[Cryptography] Understanding state can be important.

Ray Dillinger bear at sonic.net
Mon Dec 28 14:45:31 EST 2015



On 12/28/2015 07:47 AM, Henry Baker wrote:
> At 09:05 AM 12/25/2015, Tom Mitchell wrote:
>> State considered harmful
>> A proposal for a stateless laptop
>> Joanna Rutkowska
>> December 2015
>>
>> http://blog.invisiblethings.org/papers/2015/state_harmful.pdf
> 
> Remove the hard disk/SSD from your laptop & execute Tails from a USB stick.
> 
> Not as good as Rutkowska's ideal, but it is an approximation.
> 

Remember systems where there was a physical write-protect slot on the
floppy disk?  And the hardware was physically constructed so that the
write head could not come down to write the media if the write-protect
slot was filled, so if you didn't trust something that was running you
could protect your stuff by just not letting anything get written to?

Maybe I've always been a suspicious bastard where software is
concerned, but I considered that ability fairly valuable.  Most of the
stuff I was running back in the day was from people I didn't trust,
including major software vendors and anonymous hobbyists - why should
I let those people have write access to anything I considered valuable?
Floppy drives came out a little later that simulated the physical write-
protect mechanism with code, but that seemed wrong to me; you needed
the write-protect in the first place exactly because you didn't trust
the code.  So I avoided buying those; when I shopped for floppy drives
I looked for the little lever that physically prevented the write head
from coming down instead.

So, way back in the way back, when I got my very first hard drive, I
was looking for the write-protect toggle switch.  A physical switch,
mounted on the face of the drive, that would cut the power needed to
write the drive when only reading was desired.  Simply to replace
the functionality lost, right?  Because hard drives were supposed to
be better, and let you do everything you could do with floppies?

Except nobody ever manufactured that.  And we have never stopped
needing it.

MFM hard drives still had stateless electronics and an LED that
would flash a red warning when anything actually performed a write.
So even if you couldn't stop running software from writing to
anything on the disk, you could still notice a write when none
was supposed to be happening, and if you suspected that something
had done something naughty, you could be sure of clearing it OFF
the disk if you popped the BIOS battery out of your motherboard,
rebooted from floppy, then re-entered the hard drive parameters
using DEBUG from ROM (which really WAS read-only back then) and
formatted the drive.  That was a huge pain in the neck compared
to having a write-protect you could engage when running an untrusted
program, but it was at least something.

Nothing since MFM has had even that capability.  We live now in a
world where our devices offer no physical security against being
written, and no physical certainty of the success of any erasure.

Running code can write things to permanent storage at any time
without us allowing it, and if we suspect that it has done so,
we can tell the code to erase it and the code tells us it's erased.
The very few drives that are still made with a write-warning
LED? That write-warning only lights up when the code tells it
to.  If we don't trust the code, too damn bad.

There is no physical basis for security we're truly certain of
to even be built any more.

And we allowed it to happen.


				Bear


