies for one about 10x the size. If you want to "give" information, the CD is still the cheapest way (even cheaper than floppies for most people). And if you go to a convention, training, or anything like that, chances are the material will be provided on USB stick. It may cost more than a floppy, but is cheaper than paper, and cheaper than floppies (for the amount of information stored). Plus, unlike floppies, people will be able to use them when they get home.
Learn to love Alaska
I can see how govt would hate using thumb drives (a rogue thumb drive could mimic any USB device),
The government is large. A demand that any driver be signed by the maker (with the proper key loaded into the government PKI) would eliminate 99% of such attacks. All USB storage must have a key.txt in the root with a valid key.
Problems getting manufacturers going along with it? You are the US government. "Do what I ask, or we'll eliminate your stuff from procurement for someone that does. And if you complain publicly, we'll refuse to buy from anyone who uses your stuff."
Security doesn't happen until someone demands it (and pays for it). The government should be leading the charge, not NSA-style trying to hold everyone back. Double DES is good enough for anyone.
Remember, government computing has a lot more security issues than, say, Sony does, especially the president's and his advisors' security - at least they haven't employed a female version of Steve Bong http://www.theregister.co.uk/A...
I was using boot floppies until about 2006. Currently CDs and USB thumb drives. I can see how govt would hate using thumb drives (a rogue thumb drive could mimic any USB device), but all the optical drives should be fine. Securely erasing them is impossible, so shred & melt...
The reason the government hates thumb drives is because they are very small, and can store LOTS of data. Even in unclassified areas, the government tends not to want them around anything even the slightest bit sensitive. I would be surprised if they're permitted anywhere near the white house, and wouldn't be surprised if most of the computers in the white house are configured to disallow them. A floppy is harder to smuggle, and carries less per disk. Enough floppies to store a gigabyte of data is nearly impossible to hide from the secret service (well, so one would hope, but then . . . )
I do not know where you are. But my government secure hole in the ground does not allow you to use floppies, CDs, USBs, etc. If it needs to go off the network or be moved to another system you need to have a security officer do it for you.
Thumb drives have been banned on Air Force networks - even NIPRNet - for 4 or 5 years.
If you want news from today, you have to come back tomorrow.
I'm still using boot floppies, but they're virtual and mounted via an HP iLO... Not touched an actual floppy since, no, I can't remember when. They were great until you got pocket fluff/grit behind the gate and transferred it onto the drive. SD cards are a suitable replacement, though easily lost and perhaps on par bad-block-wise.
One thing we should commend though, well done on keeping your files small enough to fit on floppies. That's pretty much impossible after a few revisions of a Word document after it collects all that system information.
Why UNIX?
This gets trotted out, but it isn't the reason. Small and stores lots of data is GOOD.
Here's the problems with thumb drives. This is why they can't be trusted:
1)- NO READ-ONLY MODE
Unlike CDs, which are read only without giant hoops to jump through, there's no write-protect switch for thumb drives, or ability to trivially make them read-only.
2)- USB drive, or viral keyboard?
Nothing inside a USB drive can make sure it's actually a damned USB drive. An infected CD won't run without autorun, but an infected USB stick could reasonably and actually become a keyboard and launch a binary itself by TYPING IN ITS OWN COMMANDS (this can really happen, easily). Since the U in USB is universal, and there's no reasonable way to force it to behave as a passive drive in a physically inspectable manner, it can't be trusted.
3)- Terrible OS design (mostly gone)
For whatever reason, most OSes properly treat removable media as removable, but often have a soft spot in their hearts for USB sticks. This is mostly fixed by now, but was absolutely an issue for years and until the older conception is gone, who knows.
tl;dr: Thumb drives being small and holding a lot isn't the issue, the idea of them secretly being generic USB devices (aka, absolutely anything) that are generally auto-trusted and can reasonably press OK to their own confirmation dialogs is, as is their entire lack of hardware accountability. Unlike a floppy or a CD, a USB stick can always be written to and can actually be any goddamned thing at all.
And I should clarify that by "infected" I don't mean just software, like a boot sector virus. I don't think a commercially purchased USB stick can act like a keyboard via viral infection (though the fact that this is even theoretically considerable is a flaw too), but a custom hardware piece can absolutely do this.
There are too many contractors / subcontractors in gov IT. Some are picked based on how much of a kickback they give out.
And they add a lot of overhead as well, adding walls of PHBs that get in the way of one team talking to another team.
1)- NO READ-ONLY MODE Unlike CDs, which are read only without giant hoops to jump through, there's no write-protect switch for thumb drives, or ability to trivially make them read-only.
That's a very good point. Floppy disks had write protect tabs, and the 3.5" ones had a little write protect slider switch. I don't know why thumb drive manufacturers don't include a similar feature on their drives. I think there'd be a real market for such a thing.
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
I went to San Jose State University for a year before I got kicked out and stuck with a $2,500 student loan for ten years. I spent my scholarship money on setting up a Wildcat! BBS to be the beginning of my online media empire. And then something called the Internet became really big in 1995. I was a dot com bust before the dot coms existed.
Uncle Sam picked up the tab to learn computer programming with a $3,000 tax credit after the dot com bust in 2001. I made a successful career transition from being a video game tester to being an I.T. support technician. No regrets, no student debts.
They did years ago but probably cut it for more profit.
Because you live in a corrupt fascist nazi's wet dream and the USA is nothing more than a corporation.
The following fundamental security features are missing:
IDE/SATA/SAS/USB: Write protection, physical.
IDE/SATA/SAS/USB: Write light (NOT read/write light, access light, or "I have power" light) with minimum duration of half a second per write
USB: Physical switch to force mode (media only, keyboard/mouse only, etc. on a given physical USB switch)
While I agree with the sentiment, the Tea Party will whine and complain it is government pushing around the private sector, and then the affected companies will lobby their favorite Tea Party members for special exemptions. The cry will be that it should be the industry response to competitive conditions that produces security, blah, burble, furble, yadda, yadda, yadda.
I put security in the same bag as clean air and water. It requires a government mandate and constant vigilance. Companies are still trying to get Congress to allow them to pollute to their little black hearts' content, all in the name of "jobs" or whatever gas Limbaugh is passing this week.
That's why they need brilliant people in the government.
I can see how govt would hate using thumb drives (a rogue thumb drive could mimic any USB device),
The government is large. A demand that any driver be signed by the maker (with the proper key loaded into the government PKI) would eliminate 99% of such attacks. All USB storage must have a key.txt in the root with a valid key.
USB keys don't contain drivers. The attack is that when you aren't looking your thumb drive presents itself as a Logitech USB keyboard and then proceeds to type in a rootkit or whatever. Since the government probably does buy Logitech USB keyboards the computer already has the signed logitech driver installed. Sure, the drive can only do things that you could do with a keyboard, but you'd be amazed just what you can do with only a keyboard.
Floppy disks have an un-hackable audible sound/alarm when a program accesses them.
While I agree with the sentiment, the Tea Party will whine and complain it is government pushing around the private sector,
Why is it that those who claim they want the most efficient government do all they can to make the government as inefficient as possible?
USB keys don't contain drivers. The attack is that when you aren't looking your thumb drive presents itself as a Logitech USB keyboard and then proceeds to type in a rootkit or whatever.
To be an HID, it must announce itself as one (called "driver" even when it just announces itself and requests the default OS driver). To do so, it must authenticate with the host OS. If not, the HID functionality will be disabled.
Sure, the drive can only do things that you could do with a keyboard, but you'd be amazed just what you can do with only a keyboard.
I've been told the problem is when the USB drive is actually a storage device, but leeches power (but no connectivity to the host computer) to broadcast the contents of the device on WiFi to a listening attack machine outside (but in WiFi range). That would be theoretically undetectable, unless you have scanners and Faraday cages up all over the place. And my thought for signing is to sign per device, not that one keyboard would allow anything that announces itself as that keyboard (but without authentication) to get "root" access.
Well, 3.5" disk(ette)s on very old IBM test PCs to boot off to use Ghost.
Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
What is it about mistaking a government that fulfills the contract needed to provide, and sustain stability with a cry for efficiency ?
The article never mentions weaning off of BlackBerries, yet your link features it prominently. I for one prefer the BlackBerry for work purposes, after trying various other devices. To each their own. Just don't state what an article is about when it has nothing to do with it. State facts. Stop opinionated posts.
So you are asserting that the Teabaggers don't want an efficient government? That's consistent with their actions, but I don't think that's consistent with their statements.
McDonalds in Canada already scan for rogue Wi-Fi networks and send an alarm if one is found trying to mimic the RFID of the restaurant. In such a closed environment, you could easily adapt this to search for any network that isn't white listed and solve this particular attack.
USB keys don't contain drivers. The attack is that when you aren't looking your thumb drive presents itself as a Logitech USB keyboard and then proceeds to type in a rootkit or whatever.
To be an HID, it must announce itself as one (called "driver" even when it just announces itself and requests the default OS driver). To do so, it must authenticate with the host OS. If not, the HID functionality will be disabled.
As far as I'm aware USB does not have any kind of strong authentication built into it. It can announce itself as an HID, and label itself as whatever it wants to.
Even if they did authenticate, the necessary private keys would be in every logitech USB keyboard out there, to use my example.
As far as I'm aware USB does not have any kind of strong authentication built into it. It can announce itself as an HID, and label itself as whatever it wants to.
No, it doesn't. But if the US government announced the standard it would accept, and it was backward compatible, it would become the de facto standard. If the Government OS required auth, and the auth present on the device in no way stopped it from working with any previous USB controller, then auth would be pervasive in a few years. Then it's a question of market, for whether the consumers would demand it.
Even if they did authenticate, the necessary private keys would be in every logitech USB keyboard out there, to use my example.
Yes. Is that a problem?
her position is deliberately nebulous and lacking in real authority
So, just like every other CTO, right?
Well, I was using floppies well into the 90's. CD-ROMs were nice for large chunks of data but until I had broadband, sneakernet+floppies was usually a lot more efficient. Really the modern replacement is USB sticks, although they're not quite cheap enough to give away as floppies were.
CD's always seemed impractical. Probably because they are in a way more fragile.
I still use ZIP drives for some backups ( say my password manager ).
USB sticks are OK but I really don't like their form factor.
microSD cards in an SD card adaptor ( if needed ), seem best. and most easily stored. I just wish they had binder inserts similar to the ones they had for floppies.
What on earth are you talking about? 99% of attacks stopped by a txt file. No such thing mate you know nothing about usb technology or drivers.
They do. I buy them on amazon all the time. This is nothing new, the general public just doesn't see a need for it.
McDonalds in Canada already scan for rogue Wi-Fi networks and send an alarm if one is found trying to mimic the RFID of the restaurant.
The RFID of the restaurant, eh? You don't have a fucking clue what you are talking about.
You can open powershell and enter, compile, and run a program with just a keyboard.
I object to power without constructive purpose. --Spock
To be an HID, it must announce itself as one (called "driver" even when it just announces itself and requests the default OS driver). To do so, it must authenticate with the host OS. If not, the HID functionality will be disabled.
What? USB devices in general, and HIDs in particular, do not authenticate with the OS when plugged in.
You plug it in, and it negotiates with the host controller automatically. The host controller notifies the OS that the device is there, and then the OS queries the device for its properties. The device is perfectly capable of lying about what it is and what it does.
If the device identifies as a keyboard, mouse, Smart Card reader, or removable storage, by default the OS will load its native drivers and handle the device seamlessly. The device could have nefarious functionality, but the OS has no way of knowing about that.
Various OS security tools and third-party utilities can attempt to restrict the use of USB devices. None of them are pleasant to use---from the standpoint of either the administrator or the end user.
I've been told the problem is when the USB drive is actually a storage device, but leaches power (but no connectivity to the host computer) to broadcast the contents of the device on WiFi to a listening attack machine outside (but in WiFi range).
Not terribly practical or interesting. This idea probably came from someone who watches too many "hacker" movies. Anyone who is concerned about restricting USB devices probably already has a solution for detecting rogue Wifi clients and APs. If not, they can buy one off the shelf. This is something I would expect to see in a Hollywood movie.
Rogue USB devices are not something a hacker is going to use against some random citizen in hopes of scoring access to their checking account. This is something enterprises and governments are going to be worried about, and they have options for mitigating the threat.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Yes. Is that a problem?
If you don't see a problem with PRIVATE KEYS being distributed inside mass-produced hardware, I do not even know where to begin criticizing your position.
Every piece of equipment would need significant anti-tampering measures because as soon as the keys are retrieved from one device, it is game over.
This is why DRM software keeps getting cracked over and over in spite of the billions of dollars being spent on developing it. If your scheme requires a secret that the user needs to operate the device, it will be compromised.
People crack stuff like this for fun. We've seen it happen year after year. Do you think there will be more or less cracking attempts when there are serious espionage or financial incentives?
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
You certainly can, but you'll be wrong — twice.
There is nothing automatically wrong in what Bush did, as you describe it. Maybe, as Libertarians believe, taxpayers should not be (re)building any stadiums at all — this would prevent politically-connected businessmen from profiting from any such projects. This approach would not help you indict Bush, however — as long as public policy provides financing for stadium-repairs, there is nothing wrong in taking part — even if the policy is in error...
Or you can remain in your Statist comfort zone and claim that, although some stadiums should be repaired by the taxpayer, that particular one should not have been. That's what I referred to as "some stadiums being more equal than others". This would make it possible for you to accuse Bush of wrong-doing, but you'll need to explain, why "his" stadium in particular should not have received public money. "Being owned by a Republican" is not a good enough reason.
You can also do both — claim, there should be no tax-funded stadiums at all and that the funding Bush received back then was especially improper. You still need to explain why, of course.
And then you'll still need to substantiate your earlier claim, that this — profiting from taxpayer-funded projects — is an especially Republican "style". Put up or shut up...
Please, don't hate. Thank you.
In Soviet Washington the swamp drains you.
What? USB devices in general, and HIDs in particular, do not authenticate with the OS when plugged in.
I said that. I also said that if the US government required it, then USB devices would authenticate when plugged in.
The device is perfectly capable of lying about what it is and what it does.
Not if the host OS has some means to authenticate it. Or did you get the point and decide to go all Devil's advocate?
Learn to love Alaska
If you don't see a problem with PRIVATE KEYS being distributed inside mass-produced hardware, I do not even know where to begin criticizing your position.
It's clear you don't know where to begin criticizing it. DVDs do it (very poorly) and Blu-Ray do it (less poorly). A similar system would be trivial. As would be putting the PRIVATE KEYS on the mass produced hardware (encrypted and signed, of course). You do know how PKI works, don't you? You don't send someone your private key for them to authenticate you. You encrypt their public key with your private key and send that encrypted PRIVATE KEY derivative. So, burn that encrypted key into the USB device as part of the driver.
That you are too dumb to understand an idea doesn't mean the idea is dumb.
Learn to love Alaska
It's clear you don't know where to begin criticizing it. DVDs do it (very poorly) and Blu-Ray do it (less poorly).
You identify two systems as examples of your new "security" feature, but both of them have been laughably compromised. Neither scheme lasted more than a year in the wild, and with a PC security standard you'd need to manage a bit more than that.
A similar system would be trivial. As would be putting the PRIVATE KEYS on the mass produced hardware (encrypted and signed, of course). You do know how PKI works, don't you? You don't send someone your private key for them to authenticate you. You encrypt their public key with your private key and send that encrypted PRIVATE KEY derivative. So, burn that encrypted key into the USB device as part of the driver.
I bolded the part that is problematic. How does one burn a key into the device as part of a driver, exactly? With security, the devil is in the details, and your proposed system sounds no better than similar systems which have failed in the past.
That you are too dumb to understand an idea doesn't mean the idea is dumb.
Nice ad hominem, but maybe you should have provided a substantive argument instead.
I believe your explanation rather than my intelligence is at fault here. You identify two systems as functional examples of your new "security" feature---neither of which is effective in practice. AACS has been compromised repeatedly, which shows that simply revoking the exposed keys and hoping new equipment fares better is not an effective strategy.
Can you explain, clearly, how your system differs in such a way as to render it immune to similar attacks? If not, then there is absolutely no reason to take your proposal seriously.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
You claim it can't work. I claim it can. Since you can't prove it can't, there's nothing to say. You are assuming the worst possible implementation and indicating that wouldn't work. Obviously. Captain Obvious called, he wants his uniform back. That you are too dumb to imagine a system that could work doesn't mean it can't. It just means you have no imagination or problem solving skills.
Also, you forget. In the case of the DVD/Blu-Ray, the user didn't want the system to work. For someone getting safe USB, both the manufacturer and user want it to work. That you don't know the difference further proves your incompetence. Since you've said nothing substantive that contradicts anything I've said...
Learn to love Alaska
So the WH is still using floppy disks. That is what happens, when Harvard professors, long on philosophy and short on the real world, are in charge.
That's why they need brilliant people in the government.
The problem is that brilliant people don't want to work with mind-numbingly-stupid people... you know, the kind that are typically attracted to government work?
So "signed drivers" don't exist?
Learn to love Alaska
The problem is that the people elect based on a popularity contest, rather than evaluating the people running. It's like I'm back in the 8th grade voting for student body president. At the time, I thought it a joke popularity contest that was a warning for when we were adults voting. Now I know it was actual practice, and more like reality than anyone would like to admit.
Learn to love Alaska
It's clear you don't know where to begin criticizing it. DVDs do it (very poorly) and Blu-Ray do it (less poorly). A similar system would be trivial.
DVDCSS was cracked ages ago, largely due to a poor design. The Blu Ray system had a better design, but every Blu Ray player contains a key that can be used to read any Blu Ray disk. The only reason they aren't routinely cracked is that nobody cares to bother - there are a bazillion other ways to do it. If a country doing espionage wanted a Blu Ray key they'd just go to the local Walmart, buy one, and extract the key from it.
As would be putting the PRIVATE KEYS on the mass produced hardware (encrypted and signed, of course). You do know how PKI works, don't you? You don't send someone your private key for them to authenticate you. You encrypt their public key with your private key and send that encrypted PRIVATE KEY derivative. So, burn that encrypted key into the USB device as part of the driver.
Your valid USB device needs to authenticate itself. That means that ALL the necessary credentials necessary to do so MUST be stored on the USB device. That means it can be duplicated. That is all there is to it. You can certainly make it tamper-resistant, but against something like an intelligence agency I would not trust that to work.
Sure, you can encrypt the key on the USB device, but then how does the USB device use that key? If the key needs to be decrypted to use it, then the device has to have the decryption keys burned into it as well. If the key doesn't need to be decrypted to use it, then the attacker doesn't need to decrypt it either.
Public key cryptography is about protecting messages from interception. We're talking about protecting the keys from interception.
There is nothing wrong with the drivers. The problem is with the device impersonating another device. If I plug a keyboard into your computer and it uses the signed RedHat keyboard driver it doesn't help you when I type rm -rf /* into an open shell. The same is true if I plug a USB flash drive and then after 10 minutes it disconnects itself, reconnects as a USB keyboard, and does the same thing.
You can open powershell and enter, compile, and run a program with just a keyboard.
Absolutely. Back in the days of DOS Laplink let you clone a PC onto another by just connecting a null-modem cable between them and typing "stty COM1:" into the remote computer. That simply redirected the DOS prompt console to the serial port, and laplink would install a receiving program via keyboard input and then have it do the copy. I don't know how it did it - could have used debug.exe to hexedit the file in, or for all I know it just did "copy CON: filename" and just sent the binary over the wire.
The same is true if I plug a USB flash drive and then after 10 minutes it disconnects itself, reconnects as a USB keyboard, and does the same thing.
When it connects as a USB keyboard, it would be challenged for its driver. If it doesn't have one, it must authenticate with a null driver, properly signed, or the OS will disconnect it.
That's easy. Most OSs already handle signed drivers. It's just a change to *require* them for USB devices used by the federal government. When that happens, your problem goes away.
Learn to love Alaska
So, is the tl;dr "if you just copy the key from one USB to another, that will let you authenticate an insecure device".
I want to make sure the question is clear when I answer. I'm amazed by the number of people who say "security is hard, it's better to not even try."
Learn to love Alaska
The same is true if I plug a USB flash drive and then after 10 minutes it disconnects itself, reconnects as a USB keyboard, and does the same thing.
When it connects as a USB keyboard, it would be challenged for its driver. If it doesn't have one, it must authenticate with a null driver, properly signed, or the OS will disconnect it.
That's easy. Most OSs already handle signed drivers. It's just a change to *require* them for USB devices used by the federal government. When that happens, your problem goes away.
USB devices don't contain drivers - the OS does. The device just identifies itself.
But, if USB devices did contain signed drivers, then somebody would just copy the signed driver from a valid device. Encryption doesn't prevent copying - a copy of valid encrypted data is just valid encrypted data.
So, is the tl;dr "if you just copy the key from one USB to another, that will let you authenticate an insecure device".
I want to make sure the question is clear when I answer. I'm amazed by the number of people who say "security is hard, it's better to not even try."
So, the tl;dr of your proposal is: "put the device driver on the USB device instead of in the OS, and put a signature of the driver on the device as well" if so, then the tl;dr of my response is "fine, just copy the driver and the corresponding signature, that will let you authenticate an insecure device"
If I'm misunderstanding your proposal, feel free to state it clearly so that I can answer clearly. I'm amazed by the number of people who think that public key cryptography is some kind of magical thing that lets you give somebody a physical object that is impossible to copy.
USB devices don't contain drivers
Reality proves you wrong. The HP I use has a read-only flash drive in it with the drivers for the printer on it.
Besides, your argument is invalid anyway. "It can't be done because it is currently done differently" has been said millions of times by millions of people. Every one of them proved wrong by progress.
Oh, and if you are wondering, the drivers in the printer are signed.
Learn to love Alaska
So, the tl;dr of your proposal is: "put the device driver on the USB device instead of in the OS, and put a signature of the driver on the device as well"
The driver for my USB printer is already on the USB device and already signed.
, then the tl;dr of my response is "fine, just copy the driver and the corresponding signature, that will let you authenticate an insecure device"
Sure, you can get an insecure printer running on that driver, but when it starts sending HID commands, the OS will turn it off.
If I'm misunderstanding your proposal, feel free to state it clearly so that I can answer clearly. I'm amazed by the number of people who think that public key cryptography is some kind of magical thing that lets you give somebody a physical object that is impossible to copy.
You are correct only if a signed printer driver will work with a keyboard, as its only driver. Otherwise your objection is "swap stuff, and magic happens". Encryption ensures that the driver authenticates (already in use). So why can't you encrypt the UID of the device as well? Sure, a well crafted attack could get you fake devices with UID/driver from a real one. But at that point, you are in the "hide an AP and USB drive inside a keyboard" level, which is 100% allowed today on any system that allows USB keyboards. Or should the government use AT keyboards only? Or is PS/2 more secure than AT? After all your PS/2 mouse could send keyboard commands, right? And with AT for keyboard and serial for mouse, you are more secure. Unless your serial mouse contains a serial modem, and serial killer.
No, I haven't given this 5 years of thought and put it to committee. It was an off-the-cuff response that eliminates 99.9% of the attacks being described. But 0.1% of the attacks could still work, so we should never attempt security is the number one response. The rest are "when I deliberately misinterpret your statements, they sound silly."
Learn to love Alaska
Floppies will be a new trick in securing data since the majority of folks no longer have access to floppy drives. Heck, many governments even go back to purely mechanical typewriters because they cannot be spied on by US intelligence.
USB devices don't contain drivers
Reality proves you wrong. The HP I use has a read-only flash drive in it with the drivers for the printer on it.
Besides, your argument is invalid anyway. "It can't be done because it is currently done differently" has been said millions of times by millions of people. Every one of them proved wrong by progress.
Oh, and if you are wondering, the drivers in the printer are signed.
And if I had the money I could duplicate that USB device, signed drivers and all. Signatures don't prevent copying, only tampering. There is no need to tamper with the drivers to do the kinds of exploits that have been discovered for USB devices. The modified HP printer will connect using the signed HP printer driver and work just fine as a printer. Then in the middle of the night when you aren't at your PC it will disconnect and connect using the signed logitech keyboard driver and work just fine as a keyboard, and use keyboard input to run a rootkit on your PC. Then it will disconnect and connect as a printer again so that you never realize what happened.
Sure, locking your PC at night or turning it off would mitigate that particular attack, but you get the general idea.
, then the tl;dr of my response is "fine, just copy the driver and the corresponding signature, that will let you authenticate an insecure device"
Sure, you can get an insecure printer running on that driver, but when it starts sending HID commands, the OS will turn it off.
The printer will disconnect from the USB bus. Then it will reconnect using a signed keyboard driver which the OS trusts. Then it will send keyboard input (the driver doesn't create the keystrokes - the user does - so a keyboard driver HAS to accept arbitrary input from the hardware). The OS has no way to know that the plug wasn't physically removed from the bus - the hardware can just disconnect and reconnect electronically.
It would be possible to mitigate this using a sensor on the plug to test for physical insertion/removal. Of course, that wouldn't work if you plugged a hub in unless you trusted the hub to tell you the truth. Plus, I could see that sensor wearing out like disk drive change sensors tended to ages ago.
The thing you're missing in your replies is that these attacks have hardware-level support. They actually disconnect electronically from the host and re-connect. That means that they can re-authenticate as an entirely different device. It could even emulate a USB hub and connect as 14 different devices at various times - some simultaneously.
There is no question that when it is connected as a printer that the OS would reject keyboard input (not that keyboard input would really be possible - the driver wouldn't interpret anything sent as keyboard input anyway).
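To make the "signatures don't prevent copying, only tampering" point above concrete, and the later clone-versus-whitelist argument, here is an added example that is not code from any poster. It models a USB host in Python with a toy Lamport one-time signature (standard library only; a real host would use ECDSA or Ed25519, but the copy/tamper/replay behaviour is the same). All descriptors, serials and keys are constructed placeholders.

```python
import hashlib
import secrets

# Toy Lamport one-time signature built from SHA-256 only (constructed for this
# example so it runs with the standard library; a real host would use
# ECDSA/Ed25519, but the copy-versus-tamper property shown below is identical).
BITS = 256


def keygen():
    """Private key: 256 pairs of random secrets; public key: their hashes."""
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(BITS)]
    pub = [(hashlib.sha256(a).digest(), hashlib.sha256(b).digest()) for a, b in priv]
    return priv, pub


def _msg_bits(msg: bytes):
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    return [(h >> i) & 1 for i in range(BITS)]


def sign(priv, msg: bytes):
    """Reveal one secret per message bit; the signature is plain, copyable data."""
    return [priv[i][bit] for i, bit in enumerate(_msg_bits(msg))]


def verify(pub, msg: bytes, sig) -> bool:
    if len(sig) != BITS:
        return False
    return all(hashlib.sha256(s).digest() == pub[i][bit]
               for i, (s, bit) in enumerate(zip(sig, _msg_bits(msg))))


# --- Scheme 1: static signed descriptor stored on the device -----------------
# The vendor signs a descriptor once; the device stores descriptor + signature
# and the host holds only the vendor public key. Values below are constructed.
VENDOR_PRIV, VENDOR_PUB = keygen()
GENUINE_DESCRIPTOR = b"vendor=ExampleCo model=kbd-123 class=HID-keyboard driver=sha256:PLACEHOLDER"
GENUINE_SIG = sign(VENDOR_PRIV, GENUINE_DESCRIPTOR)


def host_accepts_descriptor(descriptor: bytes, sig) -> bool:
    return verify(VENDOR_PUB, descriptor, sig)


def genuine_device():
    return GENUINE_DESCRIPTOR, GENUINE_SIG


def cloned_device():
    # Byte-for-byte copy of a genuine device's flash: passes, nothing to detect.
    return bytes(GENUINE_DESCRIPTOR), [bytes(s) for s in GENUINE_SIG]


def tampered_device():
    # Same signature, edited descriptor: this is the only thing a signature stops.
    return GENUINE_DESCRIPTOR.replace(b"HID-keyboard", b"mass-storage"), GENUINE_SIG


# --- Scheme 2: per-device key + challenge-response against a host whitelist --
# Each device carries its own private key; the host whitelists device public
# keys by serial. Lamport keys are one-time, so signing several nonces with one
# key (done here for brevity) leaks key material; a deployment would use a
# many-time scheme.
DEVICE_PRIV, DEVICE_PUB = keygen()
HOST_WHITELIST = {"kbd-123-serial-0001": DEVICE_PUB}   # constructed serial


def host_challenge(serial: str, responder) -> bool:
    """Host sends a fresh nonce; only a valid signature over *that* nonce passes."""
    pub = HOST_WHITELIST.get(serial)
    if pub is None:
        return False
    nonce = secrets.token_bytes(16)
    return verify(pub, nonce, responder(nonce))


def genuine_responder(nonce: bytes):
    return sign(DEVICE_PRIV, nonce)


def replay_responder():
    """Clone that copied only public data plus one sniffed exchange."""
    sniffed_sig = sign(DEVICE_PRIV, secrets.token_bytes(16))
    return lambda nonce: sniffed_sig


def extracted_key_responder(nonce: bytes):
    """Clone whose builder read DEVICE_PRIV out of a genuine unit's flash."""
    return sign(DEVICE_PRIV, nonce)
```

Scheme 1 accepts the verbatim clone and rejects only the edited descriptor; scheme 2 defeats a replaying clone but still accepts one built from an extracted private key, which is why the thread ends up at tamper resistance and a device registry.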
The thing you're missing in your replies is that these attacks have hardware-level support.
Yes, and if the person who wins the contract to deliver the computers is attacked by Al Qaeda, and they replace all the computers with identical ones, save one minor intentional "flaw", that would be undetectable under today's process.
Your argument is "because security is not 100%, there's no reason to try."
I'm saying "it's better than today" which you are leaving unargued.
Learn to love Alaska
Then in the middle of the night when you aren't at your PC it will disconnect and connect using the signed logitech keyboard driver and work just fine as a keyboard, and use keyboard input to run a rootkit on your PC. Then it will disconnect and connect as a printer again so that you never realize what happened.
With USB hubs, the printer could identify as a hub, and then you wouldn't need to disconnect the printer to "plug in" the Logitech keyboard.
That attack should work no more than once, once discovered. You revoke the signature for those keyboards. And get more security than doing nothing.
Learn to love Alaska
Then in the middle of the night when you aren't at your PC it will disconnect and connect using the signed logitech keyboard driver and work just fine as a keyboard, and use keyboard input to run a rootkit on your PC. Then it will disconnect and connect as a printer again so that you never realize what happened.
With USB hubs, the printer could identify as a hub, and then you wouldn't need to disconnect the printer to "plug in" the Logitech keyboard.
That attack should work no more than once, once discovered. You revoke the signature for those keyboards. And get more security than doing nothing.
If you do that a ton of keyboards stop working. Then you have to buy all new keyboards. Then the attacker just updates their hacks to identify itself as the new keyboard.
It is about as likely to be effective as trying to revoke HDCP keys if somebody extracts a key from a TV set. You tick off a bunch of TV owners, and the pirates just switch to a new key.
The thing you're missing in your replies is that these attacks have hardware-level support.
Yes, and if the person who wins the contract to deliver the computers is attacked by Al Qaeda, and they replace all the computers with identical ones, save one minor intentional "flaw", that would be undetectable under today's process.
Your argument is "because security is not 100%, there's no reason to try."
I'm saying "it's better than today" which you are leaving unargued.
They already have this level of security today. You can configure most OSes to only accept USB devices that identify themselves with acceptable identifiers. You just want to make the length of the identifier longer (the length of a signed driver file). Either way you can identify yourself as something else.
As you point out, you're fine if you only plug in USB devices from trusted sources. However, I doubt anybody paid to safeguard IT for the US government is going to be satisfied with that.
It is about as likely to be effective as trying to revoke HDCP keys if somebody extracts a key from a TV set. You tick off a bunch of TV owners, and the pirates just switch to a new key.
They do it today, not with DHCP but with game keys. If you register a game and your key has been used, then you can't register your game. I had to take one back when that happened once. Not a big deal. Some cracker who guessed a valid algorithm for keys had a collision for the "unique" one that came with my game. And again, you are comparing a system to get users who want DRM and hardware makers who want DRM with the consumer DRM where the hardware makers want DRM, but nobody else does. Consumer DRM is not wanted by the user. Secure hardware is wanted by the user. Businesses and such want it enough that Intel and others have already done it. But then, the consumers didn't want it to the point it never got implemented, because it broke home users' ability to tinker. What I'm proposing is doing it the other way, so that the home user can still tinker, but someone who wants a locked-down PC can get it.
You are so opposed to hardware verification that you are deliberately taking the obtuse and argumentative stance.
Learn to love Alaska
They do it today, not with DHCP but with game keys. If you register a game and your key has been used, then you can't register your game
Sure, but that is fairly different to what you initially proposed. It would only work with online verification, so the first time you plugged in a keyboard with a unique ID your laptop would have to go out to some trusted server to authenticate it. That wouldn't stop somebody from later cloning that specific keyboard, but it would prevent them from cloning another keyboard and plugging it into your PC. Then again, if they only cloned any particular keyboard once it probably still wouldn't help unless you only authenticated any keyboard once. If you did that then if you took a legitimate keyboard and tried to use it on two laptops it would fail.
Keep in mind that if you're a government then your adversaries are likely to be foreign intelligence agencies. Do you think it would really be that hard to get your hands on one keyboard/printer/etc and clone it without it being reported missing so that you could target one computer for hacking?
Also, none of this is consumer-grade capability. That means that instead of buying $20 logitech keyboards the government is now buying $1000 secure keyboards, and no doubt the next Ronald Reagan will come along and point that out. I was chatting with somebody who worked for a defense contractor and a bunch of brass was wondering why they couldn't have an "app store" for military phones, instead of huge bricks that had fixed firmware and multi-year upgrade projects.
I'm not trying to say that security is impossible to achieve. I'm just saying that a significant increase in security isn't just an incidental bolt-on to existing consumer hardware. If you're going to re-design interfaces, register individual pieces of hardware with special authentication modules, and all that stuff, then sure, you can improve on things. Just don't expect to be buying that stuff at Staples.
Sure, but that is fairly different to what you initially proposed.
I don't see it as any different that what I initially proposed. You took what I said as the worst possible implementation, rather than trying to figure out how to do it best.
The general idea is - authenticate USB devices. Something that isn't done today. The rest is first guess as to a possible manner. You are complaining about the color of the USB device, rather than addressing the general idea.
Also, none of this is consumer-grade capability
Also, none of this is consumer-grade capability
You are wrong. Not even close. When you think of something, you think of the worst possible way only. That makes you and only you wrong, and not me. I mentioned drivers, because I was expecting your inane and irrelevant response. All USB devices identify themselves to the OS today. So a "key" of some kind to unlock the device is well within the capabilities of consumer-grade devices today.
That you are still listing reasons why it's impossible just shows you have no imagination, not that there's anything wrong with the idea. As you are uninterested in discussing the idea, but instead just "proving" me wrong in every post, I give up. You win. USB is impossible. Nobody will ever make USB work (hey, that's no more off topic/non sequitur than any of your responses so far).
Learn to love Alaska
Yikes, don't take it so personally!
Are you uniquely whitelisting devices or not? Right now every logitech keyboard model 123 on the planet identifies itself in the same way. If you can impersonate one of them, you can impersonate all of them. Your solution to that was to uniquely identify and authenticate each keyboard. I just pointed out that for this to work you now need to keep track of which logitech keyboard model 123s you're using, and ensure that only one of them works at a time. That means a central server keeping track of who is using which keyboard. That simply can't work at a consumer level. If you don't track who is using which keyboard then sure I might only be able to impersonate one keyboard, but it doesn't matter because every device on your network still trusts that one keyboard and you have no way of knowing that there are now two of them on your network.
You might think there is a trivial solution to these problems, but which seems more likely to you? Either you're right and I'm wrong and there is an easy way to secure USB peripherals and collectively every IT organization on the planet is just too lazy to implement it, or I'm right and the reason that it doesn't happen is because the potential solutions to these problems have so much complexity and so many trade-offs that they're just not great candidates for widespread adoption. Only governments have the kinds of money to throw at this problem that you'd need, and the problem there is that their adversaries have just as much money to throw at circumventing their solutions.
Are you uniquely whitelisting devices or not?
Yes.
You might think there is a trivial solution to these problems, but which seems more likely to you?
Yes. Trivial. The reason I said "encryption" in the first place is that most of these would be going on Windows computers. Windows servers come with CA included. So it's trivial to authorize every device. Now, identifying all of them individually and ensuring no duplication would require an authentication step that doesn't exist today. But it's still trivial.
Either you're right and I'm wrong and there is an easy way to secure USB peripherals and collectively every IT organization on the planet is just too lazy to implement it,
You are asking the wrong question. It's impossible to secure USB today. It's trivial to do it if you wanted to (and had the hardware makers on board). And if the US government said "if you don't do it, we'll never buy another of your devices, and make sure any grants to organizations will never be used to buy your stuff" you'd have 10 or so makers fight to get in on the program (at zero hardware cost to the government). After that it'd be free and trivial for IT departments to secure USB (while still generally allowing it).
The system must uniquely identify all USB devices. Just passing a UID would be sufficient to identify every USB device separately, but would run into the problem of trivial cloning.
Certificates are a white list. My computer knows *every* valid certificate. It may not store the necessary answer to all locally, but will go up the cert chain, which is an explicit white list. There is no "allowed" certificate that isn't recorded right now, explicitly. And for millions of unique sites. So the scale isn't an issue. We do more complex today.
Only governments have the kinds of money to throw at this problem that you'd need,
It's not the amount of money, but the willingness to spend it. Securing USB for all is a noble goal. Once the government is on board, then private IT can decide if it's worthy, and if so, adopt it for trivial cost. They are already running a CA server (in their Windows server), even if they just have that functionality turned off. The cost is to the hardware makers. And if they willingly accept the cost as a cost of doing business with the government, then everyone can benefit from it.
Trivial and cheap/free (to the users).
Learn to love Alaska
The problem with what you propose is that the only way to prevent cloning of devices is to have a central registry that tracks them. Even that doesn't completely prevent cloning - you could swap out a device with a clone without any issues in such a design - the only thing you couldn't do is add a clone without getting rid of the original.
This is how online copy-protection schemes work - the game phones home with its serial number and the server keeps track of usage.
However, this system requires that any device to be tracked is basically always online, which is a constraint that doesn't always work. It requires establishing a server to keep track of everything. You have to be able to trust the server to do its job, and you also need to trust the server owner with knowledge of all the devices you're using (which might or might not be sensitive - do you really want some VIP's bluetooth keyboard phoning home to some server introducing the possibility of tracking? how about a spy's?).
A corporation might set up its own tracking system for items it procures via controlled sources (still a lot of admin overhead to check in every device, or get your vendors to do it for you). The average consumer or small organization wouldn't benefit from this at all unless the manufacturer ran a central server. Do you really want every peripheral you own phoning home all the time? Oh, and just wait until Apple determines that your audio cable isn't genuine. :)
But, yes, if you're willing to work at it you can certainly authenticate individual devices such that introducing a strange device into your environment requires replacing a legitimate one with a tailored replica. That would be pretty tricky to pull off unless the device is one that won't be noticed if it goes missing for a while (and if you're super-paranoid just having it go missing might be noticed by your central server).
I don't disagree it would be hard to do right. I do disagree it's impossible. Logitech supplies a list of serials in the shipment, and they are entered on the list. You can even lock it down as much as to have windows for the "first install" of the device, and the serials allowed. You could lock it down more or less, as you see fit.
Learn to love Alaska
I do disagree it's impossible.
I never claimed that it was. I just think that it is completely impractical for consumer use. I'm not even sure what the point of it would be for consumer use - when was the last time you bought a device for personal use via a controlled supply chain (i.e. you had a high level of assurance that from manufacture to your hands that it couldn't have been tampered with)?
I just think that it is completely impractical for consumer use.
I said that it would be easy for the government to require it, and then have the manufacturers support it. It takes almost nothing (if not nothing) in the hardware to support it, just changes to the way the (already existent) identification to the OS is applied to the hardware. The *only* one I said would use it initially would be the government. And that everyone who sells to the government would sell the same stuff to the people, who could use or not use the "extra" feature, with no down sides.
I never said that consumer use would take advantage of any or all of the feature uplift, just that they "could".
Learn to love Alaska