On Sat, 13 Oct 2007 06:50:16 -0400, Warp wrote:
> Jim Henderson <nos### [at] nospamcom> wrote:
>> > You mean some OS can stop someone from booting from a CD and wiping
>> > the HDs, for example?
>
>> My brand-new HP Pavilion has settings in the hardware that do just
>> that,
>
> The hardware is not the OS.
No, really? In the end, I don't care if it's the OS or the hardware, if
I can restrict the usage in a corporate environment in that way, I don't
particularly care which it is.
The end result is what *I'm* looking at.
>> in fact. Password protect the bios and disallow booting from any
>> device other than the hard drive.
>
> Bios settings can be reset, and hard drives can be physically
> transferred to other computers.
Sure, so what you do is lock it in a room where only authorized users can
access it, bolt it to the desk, and lock the case. Sure, they *could*
come in with a sawzall and cut the lock, bolts, or case open, but they're
likely to be seen.
Computer security ain't just about the OS, it's about the entire system.
If you try to practice security using *only* the OS, you *will* fail.
> Bios passwords are only a deterrent. They are not secure.
Again, depends on the level of physical access to the system.
Jim
On Sat, 13 Oct 2007 09:09:35 -0700, Darren New wrote:
> Supposedly, the new Vista full-drive encryption prevents this, storing
> the password somewhere on the motherboard or some such, even if you
> chose not to have a USB key.
I'd heard that - there are some systems that implement this at the
hardware level as well - I think my Thinkpad has an option like that that
keys the drive to the hardware.
Jim
Jim Henderson <nos### [at] nospamcom> wrote:
> Sure, so what you do is lock it in a room where only authorized users can
> access it,
Optimally only the person who knows the root password has direct access
to the computer.
In which case it doesn't really matter if the root password can be
reset locally or not.
--
- Warp
On Sat, 13 Oct 2007 17:23:37 -0400, Warp wrote:
> Jim Henderson <nos### [at] nospamcom> wrote:
>> Sure, so what you do is lock it in a room where only authorized users
>> can access it,
>
> Optimally only the person who knows the root password has direct
> access to the computer.
This is certainly true for servers. Unfortunately, we also have these
things called "users" who use computers. ;-)
> In which case it doesn't really matter if the root password can be
> reset locally or not.
Yes.
BTW, this was considered very standard practice for NetWare (still is,
for that matter) - physical console access = access to everything. It
amazed me that some systems admins never understood that concept - and
put their servers in, say, the middle of their office space.
Similarly with Windows, in a retail environment I used to work in a few
years ago, the servers were put in the store manager's office. Guess
where many store managers put shoplifters they catch while waiting for
the police, frequently unsupervised....
Now make each of those servers a domain controller. Yep, we had to plan
our designs around the idea that someone could walk off with the hard
drives from the system, compromising a domain of 500-1500 DCs.
"Not pretty" doesn't even begin to describe the amount of traffic
generated by a global password change with that many DCs. With the WAN
in place, I estimated 4 months' worth of traffic at 100% network
utilization.
Jim
Jim Henderson <nos### [at] nospamcom> wrote:
> > Optimally only the person who knows the root password has direct
> > access
> > to the computer.
> This is certainly true for servers. Unfortunately, we also have these
> things called "users" who use computers. ;-)
Users should only use the computer remotely. Just give the users a
dummy "multimedia" PC with no valuable information stored in it and
whose HD can be reset to default each night. (That's what they do at the
university here.)
Networked file systems exist for a reason.
--
- Warp
>> Law enforcement can get a subpoena or warrant for keys to a safe. I
>> suspect that in many countries they would treat a password the same.
>> Failing to turn over the password might have worse consequences, since a
>> contempt of court charge would just leave someone sitting in jail until
>> they turned over the password.
>
> If the suspect simply claims that he forgot it, how can they prove he
> didn't?
Well I guess if they showed he had used it every day for the last 5 years
then the jury wouldn't find it too hard to come to a decision...
scott <sco### [at] laptopcom> wrote:
> Well I guess if they showed he had used it every day for the last 5 years
Big Brother is watching? I'm not comfortable with where this is going...
I see where this is going. Let's see which country is the first to make
all kinds of encryption illegal.
--
- Warp
>> Well I guess if they showed he had used it every day for the last 5 years
>
> Big Brother is watching? I'm not comfortable with where this is going...
If you've just been arrested (and had your PC taken away) on suspicion of
downloading child porn (or whatever), then I think the police could quite
easily get records of your activity online, they may have even been spying
on you already.
It's then up to the jury what they think after all the facts have been
presented. It's not going to look good if you conveniently "forgot" the
password to work your computer the day it was confiscated, but you managed
to work it fine for the last few years.
Besides, the ISP will probably have records of what you did online, and I
suspect some expert lab would be able to look at the PC and say how recently
a lot of the data on the disc had changed (i.e. was the drive re-encrypted
with a different key recently).
scott <sco### [at] laptopcom> wrote:
> they may have even been spying on you already.
Regardless of the suspected crime type, I'm still not very comfortable
if the police could legally spy on anyone they want.
I suppose that's where the world is going. Hundreds of millions of people
will have to reduce their rights to privacy so that the few dozens of bad
criminals can be spied upon.
--
- Warp
>> they may have even been spying on you already.
>
> Regardless of the suspected crime type, I'm still not very comfortable
> if the police could legally spy on anyone they want.
How are they meant to catch people downloading illegal material without
spying on you? Don't ISPs already report suspected illegal activity to the
police?