log☇︎
753100+ entries in 0.51s
ninjashogun: you're on the couch on your iPad, want to sign something an email it. Are you going to keep your key on your iPad?
ninjashogun: BingoBoingo - I learned of this literally 20 minutes ago. My improvements already have something that can at least theoretically work with an iPad and iPhone, which loads of people do their surfing on in the evening, and certainly don't want to keep keys on.
BingoBoingo: Honestly the improvement from USB would probably be RS-232
ninjashogun: dignork - but then they could no longer treat it as a mass-storage device.
dignork: ninjashogun, alternatively, you could tunnel over usb
ninjashogun: Again, none of this is to take away from the design as I've already read about it here. I like it a lot.
ninjashogun: I don't think packet sniffing is a problem if you tunnel over it.
ninjashogun: Better than it can a usb subsystem, yes.
BingoBoingo: Sure, but your wifi broadcast traves how far from its point of origin?
ninjashogun: on an iPad and iPhone, you can copy the text, connect to the brick's wifi, paste it, copy the result, and then reconnect to your normal wifi. These things don't have a USB stack at all.
ozbot: Mozilla Firefox is exploited four times at HP's Pwn2own hacking contest- The Inquirer
BingoBoingo: For all of the "work" on Wifi and browser security neither is particularly secure
ninjashogun: I disagree, I think firefox running javascript is one of the simplest things to develop and target 100% of PC's with. Also it would work on some tablets, which have no USB subcomponent at all, but do have copy and paste and wifi connections.
BingoBoingo: Wifi and browsers are never the simplest things
ninjashogun: BingoBoingo - I always consider the simplest hting that could possibly work.
BingoBoingo: ninjashogun: Have you considered that rather than leveraging a complex behemoth of other people's work which was produced with the potential of malice towards your intended cause, you could just make something simpler.
ninjashogun: asciilifeform, if I can have up to a 3 year grace period I would accept that with the full $22.5K.
ninjashogun: on the $7-$22.5K?
ninjashogun: what is that APR?
mircea_popescu: i tihnk it's been enough for a day tbh.
asciilifeform: BingoBoingo, mircea_popescu - be so kind as to take care of our dear guest. i'ma lie down now.
ninjashogun: Fine, you can take advantage of that; you can make us of it; you can profit from it; you can be an indirect beneficiary of it; you can depend on it; you can rely on it; you can take it for granted
mircea_popescu: i despise the entire thinking process that got you there.
BingoBoingo: Like leveraged gambling... Until they come for your kneecaps
ninjashogun: what, do you not like the word?
BingoBoingo: asciilifeform: ninjashogun: remember to ground the faraday cage
ninjashogun: Overall I would suggest you consider it due to the amount of security attention that 1) the WIFI stack 2) browser communications, have received. You can leverage that.
asciilifeform: and to me they are not the least bit similar.
asciilifeform: i don't have anything against a man who eats turd. but i will eat, and serve my friends, sausage. not turd.
asciilifeform: 'browser'? 'javascript'? 'ssl'? no thanks
ninjashogun: (my hardware has future versions as well, that we haven't done any work toward)
ninjashogun: asciilifeform, this is not to take anything away from cardano - I like it.
asciilifeform: ninjashogun: cardano is optionally usable inside a faraday cage. put that in your pipe & smoke.
ninjashogun: dignork - hmmm.. Well, on Mac and Linux you could do an md5sum or sha1sum on the javascript before you run it. On Windows you can only use a custom certificate, signed by yourself, and know the issuer.
gribble: An Introduction to TEMPEST - SANS Institute: <http://www.sans.org/reading-room/whitepapers/privacy/introduction-tempest_981>; NSA TEMPEST Documents - Cryptome: <http://www.cryptome.org/nsa-tempest.htm>; NACSEM 5112 NONSTOP Evaluation Techniques - Cryptome: <http://cryptome.org/nacsem-5112.htm>
asciilifeform: ;;google NONSTOP TEMPEST
ninjashogun: the wifi connects either a) to your device or b) to a MITM that connects to your device
ninjashogun: it makes sense to me. You can always assume any computer will have javascript, and a wifi.
mircea_popescu: BingoBoingo bout a dozen in the bucharest residentura.
mircea_popescu: a javascript pki tunnel
BingoBoingo: I wonder how Many interns have been charged with reading trilema nao.
ninjashogun: dignork, it doesn't matter who firefox trusts. You can run a complete tunnel using javascript all the way to the final end-point. The whole point of PKI is that it doesn't matter who sniffs packets.
asciilifeform: but essence is: there is an amplifier. it takes a small signal, uses it to modulate a carrier wave
mircea_popescu: apparently somehow they still don't see me coming, it's fascinating.
asciilifeform: i wish i had the energy to explain here, for stone age man, how a radio works
diametric: mircea_popescu: I enjoy your style of writing, and I wonder if she was prepared for that kind of response. I'm highly interested to see if anything else comes of it
asciilifeform: (not to be confused with 'TEMPEST')
asciilifeform: our friends at ft. meade call this 'NONSTOP' ☟︎
asciilifeform: watch the output with a receiver, see the little fuzz on the wave?
asciilifeform: ninjashogun: suggested experiment. take a radio transmitter (a household walkie-talkie will do) and transmit, with a computer sitting nearby. ☟︎
dignork: ninjashogun, your Firefox will trust almost any certificate, unless you'd verify it manually
ninjashogun: However, the current version transfers files in the plain over the USB protocol. it is 100% vulnerable to a USB mitm - which could probably be made so small that it almost fits in a usb drive.
diametric: mircea_popescu: your email exchange with the "SEC" is fantastic.
ninjashogun: and it doesn't matter if there are devices in the way.
ninjashogun: asciilifeform, packet capture is not a concern because you can establish a higher secure channel from Firefox on the computer all the way to the final device. This is possible because hte device can have a known fingerprint.
asciilifeform: don't take my word for it
asciilifeform: ninjashogun: wifi mitm takes all of five minutes to set up.
ninjashogun: etely defeating the MITM.
ninjashogun: What changes with Wifi? Well, you can still have a man in the middle, but it would be much more prohibitive. It would need a complete access point that connects to the device masquarading as the computer, while exposing itself to the computer and hiding the true signal from the computer. It's possible, but more difficult. And in the end the computer can do a complete secure session (in javascript with the browser) compl
asciilifeform: BingoBoingo: but in that version, you lose the card crypto
ninjashogun: I mean it retains no knowledge of what it signed. The person can't go home and check everything they've signed.
ninjashogun: BingoBoingo, since this device as described does NOT retain the signed document in memory, it is therefore signing something without knowing what it is, if it has been transferred between the PC and storage medium.
asciilifeform: BingoBoingo: there is a version of the apparatus (exists on my desk only, for foreseeable future) with no cables. slide cards in/out.
ninjashogun: BingoBoingo, also, in my personal opinion as a security observer, a man in the middle attack with a PC (or laptop) being opened, and a second usb host being inserted between the real USB and the device, whose purpose is to subtlely alter what is being signed, is a very real risk.
BingoBoingo: ninjashogun: I mean why not some sort of cable that might only incidentally happen to function as an antenna, for which shielding is possibly. WHy demand an active antenna throwing your bits around?
ninjashogun: BingoBoingo, however, it is absolutely doubtless that wifi protocols get roughly 100x as much security research as the usb protocol does.
ninjashogun: BingoBoingo - you are right and for this reason I probably shouldn't ahve called it an "air" gap.
asciilifeform: BingoBoingo: our friend is either trolling - or slept in a cave for years
mircea_popescu: asciilifeform so what was so bad about independence ? (trying to educate myself)
BingoBoingo: ninjashogun: Doesn't Wifi violate the intent of an airgap even if there is "air" involved
ninjashogun: and I like the basic idea of not having your key on another PC.
ninjashogun: But this is not to detract from what you've done, asciilifeform (and mircea_popescu ?) Overall the device is a VERY good step.
mircea_popescu: how did that split ? 15/85 ?
asciilifeform: then we got on the plane.
ninjashogun: I think wifi security has more attention paid to it, yes. Even when it's broken. Many eyes make security deeper.
mircea_popescu: yes, there was a referendum neh ?
ninjashogun: I think there are a lot of unknowns over USB and it is a frequently underestimated attack vector, with very little security research being done.
mircea_popescu: but srsly, what are your politics on the matter ?
ninjashogun: :) I undrestand what you're doing with the USB thing. However, I, personally, do not consider USB stacks to be very secure.
ninjashogun: I think this would be an interesting application for using one's private key without having it in one's possession.
ninjashogun: mircea_popescu, in fact it could be set to ONLY sign/encrypt/decrypt the next 1 message or 2 messages. So that it can't be stolen off someone's body, as it's in theri home and will only sign the next 2 things.
asciilifeform: mircea_popescu: 'watch this video of Yanukovych’s snipers murdering unarmed protesters and tell me who the real fascists' << lol
ninjashogun: mircea_popescu, Why not? assume that the other end is in the person's home. Then the wireless key is truly unusable.
ninjashogun: mircea_popescu, let me think about this.
mircea_popescu: with the dongle as a central server
mircea_popescu: to further save costs, the entire thing could be done over the web, as an app
asciilifeform: trolling or total ignorance of the engineering realities. which?
ninjashogun: it could also come iwth storage, so that it could be used as a "wireless storage device" (thru the browser). rather than have to plug and unplug a usb stick.
ninjashogun: it would also save a connect and disconnect. And can be done unobtrusively at a computer, without having to insert a USB stick.
asciilifeform: ninjashogun: wifi. with ssl, right. troll much ?
asciilifeform: 'he crowds in Kiev, which can swell up to a million on a good day and are always in the hundreds of thousands, are there out of their own homegrown sense of outrage, not because some State Department bureaucrats willed them there' << author knows, or not, what it costs to feed & shovel shit for 1M-strong crowd ?
ninjashogun: this suggestion isn't for the current version, which as a piece of hardware is great.
ninjashogun: is more resilient than a USB stack against, for example, man in the middle attacks (if someone knows that you will use that usb drive they could put a fake USB controller in that MITM attacks it.
ninjashogun: asciilifeform, I have a suggestion for your next version. My suggestion is that the air gap with the computer be maintained, by running (a different brick) that is a wireless access point. You can connect to its wifi and use Firefox on localhost to upload and sign or upload and encrypt/decrypt files, which it would then serve back. This requires a computer with access to WIFI. However, I think in general a network stack
mircea_popescu: im starting to like pando
ninjashogun: So, I like the idea very much.
asciilifeform: used to just piss thing out into emacs orgmode but it helps when people harangue you to remember shit.
mircea_popescu: half why i even keep that blog, if i didn't write the shit up i'd end up forgetting it all.
mircea_popescu: me too
asciilifeform: mircea_popescu: the intro thing? one of us did