Intel Edison Project: Tardigrade, the portable secure server | Tek Syndicate

				</p>					





Never heard of Edison? Be sure to check out Part 1:


https://teksyndicate.com/videos/intel-edison-tiny-x86-dual-core-atom-com...


For this project, we'll be using the Intel Edison and Linux to power our personal digital assistant. This project is really just a proof-of-concept experiment on something that would be handy to me. I like the idea of a personal information manager or secure credential store but I want something I can tinker with perhaps at a cost of a bit of security.


I have also had a lot of fun experimenting with a portable Linux box that I can carry with me that I can access through my phone or laptop using my phone as an internet hotspot. It has also been a lot of fun writing scripts that check on the status of things and then report that status by talking to me through my headset.


I am experimenting with voice recognition through my headset, but this is challenging to do without using "the cloud" for voice processing.


What do you guys think about the project so far? Where should we go next?





This is a companion discussion topic for the original entry at https://teksyndicate.com/videos/intel-edison-project-tardigrade-portable-secure-server
5 Likes

Thanks for the video Wendell :) This looks like a versatile little device.

Okay so I have finally given in and created an account just for this. I would fund the hell out of this, and not just because I work in information security and this is a great idea, but because this seems so epically cyber punk.

1 Like

I really like this idea. It seems like a really convenient solution for accessing private resources from an untrusted system.

Interesting project. I look forward to seeing how it'll work for you. Regarding the hardware platform, have you also looked at the USB Amory? There's a talk about it from 31c3 and their website is here. You do lose the convenience of interfacing with it over WiFi though.

For voice recognition, I've been wanting to do something with Jasper for a while. Do you know if this is something that would work in your case @wendell?

I'd be interested in using it for secure storage too. Both as an encrypted flash drive you can access over SSH and as a way of carrying keys you use to unlock storage on other devices, such as your laptop.

Anyway, good luck with the project :)

Your not old fashioned that is the exact kinda thing I would do. I am actually going to look into getting one for a purpose that you spoke of in your video. Adding a buffer between sensitive data and day to day stuff is essential to good security :D

I would fund this on Kickstarter. This is certainly where I think the IOT is supposed to be going.

However, due to customs trolls when purchasing hardware from outside EU, I would very much like the option of purchasing the whole set of hardware myself - if it were to remain off-the-shelf hardware. Then perhaps also the casing could optionally be purchased as a 3D printer model? For me, the software distribution packaging with installation instructions is what I would be most interested in paying for, which should ideally cover the development expenses. I hope these suggestions can fit in the business model you have in mind.

1 Like

Really cool idea and I love the cyberpunk vibe, but I can't see it being practical.

  1. You're not really convincing me that this is significantly more secure than using two-factor auth w/ a phone. It definitely seems more secure, but the burden on the user to carry around this dongle thing makes it not worth it.
  2. The interface is lackluster, you know that frustrating feeling you get when you are trying to tell someone your phone number or spell out your email address over the phone? Yeah that, and that's talking to a human (I'm sure there are better text-to-speech utilities) but using audio as your UI device is going to be super super annoying to use (i.e. you'll probably hear it right about 80% of the time, the rest of the time you'll fail to authenticate and have to restart the process). Also in a noisy spot trying to authenticate? Good luck.
  3. Setting up another dedicated auth service is silly, even if it's 99.99% uptime, you're going to have users who want to authenticate and can't.
  4. Bringing an extra thing with you is fine for the office, but what if you travel a lot? Another thing to keep track of and keep charged. Not to mention if it fails when you're out, what then?

I know I might be coming across as harsh, I really want the world to be more secure, these are just my honest opinions (also forgive any mistakes I made about how this device is configured, I only watched the video once).

Personally, I think if you need something stronger than two-factor auth (password + phone) you should add a biometric (fingerprint).

Have you ever lost a private key due to malice? I've had to trash keys because they were accidentally committed but never due to an attacker. (i.e. is this such a problem it's worth trying to solve?)

1 Like

Awesome idea.

This is a great Idea. Could turn this into a opensource YubiKey?? More videos on linux please Windell.

I like the idea of your own personal authentication server/keystore. That being said looking at the use cases you are going through the focus seems to be about SSHing into some private server.

That is a good business use case but personally I don't have enough or any servers running I would connect to. I think this could be very useful as an addition to your browsers password manager where Edison holds all the keys. Since Edison would be on your person at all times it would stay secure. I'd imagine since Edison can do a reasonable amount of processing it would do the server authentication to login with Facebook or something and just pass an active session variable back to the browser.

This would be different than what you have currently since Edison would be a proxy between secure servers in your example. I think it would be much more effective as an authentication authority where there are a few trusted devices or one to two temporary devices. Here you validate yourself to Edison with a password and maybe a button press on Edison or something. Then Edison will connect to whatever service you are looking for.

The flow of this use case.

  1. Validate your browser/device to Edison with Bluetooth or WIFI.
  2. Login to Google or Facebook, whatever service you are looking for (don't login just go to the login page)
  3. Here Edison and your device will communicate and you will login to Edison not Google or Facebook.
  4. Edison validates you from login + possible button press on device (2nd factor authentication. Since Edison is never out of your reach)
  5. Here Edison goes to work authenticating with Google or Facebook login procedure and creates a session key to pass back to the device. This way your device has had no interaction with the password for said website.
  6. At this point you logged into your website with only your Edison password.

Note: I'd imagine Edison connecting to a phone or laptop through Bluetooth and accessing the internet through your device. Meaning in step 5 works in a public key scenario where the Google server has a public key and you can generate a private message from it. So you are safe passing it along to the "trusted device" without it being able to read the server password. I don't know enough about HTTPS to say this would work for sure.

Otherwise I think it still gives you that air gap you were looking for. Worst case scenario should be a keylogger gets your Edison password. To make any use of that they would still have to spoof your trusted device then walk up to you and press a button in your pocket.

This could probably have the device last for days since it is not a proxy but just a server for doing quick handshakes. Would probably be really cool if it saved temporary device session keys and did a logout immediately of open Google sessions after 30 minutes.

Theoretically this should be possible on a C.H.I.P., correct? Also, my apologies for resurrecting the something old, however, I do not have the $$ to drop on an Edison at the moment.

First, welcome to the forum!

You'd probably get better feedback by making a new thread about your idea, some people seem to automatically avoid old threads.

Anywho, I'm not super familiar with C.H.I.P., but I'd think most half decent computer devices should be able to do the same things. I bet a Raspberry Pi (or similar) could be used in place of the Edison with a little bit of effort.

Pretty much anything you can connect via SSH to either through USB gadget mode or wifi or whatever.