CDR: Re: Lions and Tigers and Backdoors, oh, my...

Tim May tcmay at got.net
Thu Sep 28 13:08:05 PDT 2000


At 3:03 PM -0400 9/28/00, David Honig wrote:
>
>One very common security model is that the security perimeter includes
>the PC and you're only concerned with transmission interception. 
>
>MS is swiss cheese but most OS have some weakness in many configs.
>
>How many people actually look at the source of the code they
>install on *nix machines???  How many of those who do are actually qualified
>to do security reviews?  Cf. recent PGP bugs.
>
>If you're really worried you'd use a sealed PDA (that you can control at
>all times) to capture/render and the PC is just for transport.  [This
>applies Tim's modularity argument to hardware.]

I'm somewhat surprised that this PDA approach is not more 
available... we talked about it when some of us had Newtons, oh, six or 
seven years ago. Then the Palm came out, and a bunch of folks use 
that (I have a Visor, which is Palm OS-compatible).

The Bluetooth wireless developments of the next few years should be 
interesting. It should be quite feasible for secure local 
transmissions to be used. (Yeah, IR is available now, and USB, and 
serial, whatever. But having a small PDA or WebPad communicate 
seamlessly with a "transport machine" (PC, workstation) opens up new 
options.)

An obvious niche product would be this: a wearable (necklace, 
wristwatch, etc.) security product with low-power processing and with 
Bluetooth links to nearby devices. Zero knowledge approaches, so that 
this dongle would authenticate without ever actually providing 
passwords. A small keypad could be included for the user to 
periodically punch in passwords; or a fingerprint (or retinal print, 
down the road) system.

Probably a more realizable product would be incorporating this into a 
PDA like the Palm, Visor, iPAQ, etc. Then the user could read and 
compose messages on his PDA without ever using the local PC or 
workstation.

(And, frankly, I expect that by the 2002 games nearly every athlete 
or journalist at the games will have his own wireless solutions with 
him, so the point is moot. Certainly any would-be terrorists will 
have thought about security issues and will have taken steps. 
Catching terrorists by tapping their public kiosk messages seems 
far-fetched.)

There are several levels of physical security:

1. Secure PDA, or dongle, or necklace (with something like Dallas 
Semicon. chips). Ideally, running a zero knowledge authentication 
system (so keys are never in the transmission channel).

2. Less secure, but still common: PC or workstation under the control 
of one person. This is the model most of us, probably, are using. (I 
say "less secure" than #1 only because it is likely easier to 
surreptitiously install backdoored software or sniffers than with the 
more limited options for PDAs and dongles. Though even PDAs and 
dongles could be affected.)

3. Less secure still: PC or workstation is accessible to others. 
Others who could install keyboard sniffers, altered versions of 
software, etc.

4. Least secure: "Olympic Village Convenience Stations" and similar 
sorts of public access terminals and kiosks.

That _anyone_ is blathering about how these Olympic Village kiosks 
will expose users to key and passphrase snatching is symptomatic of 
how people just don't get it. No doubt some are going to be pushing 
for "laws to protect users at public kiosks."

(Which will be supported by Law Enforcement and their allies, as this 
plays right into their hands.)

--Tim May
-- 
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
ComSec 3DES:   831-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
"Cyphernomicon"             | black markets, collapse of governments.
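
The zero knowledge authentication mentioned in the post, where the dongle proves it holds a key without ever sending it, can be sketched with Schnorr's identification protocol. This is an added example, not part of the original post: the choice of Schnorr (honest-verifier zero-knowledge), the names Dongle, verify and authenticate, and the demo-sized group parameters are all assumptions.

```python
import secrets

def is_probable_prime(n):  # Miller-Rabin, fixed bases (non-adversarial input)
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

# Constructed demo group (not from the post): primes Q, P = k*Q + 1, G of order Q.
Q = 2**127 - 1
k = 1 << 640
while not is_probable_prime(k * Q + 1):
    k += 2
P = k * Q + 1
G = pow(2, k, P)
assert G != 1

class Dongle:
    """Prover. The secret x stays inside; verifiers only enroll Y = G^x."""
    def __init__(self):
        self._x = secrets.randbelow(Q - 1) + 1
        self.public = pow(G, self._x, P)
    def commit(self):
        self._r = secrets.randbelow(Q - 1) + 1  # fresh per run: reuse leaks x
        return pow(G, self._r, P)
    def respond(self, c):
        r, self._r = self._r, None              # nonce is single-use
        return (r + c * self._x) % Q

def verify(public, t, c, s):  # transport PC checks G^s == t * Y^c (mod P)
    return 0 < t < P and pow(G, s, P) == (t * pow(public, c, P)) % P

def authenticate(prover, public):
    t = prover.commit()
    c = secrets.randbelow(Q)                    # verifier's fresh challenge
    s = prover.respond(c)
    return verify(public, t, c, s), (t, c, s)
```

A sniffer on the transport machine sees only (t, c, s); because the verifier picks a new c each run, replaying a captured transcript fails. The group here is demo-sized, and a deployment would use a standardized, larger group.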
