Awesome Stuff: Security Hardware For The Masses
from the stay-safe-now dept
Securing your computer and phone are something that is increasingly important, especially in light of all of the stories about privacy intrusions we’ve been discussing the past few months. For the most part, the average person has tended to rely on software-based security offerings, rather than hardware. While company may invest in hardware solutions, that’s always seemed to be a bit too much for the average consumer. However, perhaps that’s changing. This week’s awesome stuff covers three crowdfunding campaigns, looking to build different types of secure hardware for the mass market.
- First up, we’ve got the amusingly named, Don’t Snoop Me Bro (or DMSB for short). It’s a VPN in a box. You hook it up to your network and turn the key (literally, it has a physical key) and it turns on a VPN tunnel via a VPN service routing your data through another country. These guys sent me a prototype to check out, and it looks interesting (though won’t work with my network setup). They’re still deciding what VPN service provider it will use, and it seems like that’s something that could make a difference in terms of overall usefulness. Of course, you can already pay for a VPN service that just runs on your computer (I’ve got a couple), but the DSMB guys properly note that those aren’t always the most user friendly and they only secure the one device, rather than the entire network (of course, they also work outside of your home/office). Still, if you’re looking to VPN tunnel your home network, this is an interesting project to check out:
- Another project with a great name is the Tuit mobile security ring. With all the talk of Apple trying to make security easier via their fingerprint ID reader, lots of people have pointed out that it’s dangerous to have a security token that can’t ever be changed — such as your fingerprint. Of course, plenty of people like the general ease of use of the fingerprint reader over a pin or password. The tuit project seems to be an interesting attempt to offer a better solution overall, creating a ring that uses NFC (near field communication) to unlock your (Android only, it appears, though there are stretch goals for Windows) phone just by touching it with the ring on your hand. In other words, the theory is that if you’re holding your phone, it’ll unlock automatically, but no one else can do that, unless they take your ring or hold your hand up to it. It’s obviously not perfect security since someone could get the ring in some way, but it does seem like a nice idea in terms of good convenience for the user (since many people don’t use any lock screen at all because it’s too inconvenient) while still creating some security, especially if the phone is taken from you. Also, as they note, you can still use a password to lock the screen and make it much more complex, since you won’t have to type it in so often.
- Finally, we’ve got the not so wonderfully named Qi4BOX, which is a USB key that encrypts all your local documents and documents in your Dropbox account. I’d imagine it’s really only useful for those who are big time Dropbox users, but it’s an interesting approach as a way to try to make the documents you put on Dropbox even more secure, without making it more user-unfriendly.
That’s it for this week… stay secure.
Filed Under: awesome stuff, encryption, hardware, nfc, passwords, security, vpns
Comments on “Awesome Stuff: Security Hardware For The Masses”
VPN
PrivateInternetAccess already sells different routers with VPN built-in. Different prices and different speeds and capabilities. So what is new about “Don’t Snoop Me Bro” ?
Re: VPN
Keyed switches are cool?
Re: Re: VPN
Probably very easy to hack the switch so what’s the point?
While many of these seem well intentioned, the hardware is anachronistic. Truly secure hardware needs to be built from the bottom up, you can’t secure a system with accessories.
Re: Re:
True security is impossible, as it would require complete openness and transparency on every level – design, manufacture, assembly. You’d also need everything to be open-sourced on the software side, right down to the BIOS and all the firmware and microcode. And while you’re at it you better compile all that code yourself and have a way to get reproducible binaries from said code regardless of the build environment. And of course always keep the secure device in your windowless, soundproof, EM-shielded basement that you never let anyone else into. Then you should be fine, at least until they crack quantum computing.
Re: Re: Re:
On the software side those problems you describe have been solved by TOR and MAME.
MAME has a way to build binaries consistently over many platforms that is why every ROM they produce is exactly the same no matter what machine you use at least as SHA1 is concerned.
About EM-shielding, well you can always knit a bag with metal treads.
knitkitjewelry blog: Knitting with Wire
kobakant blog: Circular Knitting Machines
Open source firmware can be found already.
http://www.openfirmware.info/Welcome_to_OpenBIOS
http://www.coreboot.org/Welcome_to_coreboot
https://www.fsf.org/campaigns/free-bios.html
Open hardware
http://www.ohwr.org/
It is not impossible is just hard.
Still I agree 100% security may be impossible, but you can have high security using open source and open hardware.
All that hardware can be made at home except from the silicon, those still need some specialized equipment mainly optics and high vacuum quality chambers to be produced properly.
Because it is still difficult this could be a market where anyone with some electronics knowledge and capable of building things could start a business.
Still, people can be more secure if they really want to.
Re: Re: Re:
I can’t help but nitpick this a bit. You probably mean 100% security, and if so, then you’re right.
But effective security is totally possible, because whether or not something is secure isn’t a technological question. It’s an economic question: something is effectively secure if the cost of obtaining the information exceeds the value that information. It’s not a matter of “can they break in”, it’s a question of “is it worth the effort”.
The vast majority of information you wish to keep secret (personal correspondence, credit card numbers, medical records, etc., etc.) is actually fairly low-value in market terms. It’s high value to you, but not to anybody else. For example, your credit card # is only worth a buck or two on the black market.
It doesn’t take anything near 100% security to make it uneconomical enough to get that information that thieves wont’ bother.
If you have information that is high value to everybody, then you should be taking extraordinary measures to secure that information. For example, you should not be placing it on any device that is connected to a network, you should be paying attention to the physical security of it, etc. In short, there is no, zero, all-in-one technological solution for this sort of problem. Real security is all-encompassing, involved technological aspects (encryption, etc.), physical aspects (safes, guards, etc.), and behavioral aspects. Being weak in any of these means that your security as a whole is weak.
Third party VPN’s are not an option specially since the US has access to foreign countries that was the whole point of them “sharing” raw data with other agencies around the world.
When someone comes up with an anonymous P2P VPN now that would be a game changer.
Re: Re:
I’m not sure what you mean by “anonymous P2P VPN”, but VPNs that can accomplish both anonymity and don’t need a central server have been around for a very, very long time. I’ve been using one daily for about 10 years now.
Ah yes, capitalism strikes again! Privacy theater can be yours for only 10 easy payments of $19.99. We don’t need to bother providing pesky details like security protocols, implementation standards, source code, or VPN provider choice.
You can’t trust anyone, so Trust Us. We’ve put the key in your hands!
P.S. Here’s a random quote from Bruce Schneider that may or may not have anything to do with the product we offer.
Re: Capitalism
Like Communism has done anything better?
Re: Re: Capitalism
Those really aren’t the only two choices, you know.
“Don’t Snoop at Me Bro” produced in Somerville, Massachusetts, United States. Rigorously quality tested and approved by the best in the field, NSA. Privacy guaranteed every time, any time and at every man in middle point you can imagine.
See: It makes no sense to me to lock DSMB in to a specific VPN provider. Zero sense at all. It makes more sense to make it modular. All it has done is make a single point of failure for the whole system. Do they seriously believe the NSA wouldn’t jump at the opportunity to have everyone using a single system connected to a single service?
Honestly I would not trust any VPN right now including TOR. The NSA just has far too much power and if they’re tapping your connection at the ISP level no VPN will save you from that. I’d maybe trust it if the decryption was done via an alternate route. “Over the phone or whatever.”
Still that’s watched as well so it could never be 100 percent.
There has to be unencrypted communication fist or how else would you make the handshake? Magic? Akio, bum?
Plus tapping at ISP level allows them to directly inject malware without even having to open an infected site. It could be done anytime they feel like it as long as your connected.
Yes it could be safe, but what happens once the NSA forces them to start handing over their global keys that the software relies on?
Only a few things could happen-
1. They give the key up, shut the fuck up, and continue to run an unsafe services.
2. They refuse and keep their service running at the risk of some extremely serious charges based on absurd laws.
3. The refuse and close their doors.
Their price to keep us “secure” is just too high for me. I hate actual terrorist just as much as anyone. I’m sorry, but I do not fear their fake spoon fed confession terrorist that mostly consist of 40 to 50 year old borderline retards that can hardly take care of themselves.
Whoops I’ve veered off the orig topic. Did I mention I make a n awesome apple pie? 😉
Re: Re:
There is no reason to not trust the concept of encrypted communication over the internet. That is blind fear of black NSA magic which simply does not exist. The biggest fear to be had of the NSA is their political magic along with the big scary men holding guns that follow their commands.
Even they have admitted that standard implementations of encryption are generally secure. Their workarounds is to force everyone else to talk to them and circumvent you, the user. If your VPN provider isn’t playing their game, then there isn’t too much they can do about that except sick their gun-wielding goons at them. So the trick is to find a place where they can’t send their gun-wielding goons without international incidents occurring. And THEN you can start worrying about the VPN following proper protocol.
Which btw, proper protocol is using all those popular standards that you seem to feel are ineffective against their spying. Those popular standards are still mathematically difficult, and the NSA hasn’t found the spell they have to cast to make their computers able to break them in real-time. So it’s therefore logical to believe that as long as you can trust the VPN provider (The hardest part by far) and trust that you have the proper protocol in place (You’re using a program like OpenVPN) then you’re safe. Your communications are being watched, but there isn’t an easy way for the NSA to make any sense of them.
We all know it’s impossible to have 100% security, but it’s like a game of outrunning bears, you only have to be faster than the other 90% of people who are also running away.
The ring and Q4 box (I’m just going to call it that) seem like good ideas.
With the ring, I have problems trusting any security implementation that uses wireless no matter how weak the field supposedly is. It reminds me of the attacks on credit card RFIDs that were supposed to be about the same range as the ring. Where does one put their hand anyway? On doorknobs, on counters, they shake them with other people, the whole time waving around their half of the security token. I would almost prefer if it was in card form or QR code form that had to be visually recognized by the phone for it to unlock.
Re: Re:
A thousand times this. There is no signal so weak that it can’t be read at a distance. Radio astronomy is all about reading microvolt signals over vast distances. At worst, a weak signal means you need a bigger antenna.
Re:
LEt?s get off topic and take the tangent down infinity.
Don’t Snoop Me Bro and Qi4BOX look nice, but stay away Tuit. It, as stated by it’s Kickstarter page, uses RFID. RFID signals generally are not sourced very well and sometimes are not sourced at. Listen to (or read the transcript or) Security Now episode 278 or watch on it YouTube.
For Dropbox
For Dropbox (and Sky Drive and Google Drive), what’s wrong with Cloudfogger? Local 256 bit AES encryption.
Raspberry Pi or any compact computer plus stuff like Ipcop (standalone firewall) and you have the perfect security for very little. I’m imagining you would be able to set a vpn via such solution (maybe not using Ipcop but rather the full Linux installation with the proper software) before your router.
The first solution seems to be the best idea in my opinion. Poorly executed though, you could provide a dumb-proof ui so the person can set up a custom vpn.
DSMB
Am I the only one who looks at the DSMB tunnel and thinks about swapping out the letter S for U? Was this intentional? At least they didn’t call it the SWART tunnel.
Security
That ring seems like as good an idea as any. Although, it would make more sense to me if they were to create a component that can be stored on your person, at work or at home that can deactivate the ring. Maybe a phone number that could be called. Interesting idea, but the ring does seem like just another trendy security measure with no real value above any of the others.