A Safer Space

30 Dec 2014

Life works on inertial guidance. You can't see where you're going unless you know where you've been.

And I'm becoming increasingly aware that the real riches are in memories, and that the mind is unreliable without external help.

For those two reasons, I've kept a journal for years.

But it's not working. I've been using Evernote, a cloud service that's powerful and convenient, but far from secure. And that means I self-censor: I'm deliberately vague, using private language, in-jokes and obscure references to get my point across. Or sometimes I just put a line or two, intending it to act as a 'memory key' that will allow me to remember the rest. But my memory is going. I just tested the retrieval by re-reading entries only a year old, and they don't make sense to me at all. Those moments, some of them important, none of them repeatable, are lost in time. Did they even happen?

I need a safer space, one where I can be honest. The actual risk is low - rogue spy agencies and cracking groups may monitor everyone, but they're largely interested in power and money, not me. But the psychological impact is important. Like drawing the blinds in the bedroom, the space must feel safe against a hypothetical attacker whether or not there's a real one.

So I built one.

First step, an important one when considering solving a problem with technology: Can I solve this problem without technology? In this case, no - my handwriting is too slow, and there's no easy way to back up or transport a written journal.

Next step: Air gap. A machine that's connected to the internet is a machine that you don't own any more.

I don't want to have to buy or maintain new hardware, so I set up a bootable USB key to use with my existing mac. It runs a secure distribution that rhymes with 'nails'. I won't link it because just googling the term apparently flags your network traffic for further analysis. I wish that I was joking about this.

Next step: storage. Nails can maintain an encrypted partition on the same thumb drive, which I'll use to store plaintext documents edited with nvPY. Installing nvPY involves downloading it on another machine and copying it across on a thumbdrive.

Next step: backups. I look at a number of options, but tar + gpg is the simplest. I'll copy encrypted archives onto a second thumbdrive, and from there into my normal OS X system and backup routine. I write a couple of shell scripts to automate it.

A backup you haven't tested is a backup you don't have, so I encrypt a simple "this is a test" note, copy it to a second removable drive, reboot into OS X, and decrypt it again. The OS X boot is insecure, but there was no private data in the archive I just decrypted. Good to go. Right?

No. It's not until hours later that I realise that, to decrypt, I typed my passphrase into an insecure machine. A hypothetical attacker now has the passphrase, and needs only wait until a secure archive appears. One slip is all it took. I change the passphrase.

It turns out that security is hard. There are other edge cases, too - a compromised machine could watch for encrypted files written to external drives and backdoor them. Or the encryption algorithm itself might have been deliberately weakened at the design stage.

It's hard even for simple challenges. I'm not even attempting to protect against Evil Maid or $5-wrench attacks. I don't need to.

But it's a frightening world where, if I did, I wouldn't be able to.