Setting up PGP

Stefan Claas sac at 300baud.de
Mon Oct 12 09:18:03 PDT 2020


Karl wrote:

Hi Karl,

> > Another approach I am currently playing with is to play with NFC tags and
> > a reader/writer device, which can be used offline as well.
> 
> I don't know why you would ever consider an NFC radio secure, where
> did you get this idea?  I'm probably getting into a state of mind
> where I assume I know more than you (when I might not) because you
> mentioned plugging a radio into an airgapped device and using it to
> communicate.  Really, it's possible to make that very secure, but with
> the radio chip likely being closed source, it doesn't sound easy to my
> kinda limited mind.

The range of these little NFC tags is only a few centimeters/inches,
and I guess if someone could (in theory) listen to your offline device,
then it does not make any difference IMHO if you use an additional
NFC reader/writer and your offline device.

The reason why I mentioned NFC tags is that they fit nicely on postcards or
in letters (and can be protected with covers), can be password protected
and also allow encryption, depending on the type used.
> 
> I'm inferring by FTDI USB to USB cable, you mean a serial cable with
> FTDI USB serial converters (which I've had occasion to run into but
> don't know well) at both ends.  That sounds pretty reasonable and
> shows you have a clue; I don't know whether people still consider
> systems to be airgapped when they are networked with a serial cable,
> or not.  If we fast forward to emissions a bit, a serial cable is a
> long wire, so it's going to broadcast the stuff transmitted over it
> like an antenna, and pick up electromagnetic effects like one too.
> 
> I don't know a lot about FTDI converters, but I know that most things
> you buy from a corporation are not secure by default.  My biggest
> poorly-informed worry is that voltage glitching from the connected
> device could be used to compromise the 'airgapped' device in some
> obscure way.  Additionally it can be hard to find FTDI converters
> locally.  Sounds pretty airgapped in this day and age, though.

Well, a while ago I looked for options to work with an air-gapped
computer, but was not sure if one should use a secure USB stick,
for example, and found this FTDI solution. I ordered such a cable
relatively cheap from alibab.com, because here in Europe these
cables are only sold to companies, which can re-sell them, and
the price tag is much, much higher.
> 
> While tumbling through this ordeal I once made this software, which is
> a small program to communicate ascii text by bit-banging one or two
> wire connections:
> https://github.com/xloem/openemissions/tree/master/tincanterm

Nice, will take a look.
 
> One of the best solutions for low-latency communication would seem to
> me to be writing your own bit-banging or communication software on the
> fresh linux installation, so that no installation of new software is
> needed, preferably using a visual or audio connection so that voltage
> glitching is impossible, although these channels can still be high
> bandwidth unintentionally.  But if you understand the communication
> system and security concerns in depth, go right ahead with any of it.

With audio cables I have also experimented, and with HTML-based software
run in a browser. But this was error-prone and the transmission speed
was too slow. IIRC the popular FOSS software minimodem can do
this too, but is unfortunately not cross-platform.
> 
> Something I value is very high latency communications.  For example,
> using CDRs was a very secure thing that corporate progress has almost
> done away with.  Burn your information to a CD, then load it on
> another computer.  The CD has no microchips, the information is there
> for easy review, it doesn't alter the voltage between any electrical
> terminals on your system, and if you don't reuse cds then even if your
> airgapped system is compromised, there is no obviously related way to
> quickly send reply messages back to the system to alter its behavior.
> High latency is good.  Only communicating when the user tells it to is
> crucial.

Yes, but can devices nowadays (Raspberry Pi, for example) handle CDs?

> Here's a piece of software I tried to make for transmitting QR codes:
> https://github.com/xloem/qrstream

Will check that out too.

Regards
Stefan

-- 
NaClbox: cc5c5f846c661343745772156a7751a5eb34d3e83d84b7d6884e507e105fd675
  The computer helps us to solve problems, we did not have without him.

