Working with an Online and Offline Computer when using GnuPG - Best Practice?

Robert J. Hansen rjh at sixdemonbag.org
Tue Oct 10 03:57:37 CEST 2017


> I think perhaps this is a little low-bandwidth for security updates for
> your OS. By the way, you could use a USB-to-serial converter and use a
> serial cable. The problem with USB is sharing the same USB device
> between multiple computers. If you always use the same converter in the
> same computer, it's not an infection vector. But this is still very low
> bandwidth. Many USB-to-serial converters can go to 0.5 Mbit/s. I think
> the max I've seen is 2 Mbit/s. So it's not as low as the ol' 115k2 anymore.

In '07, my research group developed some really low-tech data transfer
with admirable characteristics: it was provably one-way data transfer.

Get a serial cable and cut it in half.  On one end attach a laser; on
the other end attach a photoreceptor.  Mount the two.  You now have a
data diode -- a "cable" over which data can only flow in one direction.
We had to write custom drivers for it, but it wasn't hard.

If memory serves we weren't able to go over about 300 baud.  This was by
design: our photoreceptor was ***old*** (like 1960s tech) and had a
relatively long cycling period after each pulse.  The point of using the
old photoreceptor was that, that way, we were dead certain there was no
exploitable integrated circuit in the photoreceptor...

> I haven't read about SD cards being infection vectors

Yep, they are.  Seen them myself in the malware lab.  No further comment
available, as I'm bound by NDA-of-doom.  But yes, SD cards have been
known to be infection vectors.  If you think about it for a while I'm
pretty sure you'll figure out how, but I unfortunately cannot connect
the dots for you.

> I do know about subverting SATA harddisks, but haven't heard about it
> actually being used, unlike USB. SATA sounds reasonable as well.

Yep!  Been done.  SATA firmware has been exploited via the JTAG
interface, new firmware loaded onto it, and been used as a vector.
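The laser-and-photoreceptor link described above only works if the software on both sides accepts that no acknowledgement, retransmit request or flow control can ever come back. As an added example (not from the original post, and not the drivers the author's group wrote), the Python below shows the transfer layer such a link needs: the sender numbers each chunk, protects it with a CRC32 and repeats the whole frame set several times; the receiver keeps whatever validates, ignores duplicates and reports which sequence numbers are still missing. The frame layout, the 32-byte chunk size, the `damaged_channel()` stand-in for the physical link and the `seconds_on_link()` cost model (10 bits per byte, i.e. 8N1 framing) are my own assumptions; only the 300 baud figure comes from the post.

```python
"""Framing for a one-way (data diode) link.  Nothing can come back from the
receiver, so integrity (CRC) and redundancy (repeated passes) must be supplied
by the sender up front.  Frame layout and parameters are assumptions."""
import struct
import zlib

MAGIC = b"DD"                     # hypothetical frame marker
HEADER = struct.Struct(">2sHHH")  # magic, frame count, sequence number, payload length
CRC = struct.Struct(">I")
CHUNK = 32                        # payload bytes per frame; small because the link is slow


def make_frames(payload: bytes, chunk: int = CHUNK) -> list:
    """Split payload into numbered frames, each with a CRC32 over header+data."""
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    frames = []
    for seq, data in enumerate(chunks):
        body = HEADER.pack(MAGIC, len(chunks), seq, len(data)) + data
        frames.append(body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF))
    return frames


def send_stream(frames: list, passes: int = 3) -> list:
    """Emit the whole frame set `passes` times.  Repeating full passes (rather than
    each frame back-to-back) spreads the copies out, so one burst of errors that
    eats several consecutive frames cannot take every copy of a sequence number."""
    return [f for _ in range(passes) for f in frames]


class DiodeReceiver:
    """Accumulates frames that validate; duplicates are harmless, bad frames are counted."""

    def __init__(self):
        self.count = None     # frame count announced by the first valid frame
        self.chunks = {}      # seq -> data
        self.rejected = 0

    def feed(self, frame: bytes) -> bool:
        ok = self._check(frame)
        if not ok:
            self.rejected += 1
        return ok

    def _check(self, frame: bytes) -> bool:
        if len(frame) < HEADER.size + CRC.size:
            return False
        body, crc = frame[:-CRC.size], frame[-CRC.size:]
        if zlib.crc32(body) & 0xFFFFFFFF != CRC.unpack(crc)[0]:
            return False                          # bit damage on the link
        magic, count, seq, length = HEADER.unpack(body[:HEADER.size])
        if magic != MAGIC or seq >= count or len(body) != HEADER.size + length:
            return False                          # well-formed CRC, nonsensical header
        if self.count is None:
            self.count = count
        elif count != self.count:
            return False                          # frame from a different transfer
        self.chunks.setdefault(seq, body[HEADER.size:])
        return True

    def missing(self) -> set:
        return set() if self.count is None else set(range(self.count)) - set(self.chunks)

    def payload(self):
        """Reassembled payload, or None while any frame is still missing."""
        if self.count is None or self.missing():
            return None
        return b"".join(self.chunks[i] for i in range(self.count))


def damaged_channel(stream: list, drop_every: int = 4, corrupt_every: int = 7) -> list:
    """Constructed stand-in for the physical link: drops frames at positions
    p % drop_every == 0 and flips one payload byte where p % corrupt_every == 3."""
    out = []
    for p, frame in enumerate(stream):
        if p % drop_every == 0:
            continue
        if p % corrupt_every == 3:
            i = HEADER.size               # first payload byte
            frame = frame[:i] + bytes([frame[i] ^ 0xFF]) + frame[i + 1:]
        out.append(frame)
    return out


def transfer(payload: bytes, passes: int) -> DiodeReceiver:
    """Push payload through the damaged one-way link and return the receiver state."""
    rx = DiodeReceiver()
    for frame in damaged_channel(send_stream(make_frames(payload), passes)):
        rx.feed(frame)
    return rx


def seconds_on_link(frames: list, passes: int = 3, baud: int = 300) -> float:
    """Wall-clock time for the stream at `baud`, assuming 10 bits per byte (8N1)."""
    return sum(len(f) for f in frames) * passes * 10 / baud


if __name__ == "__main__":
    msg = bytes(range(150))   # constructed 150-byte payload -> 5 frames
    one = transfer(msg, passes=1)
    print("single pass, still missing:", sorted(one.missing()))
    three = transfer(msg, passes=3)
    print("three passes recovered:", three.payload() == msg, "rejected:", three.rejected)
    print("seconds at 300 baud:", seconds_on_link(make_frames(msg)))
```

With the constructed damage pattern, a single pass leaves three of the five frames unrecoverable and the receiver can do nothing but report them; three passes recover the whole payload at the cost of about 21 seconds on a 300 baud link for 150 bytes of data. That trade (redundancy and wall-clock time in exchange for the absence of any return path) is the whole design space of a data diode transfer layer.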



More information about the Gnupg-users mailing list