[atlas] Reasons to celebrate - passed 1K active probes :)
- Previous message (by thread): [atlas] Reasons to celebrate - passed 1K active probes :)
- Next message (by thread): [atlas] Reasons to celebrate - passed 1K active probes :)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Simon Josefsson
simon at josefsson.org
Sun Dec 25 20:45:16 CET 2011
fre 2011-12-23 klockan 19:33 +0100 skrev Philip Homburg: > On 12/23/11 19:10 , Simon Josefsson wrote: > > One way to deal with that is to let the probes send in the hash value of > > its firmware or something similar, which can be used to detect problems > > like that. And you could prepare "official" reports based only on the > > probes running "official" firmware. > You want untrusted firmware to send a hash value of itself? How do you > know it is not lying? > > > I really think this is orthogonal to releasing source code though. If > > you haven't built in any security mechanism, people can already do what > > you appear to be afraid of today. > > > (From a technical point of view) releasing the source is not an issue. > The probes come with key material that allows them to connect to the > Atlas infrastructure. In theory you can get that out of the probe. But, > you would violate the agreement as a probe host and it would be quite > tricky to do. And, you can take over only one probe at a time which has > to be in your physical possession. > > If we would allow 'third party' probes to connect to the Atlas > infrastructure then all of that changes. No need to physically obtain a > probe. Just download the source, request a key. And start hacking away. How does this keying work today? I haven't seen this documented anywhere. If you embed a symmetric or asymmetric key in the probes, which sounds like what you are suggesting (and is more advanced than what I expected), there shouldn't be any threat to publish source code for the firmware: people will not have access to any private key that you will trust. I was assuming that your current threat model was that you aren't concerned about fake probes, but if you have embedded keys in the probes, that suggests a different threat model. Solving that is relatively complicated, and describing your setup would be a useful contribution. My proposed solution to send a hash of the firmware was to be able to diagnose on the server side which firmware sent what information and to do larger-scale data mining. It is not a solution to malicious probes. Sorry if anything I said implied that. Cheers, /Simon
- Previous message (by thread): [atlas] Reasons to celebrate - passed 1K active probes :)
- Next message (by thread): [atlas] Reasons to celebrate - passed 1K active probes :)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]