1 |
On Wed, Aug 22, 2018 at 12:13 AM Andrew Savchenko <bircoph@g.o> |
2 |
wrote: |
3 |
|
4 |
> Hi! |
5 |
> |
6 |
> On Mon, 20 Aug 2018 21:59:22 -0400 Alec Warner wrote: |
7 |
> > On Mon, Aug 20, 2018 at 7:26 PM, Andrew Savchenko <bircoph@g.o> |
8 |
> > wrote: |
9 |
> [...] |
10 |
> > > The problem is that people are considering a token as a silver |
11 |
> > > bullet protecting them reliably. While protection will be indeed |
12 |
> > > improved a bit, this is all the gain; and relaxed state of false |
13 |
> > > security may prove to be more dangerous than not to have tokens at |
14 |
> > > all. |
15 |
> > > |
16 |
> > |
17 |
> > In security, the goal is to protect an asset valued at Y. We may spend X |
18 |
> to |
19 |
> > protect that asset. Generally X << Y; if you spend more than the asset |
20 |
> was |
21 |
> > worth in protection, it would be a waste of resources. So my goal here is |
22 |
> > not to "build a system no one can hack into" that is a silly idea. |
23 |
> |
24 |
> Sure. The only question here is how much is they value of Y? How |
25 |
> much all work hours spent on Gentoo cost? How much its reputation |
26 |
> acquired over ~20 years costs? I have no easy answers for these |
27 |
> questions, but I assume Y is not small. |
28 |
> |
29 |
|
30 |
My point is perhaps less the size of Y, and mostly that the size of X is |
31 |
small. The Foundation has about 120k in the bank, so the security we can |
32 |
fund is limited. E.g. below you discuss supply chain attacks, but the |
33 |
foundation cannot afford to build a secure supply chain for the hardware it |
34 |
might purchase; and developers use hardware outside of this supply chain |
35 |
anyway. This basically leads to an security assumption: |
36 |
|
37 |
- Our supply chain is not secure (because we don't really have one.) |
38 |
- Attackers who can attack the supply chain can attack Gentoo. |
39 |
|
40 |
Note that this is no different than most companies; so I don't think we are |
41 |
*worse* off for having this stance. Is it not ideal? Sure. But its what we |
42 |
can afford. |
43 |
|
44 |
|
45 |
> > This is true throughout the industry. Security is a series of cost |
46 |
> benefit |
47 |
> > tradeoffs. For example, car keys are generally fairly high quality with |
48 |
> > extra security features (e.g. an Immobilizer and encrypted or rotated |
49 |
> > codes) vs a set of housekeys. Housekeys can typically be made for < 5$ |
50 |
> per |
51 |
> > key at a machine in a store, and the locking mechanisms range from about |
52 |
> > $20 to $400+. All of these features are moot if the attacker wants to be |
53 |
> > loud. The CIA lockpicking manual[0] for instance has a conclusion that is |
54 |
> > basically "you can probably drill out the lock and replace it faster than |
55 |
> > you can pick it." |
56 |
> |
57 |
> There are plenty of doors and locks with protection from drilling |
58 |
> out locks or cutting hinges protection :) And they are not that |
59 |
> expensive at all. |
60 |
> |
61 |
|
62 |
I'm not aware of anyone selling an unbreakable door. Even the 'protection' |
63 |
you mention is not full proof. What it does is requires more noise (bigger |
64 |
saw, for locks, typically) and more time for the attacker to spend; and |
65 |
more noise for the attack. These are all good attributes as they increase |
66 |
attack risk. The security key is IMHO, similar. Attackers have to spend |
67 |
1000$, they need to find someone who can extract the material (maybe the |
68 |
attacker lacks this capability in house, etc.) |
69 |
|
70 |
|
71 |
> |
72 |
> > Safes are similar[1], and are rated for various 'times it takes a skilled |
73 |
> > person to break into"; many of the higher ratings require anchoring as |
74 |
> its |
75 |
> > unlikely for attackers to gain lots of time with a safe unsupervised, so |
76 |
> > they steal the safe and work on them offsite where time is more easily |
77 |
> > available. |
78 |
> |
79 |
> The only goal of every physical safe is to give some *time* if an |
80 |
> attack (either break-in or fire) is ongoing. This doesn't apply to a |
81 |
> repository or infrastructure protection we're discussing — unless |
82 |
> we're discussing how long it will take to break through good |
83 |
> symmetric encryption, but apparently we want to protect from other |
84 |
> attack vectors. |
85 |
> |
86 |
|
87 |
|
88 |
|
89 |
|
90 |
> |
91 |
> > So when you make a counter argument like "well the attacker could |
92 |
> > physically come take your token and spend 1000$ extracting the key" my |
93 |
> > assertion is not that "well that is impossible" my assertion is that |
94 |
> > "Great, the attacker has to *physically steal my key* and commit a crime, |
95 |
> > then spend 1000$." The whole point is to make the attack annoying and not |
96 |
> > worthwhile, not to literally make it impossible. |
97 |
> |
98 |
> One may loose a key accidentally or it will look like an accident, |
99 |
> especially after a social event. It will be hard to impossible |
100 |
> prove any criminal intent if someone will just find your token. |
101 |
> |
102 |
|
103 |
Again, this is a very expensive attack. I'm not worried about it, because |
104 |
people willing to spend money can already break into Gentoo. |
105 |
|
106 |
|
107 |
> |
108 |
> Furthermore tokens may be busted during shipment or production. |
109 |
> This will almost nullify their security. These are very vulnerable |
110 |
> operations easy to backdoor and hard to make them secure. |
111 |
> |
112 |
|
113 |
The computer I generated my keys on also lacked a secure supply chain...so |
114 |
I'm not sure how this is any worse. At some point you must accept risks; |
115 |
otherwise building anything becomes too expensive. |
116 |
|
117 |
|
118 |
> And last but not the least: laws are quite different in different |
119 |
> areas and it is dangerous to rely on them for information security. |
120 |
> Usually they are the last line of defense when technical means fail. |
121 |
|
122 |
|
123 |
I'm seeing a lot of 'security keys are bad' and FWIW I appreciate the |
124 |
skepticism of the idea. However, I am looking for a bit more constructive |
125 |
feedback here. Lets say we don't buy keys; do you have any ideas on how we |
126 |
can improve the security of our GPG infrastructure? |
127 |
|
128 |
-A |
129 |
|
130 |
|
131 |
> |
132 |
> Best regards, |
133 |
> Andrew Savchenko |
134 |
> |