So take the removable media out of the boot sequence and set a BIOS password. Crispin Cowan <crispin@private To: Shaun Savage <savages@private> om> cc: crime@private Sent by: Subject: Re: CRIME Microsoft Windows XP question owner-crime@private dx.edu 01/02/2003 01:17 PM Shaun Savage wrote: > Even though Linux is not totally secure, it is an order of magnitude > better than any MSwindows product. Buy using SELinux, (which is free) > or WireX (which is good), a person can improve security where socal > engineering is the only fesible way. While I appreciate the praise, neither Immunix nor SELinux provide security against physical access. The problem is below the operating system, in the BIOS: by default, the hardware/BIOS looks at removable media (floppy, CD, DVD) ahead of looking at the hard drive to boot from. To 0wn the machine, just insert a malicious disk and reboot. > Open Source Linux Rules Linux, security-enhanced or not, is subject to the same threat. To prevent this attack, while also offering physical access (i.e. in a public kiosk or a school lab) you have to physically block the removable media. For instance, you remove the CD and floppy drives from the machine, and then encase the whole box in a locked cabinet so the attacker can't install their own drives. Protecting a home PC from your kids is flat out impossible. If it still is important to have this protection, get a door lock. Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX http://wirex.com/~crispin/ Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html Just say ".Nyet" (See attached file: attjnhdd.dat) =========================================================================== IMPORTANT NOTICE: This communication, including any attachment, contains information that may be confidential or privileged, and is intended solely for the entity or individual to whom it is addressed. If you are not the intended recipient, you should delete this message and are hereby notified that any disclosure, copying, or distribution of this message is strictly prohibited. Nothing in this email, including any attachment, is intended to be a legally binding signature.
This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 18:46:22 PST