From a security perspective, it's my feeling that OSS is a better starting point if you really want security for the simple reason that you can browse and compile the source code yourself from scratch.
True, but I think the OP was talking about something that was connected to the outside world/internet.
I was. Thank you for reading between the lines.
For instance, you can disable the USB ports and remove the CD and floppy drive from your machines. Then just and run them as terminals. No issues with flash drives or CDs. Then you can of course nuke all internet browsing.
Does anyone actually do this on their day-to-day workstation? It's been my experience that one must constantly browse the web to browse documentation, to seek support from tech support or forums, to send email, etc.
I was rather hoping for information like "to get clean, exploit-free mother boards, buy from special Vendor X" or "to check for malware on a Pen drive perform procedure Y".
In any case, the security folks have often told us that binary-only software should always be treated as insecure. If you want any sort of security, you only install software for which you have the source, and which you've compiled yourself. And yes, this includes the compilers. (And yes, I've read Ken Thompson's classic article on the topic. If you haven't, you don't understand software security.;-)
This sounds reasonable. Do you have a link to the Thompson article?
I've seen many folks saying "the user is the problem" but do we have more than just the assertion to back that up? I.e., does anyone have actual stats on the nature and frequency of these various possible attack vectors:
* hardware hack (e.g., physical system access and hardware alteration, counterfeit chips with back door, etc.)
* software exploit
* social engineering
You do have a good point -- namely that the enterprise of creating all the hardware necessary for a single computer is just too much for any one person to reasonably accomplish and still be productive at whatever their day job happens to be. With that in mind, it would probably be wise to create some kind of risk profile for the various aspects of computer security -- address the gaping holes before you start worrying about the really difficult exploits.
I've asked this question before and the answers I get usually refer me to really simple instructions for technically illiterate types:
* don't click on sketchy links in email messages
* pick a good password
* install antivirus software
* use a firewall
Does anyone know where to find good stats on attack vectors? Something like this, but which also quantifies hardware and social engineering risks:
http://cwe.mitre.org/data/index.html
Noticeable by whom? When a chip arrives at your door, it could be delivered by anyone -- and to inspect the circuitry would require you to take the IC apart, wouldn't it?
I think it's entirely reasonable to question whether one's CPUs are safe or not -- and this is what I meant to do in the original question. What I was hoping to learn is how we might assess this risk and develop steps to mitigate or avoid the risk e.g., by choosing certain manufacturers or by funding experts to validate circuit design.
I'm not sure I follow your post exactly. I'm guessing that you are talking about the futility of using software to scan for exploits in a circuit design. And yes, it might be hard to find an exploit in a circuit design that has billions of transistors. It would be nice if we could at least come to some understanding of the relative risk of software exploits vs. hardware exploits. I think we'd all agree that software exploits are much more common. On the other hand, a nation state with the resources of the US or China might be able to hide an exploit in the 1.2 billion transistors on an 8-core chip.
I think this post contributes a lot to the discussion -- especially your point about it being difficult to even get an IC working. A couple of things occur to me:
* The designer might be the one attempting to insert the exploit
* Most folks are not circuit designers and could not make heads or tails of the circuit diagram or the circuit itself.
I would agree that building an exploit into hardware sounds really tough and expect that it would be easily detected as a large ROM on the IC. I further agree that firmware/software are much more likely to contain an exploit. Is there any way we might quantify this relative risk? Or establish some criteria to evaluate the trustworthiness of a hardware manufacturer? You may recall this link from the original article: http://www.cnbc.com/id/49032374/Computers_in_China_Sold_PreInstalled_With_Malware_Says_Microsoft
While some might call you paranoid, I appreciate the pragmatism expressed in your post. I agree that we shouldn't live in a shoebox. Is there any way that we can begin to rank the security of hardware vendors? That no such "trust ranking" exists seems surprising to me. It's one thing to damn all the risk involved, another to suggest solutions.
Yes. (The U.S. government can do anything. Your only recourse if they do something wrong is to sue them. Suing them typically takes years of time and hundreds of thousands of dollars for you. Thus, in a practical sense no one really has any firm rights any longer because the system in charge of correcting breaches to those rights is not accessible or swift for an average citizen using it.)
It may not cost you hundreds of thousands of dollars if you can get the EFF or the ACLU on your side, but you are basically correct. Do you have any advice about how to secure data loaded into the cloud? Obviously, encryption comes to mind, but it would be helpful to have some discussion about techniques. If you are using compute instances allocated by a cloud (e.g., Amazon EC2 or Rackspace, etc.) then the means of decryption may also exist in the cloud which doesn't provide you any protection. Got any tricks to share?
Use FreeBSD or other extreme minority operating system.
I've seen numerous people recommend FreeBSD. What's so special about FreeBSD that makes it more secure than anything else? Keep in mind that OSX is based on FreeBSD so the "extreme minority" concept may not apply to it.
Not any, but likely most
Do you have any detail to back up your assertion that it is safe to buy a PC from any manufacturer? From what I've seen, DELL and HP and Gateway and various other PC builders load every system up with crapware -- that doesn't sound particularly secure to me.
Again, usually it would be. It seems like software is typically the vector of attack. Hardware much less often comes with built-in vulnerabilities.
Got any backup? I find your comment encouraging but unless it's backed up with some sources, I'm inclined to be skeptical.
The parent's point is about the millionth time that same joke is made and provides no useful advice to address the real world. Here's one of the original questions:
Is it even safe to buy individual computer components and assemble one's own machine?
solidraven makes his poor (and unoriginal) joke without actually providing any useful detail about how to insure hardware security. It really bothers me how people should "PARANOIA!" and then make the same joke as everyone else without actually trying to provide any useful advice.
In the end, if the computer has human accessing it -> that's your weakest link most likely.
While I appreciate there are a lot of folks here on/. that consider the security of the facility itself, my intent was to learn more about preventing exploits in a networked computer workstation -- and ignoring for a moment the possiblity that someone might appear in my office and tamper with the machine. I agree that "social engineering" is a substantial threat--especially when the users are your typical technically illiterate types like my parents -- but am not sure that it is the weakest link in my case. I'm more concerned about insuring that my hardware and drivers and operating system are completely free of exploits and reasonably free of security holes.
I don't know. We were told it was, and checking it wasn't my job. I observed that it was a metal door with a flexible metal seal all the way around. Other than that, I didn't think about it.
See, that's the funny bit I think. In practice, nobody considers the details beyond their purview. Personally, I don't expect I'll be writing any motherboard firmware to acquire security. I do hope to understand what security-minded folks do at certain stages to gain a practical understanding of end-to-end security. It's kind of like learning what a transistor or flip-flop is in a computer science course. I have never once since college built a logic circuit using ICs, but it is helpful (and profitable) to understand how they work.
Thanks for this anecdote. It's a lot more interesting (and useful) than all the jokers talking about unplugged computers.
How did data come "out" -- obviously USB drives can present significant risk these days. Also, were there any protocols in place to validate your hardware? Any special operating systems in use that are considered more secure than others? Any details you can provide would be much appreciated.
The question is only rhetorical if you make the same assumptions as an autistic person or a pedant. Obviously the computer will be used for something. You are correct in that I did not specify that I want the machine to be networked. Please use these assumptions:
* computer has to be ON (I cannot believe I have to specify this)
* computer will be used for software development and will handle sensitive data
* I'm hoping for answers that apply both to server and workstation environments
* Computer will be networked and, where possible, will use secure versions of required protocols (e.g., HTTPS, SSH, etc.)
FINALLY! A helpful post with some reasonable, practical advice.
Potentially use hardware where you can review the firmware/bios if possible
Any thoughts on where one might obtain such hardware? I've heard folks suggest Arduino.
HW firewall "integrated" to the motherboard, motherboard network connectors are removed and hardwired to this HW firewall, so that even a skilled person would require atleast 20mins to bypass the HW Firewall
Never heard of a HW firewall -- can you suggest any vendors or places to purchase such a thing?
Disk drives and CPU needs cooling, so CPU heatsink could use heat transfer glue to the CPU and super epoxy from the sides on to the motherboard. Disk drives can have little spacing with the super epoxy.
Is it too much of a stretch to assume that I might want to use this computer for something useful involving sensitive information? Or that I might need to network said workstation for the purpose of interacting with the Internet? I realize the original question doesn't say this, but the fact that there's not a single post yet that assumes this is more than a little frustrating.
Make sure your computer has a "trusted bootloader" that only runs "trusted applications" and that nothing is installed on it that is not needed.
So far, this is the only useable response I've seen to my initial question. On the other hand, I did say "truly secure" which is what likely triggered all these useless responses intended as comedy. Garbage in, garbage out.
If I could reformulate the question, it might be something more like, "How do you secure a workstation when you know you will be connected to the Internet for the purpose of developing internet-enabled applications?" I was rather hoping for reasonable and practical advice rather than "unplug the computer" or "put it in a Faraday cage" etc.
Having asked this question a few different places, it occurs to me that I'm wondering first about one's hardware. I like to build my own PCs from ASUS mobos and other components I buy from newegg. Can anyone suggest any reasonable, practicable procedures to make sure one's hardware is at least safe?
mod parent up. if people want to do genetic experiments, let them experiment on themselves, not us salmon-eaters.
Reminds me of a story by the way. A girl I met claimed that she met Jimmy Page and Robert Plant in a bar in Cambridge, MA ("Shay's) and, doubting that she even knew who they were, I told her I didn't believe her. I said, "how did you know it was them?" and she related the following conversation:
Girl: OMG! Jimmy Page and Robert Plant?? What are you guys doing here?
Robert Plant: Would you believe me if I told you we were fishing for salmon?
Girl: Um, I guess but I don't think you are going to catch any salmon in here.
Robert Plant: What if I told you we were fishing with very long rods?
FUD my ass. FUD is typically propagated by some political or corporate entity to undermine an opposing idealogy or business. In this case, I fail to see any political or business entity that would oppose such a move. I think you might be better off calling us naysayers luddites or technophobes or something. FUD is a tool of enfranchised groups. E.g, people who can genetically engineer fish.
Given the fact that it causes vastly accelerated growth, I can't wait to hear about epidemics of pituitary problems, gigantism, and diabetes that follow in human species years after this fish appears in supermarkets. Or perhaps the fish cause havoc to related ecosystems when *one single female fish becomes fertile* and starts to have fertile offspring.
This is a fucking piss-poor idea. What the hell is wrong with ordinary fish?
Slashdot Mirror
From a security perspective, it's my feeling that OSS is a better starting point if you really want security for the simple reason that you can browse and compile the source code yourself from scratch.
True, but I think the OP was talking about something that was connected to the outside world/internet.
I was. Thank you for reading between the lines.
For instance, you can disable the USB ports and remove the CD and floppy drive from your machines. Then just and run them as terminals. No issues with flash drives or CDs. Then you can of course nuke all internet browsing.
Does anyone actually do this on their day-to-day workstation? It's been my experience that one must constantly browse the web to browse documentation, to seek support from tech support or forums, to send email, etc.
I was rather hoping for information like "to get clean, exploit-free mother boards, buy from special Vendor X" or "to check for malware on a Pen drive perform procedure Y".
Hm....any suggestions on where one might find trustworthy flash memory? I have this unshakeable suspicion that USB pen drives are trouble.
In any case, the security folks have often told us that binary-only software should always be treated as insecure. If you want any sort of security, you only install software for which you have the source, and which you've compiled yourself. And yes, this includes the compilers. (And yes, I've read Ken Thompson's classic article on the topic. If you haven't, you don't understand software security. ;-)
This sounds reasonable. Do you have a link to the Thompson article?
I've seen many folks saying "the user is the problem" but do we have more than just the assertion to back that up? I.e., does anyone have actual stats on the nature and frequency of these various possible attack vectors:
* hardware hack (e.g., physical system access and hardware alteration, counterfeit chips with back door, etc.)
* software exploit
* social engineering
You do have a good point -- namely that the enterprise of creating all the hardware necessary for a single computer is just too much for any one person to reasonably accomplish and still be productive at whatever their day job happens to be. With that in mind, it would probably be wise to create some kind of risk profile for the various aspects of computer security -- address the gaping holes before you start worrying about the really difficult exploits.
I've asked this question before and the answers I get usually refer me to really simple instructions for technically illiterate types:
* don't click on sketchy links in email messages
* pick a good password
* install antivirus software
* use a firewall
Does anyone know where to find good stats on attack vectors? Something like this, but which also quantifies hardware and social engineering risks: http://cwe.mitre.org/data/index.html
Thanks for the link! Schneier is the man.
Any addition of logic will be noticeable.
Noticeable by whom? When a chip arrives at your door, it could be delivered by anyone -- and to inspect the circuitry would require you to take the IC apart, wouldn't it?
I think it's entirely reasonable to question whether one's CPUs are safe or not -- and this is what I meant to do in the original question. What I was hoping to learn is how we might assess this risk and develop steps to mitigate or avoid the risk e.g., by choosing certain manufacturers or by funding experts to validate circuit design.
I'm not sure I follow your post exactly. I'm guessing that you are talking about the futility of using software to scan for exploits in a circuit design. And yes, it might be hard to find an exploit in a circuit design that has billions of transistors. It would be nice if we could at least come to some understanding of the relative risk of software exploits vs. hardware exploits. I think we'd all agree that software exploits are much more common. On the other hand, a nation state with the resources of the US or China might be able to hide an exploit in the 1.2 billion transistors on an 8-core chip.
Who watches the watchers?
I think this post contributes a lot to the discussion -- especially your point about it being difficult to even get an IC working. A couple of things occur to me:
* The designer might be the one attempting to insert the exploit
* Most folks are not circuit designers and could not make heads or tails of the circuit diagram or the circuit itself.
I would agree that building an exploit into hardware sounds really tough and expect that it would be easily detected as a large ROM on the IC. I further agree that firmware/software are much more likely to contain an exploit. Is there any way we might quantify this relative risk? Or establish some criteria to evaluate the trustworthiness of a hardware manufacturer? You may recall this link from the original article:
http://www.cnbc.com/id/49032374/Computers_in_China_Sold_PreInstalled_With_Malware_Says_Microsoft
While some might call you paranoid, I appreciate the pragmatism expressed in your post. I agree that we shouldn't live in a shoebox. Is there any way that we can begin to rank the security of hardware vendors? That no such "trust ranking" exists seems surprising to me. It's one thing to damn all the risk involved, another to suggest solutions.
Yes. (The U.S. government can do anything. Your only recourse if they do something wrong is to sue them. Suing them typically takes years of time and hundreds of thousands of dollars for you. Thus, in a practical sense no one really has any firm rights any longer because the system in charge of correcting breaches to those rights is not accessible or swift for an average citizen using it.)
It may not cost you hundreds of thousands of dollars if you can get the EFF or the ACLU on your side, but you are basically correct. Do you have any advice about how to secure data loaded into the cloud? Obviously, encryption comes to mind, but it would be helpful to have some discussion about techniques. If you are using compute instances allocated by a cloud (e.g., Amazon EC2 or Rackspace, etc.) then the means of decryption may also exist in the cloud which doesn't provide you any protection. Got any tricks to share?
Use FreeBSD or other extreme minority operating system.
I've seen numerous people recommend FreeBSD. What's so special about FreeBSD that makes it more secure than anything else? Keep in mind that OSX is based on FreeBSD so the "extreme minority" concept may not apply to it.
Not any, but likely most
Do you have any detail to back up your assertion that it is safe to buy a PC from any manufacturer? From what I've seen, DELL and HP and Gateway and various other PC builders load every system up with crapware -- that doesn't sound particularly secure to me.
Again, usually it would be. It seems like software is typically the vector of attack. Hardware much less often comes with built-in vulnerabilities.
Got any backup? I find your comment encouraging but unless it's backed up with some sources, I'm inclined to be skeptical.
Thanks for your comment.
Is it even safe to buy individual computer components and assemble one's own machine?
solidraven makes his poor (and unoriginal) joke without actually providing any useful detail about how to insure hardware security. It really bothers me how people should "PARANOIA!" and then make the same joke as everyone else without actually trying to provide any useful advice.
In the end, if the computer has human accessing it -> that's your weakest link most likely.
While I appreciate there are a lot of folks here on /. that consider the security of the facility itself, my intent was to learn more about preventing exploits in a networked computer workstation -- and ignoring for a moment the possiblity that someone might appear in my office and tamper with the machine. I agree that "social engineering" is a substantial threat--especially when the users are your typical technically illiterate types like my parents -- but am not sure that it is the weakest link in my case. I'm more concerned about insuring that my hardware and drivers and operating system are completely free of exploits and reasonably free of security holes.
I don't know. We were told it was, and checking it wasn't my job. I observed that it was a metal door with a flexible metal seal all the way around. Other than that, I didn't think about it.
See, that's the funny bit I think. In practice, nobody considers the details beyond their purview. Personally, I don't expect I'll be writing any motherboard firmware to acquire security. I do hope to understand what security-minded folks do at certain stages to gain a practical understanding of end-to-end security. It's kind of like learning what a transistor or flip-flop is in a computer science course. I have never once since college built a logic circuit using ICs, but it is helpful (and profitable) to understand how they work.
Thanks for this anecdote. It's a lot more interesting (and useful) than all the jokers talking about unplugged computers.
How did data come "out" -- obviously USB drives can present significant risk these days. Also, were there any protocols in place to validate your hardware? Any special operating systems in use that are considered more secure than others? Any details you can provide would be much appreciated.
Thanks for the completely useless (and not particularly original) post!
The question is only rhetorical if you make the same assumptions as an autistic person or a pedant. Obviously the computer will be used for something. You are correct in that I did not specify that I want the machine to be networked. Please use these assumptions:
* computer has to be ON (I cannot believe I have to specify this)
* computer will be used for software development and will handle sensitive data
* I'm hoping for answers that apply both to server and workstation environments
* Computer will be networked and, where possible, will use secure versions of required protocols (e.g., HTTPS, SSH, etc.)
Potentially use hardware where you can review the firmware/bios if possible
Any thoughts on where one might obtain such hardware? I've heard folks suggest Arduino.
HW firewall "integrated" to the motherboard, motherboard network connectors are removed and hardwired to this HW firewall, so that even a skilled person would require atleast 20mins to bypass the HW Firewall
Never heard of a HW firewall -- can you suggest any vendors or places to purchase such a thing?
Disk drives and CPU needs cooling, so CPU heatsink could use heat transfer glue to the CPU and super epoxy from the sides on to the motherboard. Disk drives can have little spacing with the super epoxy.
How does this relate to security? Please explain
Thank you for the thoughtful, practical advice.
Is it too much of a stretch to assume that I might want to use this computer for something useful involving sensitive information? Or that I might need to network said workstation for the purpose of interacting with the Internet? I realize the original question doesn't say this, but the fact that there's not a single post yet that assumes this is more than a little frustrating.
Make sure your computer has a "trusted bootloader" that only runs "trusted applications" and that nothing is installed on it that is not needed.
So far, this is the only useable response I've seen to my initial question. On the other hand, I did say "truly secure" which is what likely triggered all these useless responses intended as comedy. Garbage in, garbage out. If I could reformulate the question, it might be something more like, "How do you secure a workstation when you know you will be connected to the Internet for the purpose of developing internet-enabled applications?" I was rather hoping for reasonable and practical advice rather than "unplug the computer" or "put it in a Faraday cage" etc. Having asked this question a few different places, it occurs to me that I'm wondering first about one's hardware. I like to build my own PCs from ASUS mobos and other components I buy from newegg. Can anyone suggest any reasonable, practicable procedures to make sure one's hardware is at least safe?
mod parent up. if people want to do genetic experiments, let them experiment on themselves, not us salmon-eaters.
Reminds me of a story by the way. A girl I met claimed that she met Jimmy Page and Robert Plant in a bar in Cambridge, MA ("Shay's) and, doubting that she even knew who they were, I told her I didn't believe her. I said, "how did you know it was them?" and she related the following conversation:
Girl: OMG! Jimmy Page and Robert Plant?? What are you guys doing here?
Robert Plant: Would you believe me if I told you we were fishing for salmon?
Girl: Um, I guess but I don't think you are going to catch any salmon in here.
Robert Plant: What if I told you we were fishing with very long rods?
[sarcasm] Let the market handle it [/sarcasm]
FUD my ass. FUD is typically propagated by some political or corporate entity to undermine an opposing idealogy or business. In this case, I fail to see any political or business entity that would oppose such a move. I think you might be better off calling us naysayers luddites or technophobes or something. FUD is a tool of enfranchised groups. E.g, people who can genetically engineer fish.
Given the fact that it causes vastly accelerated growth, I can't wait to hear about epidemics of pituitary problems, gigantism, and diabetes that follow in human species years after this fish appears in supermarkets. Or perhaps the fish cause havoc to related ecosystems when *one single female fish becomes fertile* and starts to have fertile offspring. This is a fucking piss-poor idea. What the hell is wrong with ordinary fish?