Schneier On Safety
2. It does not require much technical know-how (not reverse engineering your BIOS to verify its integrity or attempting to debug rootkits).
3. The overhead involved scales with the amount of security required. That is, many shortcuts can be taken without weakening the overall system.
4. It's an unambiguous set of steps that don't require judgment to be performed.
5. It's fault tolerant (many parts can get pwned, and it can still be very secure).
6. It's effective against a variety of threat models, up to and including a nation-state which has full knowledge of your setup, a team of hackers working to pwn you individually, and a black bag team that can enter your home without your knowledge.

Let's name our adversary Eve. I believe until Eve can bring to bear the resources described in item 6, your setup is completely secure. Any feedback on the protocol I describe would be appreciated.

1. A targeted attack in which Eve has good knowledge of your setup and unlimited resources to craft an attack over the internet.
2. Same as 1, but they will attack using malware which infects your hardware (BIOS, NIC, crypto-markets and so on) before you buy it (the supply chain attack).
4. Black bag / physical access to your home and computers.

I assume the reader can acquire uninfected software. One method for doing this is documented on the TOR website.
The basic idea is to obtain the software from multiple sources, over multiple internet connections, compare the hashes, and verify downloads with PGP signatures.

The first computer (which I'll call CannonFodder) connects to the internet via TOR, ideally with PORTAL between the computer and the internet. PORTAL is the grugq's open source project which installs on a Raspberry Pi and acts like a proxy forwarding all your traffic to TOR. Recently a hidden service was discovered on TOR which hacks the browser and phones home, via the user's non-TOR internet connection, the real IP address and MAC address of the user. PORTAL prevents this attack by only allowing traffic to route through TOR, and blocking all other traffic.
The purpose of CannonFodder is to receive PGP encrypted messages and send PGP encrypted messages. It's what connects to the internet so the rest of the equipment doesn't have to. While it will be assumed to be hacked into and rootkit'ed, it isn't going to be an easy target. On CannonFodder install whatever personal security products you can get your hands on: anti-virus, anti-persistence software, software that whitelists good processes and blacklists bad processes, EMIT… Make sure that the OS and all software on it is patched regularly.
What OS runs on the host is up to you. The host will run a VM and nothing else. What virtualization software you use is up to you, but the OS you run in the VM must be different from the host. So if the host is Windows, the VM should be some flavor of Linux or BSD.
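The download check described earlier (several copies fetched over different connections, hashes compared, PGP signature verified) can be scripted as below. This is an added example, not part of the original post; the function names, file names and sample bytes are constructed for illustration, and the signature step assumes `gpgv` is installed and that you built the keyring yourself.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large installers need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def copies_agree(paths):
    """Return (ok, digests); ok is True only if >= 2 copies exist and all hash alike."""
    digests = {str(p): sha256_file(p) for p in paths}
    ok = len(digests) >= 2 and len(set(digests.values())) == 1
    return ok, digests


def signature_valid(sig_path, file_path, keyring):
    """Check a detached PGP signature against one explicit keyring using gpgv.

    gpgv treats every key in the keyring as trusted, so the keyring must hold
    only the signing key whose fingerprint was confirmed out of band.
    """
    result = subprocess.run(
        ["gpgv", "--keyring", str(keyring), str(sig_path), str(file_path)],
        capture_output=True,
    )
    return result.returncode == 0


def demo():
    """Constructed sample: three 'downloads', one of them altered in transit."""
    with tempfile.TemporaryDirectory() as tmp:
        good_a, good_b, bad = (Path(tmp) / n for n in ("a.iso", "b.iso", "c.iso"))
        good_a.write_bytes(b"constructed installer bytes")
        good_b.write_bytes(b"constructed installer bytes")
        bad.write_bytes(b"constructed installer bytes" + b"\x90")
        return copies_agree([good_a, good_b])[0], copies_agree([good_a, good_b, bad])[0]


if __name__ == "__main__":
    print(demo())
```

Matching hashes only show that every source served the same bytes; the signature check is what ties those bytes to the publisher's key.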