RE: CRIME Microsoft Windows XP question

From: Kuo, Jimmy (Jimmy_Kuo@private)
Date: Thu Jan 02 2003 - 16:50:46 PST

    I don't recall if we had a discussion here about how to have "strong"
    memorable passwords.
     
    I prefer keyboard patterns, for example, 7ujmghjkl or 8uhb6yjm or some kind
    of keyboard pattern.
     
    You can stick in a "hold shift down" for any part of it.
     
    You can do a circle, a box, plus sign, X, 2 per row, 3 per row, 2 per row
    going up rows (nmhjyu67).  All very easy to train your fingers to do.
     
    Jimmy
    
    -----Original Message-----
    From: Edward J. Metzler [mailto:emetzler@private]
    Sent: Thursday, January 02, 2003 4:04 PM
    To: crime@private
    Subject: RE: CRIME Microsoft Windows XP question
    
    
    I really appreciate all of your comments.
     
    I intend to speak with my friend about how he protected access to his
    written down password.  I do know that he did not log on to this system
    until after his daughter broke in.
     
    I didn't think to take out the floppy as I did the modem.  Perhaps that will
    help in the future.
     
    Again, thanks for your insights.
    
    Edward J. Metzler
    aCCredo Corp. -- Proactive Risk Management
    13267 SW Bull Mountain Road
    Tigard, OR 97224
    Direct: 503-624-2124; Fax: 503-624-5723; Cell: 503-805-7758
    http://www.accredo.com
    emetzler@private
    
    This e-mail, including attachments, may include confidential and/or
    proprietary information, and may be used only by the person or entity to
    which it is addressed. If the reader of this e-mail is not the intended
    recipient or his or her authorized agent, the reader is hereby notified that
    any dissemination, distribution or copying of this e-mail is prohibited. If
    you have received this e-mail in error, please notify the sender by replying
    to this message and delete this e-mail immediately.
    
    
    
    
    -----Original Message-----
    From: owner-crime@private [mailto:owner-crime@private] On Behalf Of
    Nate McAlmond
    Sent: Thursday, January 02, 2003 2:06 PM
    To: 'rrwilso@private'
    Cc: crime@private
    Subject: RE: CRIME Microsoft Windows XP question
    
    
    
    Bios passwords and boot media are nothing you should count on. If you don't
    have physical security you don't have any security.
    
    Nate McAlmond 
    
    -----Original Message----- 
    From: rrwilso@private [mailto:rrwilso@private]
    Sent: Thursday, January 02, 2003 1:27 PM 
    To: Crispin Cowan 
    Cc: crime@private 
    Subject: Re: CRIME Microsoft Windows XP question 
    
    
    
    So take the removable media out of the boot sequence and set a BIOS 
    password. 
    
    From: Crispin Cowan <crispin@private>
    Sent by: owner-crime@private
    Date: 01/02/2003 01:17 PM
    To: Shaun Savage <savages@private>
    cc: crime@private
    Subject: Re: CRIME Microsoft Windows XP question
    
    Shaun Savage wrote: 
    
    > Even though Linux is not totally secure, it is an order of magnitude
    > better than any MSwindows product.  By using SELinux, (which is free)
    > or WireX (which is good), a person can improve security where social
    > engineering is the only feasible way.
    
    While I appreciate the praise, neither Immunix nor SELinux provide 
    security against physical access. The problem is below the operating 
    system, in the BIOS: by default, the hardware/BIOS looks at removable 
    media (floppy, CD, DVD) ahead of looking at the hard drive to boot from. 
    To 0wn the machine, just insert a malicious disk and reboot. 
    
    > Open Source Linux Rules 
    
    Linux, security-enhanced or not, is subject to the same threat. 
    
    To prevent this attack, while also offering physical access (i.e. in a 
    public kiosk or a school lab) you have to physically block the removable 
    media. For instance, you remove the CD and floppy drives from the 
    machine, and then encase the whole box in a locked cabinet so the 
    attacker can't install their own drives. 
    
    Protecting a home PC from your kids is flat out impossible. If it still 
    is important to have this protection, get a door lock. 
    
    Crispin 
    -- 
    Crispin Cowan, Ph.D. 
    Chief Scientist, WireX                      http://wirex.com/~crispin/
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
                    Just say ".Nyet" 
    
    (See attached file: attjnhdd.dat) 
    
    
    
    =========================================================================== 
    IMPORTANT NOTICE: This communication, including any attachment, contains 
    information that may be confidential or privileged, and is intended solely 
    for the entity or individual to whom it is addressed.  If you are not the 
    intended recipient, you should delete this message and are hereby notified 
    that any disclosure, copying, or distribution of this message is strictly 
    prohibited.  Nothing in this email, including any attachment, is intended 
    to be a legally binding signature. 
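
Added example, not part of the original thread: a password-audit check that recognises keyboard patterns of the kind described in the first message (7ujmghjkl, 8uhb6yjm, nmhjyu67), including "hold shift down" variants, the way a strength meter would. The US QWERTY geometry, the function names and the 0.5 threshold are assumptions.

```python
# Added example: US QWERTY geometry and the 0.5 threshold are assumptions.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
OFFSETS = [0.0, 0.5, 0.75, 1.25]  # horizontal stagger of each row, in key widths
SHIFTED = str.maketrans('!@#$%^&*()_+{}:"<>?', "1234567890-=[];',./")

# Map each unshifted key to (row, x), where x is its horizontal position.
POS = {ch: (r, c + OFFSETS[r]) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def base_key(ch):
    """Undo 'hold shift down': 'U' -> 'u', '&' -> '7'."""
    return ch.translate(SHIFTED).lower()


def adjacent(a, b):
    """True if two characters are typed on the same key or on touching keys."""
    pa, pb = POS.get(base_key(a)), POS.get(base_key(b))
    if pa is None or pb is None:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1


def walk_segments(password):
    """Split a password into maximal runs of physically adjacent keys."""
    segments = []
    for ch in password:
        if segments and adjacent(segments[-1][-1], ch):
            segments[-1] += ch
        else:
            segments.append(ch)
    return segments


def adjacency_ratio(password):
    """Fraction of consecutive character pairs that are keyboard neighbours."""
    pairs = list(zip(password, password[1:]))
    return sum(adjacent(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0


def is_keyboard_pattern(password, threshold=0.5):
    """Flag passwords in which at least `threshold` of the key-to-key steps are walks."""
    return adjacency_ratio(password) >= threshold


if __name__ == "__main__":
    # Patterns quoted in the message, a shifted variant, and a constructed non-pattern.
    for pw in ["7ujmghjkl", "8uhb6yjm", "nmhjyu67", "&UJMghjkl", "tangerine-42"]:
        print(f"{pw:14} {walk_segments(pw)} {adjacency_ratio(pw):.2f} {is_keyboard_pattern(pw)}")
```

Because shifted characters are mapped back to their physical keys, the shifted variant splits into the same two segments as the unshifted pattern.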
    



    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:41:39 PST