wiki:org/meetings/2012SummerDevMeeting/Notes/S1OpSec

Operational Security Notes


02/07/12 15:30

OVERALL POINTS:

  • compartmentalization
  • should make a best practices list
  • hardware

BUILD TOOLS

Build tools so that people can verify software:

  • Can't require people to "download GPG and verify"
  • Debian solved this: the package simply doesn't install if the signature doesn't check
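The "doesn't install if the signature doesn't check" rule, as an added example in POSIX sh (not from the meeting notes, and not Debian's or Tor's code). It assumes a detached signature file next to the artifact and a gpg keyring file that holds only the project's release keys; the GPG variable, the function names and the file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the meeting notes, not Debian's or Tor's code):
# an installer step that refuses to proceed unless a detached signature over
# the artifact verifies against a keyring holding only the project's keys.
# Assumptions: SIG is a detached signature over FILE; KEYRING is a gpg
# keyring file containing the release key(s); GPG names the verifier binary.
set -u

# Overridable so the wrapper can be exercised without a real keyring
# (a test can point it at true/false); defaults to gpg.
GPG=${GPG:-gpg}

# verify_artifact FILE SIG KEYRING
# Succeeds only on a good signature by a key in KEYRING. A dedicated keyring
# matters: against the user's default keyring, any key they happen to have
# imported could make an unrelated signature look good.
verify_artifact() {
    "$GPG" --batch --no-default-keyring --keyring "$3" \
        --verify "$2" "$1" >/dev/null 2>&1
}

# install_verified FILE SIG KEYRING DEST
# Copies FILE to DEST only after verification; a missing or bad signature
# is a hard failure (return 1), not a warning the user can click through,
# which is the point of the Debian behaviour the notes mention.
install_verified() {
    if [ ! -f "$2" ]; then
        echo "refusing to install $1: no signature file $2" >&2
        return 1
    fi
    if ! verify_artifact "$1" "$2" "$3"; then
        echo "refusing to install $1: signature did not verify" >&2
        return 1
    fi
    cp "$1" "$4" && echo "installed $1 -> $4"
}

# Usage (assumed file names):
#   ./install_verified.sh tor.tar.gz tor.tar.gz.asc tor-keyring.gpg /opt/tor.tar.gz
if [ "$#" -eq 4 ]; then
    install_verified "$@"
fi
```

The two checks are deliberately separate: a missing signature file is refused before any verifier runs, so an attacker who can strip the `.asc` from a download gets the same result as one who tampers with the payload. On systems that ship `gpgv`, it can take the place of `gpg` here since it only needs the verification path.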

HARDWARE

Build/dev machines for Tor devs which are separate from personal machines

  1. Should this be second laptop or common build infrastructure?
    • If the latter, there is still the problem of personal laptops getting p0wned and id_rsa getting stolen.
    • If the former, PITA. But what if they are something smaller, like Raspberry Pis or torbox/torouter?

WINDOWS BUILDS / BUILD VERIFICATION

Authenticode
  • Windows users should have authenticode sigs, even though these have a CA crutch.

TOR DEV SEC

GPG

Tor devs need to keep their code signing keys safe, preferably offline

  • Separate "role" keys for each task, i.e.:

    0xdeadbeaf  "Ooni Release Key"
    0xc0ff3333  "Ooni Nightlies Key"

  • There can obviously be a different security profile for each role key

YubiKeys/SmartCards

  1. Make Offline Master Keypair (OMK), and print out and store only offline.
  2. Use the OMK once a year or two (or whatever) to create new keypair(s); the keypair assigned to a dev goes on that dev's SmartCard, and the project "role" keys should be stored offline.

Canary System

  • Sign some NYT article every N days to show that you still own the key.
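The key hierarchy from the two numbered SmartCard steps above, plus the canary idea, as one added example in POSIX sh over GnuPG 2.1+ (not from the meeting notes, and not Tor or OONI tooling). A certify-only master key is generated in a GNUPGHOME that stands in for offline media; expiring signing subkeys are minted from it, one per role or developer, and each is exported on its own so the file that goes on a SmartCard or into offline storage carries only a stub of the master. The user IDs (ooni@example.org), file names, one-year subkey lifetime and empty passphrase are assumptions; the actual move onto a card (keytocard in gpg --edit-key) is interactive and is only noted in a comment.

```shell
#!/bin/sh
# Added example (not from the meeting notes, not Tor/OONI tooling): the
# offline-master / role-subkey hierarchy sketched above, with GnuPG 2.1+.
# Assumptions: identities, file names, the 1-year lifetime and the empty
# passphrase are for the example only; a real master would carry one.
set -eu

# All key-touching gpg calls run non-interactively so the script can be
# exercised end to end.
gpg_batch() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"
}

# make_master UID -> prints the fingerprint of a new certify-only master key.
# Usage "cert": it can certify subkeys and other people's keys but never
# signs code itself, so its secret material never needs to be online.
make_master() {
    gpg_batch --quick-generate-key "$1" ed25519 cert never
    gpg --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'
}

# add_role_subkey MASTER_FPR EXPIRY -> prints the fingerprint of a fresh
# signing-only subkey (EXPIRY like 1y). This is the key that actually signs
# releases or nightlies and is re-minted from the master when it expires.
add_role_subkey() {
    gpg_batch --quick-add-key "$1" ed25519 sign "$2"
    gpg --with-colons --list-keys "$1" \
        | awk -F: '$1=="sub"{want=1} $1=="fpr" && want{fpr=$10; want=0} END{print fpr}'
}

# export_role SUBKEY_FPR OUTFILE -> writes only that subkey's secret material
# (the trailing "!" selects exactly one subkey). This file is what gets
# loaded onto a dev's SmartCard (keytocard in gpg --edit-key) or kept offline
# as a role key; the master secret stays in the offline GNUPGHOME.
export_role() {
    gpg_batch --armor --output "$2" --export-secret-subkeys "$1!"
}

# master_is_stub FILE -> 0 if importing FILE into a fresh keyring yields a
# primary key with no secret part (gpg marks such stubs "#" in field 15 of
# the colon-mode sec record). Run this before handing a key file to anyone.
master_is_stub() {
    h=$(mktemp -d)
    GNUPGHOME=$h gpg --batch --quiet --import "$1" 2>/dev/null
    flag=$(GNUPGHOME=$h gpg --with-colons --list-secret-keys 2>/dev/null \
           | awk -F: '$1=="sec"{print $15; exit}')
    GNUPGHOME=$h gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$h"
    [ "$flag" = "#" ]
}

# sign_canary SUBKEY_FPR TEXTFILE OUTFILE -> clearsigns a dated statement
# wrapped around TEXTFILE (the "sign some NYT article" idea) with the role
# subkey, then verifies the result so a dead key is noticed at signing time.
sign_canary() {
    { printf 'Canary signed on %s\n\n' "$(date -u +%Y-%m-%d)"; cat "$2"; } \
        | gpg_batch --local-user "$1!" --clearsign --output "$3"
    gpg --batch --quiet --verify "$3" 2>/dev/null
}

# Run "./rolekeys.sh demo" to build the hierarchy in a scratch home:
if [ "${1:-}" = demo ]; then
    GNUPGHOME=$(mktemp -d); export GNUPGHOME   # stands in for offline media
    master=$(make_master "Ooni Master Key (offline) <ooni@example.org>")
    release=$(add_role_subkey "$master" 1y)
    export_role "$release" ooni-release-subkey.asc
    master_is_stub ooni-release-subkey.asc && echo "master secret stays offline: ok"
    echo "role subkey $release certified by offline master $master"
fi
```

The check in master_is_stub is the one worth keeping around: a secret-key file that shows `sec` rather than `sec#` for the primary in a fresh keyring means the master left the offline medium, which defeats the whole arrangement.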

COMMON SECURITY ISSUES

  • Tor devs need to follow basic procedures like "don't open .pdfs unless in a VM"
Last modified on Jul 2, 2012, 2:48:20 PM