| 1 |
On Wed, Aug 22, 2018 at 12:13 AM Andrew Savchenko <bircoph@g.o> |
| 2 |
wrote: |
| 3 |
|
| 4 |
> Hi! |
| 5 |
> |
| 6 |
> On Mon, 20 Aug 2018 21:59:22 -0400 Alec Warner wrote: |
| 7 |
> > On Mon, Aug 20, 2018 at 7:26 PM, Andrew Savchenko <bircoph@g.o> |
| 8 |
> > wrote: |
| 9 |
> [...] |
| 10 |
> > > The problem is that people are considering a token as a silver |
| 11 |
> > > bullet protecting them reliably. While protection will be indeed |
| 12 |
> > > improved a bit, this is all the gain; and relaxed state of false |
| 13 |
> > > security may prove to be more dangerous than not to have tokens at |
| 14 |
> > > all. |
| 15 |
> > > |
| 16 |
> > |
| 17 |
> > In security, the goal is to protect an asset valued at Y. We may spend X |
| 18 |
> to |
| 19 |
> > protect that asset. Generally X << Y; if you spend more than the asset |
| 20 |
> was |
| 21 |
> > worth in protection, it would be a waste of resources. So my goal here is |
| 22 |
> > not to "build a system no one can hack into" that is a silly idea. |
| 23 |
> |
| 24 |
> Sure. The only question here is how much is they value of Y? How |
| 25 |
> much all work hours spent on Gentoo cost? How much its reputation |
| 26 |
> acquired over ~20 years costs? I have no easy answers for these |
| 27 |
> questions, but I assume Y is not small. |
| 28 |
> |
| 29 |
|
| 30 |
My point is perhaps less the size of Y, and mostly that the size of X is |
| 31 |
small. The Foundation has about 120k in the bank, so the security we can |
| 32 |
fund is limited. E.g. below you discuss supply chain attacks, but the |
| 33 |
foundation cannot afford to build a secure supply chain for the hardware it |
| 34 |
might purchase; and developers use hardware outside of this supply chain |
| 35 |
anyway. This basically leads to an security assumption: |
| 36 |
|
| 37 |
- Our supply chain is not secure (because we don't really have one.) |
| 38 |
- Attackers who can attack the supply chain can attack Gentoo. |
| 39 |
|
| 40 |
Note that this is no different than most companies; so I don't think we are |
| 41 |
*worse* off for having this stance. Is it not ideal? Sure. But its what we |
| 42 |
can afford. |
| 43 |
|
| 44 |
|
| 45 |
> > This is true throughout the industry. Security is a series of cost |
| 46 |
> benefit |
| 47 |
> > tradeoffs. For example, car keys are generally fairly high quality with |
| 48 |
> > extra security features (e.g. an Immobilizer and encrypted or rotated |
| 49 |
> > codes) vs a set of housekeys. Housekeys can typically be made for < 5$ |
| 50 |
> per |
| 51 |
> > key at a machine in a store, and the locking mechanisms range from about |
| 52 |
> > $20 to $400+. All of these features are moot if the attacker wants to be |
| 53 |
> > loud. The CIA lockpicking manual[0] for instance has a conclusion that is |
| 54 |
> > basically "you can probably drill out the lock and replace it faster than |
| 55 |
> > you can pick it." |
| 56 |
> |
| 57 |
> There are plenty of doors and locks with protection from drilling |
| 58 |
> out locks or cutting hinges protection :) And they are not that |
| 59 |
> expensive at all. |
| 60 |
> |
| 61 |
|
| 62 |
I'm not aware of anyone selling an unbreakable door. Even the 'protection' |
| 63 |
you mention is not full proof. What it does is requires more noise (bigger |
| 64 |
saw, for locks, typically) and more time for the attacker to spend; and |
| 65 |
more noise for the attack. These are all good attributes as they increase |
| 66 |
attack risk. The security key is IMHO, similar. Attackers have to spend |
| 67 |
1000$, they need to find someone who can extract the material (maybe the |
| 68 |
attacker lacks this capability in house, etc.) |
| 69 |
|
| 70 |
|
| 71 |
> |
| 72 |
> > Safes are similar[1], and are rated for various 'times it takes a skilled |
| 73 |
> > person to break into"; many of the higher ratings require anchoring as |
| 74 |
> its |
| 75 |
> > unlikely for attackers to gain lots of time with a safe unsupervised, so |
| 76 |
> > they steal the safe and work on them offsite where time is more easily |
| 77 |
> > available. |
| 78 |
> |
| 79 |
> The only goal of every physical safe is to give some *time* if an |
| 80 |
> attack (either break-in or fire) is ongoing. This doesn't apply to a |
| 81 |
> repository or infrastructure protection we're discussing — unless |
| 82 |
> we're discussing how long it will take to break through good |
| 83 |
> symmetric encryption, but apparently we want to protect from other |
| 84 |
> attack vectors. |
| 85 |
> |
| 86 |
|
| 87 |
|
| 88 |
|
| 89 |
|
| 90 |
> |
| 91 |
> > So when you make a counter argument like "well the attacker could |
| 92 |
> > physically come take your token and spend 1000$ extracting the key" my |
| 93 |
> > assertion is not that "well that is impossible" my assertion is that |
| 94 |
> > "Great, the attacker has to *physically steal my key* and commit a crime, |
| 95 |
> > then spend 1000$." The whole point is to make the attack annoying and not |
| 96 |
> > worthwhile, not to literally make it impossible. |
| 97 |
> |
| 98 |
> One may loose a key accidentally or it will look like an accident, |
| 99 |
> especially after a social event. It will be hard to impossible |
| 100 |
> prove any criminal intent if someone will just find your token. |
| 101 |
> |
| 102 |
|
| 103 |
Again, this is a very expensive attack. I'm not worried about it, because |
| 104 |
people willing to spend money can already break into Gentoo. |
| 105 |
|
| 106 |
|
| 107 |
> |
| 108 |
> Furthermore tokens may be busted during shipment or production. |
| 109 |
> This will almost nullify their security. These are very vulnerable |
| 110 |
> operations easy to backdoor and hard to make them secure. |
| 111 |
> |
| 112 |
|
| 113 |
The computer I generated my keys on also lacked a secure supply chain...so |
| 114 |
I'm not sure how this is any worse. At some point you must accept risks; |
| 115 |
otherwise building anything becomes too expensive. |
| 116 |
|
| 117 |
|
| 118 |
> And last but not the least: laws are quite different in different |
| 119 |
> areas and it is dangerous to rely on them for information security. |
| 120 |
> Usually they are the last line of defense when technical means fail. |
| 121 |
|
| 122 |
|
| 123 |
I'm seeing a lot of 'security keys are bad' and FWIW I appreciate the |
| 124 |
skepticism of the idea. However, I am looking for a bit more constructive |
| 125 |
feedback here. Lets say we don't buy keys; do you have any ideas on how we |
| 126 |
can improve the security of our GPG infrastructure? |
| 127 |
|
| 128 |
-A |
| 129 |
|
| 130 |
|
| 131 |
> |
| 132 |
> Best regards, |
| 133 |
> Andrew Savchenko |
| 134 |
> |
Archives