The World's Most Secure Home Computer Reaches Crowdfunding Goal (pcworld.com) 126
"If the PC is tampered with, it will trigger an alert and erase the PC's encryption key, making the data totally inaccessible." Last month Design SHIFT began crowdfunding an elaborate "open source, physically secure personal computer" named ORWL (after George Orwell). "Having exceeded its $25,000 funding goal on Crowd Supply, the super-secure PC is in production," reports PC World, in an article shared by Slashdot reader ogcricket about the device which tries to anticipate every possible attack:
The encryption key to the drive is stored on a security microcontroller instead of the drive... The ORWL's makers say the wire mesh itself is constantly monitored... Any attempts to trick, bypass, or short the wire mesh will cause the encryption key to be deleted. The unit's security processor also monitors movement, and a user can select a setting that will wipe or lock down the PC's data if it is moved to another location... The RAM is soldered to the motherboard and can't be easily removed to be read elsewhere...
Your ORWL unlocks by using a secure NFC and Bluetooth LE keyfob. Pressing it against the top of the ORWL and entering a password authenticates the user. Once the user has been authenticated, Bluetooth LE then ensures that the user is always nearby. Walk away, and the ORWL will lock.
... formerly most secure computer (Score:5, Insightful)
Re: (Score:2)
Holy shit, they come with Windows 10? All the good will that the video I just saw generated in me, has been removed in one fell swoop. Screw Windows 10, screw Microsoft and screw any computer that comes with Windows 10 preinstalled.
Re: (Score:3)
Does Ubuntu still send your local searches back to the mothership? Do we know what other lines they've crossed? I only feel secure about the BSDs these days.
Anyway, we know there is NSA gear to deal with this: unless the keyboard is inside a Faraday cage, they can log your keystrokes. Unless the monitor is inside a Faraday cage, and you have no windows (or Windows) they can see your monitor. And Bluetooth? Forget about it.
If any TLA is actually worried about these, they'll be intercepted in shipment (o
Re:... formerly most secure computer (Score:4, Informative)
The headline is crap. The linked article is better, and the wiki [orwl.org] has more details. This is a physically secure computer, not generally. The goal is that when you unlock it, it should either be in the same state it was in when you locked it earlier, or it should be obvious to you that it is not.
It has no ethernet or wifi (nor, for that matter any busses capable of reading memory by DMA), but you can add them with USB3, which gets disconnected when you lock it. The case is designed with very little room between the security shell and the glass or plastic case, making it very difficult to add things without you noticing. Opening the secure shell inside wipes the drive encryption keys, so you'll notice if someone does that. And when you first get it, you can open it up to inspect the insides to make sure that nothing was added before it gets to you.
This would be ideal for running a small Certification Authority, for example. The signing key would be well protected inside the shell without you having to wear it on a USB stick around your neck for the rest of your life. Ditto a bitcoin wallet.
But it isn't, nor was it intended to, let you run Windows fresh off the DVD while you browse porn sites in IE and download warez off of shady torrent sites without antivirus.
Re: (Score:3)
Well, maybe I can buy their "99.9%" secure - it'll be safe from the neighbor's kid, I guess. Seems like they're trying to make something FIPS 140-2 level 3, but without certification it's just another homebrewed security device, and those have a very poor history of actual security.
Re: (Score:2)
It will do wonders for credibility, as well as making it clear to the knowledgeable what the point of the device is.
Re: (Score:2)
That's a whole lot of words to sort-of say "FIPS 140.2 level 3". It's supposed to be tamper-proof, at least for physical attacks (really, only the key store is of concern). That's an avenue of attack that concerns some people. It's not particularly secure against other areas of attack, but that's (possibly) OK if it's clear what the point is.
Re: (Score:2)
I don't see how this would protect a bitcoin wallet since it would self destruct taking all of your money with it. I guess if you had redundant systems spread all over the place it would be ok but it's hard to maintain an offsite system and keep it powered and running perfectly.
Re: (Score:2)
Since bitcoin is irrevocable, it couldn't be the sole copy of any keys in use. You would still need to either print/burn copies of the keys generated inside it for secure storage, or you'd need to generate them elsewhere and import them.
The advantage here is that you'd only need to do that once per tamper, instead of every time you wanted to use it.
The keys to the root CA certificate in my other example might be like that too, or it might not, depending on how hard it is for you to push out new certs. A s
Re: (Score:2)
Sorry, I must've missed those on the specs. I see the wifi now, on the electrical design page, but still don't see ethernet.
Re: (Score:2)
Friend's dad worked for NASA and his offsite PC was the Cold War version of this gadget: a laptop with RAM but no HD, everything loaded from tape every day. Idea was if it got lost or stolen, there was no data left.
Single point failure (Score:2)
Uh, nobody else sees this as a series of single point failures queued up to happen?
If the PC is tampered with, it will trigger an alert and erase the PC's encryption key, making the data totally inaccessible."...
Any attempts to trick, bypass, or short the wire mesh will cause the encryption key to be deleted....
... a setting that will wipe or lock down the PC's data if it is moved to another location...
So, if there's a bug in the security program, or in the operating system, or in the sensors, it wipes your data.
Re: ... formerly most secure computer (Score:1)
What are you talking about?!?! Windows 10 is the MOST secure OS to date. If any hacker breaches your system he or she is bound to commit suicide within 2 minutes of using its ass ugly GUI.
Re: (Score:2)
They can't really expect to hold on to that title when they are willing to send it out with Windows 10 preinstalled.
Agreed.
Building the world's strongest front door is an exercise in futility when you leave the fucking Window open.
Literally.
Re: (Score:2)
You can select the OS of your choice or build your own system. This device brings TONS of hardware security. You need secure HW to run and trust the SW above or you have no guarantee your system has not been changed. Memory dump, BIOS attack, USB key... it's all open on any other machine.
Great. So this device will help protect the 0.001% of information that is stolen today from a local attack on the hardware.
In the meantime, that great sucking sound coming from the very network people will expect to "securely" connect to is still sucking.
Does this hardware have an application? Sure. In the basement of a three-letter agency, offline and behind a shitload of other physical security.
Re: (Score:2)
At least it can ship with Ubuntu by default. If W10 is needed, it can be run under VMWare, VirtualBox, or one's virtualization utility of choice. That way, Windows 10 can be run, but it is isolated from the hardware.
As for options, I would go with the M7, 480GB SSD, and glass case. One can't argue with a beefier CPU (assuming cooling isn't an issue), and more disk space. The glass case is useful for tamper resistance.
My only wish is if the device had a port for a Kensington lock slot, with some mechanis
Earthquake (Score:2, Funny)
The unit's security processor also monitors movement, and a user can select a setting that will wipe or lock down the PC's data if it is moved to another location...
Might want to set it to be fairly insensitive if you live in an area likely to have earthquakes.
Re: (Score:2)
One of my customers lost a system that his cat pushed off the shelf it was on. The shelf was the top of the computer hutch in his office.
Lesson learned, tower computers tip over too easily.
Re: (Score:2)
Alternative hypothesis: it's fucking difficult to fall off the floor.
Re: (Score:2)
* don't run Windows or OSX
Or Linux or Unix as both of those have exploits both local and remote as well. Might get away with BeOS if you're wanting something with a GUI but as it's over a decade and a half old hardware support may be an issue.
Re: (Score:2)
Might get away with BeOS
Security by obscurity. Nobody bothers looking for exploits in unused operating systems.
Re: (Score:2)
Does the Timex-Sinclair 1000 that I have sitting in one of my "stuff boxes" count as most secure computer? It is just the console by itself. No RAM expansion module, cassette interface cable, or even power supply at the moment. Don't think a computer can get any more secure than that.
Re: (Score:2)
Does the Timex-Sinclair 1000 that I have sitting in one of my "stuff boxes" count as most secure computer?
As long as you never power it on, you should be safe.
Re: (Score:2)
* are locked in a gun safe when not being used.
There's your flaw. They've already had keyloggers added. Did you really think your gun safe was tamper-evident against an advanced persistent threat?
But can it handle DOS attacks? (Score:2, Insightful)
What is the market for this?
Re: (Score:1)
Up to DOS 6.22.
Re: (Score:2)
The microcontroller in the ORWL monitors temperatures and any drastic change can trigger an alert and nuke the encryption key.
Or just microwave it. That should really go over well with the mesh screen. Also, powering down the USB ports isn't going to save the machine - a good whack of 120v will fry the port anyway, and again, the machine will go "omg - time to self destruct."
Re: (Score:2)
So anyone actually using this for real work will need a script backing up data every 10 second to somewhere... insecure. I remain uninspired by the product definition.
Re: (Score:2)
Aw, c'mon, you're not being nearly cynical enough. This is actually an NSA/KGB/TLA/Illuminati honeypot -- they fund this, market it, see who buys one, then they know who to watch in the future. If they can sneak some actual backdoors into it, so much the better, but even if they don't, it's served its purpose.
Most secure? (Score:2)
And yes, it actually still works.
Re: (Score:2)
No one should need more than 5k RAM.
Re: (Score:2)
Well, 3.5k if you were using BASIC.
But you could get an expansion memory cartridge (fit the same slot as the game cartridge). I got an 8 k one and soldered in 4 more 2k (static) RAM chips to bring it up to 16k. Luxury!
Re: (Score:2)
I'm a young whippersnapper so the C-64 is what I had 1st. I wondered what the actual available RAM was on those things. My Commodore had 38k available using BASIC. I always felt like the VIC-20 guys got screwed over by not waiting on the C-64 but no one can tell the future.
One problem with this computer (Score:3)
It's using Intel's Skylake processor. That requires a chipset that has IME on it, unless they were able to strike a deal with Intel and make their own chipset without IME, which is not likely.
I commented on this on the red site... (Score:2, Insightful)
While all the *PHYSICAL* technical measures are excellent, they make a gross presumption about the security of the electronics inside. Electronics which are running firmware which due to the lack of public scrutiny and method of replacement could easily be used to backdoor this device and exfiltrate the security keys and/or believed secure data from the device whether or not the device was authenticated, or be used to disable the aforementioned security measures before they could inactive the contents of th
Re: (Score:2)
Free software laptops (Dec 18, 2009)
https://www.fsf.org/bulletin/2... [fsf.org]
Re: (Score:2)
The IME can only be accessed via Ethernet or USB. It doesn't have the former and the latter is physically disabled (data lines disconnected) when the machine is locked. So there is no way to exploit the IME externally.
Software security is your own problem and outside the scope of what they are doing, but no one is forcing you to connect it to the network.
Interesting concept, but... (Score:5, Insightful)
It's an interesting concept, but it goes too far... it would be trivially easy to have this thing delete the encryption key - just shake it around a bit and it, and all its data, become useless. The risk of data loss when using this "secure" computer would be so high, even by accident, that you'd need a backup close by somewhere.
So anytime someone is seen with a computer this secure, just target their backups instead. Considering the relatively high likelihood of accidental erasure, they're sure to have them.
Besides, although the data stored on this is extremely secure, it isn't very available. It opens up a huge attack surface by making it far too easy to destroy the data on this thing, limiting its effectiveness and market considerably.
Re: (Score:2)
And hell, you don't even need an evil maid to ruin your day. You turn that setting on, and then a maid picks the thing up to dust the desk. Poof!
Re: (Score:3)
So anytime someone is seen with a computer this secure, just target their backups instead. Considering the relatively high likelihood of accidental erasure, they're sure to have them.
The classic example is the bank with impenetrable security. Just kidnap the manager's daughter and you have free access everywhere in the bank. There's always another way.
Re: Interesting concept, but... (Score:2)
I have used this computer for weeks without any problems whatsoever. I wouldn't worry one bit about data loss. Mark my wor#$Ã(+#NO CARRIER
vectors. (Score:1)
the nfc controller, the bluetooth controller. that is assuming nothing is plugged into it. and don't even get me started on intel chips.
How is physical security important, when the device is practically made out of NDA's, undocumented API's and chips with un-auditable encrypted firmware?
"Any attempts...will cause" (Score:2)
Why would you want one again? (Score:2)
This computer is SO SECURE that if you make one tiny mistake, like walking away from it, it will be secure FROM YOU! You can't move it. You can't move from it. If you screw up just once a tiny bit, then you are definitely screwed. I'm all for a good dose of paranoia to keep you vigilant and all that, but I'd be scared to use this thing.
Perhaps they could learn something from... (Score:4, Interesting)
The world's most secure bomb:
https://en.wikipedia.org/wiki/... [wikipedia.org]
A virtually tamper-proof bomb used to extort $3 million from a casino. It could not be moved. The FBI tried to disable it with a shaped charge but failed and blew up the hotel.
Re: (Score:2)
I don't know really, but I think a business would normally be insured against damage from fires or explosions, but probably not against extortion damage.
So perhaps the choice to let the FBI guys have a try was actually a sound business decision ;-)
External power adapter connects to usb? (Score:2)
Why not have a power only port?
and no e-net with only 2 usb ports?
They should get some funding (Score:1)
from the Clinton Foundation
Obligatory xkcd (Score:2, Interesting)
I'm not a huge xkcd fan, but I can't believe no one has brought up this one [xkcd.com] - it's quite literally the first thing I thought of while reading the description of this silly computer.
The context is pretty much identical.
Re: (Score:1)
XKCD didn't invent the concept of the rubber hose cryptographic attack (or wrench variant) and he rather bungles the joke by the RSA reference. No one uses RSA for full disk encryption. He's also overlooking the multiple cryptographic solutions (most famously, the overrated but noob-friendly Truecrypt) that used multiple nested containers so that (if you set it up properly) the attacker can't know whether you've decrypted t
Security: GOOD, Vandalproof: ZERO (Score:2)
While this device is very good at preventing other people from getting that data, it's the worst design possible for preserving it in the face of adversity. All that a bad person would have to do to put you out of business, if you relied on this device, is to say "Boo!" and all your data disappears.
Of course, if you have a b
3.5" hard drive filled with Thermite (Score:2)
Re: (Score:2)
Pyrotechnics look impressive in bad films, but in real life? hardly.
Overkill (Score:2)
I know I will likely take a lot of flak for this, but what is the real, practical use for a device like this? I'm not even trying to be sarcastic, can somebody please explain it to me?
Buying one of these will do little more besides possibly get you put on some sort of watch list, if the NSA even cares enough about you to do so. Just simply carry your private data on a flash drive that stays on your person, and only plug it into a special system that is offline, running a live OS with no data saved to the ha
Already possible (Score:2)
Having good system security is already possible. It just requires good software and good security practices.
First get some really good encryption software that can be trusted (no, Microsoft's (aka 'Apple should have weak encryption and build in back doors') BitLocker is *not* trustworthy). BestCrypt or DriveCrypt Plus Pack both seem reliable and better still neither is based in the United States.
Good security practices includes having a kill key that will wipe the internal memory where the key is kept, which
Soldered RAM is pointless. (Score:2)
If you imagine that the RAM can't be desoldered and powered at the same time, boy are you a sucker. Although, that's not how I'd do it. I'd paint all the contacts with that conductive epoxy that only conducts once you smash it, and jump off the top.
What is needed is encrypted RAM, and if you don't have that, you're not secure. Sorry!
Used One 55 Years Ago In Kindergarten (Score:1)
Chalk and black board in a sealed room. Erase when done.
O rly? (Score:2)
"Sensations and feelings", really?? Nothing wrong with them and we all have them, but they are almost the antithesis of "intellectual capacity". Also, the all lower-case sentences really don't help, especially when complaining about teenagers. The irony...
Re: (Score:2)
Also, the all lower-case sentences really don't help, especially when complaining about teenagers. The irony...
Hey! it took us years to teach him to not use all caps!
Re: (Score:2)
I have a problem with your post.
If you have horse-drawn buggy traffic, then you are living in a time before computers, and would not be able to nostalgically reflect on the days of bbsing of yore, let alone slashdot's better days.
Have some goddamn continuity, man.
Re: (Score:2)
I have a problem with your post.
If you have horse-drawn buggy traffic, then you are living in a time before computers, and would not be able to nostalgically reflect on the days of bbsing of yore, let alone slashdot's better days.
If you have horse drawn buggy traffic, there is a good chance you live in an area with a lot of Amish. And last I checked, our Amish communities still live in the 21st Century. If you are not Amish but are living among them, you can still fully take advantage of the modern conveniences and technologies we have here in the future.
Re: (Score:2)
To continue on my previous post... It's a relevant and fun article. I clicked it and expected the Slashdot audience to tear the whole concept apart from the technical standpoint, and was not disappointed.