[Cryptography] Using Raspberry Pis

Mark Smith mark at halibut.com
Mon Aug 26 18:04:44 EDT 2013


I was pointed to this list by a friend of mine who thought I'd be
interested in this discussion, and indeed I am.  I intended to lurk for
a while before posting, but this discussion so perfectly fits with a
SkyTalk I gave at DefCon last year (DC20, not just a few weeks ago)
where I proposed this very thing:  A small home-router type device that
contains everything that I do on-line, such as Email, IM, DNS, my node
in that mythical federated social network that doesn't really exist,
etc.  (I'm kind of embarrassed now that I was promoting Diaspora at the
time. *sigh*)

Unfortunately, the realities of my life are that I haven't done anything
about this, but I did get a few emails after my talk from people saying
they were.  'course, I haven't heard anything SINCE then so who knows.

Anyway.  In case any of you are interested, my talk is available here:

https://archive.org/details/skytalks_defcon_20_taking_back_our_data_smitty_2012_07_27

I'd be interested in hearing your comments or thoughts.  If anything
strikes you as a good idea, by all means use it.  While I'm interested
in seeing this happen, the realities of my life are that I'm unlikely to
be the one to do it.

Specifically, I'd love to be told why something like NameCoin
distributing both DNS server and domain-limited CA certs would NOT
work.  There is the issue of scale with block-chain technologies like
that, but is that the ONLY thing?  Or is there a fundamental problem
with the technology?

-Mark

On 08/26/13 14:43, Perry E. Metzger wrote:
> On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Baker
> <hallam at gmail.com> wrote:
>> I really like RPis as a cryptographic tool. The only thing that
>> would make them better is a second Ethernet interface so they could
>> be used as a firewall type device.
> You can of course use a USB ethernet with them, but to me, they're
> more a proof of what you can do with a very small bill of materials.
>
> If you're designing your own, adding another ethernet (and getting
> rid of unneeded things like the video adapter) is easy.
>
> Custom built hardware will probably be the smartest way to go for an
> entrepreneur trying to sell these in bulk to people as home gateways
> anyway -- you want the nice injection molded case, blinkylights and
> package as well. :)
>
>> The main con is that they are not so fast that you want to be
>> routing packets through them unnecessarily. So they are a great
>> device to make use of for connection brokering, not such a great
>> idea to tunnel video packets through them.
> Not sure that's really true for normal home networks. The current
> average home NAT box is, in fact, a CPU in this class running Linux,
> so we have proof of concept of them pushing packets fast enough
> running in millions of homes. The processors in question are also
> quite cheap, and only getting cheaper and more powerful -- multicore
> will be universal before long.
>
>> So I would like at minimum such a device to be my DNS + DHCP + PKI
>> + NTP configuration service and talk a consistent API to the rest
>> of the network.
> Not an unreasonable goal -- particular details of what software is
> running depend on what one's final application mix is.
>
>> Putting a mail server on the system as well would be logical,
>> though it would increase complexity and more moving parts on a
>> trusted system makes me a little nervous.
> Modern Linux systems have pretty good MAC and similar security
> hardening available. They're a pain in the neck to configure, but if
> you're handing people firmware, that only has to be done once. It
> isn't perfect but it is better than what almost anyone has at home
> now or what they rely on elsewhere.
>
> (I would prefer to see hybrid capability systems in such
> applications, like Capsicum, though I don't think any such have been
> ported to Linux and that's a popular platform for such work.)
>
> In the long term, of course, I'd like to see the work in seL4
> extended to open source systems, but that's a very long term goal.
>
