snow: a new distributed secure virtual network

From:
David Geib
Date:
2014-07-04 @ 17:59
I released a development version of a new piece of software today that may
be of interest to this list. If anyone is willing to try it and provide
comments or bug reports it would be appreciated.

http://www.trustiosity.com/snow/
https://github.com/zrm/snow

Re: [redecentralize] snow: a new distributed secure virtual network

From:
Odinn Cyberguerrilla
Date:
2014-07-07 @ 09:54
this is very cool stuff. thank you.

Re: [redecentralize] snow: a new distributed secure virtual network

From:
Paul Trevithick
Date:
2014-07-07 @ 14:08
+1

On Jul 7, 2014, at 5:54 AM, Odinn Cyberguerrilla 
<odinn.cyberguerrilla@riseup.net> wrote:


Re: [redecentralize] snow: a new distributed secure virtual network

From:
Adam Ierymenko
Date:
2014-07-04 @ 18:06
Q: OMFG THE NAT IS THE FIREWALL YOU BROKE IT THE FIREWALL!!1
A: Please remain calm. Each device being addressable from one another is 
the way the Internet was designed to work and is the way IPv6 works, so 
this is something you will want to adjust to rather than resist. You will 
likely want to employ some kind of endpoint firewall, e.g. iptables on 
Linux. It is possible to identify traffic from snow based on the IP 
address range your device uses for it.

Hah!

Thank you. The firewall is an obsolete and ineffective security hack that 
needs to die. Apps and OSes should be secure. OSes should implement app 
and service isolation properly. Authentication should be done with crypto.

On Jul 4, 2014, at 10:59 AM, David Geib <trustiosity.zrm@gmail.com> wrote:


Re: [redecentralize] snow: a new distributed secure virtual network

From:
Joakim Stai
Date:
2014-07-04 @ 18:09
The FAQ was a great read, cool project overall :)

Amen to what Adam said.


On Fri, Jul 4, 2014 at 8:06 PM, Adam Ierymenko <adam.ierymenko@zerotier.com>
wrote:


Re: [redecentralize] snow: a new distributed secure virtual network

From:
Adam Ierymenko
Date:
2014-07-04 @ 19:02
I sort of hate the infosec profession... it's full of cargo cult thinking 
by people who don't *really* understand the mechanics of what's going on 
on a network. I worked infosec for a bit and never saw one single real 
world threat that the firewall really did anything to protect us from. All
the malware I saw came in via HTTP "pull", e-mail, and file sync.

The only real-world threat the firewall still does anything to protect us 
from is the threat of a worm exploiting a true remote hole in a common 
local service. That threat could be mitigated if OSes did a better job 
running services in isolation... just kill the offending infected service 
container, and the system is left untouched. That threat could also be 
mitigated by smart firewalls that can respond selectively to attacks 
without just blanket-blocking everything.

Unfortunately the cargo cultists think the blanket-block-all firewall is 
(a) necessary and (b) effective and will shriek and scream bloody murder 
if you suggest dispensing with it.

On Jul 4, 2014, at 11:09 AM, Joakim Stai <joakimstai@gmail.com> wrote:


Re: [redecentralize] snow: a new distributed secure virtual network

From:
David Geib
Date:
2014-07-04 @ 19:27
> Unfortunately the cargo cultists think the blanket-block-all firewall is
> (a) necessary and (b) effective and will shriek and scream bloody murder if
> you suggest dispensing with it.

The thing that amazes me about it is nobody seems to think about the
consequences.
1) Enterprise blocks everything at the firewall.
Result: Employees come up with hacky work-arounds that impair security just
so they can do their jobs, like using some unauthenticated proxy or VPN
server run by some anonymous third party.
2) App developers respond to everything but port 80 and 443 being blocked
by running their non-HTTP app over those ports and unnecessarily using a
central server to connect two endpoints.
Result: Central server becomes a single point of compromise for millions of
users' communications.
3) Enterprise starts using DPI to actually verify that something on port 80
is HTTP to block the people running other apps on it.
Result: All the apps start actually using HTTP, now your messaging app is
vulnerable to XSRF for no good reason. Meanwhile they add kitchen sink
support to the HTTP protocol in order to support all of this, increasing
the attack surface dramatically. Meanwhile in order to do DPI against HTTPS
the enterprise has had to install CA certs on all the endpoints and
establish a proxy server that actually has the CA private key on it *and*
has all the traffic going through it, which gives one target an attacker
can compromise and use to compromise all the communications in your entire
organization.

No part of this can be considered a security improvement.




On Fri, Jul 4, 2014 at 3:02 PM, Adam Ierymenko <adam.ierymenko@zerotier.com>
wrote:


Re: [redecentralize] snow: a new distributed secure virtual network

From:
Adam Ierymenko
Date:
2014-07-04 @ 19:31
But firewall! But security! But... umm... yeah.

(1) I call what you describe "everything protocols" -- SSH for example can
basically do everything. As a result of the firewall cargo cult we are in 
an arms race with ourselves to defeat our own security measures. We block 
things, then design protocols to get around that, then block those, rinse 
and repeat. It's so unbelievably dumb.

(2) Yup.

(3) Maybe infosec companies encourage this kind of thing to sell more 
complex and expensive products? Nah... probably just stupidity.

Nuke the infosec profession and start over.

On Jul 4, 2014, at 12:27 PM, David Geib <trustiosity.zrm@gmail.com> wrote:


Re: [redecentralize] snow: a new distributed secure virtual network

From:
David Geib
Date:
2014-07-04 @ 19:48
> Thank you. The firewall is an obsolete and ineffective security hack that
> needs to die. Apps and OSes should be secure. OSes should implement app and
> service isolation properly. Authentication should be done with crypto.

That's the idea with this project. Make it as simple as possible to
securely communicate with any device. All you need is the name because the
key names are self-authenticating which means they can be used to bootstrap
authentication of other information like the endpoint's current IP address,
and this can all be done transparently by the snow daemon so it doesn't
have to be reimplemented by every other application.

I just have to figure out how to get people to try it. So far nobody. I
think the "compile it from source" thing is putting people off. It's not
actually that hard, basically just install Debian, paste the commands from
the instructions into a terminal and edit a couple of config files. Or
maybe people are just too busy with hotdogs and fireworks today. I'm not
sure the symbolism of the arbitrary deadline I set for releasing this has
gone in my favor.


On Fri, Jul 4, 2014 at 2:06 PM, Adam Ierymenko <adam.ierymenko@zerotier.com>
wrote:

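The self-authenticating naming David describes in his message above, sketched as an added Go example. This is not snow's code: the page does not describe snow's actual key or record formats, so hashing an Ed25519 public key with SHA-256 to form the name, the address-record layout, and the freshness window are all assumptions made here for illustration. The point it demonstrates is the bootstrapping step: a peer that holds only the name can check that a presented public key belongs to it, and that key in turn authenticates "other information" such as the endpoint's current IP address, with no directory or CA in the loop.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// Name is the self-authenticating identifier: a hash of the public key.
// Whoever holds the name can verify a presented key against it directly.
// (SHA-256 over a raw Ed25519 key is an assumption for this example.)
type Name [sha256.Size]byte

// NameOf derives the name from a public key.
func NameOf(pub ed25519.PublicKey) Name { return sha256.Sum256(pub) }

func (n Name) String() string { return hex.EncodeToString(n[:]) }

// AddressRecord is the "other information" authenticated by way of the
// name: the endpoint's current address, plus an issue time so that a
// replayed old record can be rejected. Layout is assumed, not snow's.
type AddressRecord struct {
	Pub  ed25519.PublicKey // presented alongside the record
	IP   string
	Port uint16
	Time int64 // Unix seconds at which the record was issued
	Sig  []byte
}

// recordBytes is the canonical byte string the signature covers.
func recordBytes(ip string, port uint16, t int64) []byte {
	var tail [10]byte
	binary.BigEndian.PutUint16(tail[0:2], port)
	binary.BigEndian.PutUint64(tail[2:10], uint64(t))
	b := append([]byte(ip), 0) // NUL separator: the IP is variable length
	return append(b, tail[:]...)
}

// NewIdentity generates a fresh keypair; the name is derived from pub.
func NewIdentity() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignRecord has the key owner vouch for its current endpoint.
func SignRecord(priv ed25519.PrivateKey, ip string, port uint16, t int64) AddressRecord {
	pub := priv.Public().(ed25519.PublicKey)
	return AddressRecord{Pub: pub, IP: ip, Port: port, Time: t,
		Sig: ed25519.Sign(priv, recordBytes(ip, port, t))}
}

var (
	ErrNameMismatch = errors.New("public key does not hash to the expected name")
	ErrBadSignature = errors.New("signature does not cover this record")
	ErrStale        = errors.New("record is outside the accepted time window")
)

// VerifyRecord checks a record received from anywhere (a peer, a DHT, a
// cache) using nothing but the name the verifier already knows.
func VerifyRecord(expected Name, r AddressRecord, now, maxAge int64) error {
	// 1. The name authenticates the key: no trusted third party needed.
	if NameOf(r.Pub) != expected {
		return ErrNameMismatch
	}
	// 2. The key authenticates the record contents (length check first,
	//    because ed25519.Verify panics on a malformed key).
	if len(r.Pub) != ed25519.PublicKeySize ||
		!ed25519.Verify(r.Pub, recordBytes(r.IP, r.Port, r.Time), r.Sig) {
		return ErrBadSignature
	}
	// 3. Freshness: a captured old record cannot redirect peers to an
	//    address the owner has since left.
	if now-r.Time > maxAge || r.Time > now+maxAge {
		return ErrStale
	}
	return nil
}

func main() {
	pub, priv, err := NewIdentity()
	if err != nil {
		panic(err)
	}
	name := NameOf(pub)
	// Constructed sample endpoint in the 203.0.113.0/24 documentation range.
	rec := SignRecord(priv, "203.0.113.7", 4000, 1404500000)
	fmt.Println("name:", name)
	fmt.Println("fresh record:", VerifyRecord(name, rec, 1404500060, 300))
	rec.IP = "203.0.113.8" // tamper with the published address
	fmt.Println("tampered record:", VerifyRecord(name, rec, 1404500060, 300))
}
```

Note the order of the checks: the name check comes first so that an attacker who cannot produce a key hashing to the name gets no further, and the timestamp check comes last so that a stale-but-genuine record and a forged record are reported as different failures. A daemon doing this transparently, as David describes, would run `VerifyRecord` before ever using the address in a record, so applications above it only see endpoints that have already been authenticated to their names.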