Threats to secushare

Threat Model

Assumptions:

  • The science upon which our cryptographic and architectural choices were made is sound;
  • Each participating device bears a genuine installation of the secushare and GNUnet protocol stack without mass-exploitable backdoors and executes the code correctly;
  • The person operating one or several devices maintains her or his master key material in a safe location.

What an attacker in physical vicinity can achieve:

  • An attacker with physical access can subvert a device to undermine the anonymity or secrecy of its owner. What can be obtained this way must not exceed a constitutionally meaningful amount.

What a local network attacker can achieve:

  • A local network attacker can see who is participating in the GNU Internet;
  • The attacker may be able to block some communication routes into the network, forcing the person's device to find other routing options such as mesh networking or to stay disconnected.

What an attacker with a global or regional overview of the network traffic can achieve:

  • The attacker can see who is participating in the GNU Internet;
  • Eventual deanonymisation of a person given
    1. the ability to observe communication patterns;
    2. persistent long-term pattern analysis;
    3. the person having preferred a configuration of convenience rather than ensuring anonymity;
    4. the person making extensive use of low-latency applications.

What an attacker can achieve upon social acceptance and infiltration:

  • Gain access to social data that the person has chosen to make available to the attacker including social data that other persons have made available for social redistribution.
  • Temporary disruption of the person's user experience by unsolicited messages and/or data exchanges (The person can however quickly clean the attacker and his or her data out of his or her user experience upon unsubscription).
  • Attempt to engineer the targeted person into executing dedicated malware, which however leaves a social trail back to the origin.
  • Attempt to mark the person's device as corrupted, which only has consequences depending on the social status the attacker has achieved. The person would then have to reconfirm her identity using her master password and then revoke the attacker's warning, with social consequences for the attacker.

What a random attacker can achieve from a distance:

  • Nothing.

What a malware developer can achieve from a distance if the person employs "broken old Internet" technology on the same device with secushare:

  • Malware specifically designed to attack secushare installations and distributed via conventional means (e-mail trojans, web browser vulnerabilities) can produce remote-controllable access to all current data, both data generated by the targeted person and data made available to the targeted person by her social vicinity.
  • The remote controlled secushare instance can be abused to send content in the name of the person or any of its pseudonyms.
  • The remote controlled secushare instance can be abused to talk other people into unpacking and executing malware, since secushare itself does not allow the distribution of obviously executable code. Should the victim recognize the social engineering attempt, she or he can mark the person's device as corrupted.
  • The malware developer cannot access the master private key and will lose all access to the person's data anytime the person executes the necessary recovery procedures detailed below.

That's it. Anything not listed above should not be possible, for example successfully exercising a Sybil attack on the person's GNUnet router in an attempt to make it expose information to malevolent nodes.

About the Malware Threat

We diagnosed the biggest threat to our secushare plan to be malware that specifically targets secushare installations.

When your local device private key has gone bad

Notes on "hacked private keys," when malware gets a hold of parts of your identity:

  1. people mark your bad keys as corrupted and tell their peers about it
  2. depending on the trust and the number of people confirming the corruption of the key, the majority of your social network understands and accepts the invalidation of some of your keys
  3. malware can therefore not abuse your identity for sending out spam, at least not for very long
  4. you lose one or a few public keys
  5. fix your setup and generate new keys
  6. distribute them with your higher priority keys that you kept in a safe place
  7. retroactively cancel all messages that have been sent over your channels in your name that weren't actually yours (effectively cleaning up "the mess" you made in a distributed way)
  8. if you didn't store high priority keys, your identity is broken; you have to restart from rendezvous
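As an added illustration (not code from secushare or GNUnet), here is a toy Python model of the recovery procedure above as seen from one contact: device keys are only accepted with a certificate from the master key kept in a safe place, a key is invalidated once enough trusted contacts confirm a corruption warning, and a master-signed cancellation retroactively disowns the messages the malware sent. HMAC over a shared secret stands in for public-key signatures, and all names, keys, the message format and the threshold of two warnings are constructed assumptions.

```python
import hmac, hashlib
from dataclasses import dataclass, field

def sign(key, data):  # HMAC stands in for a public-key signature in this toy model
    return hmac.new(key, data, hashlib.sha256).digest()
def verify(key, data, sig):
    return hmac.compare_digest(sign(key, data), sig)

@dataclass
class PeerView:  # one contact's view of a person's keys, warnings and cancellations
    master: bytes                                  # master key the owner keeps in a safe place
    trusted: set                                   # contacts whose corruption warnings count
    threshold: int = 2                             # warnings needed to accept an invalidation
    devices: dict = field(default_factory=dict)    # dev_id -> device key (master-certified only)
    warnings: dict = field(default_factory=dict)   # dev_id -> contacts that flagged it
    revoked: set = field(default_factory=set)
    accepted: list = field(default_factory=list)   # (dev_id, seq, text) still believed genuine

    def learn_device(self, dev_id, key, cert):  # steps 5-6: a new key must carry a master cert
        if verify(self.master, dev_id.encode() + key, cert):
            self.devices[dev_id] = key
    def warn(self, contact, dev_id):  # steps 1-2: enough trusted warnings invalidate a key
        if contact in self.trusted:
            self.warnings.setdefault(dev_id, set()).add(contact)
            if len(self.warnings[dev_id]) >= self.threshold:
                self.revoked.add(dev_id)
    def receive(self, dev_id, seq, text, sig):  # steps 3-4: messages under a revoked key drop
        key = self.devices.get(dev_id)
        if key is None or dev_id in self.revoked:
            return False
        if not verify(key, f"{dev_id}:{seq}:{text}".encode(), sig):
            return False
        self.accepted.append((dev_id, seq, text))
        return True
    def cancel(self, dev_id, from_seq, cert):  # step 7: master-signed retroactive cancellation
        if not verify(self.master, f"cancel:{dev_id}:{from_seq}".encode(), cert):
            return False
        self.accepted = [m for m in self.accepted if m[0] != dev_id or m[1] < from_seq]
        self.revoked.add(dev_id)
        return True

def scenario():  # constructed walk-through: laptop key stolen by malware, recovered via master key
    master, laptop, phone = b"master-secret", b"laptop-key", b"phone-key"
    bob = PeerView(master=master, trusted={"carol", "dave"})
    bob.learn_device("laptop", laptop, sign(master, b"laptop" + laptop))
    bob.receive("laptop", 1, "hi bob", sign(laptop, b"laptop:1:hi bob"))
    bob.receive("laptop", 2, "buy pills", sign(laptop, b"laptop:2:buy pills"))  # malware spam
    bob.warn("carol", "laptop"); bob.warn("dave", "laptop")
    spam_after_warning = bob.receive("laptop", 3, "more", sign(laptop, b"laptop:3:more"))
    bob.cancel("laptop", 2, sign(master, b"cancel:laptop:2"))
    bob.learn_device("phone", phone, sign(master, b"phone" + phone))
    return bob, spam_after_warning
```

After `scenario()` runs, only the genuine first message survives in Bob's view, the laptop key is revoked, and the master-certified phone key is accepted while a warning from an untrusted contact changes nothing.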

Malware is illegal

This may sound obvious, but it isn't. We take legal measures to ensure that distributing malware for secushare is illegal, so if we catch anyone doing so, we can send Mr Stallman to haunt him in his dreams.

Malware does not work over secushare

secushare will not allow the distribution of executables directly, and should anyone trick anybody else into accepting executable code wrapped into harmless-looking formats, there still is a clear social trail showing who is to blame.

See also

  • How secushare isn't itself a threat to society