
Air gaps never exist (2011) - cba9
http://gse-compliance.blogspot.com/2011/09/air-gaps-never-exist.html
======
tlrobinson
Doesn't "air gapped" imply physical separation? Putting a firewall, even if
it's totally locked down, between two networks does not make it "air gapped".

~~~
delinka
You _can_ get physical separation with WAPs, too...

~~~
kinghajj
Technically that's not physically separate, as photons are physical entities.

------
jimrandomh
> "How do you think I got the firmware updates? We just made an SSH tunnel
> over TCP 53 and proxied HTTP to the Sun website."

Sounds like the real problem was they didn't have a better mechanism for
getting things like that in. If a security system stops people from doing
their jobs, they'll poke a hole in it unless you provide a better option.
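
One defender-side takeaway from the quoted anecdote is that "SSH over TCP 53" is easy to spot if anyone looks: DNS over TCP has a fixed framing (a two-byte length prefix, then a header with one question and no answers), while an SSH session opens with an `SSH-` banner and stays open for hours. The following Python is an added example, not code from the thread or the linked post; it classifies constructed flow records (a hypothetical `Flow` shape: first client payload bytes, byte count, duration) and flags port-53 sessions that do not look like DNS.

```python
"""Flag TCP/53 flows whose first client payload does not look like a DNS query.

Added example; the Flow records and thresholds below are constructed for
illustration and do not come from the original discussion.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes   # first bytes the client sent on the connection
    total_bytes: int
    duration_s: float


def looks_like_dns_query_over_tcp(payload: bytes) -> bool:
    """RFC 1035 section 4.2.2 framing: a 2-byte big-endian length prefix,
    then the 12-byte DNS header. Sanity-check the header the way a client
    query must look."""
    if len(payload) < 14:
        return False
    msg_len, _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHHH", payload[:14])
    if msg_len < 12:                 # prefix must cover at least the header
        return False
    if flags >> 15:                  # QR=1 is a response, not a client query
        return False
    if (flags >> 11) & 0xF > 5:      # opcodes above UPDATE(5) are unassigned
        return False
    # A query carries one question, no answer/authority records and at most
    # one additional record (an EDNS OPT pseudo-record).
    return qd == 1 and an == 0 and ns == 0 and ar <= 1


def classify(flow: Flow,
             max_duration_s: float = 300.0,
             max_bytes: int = 10 * 1024 * 1024) -> Optional[str]:
    """Return a reason string for a suspicious TCP/53 flow, or None."""
    if flow.dport != 53:
        return None
    p = flow.first_payload
    if p.startswith(b"SSH-"):                    # SSH identification banner
        return "ssh-banner-on-53"
    if not looks_like_dns_query_over_tcp(p):
        return "non-dns-framing-on-53"
    # Valid framing but a session far larger/longer than DNS ever needs
    # (zone transfers excepted; tune thresholds per environment).
    if flow.duration_s > max_duration_s or flow.total_bytes > max_bytes:
        return "oversized-dns-tcp-session"
    return None


def _dns_query(name: str) -> bytes:
    """Build a minimal TCP-framed A query for `name` (constructed input)."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    msg = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # header, RD set
    msg += labels + b"\x00" + b"\x00\x01\x00\x01"              # QNAME, A, IN
    return struct.pack("!H", len(msg)) + msg


# Constructed sample flows: one normal lookup, an SSH tunnel on port 53,
# plain HTTP on port 53, a suspiciously long "DNS" session, and unrelated TLS.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "10.0.0.2", 53, _dns_query("example.com"), 120, 0.02),
    Flow("10.0.0.7", "203.0.113.9", 53, b"SSH-2.0-OpenSSH_7.4\r\n", 52_000_000, 3600.0),
    Flow("10.0.0.8", "203.0.113.9", 53, b"GET / HTTP/1.1\r\nHost: x\r\n", 4096, 1.0),
    Flow("10.0.0.9", "10.0.0.2", 53, _dns_query("example.com"), 25_000_000, 7200.0),
    Flow("10.0.0.5", "10.0.0.2", 443, b"\x16\x03\x01", 9000, 2.0),
]


def suspicious_flows(flows: List[Flow] = SAMPLE_FLOWS) -> List[Tuple[str, str, str]]:
    """(src, dst, reason) for every flow the heuristics flag."""
    out = []
    for f in flows:
        reason = classify(f)
        if reason:
            out.append((f.src, f.dst, reason))
    return out


if __name__ == "__main__":
    for src, dst, reason in suspicious_flows():
        print(f"{src} -> {dst}: {reason}")
```

The banner check catches the exact case in the quote; the framing check catches anything else that borrows port 53 without bothering to look like DNS; the size check is the fallback for tunnels that do imitate DNS framing, at the cost of needing a per-site threshold.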

~~~
AnimalMuppet
> Sounds like the real problem was they didn't have a better mechanism for
> getting things like that in.

_Any_ mechanism for getting things like that in is a break in the air gap,
_by definition_. (Well, by a strict definition.) But at least a better
mechanism would be managed by security policy, not by underlings' need to get
their job done. (That is, the security policy would have to take into account
the need for updates as well as the potential security implications of
importing new executable code from outside.)

------
elchief
Pedantically, not a "gap" if there's a network cable going to another
network...

~~~
jis
Years ago I was told by a colleague that he was required to set up an
administrative system that was NOT connected to the network, but also had to be
able to send and receive e-mail.

The inherent contradiction was lost on the people giving the orders. So...

~~~
Nadya
Well he _was_ an expert... wasn't he?

[https://www.youtube.com/watch?v=BKorP55Aqvg](https://www.youtube.com/watch?v=BKorP55Aqvg)

(Draw seven perpendicular red lines)

~~~
jib
That sketch annoys me. Sure, marketing/sales/PM/design guys are idiots,
whatever.

Here are 11 things "I can't do it" can mean:

I don't have time

I don't want to

I don't have anyone who knows how to

I want someone else to do it

I don't want to maintain it once built

I want to work on this other thing

Doing it would take away job security for me

I think it is beneath me

You're not going to use it anyway

I don't think it is worth doing

I think it is too expensive

I think it would be easyish to fill out another 10 reasons for what "can't"
really means that are more common than "it is flat out impossible regardless
of budget/resources".

~~~
Nadya
_> I think it would be easyish to fill out another 10 reasons for what "can't"
really means that are more common than "it is flat out impossible regardless
of budget/resources"._

Yes. But the skit isn't _about_ that.

I often get impossible tasks from managers. Luckily when I tell them why they
actually _listen_ and aren't purposefully obtuse like the team from the skit.
But the obtuse manner of the meeting is part of the comedy. Sometimes the
management/sales/marketing team just doesn't get it.

The most _common_ request?

"Please enhance this 92x92 .jpg logo x5-x10 its current size without lowering
the quality of the logo."

My most common pushback?

"Sure. Get with their designer and get me the original file, be it .psd or .ai
so that I can work with a larger resolution copy of the image. If they don't
have the original file for their logo, you are asking for one of two things:
1) Recreate their logo or 2) The impossible. If (1) my answer is no. If (2) my
answer is with modern technology, I can't."

I've also been asked to _uncrop_ photos. Not as in "restore a backup from
before we saved over it with a cropped version" but literally _uncrop_ a
photo.

I don't necessarily blame these people or get angry with them. I blame CSI and
other investigative shows where they "enhance" a blurry photo to 4k
crystal-clear resolution and read the reflection off of a button of a guy's
jeans to read the licence plate of his car. They've been told this shit is
possible by TV shows that use just-enough real tech to make the fake tech seem
real to people outside of the loop.

~~~
kbenson
The crazy thing is that the fake tech is also often actually _real_, but real
in the sense that there's a recent academic paper where in certain specific
conditions they were able to do what is being asked by using lots of math,
domain knowledge, and custom programming, at a total cost of hundreds of
thousands to millions of dollars when it's all done.

Does that help you in any way in a commercial setting? No, unless you are
Google or Apple or the like and it's not a simple request but the basis of a
new business division.

~~~
Nadya
Are you talking about the paper where they replicate keys from the roof of a
building across the street when the keys were on the floor some several
hundred feet away from a photograph? :)

~~~
kbenson
Not specifically, more just the occasional paper you see posted where they've
found a way to recover missing data from surrounding context. I.e. something
like reverse engineering redaction boxes from JPEGs by reversing a
non-lossless algorithm twice, once to get the lossy image in raw form with
redaction boxes, and at that point again to determine what was likely under
those boxes from the surrounding lossy compression as it existed before.

------
alkonaut
I thought "air gap" meant a machine or network that is physically separated
(these days also without any radio connection) to other machines.

How can those not exist?

~~~
cba9
Perhaps you should read the submission. The larger point here is that even if
you set up a network in the first place which is genuinely airgapped, as time
passes and systems evolve there will be constant pressure from within and
without to re-establish a network connection _somewhere_ in order to make
everyone's lives easier and eventually, whether deliberate or inadvertent, a
connection will be made (and of course, we know that the NSA has a variety of
infiltration and exfiltration methods to get across air gaps, such as dropping
flash drives and waiting for an insider to be foolish enough to bring it
inside).

Believing that an air gap exists or will continue to exist indefinitely is
hence setting yourself up for some unpleasant surprises in the future, and
encourages weak security designs where the network/system is crunchy on the
outside and all delicious and soft and gooey on the inside. (Which is more
secure, to have your local WiFi set up with WPA or whatever and have employees
telnet into servers, or just go Google-style and have fully encrypted end to
end links without requiring any belief in security of the links?)

~~~
vonmoltke
> Perhaps you should read the submission. The larger point here is that even
> if you set up a network in the first place which is genuinely airgapped, as
> time passes and systems evolve there will be constant pressure from within
> and without to re-establish a network connection somewhere in order to make
> everyone's lives easier and eventually, whether deliberate or inadvertent, a
> connection will be made (and of course, we know that the NSA has a variety
> of infiltration and exfiltration methods to get across air gaps, such as
> dropping flash drives and waiting for an insider to be foolish enough to
> bring it inside).

The article is not well written, and I personally had to parse it several
times to figure out what he was trying to say. I'm still not even sure if this
is the correct interpretation.

> Believing that an air gap exists or will continue to exist indefinitely is
> hence setting yourself up for some unpleasant surprises in the future, and
> encourages weak security designs where the network/system is crunchy on the
> outside and all delicious and soft and gooey on the inside. (Which is more
> secure, to have your local WiFi set up with WPA or whatever and have
> employees telnet into servers, or just go Google-style and have fully
> encrypted end to end links without requiring any belief in security of the
> links?)

That depends on your physical security. A facility like the one he described
should have had regular security audits to verify that no hard lines were
placed where they should not be. All hard lines and ports should have been
marked with identifying information. Nobody should have been able to keep a
line open for any significant period of time unless these processes broke
down.

~~~
cba9
> The article is not well written, and I personally had to parse it several
> times to figure out what he was trying to say. I'm still not even sure if
> this is the correct interpretation.

I thought it was perfectly clear. He was telling a funny story about how
systems and technologies evolve, giving two examples of that (latter, the
watch, former, the system's airgap springing a leak), and furnishing an object
lesson in the need for regular thorough audits to ensure that systems and
controls thereof are still in place and still working the way that the owners
_think_ it's working.

> A facility like the one he described should have had regular security audits
> to verify that no hard lines were placed where they should not be.

Exactly. In fact, I believe at the time he wrote this blog post, OP was an
active auditor for BDO. In some of his other posts, he analyzes observations
he made while auditing a variety of companies/organizations; unsurprisingly
standards across the board are very poor. He would be the first to say that
this sort of thing is what an audit should prevent and why audits are needed
(although I'm not sure I agree with his venom against pentesting; which I see
analogous to fuzzing).

------
genericresponse
That's why you commit to multiple layers and types of defensive and recovery
measures. Intelligence, preparation, prevention, prevention, prevention,
monitoring, adaptation, more monitoring, effective response, well planned
recovery.

~~~
kbenson
I'm pretty sure you missed another 2-3 prevention layers. Shit's pretty dire
after you're past that layer.

------
hackuser
> the blue cables in gas filled tubes

Cat5/6 cables? Why would they be in gas-filled tubes?

~~~
cba9
Good question - I have no idea. But if I google 'gas-filled tube ethernet', I
get a number of hits like
[http://en.tdk.eu/blob/174150/download/5/smd-surge-arresters-pb.pdf](http://en.tdk.eu/blob/174150/download/5/smd-surge-arresters-pb.pdf)
and
[http://www.first-electronic.com/uploadfile/2010989552637708.pdf](http://www.first-electronic.com/uploadfile/2010989552637708.pdf)
which suggest that these products are sold for networking purposes to prevent
surges. Since this is in a military context, I would hazard a guess that this
may be some sort of standard hardening requirement to try to protect the
datacenter against lightning strikes, EMPs (such as from nuclear strikes), and
general accidents. This may sound paranoid, but then again, so do Faraday
cages, and it _is_ the military - it's their job.

~~~
dkbrk
The wording didn't sound like he was talking about a gas-discharge tube for
surge protection. Also, that wouldn't have anything to do with security.

I think what may be happening is the ethernet cable runs are in sealed tubes
running at either positive or negative pressure so that if someone tries to
breach the tube and splice onto the cable it would be detected by a pressure
sensor.

~~~
AnimalMuppet
My interpretation was that the gas tubes were TEMPEST shielding, but if so, I
don't understand how it works...

------
w8rbt
Air gaps can also be bridged by using radio or sound waves. There could be a
bunch of non-networked computers in a secure lab all talking to each other.
This assumes trojaned hardware and/or operating system software in the systems
that can send and receive data and commands.

Finally, technology such as Morse Code is still useful in these scenarios.
Dits and dahs. Zeros and ones. That's all you need to be able to send and recv
data.

[http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600](http://www.jocm.us/index.php?m=content&c=index&a=show&catid=124&id=600)

[http://www.wired.com/wp-content/uploads/2014/11/air-hopper-malware-final-e-141029143252-conversion-gate01.pdf](http://www.wired.com/wp-content/uploads/2014/11/air-hopper-malware-final-e-141029143252-conversion-gate01.pdf)

------
wallaceowen21
Back in the early days of Ethernet there were fiber to AUI widgets, that used
2 multimode fibers, one for TX, one for RX. We used these on classified
systems with only RX connected - we could send data in to these systems over
UDP, and it was truly a one-way path.

------
munin
> I have seem so many kludges connecting SIPPER and NIPPER networks

I don't know how much I trust someone who can't even get the acronym for SIPR
and NIPR right
([https://en.wikipedia.org/wiki/SIPRNet](https://en.wikipedia.org/wiki/SIPRNet)
[https://en.wikipedia.org/wiki/NIPRNet](https://en.wikipedia.org/wiki/NIPRNet))

~~~
andreyf
from the link: "SIPRNet and NIPRNet are referred to colloquially as sipper-net
and nipper-net (or simply sipper and nipper), respectively"

~~~
munin
when you pronounce them, sure, but why capitalize them like an acronym, but
misspell the acronym?

