[Cryptography] Vote of no confidence.

Bear bear at sonic.net
Fri Jun 6 15:08:27 EDT 2014


"A secure computer is one that is powered down and 
not connected to any network."  

We've all heard that before, yeah?  

I have a confession.  I believe it.

I realized I believe it when a financial services 
firm asked me to install a password manager on my 
phone.  On my android phone, which shares information 
with people whom I don't trust on a regular basis, 
where every "upgrade" to anything asks for ever-more 
access to personal information, contact lists, location, 
etc.  An application written by people I don't know.  
Who don't seem to give out any guarantees.  And who are
very reassuring that if my phone is lost, my passwords
won't be...  meaning they're storing a hell of a lot 
more than a hash.

And I said no.  I understand that the current wisdom
is that password managers are a good thing, but.... 
I just cannot trust the people who develop them and 
the environments they run on.  The complexity runs 
off beyond the horizon and I just can't say, for certain, 
that nothing else can see this thing in memory which 
this particular app is using.  

I do business with that company now, on the basis 
of a sixty-character password, which is complicated 
and slow to type and not stored in any electronic form 
anywhere.  It's stored on a "computer that's powered 
down and not connected to any network," along with a 
bunch of my other important passwords. But maybe 
"computer" is the wrong word.  It's actually an iron 
box with a padlock.  Also known as a computer whose 
security model is simple enough to understand and whose
operating system is known completely enough to trust.

And when I log in using that password, the company sends
my phone (which NEVER syncs on my computer) a nonce 
via SMS which I then enter to finish the login. 

There is no automatic authentication when the stakes 
are high.  That which is automatic, in an environment
where complexity runs beyond the horizon, I just cannot
guarantee will never admit someone else.  There is no
"password sync" between phone and computer...  because
I don't want the attack surface that comes with any 
electronic script-detectable association between the 
two.  I don't want to have to secure phone information
on my computer, and I don't want to have to secure 
computer information on my phone.  There is no "password 
wallet" in my browser, because I don't want my browser 
to store passwords.  Anywhere.  Ever.  Because I don't 
believe I can keep anything accessible to, or especially
managed by, a browser secure.  

My cryptographic keys (to bitcoin savings, SSH tunnels,
and some other high-stakes things) are no more complex 
than many of my other passwords, and I save them in the 
same way.  With ink.  On index cards.  In the iron box.  
With a padlock.  

I don't worry about a trojan horse program or a worm 
stealing my passwords when I'm not using them, because 
I'm reasonably confident that the restricted computing 
environment inside a padlocked iron box with no power 
supply, no CPU, and an index-card memory isn't complex 
enough for such a program to run.  

I could worry about burglars, I guess.  But a burglar 
would actually leave evidence - he might get something 
but I'd know he'd got it.  Further, a burglar has to 
spend time and effort and personal risk on each and 
every target, instead of writing some program to rip 
off the thousands of people who didn't patch the hole 
it exploits, leaving no visible evidence of the breach.
And then launching it anonymously from some Internet
cafe in a jurisdiction with no extradition treaties.  It 
just seems to me like simple burglary is a more direct 
and detectable and therefore more acceptable risk than 
the activities of seven billion apes and software 
complexity that goes out beyond the horizon, out there 
somewhere in the universe. 

That leaves me slightly worried about keyloggers when 
I'm actually entering passwords, but I have one trusted 
software source (linux distro) and seven applications 
in total that come from any other source.  Of those 
seven applications, five I have compiled from source, 
and for two I have taken the trouble to obtain binary 
hashes of public repositories using machines in other 
places with separate connections to the network.  And
then I've brought those binary hashes home - on paper - 
to make sure they match the software I downloaded.  And 
I run with the 'bin' directory mounted read-only, so I'm 
not all that worried about keyloggers.  

Ultimately, I believe in security.  But what I believe 
about security leaves me far from the cutting edge; my 
security environment is more like bearskins and stone 
knives, because bearskins and stone knives are simple 
enough that I can *know* they won't do something I don't 
want them to do.  Smartphones and computers simply cannot
provide that guarantee. The parts of their security models 
that I do understand *won't* prevent any of the things 
I don't want them to do. 

An iron box with a padlock on the other hand is a simple 
enough security model to understand, and does provide  
strong guarantees about what that environment won't do. 

Just a musing, I guess....  the point is that the industry
is now building security models which want to provide 
collaboration, and single sign-on, and synchronization, 
and interoperation, and 'cloud storage' and so forth - 
but in doing so simply do not and can't provide good 
reasons for trust nor solid mathematical proofs of
how the things I don't want them to ever do have been 
rendered impossible.  

In fact, most of them simply refuse to enumerate things
they render impossible.  Security means guaranteeing that
certain things are impossible.  Nobody's even trying to do 
that because doing the minimum to achieve meaningful 
guarantees that meaningful kinds of abuse are impossible 
would also mean that features like password wallets 
where they can guarantee password 'recovery' are also 
impossible. 

They're selling the set of things that are enabled rather 
than the things that are prevented.

Good computer security could be built.  But maybe it can't 
be sold.

And because that's what computer security is like these 
days  ...  I'm forced to use an iron box.  With a padlock.

			Bear
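An added example, not from Bear's post, of the last step in the paper-hash procedure described above: checking a downloaded file against a digest carried home on paper. SHA-256 as the digest, the tolerance for hand-copied grouping and upper case, the rejection of truncated transcriptions, and the constructed sample file are all my assumptions.

```python
import hashlib
import hmac
import os
import re
import tempfile

SHA256_HEX_LEN = 64  # a full SHA-256 digest; anything shorter was truncated or mistyped
def normalize_transcribed_hash(text: str) -> str:
    """Canonicalize a digest copied by hand from paper: forgive grouping spaces
    and upper case, reject anything else as a transcription error."""
    cleaned = re.sub(r"\s+", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]*", cleaned):
        raise ValueError("transcribed hash contains non-hex characters")
    if len(cleaned) != SHA256_HEX_LEN:
        raise ValueError(f"expected {SHA256_HEX_LEN} hex chars, got {len(cleaned)}")
    return cleaned

def sha256_of_file(path: str) -> str:
    """Hash the downloaded file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def matches_paper_hash(path: str, transcribed: str) -> bool:
    """True only if the file's complete SHA-256 equals the hash carried home on paper."""
    expected = normalize_transcribed_hash(transcribed)
    return hmac.compare_digest(sha256_of_file(path), expected)

# Constructed sample "download" and the hash as one might write it on an index card
# (grouped in fours, in capitals); both are assumptions made for this example.
SAMPLE_BYTES = b"hello world"
PAPER_HASH = ("B94D 27B9 934D 3E08 A52E 52D7 DA7D ABFA "
              "C484 EFE3 7A53 80EE 9088 F7AC E2EF CDE9")

def demo() -> dict:
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_BYTES)
        ok = matches_paper_hash(path, PAPER_HASH)
        tampered = matches_paper_hash(path, PAPER_HASH.replace("CDE9", "CDE8"))
        try:
            matches_paper_hash(path, PAPER_HASH[:39])  # smudged/truncated transcription
            truncated_rejected = False
        except ValueError:
            truncated_rejected = True
    finally:
        os.remove(path)
    return {"ok": ok, "tampered": tampered, "truncated_rejected": truncated_rejected}
```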