New Post: Bootstrapping Trust with Anti-Interdiction

How do you bootstrap trust when you have to order a trusted computer from an untrusted one? One way is with our anti-interdiction services and in this article I will talk through how that works.

There are many different reasons why customers add our anti-interdiction services to their phone or laptop orders. When you sign up for anti-interdiction, I work with you personally to identify your threats and talk you through the different measures we can put in place. As a result I have seen a full spectrum of reasons for anti-interdiction. Some (arguably most) customers aren’t facing a particular threat, but instead just want some peace of mind that their device hasn’t been tampered with in shipping so they can start with a clean, secure computer. On the other end of the spectrum are customers who have past experience with tampering and reason to believe that their new computer will be tampered with in transit either by local governments, couriers, neighbors, stalkers, or even family members.

Yet one of the most challenging threat models is when a customer has reason to believe their current computer, email, and other devices are compromised. Even more challenging, their devices have been compromised by someone with some level of physical access, whether as a family member, an abusive ex, or a stalker. Interdiction is a real concern, and they are ordering Purism devices so they can start with a clean slate.

Read the rest of the post here:

Anti-interdiction is a good step but if this is taken further… what if the interdiction happens at, or before the order is made? I mean, we still need to use some computerized device to make the order and that could be messed with. This relates to the point made in the text about compromised current device. Why not take the services in this area further and offer a chance to buy one via a separate channel - by (snail)mail and/or phone (one or two channels used)? Also, the Librem key un-syncronous delivery is good but, just to be sure, shouldn’t a device be flashed with a hash confirmed software before taken into service? As in, deliver HW and SW separately (kinda already is possible but not instructed or recommended)?

Anti-interdiction is only aimed at protecting against interdiction after the order is made. To tamper with an order before it was made you are talking about mass-tampering of all of the devices in our inventory, as an attacker couldn’t know which device would get used for which order.

We don’t want to deliver HW and SW separately, as you want the customer to start with a trusted device. Otherwise they couldn’t trust the software that is currently on the device to then flash it with trusted software. Instead we flash everything with our gold images ourselves in our trusted environment, and use PureBoot to ensure that hashes match once the customer receives both the Librem Key and the computer. At that point they can trust the computer, and our Getting Started Guide walks them through the first boot and first reboot process, and the process of changing the PIN to something only they know.

I may have mis-framed that. I was more looking at it from the customer side: tampering with making the order, as in, prevent making it or tamper with order details (like delivery address) - or that that it’s even known by opposition that an order is made, if all customer’s current electronic devices could be suspect.

To me the “trust” part falls on the anti-interdiction measures, like nail polish visual identification, which I see analog to having a hash verified of the SW that you are flashing. The visual identification of close to similar polish might be difficult but a hash goes very bad from slightest alteration. Then there are the challenged of process and channels that those need to be transferred, which both have. But the conclusion of this idea is, a trusted device, as you suggest, is a good starting point, and may well be enough for some, but it’s not an either-or proposition, as some could prefer to overwrite as they may (for whatever reason) trust the hash more than their eyes.

If you assume that the device that is making the order is completely compromised then I guess it could suppress anti-interdiction from the order and tell the customer that anti-interdiction was temporarily unavailable (ran out of nail polish ). This is in effect a classic “downgrade attack”.

If all interaction between the customer and Purism is via the compromised device, it seems unlikely that the process can hold up.

I think if I were actually in this situation, I would pick a random non-close friend, leave my phone behind, drive to said friend’s house, explain the situation, and place an order there. (“Close” here is used in both senses of the word. You don’t want to be predictable.)

I understand that if someone is actually in this situation, it is not funny at all - but I do smile when I imagine the reaction I might get in the situation envisaged in the previous paragraph. Unfortunately, there is much greater awareness and familiarity with device compromise these days - so maybe it wouldn’t be hard to convince someone that the situation is real and the need real, compared with, say, 10 years ago.

Why it’s certainly not impossible, it would be challenging for an attacker, even with full control of a device, to completely prevent the owner from browsing our website and placing an order with anti-interdiction. They would have to actively be awake and monitoring the system (and remotely controlling things like the mouse, or otherwise write software that specifically was Purism shop aware). Yes they could have fun with DNS and block the customer from seeing our site I suppose, but again that’s a specific attack just against us, and the attacker would have to know ahead of time that the customer intends to buy hardware from us. Again I’m not saying it’s impossible, but there is a balance with threat modeling where you do need to factor in what attacks are practical for a given situation.

Now what they could do is, given they have access to the customer’s email, is tamper with the order after it is placed by having us change the shipping address etc. Situations like this is why I still manage the customer interactions for anti-interdiction orders personally, so once the customer and I have our initial discussion and I understand their threat model, we become extra careful and suspicious of these kinds of changes.