
Rules for having an Air Gap

  • 05-05-2015 09:11AM
    #1
    Closed Accounts Posts: 720 ✭✭✭


    Dear all.

    Just been reading this article from the almighty Bruce Schneier on how to maintain a machine with an air gap.

    Most of these tips are just common sense. Don't install software you don't need, or just use a live CD each time; only move files onto it using removable media, etc.

    I think that these steps are going to be necessary if you want to communicate with people securely, e.g. through encrypting the text of an e-mail offline with PGP, transferring it to a USB stick and then plugging it into a machine that is connected to the internet.

    Although this would seem to be a lot of trouble, I think this would be the only way to communicate with people safely given that apparently there is no way of knowing if the NSA has compromised your hardware!

    Just wondering if you guys had any further ideas on how to protect your air gapped machine?


Comments

  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    From re-reading the article on Computing.co.uk re: burying spyware on hard drives... it would seem that using a live CD would circumvent this problem altogether!

    This does beg questions though regarding where you would store your private key...! Maybe on a separate removable USB drive?


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    anvilfour wrote: »
    This does beg questions though regarding where you would store your private key...! Maybe on a separate removable USB drive?

    It's a thing I don't see discussed much. If you're properly paranoid, the correct assumption is that if you don't have that USB key with you at all times then it's compromised (left it at your desk while you went to the toilet?). I store mine in an encrypted archive with a ridiculous password. It seemed reasonable as a starting point.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Khannie wrote: »
    It's a thing I don't see discussed much. If you're properly paranoid, the correct assumption is that if you don't have that USB key with you at all times then it's compromised (left it at your desk while you went to the toilet?). I store mine in an encrypted archive with a ridiculous password. It seemed reasonable as a starting point.

    Good call Khannie...! Of course if the USB is encrypted with a password there's only so much harm you can do!

    Also my handy Yubikey supplies part of the password for the private key, which never leaves my side, so I am hoping this will be safe enough.

    Sadly this means there's not many options to communicate with someone in real time securely. If you're worried about the firmware in your wireless card, then I imagine even something like ZRTP or OTR messaging wouldn't be enough? :)
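
The two posts above describe the same idea from two angles: Khannie keeps the key in an encrypted archive behind a long passphrase, and anvilfour has a hardware token supply part of that passphrase so the USB stick on its own is useless. The block below is an added example (not code from either poster, and not how GnuPG or any particular archive tool stores keys) that shows the property they are relying on: the unlock secret is stretched from two factors, a memorised passphrase and a token-emitted static password, and a stick that is stolen without the token fails the check, as does a token used with a guessed passphrase. The passphrase, token string and 32-byte key are constructed sample values; a deployment would take the passphrase from the user, the static password from the token, and use a proper AEAD cipher rather than this minimal mask-and-MAC wrap, which only handles a fixed-length key.

```python
import hashlib
import hmac
import secrets

# Constructed sample factors. In practice the passphrase is typed by the user and
# the static secret is emitted by the hardware token (e.g. a YubiKey slot configured
# for a static password); neither is stored on the air-gapped machine.
PASSPHRASE = "correct horse battery staple"            # constructed
TOKEN_SECRET = "vlbicdvtebvcujegnlddctguuthgflgd"       # constructed stand-in for a token-emitted string
ITERATIONS = 200_000                                    # PBKDF2 work factor; tune to the offline machine


def derive_material(passphrase: str, token_secret: str, salt: bytes) -> tuple:
    """Stretch both factors into (mask_key, mac_key), 32 bytes each.

    The two strings are joined with a NUL separator, which cannot occur in
    either input, so "ab" + "c" and "a" + "bc" do not produce the same key.
    """
    combined = passphrase.encode("utf-8") + b"\x00" + token_secret.encode("utf-8")
    out = hashlib.pbkdf2_hmac("sha256", combined, salt, ITERATIONS, dklen=64)
    return out[:32], out[32:]


def wrap_key(private_key: bytes, passphrase: str, token_secret: str) -> bytes:
    """Return salt || masked_key || tag for a 32-byte private key (encrypt-then-MAC)."""
    if len(private_key) != 32:
        raise ValueError("this wrapper handles 32-byte keys only")
    salt = secrets.token_bytes(16)                       # fresh per wrap, so the mask is never reused
    mask, mac_key = derive_material(passphrase, token_secret, salt)
    masked = bytes(a ^ b for a, b in zip(private_key, mask))
    tag = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    return salt + masked + tag


def unwrap_key(blob: bytes, passphrase: str, token_secret: str) -> bytes:
    """Inverse of wrap_key. Raises ValueError if either factor is wrong or the blob was altered."""
    if len(blob) != 16 + 32 + 32:
        raise ValueError("malformed blob")
    salt, masked, tag = blob[:16], blob[16:48], blob[48:]
    mask, mac_key = derive_material(passphrase, token_secret, salt)
    expected = hmac.new(mac_key, salt + masked, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):           # constant-time compare
        raise ValueError("wrong passphrase or token secret, or blob tampered with")
    return bytes(a ^ b for a, b in zip(masked, mask))


def demo() -> dict:
    """Wrap a random key, then try to unwrap it with both factors, one factor, the other factor."""
    key = secrets.token_bytes(32)                        # constructed stand-in for the private key
    blob = wrap_key(key, PASSPHRASE, TOKEN_SECRET)       # this is what lives on the USB stick
    results = {"both_factors": unwrap_key(blob, PASSPHRASE, TOKEN_SECRET) == key}
    attempts = (
        ("passphrase_only", PASSPHRASE, "attacker-has-stick-but-no-token"),
        ("token_only", "attacker-guessed-passphrase", TOKEN_SECRET),
    )
    for label, pw, tok in attempts:
        try:
            unwrap_key(blob, pw, tok)
            results[label] = "unwrapped"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Because the token's static password is folded into the KDF input rather than appended to the stored blob, losing the stick gives an attacker only the salt, the masked key and a tag; the brute-force target is the whole passphrase plus the token string, not the passphrase alone.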


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    Just been re-reading the article.

    Some of the commenters have recommended using a live CD of Puppy Linux on your air gap computer, presumably it's so small that it can exist entirely within RAM.

    Also in terms of using a removable drive, another commenter suggested using an SD card as they come with a "read only" switch... of course you'd need to turn this off in order to copy files to it from your internet enabled machine but it's a start!


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Good old sneaker networks, God bless 'em.


  • Registered Users, Registered Users 2 Posts: 3,292 ✭✭✭0lddog


    Any bids for my old golf ball typewriter (made by IBM ;), of course)?


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    0lddog wrote: »
    Any bids for my old golf ball typewriter (made by IBM ;), of course)?

    Good man, I have an Olivetti one. Although it seems that bugging typewriters is fairly trivial, you'd have to go to some lengths to do it.

    I use my typewriter to write down the keys for my paper Bitcoin wallet, best way to keep them safe in my ever humble opinion!


  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    You'd better hope you didn't typo. ;)


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    And you had plenty of "Light" in the room. Give a monkey a typewriter and he may type out the works of Shakespeare, but give an educated man a laptop and, odds are, he will look at naked women.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    dbit wrote: »
    And you had plenty of "Light" in the room. Give a monkey a typewriter and he may type out the works of Shakespeare, but give an educated man a laptop and, odds are, he will look at naked women.

    Not just women! :-D


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Odds are, implies I'm LGBT friendly... I think.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    No comments on bestiality folk.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    Khannie wrote: »
    You'd better hope you didn't typo. ;)

    Or cross-contaminate your thought process moving from one network to the next and Tipp-Ex the damn screen.


  • Registered Users, Registered Users 2 Posts: 68 ✭✭zanardi


    anvilfour wrote: »
    Just been re-reading the article.

    Some of the commenters have recommended using a live CD of Puppy Linux on your air gap computer, presumably it's so small that it can exist entirely within RAM.

    Also in terms of using a removable drive, another commenter suggested using an SD card as they come with a "read only" switch... of course you'd need to turn this off in order to copy files to it from your internet enabled machine but it's a start!

    Just a point on the SD card.

    I had an issue recently with a Raspberry Pi writing to a write protected SD card. Turns out that the Pi ignores the switch and writes away happily.

    There's no circuitry on the switch to protect the data on the card, you're trusting the host system to honour the position of the switch.
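
zanardi's point generalises beyond SD cards: whatever media carries files across the gap, the write-protect switch, the "read only" mount and the cleanliness of the online machine are all things the air-gapped side cannot verify by looking at the card. What it can verify is that the files it receives are exactly the files that were meant to cross. The block below is an added example (not from the article, the thread or any of the posters) of the check the OP's PGP-on-a-USB-stick workflow would want: the online side writes a manifest of SHA-256 hashes onto the media, and the only thing carried separately (written down, read aloud) is the manifest's own digest. The air-gapped side refuses the manifest unless that digest matches, then reports any file that was modified, removed or added in transit. The file names and contents are constructed; a Raspberry Pi that writes to a "protected" card is simulated by simply overwriting a file and dropping an extra one on the media.

```python
import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"   # travels on the media; only its digest travels separately


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256, excluding the manifest itself."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root).as_posix()
        if path.is_file() and rel != MANIFEST_NAME:
            manifest[rel] = sha256_file(path)
    return manifest


def manifest_digest(manifest: dict) -> str:
    """Digest of the canonical (sorted, compact) JSON encoding of the manifest.

    This hex string is what you copy down by hand and carry across the gap
    separately from the media; without it the manifest is just another file
    the online machine or a misbehaving host could have rewritten.
    """
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def write_manifest(root: Path, manifest: dict) -> str:
    """Online side: store the manifest on the media and return the digest to carry separately."""
    (root / MANIFEST_NAME).write_text(json.dumps(manifest, sort_keys=True, indent=1))
    return manifest_digest(manifest)


def load_manifest(root: Path, expected_digest: str) -> dict:
    """Air-gapped side: accept the manifest on the media only if it matches the out-of-band digest."""
    manifest = json.loads((root / MANIFEST_NAME).read_text())
    if manifest_digest(manifest) != expected_digest:
        raise ValueError("manifest on media does not match the digest carried separately")
    return manifest


def verify_media(root: Path, manifest: dict) -> dict:
    """Compare what is on the media with the manifest. All three lists empty means clean."""
    actual = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in actual and actual[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in actual),
        "unexpected": sorted(p for p in actual if p not in manifest),
    }


def demo() -> dict:
    """Online side builds the manifest; the air-gapped side checks it before and after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        media = Path(tmp)
        # Constructed sample payload standing in for what would be copied to the stick.
        (media / "message.txt.asc").write_bytes(b"-----BEGIN PGP MESSAGE-----\nconstructed\n-----END PGP MESSAGE-----\n")
        (media / "notes").mkdir()
        (media / "notes" / "readme.txt").write_bytes(b"constructed sample file\n")

        digest = write_manifest(media, build_manifest(media))      # online side; digest is written down
        clean = verify_media(media, load_manifest(media, digest))  # air-gapped side, media untouched

        # Simulate a host that ignores the read-only switch and writes to the card anyway.
        (media / "message.txt.asc").write_bytes(b"-----BEGIN PGP MESSAGE-----\nswapped\n-----END PGP MESSAGE-----\n")
        (media / "autorun.inf").write_bytes(b"[autorun]\n")
        dirty = verify_media(media, load_manifest(media, digest))

        # A rewritten manifest that tries to legitimise the swap is refused before any file is trusted.
        write_manifest(media, build_manifest(media))
        try:
            load_manifest(media, digest)
            manifest_swap = "accepted"
        except ValueError:
            manifest_swap = "rejected"

        return {"clean": clean, "dirty": dirty, "manifest_swap": manifest_swap}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

The check is only as good as the channel the digest takes: if the same online machine that wrote the files also prints the digest you copy down, a compromise there defeats it, which is why the digest is meant to be recorded from the data you intended to send, not read back off the media.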


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    zanardi wrote: »
    Just a point on the SD card.

    I had an issue recently with a Raspberry Pi writing to a write protected SD card. Turns out that the Pi ignores the switch and writes away happily.

    There's no circuitry on the switch to protect the data on the card, you're trusting the host system to honour the position of the switch.

    Well said zanardi, we should all take note!

    Then again, I imagine a Raspberry Pi would be much less likely to have NSA firmware on it to begin with!


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    dbit wrote:
    Odds are, implies I'm LGBT friendly... I think.

    Live and let live!!

    I am wondering if using a Raspberry Pi would be any guarantee? The problem is that all the tutorials I have seen to build a wireless router require installing proprietary firmware to get your wireless adapter working!
    This begs the question also about how you would connect to the Internet.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    bedlam wrote: »
    That's not very airgapped is it? RaspberryPI has an ethernet port.

    I meant by way of a wireless router, needless to say you'd need another device which was kept offline for your air gap! :)


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    dbit wrote: »
    No comments on bestiality folk.

    And they call it puppy love... :)


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    anvilfour wrote: »
    Live and let live!!

    I am wondering if using a Raspberry Pi would be any guarantee? The problem is that all the tutorials I have seen to build a wireless router require installing proprietary firmware to get your wireless adapter working!
    This begs the question also about how you would connect to the Internet.

    This is a bit like a virgin asking how to have sex but keep their virginity. The minute an airgapped computer connects to the internet it stops being an air gapped computer. Doesn't matter how many trusted appliances you put between them and the internet.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    syklops wrote: »
    This is a bit like a virgin asking how to have sex but keep their virginity. The minute an airgapped computer connects to the internet it stops being an air gapped computer. Doesn't matter how many trusted appliances you put between them and the internet.

    I am sorry if I am not making myself clear. I was suggesting the Pi as a way to reduce the likelihood of NSA firmware being on your router, i.e. using the Pi itself as a router.

    You'd need to have a separate device naturally which doesn't connect to the internet at all to prepare your messages/e-mails! :)


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    I can see you sitting there stroking your air-gapped messages. Pretty messages.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    dbit wrote: »
    I can see you sitting there stroking your air-gapped messages. Pretty messages.

    Do you think we should all grow goatees? :)


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    anvilfour wrote: »
    Do you think we should all grow goatees? :)

    Deffo yes from me.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    syklops wrote: »
    This is a bit like a virgin asking how to have sex but keep their virginity. The minute an airgapped computer connects to the internet it stops being an air gapped computer. Doesn't matter how many trusted appliances you put between them and the internet.


    Let your fingers do the walking? I know a few air-gapped ladies if you are interested.


  • Closed Accounts Posts: 1,322 ✭✭✭dbit


    As previous guys have said, it's not air-gapped if it has a connection to the outside world, regardless of the knights who say "Ni" and the long daisy chain of exhausting devices and deforestation with herrings. (African laden swallows also do not apply here.)

    Often had to answer that for air-gapped clouds and our solutions: yes sir, you still have to put it on a pen, scan the sh1t out of the pen and then walk it to the environment.


  • Closed Accounts Posts: 720 ✭✭✭anvilfour


    In conclusion... air gap requires at least some erm... air...! :)


  • Registered Users, Registered Users 2 Posts: 57 ✭✭INPUT INNPUT




  • Closed Accounts Posts: 720 ✭✭✭anvilfour



    This is very helpful, thank you INPUT! Did you write this yourself?

