Monday, November 10, 2014

I’m afraid I can’t do that, Dev (Patel)

Finding a topic for this week’s blog is sometimes challenging, but this week, HBO was kind enough to give me something to talk about.

Those who watched yesterday’s episode might have noticed how Neelamani Sampat (a.k.a. Neal), the Indian “computer genius” played by Dev Patel needs an “air gapped” computer to receive some sensitive files from someone. Will McAvoy proceeds to hand over a credit card to Neal and tells him to go buy such a computer.


The concept of “Air Gap” may sound familiar to those who dealt with UAG, Microsoft’s reverse proxy and application publishing product (which I used to be a part of until a few years back). Indeed, Whale Communications, which was later acquired by Microsoft, originated a product called “AirGap” and used it when creating super secure gateway device for connecting two networks. In reality, the AirGap concept is not more or less secure than any good firewall, but it was developed specifically to meet some poorly worded security policy set forth by the Israeli government and some Israeli military and defense industry related organizations.

While I have to appreciate Aaron Sorkin and his team trying to educate the public about security, I’m also uncomfortable by the way they do it, which can end up misleading rather than teaching. Let me explain a bit more about this.

While Neal describes this as “literally a gap of air between the computer and the rest of the world”, this is not literal in any way. What’s really going on in this episode is that a person wants to provide Neal with sensitive documents, and they are concerned that if Neal opens them on a regular computer (one that has an internet connection), the government might be able to know of this because they might be bugging Neal’s regular computers in some way.

One fallacy in this plot line is the fact that there’s no such thing as an “air gapped” computer any more than an “HBO-less” television. If you want a computer that isn’t connected to the internet, just disconnect it from the internet! (pull out the network cable or disable the Wi-Fi network card). Even if we went to an extremely paranoid state of mind that the government is somehow capable of overriding this, then the Laptop Neal buys at Best Buy would certainly not be immune to this sort of high-level espionage, and the only thing to do would be to go into a faraday-cage, which would block any radio signals coming in or out.

Another fallacy is the claim that Neal needs to setup a higher level of encryption above his regular AES encrypted mail because his opponent is capable of 3 trillion guesses per second. A fast super-computer is indeed capable of about 1 trillion guesses per second as part of brute-force attack to decode an encrypted message, but even then, it would take many billions of years to crack even a lowly 128 bit encryption (1,000,000,000,000,000,000 years).

I probably can’t go into each and every error in that episode right here, so here’s a quick summary:

1. any store-bought laptop cannot be, by definition, “air gapped” because they all contain wireless networking.

2. An “air gapped” computer would be a specialty item, one you wouldn’t find in a regular store like Best Buy

3. Any computer can be air-gapped if you rip out the networking equipment

4. Any computer that has networking hardware built in cannot be fully air-gapped, because it might be remotely-controlled

5. Even a computer that doesn’t have networking hardware might still be tracked via concealed networking hardware (just like a phone can be bugged without the user’s knowledge)

6. Even a computer that has NO networking hardware of any kind can still be eaves-dropped on upon by external cameras, which can see what’s showing on the screen or being typed on the keyboard

7. Even when there’s no external cameras, a computer can be eaves-dropped upon using radio signals it emits as part of normal operation. The only way to block that is with a faraday cage

8. An AES encrypted message is so secure, that it’s infeasible to break within a person’s lifetime even with the best super-computers in the world (like those used by the NSA)

9. If Neal’s computers are monitored or controlled by the government (necessitating the air-gapped computer), then they could easily read the encrypted message as it’s being decrypted or shown on-screen, and any level of encryption would be useless. Same if they can access the buildings security cameras.

10. Stashing the USB drive in a public bathroom as opposed to a personal delivery would violate ALL the other security steps taken prior. Really??? In the Toilet tank?!?! (BTW…Ewwwww!)

11. Leaving the “air-gapped” computer in the room and walking out, like Neal did, without locking it down or securely-wiping it is also a terrible idea.

12. Discussing this with his peers in an open-air place like the balcony is a big no-no. In fact, I would say that after the issues they had with the government recently, not to mention their high-profile as a news source, they should not be discussing ANYTHING secret anywhere near their building.

Now…if you, dear reader, are a journalist, or script-writer, or anyone else who would like to deliver or receive secret info, here are some rules to help you out:

1. Do not start the conversation on a computer of any kind…not even if the message is encrypted. Follow the person and grab him at a public and noisy place like Starbucks. Even if the person is followed, the noise reduces the chance of successful eavesdropping even with directional microphones.

2. Stay away from Windows, so lip-reading can’t be used

3. If either of you need to use a computer, build one from scratch using parts. Lock the computer case with a high-security lock and check it daily for modifications. Install the operating system yourself, from a secure source (an original DVD, not from a downloaded copy). Enable storage encryption (like Bit Locker).

4. On the computer, enable passwords on the BIOS, The drive (bit locker), the operating system, and any software that supports password-protection. Make sure every password is unique, long, complex and not written anywhere.

5. Turn off the computer when not in use, and pull out the power cord.

6. When not in use, lock the computer itself, as well as the keyboard and screen in a physical locker (these can be implanted with a bug too)

7. When using the computer, do so in a metal cage (a Faraday cage)

8. Make sure you’re not in an environment where there are security cameras, Windows or other people.

9. If you can, install a security system in the room/house, or at least tamper-evident safeguards (for example, gluing a hair on the doorframe can tell you if it’s been opened)

10. If you need to transfer data from or to the computer, use floppy disks or CD-ROM discs (nor USB drives). Destroy them with fire after use. If you have to use a permanent storage device like a USB drive, buy the small and cheap ones, and destroy them with heat after use, or at least encrypt their content.

Finally, keep in mind that a person or group with sufficient resources can tap into ANYTHING, and even professional spies get caught. If you’re dealing with stuff that would get the NSA or CIA interested, your chances of avoiding them completely are virtually zero…just don’t do it.