Actually, I was very amused to read that this guy's daughter hacked his machine, but my suggestion is not to punish her but to encourage her to go for a bachelor's degree in computer science!

Sarah

> Following this thread has been quite entertaining. I have witnessed a group of technologists attempting to derive technical solutions, essentially barriers, to help one father protect his PC from his daughter. Very creative, complex, and expensive ideas have surfaced, been torpedoed, and subsequently raised again in a different incarnation. Yet, we miss the obvious.
>
> In this case, as in others we rarely speak of, it is most efficient to interdict the attacker. No complex configurations, hardware upgrades, or additional locking mechanisms necessary. She has physical access to the PC, and could rebuild the system, soak it in the bathtub, put refrigerator magnets on the hard drive, etc. Practically, she will always have access to the PC.
>
> The answer: Remove the threat through behavior modification. Tell the daughter, if she does it again, she will not be allowed to obtain a driver's license until she is 18 years of age (or substitute deterrent message of father's choosing). If given the choice of being able to deter an attack or hardening the system, I choose effective deterrence every time.
>
> My humble opinion. (and yes, I realize the various side threads of this discussion scale beyond the original issue, but so does what I am saying)
>
> M.Rosenquist
>
> -----Original Message-----
> From: Edward J. Metzler [mailto:emetzler@private]
> Sent: Thursday, January 02, 2003 4:04 PM
> To: crime@private
> Subject: RE: CRIME Microsoft Windows XP question
>
> I really appreciate all of your comments.
>
> I intend to speak with my friend about how he protected access to his written down password. I do know that he did not log on to this system until after his daughter broke in.
>
> I didn't think to take out the floppy as I did the modem. Perhaps that will help in the future.
>
> Again, thanks for your insights.
>
> Edward J. Metzler
> aCCredo Corp. -- Proactive Risk Management
> 13267 SW Bull Mountain Road
> Tigard, OR 97224
> Direct: 503-624-2124; Fax: 503-624-5723; Cell: 503-805-7758
> http://www.accredo.com
> emetzler@private
>
> -----Original Message-----
> From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Nate McAlmond
> Sent: Thursday, January 02, 2003 2:06 PM
> To: 'rrwilso@private'
> Cc: crime@private
> Subject: RE: CRIME Microsoft Windows XP question
>
> BIOS passwords and boot media are nothing you should count on. If you don't have physical security you don't have any security.
>
> Nate McAlmond
>
> -----Original Message-----
> From: rrwilso@private [mailto:rrwilso@private]
> Sent: Thursday, January 02, 2003 1:27 PM
> To: Crispin Cowan
> Cc: crime@private
> Subject: Re: CRIME Microsoft Windows XP question
>
> So take the removable media out of the boot sequence and set a BIOS password.
>
> Crispin Cowan <crispin@private>
> Sent by: owner-crime@private
> 01/02/2003 01:17 PM
> To: Shaun Savage <savages@private>
> cc: crime@private
> Subject: Re: CRIME Microsoft Windows XP question
>
> Shaun Savage wrote:
>
> > Even though Linux is not totally secure, it is an order of magnitude better than any MSwindows product. By using SELinux (which is free) or WireX (which is good), a person can improve security where social engineering is the only feasible way.
>
> While I appreciate the praise, neither Immunix nor SELinux provide security against physical access. The problem is below the operating system, in the BIOS: by default, the hardware/BIOS looks at removable media (floppy, CD, DVD) ahead of looking at the hard drive to boot from. To 0wn the machine, just insert a malicious disk and reboot.
>
> > Open Source Linux Rules
>
> Linux, security-enhanced or not, is subject to the same threat.
>
> To prevent this attack, while also offering physical access (i.e. in a public kiosk or a school lab) you have to physically block the removable media. For instance, you remove the CD and floppy drives from the machine, and then encase the whole box in a locked cabinet so the attacker can't install their own drives.
>
> Protecting a home PC from your kids is flat out impossible. If it still is important to have this protection, get a door lock.
>
> Crispin
> --
> Crispin Cowan, Ph.D.
> Chief Scientist, WireX http://wirex.com/~crispin/
> Security Hardened Linux Distribution: http://immunix.org
> Available for purchase: http://wirex.com/Products/Immunix/purchase.html
> Just say ".Nyet"
>
> (See attached file: attjnhdd.dat)
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:57:16 PST