Du må være registrert og logget inn for å kunne legge ut innlegg på freak.no
X
LOGG INN
... eller du kan registrere deg nå
Dette nettstedet er avhengig av annonseinntekter for å holde driften og videre utvikling igang. Vi liker ikke reklame heller, men alternativene er ikke mange. Vær snill å vurder å slå av annonseblokkering, eller å abonnere på en reklamefri utgave av nettstedet.
  10 1784
Hei,


Hadde veldig lite liv og så mye på YouTube idag.
Da kom jeg over denne videoen fra Linus Tech Tips:

https://www.youtube.com/watch?v=sZKtHvbAk98

Hva synes folk? Er det noe dere kunne ha hatt.

Er dette en PC som kunne ha beskyttet mot politi beslag og uthenting av data etc.?
Sist endret av FreeMyKiwi; 14. februar 2018 kl. 22:05. Grunn: Tillegg av info
I have two of these, the M7 model with 480 GB, and the M3 with 120 GB.

The M7 is running Qubes OS 3.2, and the M3 is running Qubes OS 4.0 RC 4 (with some complications).

By design the USB-ports are not activated until after you have begun booting the operating system. You can change this to boot from USB by entering into the BIOS and rebooting twice.
With maximum security set up, you need to enter a six-digit pin to even be allowed to present the key-fob for validation. Move the key-fob away far enough - adjustable in the BIOS down to five meters I think - and as the presentation explains, the machine goes into sleep-mode.

And with qubes you can also set it up to use a yubikey for login. The USB-ports are hardened and the Intel Management Engine is pruned, it's running coreboot and so various attacks using BadUSB are not possible. Also of course Evil Maid attacks are impossible.

In fact there is no point in even encrypting the harddisk with software; it is already hardware encrypted. If you want though, you could also set it up with LUKS-encryption using the LUKS-NUKE option, so that if the wrong password is entered the LUKS-header is wiped and the HD becomes undecryptable.

This is the perfect device for keeping data private, in fact it is not even a "Personal" computer, it is a PRIVATE computer.

Want to make an external harddisk completely and utterly safe? Encrypt it with LUKS and put the header plus keyfile on the ORWL.
Congratulations, your external harddisk is now indistinguishable from a harddisk with completely random data, it isn't even possible to tell that it IS in fact encrypted.

I'm planning on setting these up with various solutions for various customers, depending on their threat model and custom needs & wishes.

Any questions, feel free to ask.
It comes with either windows 10 (lol), ubuntu, or qubes 3.2 preinstalled but you are free to install whatever you want on it.
Also you may wish to purchase some special hardware to make the most of the fact that there are only two USB-C ports, such as a USB-C splitter to 4 connectors, one USB-C power only, one USB-3.0, and two USB-1.0.
And a powered Anker USB hub for the other USB-C port which has a USB-C to USB-3.0 connector.
Sist endret av orwlr; 15. februar 2018 kl. 00:50. Grunn: Spelling
Queen of Blades
Jonta's Avatar
Crew
Thoughts on the "physically secure" ORWL computer av Joanna Rutkowska - 900 ord, verdt å lese
Sitat av Jonta Vis innlegg
Thoughts on the "physically secure" ORWL computer av Joanna Rutkowska - 900 ord, verdt å lese
Vis hele sitatet...
  1. ]Design Shift's response
  2. Criticizing Less Than Free Hardware

Key points raised by Oliver:
The secure MCU is proprietary to Maxim, just as nearly every integrated circuit (IC) is proprietary to its manufacturer - very few ICs are what anyone would call open.
As detailed in an earlier campaign update, the secure MCU is auditable so long as the auditor enters a NDA with Maxim. Far from ideal, but not impossible-to-audit.
Vis hele sitatet...
And by Byfield:
However, Joanna Rutkowska, the founder of Qubes OS, has criticized ORWL because it uses a proprietary microcontroller, Maxim Integrated's MAX32550 DeepCover Secure Cortex-M3 to verify firmware before boot and to control the power to the rest of the hardware. She does so with heavy sarcasm, quoting a statement from Design Shift, then supplying her translation. For example, she translates a statement about the microcontroller with "Our proprietary, impossible-to-audit, running nobody-knows-what firmware microcontroller (uC) has full authority over the boot process and execution of any system and apps running on our ORWL computer." Rutkowska goes on to mock Deep Shift's promise to release as much of the code as possible, explaining her tone as disappointment that ORWL is not completely free.

Dancing as Fast as I Can
The trouble with Rutkowska's comments is not that they are idealistic. After all, idealism built free software, and will probably build free hardware, too. At the absolute least, such idealism produces more satisfactory results than automatically settling for lower standards would.

The trouble is that the comments are not realistic. They are not the comments of someone with the responsibility for producing a product, presumably to a deadline, who may need to settle for less than perfection to stay on schedule. More importantly, they are apparently made without an awareness that free-licensed hardware is almost completely unobtainable.
Vis hele sitatet...
You do have choices, though.
There is the Talos II, the HiFive Unleashed, and of course the Librem 13 / 15.

But you have to, at some point, trust something. Spectre attacks show that not even the processors are trustworthy, so if you think somebody is after you with the resources of a nation state attacker... as Oliver aptly put it himself, "I think you should stop using computers altogether".
And that was over two years ago, when we didn't even know about these sidechannel-attacks.

Of which, frankly, there are many. TEMPEST-style attacks means you can order software defined radio boards and record your neighbour's keystrokes. Or, with proper antennas, see what's on their monitors.

The world is not perfect and criticism of imperfection is sometimes trivial as well as trite.
Sitat av orwlr Vis innlegg
But you have to, at some point, trust something. Spectre attacks show that not even the processors are trustworthy, so if you think somebody is after you with the resources of a nation state attacker... as Oliver aptly put it himself, "I think you should stop using computers altogether".
And that was over two years ago, when we didn't even know about these sidechannel-attacks.
Vis hele sitatet...
You do have to put your trust somewhere; the question you've missed is whether it should be put in proprietary technology or open source software. We all know open source can have problems, such as Heartbleed, but there we are able to verify a fix, and collectively learn. We are not as fortunate with proprietary soft- and hardware, as only a few people audit this, making it more a "security through obscurity" rather than giving a community of security minded people the ability to shred it to pieces.

So you've tried to make a point for security by "placing trust", but you did so at your peril, as you've asked people voicing for open software and the like, that because other propietary hardware failed as in Intel's case, we should trust you. I think I need not stress that you've made a false point in this.
Queen of Blades
Jonta's Avatar
Crew
Sitat av orwlr Vis innlegg
But you have to, at some point, trust something.
Vis hele sitatet...
I do.

To varying degrees.

If you tell me your name is Ksenia, I'll believe you. And I'll trust an unknown, sensible looking couple to protect my plate from being whisked away by a waiter at a café.

But if you tell me you've got a dragon that performs cold fusion in your garage, or the couple wants to keep my passwords safe: that's a different situation:

The first 2 situations are low-stakes, with a high probability of success

For number 3: I want science competitions with high prestige and monetary prizes, awarded to the teams that find the most flaws with your magical cyborg, confirmed by peer-review, openly publishing all findings, and tests to be performed beforehand, and other things that make for good science.

For number 4, I'll use a password-manager

And the scientists could be conspiring, and it's even more likely that there's something phishy about the password-manager

- We want to have to trust as few parties as possible
- Peer review etc. is more trustworthy than books from the bronze-age or the intel-lab

These things make me trust the contents and authors of your post less:
- "very few ICs are what anyone would call 'open'", is not elaborated on
- Something written using "heavy sarcasm" doesn't change the content's truth value, and mentioning the tone seems like a deflection
- "goes on to mock" cry me a river
- "They are not the comments of someone with the responsibility for producing a product, presumably to a deadline, who may need to settle for less than perfection to stay on schedule." - Joanna Rutkowska delivers Qubes OS
- "they are apparently made without an awareness that free-licensed hardware is almost completely unobtainable." - This was apparently written by a cry-baby who is pathetically grasping at straws, and wasting our time in doing so
_______

- Security is hard
- Important to get right
- You got critique from a prominent researcher in the field, for free
- Accept, thank, improve

wtb !TentPoleSecurityTheater
Well, we are at a little bit of an impasse when it comes to security now, because of Spectre-attacks.
Theoretical as they well be, depending on your threat model, pondering about their relevance may be... relevant.

Which the Qubes Bulletin (as of Jan. 11) does.

The two key take away messages, as I read them, is: Practice proper VM handling, such as:
1)
Don't run a higher-order security VM in Qubes OS whilst at the same time running a VM that is likely to be exposed to an attack (such as email phishing and spear-phishing).
2)
Get some expert advice if your operational status requires it, or build your own Raspberry Pi cluster. Airgapped.

Finally, it appears to me that the processor in question is doing well on the market: Embedded Security ICs Safeguard PCs and Payments
Til informasjon er det ingenting som tyder på at orwlr faktisk representerer produsenten av maskinvaren det vert diskutert her. Tvert imot er det ein del ting som tyder på det motsette.
Sitat av vidarlo Vis innlegg
Til informasjon er det ingenting som tyder på at orwlr faktisk representerer produsenten av maskinvaren det vert diskutert her. Tvert imot er det ein del ting som tyder på det motsette.
Vis hele sitatet...
That is correct, at the present time I do not represent Design-Shift as an authorized reseller.

I do however have some experience, and am also in possession of the specialized hardware that you need to reset an ORWL-machine that has been tampered with.

The video originally linked to may give the impression that if your ORWL experiences a tampering event (and wipes the hardware keys to the encrypted disk), it is broken, but no it just needs to be serviced (reset, basically) by somebody with the necessary equipment and skills to do so.

Currently that means either sending it to Taiwan, California, or me in Norway.

My apologies if chosing the username "orwlr" lead anyone to think that I represented that company.

For further information on the ORWL, please refer to https://wiki.orwl.org/index.php?title=Main_Page

It may be instructive in attempting to ask relevant questions.
Sist endret av orwlr; 17. februar 2018 kl. 13:03. Grunn: Automatisk sammenslåing med etterfølgende innlegg.
Sitat av orwlr Vis innlegg
The video originally linked to may give the impression that if your ORWL experiences a tampering event (and wipes the hardware keys to the encrypted disk), it is broken, but no it just needs to be serviced (reset, basically) by somebody with the necessary equipment and skills to do so.
Vis hele sitatet...
Skriv på norsk er du grei. Dette er så keitete formulert at det er umulig å lese det uten å høre stemmen og intonasjonen til Petter Solberg i hodet. Du lurer ingen; alle skjønner at du har norsk som morsmål.

Sitat av orwlr Vis innlegg
Currently that means either sending it to Taiwan, California, or me in Norway
Vis hele sitatet...
LOL!
Hvorfor i alle dager skulle noen sende utstyret sitt til deg?
Sist endret av Myoxocephalus; 17. februar 2018 kl. 14:44.
Queen of Blades
Jonta's Avatar
Crew
Kilde på at slikt utstyr i det hele tatt finnes?

Denne her er ganske så vag: https://wiki.orwl.org/index.php?title=Resetting_ORWL

Hvilke kvalifikasjoner har du?