6 June 2014
“A secure computer is one that is powered down and not connected to any network.”
We’ve all heard that before, yeah?
I have a confession. I believe it.
I realized I believe it when a financial services firm asked me to install a password manager on my phone. On my android phone, which shares information with people whom I don’t trust on a regular basis, where every “upgrade” to anything asks for ever-more access to personal information, contact lists, location, etc. An application written by people I don’t know. Who don’t seem to give out any guarantees. And who are very reassuring that if my phone is lost, my passwords won’t be… meaning they’re storing a hell of a lot more than a hash.
And I said no. I understand that the current wisdom is that password managers are a good thing, but…. I just cannot trust the people who develop them and the environments they run on. The complexity runs off beyond the horizon and I just can’t say, for certain, that nothing else can see this thing in memory which this particular app is using.
I do business with that company now, on the basis of a sixty-character password, which is complicated and slow to type and not stored in any electronic form anywhere. It’s stored on a “computer that’s powered down and not connected to any network,” along with a bunch of my other important passwords. But maybe “computer” is the wrong word. It’s actually an iron box with a padlock. Also known as a computer whose security model is simple enough to understand and whose operating system is known completely enough to trust.
And when I log in using that password, the company sends my phone (which NEVER syncs on my computer) a nonce via SMS which I then enter to finish the login.
There is no automatic authentication when the stakes are high. That which is automatic, in an environment where complexity runs beyond the horizon, I just cannot guarantee will never admit someone else. There is no “password sync” between phone and computer… because I don’t want the attack surface that comes with any electronic script-detectable association between the two. I don’t want to have to secure phone information on my computer, and I don’t want to have to secure computer information on my phone. There is no “password wallet” in my browser, because I don’t want my browser to store passwords. Anywhere. Ever. Because I don’t believe I can keep anything accessible to, or especially managed by, a browser secure.
My cryptographic keys (to bitcoin savings, SSH tunnels, and some other high-stakes things) are no more complex than many of my other passwords, and I save them in the same way. With ink. On index cards. In the iron box. With a padlock.
I don’t worry about a trojan horse program or a worm stealing my passwords when I’m not using them, because I’m reasonably confident that the restricted computing environment inside a padlocked iron box with no power supply, no CPU, and an index-card memory isn’t complex enough for such a program to run.
I could worry about burglars, I guess. But a burglar would actually leave evidence – he might get something but I’d know he’d got it. Further, a burglar has to spend time and effort and personal risk on each and every target, instead of writing some program to rip off the thousands of people who didn’t patch the hole it exploits, leaving no visible evidence of the breach. And then launching it anonymously from some Internet cafe in a jurisdiction with no extradition treaties. It just seems to me like simple burglary is a more direct and detectable and therefore more acceptable risk than the activities of seven billion apes and software complexity that goes out beyond the horizon, out there somewhere in the universe.
That leaves me slightly worried about keyloggers when I’m actually entering passwords, but I have one trusted software source (linux distro) and seven applications in total that come from any other source. Of those seven applications, for five I have compiled from source and for two I have taken the trouble to obtain binary hashes of public repositories using machines in other places with separate connections to the network. And then I’ve brought those binary hashes home – on paper – to make sure they match the software I downloaded. And I run with the ‘bin’ directory mounted readonly, so I’m not all that worried about keyloggers.
Ultimately, I believe in security. But what I believe about security leaves me far from the cutting edge; my security environment is more like bearskins and stone knives, because bearskins and stone knives are simple enough that I can *know* they won’t do something I don’t want them to do. Smartphones and computers simply cannot provide that guarantee. The parts of their security models that I do understand, *won’t* prevent any of the things I don’t want them to do.
An iron box with a padlock on the other hand is a simple enough security model to understand, and does provide strong guarantees about what that environment won’t do.
Just a musing, I guess…. the point is that the industry is now building security models which want to provide collaboration, and single sign-on, and synchronization, and interoperation, and ‘cloud storage’ and so forth – but in doing so simply do not and can’t provide good reasons for trust nor solid mathematical proofs of how the things I don’t want them to ever do have been rendered impossible.
In fact, most of them simply refuse to enumerate things they render impossible. Security means guaranteeing that certain things are impossible. Nobody’s even trying to do that because doing the minimum to achieve meaningful guarantees that meaningful kinds of abuse are impossible, would also mean that features like password wallets where they can guarantee password ‘recovery’ are also impossible.
They’re selling the set of things that are enabled rather than the things that are prevented.
Good computer security could be built. But maybe it can’t be sold.
And because that’s what computer security is like these days … I’m forced to use an iron box. With a padlock.
From: Bear <bear[at]sonic.net>
Date: Fri, 06 Jun 2014 12:08:27 -0700
Subject: [Cryptography] Vote of no confidence.
The cryptography mailing list