RE: CRIME Microsoft Windows XP question

From: Rosenquist, Matthew (matthew.rosenquist@private)
Date: Thu Jan 09 2003 - 08:37:56 PST


    Zot, et al,
    
    I do agree the poster was asking how to better secure a Windows machine.  I
    took the liberty of looking deeper into the issue at the root cause (and
    admittedly, in doing so possibly making some inaccurate assumptions).  In my
    experience, many times what people ask for, is not necessarily what they
    need to solve the root problem.  
    
    So the root of the problem, as I interpreted it, is how does the Poster aid
    his client in securing a system in such particular circumstances.  As the
    thread evolved through locking the case, installing biometrics, removing
    local drives, changing OS's, protecting against keystroke capture devices,
    etc., I found humor in some of the recommendations, given the circumstances
    detailed in the original message.
    
    From a look-down perspective, I find many security engineers tackle problems
    with tools, configurations, or technical solutions, believing that strong
    castle walls will provide the protection they desire.  It is the nature of
    an Engineer to find or build a tool or structure to solve a problem.  It is
    my belief that 'hardening' is only one aspect to a proper and effective
    Defense-in-Depth strategy.  It definitely has its place, however a good
    strategist will look at his enemy and find the balance of tactics which will
    lead to victory.  In this case, a normal amount of hardening and a strong dose
    of deterrence is the best combination to provide the expected level of
    security against the specified threat.
    
    I know I am rambling.  So one last personal thought:  Several basic aspects
    exist to defeat any given attack.  I look at it this way:
    1. Interdict the Attacker (remove or deter the person driving the attack)
    2. Render the attacker's Methods ineffective (typically Hardening, patching,
    etc. which denies the attacker a path to success)
    3. Deny the Objective (remove the motivation for conducting the attack)
    
    Cheers,
    
    Matthew Rosenquist
    
    
    -----Original Message-----
    From: Zot O'Connor [mailto:zot@private] 
    Sent: Thursday, January 09, 2003 2:34 AM
    To: CRIME List
    Subject: RE: CRIME Microsoft Windows XP question
    
    
    > From: Rosenquist, Matthew [mailto:matthew.rosenquist@private] 
    
    
    > Following this thread has been quite entertaining.  I have witnessed a
    > group of technologists attempting to derive technical solutions,
    > essentially barriers, to help one father protect his PC from his
    > daughter.  Very creative, complex, and expensive ideas have surfaced,
    > been torpedoed, and subsequently raised again in a different
    > incarnation.  Yet, we miss the obvious.  
    > 
    
    No, you forget the questions from the original post:
    
            Here are my questions:
            1. How is it possible to login to Windows XP without knowing the
            password?
            2. What can I do about it?
    
    Nothing here says "How do I stop his daughter from breaking in?"  She
    did an obvious attack, and I am sure that she and her dad had words.  If
    she is arrogant enough the father has since apologized  :)
    
    He asked a technical question, and is getting technical answers.  To
    some extent he is getting the answer "Physical Security is crucial"
    
    However there are assumptions to what level the attack is willing to
    go.  People have poo poo'ed some concepts "because a counter exists."
    
    Physical access for 5-10 minutes is much much different than having a
    weekend with the machine.  5-10 minutes on a machine with no
    floppy/cdrom/USB, password protected BIOS with the HD as the only boot
    device will stop most attackers cold.  Yes an attacker can have a screw
    gun ready, and the exact MB memorized, and the flash pins done in 5
    minutes, but this is not Mission Impossible III.
    
    All security is Partial Security, it just raises the Bar.
    
    So most of the suggestions are good ones.  The init -> USB key is another
    great layer.  Add all of this together and I am now protected against
    all but the really sophisticated attackers, or the ones with a lot of
    free time with the machine.  Don't bother to tell me how fast you can
    open the PC, add a drive, etc., that requires sophistication.
    
    
    > Tell the
    > daughter, if she does it again, she will not be allowed to obtain a
    > drivers license until she is 18 years of age 
    
    Which begs two questions:  How old is she (if she's 19 this will not
    work), and is she looking for work?  If not, she is getting a degree in
    this?  What were her grades before seeing War Games?
    
    On Fri, 2003-01-03 at 11:08, Andrew Plato wrote: 
    
    > However, it seems to me Dad should be happy his daughter is hacking
    > PCs. She could be rotting her brain out on reality television and
    > Britney Spears. 
    
    Andrew, Andrew, Andrew don't you read the news?
    
    http://www.cnn.com/2002/TECH/internet/12/13/lycos.search/index.html
    
    Tattoos, Britney top Web search list
    ...
    Lycos lists music-trading service Kazaa at No. 2, tattoos at No. 3, pop
    idol Britney Spears was No. 4, the NFL (National Football League) at No.
    6, and Christmas at No. 9. 
    ...
    
    What do you think she was doing on-line anyway?
    
    
    
    -- 
    Zot O'Connor
    
    http://www.ZotConsulting.com
    http://www.WhiteKnightHackers.com
    



    This archive was generated by hypermail 2b30 : Thu Jan 09 2003 - 13:33:09 PST