idea for a fun little security project

Werner Almesberger werner at almesberger.net
Mon Nov 17 23:11:20 UTC 2014


hellekin wrote:
> *** Going a step further, you could have a wireless keyboard that you
> flash with your firmware,

... if have access to the necessary information or can reverse-engineer
it.

>           ____________________
> _   _____/                    \_   _____.---------.
>  | |                            | |                \_____
>  | | USB  Secure Hardware Key   | | USB to Keyboard _____
> _| |_____                      _| |_____,----------|
> ^.       \____________________/         `----------'

Nice :-)

> The USB Secure Hardware Key

I.e., something like the critters made by: Ugoos, Rikomagic,
Tronsmart, FXI (Cotton Candy), Inverse Path (USB Armory), etc.

> would offer 3 functionalities:
> 
> 1. bootable Tails system
> 2. wireless keyboard connection
> 3. cabled keyboard connection
> 
> Both 2. and 3. would provide the encryption capability.

If the wireless keyboard encrypts, you'd also have it in case 1.
And yes, that's an entirely feasible scenario. Differences to the
simple USB-to-USB encryptor I described:

- considerably more complex and harder to make (but you can try to
  use a pre-built system, see above),

- more expensive,

- does not protect input going to the PC if the "sandbox system"
  is compromised. But yes, Tails is probably a good deal more
  secure than the pandemonium the average person keeps on their PC.

The Keyboard -> USB computer -> PC -> Internet -> Secure remote case
is a bit weaker than the keyboard -> USB-to-USB-encryptor -> PC ->
Internet -> Secure remote case irrespective of the condition of the
PC because the USB computer has a much larger attack surface.

> And if you remove the wireless part, and use micro-USB instead, you can
> have a fully featured encrypted keyboard for your mobile phone, which is
> probably a good thing to have given that we have more fingers than two
> thumbs.

May get a bit fumbly, though: smartphone + USB stick + keyboard.

> [ James Bond is after you ]

Here's an easy trick: wait until he lets himself be caught by your
henchmen. You can count on this happening, it's one of his little
rituals to never do something that would seriously upset you before
you had a chance to kill him.

When you have him in your fireproof holding cell, skip the sermon
and fancy death machines, and surprise him with the sheer simplicity
of a quick kill by revolver, knife, or a baseball bat, items you will
not have taken from him or any of his companions, but that you have
acquired and safely stored well before the occasion.

Then have your henchmen cremate his remains on the spot. Do not leave
the execution in the hands of your trusted if perverted lieutenant
but oversee it personally for the whole duration. Bring a large sieve
and shovels, to make sure no man-sized pieces wrapped in
fire-resistant bulletproof cloth somehow remain in the ashes.

Since you will be filming this, before uploading to YouTube, make
sure no blood or soot is seen on the flawlessly white fur of your
cat. People would never forgive you.

- Werner



More information about the discussion mailing list


interactive