Ahem, well, there have been some complaints of too much impractical
philosophizing and ranting of late, so here's my penance. Notes on how
to protect alias files, ideas on digital money, and an excerpt on
computer raid techniques from The Hacker Crackdown by Bruce Sterling.
(Disclaimer: In no way should any of this be construed as encouraging or
advocating destruction of evidence.)

self-Encryption time bombs
--------------------------

Some lost soul asked an excellent question about a week ago regarding
how to protect things like the alias file of an anonymous server from
attack, possibly using encryption. This is actually a very interesting
and difficult problem, and I've been rolling it around in my brain a
bit, and some things are now rattling out onto the keyboard. The
question applies really in general: how do you simultaneously use and
protect data from prying eyes? I don't think there are really any
simple and ingenious approaches, or they might have been suggested by
now. Actually, the silence on the topic assures me that it's indeed
rather difficult.

One idea is to keep only the encrypted version in permanent
storage. Keep the usable copy in something volatile like memory (e.g. a
Ramdisk). This makes it much less solid.

Another idea is to have a `time-bomb' encryption device. Here's the
idea applied to a remailer. Every few hours the remailer asks for the
owner to type a password. If the meow isn't answered, it panics and
locks up everything, electronically `burning' anything important and
encrypting stuff that needs to be kept around.

This of course is problematic because if someone grabbed the server
they could utilize it in the time window. Ok, so imagine that the
server can somehow `sense' whether its real owner is present and
typing. This could mean that the owner types in a certain way or runs a
dummy command at least once an hour or whatever, or has his foot on a
footpedal or whatever. Again, the server panics if it sees something awry.
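
The check-in scheme above, sketched as an added example that is not part of the original post: the data key lives only in RAM and is discarded when the owner's periodic password prompt is answered late or wrongly, so only ciphertext remains. The class and function names, the PBKDF2 parameters and the SHAKE-based stand-in cipher are assumptions made for illustration.

```python
import hashlib, hmac, time

def derive_key(passphrase: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, 200_000)

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher for the demo (SHAKE-256 keystream, no authentication);
    # a real deployment would use a vetted AEAD. Same call encrypts and decrypts.
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

class DeadManKey:
    """Keeps the data key in RAM only while the owner keeps checking in."""
    def __init__(self, interval_s: float, clock=time.monotonic):
        self.interval_s, self.clock = interval_s, clock
        self._key = None          # bytearray while unlocked, None once locked
        self._deadline = 0.0

    def unlock(self, passphrase: bytes, salt: bytes) -> None:
        self._key = bytearray(derive_key(passphrase, salt))
        self._deadline = self.clock() + self.interval_s

    def panic(self) -> None:
        # Best-effort wipe: Python may keep other copies, so treat this as the
        # key's logical end of life rather than a guaranteed memory scrub.
        if self._key is not None:
            self._key[:] = bytes(len(self._key))
        self._key = None

    def check_in(self, passphrase: bytes, salt: bytes) -> bool:
        """Owner's periodic password prompt; a wrong or late answer locks."""
        late = self.clock() >= self._deadline
        if self._key is None or late or not hmac.compare_digest(
                derive_key(passphrase, salt), bytes(self._key)):
            self.panic()
            return False
        self._deadline = self.clock() + self.interval_s
        return True

    def key(self) -> bytes:
        # Expiry is enforced lazily on access here; a long-running daemon
        # would also run a timer so the key is dropped with no request pending.
        if self._key is None or self.clock() >= self._deadline:
            self.panic()
            raise PermissionError("key discarded; owner must unlock again")
        return bytes(self._key)
```

Because the key is re-derived from the passphrase, the owner can unlock again later; anyone holding only the disk contents after a lapse has ciphertext and a salt.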

Also, note that usually computers are switched off and cables unplugged
when confiscated. If the interesting stuff is only in RAM, no
problemo. This gives other ideas though. When a certain cable is
unplugged, *poof* goes certain data or whatever. Ideally there would be
a daemon that is always alive (even with switched off power) that could
deal with the signal that something bad has happened.

Another idea is to check for operator signals at boot time. When the
confiscator boots the computer (assuming they do, and not unplug the
hard drive for analysis) the computer could look for the cue and say
something like ``one moment, loading system'' while it is in a mad dash
to encrypt everything important (but it must delete the password used
for this at the end, of course!). Then it could give a regular login
prompt and even let in the infiltrator.

Finally, note that in raids usually the operator is taken away from the
computer immediately (see attached notes) while the confiscators (I'm
trying to stay neutral here) grab all the hardware. Hence, a `direct'
signal to the computer that requires the operator to do something and
the computer to respond is difficult in these situations. But the
possibility of rigging panic-encrypt buttons in surreptitious places
all over your house (flush!!!) is not completely outlandish.

digital $$$
-----------

There seems to be a lot of interest in this topic. Now, unfortunately I
think anyone who wants to set up a *real* bank on the internet right
now and handle transactions via email would really swiftly arouse the
fearsome ire and wrath of vast segments of the net. Whatever, I'd like
to point out that it is entirely feasible *right now* using *credit
cards*. There are obviously automated credit card machines that can
make transactions solely electronically based only on that lovely
*data* cypherpunks love so much (card # and exp. date). Maybe some
even have RS232 interfaces! (for the brain dead, that means they'd be
as trivial and familiar to interface to a computer as MODEMs!).

Imagine this scenario: a banking server! A user registers with the server
by giving card data. He can then let other businesses make debits
through the server to his account, with all the
cryptographic/authentication assurances that this can only happen when
he permits, of course.

Anybody who ever started doing this, I think there should be at first
*huge* amounts of verification, like email sent to the user asking for
confirmation of every transaction, monthly statements, ceilings, etc.
But *wow* think--it's all entirely doable right now! If the banker
wanted to he could even deal with requests to open real accounts with
regular money. But this is probably much farther off--the idea of the
server as nothing but a link to credit cards is very convenient and
more accessible, it seems to me. (The case could be made, if initially
the service was free, that no commercial service was being performed.)
Imagine being able to write programs that send mail to a server to bill
users for services. Neat! But OOH the phreakers would have a field day
with this kind of thing if it wasn't AIRTIGHT SECURE.
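
The "only when he permits" check for the banking server described above, as an added example that is not part of the original post: the account owner issues a permit naming one merchant, a ceiling and an expiry, and the server refuses any debit that falls outside it or reuses it. The permit fields, the class and function names, and the use of an HMAC key agreed at registration (standing in for a digital signature) are assumptions.

```python
import hashlib, hmac, json

def sign_permit(user_key: bytes, permit: dict) -> str:
    """Owner's authorization tag over a canonical encoding of the permit."""
    msg = json.dumps(permit, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(user_key, msg, hashlib.sha256).hexdigest()

class BankServer:
    def __init__(self):
        self.keys = {}       # user -> key agreed at registration
        self.used = set()    # (user, permit id) already debited: replay guard

    def register(self, user: str, key: bytes) -> None:
        self.keys[user] = key

    def debit(self, merchant, amount_cents, permit, tag, now) -> str:
        key = self.keys.get(permit.get("user"))
        if key is None:
            return "unknown user"
        # Constant-time comparison; any edit to the permit changes the tag.
        if not hmac.compare_digest(sign_permit(key, permit), tag):
            return "bad tag"
        # Fields below are trusted only because the verified tag covers them.
        if permit["merchant"] != merchant:
            return "wrong merchant"
        if now > permit["expires"]:
            return "expired"
        if not 0 < amount_cents <= permit["ceiling_cents"]:
            return "amount out of range"
        if (permit["user"], permit["id"]) in self.used:
            return "replayed"
        self.used.add((permit["user"], permit["id"]))
        return "ok"
```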

* * *

Now a little transcription gift to the net. I found the following
account of the typical `hacker raid' interesting. It comes from the
book `The Hacker Crackdown' by Bruce Sterling (1992 Bantam books), p. 160.
The account is mostly based on U.S. police tactics during the
Operation Sun Devil raid in the early 1990s.

A typical hacker raid goes something like this. First, police storm in
rapidly, through every entrance, with overwhelming force, in the
assumption that this tactic will keep casualties to a minimum. Second,
possible suspects are removed immediately from the vicinity of any and
all computer systems, so that they will have no chance to purge or
destroy evidence. Suspects are herded into a room without computers,
commonly the living room, and kept under guard--not *armed* guard, for
the guns are swiftly holstered, but under guard nevertheless. They are
presented with the search warrant and warned that anything they say may
be held against them. Commonly they have a great deal to say,
especially if they are unsuspecting parents.

Somewhere in the house is the `hot spot'--a computer tied to a phone
line (possibly several computers and several phones). Commonly it's a
teenager's bedroom, but it can be anywhere in the house; there may be
several such rooms. This `hot spot' is put in the charge of a two-agent
team, the `finder' and the `recorder.' The finder is computer-trained,
commonly the case agent who actually obtained the search warrant from a
judge. He or she understands what is being sought and actually carries
out the seizures: unplugs machines, opens drawers, desks, files,
floppy-disk containers, and so on. The recorder photographs all the
equipment, just as it stands--especially the tangle of wired
connections in the back, which can otherwise be a real nightmare to
restore. The recorder also commonly photographs every room in the
house, lest some wily criminal claim that the police had robbed him
during the search. Some recorders also carry videocams or tape
recorders; however, it's more common for the recorder simply to take
written notes. Objects are described and numbered as the finder seizes
them, generally on standard preprinted police inventory forms.

Even Secret Service agents were not, and are not, expert computer
users. They have not made, and do not make, judgments on the fly about
potential threats posed by various forms of equipment. They may
exercise discretion, they may leave Dad his computer, for instance, but
they don't *have* to. Standard computer crime search warrants, which
date back to the early 1980s, use a sweeping language that targets
computers, most anything attached to a computer, most anything used to
operate a computer--most anything that remotely resembles a
computer--plus most any and all written documents surrounding it.
Computer-crime investigators have strongly urged agents to seize the works.