  Short one (Message 20 to 29 of 129)  
From: Warp
Subject: Re: Short one
Date: 10 Oct 2007 20:19:23
Message: <470d6c0b@news.povray.org>
Darren New <dne### [at] sanrrcom> wrote:
> Warp wrote:
> >   Resetting the root password from local console is not a security hole.
> > It's regular maintenance. It's by design.

> Possibly, depending on how you think about it.  It certainly makes for 
> insecure personal desktop computers in a corporate environment, for 
> example.

  I was mainly talking from the point of view of the owner of the
computer, which is naturally also its administrator.

  There are certain things you just *must* be able to do to the computer
as an administrator. The most typical example would be booting it (which,
if it was possible to do remotely by anyone without permission, would be
considered a huge security hole).

  It would, quite naturally, not make too much sense that if you forgot
the root password, you would be completely stuck and the computer would
become completely unmaintainable. There must, of course, be some way of
resetting the root password (given that you have direct physical access
to the computer). It's just common sense.

  You could, of course, make a computer somewhat "secure" by disabling
a bunch of things (such as being able to boot in single user mode and
booting from a CD) and setting a BIOS password. However, it wouldn't make
too much sense to do this to your own computer because if you ever forget
that root password, it would be quite bothersome to get your computer back.

> >   There's no such a thing as security if you have physical access to the
> > computer. 

> Sure there is. Otherwise, why would anyone build encrypting disk 
> drivers, mandatory access control, etc?

  Security of the data is not the same as security of the system.
If someone can hack into your computer and delete all your encrypted
files (or worse, replace them with something else without you noticing
for a long time, perhaps messing up your backups), I wouldn't call that
security.

  Accounts, access control, etc. are only good for remote access.
If someone has direct access to your computer, they serve only as a
deterrent for the novice and a slowdown for the expert. There's little
stopping the user from e.g. booting from a Linux installation disk and
wiping out the contents of the HDs.

  (That doesn't mean that accounts couldn't be handy even if the computer
is used by more than one person. They can be very handy e.g. for a computer
used by the entire family, with each member having their own accounts. It
makes maintenance easier and accidents less catastrophic.)

> > It doesn't matter which OS you are using. 

> This would be factually incorrect also, unless you believe ...

  You mean some OS can stop someone from booting from a CD and wiping
the HDs, for example?

> > Heck, you can take
> > a sledgehammer and bring down the system with it.

> ... counts as "insecure."

  Well, it is. I count a system which can be brought down by anyone
without permission as being insecure. You can only try to stop that
being done remotely, but if someone has physical access to your
computer, no such luck.

> >   The point in security is whether the system can be hacked remotely.

> I think you're overgeneralizing.  I think it's because security isn't a 
> binary property of a system.

  I don't think it's too much of an exaggeration:

  If someone has direct physical access to the computer, it is insecure.
Remote access can be made much more secure.

-- 
                                                          - Warp



From: Darren New
Subject: Re: Short one
Date: 10 Oct 2007 20:50:36
Message: <470d735c$1@news.povray.org>
Warp wrote:
> Darren New <dne### [at] sanrrcom> wrote:
>> Warp wrote:
>>>   Resetting the root password from local console is not a security hole.
>>> It's regular maintenance. It's by design.
> 
>> Possibly, depending on how you think about it.  It certainly makes for 
>> insecure personal desktop computers in a corporate environment, for 
>> example.
> 
>   I was mainly talking from the point of view of the owner of the
> computer, which is naturally also its administrator.

Right. And I was pointing out that resetting the root password from the 
local console is indeed a security hole if the owner of the computer 
isn't the one sitting at the console.  Makes sense?

>   It would, quite naturally, not make too much sense that if you forgot
> the root password, you would be completely stuck and the computer would
> become completely unmaintainable. There must, of course, be some way of
> resetting the root password (given that you have direct physical access
> to the computer). It's just common sense.

Sure. But preserving all the data of everyone on the machine when 
resetting the password is less secure than resetting the password by 
wiping out all data on the machine.

>   Security of the data is not the same as security of the system.
> If someone can hack into your computer and delete all your encrypted
> files (or worse, replace them with something else without you noticing
> for a long time, perhaps messing up your backups), I wouldn't call that
> security.

Right.

>   Accounts, access control, etc. are only good for remote access.

I disagree. If they're only good for remote access, why is there advice 
that you shouldn't log in as root for everyday use?

> If someone has direct access to your computer, they serve only as a
> deterrent for the novice and a slowdown for the expert. There's little
> stopping the user from e.g. booting from a Linux installation disk and
> wiping out the contents of the HDs.

Again, you're making a boolean description of security. The fact that 
you can destroy the computer doesn't mean it's "insecure".

>> This would be factually incorrect also, unless you believe ...
> 
>   You mean some OS can stop someone from booting from a CD and wiping
> the HDs, for example?

No, but that's *more* secure than someone booting from a CD and reading 
all your files. That's why they invented paper shredders.

I'd rather have my backup disks, when stolen by a thief, get wiped out 
and sold as blank media than to have all my personal information 
accessible to the thief.  There's not too much you can do to keep the 
disk from getting stolen, but you can keep the data from getting stolen.

>   If someone has direct physical access to the computer, it is insecure.

Well, in some senses of the word, it's insecure. In other senses, it 
isn't. If I boot Vista and I need to put a USB frob in to decrypt the 
boot partition, the machine is significantly more secure than if I'm 
running Win98, even if neither machine is plugged into a network at all.

> Remote access can be made much more secure.

No question there. Remote access prevents a number of attacks. But that 
doesn't mean local access must or even should allow all attacks.

-- 
   Darren New / San Diego, CA, USA (PST)
     Remember the good old days, when we
     used to complain about cryptography
     being export-restricted?



From: scott
Subject: Re: Short one [600K attachment!]
Date: 11 Oct 2007 03:21:42
Message: <470dcf06@news.povray.org>
> OK. Well 42 FPS is still faster than you need.

Need for what?

>> 25 fps looks very jerky compared to 30 or 60 fps for CG.
>
> Really? I observed virtually no visible difference at all (except the 
> speed of the motion).

Well of course everybody has different perception of flicker/motion 
blur/smoothness, look at the attached that I made in POV a while back (I 
think it is xVid format, can't remember).  The balls are bouncing at 60, 30 
and 15 fps.  If you can't see the difference between the "smoothness" of the 
red and green balls then I guess you're lucky as you can tolerate lower 
framerates in games (==cheaper hardware) :-)




Attachments:
Download 'out.avi.dat' (601 KB)

From: scott
Subject: Re: Short one
Date: 11 Oct 2007 03:30:20
Message: <470dd10c$1@news.povray.org>
>  Accounts, access control, etc. are only good for remote access.
> If someone has direct access to your computer, they serve only as a
> deterrent for the novice and a slowdown for the expert. There's little
> stopping the user from e.g. booting from a Linux installation disk and
> wiping out the contents of the HDs.

That may be so, but they wouldn't be able to read my data, or modify it 
without me noticing (eg that the HD has been wiped, or certain files give an 
error when trying to load).  They need my password and my USB security key 
to be able to do that.


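scott's point above, that offline changes would not go unnoticed without his password and USB key, shown as an added example that is not part of the original thread. It uses keyed integrity tags (PBKDF2 plus HMAC-SHA256) rather than whatever scott's setup uses; the in-memory `disk` dict, the sample values and the names `derive_key`, `seal` and `verify` are hypothetical.

```python
import hashlib
import hmac

def derive_key(password, token, salt):
    # Both factors are needed: the USB token keys an HMAC over the password,
    # and PBKDF2 stretches the result. The key is never stored on the disk.
    mixed = hmac.new(token, password.encode(), hashlib.sha256).digest()
    return hashlib.pbkdf2_hmac("sha256", mixed, salt, 100_000)

def seal(files, key=None):
    """Map path -> tag. key=None gives a plain SHA-256 manifest (unkeyed)."""
    manifest = {}
    for path, data in files.items():
        name = path.encode()
        msg = len(name).to_bytes(4, "big") + name + data  # bind tag to path
        if key is None:
            manifest[path] = hashlib.sha256(msg).hexdigest()
        else:
            manifest[path] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return manifest

def verify(files, manifest, key=None):
    """Return the sorted paths that were modified, removed or added."""
    current = seal(files, key)
    return sorted(
        p for p in manifest.keys() | current.keys()
        if not hmac.compare_digest(manifest.get(p, ""), current.get(p, ""))
    )

def demo():
    # Constructed sample data; the dict stands in for the on-disk files.
    salt = b"constructed-salt"
    key = derive_key("constructed password", b"\x01" * 32, salt)
    disk = {"notes.txt": b"meeting at 10", "ledger.csv": b"alice,100\n"}
    keyed = seal(disk, key)

    # Offline change made without the password or the token.
    disk["ledger.csv"] = b"alice,900\n"
    # An unkeyed manifest kept on the same disk can simply be regenerated,
    # so it verifies cleanly and the change goes unnoticed.
    plain_after = seal(disk)
    # A keyed manifest cannot be regenerated without the key; a guess fails.
    forged = seal(disk, derive_key("guess", b"\x00" * 32, salt))
    return verify(disk, plain_after), verify(disk, keyed, key), verify(disk, forged, key)

if __name__ == "__main__":
    print(demo())
```

This only makes changes noticeable; it does not prevent wiping, and restoring older files together with their older keyed manifest would still verify.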

From: Warp
Subject: Re: Short one
Date: 11 Oct 2007 05:49:18
Message: <470df19d@news.povray.org>
Darren New <dne### [at] sanrrcom> wrote:
> Right. And I was pointing out that resetting the root password from the 
> local console is indeed a security hole if the owner of the computer 
> isn't the one sitting at the console.  Makes sense?

  Well, if you can reinstall Linux in the computer, then that's basically
the same level of insecurity as being able to reset the root password.

> >   It would, quite naturally, not make too much sense that if you forgot
> > the root password, you would be completely stuck and the computer would
> > become completely unmaintainable. There must, of course, be some way of
> > resetting the root password (given that you have direct physical access
> > to the computer). It's just common sense.

> Sure. But preserving all the data of everyone on the machine when 
> resetting the password is less secure than resetting the password by 
> wiping out all data on the machine.

  How is the OS going to stop someone from booting from a specially created
CD which allows you to read the contents of the HDs regardless of what
the ownership flags of the files are?

  The only way to reduce that risk is to encrypt the files, but in that
case then even being able to reset the root password is not going to help
in decrypting them.

> >   Accounts, access control, etc. are only good for remote access.

> I disagree. If they're only good for remote access, why is there advice 
> that you shouldn't log in as root for everyday use?

  If you are referring to protection against fumbling things (e.g.
accidentally writing "rm /"), then of course it's a good thing not
to be always logged in as root. However, I was talking from the point of
view of a malicious user who wants to do some mayhem to the system.
Accounts are of no use if the malicious person has direct access to
the computer.

> Again, you're making a boolean description of security. The fact that 
> you can destroy the computer doesn't mean it's "insecure".

  Then we disagree.

> >   You mean some OS can stop someone from booting from a CD and wiping
> > the HDs, for example?

> No, but that's *more* secure than someone booting from a CD and reading 
> all your files. That's why they invented paper shredders.

  If your files are encrypted then the root password is of no use to
decrypt them. You can only do the same thing as you could do with the
boot CD: Destroy or modify the files.

> I'd rather have my backup disks, when stolen by a thief, get wiped out 
> and sold as blank media than to have all my personal information 
> accessible to the thief.  There's not too much you can do to keep the 
> disk from getting stolen, but you can keep the data from getting stolen.

  What does this have to do with you being able to reset the root password?

> > Remote access can be made much more secure.

> No question there. Remote access prevents a number of attacks. But that 
> doesn't mean local access must or even should allow all attacks.

  Being able to reset the root password and being able to boot from a CD
are basically the same thing. The only way you can "protect" anything is
by encryption, in which case neither thing is too helpful in decrypting.

-- 
                                                          - Warp



From: Warp
Subject: Re: Short one
Date: 11 Oct 2007 05:51:05
Message: <470df209@news.povray.org>
scott <sco### [at] laptopcom> wrote:
> That may be so, but they wouldn't be able to read my data, or modify it 
> without me noticing (eg that the HD has been wiped, or certain files give an 
> error when trying to load).  They need my password and my USB security key 
> to be able to do that.

  The only way to achieve that is encrypting the files, in which case being
able to reset the root password is of no additional help (compared to being
able to boot from a CD).

  Being able to reset the root password and being able to boot from a CD
are basically the same thing, when you have direct access to the computer.

-- 
                                                          - Warp



From: scott
Subject: Re: Short one
Date: 11 Oct 2007 06:54:51
Message: <470e00fb@news.povray.org>
>  The only way to achieve that is encrypting the files, in which case being
> able to reset the root password is of no additional help (compared to being
> able to boot from a CD).

How are you going to reset the root password if the harddrive is encrypted?



From: Warp
Subject: Re: Short one
Date: 11 Oct 2007 07:22:06
Message: <470e075e@news.povray.org>
scott <sco### [at] laptopcom> wrote:
> >  The only way to achieve that is encrypting the files, in which case being
> > able to reset the root password is of no additional help (compared to being
> > able to boot from a CD).

> How are you going to reset the root password if the harddrive is encrypted?

  Perhaps you didn't understand what I said?

  Let me rephrase: Not being able to reset the root password does not add
any security compared to being able to boot from a CD.
  Conversely, being able to reset the root password is no more insecure
than being able to boot from a CD.
  Neither thing is going to help you decrypting those files. However,
both things can be used to abuse the system in other ways.

  I'm certain you can set up Linux in a way that it's not possible to
reset the root password. However, that's somewhat moot if you are still
able to boot from a CD. Just boot from a CD and you have root access to
the HD. The only way to try to protect from that is to disable booting
from CD from the BIOS and put a BIOS password. Of course this is only a slight
slowdown, not a working security measure (because that doesn't stop the
malicious person from physically removing the HD from the computer and
putting it in another), but it introduces a maintenance disadvantage:
You'd better not forget the BIOS password.

  The thing is, no matter what you try to do, if the malicious person has
direct access to the computer, it will be insecure. The only thing you can
do is to encrypt your data, in which case it doesn't matter if the root
password can be reset (because the root password doesn't help you decrypting
the files). This is completely equivalent to being able to boot from a CD,
and also to be able to remove the HD from the computer and putting it in
another.

  The initial claim was that being able to reset the root password (when
you are using the computer directly, not remotely) is somehow a security
hole. This is nonsense. It's not more of a security hole than being able
to boot from a CD or being able to physically transfer the HD to another
computer.
  You can, of course, disable this. However, it would be mostly useless
from a security point of view.

-- 
                                                          - Warp



From: scott
Subject: Re: Short one
Date: 11 Oct 2007 07:35:07
Message: <470e0a6b@news.povray.org>
>  The thing is, no matter what you try to do, if the malicious person has
> direct access to the computer, it will be insecure. The only thing you can
> do is to encrypt your data, in which case it doesn't matter if the root
> password can be reset (because the root password doesn't help you decrypting
> the files).

Unless your particular encryption system works transparently to the user for 
each account automatically (like it does in Win XP).  If that was the case, 
being able to gain access as root would allow you to access all the files 
encrypted by root.  Is it impossible that there is some software for Linux 
that works in a similar manner?  (ie you can only "decrypt" by logging in 
with a particular account, not from examining HD contents).



From: Fa3ien
Subject: Re: Short one
Date: 11 Oct 2007 09:05:08
Message: <470e1f84$1@news.povray.org>

> 
>   The thing is, no matter what you try to do, if the malicious person has
> direct access to the computer, it will be insecure. The only thing you can
> do is to encrypt your data, in which case it doesn't matter if the root
> password can be reset (because the root password doesn't help you decrypting
> the files). This is completely equivalent to being able to boot from a CD,
> and also to be able to remove the HD from the computer and putting it in
> another.

Not 100% equivalent.

Changing a password is something you can do in a few seconds, and is barely
noticeable.

Rebooting on a CD is a slightly more noticeable operation.

And, if a password-locked BIOS is configured to prevent boot from CD,
removing the hard drive is very very noticeable.

See, there are still some levels in between...

>   The initial claim was that being able to reset the root password (when
> you are using the computer directly, not remotely) is somehow a security
> hole. This is nonsense. It's not more of a security hole than being able
> to boot from a CD or being able to physically transfer the HD to another
> computer.

It's a higher risk, since it can be done so quietly compared to the other
options you cite.

Fabien.


