Hardware security is the only real security

I just came across the epic hack that Wired‘s Matt Honan had perpetrated on him. A hacker added a credit card number to his Amazon account. The next day they called Amazon and said they lost the password. “What is the number of the credit card on the account?” asked the helpful Amazon employee. Once they were in the Amazon account they got into his Google accounts, all helpfully linked by Matt himself, and then the Apple accounts. The hacker was some sociopath kid. He was not interested in money; he just wanted to hurt someone, so he wiped out all the pictures and data on Honan’s phone, computer, and yes, the precious precious cloud. Yes, my precious, one cloud to rule them all.

Just like the Ring in The Lord of the Rings, the cloud can be your worst enemy in the hands of a bad person.

Now initially Honan lamented that he lost all the pictures of his new baby and a bunch of other stuff. The next article showed how he got it all back in a couple days. He says he believes in the cloud even more now. Beats me why he thinks that. If he had not inadvertently left his 1Password account password in his Dropbox on his wife’s computer it might have been much more difficult to recover control of his accounts.

As to all the wiped data, well it was lost forever on the precious cloud, but the nice folks at DriveSavers got his SSD (solid-state drive) in his mac mostly recovered at a cost of $1,690. So since the whole thing gave him half a dozen popular articles to write-up, you could argue getting hacked was the best thing that ever happened to his career. It reminds me of when King Louis XIV’s minister Colbert asked a bunch of writers “What can France do for you?” One shouted back—“Throw us in prison.” It would give them something to write about and the time and solitude needed to write it.

DriveSavers have a full cleanroom to save hacked, damaged, or corrupted hard drives. They can also do forensic hardware analysis on solid state drives (SSDs) as in Matt Honan’s case.

What astonishes me is that this hack happened to a technically astute denizen of San Francisco. Maybe he should move to Silicon Valley, we know a lot about security here and Atmel’s group in Colorado knows even more. Not only did Honan misplace his trust in online accounts and the precious cloud, he kept no secure data backup. He courageously accepts the blame, but also tries to deflect some blame onto Apple and Google. Sorry, your data is your responsibility. Apple and Google quickly closed the social-manipulation hacks the sociopath used, but it is not their job to accept responsibility for your data. That is your responsibility.

This is what we keep harping on here at Atmel. Security is a key pillar in the Internet to Things, and the best security, the only real security, is hardware security. You don’t want these malicious hackers changing your thermostat, or running up your electric bill, or stealing your security camera feeds. Atmel has inexpensive tiny chips you can use to secure these gizmos. Some of our chips use symmetrical authentication. The security chip is programmed with your secret key, and you know the secret key. The microcontroller, and it doesn’t have to be an Atmel microcontroller— it can be anyone’s, sends a random number to the Atmel security chip. The Atmel chip does a mathematical operation on the random number using the secret key, and sends that result back to the microcontroller. The host microcontroller has a local Atmel security chip to do the same mathematical operation on the same random number and then it compares the two results. If they don’t match, the code stops executing. That way no-one can put in bogus code and take over your gizmo. It gives you secure boot and secure downloads and upgrades. You can also use Atmel security chips to verify a battery or accessory is genuine and not some knock-off product.

Atmel’s CryptoAuthentication™ system uses hardware and extreme security to protect your system.

Now since the microcontroller is connected to the Atmel security chips by way of a common SPI port, you might fear a hacker could snoop on the communication and learn the random number sent to the Atmel chips or the mathematical result sent from it to the micro. That’s the beautiful part of this. The micro generates a new random number every time. If the host micro is too small and simple to generate a reliable random number, the tiny Atmel security chip has its own true random number generator (TRNG). So the micro can query the Atmel chip for the number, then query for the result, then do the same operation using the same secret key. So snooping on the serial port will only give you the last serial number and the result. You will have no idea of what the operation was that produced the result. Its like snooping and seeing the number 12 transmitted, but you still don’t know if that was based on 2 time 6 or 3 times 4. Now imagine that problem with numbers hundreds of bits long, and you can see how secure this makes your system.

This USB memory stick has a keypad to unlock it. You can store all your passwords or love letters on it and no one can get in without the code.

So it’s great to have services like 1Password, which is a browser extension combined with a remote server that generates and stores different passwords for all your needs. If, however, you need to use two computers, and who doesn’t, now you get to involve Dropbox so that you can store the master password there so you can get your 1Password even if you are at a Kinkos computer. Thing is, I just feel better with hardware security. In this case, it would be using a USB stick with hardware keypad or fingerprint sensor. Those are great since you don’t need a program on the computer of Surface Pro tablet to run it. You swipe your finger or type in a code and the stick unlocks and you can cut-and paste passwords as you need to. Thing is, there I worry about Windows saving some temporary file. I looked into this a few years ago, and sure enough, even a text file seemed to get cloned somewhere once you opened it off a stick. So the real hardware security is two-factor authentication like you get with an RSA dongle or a YubiKey. Once again, the essential element is a real physical piece of hardware that makes the system secure. I love the YubiKey since it emulates a keyboard, so unless someone infected your computer with a keylogger, there is no record that you used it. And, like the RSA SecurID, even if they do keylog it, the same code never works twice. They are just like that Atmel security chip and just as uncrackable.

The YubiKey is a two-factor authentication system accepted by more and more sites for login. The Nano model is as small as the USB contact pins. Pressing a little button on the device makes it send the one-time log-on code as though it was a USB keyboard.

Wayne Yamaguchi on file storage and project management

I had lunch with my buddy Wayne Yamaguchi last week. He showed me the latest upgrades on an Atmel-powered nightlight he has designed. I met Wayne when I was consulting at HP in the late ‘90s. He took an interest in LEDs and left Agilent when he started making more money selling kits to convert your Maglite into an LED flashlight. Wayne was the guy that got me on OrCAD 7, and I still use OrCAD 9.2. Love those free vias.

Wayne Yamaguchi holds his prototype LED nightlight at the Pho Kim Long restaurant in San Jose.

Anyway, Wayne wrote me an email about how he stores files and manages all his projects. He was the guy that told me about 1Password as well. Wayne writes:

I stick with Microsoft Windows PCs and laptops.  I find most engineering-related tools run under this environment. Other people seem to know every word of every datasheet they read.  But I need a way to handle large volume of data, notes, documents, images, PDFs, and everything else related to a project or task.

I use Dropbox for key data storage and sharing.  I have access to all my design files from any system or laptop I use.  In conjunction with Dropbox I use Evernote and my primary note/task/organizational tool.  There are many cloud storage solutions like box.com, Google Drive, and others.  But, Dropbox and Evernote work together. With Evernote configured correctly I have all my projects documentation, notes and current status in Evernote.  I can easily start or stop a project, and I can resume a project with the minimal effort.

I can access Dropbox files or Evernote from any pc, notebook, cellphone or tablet that I have.  I rarely use a USB stick to carry data or project info from one PC to another. That goes for my Orcad schematic and layout files, Solidworks design files, spreadsheet, pdfs and everything else related to a project. I keep them either in Dropbox (schematic, PCB, Solidworks) or in Evernote (notes, status, links, web site clips).

Once you have one or two tablets and a desktop you should have a central location for data. If you don’t do hardware or software development this is still important.  It makes sense to store files of extreme importance it so they are accessible on more than computer.

This has helped my writing Atmel code in the house while simulating and testing it in the garage.  When I am ready I can walk out to the garage, fire up the laptop, and burn and debug with the same files without having to transfer them in any way.  By the time I re-compile inside the house and walk into the garage the new files are already synced and ready to burn by the time I get to the garage laptop.

The same is true for my CNC mill.  I can edit my 3D file and generate new G-code and then have direct access to them on the PC that drives the CNC mill.  No transferring of files manually.  It’s all automatically synced.

Now as for me, I am a lot more scared of keeping my stuff in the cloud. I tend to side with GNU founder Richard Stallman, who says cloud computing is a trap. With the recent relations about PRISM, and the fact that the next world war will be a cyberwar, with foreign countries stealing our data and files, well, have a slightly more paranoid data storage method. I keep everything on a mirrored NAS (network-attached storage). I use Synchromagic to duplicate the data on my CAD machine, my audio-video production machine, and my home-theater laptop.

I also duplicate the one terabyte of my life’s work on a little USB hard drive. I keep one hidden at home and one in my safety deposit box in case the house burns down. I update them once a month. I don’t try to synchronize the files; I just use the program to make sure all the copies are coherent with the NAS. I keep my Thunderbird email profile on the NAS, so that I can read email from any of my home computers. I tried to do that with my Firefox profile, but it is a pain since the upgrade status can be different and then you break the profile. So I just keep a “master” Firefox on the NAS and copy the latest bookmarks and such to it.

And back to passwords, I asked one pal what he does, and he advises to just make an encrypted USB stick. He makes different 15-digit passwords for everything he has, and keeps them all on the USB stick. He then plugs it in and does a cut-and-paste into the applications, with another cut and paste of anything handy to push the password out of the buffer.

I really like the YubiKey, a 2-factor hardware system that my FastMail email service supports. With this type of system, the user needs to be in physical possession of the USB key, and he has to go to the bank website or application that supports it. Then when you press the button on the YubiKey, it sends a one-time password, that changes every time, to the website taking your password. Even if someone is key-logging you, they can’t get in using the same password.