Could there be a backdoor?

13»

Comments

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Hi @LosInvalidos,

    I haven't specifically addressed your points in this discussion thread, but many of them have been explicitly discussed elsewhere. Ultimately there is a judgement that each person has to make for themselves, but it is important to make that judgement based on what we do know along with what we may be able to reasonably guess at.

    It simply isn't possible to meaningfully discuss what is vulnerable and what isn't without doing some math. It's also very important to weigh lines of attacks. Attackers, whether the NSA or anyone else, will tend to take the easiest avenue available to them.

    I sincerely believe that the NSA cannot break the cryptography in 1Password. But I don't know if they can break 1Password's security. Please note that those are not contradictory statements.

    Breaking 1Password crypto

    I've outlined why I believe that the NSA can't break 1Password's cryptography elsewhere. It's a technical discussion. If we'd been using RSA with 1024 bit keys (we don't use RSA at all; so this is moot) we would definitely be moving to 2048 bit RSA keys. (Note that key length requirements for things like RSA are very different than key length requirements for something like AES). Similarly, if we'd been using some of the "arbitrary" NIST EC curves, then we would also be looking to moving to different curves for EC cryptography. (Again, 1Password doesn't use elliptic curve cryptography at all; so we don't need to review them.)

    In a separate post, I outlined all of the crypto primitives that 1Password uses and outlined why I consider those safe (with the one exception that we are still looking at). Ultimately it comes down to what Bruce Schneier said, "trust the math". If you have any questions about any of that math, I'll try to address them, but please understand that doing so may be referring you to documents that are already posted.

    There is one other thing to note. If the NSA really does has the capability to break the crypto used in 1Password, then it is equally likely that they could break any alternative cryptographic primitives and constructions.

    Breaking 1Password security

    Breaking security systems (involving cryptography) is much easier than breaking the crypto unless the crypto is done wrong. Finding a bug in the software that allows an exploit is the typical approach. Obviously there are no such bugs that we know about, otherwise we would have fixed them. But statistically, there will be bugs. Some of which may be exploitable to break security, and some of those might be known to the NSA.

    Note that this is true of every system you use. We know that the NSA has been finding and acquiring "zero days" in many systems. My guess is that 1Password, as popular as it is, is not something they would specifically go after for the simple reason that it isn't generally used for communication. But that is just speculation on my part. You need to form your own judgement.

    Breaking the environment 1Password runs on

    Ultimately, 1Password's security depends on the security of the operating system it runs on. While something like badBIOS (as @manny mentioned) couldn't be used directly to go after 1Password, it could (if this things turns out to be real) be used as a way to compromise an operating system to evade the security mechanisms of the operating system.

    For example, 1Password performs a number of checks to ensure that it only updates genuine versions from us. And it also makes it easy (and encourages) the operating systems to ensure that you only run legitimate copies of 1Password. But those mechanisms rely on things outside of 1Password itself. Windows and Mac OS X both check that 1Password is properly signed, and won't run a replacement that someone drops in. But that check depends on those security functions of the operating system. We know that the NSA has broken Windows Update security in at least one occasion.

    Again, I don't think that if they were to do that kind of thing to your Mac or PC they would go after 1Password. They could get far more bang for the buck by simply monitoring all traffic in an out of your computer "before" it is encrypted (SSL added and remove here ˙ ͜ʟ˙).

    Assume that they can get data from iCloud & Dropbox

    We have always assumed that entities like the FBI and the NSA could get data from things like Dropbox or iCloud. The "news" is just how broad that data collection is. With Folder Sync (currently available for 1Password for Mac 4 only) users can pretty much set up their own sync systems as they see fit.

    I don't think that I can "resolve" the argument going on here. But I would request that people to be nicer to each other. At the same time, it is important that those who are concerned are willing to go beyond headlines and try to "check the math". There still will be a certain level of unverifiable trust required. But a look at the math and a sober view of relative threats should reduce those levels.

    Cheers,
    -j

    –-
    Jeffrey Goldberg
    Chief Defender Against the Dark Arts @ AgileBits
    http://agilebits.com

  • Uno_Lavoz
    Uno_Lavoz
    Community Member
    edited November 2013

    @manny He came in here and erected an ignorant wall of text without knowing what he was talking about, without checking the thread's prior discussion to make sure he wasn't beating a dead horse, without reading AgileBits' blog posts about the crypto strength, without reading/understanding Bruce Schneier's posts (despite linking to them), and best of all - everything he said just repeated things that had already been discussed to death in this exact thread.

    It was a clear attitude of just wanting to get some ignorant things off his chest - "everyone else and the facts be damned." He just wasted everyone's time. Why should we be tolerant of someone that doesn't even respect the rest of us enough to even do the bare minimum reading required to know what he was talking about? It's up to the rest of us (so far me and @jpgoldberg) to sweep up his mess and re-iterate things that were already said previously in the thread and in linked articles and posts.

    He could have educated himself before posting and saved us all time. And if you're thinking me and Jeff didn't have to waste our time responding, you'd only be partially right - by allowing ignorant statements to stand as the last word, new visitors would be getting the same plain-wrong ideas, and it would just keep spreading like wildfire. Suddenly those ignorant statements become gospel in more than one person's mind. So it has to be dealt with swiftly to prevent collateral damage. #-o

    The only thing of value that came out of his post was that, since he was mixing everything up, I got to clarify that you can't compare RC4 with AES with RSA, etc. Perhaps that helps someone in the future. My analogy sums it up nicely:

    Mathematically speaking, RC4 is terrible. But that has absolutely zero to do with AES. That would be like me saying "My front door has no lock (RC4), therefore all other front doors (including AES) are unsafe."

    AES is one of the most beautifully designed algorithms out there. The math is really clear and has stood up to scrutiny for decades. This is why you can "trust the math" (a phrase coined by Bruce Schneier, ironically), because AES really is that good - anyone that wants to break it (whether criminals/NSA or aliens >-) ) has to do the math. Cryptography is a mathematical problem and there is no way around doing the math. In the case of AES, that math has stood up to decades of looking for loopholes and shortcuts.

    Compare that with things like RC4, where things are convoluted, and where a recent attack was discovered which halves the required searchspace with some simple statistical analysis. There were already lots of other attacks on RC4, and by combining all of them, you can break RC4 very quickly. It's completely dead as a cryptographic algorithm. But, as I explained in the post, it's currently used for internet HTTPS (SSL/TLS) encryption because of the BEAST attack. So a very weak algorithm (RC4) had to be used instead. That is how the NSA "breaks all encryption on the internet - it only applies to web traffic. In fact, even that statement overstates the problem: Every individual visitor to a website has their own private key, so the NSA doesn't decrypt "all encryption". They decrypt targeted people. If a particular IP is on their watchlist, then they'll see which IPs he's exchanging encrypted information with, and will only decrypt it if it's something of interest, such as the IP to his internet bank, or whatever. They also target all traffic to/from extremist webserver IPs. Regular people never have their RC4-encrypted web traffic decrypted by the NSA, because there's just too much of it going on and none of it is of value to the NSA. So while they have the potential to crack RC4 easily, they only bother throwing the compute-power at the problem for specific people that they are already watching, and the can only crack it on a session-by-session basis.

    And most importantly of all - none of the above has anything at all to do with the AES algorithm, which is what 1Password uses.

    @jpgoldberg But I would request that people to be nicer to each other. At the same time, it is important that those who are concerned are willing to go beyond headlines and try to "check the math".

    I would love to be nicer, just as I would love them to go beyond headlines. Perhaps even reading the thread they're posting in before posting, to make sure they're not just wasting our time. That would be a good start. But people are lazy... b-(

  • Uno_Lavoz
    Uno_Lavoz
    Community Member

    @manny Anyway, as for your "badBIOS" article, I am well aware of Dragos Ruiu. He organizes and speaks at several security conferences, particularly the Pwn2Own conference which I always follow with interest to see what Mac exploits they come up with, and I trust his word. The attack on his machine has only infected him, and nobody else in the security community has ever come into contact with it. Therefore it sounds like a U.S./Israel-developed malware that was either directly or inadvertently targeted at Dragos. Stuxnet was a U.S./Israel-developed worm which infected via USB sticks in order to get into "airgapped" machines in Iran's nuclear silos and reprogram controllers to stop operations. Stuxnet did everything in a much more primitive way than what Dragos is describing. But everything that he says about USB controller buffer overflows and BIOS overflows is doable - if there were such exploits in the hardware - which is possible.

    The government is the biggest buyer of 0-day exploits from security firms. The thinking is this: "Why should I publish this exploit for free for a little bit of fame and zero money, when I could get $100,000 or $500,000 from the government by selling it to them and keeping my mouth shut about it?"

    And with that thinking, the NSA has been able to create a highly advanced infection system where they have a huge array of exploits to cherry-pick from when they need to infect one of their targets. They always pick the lowest-value exploits first. They don't want to lose the most valuable ones.

    So, with that back-story, it becomes believable that Dragos Ruiu has come into contact with the most advanced of the most advanced tools, which rewrites programmable USB stick controllers to in turn infect BIOS (Windows/Linux) and UEFI (Mac) via various buffer overflows/similar exploits, to in turn reprogram the BIOS/UEFI to always execute their payload before control is even given to the OS itself. If their payload truly runs before the OS, then it's in complete control to do anything to the machine. It could then sit there and watch the loaded OS and install further higher-level tools, communicate with other nearby machines to infect them as well (via other 0-day exploits), etc. That is why he would be seeing all of those registry tools failing, etc.

    Here's the deal: What he is seeing is way above the known state-of-the-art, but none of it is far-fetched. If someone was determined enough and had enough 0-day exploits, they could pull this off.

    The question instead becomes "How did he get infected?" - If this is government-developed (and it must be, considering the sheer number of 0-days used in concert), then why send it to one of the world's greatest security experts? Government-developed malware becomes useless the moment it is detected, and sending it to him is like trying to sell Marijuana to a cop - you just DON'T do it.

    Therefore there are 3 possibilities: 1) Dragos is lying (possible that he's doing this for a laugh), 2) He was accidentally infected and now jeopardizes the secrecy of the most powerful worm in the world by making it famous, 3) He was targeted so that "they" could go through his machines and steal all of his 0-day research notes.

    I'll be watching the developments with interest. He's getting some USB analysis hardware and will see what's going on with the USB sticks that are carrying the infection. We'll either hear that it's all real, or that he was just kidding all along.

  • Uno_Lavoz
    Uno_Lavoz
    Community Member

    @manny / Everyone else:

    I forgot to mention the most important thing: "badBIOS' will never hit your computer. If it's even real, then it is intended for government enemies and spying on specific targets. Things like this are never meant for general world-wide infection. The moment it's discovered, the jig is up and countermeasures and patches will be deployed that render it harmless. Unfortunately for its creator, it has now been discovered. :))

  • Uno_Lavoz
    Uno_Lavoz
    Community Member
    edited November 2013

    @manny Well, new developments are out and it appears badBIOS is actually a case of Dragos Ruiu losing his mind to paranoia. That's really sad if it's the case, but it appears to be true. He sent out BIOS dumps, hard disk dumps and process monitor logs to other researchers, adamantly insisting that they proved the infection. The other researchers (including me) agree that what he's saying is entirely doable by an attacker with enough 0-day exploits to pull it off - but, inspecting the forensic data he provided actually shows zero infection. The BIOS image was consistent with the official firmware for that motherboard, and all of the other logs and data just showed regular computer activity.

    Quote:

    http://arstechnica.com/security/2013/11/researcher-skepticism-grows-over-badbios-malware-claims/ "As every student in an intro to logic course learns, the absence of proof is not proof of absence. I continue to agree with Triulzi and other security researchers when they say it's perfectly feasible for a determined attacker to develop malware as advanced as badBIOS and unleash it wittingly or otherwise on Ruiu's machines. At the same time, extraordinary claims require extraordinary proof. If badBIOS is real, there should be no reason researchers can't independently verify its existence, especially if, as Ruiu says, it has infected more than a dozen computers and USB drives over a three-year span."

    Dragos also tweeted that someone had tampered with his uploaded forensic files and removed sections, but he then deleted that tweet.

    Too many things are just plain weird. He has apparently "battled" this malware for three years in secrecy and only recently went public with it. That's a very long time. He says that if he takes hard drives out of "infected" machines and analyses them via clean machines, he sees no signs of infection, yet he insists that they're just hiding the infection in some clever way. And he says that his computers are communicating via ultrasonic sounds if he unplugs the network - which is technically doable, but still a bit strange, and everything now points to one of the greats having completely lost his mind. Mental illness is no laughing matter and geniuses are not exempt from developing it. :|

    On his Google+ page, someone said that this reminded them of his paranoid chase of a rootkit 3 years ago: https://plus.google.com/103470457057356043365/posts/bop8ufrMp7s. Dragos replied: "This was the same incident as that one. I've been chasing it since then. Sorry no breaks with owned systems, I go until they're clean, even if it takes years." - Yikes...

    I just thought I'd mention this news for manny's / completeness sake: Everything now suggests that badBIOS is a figment of Dragos' imagination and this update seems to be the end of it. With the lack of any infection in his "grand" forensic evidence, I don't think we'll suddenly be hearing that it was real after all. It's very unlikely at this point.

    Speaking of ends of things, I'm done here as well. It's been interesting, but there's nothing left that needs saying.

    If I were to try and sum up the thread, it'd be in the wise words from The Hitchhiker's Guide to the Galaxy:

    Don't panic, and always carry a towel. Oh, and pick a good Master Password. 1Password (AES) is fantastically strong and will keep you cryptographically safe regardless of where your encrypted database is stored, but it all falls apart the moment your password is ... "password." ;)

    Take care, everyone.

  • Everyone
    Everyone
    Community Member

    Take care, everyone.

    Thanks, you too. :P

  • manny
    manny
    Community Member

    Thanks for the update, @Uno_Lavoz. That's sad news indeed, if he really suffers from paranoia. I hope he recovers.

  • Uno_Lavoz
    Uno_Lavoz
    Community Member

    @manny Same here. I really hope the story ends well for him.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    I've been following badBIOS. Had the report initially come in from almost anyone else, I would have been extremely skeptical. It is all too common for people to jump from "my computer is behaving in a way that I don't understand" to "I've been hacked." Dragos' initial set of announcements had all the hallmarks of that kind of thing, but because it was Dragos, I (and many others) gave him the benefit of the doubt.

    There was also a technical reason to doubt his analysis, though it was beyond my technical competence to judge. Others who've worked extensively on UEFI have presented good cases that a major part of what Dragos was claiming isn't feasible.

    The fact that no-one has been able to see anything, even though we now know what to look for, makes this all feel a bit like cold fusion.

    Being wrong, even stubbornly wrong, about something like this isn't sufficient to diagnose paranoia in a clinical sense. It's disappointing that someone who has the experience and expertise to know better would fall into the "It doesn't make sense, so I must have been hacked" mode. But if treated everyone who makes that kind of mistake as paranoid, there'd be nobody deemed sane enough to research. Pretty much everyone has made a form of that mistake from time to time, though few so dramatically.

    There is no question that governments, and certainly including the US government, have an arsenal of 0days. Some of them will certainly be more advanced than the kind of thing that's been seen in the public. And following a summer in which we learned that the "tinfoil hat" crowd had been right about a lot for stuff. But where I have had to adjust my own level of "paranoia" over the past months has not been in what the NSA is capable of doing, but in what they are willing to do.

    It's not as if the cryptographic community was under the illustion that SSL as commonly implemented is unbreakable. Sure there was new cryptography that went into Flame, but nothing radically new. The possibility of tampering with Dual_EC_DRBG had been spotted years ago. The (likely) taps on Google and Yahoo fiber certainly doesn't reveal radically new abilities. The hints that 1024 bit RSA keys are within the reach of the NSA is "news" but its hardly radical that they are a couple of years ahead of what conservative opinion had held. The ability to coerce, bribe, or break into telcos to collect massive traffic isn't a technical surprise.

    So my assessment of the NSA's actual ability to break crypto hasn't changed much. My assessment of what they are ready and willing and "authorized" to do go around crypto has changed. All of this is why I still "trust the math" even as I trust various institutions less.

    When it comes to badBIOS we don't have the "math" to trust. But I think that the analogous situation holds. Sure they have 0days that would surprise me (or people who actually know about those sorts of attacks), but I just don't think that they have a radical advantage outside of their power and resources. They break into network gear with a court order or a bribe. That's where they have the huge advantage.

  • Uno_Lavoz
    Uno_Lavoz
    Community Member
    edited November 2013

    @jpgoldberg That's a very thoughtful and well-written summary and pulled me right back in for at least one more comment.

    To me, the reason that badBIOS caught my interest was that it had so many elements that were beyond the known state of the art yet completely plausible. That nagging plausibility-level is why so many other researchers were drawn into the story as well. In fact, even though it seems to be over, it still nags at me how plausible it all is. Let's have a look at the claims:

    Ultrasonic communication:

    Speakers usually trail off around 18-20kHz, beyond which they're unable to produce any sound. At that frequency, it sounds kind of like really faint tinnitus, if you can even hear it at all. Knowing that speakers can often produce that frequency range, it would be possible to nearly inaudibly transmit network packets by modulating high-frequency audio in the same way that modems modulated audio in the past over telephone lines.

    This would allow crude, low-speed transfers between infected computers. You wouldn't be able to infect nearby computers in this way, but you could let two infected computers talk to each other to forward brief commands from the Command&Control server. Indeed, after seeing this badBIOS story, people quickly built prototypes that verified that high-frequency audio transfers are very doable if you want your malware to communicate over airgaps.

    Infection via just plugging in USB drives:

    If there was some previously unknown buffer overflow in the USB protocol or common controllers, then this would be completely doable. Part of me had high doubts that such an exploit existed, since so many people have studied USB, but the thing about exploits is that they tend to crop in the most unexpected places. I was willing to accept that there might be an exploit in the most common USB controller brand, or perhaps even in all of them. Stranger things have happened before.

    BIOS/UEFI/Boot infection:

    I don't think anyone believed it was the main component of the infection (I certainly didn't). Instead, I thought it was an OS-level exploit that then sunk its claws deeper by flashing the BIOS with a tiny bit of critical code - enough so that the infection could stay resident no matter if you formatted the hard disk. This BIOS code would be running as soon as the computer boots, and could then tell the OS (via directly performing kernel system calls by their physical memory address) to do things like downloading and executing payloads that would re-infect the machine at the OS-level.

    For instance, one way of infecting any BIOS in a very universal manner might be to make it automatically dump the current BIOS of the machine it's on, and then patch its code into the unused sections (there is always unused space on the chip), and then just re-route the firmware's entry point so that it passes through the new, injected BIOS code, fix the checksum (which is just a basic binary addition, not CRC32), and finally flash everything back into the hardware chip.

    Another way would be to just simply ignore BIOS/UEFI altogether and write itself to the bootloader on the harddrive instead, which is guaranteed to be the same on every computer regardless of hardware. Lots of viruses have done that in the past, since it requires very little effort. Heck, anyone that uses a cracked version of Windows actually uses this exact thing; it installs a cracked bootloader which runs before the OS itself loads, and patches the activation tables. Viruses staying resident via bootloaders is not a new thing at all.

    Having an infection that fights back (and disables regedit and things like that):

    This is completely normal and can be achieved by any rootkit that re-routes kernel calls into its own versions that simply disallow certain operations, such as disallowing the user from launching files called "regedit.exe", or similar actions that you want to prevent.

    In fact, pretty much all antivirus software works in the exact same way as rootkits, except that they do it for a good reason: They install their own kernel drivers that re-route certain critical kernel functions and then monitor the usage of those calls to protect the system from suspicious, virus-like activity. This same power is available to evil kernel drivers. So, it would be trivial for an NSA-developed rootkit to hide itself and disable the system components required to disable it, by simply installing a kernel driver rootkit.

    "It's Dragos":

    It all came from Dragos Ruiu, a very respected security researcher and organizer of multiple hacking events.

    So you see, every individual statement is plausible - and that's why we were all pulled in by the story. It contained enough of both science fiction and plausibility to tickle our "that's so cool!" radars, because pretty much all of it is plausible.

    The reason that it all seemed so feasible has a lot to do with Dragos himself - he is a smart man and knows about the inner workings of operating systems, so all of his claims had a lot of technical understanding behind them.

    However, if it had actually been real then it WOULD have showed up in the BIOS dumps, hard drive dump and procmon logs that he has now provided. There's no way to hide a BIOS virus. If evil code was really there, it would show up in a BIOS dump. Likewise for the OS-level of the infection: It would have showed up in his provided hard disk dump.

    Instead, all of his "evidence" came up clear.

    It was also news to me that he has been chasing this "for 3 years," which is not healthy and means that it unfortunately appears that we have a case where paranoia has made him see patterns where there were none.

    Jeff used a great analogy. Think of it as the next level of a grandma going "my computer is slow... ergo, viruses!" - except in this case it was a security researcher who noticed what he believed to be odd behavior, and then he began putting 2+5 together in his head and coming up with 239 for an answer...

    Basically: The cogs in his mind tried to explain what he was imagining, and in turn his technical background ended up giving us lots of cool ideas for future rootkits - the audio-based networking idea was one of the coolest things I've seen in years - but... his computers are actually clean.

    Fascinating story. I really hope he's not actually mentally ill - but working on non-infected systems for 3 years does seem absurd.

    This story really grabbed me, because on some level I think we all wanted it to be true just because it was all so damn cool. ;)

    It'll still be worth following the story. Hopefully we'll have a definitive answer soon, but everything so far points to it being as real as the Easter bunny.

    Anyway, I've got to go as promised. Farewell for real. :) :!! This is my last post on the forum. Take care, everyone!

  • manny
    manny
    Community Member

    @Uno_Lavoz Feel free to come back, your insights into security are surely appreciated. :-)

  • onepassword_user
    onepassword_user
    Community Member
    edited November 2013
    • @Uno_Lavoz: I gotta be going on.
    • @manny: Why, Shane?
    • @Uno_Lavoz: A man has to be what he is, Joey. Can't break the mould. I tried it and it didn't work for me.
    • @manny: We want you, Shane.
    • @manny: Shane!

  • benfdc
    benfdc
    Community Member
    edited November 2013

    Part of the reason that folks worry about back doors in TrueCrypt is that the developers are anonymous. AgileBits’s public presence here is very important (but not a perfect substitute for a security audit).

    Kickstarter campaigns for the TrueCrypt audit and the Dark Mail initiative may be heralding the dawn of a new era in security software.

  • Sacred_Brindle
    Sacred_Brindle
    Community Member
    edited November 2013

    Just catching back up on this. My hope is that the forums, while obviously focusing on the questions/comments directed towards the folks at 1Pass and the forum community, can stay light hearted on occasion.

    @UNO - I take offense (not really, I'm not a fan, but not easily offended), to being referenced w/ Alex Jones and 9/11 "Truthers", just because I pointed to historical data that was hidden, denied, uncovered, everyone scattered, before someone finally owned up. All while the publics attention was LONG gone. I know there is more to it all, but I truly dont car, its just a fun thought experiment.
    Based on your replies, it also seems like you have more of a complete picture than I had initially given you credit for, so mistake is on me for assuming. :)
    **

    @jpgoldberg - a slight turn from the actual product technology, into a broader security question So they just release the that NSA's younger sister across the ocean provided a very welcoming concierge service to many government officials for years (as I assumed we have as well). With that said, if the execs travel and are "hosted" be this team of 5 star waiters, how much info could they theoretically grab using whatever audio/video/? means they have setup in the suite prior to their arrival and monitored during their stay.
    I worked at Microsoft, so I'm aware of the technology that is involved (to a degree, I'm obviously not very technical, especially whenit comes to security/encryption as I've stated before). For this example, they have (or had) complete access to everything the exec (or lets be real sys admin has in their possession on the trip), as well as what they see/type. Now,
    I realize that this would be highly unlikely, but in a sense of the physical security of those who have some access into the systems, would this still just be the same encrypted info that resides on the system and that's it, or would be be possible to use that in a way to gain/find/create a way into the system?

    I apologize if this is slightly off topic and boring/redundant to some of you, but I feel its a valid question and I'm curious.

  • benfdc
    benfdc
    Community Member
    edited November 2013

    @jpgoldberg writes—

    My guess is that 1Password, as popular as it is, is not something they would specifically go after for the simple reason that it isn't generally used for communication.

    • My keychain contains all of my email and chat passwords, most of which I have not memorized. Also my cell phone provider login and PIN, meaning that an attacker could implement an equipment change and hijack my phone number. Also the passphrase for my PGP key (not that I ever use it, but still …). Heck, I couldn’t even post here as benfdc without it!

    • The raison d’être of 1Password’s new "shared vault" feature is secure communication.

  • jpgoldberg
    jpgoldberg
    1Password Alumni

    Hi @Sacred_Bindle,

    You are raising what is called the "evil maid" scenario. Where someone has temporary physical access to your computer. The danger in these cases is that even if you use full disk encryption and a firmware password, the evil maid may have replaced the BiOS on your computer, so that the "pre-boot" is to an already hacked system that then recovers the disk encryption keys.

    It's cool that you mention Microsoft as they have been working on a system called TPM (Trusted Platform Module) which works to have deeply built in "signatures" of various parts of the system. However, one of the difficulties with TPM is that because crucial parts of the system are digitally signed and those signatures need to be checked, there is a fear that this can be used for tracking. A year ago, I would have said that I don't share those particular worries (particularly because there are far easier ways to track people), but today I am less dismissive of those concerns about TPM. But I haven't studied the issue and have no informed opinion.

    Full disk encryption and firmware passwords really are going to defend against most evil maids. At least it will very substantially raise the cost and time needed by the attacker. So this goes back to the whole point about threat model. Do you thing that an attacker is going to put in significant resources just to get your data?

    This notion of what resources an attacker will put in is something you need to consider. And when asking that question, you have to break that down into "fixed assets" and "marginal resources". That is, if you already have the skills (fixed assets) to replace the BiOS on someone's computer in a hotel room, then launching each individual attack might only take a few thousand dollars).

    What I'd like to know is how much it cost to break into the European Commission fax machines, or Chancellor Merkel's phone. We know that this is possible (not really news) and that they are willing to do it (more newsworthy). But those may be expensive attacks to launch.So what can I do to raise the cost of launching a successful attack on me that will simply make it not worth the trouble.

    And to answer that question, I need to consider how much they would dedicate to attacking me. In some urban areas, grocery carts require that you pay a deposit to get one. The Tesco that I used to frequent near Milton Keynes required a 1 GBP deposit. The actual replacement cost of one of those carts, however, was on the order of 60£. The point is that while my data may be very valuable to me (and it is), it may not be as valuable to them.

    This returns to the general overall point, they will attack at the weak (cheapest) points, not at the strongest ones. Or when they break a "strong system", it will be for catching lots of data not just yours.

    As @benfdc wrote:

    My keychain contains all of my email and chat passwords, most of which I have not memorized. Also my cell phone provider login and PIN, meaning that an attacker could implement an equipment change and hijack my phone number.

    Well the NSA already has access to your email unless you are using PGP or S/MIME, and why should they break into your 1Password data to get your cell phone provider password when they can get everything that the want from the phone companies themselves?

    So unless you are already using fairly extreme operational security, then they have much easier ways to get at your secrets than by sabotaging 1Password.

    However, and this is something that should come through loud an clear. You have to form your own judgement. I think I'm right, based on my assessments, about why I think it is unlikely that they would come after 1Password. I've given those reasons, but many of those reasons are based on very limited information. For example, I am assuming that they already have an "in" at my email provider and so don't need to my email password. But I don't know that. We have frustratingly little information to go on.

    Cheers, -j

This discussion has been closed.