Slashdot Mirror


User: rdl

rdl's activity in the archive.

Stories: 0
Comments: 95

Comments · 95

  1. "havenco" has been hosted in London since 2003 on Has HavenCo's Data Haven Shut Down? · Score: 3, Interesting

    HavenCo moved all customer servers to London sometime after I left, in 2003. Supporting evidence for this, besides traceroutes, is that the big fire, which destroyed generators and other equipment on Sealand, did not affect the servers at all. Either you believe they had enough UPS capacity to ride out a multi-month power outage, or ...

    (the 1ms ping times from routers in London are also a good sign...)

  2. Flash 10 RC 32-bit Linux sucks less on Why Is Adobe Flash On Linux Still Broken? · Score: 1

    I've been pretty disappointed with flash on linux from version 7 through most of the 10 betas, but the latest 10 release candidate (out for a week or so) has actually been stable and fairly speedy.

    The main thing I'm looking forward to is Speex encoding on the client; death to NellyMoser Asao!

  3. Re:Actually, this really could be legitimate... on USAF Counter-Terror Funds Buy "Comfort Capsules" · Score: 1

    Yeah, you're right about them using commercial resources where appropriate.

    An individual traveler just takes the DIRECT United flight in C/F from IAD-KWI, then does a military hop, unless he's a top VIP, in which case he flies on a VC aircraft, dedicated, to a base in Kuwait, Doha, or Bahrain or somewhere and then switches to a tactical aircraft. (also, someone with an entourage is more likely to use a VC, or otherwise conducting meetings/business en route)

    I really don't see a VIP taking a C-17, even in a luxo-box onboard, from CONUS to the CENTCOM AOR (with 1-2 fuel stops) all the way to a base in Iraq.

  4. Re:Actually, this really could be legitimate... on USAF Counter-Terror Funds Buy "Comfort Capsules" · Score: 3, Informative

    Wrong. Troops fly military charter (airlines like World Airlines, ATA, etc., flying B747/767/etc.) to Kuwait, and then C-130 or C-17 from Kuwait to Iraq.

    It is illegal for US troops to fly on foreign-flagged aircraft (DOD policy). It is also illegal for US-flagged commercial/charter operators to fly into Iraq (FAA policy).

    I've personally flown on just about every kind of aircraft in and out of Iraq/etc., including non-US flagged crappy old Russian charters, commercial non-US airlines, and all manner of military aircraft.

    It's true that charter is about cost savings OUTSIDE Iraqi airspace. It's also about limited tactical aircraft asset availability, and keeping them for cargo and other critical missions.

    (military cargo ALSO/often flies in on Russian aircraft, operated by charter carriers; it's just PAX and special cargo (munitions, sensitive items, bodies, etc.) which have to fly on US flagged aircraft)

  5. blackberry 8820 + commercial ssh client on Smartphones For Text SSH Use — Revisited · Score: 1

    I use a BlackBerry 8820 with BES, and the Rove Mobile/Idokorro SSH client. With T-Mobile, for $65/mo, you can have unlimited GLOBAL roaming. Plus, use an 8820 and have 802.11g and GPS. I use the BES (device to my-network AES crypto) to do IP ACLing, and use ssh keys on the phone for access control, plus passphrases.

    The BlackBerry now supports a smartcard Bluetooth reader so you could fairly easily rig it to deauthenticate when removed from a short radius of your body. 88xx screen and keyboard are decent -- not perfect.

    I'm looking forward to Android phones with external Bluetooth keyboards, and either a number pad with context-sensitive predictive input, or a QWERTY keypad. The rollup Bluetooth keyboards seem pretty reasonable as input devices. Not sure how many more generations before going straight to a wearable -- 5 tops, maybe 1-2 for early adopters, I think.

  6. Re:Typically self-destruct is bogus... on Encrypted USB Key With TOR, Firefox · Score: 1

    True. Depends on price point, really.

    There's also "designed to meet" vs. "certified". I'd be fine with level 3 cert, designed to meet 4, at least in most areas.

  7. Re:Typically self-destruct is bogus... on Encrypted USB Key With TOR, Firefox · Score: 1

    I think I could put enough capacitor power inside a USB shell to zeroize. The problem is having enough power to continuously monitor, AND protect those batteries well enough that they themselves are not a point of failure.

    DS did this with the iButton, and that can fit inside the USB key form factor.

    You might be able to get an ultracapacitor now which would power tamper-detect/destroy circuits for a few days at a time, and recharge when on USB. I'd be fine with a device which needed to be plugged into USB every few days or it would zeroize.

  8. Re:Useless because of host security on Encrypted USB Key With TOR, Firefox · Score: 1

    You can protect your passphrases with one-time passwords, but can't really protect the data :) If you're viewing your secret mission plans or whatever on a bugged monitor, obviously the secret mission plans might be compromised, even if the one time password is no longer valuable.

    It's a little more difficult to keep changing passphrases for bulk encrypted data stored locally, and a lot of the value of a USB drive vs. network storage is offline or limited-bandwidth use. (otherwise, just store all your sensitive files on an encrypted-disk remote server). There might be an interesting hack to this device where you use S/Key to authenticate to the security IC to unlock the drive each time.

  9. Re:Useless because of host security on Encrypted USB Key With TOR, Firefox · Score: 1

    One of the "swipe" fingerprint readers would be great for this. I think I've seen them in USB key form factor, maybe 1 cm³, and compatible with USB power.

  10. Re:External Password Entry? on Encrypted USB Key With TOR, Firefox · Score: 1

    There's a market for a secure input/output device, logically isolated from the host CPU. If you could put even 2 capacitive switches (top + bottom of a split case) and a tricolor LED on the device, it would be possible to do a lot of interesting stuff. Obviously a pinpad + LCD would be a lot more interesting, but something USB key or at most pager sized which was tamper-evident, had limited CPU/memory, and direct user I/O, plus host I/O, would be great.

    You can kludge this now by using a cellphone + Bluetooth + laptop, but as far as I know no one really makes a secure (X9.9 would be great) device like this. The pinpads for POS applications are close, but not generally designed for mobile use, or for end users, and no one has put interesting security apps on them.

  11. Re:Crap. on Encrypted USB Key With TOR, Firefox · Score: 1

    We're pretty good at depotting, and attacking even salted ICs :) (really, anyone who does design/test on milstd devices or avionics gets good at this just from debugging, but there are people who specialize in extracting keys from devices...)

    Any info on which foundry/process/etc.? I assume at the $149 price point it's a custom chip.

  12. Re:High-Speed TOR Network on Encrypted USB Key With TOR, Firefox · Score: 1

    If you'd provide some subset of your TOR servers for the general public TOR network as well, I'm sure you'd get a lot of community goodwill. If you put them all in the same "family" you could assume no one outside of IronKey users will use SOLELY IronKey servers, so your bandwidth impact should be fairly acceptable. Maybe also have a different exit route policy for IronKey users (I'd pay extra for SMTP/IRC/etc. access).

  13. Re:Typically self-destruct is bogus... on Encrypted USB Key With TOR, Firefox · Score: 1

    It's epoxy potted, which means you need to break out the dremel and some acid to get to the chips, so I wouldn't reliably say I could get the data off a SINGLE instance of this device, at least not without practicing on some spares first.

    There's a big difference in attacking a one-off device vs. recovering something like the decoder keys from a bluray player where ANY single device is sufficient.

    (I wonder if they potted it more for mechanical durability than for security, however)

    Basically, if it's not FIPS 140-2 Level 4, it's crap. No solely bus-powered device will meet 140-2 level 4.

  14. Re:Useless because of host security on Encrypted USB Key With TOR, Firefox · Score: 5, Informative

    I agree. The best security is to have your own trusted CPU/display/input (i.e. a laptop or pda). This is getting easier all the time -- a PDA or cellphone is close to sufficient for most non-data-entry tasks.

    Failing that, I'd go with something which uses commodity, standard, and commonly available technology at the lowest level possible. It's PROBABLY the case that a DVI monitor is not bugged; much less likely that a random DVI monitor at a net cafe is itself secure than that the host OS is secure.

    The host OS and applications installed are by far the weakest link. I carry a laptop everywhere, but the next step down from that is a bootable USB flash drive with your choice of secured OS installation on it. It's easy enough to implement disk encryption.

    It is also fairly straightforward to use "write only" public key cryptography (i.e. each time you save your work, encrypt it with a public key, the private key for which is held on trusted hardware at home).

    The only customization I'd do to the USB dongle would be for protecting the keying data -- some way to mount a / partition, but have a data partition which is encrypted with PKC held on the USB device, with only the passphrase being entered into the local PC, rather than an actual key entered via the host PC. This in practice only gives you marginally better security, as if you used a hardware-trojaned PC (or vmware installation...) to boot your USB device, that trojaned machine could just copy the relevant data out of your USB key.

    There are a lot of "procedural" ways to improve security with this USB boot thing. Maybe have multiple partitions, each with different keys, per project or security level. If you're at a machine belonging to client A, and need access to client A files, you can stick your USB in a client A machine, boot, and then only unlock the client A partition on the USB. Or if you just need basic secure computing, but not access to your stored files, you could just unlock the OS partitions, leaving your own data partitions encrypted. Or, just buy multiple USB keys, and stick the least important key into the machine that is needed to accomplish your task.

  15. Re:Definitely not broadband on North Pole Gets Wi-Fi Hotspot · Score: 1

    Geostationary satellites don't have coverage at the poles, as you'd need a negative elevation angle (it'd work if you built a many-hundred-mile-high pole for the satellite dish).

    Only LEO constellations (Iridium being the only commercial one which does comms operational today) or polar orbit satellites are suitable.

    Inmarsat is almost entirely GEO-based. Their high speed data service, RBGAN, is only available in certain regions, too. (roughly the same as Thuraya coverage area, since they use the same satellites)

  16. Re:Bart Driverless ? on Las Vegas Monorail Finally Ready To Open · Score: 1

    I guess it's "automated but not driverless", then, if a driver is present in the train and normally not doing anything driverly.

  17. Re:Yipee!!!!! on Las Vegas Monorail Finally Ready To Open · Score: 1

    BART is not driverless.

    The SFO airport airrail thing is driverless.

    The London Docklands Light Rail is driverless.

  18. frequent traveler resources on Websites For The Frugal? · Score: 2, Interesting

    I've found some sites which have really useful information for travel (air, car rental, hotels mainly):

    http://www.flyertalk.com
    http://www.webflyer.com

    Basically, they compare flyer programs, current promotions, and often have discount codes, including ways to get elite tiers on various flyer programs without actually traveling much (such as discount codes offered by a car rental program for gold status, intended for elite-tier members of a partner airline, but which do not check applicants for membership in the airline program).

    I've saved thousands of dollars on car rentals, airfare, and hotels, as well as had much more enjoyable trips (renting an Infiniti G35 for $16/day, for instance) thanks to these sites.

  19. biggest problem with gmail: governmental request on Gmail Commentary and Responses · Score: 4, Interesting

    I have an early gmail account, and have used it a little.

    The most serious concern is the privacy policy itself.

    http://gmail.google.com/gmail/help/privacy.html

    Specifically:
    As a standard email protocol, when you send an email from your Gmail account, Gmail includes your email address and user name in the header of the email. Beyond this, we do not disclose your personally identifying information to third parties unless we believe we are required to do so by law or have a good faith belief that such access, preservation or disclosure is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or governmental request, (b) enforce the Gmail Terms of Use, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues (including, without limitation, the filtering of spam), (d) respond to user support requests, or (e) protect the rights, property or safety of Google, its users and the public.

    "governmental request" means pretty much they'll turn over any information without a subpoena. I suppose for a free service, you get what you pay for.

  20. Re:If you value liberty, boycott CSI on Cybersecurity Firms Form Industry Association · Score: 4, Insightful

    DMCA. CoE requires criminalization of copyright violation and circumvention technology, which is rightly a civil matter. The "information sharing" provisions are also quite disturbing.

    RSA is a great algorithm. RSA is an evil company. Witness the Jim Bidzos threats to Phil Zimmermann, etc. RSA the *company* has set back practical, deployed internet security almost as much, if not more, than Rivest, Shamir, and Adleman advanced it with their algorithms. The whole reason we have fractionalized PGP with 2 vs. 5 is the software patent on RSA (in the US).

  21. If you value liberty, boycott CSI on Cybersecurity Firms Form Industry Association · Score: 4, Informative

    I strongly advocate all those who value liberty boycotting CSI and all member companies.

    Any organization which advocates ratification of the CoE's Convention on Cybercrime is an extreme threat to free speech, liberty, and commerce online.

    Specifically, boycott:
    - BindView Corp.
    - Check Point Software Technologies Ltd.
    - Computer Associates International Inc.
    - Entrust Inc.
    - Internet Security Systems Inc.
    - NetScreen Technologies Inc.
    - Network Associates Inc.
    - PGP Corp.
    - Qualys Inc.
    - RSA Security Inc.
    - Secure Computing Corp.
    - Symantec Corp.

    Thankfully it is easy to boycott all of these companies, since they tend to be evil to begin with.

  22. Re:What a way to kill a career on HavenCo In Trouble? · Score: 1

    It is a big problem, honestly...I'm worried particularly about keeping customer information private during all this to the extent possible...which ironically was one of the proximal causes of this mess.

  23. Re:What a way to kill a career on HavenCo In Trouble? · Score: 4, Interesting

    There is fraudulent business activity to the extent of criminality, which is why it is made public.

    The information I have made public is entirely from public sources, so please read the DefCon talk before making assumptions.

    I've certainly had no shortage of work since leaving HavenCo, and am well respected in the security and networking communities.

  24. Re:DefCon slides on HavenCo In Trouble? · Score: 4, Informative

    http://www.metacolo.com/papers/dc11-havenco/

  25. Re:Why the sudden reversal from Ryan Lackey? on HavenCo In Trouble? · Score: 4, Interesting

    Different YEAR.

    My DefCon 11 talk describes the problems and why I've gone public (I have more responsibility to the public than to HavenCo, once management begins to engage in fraud).

    I'll be at LinuxWorld Expo today, if anyone wants to talk about this...should be easy to spot. (I'm on BART right now)

    I'm posting an in-depth story for slashdot in a day or so, using objective proof of my claims, so there won't be any more "it is this way" "no it isn't" "yes it is" press release communication :)