Tor Olav Kristensen wrote:
>
> Just boot an OS from a media that he does not control.
> E.g. Knoppix from a CD or a memory stick.
>
You do realize that if it's a company machine, he controls the boot order.
--
Eero "Aero" Ahonen
http://www.zbxt.net
aer### [at] removethiszbxtnetinvalid
Orchid XP v8 wrote:
> I was say this with complete authority: If you are not a computer
> expert, there is nothing you can do to stop your sysadmin reading
> through your stuff if he wants.
Remember that not all sysadmins are as clued also. Would *you* know how
to flash a BIOS so it looks like it's booting your operating system but
is really booting a different one? I sure wouldn't.
--
Darren New / San Diego, CA, USA (PST)
Helpful housekeeping hints:
Check your feather pillows for holes
before putting them in the washing machine.
>> I was say this with complete authority: If you are not a computer
>> expert, there is nothing you can do to stop your sysadmin reading
>> through your stuff if he wants.
>
> Remember that not all sysadmins are as clued also. Would *you* know how
> to flash a BIOS so it looks like it's booting your operating system but
> is really booting a different one? I sure wouldn't.
Would a typical non-expert computer user know how to do something that
actually requires this? No. ;-)
If we assume that the sysadmin is sufficiently more knowledgeable than
you that you're asking somebody else how to keep them out, you're more
or less doomed to failure. (Unless the person you ask knows your system
well and comes up with some damned good advice!)
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Eero Ahonen wrote:
> Tor Olav Kristensen wrote:
>>
>> Just boot an OS from a media that he does not control.
>> E.g. Knoppix from a CD or a memory stick.
>>
>
> You do realize that if it's a company machine, he controls the boot order.
Yes, but (IIRC) in this part of the discussion it was said that it
would be difficult for the manager of a company to prevent system
administrators from reading confidential information.
If you are the manager, you can instruct system administrators to
set the desired boot order on your PC.
--
Tor Olav
http://subcube.com
>> You do realize that if it's a company machine, he controls the boot
>> order.
>
> Yes, but (IIRC) in this part of the discussion it was said that it
> would be difficult for the manager of a company to prevent system
> administrators from reading confidential information.
>
> If you are the manager, you can instruct system administrators to
> set the desired boot order on your PC.
If you are the manager, you can instruct the system administrators to
keep out of your files. Why are we having this discussion again? ;-)
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
Jim Henderson wrote:
> That's good to know - I know this can be implemented a number of
> different ways, and not being a Windows user, I wasn't sure which method
> was used.
The main drawback, of course, is that you're still limited by your login
password's length. You can't have a 90-character pass phrase locking the
files like you can in some other systems. But it's probably good enough
to keep out random curiosity seekers, general laptop thieves, and so
on. Just don't store your child porn that way and expect to get away
with it. I wouldn't trust lives to it, but it *is* convenient that you
can encrypt some files and not others.
Plus, I'm pretty sure that if you (say) encrypt files on a USB drive,
the actual private key to decrypt the files isn't on the drive itself.
Rather, it's only stored on the C: drive on the machine you log in
to[1]. So if you encrypt your backups, it's probably pretty secure, and
certainly better than nothing.
[1] Bonus points to any flames about AD, that you can install windows on
something other than C:, and so on.
--
Darren New / San Diego, CA, USA (PST)
Helpful housekeeping hints:
Check your feather pillows for holes
before putting them in the washing machine.
Darren New wrote:
> [1] Bonus points to any flames about AD, that you can install windows on
> something other than C:, and so on.
Writing "C:" is much shorter than writing "the local hard drive(s)". ;-)
I know nothing about file-level encryption on the Windoze platform (not
something I ever use), but I would *presume* that for local user
accounts, the encryption key is in the registry somewhere, whereas for
network user accounts it'll be in the Active Directory somewhere [where
the sysadmin can get at it].
I'm far more concerned about the fact that we routinely email stuff to
people using password-protected Zip files, which are apparently
trivially crackable. :-S Still, all those customers who are serious
about security make us use some kind of SSH/SSL encrypted remote access
system rather than just email. ;-)
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*
On Sun, 06 Jul 2008 10:48:57 -0700, Darren New wrote:
> Jim Henderson wrote:
>> That's good to know - I know this can be implemented a number of
>> different ways, and not being a Windows user, I wasn't sure which
>> method was used.
>
> The main drawback, of course, is that you're still limited by your login
> password's length. You can't have a 90-character pass phrase locking the
> files like you can in some other systems. But it's probably good enough
> to keep out random curiosity seekers, general laptop thieves, and so
> on. Just don't store your child porn that way and expect to get away
> with it. I wouldn't trust lives to it, but it *is* convenient that you
> can encrypt some files and not others.
What is the current max length of a Windows password? I know my
20-character password had to be cut down to 14 IIRC on WinNT and possibly
Win2K - the dumb thing seemed to be that when setting the password, the
password got truncated and then hashed, but when checking, it was hashed
as is (or vice versa), so if you set your password to a value that was
too long, you could never login.
> Plus, I'm pretty sure that if you (say) encrypt files on a USB drive,
> the actual private key to decrypt the files isn't on the drive itself.
> Rather, it's only stored on the C: drive on the machine you log in
> to[1]. So if you encrypt your backups, it's probably pretty secure, and
> certainly better than nothing.
That's handy.
> [1] Bonus points to any flames about AD, that you can install windows on
> something other than C:, and so on.
Not sure I follow here - unless you're saying that with AD the key isn't
stored on the local machine...
Jim
On Sun, 06 Jul 2008 18:15:55 +0100, Orchid XP v8 wrote:
>>> You do realize that if it's a company machine, he controls the boot
>>> order.
>>
>> Yes, but (IIRC) in this part of the discussion it was said that it
>> would be difficult for the manager of a company to prevent system
>> administrators from reading confidential information.
>>
>> If you are the manager, you can instruct system administrators to set
>> the desired boot order on your PC.
>
> If you are the manager, you can instruct the system administrators to
> keep out of your files. Why are we having this discussion again? ;-)
Because not all sysadmins follow their manager's instructions.
Jim
Jim Henderson wrote:
> What is the current max length of a Windows password?
I'm not sure, and it changes depending what you're doing. Just logging
in locally? Logging into a domain? Talking over SAMBA? Talking to a
non-windows-NT SAMBA? It's at least 14 characters, and if you make it
that long, the 7+7 broken hash in the login doesn't work any more.
(I.e., at 14+ characters, you can't brute force it nearly as easily as
at 13 characters, because Windows no longer exhibits the flaw that makes
it easy to crack.)
>> [1] Bonus points to any flames about AD, that you can install windows on
>> something other than C:, and so on.
>
> Not sure I follow here - unless you're saying that with AD the key isn't
> stored on the local machine...
Only that saying "C:" is a generic term, and I'm aware of that fact.
--
Darren New / San Diego, CA, USA (PST)
Helpful housekeeping hints:
Check your feather pillows for holes
before putting them in the washing machine.
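
The "7+7" hash discussed in the post above is the legacy LAN Manager (LM) scheme. As an added illustration that is not part of any post in this thread, the sketch below reproduces the preprocessing LM applies before hashing and compares the resulting brute-force search space with that of a 14-character password hashed as one unit. The function names and the ASCII-only restriction are assumptions of this example, and the DES step that produces the actual hash is left out.

```python
import math
import string

LM_MAX = 14  # LM works on exactly 14 bytes: shorter input is NUL-padded

# LM uppercases first, so lowercase letters never reach the hash:
# digits + A-Z + punctuation + space = 69 symbols instead of 95.
LM_ALPHABET = len(string.digits + string.ascii_uppercase + string.punctuation) + 1
FULL_ALPHABET = LM_ALPHABET + len(string.ascii_lowercase)


def lm_halves(password: str):
    """Return the two 7-byte blocks LM hashes separately, or None if
    the password is too long for an LM hash to exist at all."""
    if len(password) > LM_MAX:
        return None
    raw = password.upper().encode("ascii").ljust(LM_MAX, b"\0")  # ASCII only (assumption)
    return raw[:7], raw[7:]


def lm_search_bits() -> float:
    """Worst-case brute-force work, in bits, against both LM halves.
    The halves are independent, so their costs add rather than multiply."""
    return math.log2(2 * LM_ALPHABET ** 7)


def full_search_bits(length: int) -> float:
    """Work for a case-sensitive password hashed as a single unit."""
    return length * math.log2(FULL_ALPHABET)


if __name__ == "__main__":
    for pw in ("Password123456", "password123456", "short", "x" * 15):  # constructed samples
        print(repr(pw), "->", lm_halves(pw))
    print(f"LM, 7+7 split:      {lm_search_bits():.1f} bits")
    print(f"14 chars, one hash: {full_search_bits(14):.1f} bits")
```

Because no LM hash can be derived from a password longer than 14 characters, administrators auditing legacy systems typically disable LM hash storage outright rather than rely on password length.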