Physical access
|
| Author | Content |
|---|---|
| Sander_Marechal Oct 11, 2007 1:22 PM EDT |
I agree with the comments posted on the blog. Anyone having physical access to your machine can break any security measure you have. Encrypted hard drives exempted in some cases. |
| herzeleid Oct 11, 2007 2:07 PM EDT |
bleh - it's not remotely exploitable |
| montezuma Oct 11, 2007 2:22 PM EDT |
Yeah I'm sure the evildoers (to quote the great helmsman) will be more interested in your wallet, jewellery or ipod than in getting root access on your mega-geeky linux box. |
| azerthoth Oct 11, 2007 2:28 PM EDT |
Mostly I was trying to point out that this is something that *should* be done as part of the install routine. One extra question to answer. Sure anyone with physical access to your system will be able to get around all kinds of things. However with encrypted drives and passwording grub you can seriously minimize the risk. |
| Steven_Rosenber Oct 11, 2007 2:35 PM EDT |
I seem to remember the Debian Etch installer offering the option of fully encrypting the hard drive. I did a recent Debian install and didn't see it. Maybe I needed to choose LVM. But short of full encryption and a physically hidden backup (so you can restore a destroyed system), I don't think you can be safe from physical intrusion. |
| jezuch Oct 11, 2007 2:47 PM EDT |
Bah, when I use this "trick" on my Debian box, I'm greeted with friendly "give root password for maintenance". It doesn't work for me!! |
| Steven_Rosenber Oct 11, 2007 2:54 PM EDT |
I think you have to do it during the install. I'll have to try it. |
| Sander_Marechal Oct 11, 2007 4:17 PM EDT |
@jezuch: Not that you mention it, I do indeed vaguely recall Debian asking for the root pw for single user mode. It's been a long time since I needed single user mode though. |
| azerthoth Oct 11, 2007 4:19 PM EDT |
Odd I dont remember seeing it, then again I'm getting older now, soo .... |
| henke54 Oct 11, 2007 9:02 PM EDT |
make a 'looker' on your pc ..... ;-P http://www.cl.cam.ac.uk/~jgd1000/ |
| gus3 Oct 12, 2007 12:55 AM EDT |
"Give root password for maintenance" is still under init script control. Appending "init=/bin/sh" to the kernel command line at the LILO or GRUB prompt gets around that. Remedy: require a password for editing the boot parameters. GRUB uses "password", LILO uses "password=" and "restricted". |
| jdixon Oct 12, 2007 2:42 AM EDT |
> Remedy: require a password for editing the boot parameters. GRUB uses "password", LILO uses "password=" and "restricted". Which is still overcome by using a live CD. You can set the computer to only boot from the hard drive and set a bios password, but even that can usually be overcome by a jumper on the motherboard. The only sure way to protect your data is to encrypt the hard drive, and even that doesn't prevent someone from formatting the drive and destroying your data, or from imaging your drive to a portable device and taking it away to be cracked at their leisure. If you don't have physical security, you don't have security. |
| Sander_Marechal Oct 12, 2007 4:52 AM EDT |
Quoting:even that doesn't prevent someone from formatting the drive and destroying your data That is what you *want*. The point of encrypting something is that you rather loose it forever than let someone else access it. Quoting:or from imaging your drive to a portable device and taking it away to be cracked at their leisure. That's virtually impossible if you use a decent encryption algorithm and good sized keys/cyphers. |
| jezuch Oct 12, 2007 5:21 AM EDT |
Quoting:That's virtually impossible if you use a decent encryption algorithm and good sized keys/cyphers. People say that USA's NSA does that on their leisure several times a day ;) My professor at the university insisted that they are 30 years ahead of us mere mortals in cryptography. Well, if *that*'s true... |
| jdixon Oct 12, 2007 5:24 AM EDT |
> That's virtually impossible if you use a decent encryption algorithm and good sized keys/cyphers. Processing power doubles every two years. The impossible now is the couple of hours job about 6-8 years down the road. It's very important to keep in mind how long the data needs to be protected. |
| jdixon Oct 12, 2007 5:25 AM EDT |
> People say that USA's NSA does that on their leisure several times a day ;) In addition to top line clusters, the NSA probably has custom build hardware designed for that explicit purpose. That alone would give them a significant edge. |
| Sander_Marechal Oct 12, 2007 6:16 AM EDT |
I suggest TrueCrypt then. It's indistinguishable from random data, and it can contain a volume-within-a-volume that's equially indetectable. Plus it supports a lot of different encryption technologies. They would have to try them all just to crack the outer volume, then do the same thing again on an inner volume. I think that would even keep the NSA busy for some time. It's just too bad that I don't see any distro's shipping with it by default. I always have to build kernel modules. That should keep them busy for some time. Besides, I don't believe they are *that* far ahead. Just double your key sizes and you'll increase their work exponentially. |
| thenixedreport Oct 12, 2007 12:27 PM EDT |
Good post man, and a great point indeed. If the environment in question has a ton of people moving throughout an attacker may not want to risk wasting too much time, so the more hoops you throw up for them, the better. If it appears to be taking too long and too many people are moving throughout the area, they may just pack it up and leave to avoid getting caught. Also, make sure that the staff is properly trained for recognizing legitimate personnel, vendors, repair people, etc........ Once that is taken care of as well, security overall will be greatly increased. |
| hkwint Oct 13, 2007 3:04 PM EDT |
> People say that USA's NSA does that on their leisure several times a day ;) Hehe, those NSA experts are the same 'assumed US computer experts' which built the security system of the Pentagon network? Did you ever calculate 2^256 and calculate how long brute force attack takes, for example for AES? I mean, AES was invented by two Belgian people (they can be better trusted than American people when it comes to exporting encryption in my opinion since the Americans suffer from restrictions, but who am I); and a lot of cryptographers looked at it. OpenBSD uses AES. I'm sorry, but I cannot believe the incompetent people who screwed up security of the Pentagon, which seams like something important to me, are more competent than a worldwide cryptographers community and the people working at OpenBSD. Not all smart people work for US government. But that's just my guess, and you might be right. People tell a lot about the NSA, like they already have 'cold fusion' etc. In the US army they can't even build smart bombs which don't hit civilians, hell, they even die from friendly fire. I guess US most competent people - when it comes to data manipulation - work at the designing agencies of those bombs, and at the security team of the Pentagon. And those same people are 30 years ahead of us? The only reason I could believe so is if they have a working quantum computer, but I don't believe that. |
| gus3 Oct 13, 2007 8:48 PM EDT |
hkwint:Quoting:more competent than a worldwide cryptographers community and the people working at OpenBSD.Just because I'm an OpenBSD committer (I'm not) and I create a variation on the Caesar cipher doesn't make me an expert. In the words of Bruce Schneier, "anyone can create a cipher that he can't crack." And what's with the OT anti-USian rant in the last paragraph? |
| hkwint Oct 15, 2007 10:50 AM EDT |
Quoting:And what's with the OT anti-USian rant in the last paragraph? It's not, it goes for any other country too (I thought about that myself). But people don't say the French secret agency is 30 years ahead of us, so that's the reason I don't have to point out the French can't build smart bombs or prevent friendly fire. You're just being sensitive, which I can understand from my earlier posts, but this time I didn't intend a anti-USian rant. |
Posting in this forum is limited to members of the group: [ForumMods, SITEADMINS, MEMBERS.]
Becoming a member of LXer is easy and free. Join Us!