Malicious trojanized apps

We were discussing in another thread about the inhackability of MaidSafe, regarding to the typical techniques that would be rendered obsolete in this atypical new environment (SafeNet).
But I wondered if this new environment would introduce some new native attack vectors.

For instance would it be possible to introduce a trojanized app, or each app would be compartmentalized? I still don’t have a deep grasp of how the Apps work in the SafeNet.

Let’s say there is a new text editor, I guess that you will need access to the documents in your LifeStuff drives.
I guess we can’t really protect against social engineering attacks, but I would like to have a clear picture of these type of scenarios.

1 Like

Check this out.

2 Likes

What about trojanizing the App Launcher?
Btw, does anyone see any other potential vector beyond Apps?

You mean putting a trojan in the app launcher itself? Well obviously this would be possible, but whats the difference between any other applications you run on the bare metal OS? The same amount of trust is needed.

1 Like

SAFE Network is very vulnerable to hardware trojans and advanced persistent threats. Fortunately hardware trojans and advanced persistent threats are not cheap to pull off which means it’s likely something a government will try to do but not script kiddies.

So I would safe SAFE Network could be extremely secure provided you use a secure operating system to access it along with secure hardware. The secure operating system is probably easier to find than secure hardware because there isn’t any way to detect hardware trojans (some are undetectable).

2 Likes

I can’t wait for SAFE OS. Someday hopefully

1 Like

SAFE OS written in rust.

But what you are saying is even with approved open hardware and tools that attempt to verify the hardware is what it says it is, there is no way reliable way to know a piece of hardware doesn’t have a physical free loader installed, maybe a key logger apparatus. Might not even be the unit in question, could be the iphone sitting in the pocket that is using its positional sensors to convert typing vibrations into a map that can result in key logging with high accuracy. ((?))

Hmm its like betting the NSA couldn’t hack a manufacturing process. But the same routines that makes SAFE work in software might be applicable to the manufacturing process?

I’m saying if the NSA or any other government wants to hack the manufacturing process it’s going to be much more expensive and difficult for the end user and for manufacturers.

Now you have a central point of failure which are the trusted foundries. You can’t trust the hardware manufacturers nor can you know with 100% certainty that the hardware doesn’t contain a hardware trojan unless you’ve made the hardware yourself and inspected every step of the process.

I would say it’s possible to do it but the hardware would then be much more expensive than ordinary hardware so that poor people cannot afford it. The truth is that any motherboard you have could be vulnerable and you’d have no way of detecting it.

For this reason it’s not realistic to think SAFE Network will protect you from the NSA. It’s not going to protect you from the NSA or similar agencies. What it will likely do is protect your privacy to the point where the NSA would be afraid to act on their capabilities due to the fact that if they do it would reveal their capabilities.

Programs which are already known about the NSA is more likely to act on. So everything Snowden leaked the NSA can now act on that because the world knows about it. On the other hand if there are some secret undetectable vulnerabilities in hardware or in software then its in their best interest or the best interest of any similar agency not to let the world know their capabilities.

The fact is that it’s possible to make undetectable hardware trojans and barely detectable software trojans. The undetectable hardware trojans are so undetectable that even if you have specialized equipment you wont be able to see it. The barely detectable software trojans are only detectable if you know exactly what to look for and most of the time no one will know how to look for it.

So my own opinion on security is that you cannot trust your hardware or your software. Open hardware will not help unless you control every step in the manufacturing process because the design of the hardware isn’t the only issue. And then even if you were to use open hardware, open software, and all of it were secure, what you have connected to your USB ports could frag you.

These issues will go beyond the capability and resources that the Maidsafe team has to address them unless Safecoins are worth a whole lot.

@Luckybit

One way to help smooth that might be open blind raspberry pi type units linked to open anonymous SAFE accounts that get randomly passed around and traded without reciept. Also systems that donate free used memory sticks and pi type systems and those being linked to open anon accounts on SAFE, its creates the flexibility for expression that pre-paid phones, cash and even unregistered guns.

Interesting points but it seems:

  1. SAFE and the people working on similar efforts have to come together and do this even if its seemingly impossible- sorry I don’t see a way around this, its not like we can give up its a knife to the throat.

  2. What you are saying does suggest an NSA bad apple or equivalent from other similar agencies might be able to dump the global economy in a few heart beats, scramble all the banking servers and enough back ups to bring things down.

Reminds me of the spooky stuff on this forum when there was talk about all these rapid breakthroughs on fundamental algebra results that prior took thousands of years that might make prime factor key type stuff too weak to be useful. And besides what would have allowed that except some freak or group of them or freak plus scary hardware.

Come to think of it William Hertling talked in his Scifi “AI Apocalypse” about deploying a web of mesh boxes with hardwired chips but they were snuck into society by an AI as part of the IOT or at least marketed as something else.

1 Like

The technologies you should research are disruption tolerant networking and opportunistic encryption.

SAFE boxes in theory could be scattered around a city, in orbit, or tied to balloons which people connect to from their laptops if your goal was to disassociate the hardware from the user.

Of course this wouldn’t stop triangulation attacks but seriously if the agencies are going to go through those lengths then there isn’t a lot that can be done. It’s more it wouldn’t be very easy or cheap.

SAFE Network will change the game. It’s unknown if it will change it for the better or for worse. If I had to guess it’s a combination of both. We will have a better world in some ways and a worse world in others.

Now let me say this much, just because you use opportunistic encryption it doesn’t mean you’re not going to be vulnerable to side channels. Many side channel attacks will exist and the targeted individual will be susceptible. Opportunistic encryption merely protects individuals from passive surveillance such as a situation where the NSA violates the law and decides to spy on American citizens. Opportunistic encryption would make that scenario impossible forcing the NSA to ask the FBI to specifically target persons of interest.

1 Like

Very good. So part of the solution is making sure it breaks down before they can generate a person of interest for focus and retaliation.