Talk:End-user Computer Security/Appendix/Example set-ups & implementations

Notes on example set-ups that probably ought to be filed under this Appendix part (in main content)
  the Pi device would be used to log-in to cloud-hosted DaaS (Desktop as a Service) services, meaning that the Pi's limited computing power would not really be much of a concern—the end-user’s Pi computer would act as a thin-client computer for the user. Such a thin-client set-up also helps with security in the sense that the end-user’s computer then becomes more “barebones” with the (client) software used probably being very trustworthy. There would then be a shift of security concerns from the end-user’s site to the DaaS provider—reliance would then be made on the DaaS provider’s security. The security of the DaaS—normally speaking—would be expected to be quite high; they would generally have much more resources for ensuring this.   such a set-up would rely on the security of the "TLS cryptographic security certificate" system. Because certain certification authorities would likely be less trusted than others, perhaps only a select few security certificates would be regarded as trusted and used for computing over the internet. In order to stay up-to-date with the certificates in the case of accidental power loss, new certificates would be saved to removable media, perhaps at the end of each day or each week. If using a mutli-session write-once DVD, then probably would be a good idea to record somewhere else, the location (in terms of tracks, sectors, etc.) on the DVD of the last write. That way, if an adversary made additional writes, it would be detected. The record could be kept on paper, in a safe, etc.   A USB cryptographic security-key token would be used in conjunction with a password, to log-in to the DaaS services. Passwords would be changed every now and then.   The method of firmware reinstallation mentioned above for reinstalling the DVD drive’s firmware so that the DVD drive can remain trusted, can be used on other devices and peripherals again in order to maintain trust in such devices/peripherals (such devices and peripherals might be the computer screen, mouse, keyboard, etc.)   The low cost and high availability of the Pi device is desirable. The high availability makes the methods described earlier concerning thwarting MITM attacks targeted on the path between first supplier and end-user, stronger and easier to employ. The low cost means that if it really is needed, a new unit can be bought as a replacement, probably in those cases where security may have been compromised in a significant way (perhaps every time your intrusion-detection system “goes off”, for example).   The non-integrated nature of the set-up (by, for example, not having the keyboard, screen, mouse, DVD drive, DVDs, and SD cards integrated into one unit), can improve security, it would seem (see here).   To be even more sure that the Raspberry Pi hardware has not undergone tampering, or been maliciously replaced with a deceptive fake, certain physical-property authentications can be made of the hardware. For example, using visual inspection, the device can be compared with downloaded photos of how it is supposed to look. Other measurements might be weight, X-ray images, etc.   The equipment would be locked-up when not in use, and other non-computer measures would be used for things like tamper evidence and prevention of illegitimate password capture (capture done perhaps by means of hidden cameras). </li> <li STYLE="padding:0.75em;"> EEPROM on Rasp Pi devices is a point of attack, but adversaries need to have physical access, or somehow infect the system with malware-laden software, to get at it. The firmware can be write-protected with a software mod and hardware-config mod. Doing so will thwart software-based attacks. Physical access to the device should be adequately secured with the other details of the set-up. Encasing the EEPROM chips, jumpers, and input pins with removable transparent glue containing unrepeatable patterns, could provide particular tamper-evident security aimed specifically at protecting the firmware chips and firmware code. It appears there is no user-writable EEPROM on the Rasp Pi 3B+. Since the EEPROM is a point of attack, that if it were not used would seem to make the whole set-up generally more secure, perhaps using the 3B+ device instead of the 4 device might be a good idea. Probably, there is essentially no changeable firmware on the 3B+ model (instead firmware is permanently burnt into the SoC), and since firmware is considered a particular point of attack, using the 3B+ model may be a good idea. However, the firmware code permanently burnt into the 3B+ has known bugs. Admittedly, they are patched in the booting of the OS (normally off an inserted SD card) for newer versions of the boot file (`bootcode.bin`), but still such vulnerabilities might be significant. Risks (such as backdoors and malware) in the Pi device’s firmware (which could be due to the use of closed-source blobs in the firmware) can possibly be mitigated by disabling unneeded functionality through removal of code from the firmware, and by doing certain kinds of sandboxing whether at the firmware level, OS level, or the level of applications running over the OS. </li> <li STYLE="padding:0.75em;"> It might be a good precautionary measure to RF shield the Pi device completely, and to connect to the internet via a USB-connected WiFi dongle or an ethernet connection. This could perhaps be achieved by placing the Pi device in a steel box, where there is a small cut-out hole for any USB dongle cable or ethernet cable. If the shielding worked, it would ensure that none of the components on the Pi device would be able to communicate wirelessly of their own accord, which could be a particular mode of attack/theft. Instead of a steel box, shielding could perhaps be implemented by the Pi device being water-proofed and then submerged in a water solution having high electrical conductivity. Not sure which would be cheaper: the water solution approach or a metal-box approach. Metal reflects RF signals and so can actually sometimes amplify wireless capabilities. So in such regard, the water-solution approach might be better. A water solution approach also potentially has the benefit of permitting visual inspection of the internals of the Pi device, which can make detection of physical tampering easier; this can then, as a consequence, also indirectly help with the prevention of such tampering (by making such attacks less attractive to adversaries). </li> </ul> See this Raspberry Pi forum topic for the original seeds of this set-up idea, that were eventually grown to become the greater detail of the idea (as present here); the set-up was developed somewhat within the just-mentioned Raspberry Pi forum topic. ☞  Using a separate inexpensive but safe computer/device for doing internet things, where the main device has been stripped of communications capability (by removal of hardware) appears like a good security idea; it can be particularly good for budgetary reasons. Perhaps it is an extension of the "Having intermediate device for internet connection might be more secure?" idea already present in the talk pages of the book (see https://en.wikibooks.org/wiki/Talk:End-user_Computer_Security/Main_content/Wireless_Communications#Having_intermediate_device_for_internet_connection_might_be_more_secure%3F ). Internet tethering to main device may not be a good idea, because malware can then potentially piggy-back over internet connection so as to do much damage to the computing conducted on your main device; strong separation, as suggested by this idea, can overcome this. The internet device only needs to be able to do internet things required to be done by the user; all other things can instead probably be safely done on the non-internet main computing device (where greater computing resources are likely available) [so long as the main device isn't hooked-up at all to any communications potential, {such potential perhaps being through the internet}]. ☞  Trying to use a SIM-enabled smartphone/tablet/smartwatch as a conventional kind of laptop computer, by connecting it to a conventional kind of keyboard with trackpad, and an external screen, might be a good security set-up (a USB-C hub can probably be used for making such multiple connections, a "USB-C to HDMI" adapter or HDMI socket on the mobile device, might be required for external display). The Samsung Dex app can be used on "Samsung Dex"-capable smartphones, to give a desktop form-factor experience even though powered by a "mobile-phone form factor" device, with such a set-up--it's not just a magnification of the smartphone screen, but an adaption of the display so that it is suited to desktop screens/interfaces. Huwai have similar functionality with at least some of their smartphones, called desktop mode (see https://www.coolsmartphone.com/2018/08/08/huawei-desktop-mode-in-depth/). For budgetary and security reasons, this set-up can be good because rather than having a netbook or other kind of laptop for the internet, as well as a mobile device (such as a mobile phone), you can instead just use one device for both use cases--such a system can be more barebones. Using a smartwatch might be particularly good in respect of it being more difficult to steal it when worn on your wrist; you could perhaps add a lock mechanism so that without a key or unscrewing a screw, it is difficult or impossible to remove the watch from your wrist; bear in mind though that a smartwatch at present, will likely be more expensive than a smartphone. If using such a set-up, you could perhaps use a second-hand monitor, screen, or TV, if wanting to cut down on costs. The only thing about using a second-hand screen, is that hidden espionage technology might be in such hardware, however, so long as illicit screen capture is the only security threat, that level of security weakness might be acceptable and tolerable. You can perhaps trim off some unneeded functionality (and become more barebones) by not having mobile SIM capability in the set-up; instead communications that would otherwise be done over a SIM network, can instead be done simply through the internet, such as by using Skype (Skype can be used to receive calls from, and make calls to, landlines, mobile phones, etc.) Skype uses end-to-end encryption at least for Skype-to-Skype calls, meaning spying on Skype-to-Skype calls is probably very unlikely; mobile networks might not do such complete encryption, probably spying on mobile calls is possible at call centres, and might be particularly worrying due to phone networks being sprawled over different countries; such differences can further incline one towards removing SIM functionality. A user may choose to use a SIM but only for mobile internet; in such cases, the end-to-end encryption offered by communications tech like Skype, over such mobile internet, should still retain its security benefits. To be even more barebones and cheap, instead of connecting the single computing device to an external display, an optical screen magnifier (simply something like a magnifying glass) can be used to make the device's display appear large. You can also get projectors (like cinema projectors), that can optically project the device's display on a wall or something similar. Both projectors and magnifiers are quite cheap; they also probably never contain microprocessor tech. meaning the attack surface posed by such tech is perhaps unlikely to be there (you could probably buy such things over the internet, second-hand, and not worry about tampering attacks that are generally possible with computing devices). ☞  Purchasing second-hand Blackberry Curve 9720 device for acting as a WiFi hotspot connected to the internet over mobile broadband is okay because of the nature of the security on such Blackberry devices? I managed to buy 3 (three) second-hand Blackberry Curve 9720 phones at a total cost of just £15 (for all three); one of the sellers appears to have been representing a very professional business heavily invested in mobile phone recycling and reuse. It also appears to be that there are plenty of such phones available at similar prices, in used-goods market on Facebook marketplace. Using a smartphone for the internet over a mobile SIM, appears to be a relatively cheap way to get the internet. If buying from private seller, probably have to make extra checks to make sure phone is genuinely Blackberry phone; could instead be a clone with weak security; it is theorised that second-hand Blackberry phones can be trusted because of Blackberry's high security, such security engenders trust in the use of the factory-reset function of their phones; the same doesn't seem much true with other brands of phone (see https://www.blackberry.com/us/en/products/secure-smartphones for more info). Some days have passed since my purchase of 3 (three) second-hand Blackberry Curve 9720 phones. I have discovered a flaw in this proposed method of securely acquiring phones. Whilst I still believe that this model of phone is good for going some way towards ensuring no tampering that can't be easily remedied through invoking the standard factory-reset function, I can't be certain that the phones in my possession are genuine Blackberry Curve 9720 phones&mdash;they could be good fakes. Not only do I not trust my suppliers, I also can't trust that the standard mailing of the items was not compromised along the way of their transit from the supplier to myself (the buyer). I had thought that there would be some mechanisms for easily ensuring that the phones were genuine, but none of the methods I've found through online research&mdash;which actually hasn't brought-up much information for dealing with such checking (which is perhaps a bit telling of itself)&mdash;appear to be particularly secure. Things like the IMEI number appear to be easy to fake; for example, an adversary can buy a genuine Blackberry Curve 9720, then copy the IMEI number to a deceptive fake Blackberry Curve 9720, and then simply keep the original true Curve phone out-of-service unused.

Reorder parts in Appendix so that this part comes first?
Such reordering would appear to make sense, as this part is closer to the content of the chapters of the book (such chapters make up the main body of the work).