Qubes sw compartmentalization is a must, but not sufficient

Qubes uses virtual machines to let you manage separate “security domains”. A virtual machine (VM) is basically a tiny operating system running inside of your real operating system. If your VM gets hacked, the attacker is able to access the files and read keystrokes in that VM, but not in other VMs or on your host computer. In Qubes all software (besides the desktop environment) is running inside of VMs, and you can easily and efficiently make as many as you need for whatever purposes you need. It’s also designed in such a way that if one VM gets infected with malware, the malware won’t be there the next time you reboot that VM.

A most likely main-processor-level hack method by the NSA

Rather than risk getting caught messing with everyone’s updates, my bet is that the NSA has compromised the microcode update signing keys giving the NSA the ability to selectively target specific computers. (Your operating system ensures security of updates by checking downloaded update packages against the signing key.) The NSA then can send out backdoors disguised as a Windows update for “security.” (Ironic but possible.)

That means you don’t need backdoors baked in the hardware, don’t need Intel’s buy-in, don’t have discoverable rootkits, and you can target specific systems without impacting the public at large.

Exodus Intelligence, exposing TAILS bugs, may be doing the best service to privacy after Snowden

They are finally making clear – to all mainstream tech writers, privacy tech tool users and developers – that software should be audited much more relative to its complexity, which means large investments and/or hugely expanded volunteer participation.

Sure, a zero-day market should not exist, but it always will, and it will keep growing, as it cannot be stopped. No major country will make it illegal to not disclose a discovered zero day, because every other major country would continue to stockpile them.

We are fortunate that some in that market see economic convenience in releasing such info (and, apparently, in doing so responsibly).

The only major objection to Exodus Intelligence is that they haven’t gone nearly far enough, as there are so many potential vulnerabilities at the firmware and hardware level which they do not mention.

I’d argue they know this very well, given their general competencies. But possibly they haven’t mentioned them because they cannot provide any services in that area, and it is in their best interest to underestimate such threats to increase the perceived value of their software-level zero-days for defensive purposes.

Unfortunately, we may never see a similar company coming out for hw-level zero-days, as it would have to come from the upper echelons of US state security agencies or the highest-clearance execs in dominant mainstream processor and hardware makers, as well as major world foundries.

To start moving to solve those vulnerabilities we’ll have to rely on their proven feasibility, the opinions of the world’s foremost expert persons and bodies, and other supporting evidence. We’ll look at that in a future post.

Snowden on privacy tech solutions and code verifiability

Snowden, in an interview with the Guardian 2 days ago, talks about (1) proper privacy tech solutions and (2) the importance of verifiability and free software licensing.

Our User Verified Social Telematics project seems quite aligned with what he said.

(1) About proper privacy tech solutions he said:

“Recently, I’ve been spending a lot of time thinking about press freedom issues in addition to the ordinary individual’s private communications, and I’ve been partnering with civil liberties organisations to see where we can contribute and try to create new tools, new techniques, new technologies that will make sure our rights are protected regardless of the status of law in a given jurisdiction.

Imagine an app or a cell phone or an operating system for a cell phone or a small device, anything that would allow people to have free and ready access to meaningfully secure communications platforms that don’t require sophistication to use and operate”.

By mentioning apps, he’s clearly trying to encourage privacy innovation at all stack levels and overall investment. Proper encryption apps would make passive super-low-cost surveillance, in transit or on the cloud, difficult or impossible.

Nonetheless, if “meaningful” protection from low-cost semi-automated targeted surveillance (at end-points, beyond the point of encryption) could be provided by an app, he wouldn’t be talking about “operating systems”. This mention clearly lends support to the TAILS live-booting OS on the desktop (that his chosen journalists use for their communications with him), and to GSMK Cryptophone phones running free software apps and a GNU/Linux OS.

Furthermore, his mention of a “small device” instead of a “mobile device” or “portable device” clearly acknowledges the difficulty of protecting against unverified baseband processors, and other issues and complexities in securing a phone. It is very likely that it refers to efforts such as those of Tomy (an alpha project of the TAILS team), meant to run on WiFi-only mobile devices, or mobile devices where mobile network functionality can be reliably removed. It may refer to solutions such as R&S Top Sec or Secusmart phones with microSD solutions (used by Angela Merkel), if they were verifiable (and certifiably adequately verified) in their sw and hw, and transparent in their design.

The current approach of the Tomy project may not be optimal because:

  • It is still vulnerable to hardware and firmware vulnerabilities, such as those of the main processor and co-processor, including the USB used and its firmware. And each device will have its own (as in Tails).
  • Not clear at all to what extent it may be possible to reliably disable the baseband processor during
  • Has the inconvenience of having to reboot every time, and works only when WiFi is available.
  • Has no strategic plan to date to attract nearly the necessary resources to develop such a solution to high enough levels of assurance and promote wide adoption of that solution.

(2) On free software and verifiability he said:

I think everybody has some exposure to proprietary software in their lives, even if they’re not aware of it. Your cell phones for example are running tons and tons of proprietary code from all the different chip manufacturers and all of the different cell phone providers.

We are moving very slowly but meaningfully in the direction of free and open software that’s reviewable, or, even if you can’t do it, a community of technologists [who] can look at what these devices are really doing on the software level and say, is this secure, is this appropriate, is there anything malicious or strange in here? That increases the level of security for everybody in our communities.

I’d argue he refers to the fact that many free software users, activists and experts often underestimate the importance of proprietary firmware, which renders meaningless ALL control and freedoms from snooping and tampering they believe they gain by running only free software on the OS and app layers. He also makes clear that free software is preferred, but that verifiability of source code may be initially sufficient for security assessment.

How Hackers Stole the Nasdaq – Businessweek

“What the investigators found inside Nasdaq shocked them, according to both law enforcement officials and private contractors hired by the company to aid in the investigation. Agents found the tracks of several different groups operating freely, some of which may have been in the exchange’s networks for years, including criminal hackers and Chinese cyberspies. Basic records of the daily activity occurring on the company’s servers, which would have helped investigators trace the hackers’ movements, were almost nonexistent”

Schneier and the need for ballot box type procedures like the CivicRoom

In this video Bruce Schneier (minute 33.21 till 36.00) makes direct reference to the need to deploy in-person “secret sharing” schemes inspired by ballot box voting procedures, such as the ones we have devised for the UVST CivicRoom, which we demonstrated with a physical installation in 2007 at a major ICT event at the Ara Pacis in Rome, in partnership with Progetto Winston Smith.

That event was organized, as director of the Lazio Region IT Agency LAIT, by the newly-elected head of Agenda Digitale Italiana, Alessandra Poggiani. She also participated as a main speaker a few weeks later in our IPTV 2.0 event the next year.

DARPA’s Trust in Integrated Circuits standards, extended to software and end-user verifiable…

… is what we need as a society for our critical civilian and military uses. 
The nation(s) and/or companies that standardise them first may well also gain the huge first-mover advantage of offering technologies that are substantially more user-trustworthy than anything available today.