Re: CRIME Microsoft Windows XP question

From: Brian Beattie (beattie@beattie-home.net)
Date: Thu Jan 02 2003 - 20:25:37 PST

  • Next message: Shaun Savage: "Re: CRIME Microsoft Windows XP question"

    On Thu, 2003-01-02 at 19:08, Shaun Savage wrote:
    > -----BEGIN PGP SIGNED MESSAGE-----
    > Hash: SHA1
    > 
    > If the boot sequence requires 'password' within the OS to access the OS
    > then even if someone boot the machine with evil in their head, the OS
    > will not decrypt it self with out the correct password.  This easily
    > done with a modified init program.
    > 
    > The object is to protect the password file and other boot programs/data.
    > ~ If they are encrypted with only one way to access them then you may
    > lose data but the system would be safe.
    > 
    > I use a USB key that init reads.
    > 
    > Shaun
    
    Folks, better minds than ours have considered this issue, and the is NO
    substitute for physical security.  Leave a motivated bad guy alone with
    you CPU and he will own it.  If you can limit the bad guy to controlled
    electronic access you have a fighting chance, but there is no such thing
    as "true" security, the best you can do is to make it cost more to
    breach security, that the value of such a breach to the bad guy.  This
    has been shown over and over again.
    
    > 
    > 
    > Crispin Cowan wrote:
    > | Shaun Savage wrote:
    > |
    > |> Even though Linux is not totally secure, it is an order of magnitude
    > |> better than any MSwindows product.  Buy using SELinux, (which is free)
    > |> or WireX (which is good), a person can improve security where socal
    > |> engineering is the only fesible way.
    > |
    > |
    > | While I appreciate the praise, neither Immunix nor SELinux provide
    > | security against physical access. The problem is below the operating
    > | system, in the BIOS: by default, the hardware/BIOS looks at removable
    > | media (floppy, CD, DVD) ahead of looking at the hard drive to boot from.
    > | To 0wn the machine, just insert a malicious disk and reboot.
    > |
    > |> Open Source Linux Rules
    > |
    > |
    > | Linux, security-enhanced or not, is subject to the same threat.
    > |
    > | To prevent this attack, while also offering physical access (i.e. in a
    > | public kiosk or a school lab) you have to physically block the removable
    > | media. For instance, you remove the CD and floppy drives from the
    > | machine, and then encase the whole box in a locked cabinet so the
    > | attacker can't install their own drives.
    > |
    > | Protecting a home PC from your kids is flat out impossible. If it still
    > | is important to have this protection, get a door lock.
    > |
    > | Crispin
    > 
    > 
    > - --
    > savages@private
    > GPG = B527 8F72 BAFA D490 6B30  6885 9FA2 34E8 EA73 F975
    > Public key at  http://www.savages.net/gpg/savages
    > 
    > -----BEGIN PGP SIGNATURE-----
    > Version: GnuPG v1.2.0 (GNU/Linux)
    > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
    > 
    > iD8DBQE+FP6Wn6I06Opz+XURAnVLAJ9DhK7UepGQDwIir6fT433Yvw4/4gCfS3UT
    > 1sbJU+wAX3jJMyryaqESzHk=
    > =mdpU
    > -----END PGP SIGNATURE-----
    -- 
    Brian Beattie            | Having had the honor of being selected
    beattie@beattie-home.net | for a Resource Action by my former employer,
                             | it is my pleasure to announce my immediate
    www.beattie-home.net     | availability, contract or permanent.
    Embedded Systems, Linux/Unix internals Software Engineer
    



    This archive was generated by hypermail 2b30 : Thu Jan 02 2003 - 23:35:53 PST