Talk:HavenCo

It should be noted that this article appears to have been written by someone with the same Wikipedia user name as one of the people named in the article.

One might speculate on how long HavenCo could resist an attack from a nation state or its police force, or how robust its communications to the Net are against attack.

One might also speculate what form a sting operation by a nation state against prospective data haven users would take.

The Anome


Feel free to speculate on such things and add them to the article!

(I am CTO of HavenCo, but I think the HavenCo article is relatively unbiased; no one else posted anything yet, though)

Our policy has always been "we can destroy stuff before it is captured, and will do so". We have sufficient security/military/etc. to protect equipment from our own staff, and from invasion. We certainly can't defend against destruction. Our communications are relatively robust (terminating in many countries), but even someone like AboveNet could be flooded off the net for a few weeks with enough effort. Our security is sufficient to delay capture long enough to destroy things (which in most cases just means shutting off power; disks are encrypted, and boot codes require positive cooperation and can be destroyed with a single switch)

We also do tamper-resistant hardware for our more security-conscious customers -- even I can't compromise it. Even if the hardware fell into "enemy" hands for months, it would be in my opinion impossible to recover data. As for being a sting -- sure. Crypto AG is a better example. We deal with this issue by not requiring *any* information from customers; leave a bag of cash in a locker at an airport, anonymous-remail me the code, I'll pick it up, and then put a server online, using factory-standard tamper-resistance, which can be remotely verified. We *could* be a sting, but we work to make sure stuff is provably secure even from ourselves, so even if I worked for the CIA or MI6, customers could trust our security due to faith in mathematics and physics. I'd have *more* trust in HavenCo if it were MI6/CIA, as then you'd know for sure it was being operated professionally. Most of our customers are casinos and backups anyway, and don't really care about security from intelligence agencies.

I'll include some comments on this (including links to Crypto AG and a brief article on it) if you don't.



So, you are saying that you have direct undersea fibre connectivity to many countries?

Please explain 'factory-standard tamper-resistance'.

The Anome


Wireless, satellite, etc. to many countries, yes. Fiber is planned but expensive to go to many countries. Also we handle layer-3 (IP) in more countries than layer-2, using encrypted tunnels.

We have metal-enclosed coprocessors (486, crypto coprocessor, storage) inside sealed PCI cards which zeroize themselves if they detect any attempt at tampering. People run security-critical parts of their application on those, random other stuff outside. So even if you break into the machine, all the critical data is on this card (which is really a separate computer), which runs a special-purpose OS, has been audited, etc.

Costs range from ~$8 (iButton) to ~$50k (Compaq Atalla); IBM 4758-002 is in my opinion the best. There was recently found a vulnerability with one of the libraries, but it's not one we use. The hardware itself is very secure.


You mean Michael Bond and Richard Clayton's attack at http://www.cl.cam.ac.uk/~rnc1/descrack/ ?

Looking at the IBM documentation on the 4758, it is clear that the hardware's security hinges on the user trusting IBM (for example, only they should know the root certificate for the 4758). But if you are a sting operation, IBM will surely have cooperated with those parties? And this same would be true of any US or UK sourced security hardware, such as the iButton or the Compaq.

The Anome


Yes, that research.

You can do "cut and choose" verification on the hardware, and you can run your own software inside a module. IBM doesn't have the ability to *change* the machines once they're released, only to certify fraudulent ones, so you can buy a thousand, open 999 to verify there is no backdoor, load your software into one, and then ship it, knowing it hasn't been tampered with.

Also there are non-US/UK manufacturers of such devices, and the technology to make such a device is not *that* impossible. Plus, you could do secret-sharing across multiple manufacturers, if you cared, at multiple sites.

But most people have no reason to be so paranoid. The people involved with HavenCo have some pre-HavenCo notoriety beforehand, but I suppose you could claim I was recruited by <agency> when I was 10 years old and raised to run a sting operation :)


Surely that's the point. If I am not paranoid, I don't need an offshore data haven. I just trust secure processor hardware and mathematics in a number of Tier-1 secure colos in various jurisdictions. That gives me as much resilience and security as could normally be desired. If I want to go beyond this, I need to have my own physically secure premises and hire my own guard force.

If someone is paranoid enough to need a data haven, then they are presumably either

  • mentally ill or
  • doing something that makes them reasonably expect to be subject to such attacks.

If the former, no amount of security will satisfy them. If the latter, they will need to take precaustions that assume that serious resources will be brought to bear upon them - such as

  • having a copy of the IBM 4758 root private key
  • bribing, threatening or simply employing third parties in a sting operation

The Anome


I'm not convinced that it's necessary to explore the demand for a data haven in this particular article; perhaps that would be better suited to an article on data havens in general. If you're right about no one wanting a data haven, Anome, then HavenCo will go under. Time will tell. But I'd like to focus more on HavenCo itself, its relationship to that odd little place called Sealand, and possible attacks and on HavenCo's setup. And avoiding turning the whole thing into an advertisement, of course. :) --Stephen Gilbert