Building a Secure Computer System

[Rezz]

I am interested in building a secure computer system based on the OpenBSD OS. I would like to hear thoughts on how to make the system as secure as possible. Here are some of the ideas I have considered:

1. Using a removable media drive, such as the Castlewood Orb, in lieu of a standard hard drive. Thus, sensitive data could be stored in a secure location when the computer is not in use.
2. Shielding the computer enclosure to prevent the hard drive signature from being monitored from a distance.

3. Scheduling a hard drive military deletion utility to randomly overwrite the unused portion of the hard disk.

4. Employing the use of an external smart card device with an encryption/decryption algorithm programmed into the card, thus preventing the need for the encryption system to be compromised by existing on the hard disk.

5. A hardware-based secure login system using a fingerprint reader.

Please let me know if you can expand on these ideas or volunteer new ones. Has anyone had experience constructing a highly secure system using the OpenBSD operating system? Thank you in advance for any input you can offer.


[Rezz]

 

[Shalmanese]

Build a Tempest shielding around the screen and use a low powered LCD to prevent somebody on the street seeing your screen.

Some sort of power smoother device because (aparently, though Im not sure of the BS factor), your keystrokes can be monitored through very tiny changes in voltage in your AC power.

Use a secure password, changing daily (duh!) employing a mix of upper case & lower case letters, numbers, punctuation symbols and unprintable symbols (those which do not appear on your keyboard but need you to got Alt + XXX to type).

In addition to Fingerprint require face and eye recognition as well although biometirc systems have been proven to be a weak form of security.

Use one of those screen lock things which prevents viewing of the screen from any angle except perpendicular.

Work in a room with no windows and alwyas keep the door closed to prevent cameras.

Regular EM screening of the room to find bugs

One of those new bluetooth necklace thingies which locks down your computer whenever your more than 5m away.

Of course, all those things are moot if you have stupid users on your system which inevitably happens whenever you have more than one user.

 

[NuclearFusi0n]

Originally posted by: Shalmanese
Build a Tempest shielding around the screen and use a low powered LCD to prevent somebody on the street seeing your screen.

Some sort of power smoother device because (aparently, though Im not sure of the BS factor), your keystrokes can be monitored through very tiny changes in voltage in your AC power.

Use a secure password, changing daily (duh!) employing a mix of upper case & lower case letters, numbers, punctuation symbols and unprintable symbols (those which do not appear on your keyboard but need you to got Alt + XXX to type).

In addition to Fingerprint require face and eye recognition as well although biometirc systems have been proven to be a weak form of security.

Use one of those screen lock things which prevents viewing of the screen from any angle except perpendicular.

Work in a room with no windows and alwyas keep the door closed to prevent cameras.

Regular EM screening of the room to find bugs

One of those new bluetooth necklace thingies which locks down your computer whenever your more than 5m away.

Of course, all those things are moot if you have stupid users on your system which inevitably happens whenever you have more than one user.

<enemyofthestate>remember, rig the entire building with explosives. in the event of a compromise, you're better safe than sorry :Q</enemyofthestate>

 

[Shalmanese]

Oh, yeah, you might want something to shield those network cables & other misc cables as well, I had a really freaky incident where a cat5 cable was running alongside a wall which had a doorbell reciever on the other side and it kept triggering the doorbell.

NO wireless networks of course.

I would be wary of your removable HD idea, the fact that you want to move the HD to a "secure" location implies that the computer would be in an unsecured one. How are you going to move the HD around? How far away is this secure location going to be? What if you get mugged on the way there?

Also, I would consider complete incineration of the HD once every project is finished and a fresh HD per project. HD's are cheap enough now that it wouldnt be an absolutely insane idea.

If your not planning any net connections out of this room, OpenBSD is a waste of time, even Win95 will do. If you are, then I would suggest SecureBSD (i think thats what its called) and see if you can get a quantum encryption link going. Of course, the biggest problem then is making sure the person on the oter side has not recieved $1 million to reveal whats being said.

 

[cerial]

As was stated last, make sure all the cabling is in conduit, and you can view the conduit from room to room so you can inspect it often. I believe the NSA uses plexiglass to run the conduit between room so you can actually view the connections.

Moving the HD poses a security threat when it is moved (as has happened already in Nevada I believe). Keep it locked in the server until done with the project at which time you wipe it with a military grade deletion utility, then destroy the HD.

Also, a extremely tight fw, router and IDS that is monitored very often. If this server is on any network, then Physical Access is only 1/4 of your security battle...

HTH,
-Cerial

 

[Cuda1447]

Excuse my newbieness but....


Are you all extremely sarcastic, or are you for real?!?!?!?! WTF ARE YOU DOING THAT NEEDS THIS KIND OF SECURITY?




omg I must be a newb, or this is extremely sarcastic and Im not picking any of it up.

 

[m0ti]

cuda,

they're dead serious.

How secure is "too secure" for things that MUST be kept confidential (think military, intelligence, etc)?

Doesn't exist.


These people aren't making stuff up. It all exists. And it exists because there's a use for it.

As an added suggestion:

Place the system in a farady cage (I'm guessing where you're at doesn't have it built into the walls). Don't want EM escaping the vicinity.

 

[Cuda1447]

If it is something that important, what is this guy doing on AT?!?!? If you really have something so important that you need to destroy a HD after every single project, burn it eat it and poop it into outspace. Then have it in a capsule that is only opened by fingerprint verification then has a code that can only be cracked by the most autistic genious in the world.



Wow...

 

[NuclearFusi0n]

Originally posted by: Cuda1447
If it is something that important, what is this guy doing on AT?!?!? If you really have something so important that you need to destroy a HD after every single project, burn it eat it and poop it into outspace. Then have it in a capsule that is only opened by fingerprint verification then has a code that can only be cracked by the most autistic genious in the world.



Wow...

this is all hypothetical, for fun mostly

I had an idea of a hard drive cage made of thermite with a trigger switch. That should liquidify the hard drive if the need ever arises. Or just make a thermite pit and liquidify every drive when you are done with it.

 

[J.Zorg]

Burn you OS onto a CD-R so that noone can change you os or install any trojan horses or keyloggers.....In case of emergency throw it in the microwave on full power for a minute , or simply equipp it with a thermit charge..
/var and /home should be on an encrypted harddrive (above 1024 Bit secure Algorithm) equipped with a termite charge that goes off if anyone tampers with your pc , you don´t reset the autodestruct sequence every day oder if you hit the autodestruct button.
No Network connection
Encryptet Keyboard to PC connection.
EM shield the system.
No windows in the room.
Solid concrete walls. (makes it harder to hide observation equipment)
Regulary scan for observation equipment.
No additional equipment in the room.

Watch Enemy of the state and get some more ideas

 

[Mr.IncrediblyBored]

Originally posted by: J.Zorg
Watch Enemy of the state and get some more ideas

and Mission Impossible.

 

[Shalmanese]

The suggestions are, of course, extremely over the top but in no way sarcastic. THe question asked for the ULTIMATE secure system which is what were suggesting. There probably arent too many uses for a system that secure but all the applications suggested by me have (AFAIK) been implemented in one system or another.

Encryption and thermite isn't the be all and end all of security, encryption can be easily cracked if someone installs a camera above your keyboard and thermite doesn't work if you dont know somebody is in the room. Remember, somebody might just as easily disrupt your work by erasining everything as stealing it. If your going to have thermite, be damn sure you have the trigger in a secure location and theres no way anybody else can set it off.

 

[capybara]

about the OS: the most secure is SELinux (security enhanced linux) invented by the
NSA (national security agency) check out http://nsa.gov
it requires re-compiling the linux kernel to add a linux security module (lsm)
ps:: free download from nsa!
there is a mailing list you can subscribe to [for free] from nsa - i do!

 

[Chaotic42]

Originally posted by: capybara
about the OS: the most secure is SELinux (security enhanced linux) invented by the
NSA (national security agency) check out http://nsa.gov
it requires re-compiling the linux kernel to add a linux security module (lsm)
ps:: free download from nsa!
there is a mailing list you can subscribe to [for free] from nsa - i do!

I would think that the NSA has some kind of back door into this that the higher ups can use.

 

[Stercus]

There could be the compiler backdoor in this OS. That is that in a compiler there can be built in a backdoor since you never know the source code of the compiler unless you make it yourself you don't know if the backdoor is open. GCC for example has to be compiled so GCC might not have the backdoor but the compiler that was used to compile GCC might have one.

 

[idgaf13]

The NSA actually publishes info on how to make a computer secure based on the OS it is using.
Last I checked had specs for 4 OS's on its website.

They had a utility at one time on-site that would erase drives to their spec's,
cannot find it anymore.

 

[Sunner]

Originally posted by: Chaotic42

Originally posted by: capybara
about the OS: the most secure is SELinux (security enhanced linux) invented by the
NSA (national security agency) check out http://nsa.gov
it requires re-compiling the linux kernel to add a linux security module (lsm)
ps:: free download from nsa!
there is a mailing list you can subscribe to [for free] from nsa - i do!

I would think that the NSA has some kind of back door into this that the higher ups can use.

I would think that if they were stupid enough to add a backdoor into an opensource addon for the Linux kernel, at least 50 paranoid kernel hackers would be all over it within hours.
Oh the wonders of open source

 

[dkozloski]

A pencil and some rice paper. Do your computing on the paper with the pencil. When completed, chew the paper thoroughly with lots of water and swallow. This procedure has withstood the test of time for centuries.

 

[Shalmanese]

What if somebody poisons the pencil?

 

[dkozloski]

Then your secret is really safe!

 

[IaPuP]

THe biggest thing that bothers me about modern encryption is that it requires you to enter a password or fingerprint or whatever.


Pretty damn easy to set up a sniffer on your keyboard/fingerprint scanner and just sniff the bits that come off it and then duplicate them later.


I want to know a way to encrypt something that can't be sniffed. My best idea has to do with using data that's already in the system... using your password/fingerprint as a "hash" to do a lookup through a variety of selected files on the drive to pull characters out and place them into the encryption engine.

Password can only be generated if you enter your password AND point it to the correct files. *Shrugs*

You could just have a complete works of Shaespeare in text and copy and paste a few phrases from it. Doesn't the government usually just put keysniffers on your computer when they want to know your passwords?

All they see is *click* *click* *click* <enter>

nice password.

Eric

 

[ProviaFan]

Since you're talking about clicking things with the mouse (and this idea wouldn't work if there were anyone behind you, because they could see what you're doing), why not just make password entry to consist of entering a keyboard password, then clicking a row of buttons in a sequence (i.e. there would be buttons 1 - 9, and you click various ones after entering the password to unlock the computer). Sound good?

 

[wellerdball]

I recomend RSA security

 

[dejitaru]

Brain chips are not quite on the shelf, but are an option. You could store your 2097152-bit encrypted password, the computer's ROM chips, or an entire hard drive on it. You could also operate the machine entirely by this means. I'm not certain of the resolution, but it is reliable.
Ask the right people and you could have one implanted.
You would need to shield the wiring coming from your body, of course.

 

[lukatmyshu]

I remember reading a book where called Cryptonomicon where the guy suspected someone of using Van Eyke hacking on him (where the 'read' your screen remotely) and he got around it by using the LEDs on his laptop to to read data (i.e. he turned Caps lock on and off, scroll lock, and num lock as well ... u can make 8 numbers that way) ... kind of interesting.