How to create a *totally* secure development environment?
 

Aside from the obvious vectors like spam containing phishing scams, links to drive-by download attacks or infected attachments, we've seen increasingly creative ways for bad guys to compromise your system like "losing" infected pen drives, selling computers preloaded with malware, selling mobile phone apps with hidden trojans and viruses, and, most recently, a $300 app that can sniff out your private key even when your computer is encrypted.

On top of the obvious malware threats, there are also lingering questions about the integrity of common operating systems and cloud computing services. Do Windows, OSX, and linux have security holes? Does Windows supply a backdoor for the U.S. or other governments? Should you really trust your linux multiverse repository? Do Google and Apple data mine your private mobile phone data for private information? Does Ubuntu's sharing of my data with Amazon compromise my privacy? Can the U.S. Government seize your cloud data without a warrant? Can McAfee or Kaspersky really be trusted?

Naturally, the question arises of how to establish and maintain an ironclad workstation or laptop for the purpose of handling sensitive information or doing security research. DARPA has approached the problem by awarding a $21.4M contract to Invincea to create a secure version of Android. What should we do if we don't have $21.4M USD? Is it safe to buy a PC from any manufacturer? Is it even safe to buy individual computer components and assemble one's own machine? Or might the MOBO firmware be compromised?

What steps can one take to insure a truly secure computing environment? Is this even possible? Can anyone recommend a through checklist or suggest best practices?

The only way to have a totally secure computer is to unplug it, lock it in a safe, fill the safe with concrete, and drop it in the Marianas Trench while keeping your fingers crossed.

These recommendations from Indiana University might help; they seem to be Windows-oriented, so you might have to adapt them:

http://kb.iu.edu/data/akln.html

Here's a similar document from Rutgers:

http://rusecure.rutgers.edu/best

Here's a document from CERT:

http://www.us-cert.gov/security-publications/

If you search for "best practices computer security" you will find a number of other links, including a white paper from the US National Security Administration.

Thanks for your comment.

Ha! Still not safe from James Cameron.

Thanks for the link, but that stuff sounds mostly like common sense information for your average non-savvy user. I especially don't like that they tell you to install still more random software to sniff out your vulnerabilities. I.e., they focus on fixes after the fact. I'm more interested in making sure everything is clean BEFORE the computer gets used for anything. I.e., how can I be sure the beast is clean before I even hook it to the internet.


This also seems like common sense stuff -- and has broken links. Useful inasmuch as it has a lot of sensible instructions.


The CERT stuff looks pretty useful, but does not address the possibility of hardware-borne exploits that may come into play before the OS is even installed.

I feel like my ability to keep a running computer clean is pretty effective. I'm wondering more about how to be *extra super duper sure* that all hardware, firmware, peripherals, and initial OS install are secure.

E.g., is there some way to scan a motherboard's firmware for potential exploits before you bother installing an OS on it? Obviously, you can't use wireshark until much later.

It depends on how you define security. If you quarantine the physical access, is that secure? Pull the network when developing. (makes it a bit hard to develope network applications). Keep your source code on an external drive that you physically disconnect during any times that a network is connected (if ever). None of which ensures secure, but should make it harder for anyone without any physical access.

It's all an illusion anyway. My current debian install is over 10GB with most of a development and desktop environment. And I know I have not audited each and every opcode or line of script that it contains. And probably couldn't in my lifetime if I wanted to.

I fully realize that security admits of degrees and that we must define things and proceed under certain assumptions, but I'm hoping that we might nevertheless get some useful information and viable techniques kicking around here. My goal in this thread is to start at the *very* beginning and understand all the assumptions I make about security.

Let's start at the beginning with a simple question. Ignoring for the moment which operating system I ultimately choose to install, let's first address this question:
What steps can I take to acquire computing hardware that whose devices and firmware are free of exploits, trap doors, trojans, viruses, etc?

Note that I'm not asking if the hardware & firmware are exploit-proof but rather asking if they are "clean" -- meaning they don't already have some sneaky dude's back door installed? As Shadow pointed out, we'd probably have to read the firmware's source code to be certain -- but then again how do we know that is really the source code of the assembler/binary code that is actually stored on the MOBO's flash memory or ROM? Can anyone recommend steps one might take to insure a clean hardware build? Or is this totally hopeless?

The reason I'm starting with hardware is because I buy a lot of products from ASUS -- a Taiwanese company. Given that most of the spam I've encountered on my forums and inboxes is from China, it tends to make one wonder.

The is an open hardware movement.

http://www.arduino.cc/

I don't want to sound like a smart-aleck, but you seem to be assuming that there are super-secret security strategies that somehow are kept hidden from average users. There are not. It's just that many average users don't pay attention to security, other than using (and never updating) the AV that came on their computer when they bought it.

Heck, with a little bit of research and a handsome investment in hardware, you can build your own SCIF.

Effective security practices involve keeping up with vulnerabilities (and perhaps even discovering and revealing them yourself, if you have the technical skills) and taking common sense steps to plug them.

Following this thread, I have been driven to re-read the Evil Overlord list ... and what frankbell posted. Interesting stuff.

+1

Hiya sneakyimp, Always interesting to meet someone more paranoid than my self.;) The only way to be 100% sure of your hardware would be to build it yourself, Good luck with that. On the whole I'd be more suspect of anything coming out of " People's Republic of China" (Mainland China) Than I would Taiwan (Republic of China). Don't know offhand of any Mobo's made elsewhere beside the two though.
I'd say frankbell pretty much nailed it on the "secure computer" aspect of things, as you only have to know who Gary McKinnon is to prove that. Layered defenses is where it's at from what I've read also. A firewall, Host file, Not allowing remote access, Not allowing J$ on my browser unless actually needed, that sort of thing, and reading up on whats happening with Flash, is how I do my security. (my "control center" makes it easy to "tighten" things up)
With that I leave you with this nugget of wisdom "Endeavor to persevere" :D

You may wish to read unSpawn's " Security references" sticky at the top as well.

Thanks for that, Shadow. I've heard of Arduino but have not yet bothered to check it out. I will be doing so.

Don't sweat being smart-alecky. I like honesty in discourse and I appreciate the link. I know I might seem like a troll for even asking this question in the first place, but a while back unspawn spent a lot of time helping me to understand how to harden a server. His kind advice was a real eye opener for me and I do consider it a cut above the general advice available in some of the usual advice handed out to graphic designers and MBA grads by the IT guys. The other day I was look at an enormous list of processes running on a production linux box and it dawned on me that I know so little about all the software that is running on my machines. I'm about to set up a few sites to handle payments and, after revisiting the PCI Compliance Standards started to think I might want to burnish my security credentials and re-tool my knowledge and skills a bit. I'm kind of hoping to really understand from start to finish how I might best get security and, if I cannot be certain of security, I should have a good explanation why the heck not.

Based on the advice given to me by Unspawn, it occurred to me that I should probably start with the hardware. I find it surprising that there's no security rating system for hardware manufacturers. I'm tempted to call a few up and quiz them about the security of their firmware. Might be worth blogging about. I was also wondering what a world-class security expert might do to check a piece of hardware for exploits. Would we sniff the contents of memory? Can we scan the flash memory on a mobo and somehow analyze it? I'm genuinely curious about what a real pro would do. I've spent some time looking at assembler code and memory dumps before and don't expect I'll be doing this any time soon, but if anyone has anecdotal or actual experience sniffing hardware security, please do share.

I also found this which looks like pretty good advice. I've got Schneier's "Applied Cryptography" which is a truly good book.

First time I've seen that list. I love it.

weirdwolf, thanks for chiming in. I agree with your broad suggestions and heartily agree that a firewall in particular is kind of amazing. A lot of what Unspawn showed me in that other thread is about closing down unneeded services and tightening access to the machine. It has definitely been my experience that limiting access to critical services is the biggest boost by far in system security. It's hard to crack a machine that you cannot speak to.