One of the more valuable tools in the arsenal of computer security is the Airgapped Machine.[i]
Thirty years ago everyone's machine was airgapped by default, there not being an Internet to speak of. Viruses for MS-DOS still existed, spreading from one machine to the next through the services of rewritable media,[ii] such as flexible diskettes. It is therefore incorrect to assume that an airgapped machine is immune to all threats by simple virtue of the gap. Airgapping a machine is just one step towards a solution for a particular problem, and by no means a complete cure.
That problem is the machine reading and writing outside of the control of its operator.[iii] Removing the ability to Internet is an Alexandrine approach to the Gordian knot problem of how to properly secure Internet communication so that the machine actually obeys its owner - the simple fact of the matter is that there's absolutely no other solution, at least nothing available to the mass market[iv] - but even with the Interknot cut, the machine will still need some help to remain secure. Let's look into all the details of that.
- You want all new hardware, don't reuse stuff that was already online.[v]
- You want old processors, and to a lesser but present degree old motherboards. Don't use stuff made after about 2006 or so.[vi]
- You don't want SSD hard drives.[vii]
- If you are able to brew your own set of hardware, such as for instance out of ARM processors, or FPGA boards which you program yourself, or soldered together Z80s or whatever else, it's a great idea to do so. Just as long as you actually know what you're doing, this sort of arrangement increases the costs of attacking your setup astronomically. It's not likely practical for most people, but if it's practical for you then by all means - and in any case the attempt will likely leave you a lot wiser.
- A laptop is better than a desktop, because battery operation increases your resilience to particular surveillance attacks.[viii]
- Ideally you want shielded displays. One way to go about this is correctly caging the monitor.[ix] Another way to go about this is buzzing the monitor.[x] The more common way is distance : if your battlestation is in the middle of an otherwise deserted acre of land it's somewhat unlikely that your waste EM is being captured by an attacker.
- You don't want any extra hardware, such as for instance wireless adaptors or Bluetooth/infrared devices. Physically destroy them if present, preferably by dismounting their controller chip off the board.
- You must have good quality hardware entropy sources. Avalanche diodes marginally make that cut, but Geiger counters are the golden standard.
As you can see, some of these are difficult and some even contradictory. Such is life. In practical terms, the serviceable, mass market device would be an old laptop bought off of some anonymous marketplace (Craigslist, whatever), with its various wired, wireless and infrared connectors permanently disabled ; whereas the upscale device would be some FPGA concoction with massive shielding and retina scanners because why not.
It is unlikely that in any practical application the cost differential between the two is justified,[xi] much like the cost differential between a Honda Civic and a Ferrari roadster is not justified in the common use case - you're going to be waiting for the same lights and in the same traffic jams regardless.
- You will use Linux, bitch.[xii]
- You will download a standard, well known and amply maintained package,[xiii] in that form intended for non-Internet installation on a reasonably secure machine, and proceed to burn it on a CD / move it to a stick after you've verified its checksums. You add whatever packages you conceivably need and want.[xiv]
- You will install these packages on your airgapped machine, low level formatting all disks in the process. You will immediately proceed to permanently remove all those packages you don't want. Such as for instance avahi and other hipsterish pieces of shit.
- You're not advised to use or rely on "full disk encryption". It is immature technology that as of yet does not work.[xv] Instead, use gpg on a per-file basis.
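The checksum step in the list above, as an added example (not code from the post): a verifier for the SHA256SUMS file that distributions publish beside their images, in the `<hex>  <name>` / `<hex> *<name>` line format that sha256sum(1) writes and reads, meant to run on the downloading machine before anything is burned or copied. The `demo()` function uses a constructed directory with made-up file names and contents: one intact, one tampered, one absent.

```python
import hashlib, hmac, os, tempfile

def parse_sums(text: str) -> dict:
    """Parse sha256sum(1) output: '<hex>  <name>' (text) or '<hex> *<name>' (binary)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")  # drop the separator and the binary-mode marker
        if len(digest) != 64 or not name:
            raise ValueError(f"malformed line: {line!r}")
        entries[name] = digest.lower()
    return entries

def sha256_file(path: str) -> str:
    """Hash in 1 MiB chunks so a multi-GB image does not sit in RAM at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_media(sums_text: str, directory: str) -> dict:
    """Map every listed name to 'OK', 'MISMATCH' or 'MISSING'; burn nothing unless all are OK."""
    results = {}
    for name, expected in parse_sums(sums_text).items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        else:
            ok = hmac.compare_digest(sha256_file(path), expected)
            results[name] = "OK" if ok else "MISMATCH"
    return results

def demo() -> dict:
    """Constructed sample (made-up names and contents): one intact, one tampered, one absent."""
    d = tempfile.mkdtemp()
    image, extra = b"constructed image bytes", b"constructed extra bytes"
    for name, data in (("distro.iso", image), ("extra.tar", extra + b"!")):  # extra.tar tampered
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    sums = "\n".join([
        hashlib.sha256(image).hexdigest() + "  distro.iso",
        hashlib.sha256(extra).hexdigest() + " *extra.tar",
        "0" * 64 + "  missing.deb",
    ])
    return verify_media(sums, d)
```

Matching the list only proves the image is the one the list describes; the list itself still has to be authenticated (the distribution's signature over it), or a tampered download simply ships with a matching tampered list.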
This is it. Really, it's very easy to do. Learn to awk and learn to vi already.
The correct way to use your airgapped machine is without electronics. Take the time to type whatever you want into it - if it's not worth typing it's not worth considering, seriously now.
Alternatively, you can use optical means. One way would be to attach a scanner to your airgapped machine, and read printed sheets of paper into it. Damned hard to hijack anything through a black-ink based buffer overflow, you know ? Another way would be to have a QR code reader attached to your airgapped machine, and to read whatever you need into it in the shape of QR codes. This works well if you mostly need small snippets moved back and forth, such as Bitcoin addresses. Damned hard to hijack anything through the crafty use of QR code dots.
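For the QR code path above, as an added example that is not part of the original post: whatever arrives through the optical channel should be checked strictly before it is acted on, and for a legacy Bitcoin address that means Base58Check (restricted alphabet, length, version byte and the 4-byte double-SHA256 checksum). The encoder is included only so the check can be exercised on a constructed address; the sample hash160 below is made up.

```python
import hashlib

# Base58 alphabet used by Bitcoin addresses (no 0, O, I or l).
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58decode(s: str) -> bytes:
    """Decode Base58; each leading '1' stands for one leading zero byte."""
    n = 0
    for ch in s:
        idx = _B58.find(ch)
        if idx < 0:
            raise ValueError(f"character {ch!r} is not Base58")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body

def b58encode(raw: bytes) -> str:
    """Inverse of b58decode; here only so the check can be exercised."""
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out

def make_address(version: int, hash160: bytes) -> str:
    """Base58Check: version byte + 20-byte hash + first 4 bytes of SHA256d."""
    body = bytes([version]) + hash160
    chk = hashlib.sha256(hashlib.sha256(body).digest()).digest()[:4]
    return b58encode(body + chk)

def validate_address(text: str, allowed_versions=(0x00, 0x05)) -> bytes:
    """Return the 20-byte payload of a well-formed legacy address, else raise.
    0x00 = P2PKH ('1...'), 0x05 = P2SH ('3...'); anything else is refused."""
    if not 26 <= len(text) <= 35:
        raise ValueError("length out of range")
    raw = b58decode(text)
    if len(raw) != 25:
        raise ValueError("decoded payload is not 25 bytes")
    version, payload, checksum = raw[0], raw[1:21], raw[21:]
    if version not in allowed_versions:
        raise ValueError(f"unexpected version byte {version:#04x}")
    expect = hashlib.sha256(hashlib.sha256(raw[:21]).digest()).digest()[:4]
    if expect != checksum:
        raise ValueError("checksum mismatch")
    return payload

# Constructed sample hash160 (not a real key), round-tripped through the check.
SAMPLE_HASH160 = bytes(range(1, 21))
SAMPLE_ADDRESS = make_address(0x00, SAMPLE_HASH160)
```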
Significantly less secure would be the use of sticks and CDs to ferry information back and forth. This isn't really much better than simply having an Internet connection, but even so non-rewritable CDs are marginally better than sticks for the purpose, as they're (mostly) read-only media.
Also bear in mind that the least secure of these (USB sticks) kept Osama off the radar for a decade, so consider footnote 11 again.
Once you're done with your airgapped system, either because you're done or because you have a new one,
- You want the hard drive cooked. Solid state will require a serious incinerator,[xvi] but a traditional platter system once removed from its protective casing can be safely disposed of by for instance boiling in tomato juice. I know that's how I used to dispose of diskettes twenty years ago, and basically that's what it is, a stack of diskettes.
- Replace the missing HDD with a new one, install some basic OS and leave the laptop behind in public, such as in a park. Mission complete & the end.
That'd be about it. Questions are welcome below.
———
- [i] If you wish to see my credentials by the way, here's an example of an airgapped box. [↩]
- [ii] Cassettes, which mostly fed data into Z80s and their clones, required the user to deliberately push a red REC button to allow the system to write out, and as such viruses simply didn't exist in that medium, as they couldn't replicate. Once rewritable media became common, the virus was born.
To fight this exact problem, 5 ¼ diskettes, made out of flexible plastic as they were, included a cutout, which one could cover with purpose-made stickers. If the cutout was covered up the diskette became read-only. 3 ½ diskettes had a movable tab in their rigid body serving the same purpose. The tab was not removed, but instead refined and incorporated because at the time one could simply not have sold user-uncontrollable hardware, as a testament and indication of the much better quality available in the user pool at the time.
And speaking of which, Schneier's "the first company to market a USB stick with a light that indicates a write operation — not read or write; I’ve got one of those — wins a prize" is pisswasser. What's needed is the original diskette tab, a switch you throw rendering the stick read-only in hardware. [↩]
- [iii] Law I - Obeys operator [↩]
- [iv] Microsoft is of course Microsoft and everyone involved should spend the rest of their life in jail, but even Ubuntu, supposedly this heaven of niceness for the masses requires wget. Why would it require such a thing ? Ah, because connecting to the Internet may be useful, for the OS ? Ah, because hardcoding some quick behind the scenes phoning home is a "simpler" solution and "easier" to do ? Ah, because "users" want it anyway ?
Basically our modern security woes all boil down to a very definite issue with the current mentality of computer programmers - that the ulterior users are all whores, looking for nothing else but getting fucked, and certainly "asking for it".
For this reason I am not particularly interested in all the "women in IT" jazz being pushed these days - you may rape Adria Richards to your heart's content for all I care. What actually matters is changing this mentality that regards computer users as a flock of subservient, objectified, mindless women, the stuff of bad 1970s pornofiction.
We can count on scarcely any progress if over the past century overt sexism in the workplace has been "eradicated", only to be replaced with much worse, much more widespread, practically ubiquitous meta-sexism, embedded in the very design of the tools everyone uses all the time. I for one count myself wronged by all this "progress", as I personally wasn't liable to suffer from any sort of gender discrimination in 1913, but I am certainly going to be treated as a sort of Princess Leia in Jabba's hut should I make the mistake of walking into Windowstown. Or Ubuntu bar. [↩]
- [v] One of the reasons is that many bits of hardware, such as hard drives or processors, come with identifiers embedded, such as serial numbers etc. There's no benefit for you from these being previously known to the world. Another reason is that inasmuch as you're trying to keep your daughter from getting knocked up, her never going for a nude swim with a bunch of classmates is a better bet than her going for a nude swim with a bunch of classmates. Irrespective of how "They never did anything. Honest!".
More generally, the sexual approach to the topic is quite likely to serve you well. There's this well documented inclination of the human brain to solve problems much better in familiar contexts, so that one is much more likely to spot an arithmetic error in his restaurant tab than he is to spot the same error in some general discussion of astronomy, with no direct impact to his pocket. Consequently, always think of your airgapped machine as this slutty teenager that's constantly trying to get pregnant so she can be a star on Jerry Springer. With the current state of computing this isn't even far off anyway. [↩]
- [vi] The reason is that we're pretty certain many if not most of the processors made after that date were intentionally manipulated at the behest of the NSA in order to weaken their cryptographic abilities. [↩]
- [vii] For many different reasons, such as for instance described in IV. Disposal. Also because the wear-levelling optimisation most SSDs natively employ makes it nigh-on impossible to actually delete anything you ever put on them. [↩]
- [viii] In many cases the power cord acts as an antenna, which to some degree broadcasts descriptions of what's going on inside the machine it feeds. [↩]
- [ix] A Faraday cage is basically one huge ground. The cheapest way to implement this is making a sheet metal box and hooking it up to the ground (third pin) of a power strip. A more advanced solution uses dedicated, good quality grounding (such as a few square feet of corrosion-resistant steel mesh which you bury in your garden) and a visor (that's to say, an extension of the monitor cage towards you so that you rest your face on it when looking at the monitor). Any way you turn this it's going to be clunky and uncomfortable, but on the other hand both CRT and LCD displays can be trivially read with a spectrum analyzer, even through walls. [↩]
- [x] Have you ever noticed the effect of a cell phone call if the cell is right next to the monitor ? Basically to implement a good buzzer you'd have to study your equipment, see what frequencies it lets out, and place around it a few antennas making random noise in the same frequencies. [↩]
- [xi] It's important to remember that old lion joke :
Some guys are hanging out in the African savanna. Suddenly, there's a lion. Everyone starts running. One guy lagging behind asks the guy leading the pack "Hey, why are you running even ? A lion can run faster than any man.".
"I'm not trying to outrun the lion. I'm trying to outrun you."
- [xii] This point is non-negotiable. Unless you're writing your own OS, you're using Linux for this task. [↩]
- [xiii] Such as for instance Debian Sarge, or a stable RHEL or CentOS or w/e. Pick something you know well. If you must, one of the Ubuntu LTS versions prior to the insanity - that means 10.04 or so is the last allowable. [↩]
- [xiv] This absolutely includes gpg. This absolutely excludes "office suites" and "pdf readers" - get a converter if you must. [↩]
- [xv] How to Defeat Full-Disk Encryption in One Minute, to get a rough idea of the software approaches - this is not even going into freezing and reading RAM etc. [↩]
- [xvi] One hour spent at 1k Celsius or over should do it. [↩]