You're basically right. However...
I've got to wonder if it's possible for the chipset to starve the kernel of randomness as well, by making the timing of data flows more regular. These days, the chipset maker is usually the same as that for the CPU.
It seems like that would be detectable (and would degrade system performance, too)... but would they try it?
...there's bigger issues at[sic] foot with things like microcode.
RDRAND is the bigger issue because trying to validate RNG output is essentially impossible. OTOH, most other types of CPU output are easily verifiable, and any accidental triggering (easy to do in a general-purpose part put into thousands of different configurations and applications) of surreptitious behavior in some CPUs would eventually happen under the watch of people who know how to detect and single out discrepancies (i.e. there's too high a risk that other types of tampering would show, especially when most environments are bound to have significant numbers of both compromised and non-compromised CPUs).
AES belongs in the verifiable category: give different AES implementations the same (random-seeded) input, and you should get identical output. It's nothing like random number harvesting in that regard.
I agree with Linus' take that XOR'ing RDRAND with the rest doesn't compromise the kernel's random output -- it can only push it toward more randomness, not less -- though that relies on one reasonable assumption: that the chipset is not rigged somehow to reduce the randomness of the timings of data flows. I believe there is very little room for tampering here (after all, it would not do to cause large delays or even screw up data in the process), and the difference in the raw data's quality should be detectable.
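A toy model of the two claims in the comment above, as an added example (it is not from the thread and does not describe any real RDRAND implementation): a backdoored generator built from SHA-256 in counter mode under a constructed vendor secret passes the same frequency test as os.urandom yet is fully predictable to whoever holds the secret; XOR-mixing it with an independent source gives the pool at least that source's unpredictability; and the "not rigged" assumption the comment names is made concrete by hardware that can see the other pool input and choose its output to cancel it. VENDOR_SECRET and all function names are hypothetical.

```python
"""Toy model of the RDRAND mixing argument (added example, not from the thread).

The "rigged" generator is a constructed stand-in for a backdoored hardware RNG:
SHA-256 in counter mode under a vendor secret. It is not a description of any
real RDRAND implementation.
"""
import hashlib
import os
import secrets

# Constructed vendor secret (hypothetical): whoever knows it can reproduce every byte.
VENDOR_SECRET = b"hypothetical-vendor-secret-00042"


def rigged_rdrand(secret: bytes, nbytes: int) -> bytes:
    """Deterministic stream: SHA-256(secret || 64-bit counter). Looks random to
    anyone without `secret`; fully predictable to anyone with it."""
    out = bytearray()
    block = 0
    while len(out) < nbytes:
        out += hashlib.sha256(secret + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:nbytes])


def predict_next(secret: bytes, already_emitted: int, nbytes: int) -> bytes:
    """The vendor's view: knowing how many bytes the device has handed out so
    far, produce the next `nbytes` before the device does."""
    return rigged_rdrand(secret, already_emitted + nbytes)[already_emitted:]


def monobit_z(data: bytes) -> float:
    """Frequency (monobit) statistic: z-score of the number of 1 bits.
    |z| above ~3 would flag a bias. A keyed hash stream passes exactly like
    true randomness, which is why output inspection cannot catch a backdoor."""
    nbits = len(data) * 8
    ones = sum(bin(b).count("1") for b in data)
    return (2 * ones - nbits) / (nbits ** 0.5)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def mix_pool(hw_bytes: bytes, other_entropy: bytes) -> bytes:
    """The XOR argument: if `other_entropy` is independent of `hw_bytes`, the
    result is at least as unpredictable as `other_entropy` alone, however bad
    `hw_bytes` is. Knowing `hw_bytes` strips it off and leaves exactly the other
    source, no more and no less."""
    return xor_bytes(hw_bytes, other_entropy)


def colluding_hw_output(target: bytes, observed_other_entropy: bytes) -> bytes:
    """The assumption made concrete: hardware that can SEE the other pool input
    (e.g. by shaping or observing the timing-derived bytes) can emit
    target XOR other, so the mixed pool becomes whatever `target` it chose."""
    return xor_bytes(target, observed_other_entropy)


def demo() -> dict:
    hw = rigged_rdrand(VENDOR_SECRET, 8192)
    real = os.urandom(8192)
    independent = secrets.token_bytes(8192)   # stands in for timing-derived entropy
    mixed = mix_pool(hw, independent)
    chosen = b"\x00" * 8192                   # what colluding hardware wants the pool to hold
    colluding = colluding_hw_output(chosen, independent)
    return {
        "z_rigged": monobit_z(hw),             # both z-scores sit in the same normal range
        "z_real": monobit_z(real),
        "vendor_predicts": predict_next(VENDOR_SECRET, 4096, 64) == hw[4096:4160],
        "mixed_strips_to_independent": xor_bytes(mixed, hw) == independent,
        "colluding_forces_pool": mix_pool(colluding, independent) == chosen,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The frequency statistic is the point of the first half: no test on the output alone separates a keyed PRF from true randomness, which is what makes RNG output the unverifiable case, whereas a cipher like AES can be checked against published known-answer vectors. The last function is the comment's own caveat in code: XOR mixing is only as good as the independence of the two inputs.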
Aside from codename coincidence is there objective evidence RdRand is compromised?
Myopic much? The objective evidence points to American vendors intentionally compromising their crypto features.
Intel is somehow above this?! You -- and Intel -- prove it to us.
Also we have only scratched the surface of Snowden's claims. The pattern seems to be: Government denies, Snowden proves them to be liars, Government denies, Snowden proves them to be liars.
OK then, keep in mind Snowden is saying that properly implemented strong encryption is still safe. The OS it rests on might not be safe, but there you have it.
From Wikipedia:
Popular choices for the group G in discrete logarithm cryptography are the cyclic groups (Zp)× (e.g. ElGamal encryption, Diffie–Hellman key exchange, and the Digital Signature Algorithm) and cyclic subgroups of elliptic curves over finite fields (see elliptic curve cryptography).
I don't know if that covers all of the widely-available EC algorithms.
Schneier says that discrete log-based ciphers are preferable for public key encryption.
I think that is a reference to ElGamal. The only reason I know this is because that is the public cipher used by I2P, which along with the 2048-bit key size makes I2P look a lot more secure than Tor right now.
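ElGamal and Diffie-Hellman in the group the Wikipedia excerpt names, the prime-order subgroup of (Zp)× for a safe prime p = 2q + 1, as an added example for this thread (it is not I2P's implementation and not the poster's code). The prime is generated at run time and kept to 256 bits so the file runs in about a second; real deployments use 2048 bits or more, as the comment says. It also shows the two pitfalls a practitioner would check for: encoding messages into the subgroup so a ciphertext does not leak the plaintext's Legendre symbol, and the malleability of textbook ElGamal.

```python
"""ElGamal and Diffie-Hellman in the order-q subgroup of (Z_p)^x, p = 2q + 1.
Added example for this thread; not I2P's code. Toy key size (256-bit p)."""
import secrets


def is_probable_prime(n, rounds=32):
    """Miller-Rabin, after trial division by a few small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits):
    """Return (p, q) with p = 2q + 1 and both prime; p is exactly `bits` long."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def subgroup_generator(p):
    """Squaring any h in [2, p-2] lands in the quadratic residues, which form the
    subgroup of prime order q; every non-identity element of it is a generator."""
    while True:
        g = pow(secrets.randbelow(p - 3) + 2, 2, p)
        if g != 1:
            return g


def encode(m, p, q):
    """Map 1 <= m <= q into the subgroup. Since p = 3 (mod 4), -1 is a non-residue,
    so exactly one of m and p - m is a quadratic residue. Without this step a
    ciphertext leaks whether m is a residue (one bit of plaintext)."""
    if not 1 <= m <= q:
        raise ValueError("message must be in [1, q]")
    return m if pow(m, q, p) == 1 else p - m


def decode(M, p, q):
    return M if M <= q else p - M


def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1       # private exponent in [1, q-1]
    return x, pow(g, x, p)                 # (x, y = g^x mod p)


def encrypt(p, q, g, y, m):
    k = secrets.randbelow(q - 1) + 1       # fresh per message; reuse is fatal
    return pow(g, k, p), (encode(m, p, q) * pow(y, k, p)) % p


def decrypt(p, q, x, c1, c2):
    shared = pow(c1, x, p)                 # c1^x = g^(kx) = y^k
    M = (c2 * pow(shared, p - 2, p)) % p   # divide by y^k (Fermat inverse)
    return decode(M, p, q)


def dh_shared(p, x_own, y_peer):
    """Diffie-Hellman in the same group: g^(ab) from own private and peer public."""
    return pow(y_peer, x_own, p)


def demo(bits=256):
    p, q = gen_safe_prime(bits)
    g = subgroup_generator(p)
    x_a, y_a = keygen(p, q, g)
    x_b, y_b = keygen(p, q, g)
    m = 0xDEADBEEF
    c1, c2 = encrypt(p, q, g, y_a, m)
    return {
        "roundtrip": decrypt(p, q, x_a, c1, c2) == m,
        # multiplying c2 by g changes the decrypted message without the key:
        "malleable": decrypt(p, q, x_a, c1, (c2 * g) % p) != m,
        "dh_agree": dh_shared(p, x_a, y_b) == dh_shared(p, x_b, y_a),
        "in_subgroup": pow(g, q, p) == 1 and pow(y_a, q, p) == 1,
    }


if __name__ == "__main__":
    print(demo())
```

The `malleable` result is why ElGamal on its own is not an authenticated scheme: anyone can multiply the second ciphertext component by a group element and shift the plaintext. Systems built on it wrap it around a symmetric layer and authenticate, rather than sending raw ElGamal blocks.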
Second is that the NSA have broken any common encryption scheme. So if you use the common ones they might as well be plaintext. But if you are able to use open-source, obscure encryption schemes then you stand a chance.
No. You're painting with an overly-broad brush. There is a huge difference between "any common encryption" and 1024-bit RSA plus cellphone encryption schemes. 2048-bit RSA, ElGamal, AES, Serpent, Twofish and others deemed "strong" show no signs of being cracked, not even in the recent NSA revelations.
There is a Chrome plugin now, called Mailvelope, soon for Firefox. Complete GPG on the client side. Not by Google, though. Seems to work, but as ever, can you get all friends and family to use it?
Regular PGP over email still leaves the message metadata out in the open. The messages have to be transmitted over an anonymized layer using something like I2P-Bote if the who, when, where of the messages is to be secured -- at that point PGP becomes moot.
I2P is better for sharing media files than Tor or a VPN, and it's included with TAILS. It has both iMule and BitTorrent, and it has played an anti-censorship role in North Korea. You can also change the hops setting to improve the speed if you don't need as much anonymity; the full number of hops can be kind of slow.
http://geti2p.net/
No doubt, when there is another (non-sports) riot in the UK there will be a network clampdown.
That's why TAILS comes with I2P built-in... Like Tor it can get around censorship, but it's more robust and can handle multimedia torrents and such. Mere VPNs are not a very smart way to share stuff because IPs can be so tightly linked with identity. On I2P, you can share stuff with friends, having the traffic-mixing benefits of both onion routing and P2P, and if the default isn't fast enough then you can reduce the number of hops for a speed boost and still have more anonymity than a VPN can provide.
And here I thought all the security through obscurity advocates had left /. a decade ago.
To be useful with networks and data from the outside world, I think an individual coder would make a lot of the same mistakes that were common in recent history. Don't bet on it being able to withstand a good fuzzing.
I think you're using an inanely narrow definition of trust. You can 'trust' yourself to the point of suffering delusions of grandeur; it's as much about capability as intention.
He was just comparing features, and didn't mean to imply that Apple's was better because it's proprietary.
A person would have to be absolutely arrogant to trust themselves alone to effect a secure environment. No one is that good, unless we are talking about "secure" systems that are essentially non-functional.
That's why we have communities of open source developers. Many minds and eyeballs enable a more comprehensive view of security, especially when they are watching changes incrementally accumulate. I think it is much harder to get even subtly surreptitious malware past developers this way.
The other way, you're either coding a whole OS by yourself and are left with something too simplistic to be useful, or you're relying on proprietary vendors that are now known to be in the business of playing "Oops, we didn't mean to insert that hole... we'll have a patch for you in a couple weeks" on behalf of spies.
... and we know for a fact that those late-model systems don't have compromised hardware, because the CPU and platform system tapeouts are open source. Don't we?
We don't know this. But a scheme like QubesOS vastly reduces the number of components that require trust; both hardware and software.
And let's be clear here: by "trust", we are all referring not only to a lack of intentional betrayal, but also to the competence of people who write, engineer and distribute systems. Knowing that nothing is perfect, security is not a boolean, so it's a matter of who you trust to give you the greater degree of privacy and security.
http://qubes-os.org/trac/wiki/QubesArchitecture
Compartmentalize the high-risk parts of the OS (like network and X11) into separate VMs that each get access to only the hardware they need via the IOMMU.
Then you make it easy to use the hypervisor to graphically create separate color-coded domains: personal info, banking etc. go into one domain; work-related stuff into another; general browsing and other higher-risk stuff go into a third. The app windows from each of these "app domains" appear with the corresponding border color.
If your network stack becomes compromised, the infection goes away when you reset the netVM or reboot the system. Same goes for the display, and for the disposable app VMs. Theoretically, nothing should be able to touch your Dom0 hypervisor or your other domains... or at least that task becomes extremely difficult for an attacker.
You need certain late-model systems to take advantage of these security features, though.
Who are you talking about??
It can be yourself or whoever. If none of the pre-printed choices on the ballot are satisfactory, then write someone in. That is the surest way to tarnish the establishment's democratic halo. Staying at home just tells the world you're lazy or apathetic.
And don't be fooled about the president's power. Why do you think Republicans have used their gerrymandered privilege to block him? They don't represent the people, and they want all the bad things the president wants and then some... under *their* banner and generating revenue and power for *their* lily-white relatives and neighbors.
Gerrymandering needs to be abolished just about more than anything.
Don't just use Tor and I2P for meaningful data transfer.
A range of tools and approaches are needed to have a resilient movement against a police state.
FWIW, each I2P user does act as an onion router. That means lots of multiply-encrypted traffic from random people at different layers of the onion is flowing through your system alongside your own traffic.
Think about that.
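What "multiply-encrypted traffic at different layers" means in code, as an added example for this thread (it is not the I2P project's code and does not reproduce I2P's tunnel or garlic-routing protocol): a three-hop onion where each relay holds one key, peels one layer, learns only the next hop, and forwards an inner blob it cannot read. The stream cipher is a toy built from SHA-256 with no authentication, used only so the file runs without third-party libraries; the relay names and keys are constructed.

```python
"""Three-hop onion wrapping (added example, not I2P's protocol).
Each relay strips exactly one layer and sees only who comes next."""
import hashlib
import json
import secrets

NONCE_LEN = 12


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR with SHA-256(key || nonce || counter) blocks.
    Symmetric, so the same call wraps and unwraps a layer. Unauthenticated."""
    stream = bytearray()
    ctr = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def build_onion(path, payload: bytes) -> bytes:
    """`path` is a list of (relay_name, relay_key), first relay to exit.
    Wrap from the inside out so the exit's layer ends up innermost; the layer
    for relay i carries the name of relay i+1 (None at the exit)."""
    blob = payload
    for i in range(len(path) - 1, -1, -1):
        _name, key = path[i]
        next_hop = path[i + 1][0] if i + 1 < len(path) else None
        plain = json.dumps({"next": next_hop, "inner": blob.hex()}).encode()
        nonce = secrets.token_bytes(NONCE_LEN)
        blob = nonce + keystream_xor(key, nonce, plain)
    return blob


def peel(key: bytes, blob: bytes):
    """Everything one relay can do with its own key: recover the next hop and
    the inner blob. With the wrong key the layer is noise and nothing parses."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    try:
        layer = json.loads(keystream_xor(key, nonce, ct).decode())
        return layer["next"], bytes.fromhex(layer["inner"])
    except (ValueError, KeyError, TypeError):
        return None, None


def route(path, payload: bytes):
    """Push the onion through every relay in order, recording each relay's view."""
    blob = build_onion(path, payload)
    views = []
    for name, key in path:
        next_hop, inner = peel(key, blob)
        views.append({
            "relay": name,
            "sees_next": next_hop,
            "sees_plaintext": inner == payload,   # only the final hop gets the payload
        })
        blob = inner
    return blob, views


if __name__ == "__main__":
    # Constructed path: two intermediate relays and an exit, each with its own key.
    demo_path = [("relayA", secrets.token_bytes(32)),
                 ("relayB", secrets.token_bytes(32)),
                 ("exit", secrets.token_bytes(32))]
    delivered, relay_views = route(demo_path, b"hello over three hops")
    print(delivered)
    for view in relay_views:
        print(view)
```

The `sees_next` column is what the comment is pointing at: a relay in the middle knows its predecessor and successor and nothing else, while the blob it forwards is still two layers of ciphertext. Traffic from other users wrapped the same way is indistinguishable from your own at that relay.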
One of self-interest.
One based on the assumption that the other side to a data exchange is hostile.
One assuming that intermediates can not be trusted.
We have onion networks like I2P and (weak) Tor for that. But you left out an important component...
The assumption of hostility/mistrust should be the default stance, but you must be able to use the network to build trust. It must also have strong pseudonymity to allow you to maintain a presence while controlling how much about yourself you want to reveal.
I2P-Bote is decentralized (unlike the now defunct Tormail) and doesn't expose metadata because it uses onion routing. It's end-to-end secure and anonymous.
The simple truth is: To avoid being caught up in mass surveillance, people need to specify to their associates to use such tools for contacting them.
Conflating a "war" on poverty with real police and military assault is despicable.
Tor is good for web pages and little else. I2P is designed to handle everything from P2P filesharing to voice to email; IOW, it's a secure+anonymous (really pseudonymous) layer for IP. If people want to conduct their personal lives and business without the online spying, they need to start articulating what tools are necessary to continue communications. I believe I2P is just such a tool (indeed, the one that the other privacy-enhancing tools are based on). Tell people you know to contact you through your I2P address instead.
The other major problem to solve is the OS re: how open and robust it is against network exploits. Qubes OS is currently the best of breed for desktops. It's a unique combination of Xen and Fedora Linux that marshals some newer hardware VM features to keep threats at bay.
Maybe we need to bring back a modernized, encrypted UUCP?
Fiddle around with this: http://geti2p.net/