
Air Gaps - bostik
https://www.schneier.com/blog/archives/2013/10/air_gaps.html
======
wikiburner
Is there an effective way to "mostly" airgap, if you need Internet
connectivity for your work? This is a comment I posted on a similar thread a
few weeks ago.

=========================================

Just curious, how would airgapping be practical if you need Internet
connectivity for your "real work"? For example, let's say you run a quant
trading firm and the algorithms you're concerned about being stolen need
connectivity to download live trading info, and then after processing that
info they need to communicate buy/sell orders to the outside world. Are there
any methods that could be used that would prevent all communication with a
secure system (with an airgap level of certainty) besides the strictly defined
data you need to do your "real work"?

gaius 19 days ago | link

Sure, you would just use Radianz, and that is in fact what everyone does. This
is a very solved problem! Bloomberg also operates a private network, and there
are others too. These systems can operate perfectly well without access to the
public Internet. A couple of jobs ago I worked at a financial services firm
with 2 networks and 2 PCs on everyone's desk. Rednet for outside connectivity,
and an internal network for real work, and never the twain shall meet. NO-ONE
needs the Internet for real work, let's be honest, just for goofing off. Time
we all started to prioritize security over mere convenience.


wikiburner 19 days ago | link

Yep, maybe trading wasn't the best example, although they are still
effectively at the mercy of the security of their data providers network -
which admittedly is probably quite good. Let's say you're a P.I., journalist,
researcher, law enforcement, or intel agency, and need to automate news or
people searches for some reason. If you were able to very strictly define the
data you're expecting to receive, isn't there any way you could automatically
pass this data on to a secure system without opening yourself up to exploits?

~~~
Spearchucker
I've not played in this space for a looong time but...

There are four things you want to do -

1. Get a herd of cash together. The stuff that follows is not cheap.

2. Set up a hardware data diode (an appliance that only allows data to travel
in one direction). [1]

3. Set up an air gap like Whale Comm's appliance used to do (two 1U rack-
mount servers, back-to-back, which [dramatization alert] automates plugging a
USB stick into one server, copying data onto it, pulling it out, sticking it
into the other server, and copying the data onto it - at ~10Mb/s, if memory
serves). [2]

4. Any time anything traverses the trust boundary, convert from one format to
another, so PDF becomes RTF, DOC becomes TXT, PNG becomes GIF, and so on. The
point is that converting attachments into other formats drops malicious
payloads, or stops them from exploiting vulnerabilities in the apps that open
the original formats.

[1] Tenix used to do one, but they cost crazy money (millions). I don't know
much about this space anymore, but this might provide some pointers:
[http://en.wikipedia.org/wiki/Unidirectional_network](http://en.wikipedia.org/wiki/Unidirectional_network)

[2] Whale Communications was acquired by Microsoft. The product is now called
ForeFront Unified Access Gateway, and while still a good application firewall,
no longer provides that air gap
([http://en.wikipedia.org/wiki/Microsoft_Forefront_Unified_Acc...](http://en.wikipedia.org/wiki/Microsoft_Forefront_Unified_Access_Gateway)).
I've no idea who else can do this.

~~~
JoachimSchipper
My employer (Fox-IT) sells a data diode
([https://www.fox-it.com/en/products/datadiode/](https://www.fox-it.com/en/products/datadiode/)).
List price is "call us for a quote", but the quote won't be anywhere near $1 MM.

Using a "proper" diode instead of hacking something yourself gets you a
guaranteed-good solution - how much do you trust your firmware? - plus some
software that automates "I want to send X through this machine" for many
common and/or high-value instances of X. That said, custom hardware plus
custom software plus certifications plus enterprise sales is indeed (a lot)
more expensive than snipping the tx wire/fiber.

Automatically copying USB sticks doesn't seem particularly useful to me.

~~~
Spearchucker
The air gap (copying data out of band, as it were) is useful in that the
connection can be physically broken by software on the system high side, using
a software kill switch, automated schedule or other rules.

------
leephillips
Knuth on his air gap: "I currently use Ubuntu Linux, on a standalone laptop—it
has no Internet connection. I occasionally carry flash memory drives between
this machine and the Macs that I use for network surfing and graphics; but I
trust my family jewels only to Linux." :
[http://www.informit.com/articles/article.aspx?p=1193856](http://www.informit.com/articles/article.aspx?p=1193856)

~~~
jonlucc
In a post-Stuxnet world, can we trust flash drives? If I remember correctly,
that virus would jump onto flash drives to spread to the next few computers it
touched. I think I might prefer an ethernet wire connection without the
outgoing wires.

~~~
dublinben
As long as you wipe and format the flash drive from the secure computer every
time you use it, there shouldn't be any risk. I don't think even Stuxnet could
have infected a linux machine that didn't mount or autorun the partition.

~~~
sneak
Flash drives are not dumb. I know that Travis Goodspeed has had some success
in reflashing their microcontrollers to speak corrupt USB to attack USB stacks
of host machines (which of course run in kernel mode).

~~~
lesterbuck
A fascinating talk by Travis Goodspeed on the mayhem possible by reprogramming
the USB controller in a disk:

[http://www.youtube.com/watch?v=D8Im0_KUEf8](http://www.youtube.com/watch?v=D8Im0_KUEf8)

Writing a Thumbdrive from Scratch: Prototyping Active Disk Anti-Forensics

------
nlh
I find it somewhat amazing that a few months ago, I'd have read an article
like this and thought "Man, talk about paranoid."

But today, after all that I've read and learned recently, it makes perfect
sense.

~~~
easytiger
I read a comment just like this a couple of months ago. Someone saying that
until this point they thought Richard Stallman was a complete paranoid nutjob
but it turns out he was completely correct. I guess that's why he will be seen
as a visionary in so many areas.

And speaking of stallman and airgaps:
[http://stallman.org/stallman-computing.html](http://stallman.org/stallman-computing.html)

> I generally do not connect to web sites from my own machine, aside from a
> few sites I have some special relationship with. I fetch web pages from
> other sites by sending mail to a program (see
> git://git.gnu.org/womb/hacks.git) that fetches them, much like wget, and
> then mails them back to me. Then I look at them using a web browser, unless
> it is easy to see the text in the HTML page directly. I usually try lynx
> first, then a graphical browser if the page needs it.

~~~
xanderstrike
While I admire his dedication to free software and security, I find it sad
that he who has done so much for the internet and modern computing eschews
most of it.

~~~
ygra
You could have said something similar about Dijkstra, who most of his life
didn't even use a computer.

~~~
easytiger
I had a formal methods lecturer who insisted that no computer scientist should
be allowed to use a computer until they are 40.

------
beagle3
I've been setting up networks since 2002 the following way:

Internal network, NOT connected to the internet. External (small network) is
connected to the internet, and has "terminal server" (Windows Terminal Server
if I must, Xrdp if I can let the external servers be Linux).

Firewall between outside world and external network, configured to allow
reasonable work on that network. Firewall between external network and
internal network only allows internal network initiated connections to the RDP
port (3389) on the external network.

Also, an rsync setup that allows some controlled transfer of files between
inner and outer networks (preferable to USB drives - the USB ports should be
disabled logically and physically, although I didn't always get to do that).
This rsync setup goes through a different port, with a cable that is usually
not connected (the air in "airgap"). When files need to go in or out, I plug
the cable for a few minutes, and unplug when not needed.

From experience, this lets you keep a network reasonably secure, without
having to put two PCs on everyone's desk.

Of course, there's risk: There might be a way to root the inside machines
through a bug in RDP, after rooting the outside machines. However, it will
work well, against "standard" attacks and malware that assume internet
connectivity. Even if they get in (through a USB drive, as schneier says was
done in the Iranian and US army facilities), they can't just call out to the
internet.

~~~
j_s
RDP makes it easy to access drives, devices, etc. from the client... do you do
any additional configuration to disable these features?

[http://geekswithblogs.net/DesigningCode/archive/2010/04/19/f...](http://geekswithblogs.net/DesigningCode/archive/2010/04/19/file-transfer-using-rdp.aspx)

~~~
beagle3
Yes, drive sharing was disabled server side (though, if the external RDP
server is compromised, one could turn this back on). On the client side, we
set up the connection not to try to share anything.

------
zactral
It is completely possible that mentioning Windows in the article was meant to
be only a smokescreen. I'm sure a person in his position would absolutely not
want to publicly declare the exact solution he is using. In reality, it might
as well be something completely else, like Slackware or some USB-bootable
distro. Yes, this might be security through obscurity but considering that he
admitted that he isn't familiar with the inner workings of Truecrypt etc, it
is the safest bet. Not disclosing what exactly you are using doesn't allow an
adversary with unlimited resources to adapt and optimize to break this
specific scheme.

~~~
hyperpape
That doesn't seem plausible. He could non-specifically say "don't use Windows.
Ideally use [some stock linux distro] or investigate other unix operating
systems that can be configured for safety." That wouldn't really give away
anything.

~~~
aliakbarkhan
It's not about giving things away -- it's about delaying your adversary. If
the NSA takes Schneier at his word and targets him accordingly, then (assuming
this is a diversionary tactic) any 0days or other attacks they attempt to send
his way will fail. Now obviously that's not a long-term strategy, but it does
provide an extra layer of protection against naïve attacks based on his public
statements. To be clear, I'm not sure I buy the smokescreen idea, either, but
your reason for disbelieving is flawed.

~~~
hyperpape
It's fair that this would make some difference. But it's not as if "he's not on
Windows, but we have no clue what he is on" is a recipe for quick success. He
doesn't have to say what linux distro he uses, just give a placeholder for a
decent one, and he doesn't even have to use Linux.

In any case, is it worth potentially misleading a lot of people for the sake
of such a marginal increase in his own security? He could have an even more
secure setup if he didn't talk about instituting an air gap. He's already
giving away information.

------
kephra
Windows is a bad choice for an air gapped system. A much better choice would be
Slackware, where it's even simple to maintain an air gapped system. Maintaining
a Linux with a package manager, e.g. Debian, without internet is much more
trouble.

I had scripts to maintain an air gapped Debian 10 years ago, but can no longer
recommend them, as Debian now has signed archives, and the script breaks the
sign.

~~~
claudius
You can still use optical media (CD/DVD) or USB keys to install packages with
APT, so I don’t see how Slackware would have any advantage over Debian there.

There’s even an apt-offline[0] to create a list of ‘needed’ packages on one
system, then download these packages on another one and transport them to the
air-gapped system. Of course, you will still have to decide whether to trust
these downloaded packages, and unless you trust at least some Debian
Developers to do the right thing, this will be hard to do even with GPG
signatures on all packages.

[0] [http://packages.debian.org/wheezy/apt-offline](http://packages.debian.org/wheezy/apt-offline)
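The trust decision claudius describes, carried out in code: packages moved to an air-gapped host by apt-offline (or by hand) can be checked against the hash chain Debian already publishes, where the signed Release file lists the SHA256 of each Packages index and the index lists the SHA256 and size of every .deb. The example below is added here and is not part of the thread or of apt-offline; it assumes the Release file's signature has already been verified with the archive key (e.g. with gpgv), which is the step that actually anchors trust, and the repository slice it checks is a constructed stand-in, not real Debian data.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_release_sha256(release_text: str) -> dict:
    """Map index path -> (sha256, size) from the 'SHA256:' section of a Release file."""
    entries, in_section = {}, False
    for line in release_text.splitlines():
        if not line.startswith(" "):          # a new top-level field ends the section
            in_section = (line.strip() == "SHA256:")
            continue
        if in_section:
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text: str) -> list:
    """Split a Packages index into stanzas of {field: value}."""
    stanzas = []
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            if line and not line.startswith(" ") and ":" in line:
                key, value = line.split(":", 1)
                fields[key] = value.strip()
        if fields:
            stanzas.append(fields)
    return stanzas


def verify_offline_packages(release_text, index_path, packages_bytes, debs):
    """Check Release -> Packages -> .deb; returns a list of problems (empty = all verified).

    The Release file is assumed to have been signature-checked already (gpgv with the
    distribution's archive key); without that step the hashes below prove nothing.
    """
    expected = parse_release_sha256(release_text).get(index_path)
    if expected is None:
        return [f"{index_path} not listed in Release"]
    if (sha256_hex(packages_bytes), len(packages_bytes)) != expected:
        # An index that does not match Release must not be used to judge any .deb.
        return [f"{index_path} does not match Release (refusing to trust the index)"]
    problems = []
    for stanza in parse_packages(packages_bytes.decode()):
        name = stanza["Filename"]
        data = debs.get(name)
        if data is None:
            problems.append(f"{name}: missing from transported set")
        elif len(data) != int(stanza["Size"]) or sha256_hex(data) != stanza["SHA256"]:
            problems.append(f"{name}: size or SHA256 mismatch")
    return problems


# --- constructed sample repository slice (hypothetical package, not real Debian data) ---
DEB_PATH = "pool/main/e/example-tool/example-tool_1.0-1_amd64.deb"
DEB_BYTES = b"!<arch>\nconstructed stand-in for a .deb archive\n"
PACKAGES_BYTES = (
    "Package: example-tool\nVersion: 1.0-1\nArchitecture: amd64\n"
    f"Filename: {DEB_PATH}\nSize: {len(DEB_BYTES)}\nSHA256: {sha256_hex(DEB_BYTES)}\n"
).encode()
INDEX_PATH = "main/binary-amd64/Packages"
RELEASE_TEXT = (
    "Origin: Example\nSuite: stable\nSHA256:\n"
    f" {sha256_hex(PACKAGES_BYTES)} {len(PACKAGES_BYTES)} {INDEX_PATH}\n"
)


def demo():
    """Verify an untampered set and one whose .deb was altered in transit."""
    good = verify_offline_packages(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES, {DEB_PATH: DEB_BYTES})
    tampered = verify_offline_packages(RELEASE_TEXT, INDEX_PATH, PACKAGES_BYTES,
                                       {DEB_PATH: DEB_BYTES + b"\x00"})
    return good, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("untampered:", ok or "all packages verified")
    print("tampered:  ", bad)
```

Run it on the air-gapped side, after the media has been mounted read-only, and install nothing unless the returned list is empty; a Packages index that fails against Release is rejected outright rather than used to check individual .deb files.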

~~~
vezzy-fnord
Slackware is generally more secure by default, such as explicitly requiring
root (not sudo) for package management and at least sudo for utilities that
prompt the kernel. This is much in the vein of the *BSDs.

Also its conservative nature, constant security advisories and eschewing of
bleeding edge are a bonus.

~~~
claudius

      $ dpkg-query -W -f '${Status}\n' sudo
      unknown ok not-installed
    

IOW, it is perfectly possible not to use (or even install sudo) on Debian. I
don’t want to argue whether Debian or Slackware have a more ‘conservative
nature’ nor whether that’s an advantage, but there are of course also security
advisories for Debian (e.g. today for the systemd packages…).

> at least sudo for utilities that prompt the kernel

Basically everything ‘prompts the kernel’ in one way or another, could you
expand on how exactly Slackware manages to run when every syscall needs sudo?
(Or what you mean by ‘prompt the kernel’.)

I guess at the end of the day, you can configure a Debian installation to be
more secure than any given Slackware installation and you can configure a
Slackware installation to be more secure than any given Debian installation –
this, of course, depends on your skills and experience with any of the two, so
you should use whatever you’re more comfortable with :)

------
csandreasen
> 1. When you set up your computer, connect it to the Internet as little as
> possible. It's impossible to completely avoid connecting the computer to the
> Internet, but try to configure it all at once and as anonymously as
> possible.

There's no technical reason you can't keep your airgapped computer completely
off the internet for its entire life cycle. I'd even go so far as to commit
heresy and say that this is just plain bad security advice that Mr. Schneier is
giving out here. Instead, you should probably get your install media from a
trusted source and use that to install the OS and any initial updates (maybe
that's a manufacturer's install CD or a Linux ISO that you burned yourself -
avoid anything that isn't write-once). If the OS on your airgapped machine has
an unpatched remote vulnerability, you're already putting that system at risk
by connecting it to the internet even once.

Don't discard that trusted install media - if you need to create another
airgapped machine, you're using the same airgapped data to perform the
install. I realize that Bruce was discussing setting up a stand-alone
computer, but I thought I'd share my experience: Years ago, around the same
time that Blaster was a nuisance, I managed a network of airgapped machines.
If any one of them had been hit because I chose to just let it download
updates off the internet, the entire network would have been compromised. This
would be much worse if you were worried about a targeted attack - every time
you connect a fresh computer to the internet with the intent of moving that
box over to the secure network, you're giving the attacker another opportunity
to gain access.

For transferring data back and forth, I've used CDs in the past, but toyed
with the idea of using a dedicated serial cable for transfers instead. Tar up
the files, connect the cable, tell the remote machine to listen, shoot them
over, then disconnect the cable. The connection has no network stack to worry
about independent programs sending data across the channel; if extra data is
added, the result on the other end likely won't untar; there's no auto-
execution of programs to worry about. The only thing I have to worry about
being compromised are my copies of tar and cat. Removable media in general
has issues - Schneier mentions a few examples in the article of successful
compromises using USB sticks.
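The receiving end of the serial-cable transfer csandreasen sketches, written out as an added example (not the commenter's own setup, and independent of whatever serial tooling is used): the listener first compares the whole received stream against a SHA-256 digest carried out of band (read off the sending screen, written on paper), then inspects every tar member before extracting anything. It goes one step beyond the comment: tar itself stops at the end-of-archive marker and does not treat trailing bytes as an error, so padding is caught by the digest rather than by "it won't untar", and members with absolute or `..` paths or non-file types are refused so that a tampered archive cannot write outside the destination. Python's standard `tarfile` stands in for tar and cat, and the file contents are constructed samples.

```python
import hashlib
import io
import posixpath
import tarfile
import tempfile


def build_archive(files: dict) -> bytes:
    """Sender side: tar up {name: bytes} in memory (the `tar c` step before the cable goes in)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def member_is_safe(info: tarfile.TarInfo) -> bool:
    """Admit only regular files and directories whose paths stay inside the destination."""
    if not (info.isfile() or info.isdir()):      # no symlinks, hardlinks, devices, fifos
        return False
    name = posixpath.normpath(info.name)
    return not (name.startswith("/") or name == ".." or name.startswith("../"))


def receive_and_extract(stream: bytes, expected_sha256: str, dest: str) -> list:
    """Receiver side. Returns the extracted member names; raises ValueError on any problem.

    Nothing touches the filesystem until the whole stream has passed both checks.
    """
    if hashlib.sha256(stream).hexdigest() != expected_sha256:
        raise ValueError("digest mismatch: stream altered or padded in transit")
    try:
        tar = tarfile.open(fileobj=io.BytesIO(stream), mode="r:")   # plain tar, no compression
    except tarfile.TarError as exc:
        raise ValueError(f"not a tar stream: {exc}") from exc
    with tar:
        members = tar.getmembers()
        bad = [m.name for m in members if not member_is_safe(m)]
        if bad:
            raise ValueError(f"unsafe members rejected: {bad}")
        # Use the stdlib 'data' extraction filter as a second line of defence where available.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return [m.name for m in members]


def demo() -> dict:
    """Run a clean transfer and three failure cases against constructed sample files."""
    files = {"notes/readme.txt": b"constructed sample file\n", "notes/data.csv": b"a,b\n1,2\n"}
    stream = build_archive(files)
    digest = hashlib.sha256(stream).hexdigest()    # carried separately from the stream
    results = {}
    with tempfile.TemporaryDirectory() as dest:
        results["clean"] = receive_and_extract(stream, digest, dest)
    escaping = build_archive({"../outside.txt": b"x"})
    cases = (
        ("padded", stream + b"garbage after the end-of-archive marker", digest),
        ("flipped", bytes([stream[0] ^ 1]) + stream[1:], digest),
        ("traversal", escaping, hashlib.sha256(escaping).hexdigest()),
    )
    for label, bad_stream, bad_digest in cases:
        try:
            with tempfile.TemporaryDirectory() as dest:
                receive_and_extract(bad_stream, bad_digest, dest)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:10s} {outcome}")
```

The traversal case has a correct digest and still fails, which is the point of checking members before extraction: the digest proves the stream is what the sender produced, not that the sender's machine was trustworthy.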

~~~
pdonis
_If the OS on your airgapped machine has an unpatched remote vulnerability,
you're already putting that system at risk by connecting it to the internet
even once._

Even if it's behind a NAT firewall with no external ports open? And you only
connect via SSL (or SSH) to specific known hosts?

~~~
csandreasen
There are a whole bunch of things you can do to mitigate the risk, and a whole
bunch of other variables regarding the network environment that you're setting
it up in. The network behind that NAT might be compromised, and depending on
the operating system there may be ports open by default that could be
compromised before you can close them or there could be some other remote
vulnerability. I remember about a decade ago having a Windows box that I was
wiping/restoring for a family member infected with Blaster after its first
reboot before all of the system updates were finished downloading.

Something with a good reputation for security, like a clean OpenBSD install
with no ports open, is unlikely to get hit on its first round of updates. Even
so, if you're going to go through all of the hassle to set up an airgapped
system anyways, why bother taking the risk?

------
john_b
For the _really_ paranoid, to the extent that your data can be represented as
a text file, you can print it on paper from your internet connected machine
and OCR it into your air gapped machine, and vice versa. In this case, you
only have to worry about your printer or scanner having a backdoor. If you are
very confident in your OCR accuracy, you can encrypt it prior to printing and
decrypt it after scanning.

Just remember to burn the paper afterwards.

------
keyme
"Don't worry too much about patching your system; in general, the risk of the
executable code is worse than the risk of not having your patches up to date."

Not good advice. If you plan to open anything other than text files on the
machine, un-patched software is almost as big a risk as transferring
executables. The only difference is that it seems less dangerous to you.

~~~
tptacek
I came here to say the exact same thing. The problem with complicated file
formats isn't that they contain "macros"; it's that the code that parses and
interprets those files is prone to memory corruption.

------
notacoward
I'd do two things differently.

First, instead of using removable media from which data could still be
recovered, I'd get a second Ethernet switch. Whenever I wanted to move data
from my regular machine to my secure machine, I'd have to move the cable on my
regular machine from one switch to the other. Thus it would be physically
impossible to be connected to both internal and external networks
simultaneously, _and_ I wouldn't be leaving any persistent physical data trail
like a USB stick or CD-ROM.

The second thing I'd do is a _double_ air gap. Think of it as an airlock: you
can't open the inner door until you're sure no contaminants got through the
outer door. The intermediate host would have a single purpose: run malware
checks. Thus, only data that had already been checked in a secure environment
would even be allowed to touch the real secure machine.

~~~
mseebach
You're assuming that the only way to compromise a computer is through a direct
internet connection. This is wrong. Pre-internet viruses spread on diskettes.

The point of the air gap is to assume that any computer that has ever been
connected to the internet is infected in an undetectable manner and that this
infection is capable of spreading autonomously. Only by _physically_ denying
the infection the means to spread can you protect against it. Secondarily, you
want to deny the infection the means to communicate back home, but sometimes
the point of an infection isn't to steal data - see Stuxnet.

~~~
notacoward
"You're assuming that the only way to compromise a computer is through a
direct internet connection."

I'm assuming the exact opposite. I recognize, as does Schneier, that infection
can occur without such a connection. Any mechanism that facilitates transfer
of data also facilitates infection. That includes USB sticks and CD-Rs, which
have the _additional_ problem of leaving artifacts around for others to pick
up later. It's the "we can secure USB sticks better than we can secure
networks" belief that's magical.

"Only by physically denying the infection the means to spread can you protect
against it."

As soon as you physically move a USB stick from one machine to another, you've
effectively created a network. A really crappy one with high latency, but that
doesn't make it any more secure _as you yourself illustrate_ with the diskette
example.

~~~
mseebach
A network connection, even brief has an enormous attack surface. The
corresponding surface when using physical media is much smaller.

~~~
notacoward
Bull. A network connection _on a physically separate network_ subject to
proper inspection/monitoring has a very small attack surface. The
corresponding attack surface for a USB stick is larger, with new exploits
being discovered every day. The separate switch is functionally identical to
the USB stick. They both allow transfer of data. They can both potentially be
attack vectors. They both (in this construction) require manual intervention
to complete the data path. The only difference is that it's a lot easier to
get a copy of someone's data on a USB stick, after someone conveniently
recorded their data transfer on a readily purloined bit of media.

You can't acknowledge the exploits that have occurred via diskettes or USB
sticks, and then also say they're fundamentally better than an isolated
network. It's illogical. In fact, it's stupid.

------
acomjean
I worked on an "Air Gapped" network. We didn't call it that. As the internet
and open source took off it became more and more painful.

To get files over to the network, we'd have to download from the internet and
then burn to DVD and bring it over. The thinking was that DVDs with their write-
once capability would prevent unwanted files from hopping aboard. This didn't
help if the file you were transferring was infected, but files were virus
checked before burning.

Oddly, files went Windows->DVD->HPUX machines, meaning the virus scan on Windows
was somewhat useless.

But having no access to cpan or online research on your main work machine was
hard.

------
kbart
This article misses the most important security tip: _do not_ use any
proprietary software, especially the ones starting with "W" made by MS.

~~~
skrebbel
Are you sure? How much more difficult would it be for an intelligence agency
to get an open source hacker to "accidentally" inject a vulnerability
disguised as a bug, than to pressure MS to write a backdoor? (or to get MS to
hire a mole)

~~~
kbart
Yes I'm sure. It would be much more difficult, because that vulnerability
could be possibly detected by many people reviewing the code, so it must be
more sophisticated and hidden than the one buried in the precompiled binary.
Also I haven't seen any discovered backdoor/vulnerability on widespread open
source product yet, contrary to the countless examples of products by big
names. Not saying that open source is 100% secure, but it's still _much_ safer
than proprietary programs.

[EDIT] Thanks for pointing out Debian SSL example, I wasn't aware of that. But
it still doesn't deny the key point I mentioned - that there are more
discovered backdoors and vulnerabilities in proprietary software than the open
one.

~~~
DanBC
All those people reviewing the code took two years to discover the Debian SSL
bug.

[https://www.schneier.com/blog/archives/2008/05/random_number...](https://www.schneier.com/blog/archives/2008/05/random_number_b.html)

[https://wiki.debian.org/SSLkeys](https://wiki.debian.org/SSLkeys)

~~~
sneak
Now how long would that have taken WITHOUT source code?

Would we _ever_ have known (without keyfiles on disk to analyze)?

------
scott_karana
Man, Bleachbit sure took no time at all to put up his "testimonial" blurb on
their site!

> "Since I started working with Snowden's documents, I have been using [...]
> BleachBit" -- Bruce Schneier

~~~
nivla
haha I was thinking the same when I noticed it. Has anyone here used
BleachBit? From the description it looks like ccleaner + eraser mix.

~~~
scott_karana
I'd try it out if I weren't a Mac guy these days. Looks decent, and nicely
minimalist.

------
mrpdaemon
What about isolation? With heavy use of virtualization one can make the air
gapped machine even more secure:

- Only open documents in a virtual machine.
- Only interface with the document transfer media (cd/dvd etc.) through
  virtual machines. Don't ever mount or use this media on your host.
- Clone a new throw-away virtual machine for opening EACH document and delete
  it after reading the document.

About his points:

1) This is nonsense. It's possible to set up an OS (for example linux) with
zero internet connectivity, just download the ISO on another computer, verify
checksums and signatures, burn onto optical media and you're set.

8) Also, use one-time media. Write once on the internet host, fill up and
finalize media, read once on the air gap host, destroy media.

Also, I don't think Schneier is recommending to use Windows for this task.
He's just assuming that most people out there are using Windows and can use
these tips to improve their security. For his own high security setup(s) I'm
pretty sure he'd have the common sense to not use Windows.

------
jeanjq
Surprised that he decided to use Windows.

~~~
Zigurd
If you assume your connected machine is going to get p0wnd, and you rely on
the air gap to prevent your secure machine from being penetrated, you could
run any OS you like, no matter your opinion of how much the vendor cooperates
with the NSA.

~~~
vacri
Given that he's going to the level of preferring a store-bought USB stick over
one found in a parking lot, it shows he's concerned about transferring
malware. Not using the OS for which the most malware exists seems like a
sensible choice.

After all, if you're going to all this trouble and inconveniencing yourself in
the name of security, what's a touch more inconvenience with using an
operating system that you're less user-friendly with?

~~~
danielweber
Who is your threat? Are you worried about a spray-and-pray attacker who just
dumps a bunch of malware out there? Or are you worried about being
specifically targeted by someone who wants your stuff?

In the first case, a USB key bought at a big box store might be full of
malware. In the second case, the big box store is the perfect place to buy
something, as long as it's not the store where you always buy stuff, because
the APT wants to keep his profile small.

------
7952
Ironically it is a result of modern encryption that separating things from the
internet is so difficult. If every app sends data over an encrypted channel it
makes it much harder to audit what exactly it is doing. You can't impose rules
if you don't know what the data is or where it will end up.

------
paul
He forgot to mention keeping the computer in a faraday cage. If he has Snowden
info, it seems likely that intelligence agencies would be monitoring him
closely enough to use Van Eck phreaking to spy on his laptop display (or other
part of the computer that leak info through rf, which is all of them).

~~~
elq
Schneier explicitly mentioned tempest
([http://en.wikipedia.org/wiki/Tempest_(codename)](http://en.wikipedia.org/wiki/Tempest_(codename)))
in the article.

~~~
jedunnigan
Wild stuff!

[http://lasecwww.epfl.ch/keyboard/](http://lasecwww.epfl.ch/keyboard/)

------
gluejar
"the first company to market a USB stick with a light that indicates a write
operation -- not read or write; I've got one of those -- wins a prize".

Get to work, people!

~~~
chiph
There are sticks out there that have hardware write-enable switches (I keep my
medical records on one), so that you can at least control when writes occur.

~~~
sneak
Nothing is stopping a compromised host system from flashing the
microcontroller on the USB stick to make it lie to you. They aren't
appliances.

~~~
jessaustin
What you propose is probably possible for many USB sticks, but I don't think
it's possible in general. Flashing a microcontroller often requires access to
a serial interface like SPI, I2C, or JTAG. That's typically on different pins
than USB (which pins can be buried in potting or otherwise inaccessible to
compromised hosts). In addition some models can have particular pins connected
to disable flashing.

~~~
fest
Some microcontrollers I've been working with that had USB capability also
supported DFU - flashing new firmware via USB.

I have also resurrected a write-broken flash drive by re-flashing its
firmware (a tool for which was provided by the microcontroller vendor, which I
found out by looking at VID/PID values and googling them).

~~~
jessaustin
Oh definitely it's possible for many microcontrollers. DFU is very handy
during development. I was just reacting to this statement:

 _Nothing is stopping a compromised host system from flashing the
microcontroller on the USB stick to make it lie to you._

Nothing, that is, except possibly a complete absence of such a facility! It
depends on the microcontroller and how it has been wired into the USB device.

------
danso
Schneier is not as paranoid or as particular as I thought he would be:

> _1. When you set up your computer, connect it to the Internet as little as
> possible. It's impossible to completely avoid connecting the computer to
> the Internet, but try to configure it all at once and as anonymously as
> possible. I purchased my computer off-the-shelf in a big box store, then
> went to a friend's network and downloaded everything I needed in a single
> session. (The ultra-paranoid way to do this is to buy two identical
> computers, configure one using the above method, upload the results to a
> cloud-based anti-virus checker, and transfer the results of that to the air
> gap machine using a one-way process.)_

A friend's house is not "anonymous". If you have the need for an air gap, then
you probably should assume that your attackers have the ability to suss out
your off and online social network. In a not-too-distant future, it's not hard
to imagine a surveillance operative being able to expand their examination of
network traffic to not only include you, but associates of yours, and then to
detect when an online-installation routine was run. At that point, the fact
that that computer's fingerprint (however it may be calculated) was never seen
again from that friend's home might be one flag of several in a comprehensive
surveillance flag.

Though I guess if Schneier is talking about an off-the-parts computer, I'm
assuming he means a desktop computer that can't be assembled in the Starbucks
two states away to connect to the Wifi. OTOH, I think I would prefer a Linux
laptop as my air-gapped computer.

------
avn2109
I'd actually be interested in hearing from Tptacek on this topic, but he's
absent for once. Weird.

------
guard-of-terra
Also you can boot from livecd each time. You can use livecd boot on your
internet-enabled device. Imagine fellow rootkiter's frustration when he
realises root filesystem is read only.

Of course you're still vulnerable to BIOS/firmware malware.

------
derekp7
There is another backchannel that can be used if your air-gapped computer ever
does get compromised, which I haven't seen anyone discuss yet. If your
internet-connected computer and air-gapped computer both have audio speakers /
microphone, then that seems like a perfect covert way for a compromise to set
up wireless communications between them. An audio signal can appear to be
similar to fan noise, or outside of human hearing range. I wonder if this has
ever been exploited before.

------
gknoy
Bruce gives a good collection of tips, but in his specific case it probably
matters little. If he is a target of surveillance, I would be thoroughly
surprised if he did not get "black bag" intrusions (as he puts it). He is a
target that is definitely high enough priority ("I have Snowden's documents!")
that dedicating assets to investigation is more likely, and at that point an
air gap seems more like an inconvenience to the attacker than true protection.

------
CurtMonash
I ordered a new desktop computer last night, and a number of the options from
which I chose did NOT seem to have Wi-Fi built in. Rather, they sold low-cost
USB devices for Wi-Fi connectivity. I didn't actually check all the
motherboard specs to confirm this, but it seems pretty accurate.

So getting an air-gapped computer without Wi-Fi would seem to be the least of
the problems.

------
Sami_Lehtinen
I've been using a serial cable with data LEDs and GPG ASCII-armored data over
it. Very easy to visually inspect all data before further processing. The only
attack vector remaining is the GPG ASCII-armored parser, signature verification &
decryption.

AFAIK, this is quite safe.

This computer has not been connected to the internet ever, and it won't be in
the future.

Don't forget physical site security.
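
A strict receiver for the kind of link described in the comment above, as an added example (not the commenter's own code): it checks the ASCII-armor framing and the CRC-24 trailer from RFC 4880 section 6.2 before any bytes reach gpg, which is where the "only attack vector remaining" lives. The `armor()` helper exists only to build constructed sample input; the accepted envelope kinds (`MESSAGE`, `SIGNATURE`) and the body-size cap are assumptions, and the OpenPGP packets inside the envelope are deliberately not interpreted here, gpg still does that.

```python
"""
Constructed example: the receiving side of a serial-cable transfer that
accepts OpenPGP ASCII armor (RFC 4880 section 6.2) and rejects anything
that deviates from the expected framing before gpg ever sees the bytes.
Only the armor envelope and its CRC-24 are checked; the OpenPGP packets
inside are left to gpg.
"""
import base64
import binascii
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB
ALLOWED_KINDS = ("MESSAGE", "SIGNATURE")  # assumption: only these two cross the link
MAX_BODY_LINES = 4096                       # assumption: cap on transfer size

HEADER_RE = re.compile(r"^-----BEGIN PGP ([A-Z]+(?: [A-Z]+)*)-----$")
ARMOR_HDR_RE = re.compile(r"^[A-Za-z][A-Za-z-]*: [ -~]*$")
B64_LINE_RE = re.compile(r"^[A-Za-z0-9+/]{1,76}$")        # no padding on inner lines
B64_LAST_RE = re.compile(r"^[A-Za-z0-9+/]{1,76}={0,2}$")  # padding only on the last line
CRC_LINE_RE = re.compile(r"^=[A-Za-z0-9+/]{4}$")


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1; the check value for b'123456789' is 0x21CF02."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def armor(payload: bytes, kind: str = "MESSAGE") -> str:
    """Wrap raw packet bytes in a minimal armor envelope (used to build sample input)."""
    body = base64.b64encode(payload).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    crc_b64 = base64.b64encode(crc24(payload).to_bytes(3, "big")).decode("ascii")
    return "\n".join([f"-----BEGIN PGP {kind}-----", "", *lines,
                      "=" + crc_b64, f"-----END PGP {kind}-----", ""])


def dearmor(text: str) -> bytes:
    """Return the raw bytes, or raise ValueError on any deviation from the expected framing."""
    if any(not (0x20 <= ord(c) <= 0x7E or c == "\n") for c in text):
        raise ValueError("non-printable or non-ASCII character in armor")
    lines = text.split("\n")
    pos = 0
    m = HEADER_RE.match(lines[pos])
    if not m or m.group(1) not in ALLOWED_KINDS:
        raise ValueError("missing or unexpected BEGIN line")
    kind = m.group(1)
    pos += 1
    # optional armor headers ("Version: ...", "Comment: ...") up to the blank separator
    while pos < len(lines) and lines[pos] != "":
        if not ARMOR_HDR_RE.match(lines[pos]):
            raise ValueError("malformed armor header line")
        pos += 1
    if pos >= len(lines):
        raise ValueError("blank line after armor headers is missing")
    pos += 1
    # base64 body runs until the checksum line, which starts with '='
    body_lines = []
    while pos < len(lines) and not lines[pos].startswith("="):
        body_lines.append(lines[pos])
        pos += 1
        if len(body_lines) > MAX_BODY_LINES:
            raise ValueError("armor body too long")
    if not body_lines:
        raise ValueError("empty armor body")
    for ln in body_lines[:-1]:
        if not B64_LINE_RE.match(ln):
            raise ValueError("malformed base64 line")
    if not B64_LAST_RE.match(body_lines[-1]):
        raise ValueError("malformed last base64 line")
    if pos >= len(lines) or not CRC_LINE_RE.match(lines[pos]):
        raise ValueError("missing or malformed CRC line")
    crc_line = lines[pos]
    pos += 1
    if pos >= len(lines) or lines[pos] != f"-----END PGP {kind}-----":
        raise ValueError("END line missing or does not match BEGIN")
    pos += 1
    if any(ln != "" for ln in lines[pos:]):
        raise ValueError("trailing data after END line")
    try:
        payload = base64.b64decode("".join(body_lines), validate=True)
        expected = int.from_bytes(base64.b64decode(crc_line[1:], validate=True), "big")
    except binascii.Error as exc:
        raise ValueError(f"base64 decode failed: {exc}") from None
    if crc24(payload) != expected:
        raise ValueError("CRC-24 mismatch")
    return payload


def is_valid_armor(text: str) -> bool:
    """True when dearmor() accepts the text, False on any framing or CRC error."""
    try:
        dearmor(text)
        return True
    except ValueError:
        return False
```

The point of the strictness is that every byte arriving over the cable is either one of a few exactly-specified line shapes or grounds for dropping the whole transfer, so the surface the untrusted side can reach is the regexes, the base64 decoder and the CRC, and gpg only ever sees well-formed armor. The CRC-24 is an integrity check against line noise, not an authenticator; the signature verification the commenter mentions is still what establishes who sent the data.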

------
logicallee
Secure Linux air gap.

Here is a real secure Linux air gap:

1. From a friend's computer, burn two copies of your favorite Linux liveCD.

2. Hold the two identical discs so that you can see the reflection of the
document in front of you in one (mirror writing) and the reflection of the
reflection in the other (normal writing).

3. You now have a secure Linux air gap with which you can read any document.

------
MarkMc
I'd like to sign my executable files on an air-gapped machine. Problem is, the
code-signing tools for OS X and Windows (i.e. codesign and signtool.exe) seem
to require access to my private key to generate the signature AND an
internet connection to generate the timestamp.

Is there any solution here?

------
ChrisNorstrom
What about using a Linux CD? You can get online and use it for what you need
without it downloading or installing software. Every time you re-boot it's
guaranteed to be the same OS without any spying malware on it... I guess you'd
have to save files on a USB drive though.

------
spindritf
> if you're using optical media, those disks will be impossible to erase

I pop the old optical disks I'm tossing away into a microwave oven for 10
seconds at 1000 watts. How recoverable is the data stored on them? (And how
carcinogenic the stench?)

~~~
venomsnake
More than you would like. The amount of surface area left is substantial so
something could be recovered. The best way is to melt them with thermite. If
it is legal in your area.

~~~
chii
wait, thermite is illegal?

~~~
venomsnake
I have no idea. Chances of a mix that violently burns at 1300 degrees being
under regulation somewhere in the wide world are not that slim.

~~~
angersock
It's useful for fixing cracks in cast iron and joining rails, so I don't see
why it'd be regulated.

~~~
jlgreco
Something being regulated does not mean that it can't be used industrially.
Many types of explosives are regulated even though they are used industrially
every day in quarries and mines.

Still, restricting thermite would be silly and ineffective. As a chem-lab
assistant, I made the stuff in high school. Aluminum powder is widely available
and rather cheap, as is iron oxide (obviously ;). I also made cupric oxide
thermite, but that didn't work as well.

------
Shivetya
This reminds me a lot of what a lot of radio personalities who deal with
personal finances recommend: the system which you do your banking on should
only do that and nothing more.

While such a system is obviously still connected to the net, you reduce your
risk by running a discreet set of software.

To be totally safe you would need a room which protects from emissions
escaping it. Back in my service days we had systems isolated as such simply
because you could be monitored through walls.

~~~
g8oz
_discrete_

------
BrianYesh
"Note: the first company to market a USB stick with a light that indicates a
write operation -- not read or write; I've got one of those -- wins a prize."

------
apaprocki
Isn't this an example of poor OPSEC? If he is in fact using the procedures
spelled out in this post, he's giving his potential attackers a clear picture
of all of his security measures so that they can focus effort on exploiting a
weakness.

------
Grue3
He forgot that the computer must be wrapped in tinfoil.

------
macca321
How about conducting all IO by webcam OCR?

------
antocv
Schneier is kind of disappointing more and more...

Be cautious of this advice, dear readers.

" (The ultra-paranoid way to do this is to buy two identical computers,
configure one using the above method, upload the results to a cloud-based
anti-virus checker, and transfer the results of that to the air gap machine
using a one-way process.)"

No, the ultra paranoid would buy two computers, perform install 1 from friend
1's internet connection, downloading everything, keeping a copy and check-sums,
then perform install 2 on a friend of a friend's connection, then compare the
results of both the downloaded check-sums and the installation. (For certain
flavors of Linux it should be the same.)

There is no point in uploading to a cloud anti-virus checker if the NSA is
after you; it's not like they are going to use Slammer or some other known
virus against you.

Jesus Christ, and he is using Windows!? WTF. He is going against his own
advice - to use public/free software as often as possible.

For the step of moving files between air-gapped computers, he suggests using
USB sticks. _He forgot to say that you must encrypt the entire USB stick as
well_. You don't write a file-system to it! Only an encrypted blob, as
"viruses" can be transferred on the NTFS he is probably using. Even Linux fs
had a vulnerability - when the kernel tried to mount the fs it would privilege
escalate to root and run code - code that can be hidden in the NTFS alternate
(hidden) streams.

EDIT: For the NSA agent wishing to leak, a good idea is to look into HaikuOS,
MenuetOS etc. and use those instead of GNU/Linux, or ArchHurd. Something very
rare, something unexpected. Modify the installation from the default as much
as you can. Hm, we should make an Ask HN thread - what are the best ingenious
methods for current NSA employees to leak again, now that they have to share a
computer with a partner?

~~~
Lagged2Death
_No, the ultra paranoid would buy two computers..._

The ultra-ultra paranoid might use their popular and widely read blog - a blog
which is almost certainly read by more than one or two people at the NSA - to
post an enormous boat-load of misdirection that is nevertheless also helpful
advice for people who are actually stuck attempting to secure Windows
computers. Advice that happens to highlight what a nigh-impossible task that
really is. (TEN rules? Good luck.)

I can't think of any reason for someone in Schneier's position to publicize
his _actual_ security arrangements at this time.

Then again, maybe he feels he has a duty, as a security expert, to use and
thereby remain familiar with the most popular systems around.

~~~
dublinben
>Then again, maybe he feels he has a duty, as a security expert, to use and
thereby remain familiar with the most popular systems around.

I think this is the case for security experts like Schneier and Krebs. Most of
the threats they're interested in affect Windows. Most of their readers run
Windows. They would be a less useful resource if their first recommendation
was always "ditch Windows" even if that's accurate.

~~~
joe_the_user
Maybe he needs to use Windows, but whether or not his single air-gapped
computer runs Windows isn't going to determine whether he's going to be
running Windows in general.

I don't know how maintaining a full off-Internet computer isn't much more
extreme than switching OSes. If he is recommending an off-Internet machine, it
seems clear he'd want to recommend the hard steps as well as the easy steps.

I mean, he says he's running open office so Linux should be able to work great
for him.

------
fit2rule
I'm not sure air-gaps are as safe as we think they are.

Yes, it's tinfoil time: the NSA and various other Defence agencies have
deployed satellites capable of tuning into any CPU built since 1998.

Air gap in a deep, deep hole. Or maybe on the other side of the Sun. These are
the only really safe places for human subjects of the new Tech Overlords to
stash data...

~~~
qwerty_asdf

      [citation needed]

~~~
fit2rule
I don't have a desire to provide a citation because I'm exploring,
conjecturing .. I mean, after all it's not infeasible that the satellite
launches that the NSA has been progressively making, over and over, are to
support a network of CPU-sipping listening posts. This had been discussed even
in the 80's, in certain circles ..

