On Thu, 2003-01-02 at 13:26, rrwilso@private wrote:
> So take the removable media out of the boot sequence and set a BIOS
> password.

and I'll open up the box and reset the bios

>
> Crispin Cowan <crispin@private>
> To: Shaun Savage <savages@private>
> cc: crime@private
> Sent by: owner-crime@private
> Subject: Re: CRIME Microsoft Windows XP question
> 01/02/2003 01:17 PM
>
> Shaun Savage wrote:
>
> > Even though Linux is not totally secure, it is an order of magnitude
> > better than any MSwindows product. By using SELinux, (which is free)
> > or WireX (which is good), a person can improve security where social
> > engineering is the only feasible way.
>
> While I appreciate the praise, neither Immunix nor SELinux provide
> security against physical access. The problem is below the operating
> system, in the BIOS: by default, the hardware/BIOS looks at removable
> media (floppy, CD, DVD) ahead of looking at the hard drive to boot from.
> To 0wn the machine, just insert a malicious disk and reboot.
>
> > Open Source Linux Rules
>
> Linux, security-enhanced or not, is subject to the same threat.
>
> To prevent this attack, while also offering physical access (i.e. in a
> public kiosk or a school lab) you have to physically block the removable
> media. For instance, you remove the CD and floppy drives from the
> machine, and then encase the whole box in a locked cabinet so the
> attacker can't install their own drives.
>
> Protecting a home PC from your kids is flat out impossible. If it still
> is important to have this protection, get a door lock.
>
> Crispin
> --
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX http://wirex.com/~crispin/
> Security Hardened Linux Distribution: http://immunix.org
> Available for purchase: http://wirex.com/Products/Immunix/purchase.html
> Just say ".Nyet"
>
> (See attached file: attjnhdd.dat)
>
> ===========================================================================
> IMPORTANT NOTICE: This communication, including any attachment, contains
> information that may be confidential or privileged, and is intended solely
> for the entity or individual to whom it is addressed. If you are not the
> intended recipient, you should delete this message and are hereby notified
> that any disclosure, copying, or distribution of this message is strictly
> prohibited. Nothing in this email, including any attachment, is intended
> to be a legally binding signature.

--
Brian Beattie            | Having had the honor of being selected
beattie@beattie-home.net | for a Resource Action by my former employer,
                         | it is my pleasure to announce my immediate
www.beattie-home.net     | availability, contract or permanent.
Embedded Systems, Linux/Unix internals Software Engineer

This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:38:27 PST