On Thu, 2003-01-02 at 19:08, Shaun Savage wrote:
> If the boot sequence requires 'password' within the OS to access the OS
> then even if someone boots the machine with evil in their head, the OS
> will not decrypt itself without the correct password. This is easily
> done with a modified init program.
>
> The object is to protect the password file and other boot programs/data.
> If they are encrypted with only one way to access them then you may
> lose data but the system would be safe.
>
> I use a USB key that init reads.

OK, and say I stick a boot floppy in and modify the filesystem, say
rewrite the password file, so it contains passwords I know. Or I copy
in a new init that has a trojan horse, or a secret backdoor or...

>
> Shaun
>
>
> Crispin Cowan wrote:
> | Shaun Savage wrote:
> |
> |> Even though Linux is not totally secure, it is an order of magnitude
> |> better than any MSwindows product. By using SELinux, (which is free)
> |> or WireX (which is good), a person can improve security where social
> |> engineering is the only feasible way.
> |
> |
> | While I appreciate the praise, neither Immunix nor SELinux provide
> | security against physical access. The problem is below the operating
> | system, in the BIOS: by default, the hardware/BIOS looks at removable
> | media (floppy, CD, DVD) ahead of looking at the hard drive to boot from.
> | To 0wn the machine, just insert a malicious disk and reboot.
> |
> |> Open Source Linux Rules
> |
> |
> | Linux, security-enhanced or not, is subject to the same threat.
> |
> | To prevent this attack, while also offering physical access (i.e. in a
> | public kiosk or a school lab) you have to physically block the removable
> | media. For instance, you remove the CD and floppy drives from the
> | machine, and then encase the whole box in a locked cabinet so the
> | attacker can't install their own drives.
> |
> | Protecting a home PC from your kids is flat out impossible. If it still
> | is important to have this protection, get a door lock.
> |
> | Crispin
>
>
> --
> savages@private
> GPG = B527 8F72 BAFA D490 6B30 6885 9FA2 34E8 EA73 F975
> Public key at http://www.savages.net/gpg/savages

--
Brian Beattie            | Having had the honor of being selected
beattie@beattie-home.net | for a Resource Action by my former employer,
                         | it is my pleasure to announce my immediate
www.beattie-home.net     | availability, contract or permanent.
Embedded Systems, Linux/Unix internals Software Engineer