Following this thread has been quite entertaining. I have witnessed a group of technologists attempting to derive technical solutions, essentially barriers, to help one father protect his PC from his daughter. Very creative, complex, and expensive ideas have surfaced, been torpedoed, and subsequently raised again in a different incarnation.

Yet, we miss the obvious. In this case, as in others we rarely speak of, it is most efficient to interdict the attacker. No complex configurations, hardware upgrades, or additional locking mechanisms necessary. She has physical access to the PC, and could rebuild the system, soak it in the bathtub, put refrigerator magnets on the hard drive, etc. Practically, she will always have access to the PC.

The answer: Remove the threat through behavior modification. Tell the daughter, if she does it again, she will not be allowed to obtain a driver's license until she is 18 years of age (or substitute deterrent message of father's choosing).

If given the choice of being able to deter an attack or hardening the system, I choose effective deterrence every time.

My humble opinion. (and yes, I realize the various side threads of this discussion scale beyond the original issue, but so does what I am saying)

M.Rosenquist

-----Original Message-----
From: Edward J. Metzler [mailto:emetzler@private]
Sent: Thursday, January 02, 2003 4:04 PM
To: crime@private
Subject: RE: CRIME Microsoft Windows XP question

I really appreciate all of your comments. I intend to speak with my friend about how he protected access to his written down password. I do know that he did not log on to this system until after his daughter broke in. I didn't think to take out the floppy as I did the modem. Perhaps that will help in the future. Again, thanks for your insights.

Edward J. Metzler
aCCredo Corp.
-- Proactive Risk Management
13267 SW Bull Mountain Road
Tigard, OR 97224
Direct: 503-624-2124; Fax: 503-624-5723; Cell: 503-805-7758
http://www.accredo.com
emetzler@private

-----Original Message-----
From: owner-crime@private [mailto:owner-crime@private] On Behalf Of Nate McAlmond
Sent: Thursday, January 02, 2003 2:06 PM
To: 'rrwilso@private'
Cc: crime@private
Subject: RE: CRIME Microsoft Windows XP question

BIOS passwords and boot media are nothing you should count on. If you don't have physical security you don't have any security.

Nate McAlmond

-----Original Message-----
From: rrwilso@private [mailto:rrwilso@private]
Sent: Thursday, January 02, 2003 1:27 PM
To: Crispin Cowan
Cc: crime@private
Subject: Re: CRIME Microsoft Windows XP question

So take the removable media out of the boot sequence and set a BIOS password.

Crispin Cowan <crispin@private>
Sent by: owner-crime@private
01/02/2003 01:17 PM
To: Shaun Savage <savages@private>
cc: crime@private
Subject: Re: CRIME Microsoft Windows XP question

Shaun Savage wrote:

> Even though Linux is not totally secure, it is an order of magnitude
> better than any MSwindows product. By using SELinux, (which is free)
> or WireX (which is good), a person can improve security where social
> engineering is the only feasible way.

While I appreciate the praise, neither Immunix nor SELinux provide security against physical access.
The problem is below the operating system, in the BIOS: by default, the hardware/BIOS looks at removable media (floppy, CD, DVD) ahead of looking at the hard drive to boot from. To 0wn the machine, just insert a malicious disk and reboot.

> Open Source Linux Rules

Linux, security-enhanced or not, is subject to the same threat.

To prevent this attack, while also offering physical access (i.e. in a public kiosk or a school lab) you have to physically block the removable media. For instance, you remove the CD and floppy drives from the machine, and then encase the whole box in a locked cabinet so the attacker can't install their own drives.

Protecting a home PC from your kids is flat out impossible. If it still is important to have this protection, get a door lock.

Crispin

--
Crispin Cowan, Ph.D.
Chief Scientist, WireX http://wirex.com/~crispin/
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
Just say ".Nyet"
This archive was generated by hypermail 2b30 : Fri Jan 03 2003 - 18:58:30 PST