Reverse Palladium?
How secure can I make a Java sandbox from the rest of the network I'm on? Can I make it so that my network administrator can't see what I'm typing? In other words, a secure environment that's sitting on an insecure machine. And of course, there's a short term 'solution' (which will work until they catch on) and then a long-term solution (which they can't very easily stop even when they know such a thing exists). Oh, and it helps to remember that a network admin AIN'T an engineer: If Microsoft or someone hasn't built an app for it, then they can't do anything about it. -TD
On 7/12/05, Tyler Durden <camera_lumina@hotmail.com> wrote:
How secure can I make a Java sandbox from the rest of the network I'm on? Can I make it so that my network administrator can't see what I'm typing? In other words, a secure environment that's sitting on an insecure machine.
Although you asked about "Reverse Palladium" what you really want is Palladium itself. This is precisely the security model which has so many people upset: the system owner (the network admin) is giving up control over his machine, running software which he cannot control, molest or modify. You, a third party, are protected against the computer's owner. The ability for owners to voluntarily and verifiably give up a degree of control over their computers is anathema to Trusted Computing opponents, the height of evil and a threat to be fought at all costs. The fact that it is voluntary for all concerned means nothing to them. They don't want people even to have the chance to be tempted to utilize this technology, and they will stop at nothing to keep it from coming into existence. So far they have been extremely successful. See http://invisiblog.com/1c801df4aee49232/article/9d481af00c898ae91748f2f0cd97c... for discussion about how to use Palladium to add security to Internet voting applications, even for cases where people are voting on machines owned by others. This is very similar to the threat model in your situation. CP
At 11:47 AM 7/12/2005, Tyler Durden wrote:
How secure can I make a Java sandbox from the rest of the network I'm on? Can I make it so that my network administrator can't see what I'm typing? In other words, a secure environment that's sitting on an insecure machine.
There's the "network" and there's the computer. If you're on a computer you can't trust, you can't trust it. If you're the sysadmin for the box, and nobody else is, then you're only exposed to eavesdropping on the network. If you can't trust the sysadmins for the computer not to do keystroke logging and CarbonCopy your screen, you've got a much tougher threat model. If you've got a machine you're willing to trust, you can tunnel everything else you do through encrypted tunnels; the network administrator will be able to see where the outside of the outer tunnel is, if that bothers you. There are a number of SSL-based VPN tunnel products on the market, including some that just use the browser's SSL capabilities, some that use a browser with Java app clients, and some that use actual installed client software. Aventail is one vendor, Cisco's another, there are lots more, but I haven't seen any open-source server versions (e.g. Apache plugins), though some servers do at least run on Linux. Some of Aventail's products are made to run on a publicly-accessible machine, e.g. cybercafe model, and give you a "virtual desktop" that looks like your home system and clean up after themselves when you log off.
Well, not with Java ...? Any keylogger would catch what you type, or any mouse-logger could catch what you click. You could either attempt to remove/bypass keyloggers with a lower-level language, or type in code. ... -- Michael On 7/13/05, Tyler Durden <camera_lumina@hotmail.com> wrote:
How secure can I make a Java sandbox from the rest of the network I'm on? Can I make it so that my network administrator can't see what I'm typing? In other words, a secure environment that's sitting on an insecure machine.
And of course, there's a short term 'solution' (which will work until they catch on) and then a long-term solution (which they can't very easily stop even when they know such a thing exists).
Oh, and it helps to remember that a network admin AIN'T an engineer: If Microsoft or someone hasn't built an app for it, then they can't do anything about it.
-TD
Anonymous writes in favor of Palladium, arguing that it is optional, so all is OK. On Wed, Jul 13, 2005 at 12:15:21AM -0700, cypherpunk wrote:
This is precisely the security model which has so many people upset: the system owner (the network admin) is giving up control over his machine, running software which he cannot control, molest or modify. You, a third party, are protected against the computer's owner. The ability for owners to voluntarily and verifiably give up a degree of control over their computers is anathema to Trusted Computing opponents, the height of evil and a threat to be fought at all costs.
See, I think it is entirely possible to get the benefits of secure compartments, which are secured from hostile software, without locking out the owner of the machine. All that is needed is to turn over control of the machine to the owner. Give the owner of the machine keys for ring-1; he can have a secured login to ring-1 where he gets to choose which ring-1 processes he can attach a debugger to, binary patch etc., and which loadable things which are hashed for verification by remote attestation to lie about the hash of. In this way the owner can be sure he won't get valuable data hacked by viruses, trojans etc. (well, as secure as he can be under the Palladium model), but the evil remote non-optional control of your own hardware is removed from the picture.

So the optionality anonymous is arguing about is your "option" to be refused service outright, or cede ring-1 level (compartmented) access to your machine, i.e. to allow 3rd party software to run that you are NOT able to debug, inspect, look at source or executable for, patch or fix to your liking. And how far this kind of optionality extends depends on the architecture choices of Microsoft et al. in how deeply they embed this into the OS, their applications and programming frameworks, and how much other companies choose to use this stuff. So Microsoft has already talked about software rental, etc. etc., and has a history of increasingly intrusive and annoying license enforcement, so if you ask me you can bet your money that this will be used throughout the whole system to the point where you can have the option to switch off your machine, or give up control. The OS will become a container for rented, DRMed, uninspectable, unsniffable, unpatchable corporate-warez.
The fact that it is voluntary for all concerned means nothing to them.
It would if it was. But it's not. If it's voluntary, give me the keys to my own computer. If you're not going to do that, then shut up about "voluntary". You have about as much control over your own machine under Palladium as you do over a user account on a remote system you do not have root on. Except it's your machine! And you still don't get to control it.
They don't want people even to have the chance to be tempted to utilize this technology, and they will stop at nothing to keep it from coming into existence. So far they have been extremely successful.
You need to go read Richard Stallman's essay on the right to read. You and others proposing this software are trying to fast-track us to the scary but plausible future under Palladium that Richard presciently paints. http://www.gnu.org/philosophy/right-to-read.html Adam
participants (5): Adam Back, Bill Stewart, cypherpunk, Michael Silk, Tyler Durden