Vitanuova for 2003 October 7 (entry 1)


I went to SFOBUG this evening to hear Ryan Lackey speak. He talked a lot about techniques for running secure applications in other people's colocation facilities. He has different solutions for different threat models and levels of paranoia. One example is using transparent disk encryption with keys stored only in RAM. If the machine reboots at all, it won't be able to access its disks; the person who knows the keys has to supply them again over an SSH session and can investigate the cause of the reboot before doing so. (It's somewhat hard to get keys out of RAM or subvert security policies, even given physical access, without a reboot. Having keys only in volatile RAM makes it likely that a reboot will be remotely visible.)

Ryan seemed to describe this mechanism as the lowest level of security precautions he had deployed recently when colocating a server.
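As an added illustration of the "keys only in RAM" scheme above (my example, not Ryan's code), here is the operator-side check one would run over SSH before re-supplying keys: it compares the host's boot id, uptime and mount table against what was seen last time and refuses to treat the host as untouched if anything disagrees. The name /dev/mapper/data, the use of /proc/sys/kernel/random/boot_id, /proc/uptime and /proc/mounts as the signals, and the sample outputs are all assumptions constructed for this example; the SSH transport itself is left out.

```python
from dataclasses import dataclass

# Assumed name of the decrypted block device; the post does not name one.
MAPPER = "/dev/mapper/data"


@dataclass
class HostSnapshot:
    boot_id: str            # /proc/sys/kernel/random/boot_id (new UUID each boot)
    uptime_seconds: float   # first field of /proc/uptime
    mounts: str             # raw text of /proc/mounts


def parse_snapshot(boot_id_text: str, uptime_text: str, mounts_text: str) -> HostSnapshot:
    """Build a snapshot from the raw text of the three files as read over SSH."""
    return HostSnapshot(boot_id_text.strip(), float(uptime_text.split()[0]), mounts_text)


def volume_mounted(mounts: str, mapper: str = MAPPER) -> bool:
    """True if the decrypted volume appears as a mounted device in /proc/mounts."""
    return any(line.split()[0] == mapper for line in mounts.splitlines() if line.strip())


def assess(prev_boot_id: str, snap: HostSnapshot, seconds_since_last_check: float):
    """Decide whether it is safe to re-supply keys. Returns (status, reason)."""
    if snap.boot_id != prev_boot_id:
        return ("REBOOTED", "boot_id changed: RAM keys are gone; investigate the cause "
                            "of the reboot before supplying keys again")
    if snap.uptime_seconds < seconds_since_last_check:
        return ("INCONSISTENT", "uptime is shorter than the interval since the last check "
                                "but boot_id is unchanged; host state cannot be trusted")
    if not volume_mounted(snap.mounts):
        return ("ALERT", "no reboot, yet the encrypted volume is no longer mounted; "
                         "keys may have been removed without a reboot")
    return ("OK", "same boot, plausible uptime, volume still mounted")


# Constructed sample data standing in for output captured over SSH.
SAMPLE_BOOT_ID = "3f1c2a9e-0000-4000-8000-000000000001\n"
SAMPLE_UPTIME = "86400.12 172800.00\n"
SAMPLE_MOUNTS = ("/dev/sda1 / ext3 rw 0 0\n"
                 "proc /proc proc rw 0 0\n"
                 "/dev/mapper/data /srv ext3 rw 0 0\n")
SAMPLE_MOUNTS_NO_VOLUME = "/dev/sda1 / ext3 rw 0 0\nproc /proc proc rw 0 0\n"


if __name__ == "__main__":
    snap = parse_snapshot(SAMPLE_BOOT_ID, SAMPLE_UPTIME, SAMPLE_MOUNTS)
    print(assess("3f1c2a9e-0000-4000-8000-000000000001", snap, 3600))
```

The "INCONSISTENT" and "ALERT" branches are the ones that matter: a reboot is the expected way to lose the keys, and anything that looks like key loss or a fresh boot without the boot id changing deserves a look before the keys go back in.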

We had an interesting discussion about trusted computing. Ryan likes having components capable of remotely proving their identity and integrity to him, because he can colocate them far away and protect them against all sorts of attacks. That doesn't mean he's a fan of initiatives like TCG and NGSCB, however. In fact, he's a skeptic. To overstate and oversimplify my case slightly, he's also only concerned about having machines he owns prove their integrity to him. He isn't trying to deploy applications with security models in which other people's machines prove their integrity to him or his machines prove their integrity to other people; at least, he didn't mention any such applications.

That superficially suggests that (contrary to some skeptics) trusted computing systems, even including attestation, are genuinely useful to security, and that (contrary to other skeptics) if they are, having attestations useful only to the computers' owners or their agents does not destroy the utility of the attestations. Of course, this is oversimplifying. For one thing, the attestation capabilities of a deployed TCPA TPM simply do not meet Ryan's needs; he's already buying more elaborate hardware for this purpose.

One thing I hadn't realized is that EFF's new sysadmin is the president of SFOBUG. I remarked that you can work with someone for weeks and not realize what he's president of.






Contact: Seth David Schoen