[ Date Index ][
Thread Index ]
[ <= Previous by date /
thread ]
[ Next by date /
thread => ]
Jon Still wrote:
On Thu, 16 May 2002, Ian P. Christian wrote:Perhaps a little off topic, but I see no reason why manufacturers should wise up to it. Anyone who knows anything about hardware will know how to get around the jumper anyway, so why hide it?One of the more important rules of security is that physical security is paramount - once a cracker has physical access to your machine he can do as near as dammit anything. Why bother trying to bypass a BIOS password when you can just remove the HD?
As always it is a threat model - if you are trying to discourage people from stealing your computer, or to discard it quickly after stealing it, or just discourage your IT department from accessing your PC unattended then a password on boot that isn't easily bypassed is an excellent method. If you care about data security (after physical security is bypassed) than yes BIOS passwords aren't very useful, you need to encrypt the data. For most thefts, especially laptops, I'd guess the thieves are more interested in the value of the computer, rather than the data, but unless we catch the majority of them we'll never know for sure! If every time they stole one they had to work out how to reset the BIOS password, or replace/reflash the bios, some would go back to stealing cars or jewelry ;) Effectively it is a defence by obscurity, and of decreasing utility in this Internet enabled age, but still not useless. I can witness how many SUN Microsystem boxes were dumped because the battery backed NVRAM devices failed, when all it required was a spare battery and 5 lines of Boot prompt typing. HP still licence HP-UX software based on system ID, we all know it is software programmable, but I've never seen anyone attempt to make unauthorised copies of software by reprogramming it. Irritatingly for disaster recovery work reseting the system ID would be very handy, as it is otherwise required to relicence such software, but HP wouldn't like that.
This is why companies such as IBM and nCipher are now producing Hardware Security Modules - basically a PCI card or drive-bay enclosure that is used to store key-pairs. These devices are generally tamper-resistant (or at least tamper-evident) and once you've put the keys into the box you *cannot* get them out. Keys can only be reloaded into a box if you have a certain number of smartcards that store key data.
I was taught about some similar stuff in the financial transaction hardware at some banks back in the mid Eighties (Acid and circuit boards don't mix). Although I've never found anyone in the City who admits to using such sophisticated tamperproof systems any more. -- The Mailing List for the Devon & Cornwall LUG Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.