Sometimes we want better-than-firewall security for things. For instance:

1. An industrial control system for a municipal water-treatment plant should never have data come in or out
2. Or, a variant of the industrial control system: it should only permit telemetry and monitoring data out, and nothing else in or out
3. A system dedicated to keeping your GPG private keys secure should only have material to sign (or decrypt) come in, and signatures (or decrypted data) go out
4. A system keeping your tax records should normally only have new records go in, but may on occasion have data go out (eg, to print a copy of an old record)

In this article, I ll talk about the high side (the high-security or high-sensitivity systems) and the low side (the lower-sensitivity or general-purpose systems). For the sake of simplicity, I ll assume the high side is a single machine, but it could as well be a whole network. Let s focus on examples 3 and 4 to make things simpler. Let s consider the primary concern to be data exfiltration (someone stealing your data), with a secondary concern of data integrity (somebody modifying or destroying your data). You might think the safest possible approach is Airgapped that is, there is literal no physical network connection to the machine at all. This help! But then, the problem becomes: how do we deal with the inevitable need to legitimately get things on or off of the system? As I wrote in Dead USB Drives Are Fine: Building a Reliable Sneakernet, by using tools such as NNCP, you can certainly create a sneakernet : using USB drives as transport. While this is a very secure setup, as with most things in security, it s less than perfect. The Wikipedia airgap article discusses some ways airgapped machines can still be exploited. It mentions that security holes relating to removable media have been exploited in the past. There are also other ways to get data out; for instance, Debian ships with gensio and minimodem, both of which can transfer data acoustically. But let s back up and think about why we think of airgapped machines as so much more secure, and what the failure modes of other approaches might be.

What about firewalls? You could very easily set up high-side machine that is on a network, but is restricted to only one outbound TCP port. There could be a local firewall, and perhaps also a special port on an external firewall that implements the same restrictions. A variant on this approach would be two computers connected directly by a crossover cable, though this doesn t necessarily imply being more secure. Of course, the concern about a local firewall is that it could potentially be compromised. An external firewall might too; for instance, if your credentials to it were on a machine that got compromised. This kind of dual compromise may be unlikely, but it is possible. We can also think about the complexity in a network stack and firewall configuration, and think that there may be various opportunities to have things misconfigured or buggy in a system of that complexity. Another consideration is that data could be sent at any time, potentially making it harder to detect. On the other hand, network monitoring tools are commonplace. On the other hand, it is convenient and cheap. I use a system along those lines to do my backups. Data is sent, gpg-encrypted and then encrypted again at the NNCP layer, to the backup server. The NNCP process on the backup server runs as an untrusted user, and dumps the gpg-encrypted files to a secure location that is then processed by a cron job using Filespooler. The backup server is on a dedicated firewall port, with a dedicated subnet. The only ports allowed out are for NNCP and NTP, and offsite backups. There is no default gateway. Not even DNS is permitted out (the firewall does the appropriate redirection). There is one pinhole allowed out, where a subset of the backup data is sent offsite. I initially used USB drives as transport, and it had no network connection at all. But there were disadvantages to doing this for backups particularly that I d have no backups for as long as I d forget to move the drives. The backup system also would have clock drift, and the offsite backup picture was more challenging. (The clock drift was a problem because I use 2FA on the system; a password, plus a TOTP generated by a Yubikey) This is pretty good security, I d think. What are the weak spots? Well, if there were somehow a bug in the NNCP client, and the remote NNCP were compromised, that could lead to a compromise of the NNCP account. But this itself would accomplish little; some other vulnerability would have to be exploited on the backup server, because the NNCP account can t see plaintext data at all. I use borgbackup to send a subset of backup data offsite over ssh. borgbackup has to run as root to be able to access all the files, but the ssh it calls runs as a separate user. A ssh vulnerability is therefore unlikely to cause much damage. If, somehow, the remote offsite system were compromised and it was able to exploit a security issue in the local borgbackup, that would be a problem. But that sounds like a remote possibility. borgbackup itself can t even be used over a sneakernet since it is not asynchronous. A more secure solution would probably be using something like dar over NNCP. This would eliminate the ssh installation entirely, and allow a complete isolation between the data-access and the communication stacks, and notably not require bidirectional communication. Logic separation matters too. My Roundup of Data Backup and Archiving Tools may be helpful here. Other attack vectors could be a vulnerability in the kernel s networking stack, local root exploits that could be combined with exploiting NNCP or borgbackup to gain root, or local misconfiguration that makes the sandboxes around NNCP and borgbackup less secure. Because this system is in my basement in a utility closet with no chairs and no good place for a console, I normally manage it via a serial console. While it s a dedicated line between the system and another machine, if the other machine is compromised or an adversary gets access to the physical line, credentials (and perhaps even data) could leak, albeit slowly. But we can do much better with serial lines. Let s take a look.

Serial lines Some of us remember RS-232 serial lines and their once-ubiquitous DB-9 connectors. Traditionally, their speed maxxed out at 115.2Kbps. Serial lines have the benefit that they can be a direct application-to-application link. In my backup example above, a serial line could directly link the NNCP daemon on one system with the NNCP caller on another, with no firewall or anything else necessary. It is simply up to those programs to open the serial device appropriately. This isn t perfect, however. Unlike TCP over Ethernet, a serial line has no inherent error checking. Modern programs such as NNCP and ssh assume that a lower layer is making the link completely clean and error-free for them, and will interpret any corruption as an attempt to tamper and sever the connection. However, there is a solution to that: gensio. In my page Using gensio and ser2net, I discuss how to run NNCP and ssh over gensio. gensio is a generic framework that can add framing, error checking, and retransmit to an unreliable link such as a serial port. It can also add encryption and authentication using TLS, which could be particularly useful for applications that aren t already doing that themselves. More traditional solutions for serial communications have their own built-in error correction. For instance, UUCP and Kermit both were designed in an era of noisy serial lines and might be an excellent fit for some use cases. The ZModem protocol also might be, though it offers somewhat less flexibility and automation than Kermit. I have found that certain USB-to-serial adapters by Gearmo will actually run at up to 2Mbps on a serial line! Look for the ones on their spec pages with a FTDI chipset rated at 920Kbps. It turns out they can successfully be driven faster, especially if gensio s relpkt is used. I ve personally verified 2Mbps operation (Linux port speed 2000000) on Gearmo s USA-FTDI2X and the USA-FTDI4X. (I haven t seen any single-port options from Gearmo with the 920Kbps chipset, but they may exist). Still, even at 2Mbps, speed may well be a limiting factor with some applications. If what you need is a console and some textual or batch data, it s probably fine. If you are sending 500GB backup files, you might look for something else. In theory, this USB to RS-422 adapter should work at 10Mbps, but I haven t tried it. But if the speed works, running a dedicated application over a serial link could be a nice and fairly secure option. One of the benefits of the airgapped approach is that data never leaves unless you are physically aware of transporting a USB stick. Of course, you may not be physically aware of what is ON that stick in the event of a compromise. This could easily be solved with a serial approach by, say, only plugging in the cable when you have data to transfer.

Data diodes A traditional diode lets electrical current flow in only one direction. A data diode is the same concept, but for data: a hardware device that allows data to flow in only one direction. This could be useful, for instance, in the tax records system that should only receive data, or the industrial system that should only send it. Wikipedia claims that the simplest kind of data diode is a fiber link with transceivers connected in only one direction. I think you could go one simpler: a serial cable with only ground and TX connected at one end, wired to ground and RX at the other. (I haven t tried this.) This approach does have some challenges:

• Many existing protocols assume a bidirectional link and won t be usable
• There is a challenge of confirming data was successfully received. For a situation like telemetry, maybe it doesn t matter; another observation will come along in a minute. But for sending important documents, one wants to make sure they were properly received.

In some cases, the solution might be simple. For instance, with telemetry, just writing out data down the serial port in a simple format may be enough. For sending files, various mitigations, such as sending them multiple times, etc., might help. You might also look into FEC-supporting infrastructure such as blkar and flute, but these don t provide an absolute guarantee. There is no perfect solution to knowing when a file has been successfully received if the data communication is entirely one-way.

Audio transport I hinted above that minimodem and gensio both are software audio modems. That is, you could literally use speakers and microphones, or alternatively audio cables, as a means of getting data into or out of these systems. This is pretty limited; it is 1200bps, and often half-duplex, and could literally be disrupted by barking dogs in some setups. But hey, it s an option.

Airgapped with USB transport This is the scenario I began with, and named some of the possible pitfalls above as well. In addition to those, note also that USB drives aren t necessarily known for their error-free longevity. Be prepared for failure.

Concluding thoughts I wanted to lay out a few things in this post. First, that simply being airgapped is generally a step forward in security, but is not perfect. Secondly, that both physical and logical separation matter. And finally, that while tools like NNCP can make airgapped-with-USB-drive-transport a doable reality, there are also alternatives worth considering especially serial ports, firewalled hard-wired Ethernet, data diodes, and so forth. I think serial links, in particular, have been largely forgotten these days. Note: This article also appears on my website, where it may be periodically updated.

I think it's time to start blogging more often about this topic, and fill this section a bit more. I mean, Mermaids was a long time ago... And debconf in Mexico with my first try on skirts, getting rid of my beard and dying my hairs red is history in the meantime, too. So, what has happened in between... Well, there was of course the Regenbogenparade which I attended and which was nice. I even ordered a special t-shirt from a shop in Australia that I totally love. In summer I met up in Bratislava with a longtime friend from a MUD I played way back, and enjoyed running around in a skirt there, too. Gladly it was a sunny day. It was though... people back here in Vienna looked more awkward at me than in Bratislava. At least that was my impression... Had been to Extremadura for the i18n meeting which was quite nice. It was quite productive, even though I have to admit that I haven't done much on that front since. Even in Spain people didn't look that strange at my skirt as over here in Austria... At our company's Christmas party I got into a talk with a work colleague about the topic and she informed me that a former working colleague of us is starting with hormone treatment after the year change and if I'd fancy a meeting with him. I was quite happy about that offer so we arranged a meeting on December 23rd. It was a bit strange at first to address him as he, and we didn't know how to start talking because said working colleague was late, but after a while we talked about various things and even were finished with the more interesting topics when she finally appeared. We arranged to visit the next Trans-X meeting after the year change.
I left them for leaving home, but I wasn't able to catch my bus on time—the subway had serious problems. Well, I thought I might spend the night in the Flex so I called another working colleague who usually hangs out there about what was going on that evening, and interestingly he told me it was Gay Heaven night. I stopped believing in coincidence long ago... Anyway, was a nice evening all in all, they had a Christmas rabbit handing out "I love you" stamps with pink ink-pads. :) The Trans-X meeting wasn't too bad. It was some discussions about various topics. After a while my first shyness dropped a bit and I started to join in the discussion at some points. After the first started to leave I had some more direct talks with two of the women from there, one of them had mostly the same trip home as me so we talked on in the subway. A week later they had set a transgender weekend—no wonder, it was the weekend of the Rosenball. They were meeting in a cafe on Friday and I joined them, a bit less shy now that I at least knew some of the faces. Maria was quite ill and was sitting in her jacket within the cafe, shivering like hell... But all in all it was a nice meeting too, got to know some more nice people. I was a bit lazy from there on, didn't join another meeting... But another working colleague did invite me to the carnival party of his sister. I thought I could try a bit more than before, in the disguise of the carnival party, so I used a bra my former wife left behind, filled it with some socks, and put up some eye makeup (quite discreet, I hate overdone makeup already on natural females...) The light there wasn't the best, so they just saw my tall body at first. It took them a while to even notice the skirt, and only after I put off my long-sleeve they haven't noticed my breast. But well, I don't really blame them, my working colleague has announced me as a he, and given the low lights it's not too bad. Though, after the host noticed my breasts he asked if he could touch them and I even received a quite nice kiss from him. :D I stumbled upon the Gaia TG Guild on Gaia Online—a quite interesting web-based community. In general Gaia is filled with mostly kids, many of them immature, not able to spell and considering that even cool, but there are some quite special guilds that are lots of fun. But still, when I stumbled upon the TG Guild I was in awe of that such a thing could exist there. What I read made me feel totally happy and more confident on the path I'm having ahead of me. Last week I finally had been to an Trans-X meeting again, and Maria showed some quite interesting reportages about transsexual people—including one that was on TV just the day before about a 14 year old girl who is already on hormone treatment and has the absolute support from her family since she was 4 and confronted them with cutting "it" off when they don't allow her to wear skirts when going out, too. All the best to you, Kim! I so envy your strength... I'm sorry about the length of this entry—but I'm sick of people who tell me that I'm only playing it, or that I would hide... And I also see it as a chance to document my path for myself. I promise—the next entries will be more often and thus shorter.

Food has always been a source of contention for me when I am trying to lose weight. I never want to restrict the types of food - I've spent a long time working out what I like and dislike. One of the benefits of the Hacker's Diet isn't all that concerned with what food you eat, but simply that you get a certain amount of calories, it gives you a lot of choices for dining. The first time I was on it, I used ramen and rice to keep me fed. Those worked well because I was basically broke and the rice filled up the stomach just fine.

There are a lot of diets out there, and it's easy to try one or the other just to get completely fed up with the lack of diet-allowed food that you actually like to eat. I believe that this is a major reason that most diets fail, and why there are so many of them - after all, Atkins might work great for the people who don't have a jonesing for a bunch of fries every once in a while. If you're looking for a diet right now, think about the kinds of foods that you won't be willing to give up. There are diets out there for every type of favorite food nowadays, just walk down the fitness and health section of your local bookstore. I'm convinced that the final word is going to be a calorie deficiency. After all, what is dieting but controlled starvation?

This time dieting has been slightly different, but not very much. I've been trying to buy pre-packaged food more than normal, because it's easy to find calorie counts for them - right on the box. Lately I've been eating some TV-dinner like things, which clock in at about 400 calories a piece. This means that I'm eating 4-5 of them a day, which is like an extra bonus because eating more smaller meals is supposed to help keep the metabolism up. The maxx market economy of these meals is amazing - you can easily get 7-8 for $10, making my daily expense very low. They are also not completely horrible for you - most have some vegetables and protein and starch of some sort. There is also a decent variety, so it's hard to get bored of the same old stuff. I've also switched some of the eating out to a more healthy fast food sub place, which has the extra bonus of also being cheaper.

This Week (Nov 24 - Nov 30):
Minimum: 334.0 (-1.0) (Nov 29)
Maximum: 337.0 (-2.0) (Nov 26)
Average: 335.0 (-1.8) (135.0 to goal)
Exercise Calories: 3172 on 6 days
Average Calories per session: 528.9

Today (one day before my birthday), I got accepted as a Debian Developer. I would like to thank the following persons (in order of appearance) which supported me in the one or other way within the NM process over the last two years. Sponsors

• Rene 'rene' Engelhard
• Gerfried 'alfie' Fuchs aka Rhonda
• Christoph 'myon' Berg
• Luk 'luk' Claes

Advocate

• Gerfried 'alfie' Fuchs aka Rhonda

Application Manager

• Rene 'rene' Engelhard

New Maintainers Front Desk

• Marc 'he' Brockschmidt aka HE
• Christoph 'myon' Berg

Debian Account Managers

• Jörg 'joerg' Jaspert aka Ganneff
• James 'elmo' Troup

For the sake of completeness: This is my old and my new QA packages overview, my NM status page, my NM application report, and my account name is 'daniel' (although my nickname is 'panthera').

It's taken a while, but now I am finally in Oaxtepec and online! The journey was not too bad, pretty long of course, but otherwise fine. The vacational centre in Oaxtepec is a great venue! Tasty food, nice rooms, comfortable hacklab, beautiful surroundings and a laaarge pool. It's really warm here and I am truly enjoying myself. The internet uplink caused some trouble during the first days, which is why I haven't posted earlier, but everything is fixed now and everybody is in good spirits. There are still the usual minor annoyances, but overall we're fine. Tomorrow the official conference will kick off with the DebianDay. A special day with more general talks aimed at beginners and interested locals. The day after that the actual developer conference will start, featuring talks, workshops, round tables and lots of BoFs. I am particularly looking forward to tomorrow since it's also the day when maxx arrives, bringing along his old laptop for me to use. I've been without one since I arrived here, since my own one is still broken, and it hasn't exactly been fun being without a laptop. (Not to say it truly sucked!!)