Monday, April 4, 2016

Perspectives on computer security and encryption from Apple, the FBI and I : my use

My perspective on computer security and encryption

This is a second article in a series that started with discussing the FBI and will end with discussing Apple.

I have worked in this industry since the early 1990's, administering Internet network connected computers.  I have worked for companies that produced firewalls, as well as worked in government departments where implementing security policies were critical.  Encryption is a critical part of what I do for clients and/or employers, as without it we could not build the services we are able to offer.

Local vs Remote Control

One of the hardest concepts to grasp with modern technology, including with fairly technical people, is the need to separate the concepts of geography and control.  With simpler technology the person who possessed something was the one who controlled it, but with modern computing this is not the case.

A big part of my current job at Canadiana is to manage a network of computers.  While some of the computers are located in the building I normally work in, most are not.  We currently have computers in Ottawa, Montreal, Toronto and Edmonton, with plans to continue to expand across the country as we grow. I control all of these computers from wherever I am at the time, whether that is physically in our main Ottawa office or when I am working from remote (I am in Sudbury as I type this).

We use Virtual Private Networking (VPN) technology to connect these computers together, and a variety of other encryption technologies used for authentication and privacy.  In order to connect to any of these computers I must possess both the required cryptographic keys as well as passphrases required to unlock those keys.   This is required to ensure that it is only authorized individuals like myself that can gain administrative access to these computers, and we need to ensure that nobody can eavesdrop on this communication and learn anything that might allow them unauthorized access.  We often are working with multiple layers of cryptography: secured ssh command-line access through VPN encrypted connections to network interfaces which don't have publicly routable addresses.

It is modern computer security and cryptography which makes this critical feature possible.  It is what allows us to know that we are able to have exclusive control over these devices regardless of their location. Any weakening of computer security, either to benefit law enforcement or some third party special interests (device manufacturers, etc), opens the technology up to other unauthorized access and makes my clients at risk.  I am not alone, and much of the modern economy and politics of society is built upon the need to continuously improve computer security and encryption.

Hardware assistance for security

We plan to expand our services beyond what we currently offer in two important ways that will impact security policies.

Currently we host our servers in partner organizations that we trust, as well as a commercial service provider. As we expand we may want to physically locate computers on networks and in server rooms of organizations that we have less trust in.  We will want security features which will protect us even from people who have physical access to the computers, to ensure that the most they could do is disable a node and not be able to abuse keys/etc stored within that node to attack other nodes in our network.

As we move from hosting digitized images towards the data which the digital humanities community need, we will have reasons to offer these communities the ability to author apps which run on our servers with faster access to the data and only need to communicate the results of complex queries to remote computers. These apps will run on our computer, but we will want to ensure that nothing that these apps can do can impact the rest of our network.  While there is a wide variety of software based virtualization technologies, we may have reason to harness hardware assistance to implement security policies.

One example is ARM architecture manufacturers which offer SecurCore and TrustZone technologies.   This allows combinations of multiple physical CPUs as well as multiple sections within a CPU being separated, allowing one to secure the other.  This can be used in conjunction with UEFI secure boot, which if implemented correctly can ensure that only software digitally signed by the owner can run on the computer.

Using separate System on Chip (SoC) technologies, the firmware loaded into a secure SoC can be instructed to erase local keys if it detects tampering.  This way encrypted data on the system could not be accessed even if the computer itself was physically compromised.  Keys could be stored in that secure zone, meaning that even if disks were removed from the server the data on them would be inaccessible.

While some companies will be able to afford to manage the software stack on each CPU within each zone, many will simply hire this from other companies.  Ideal in these environments is if the hardware vendors and software authors of the different components consider each other hostile, providing the same types of checks-and-balances within a computer that we need in our public policy spaces.  In this way the operating system might detect hostile secure zone firmware in the same way that the secure zone firmware may detect a hostile operating system, with both working together to protect the computer owner from hostile applications.

For some of us we will only put our trust in transparent and accountable FLOSS.  Genode provides good documentation on their TrustZone implementation. Open Virtualization provides a great ARM TrustZone FAQ, which describes the relationship between TrustZone and the Trusted Platform Mobile (TPM).  These are both commercially supported projects which offer both FLOSS and non-FLOSS licensing options for software which is open and accountable.

The limits of physical access

Once a computer is fully secure, there are only a few things that someone with physical access can do that is not under the control of the entity with all the security keys.
  • They can disconnect the device from the network.  This doesn't grant the person with physical access control, but it does deny the remote owner the ability to issue new commands to the device.  The device can only act on instructions it already has on it, in the form of installed software.
  • They can disconnect the power to the device.  This also doesn't grant the person with physical access control, but denies the ability of the remote owner to execute any commands whether the software was already installed on the device or not.
  • They can destroy the device.  This also doesn't grant the person with physical access control, but denies the ability of anyone to ever control the device again.
This means that while it is possible for someone with physical access to disrupt the operations of the device, it doesn't grant them control over the device.

The Law

When I am controlling a distributed set of computers on behalf of my employer, I and my employer should not be considered above the law.  If evidence of a crime was stored on our computers, and we were served with a valid court order to present this information to law enforcement or the court, we would obviously do so.

I would not consider it a reasonable course of action to deliberately configure computers under our control to destroy evidence.  As much as we might claim we are protecting the "privacy" of our clients, I don't consider that to be a valid reason to ignore a court order.  I would consider this an example of vigilantism that would be contrary to the public interest.  When a government makes harmful demands this should be something that is fought in the courts and debated in parliaments, not something that individual citizens or corporations take on themselves.   While we might agree or disagree with any specific government in any individual case, it makes us all unsafe if we condone individuals or governments ignoring the rule of law.

When a law is wrong we work hard as citizens to fix the law, not ignore it.  While I agree there are many buggy laws deployed in every country, I consider this a reason to get politically engaged as any trustworthy citizen or corporation should.

Law enforcement and courts need to modernize their understanding of technology, most importantly the question of control in a networked computing environment.  They need to understand that the physical location of the computer is not the most important factor to determining who controls the computer, and thus who to serve warrants to.

If we deployed fully secure hardware with hardware assistance, and had security put in place to protect us against attacks by unauthorized persons with physical access (IE: wiped keys if unauthorized physical access detected), then law enforcement must be aware of this advancement.  If in the pursuit of evidence to convict a user of our services they served a warrant against the physical hosting company rather than us then they risk destroying the evidence they are trying to collect.     The warrant must be served against the entity that controls the computer, not the entity that physically houses the computer.

It must never be considered the fault of the computer owner that evidence was destroyed by law enforcement.  The current technology illiterate or technology neophyte politicians, judges and police officers are making all of us unsafe.  Technology literacy must become a requirement of those who will be trying to make or enforce laws impacting technology.


Keep reading: Apple's use of computer security and encryption

No comments: