On 21/08/13 21:52, Simon Avery wrote:
>
> Not necessarily, if it can be accessed remotely.

Yeah, if the machine is running and the encrypted storage is online and mounted, the crypto isn't going to help much. It's weird how many people don't seem to realise that! It's for protecting at rest, when the machine and its storage is off.

>
> Sticky label on a physical machine, especially if it's locked away in a
> cupboard, ain't so bad. If the bad guy has physical access to your
> hardware, you've already lost.
>
> Not necessarily (see my reply to the other Simon yesterday).

It's also strange - to me at least - that people automatically assume physical access = game over. There are a lot of gradations of "physical access".

Now, if the bad guys have literally nicked your equipment and it's now sat in their well-stocked lab, they have skillz, coffee and patience... well, you are definitely screwed. Even super-hardened devices specifically designed to withstand exactly this kind of attack are going to fall to determined enough attackers eventually (see: every games machine ever released). Once they start chemically stripping the chips and putting them under electron microscopes, well, they kind of deserve to get to the bottom of it to be fair.

However, a lot of people - I'd even say most - seem to equate "the bad guy has physical access" with "the bad guy is in your office, sat down in front of one of your computers". As I pointed out, that isn't difficult to mitigate. Lock all firmware and boot code with admin passwords, and if you've got a TPM, the admin can actually leverage the good side of this technology to secure everything with keys instead. All options to change boot order, trigger a Linux recovery image boot, tamper with the kernel stanza, reconfigure BIOS, default EFI... all of that should be locked out against the users anyway.

With employers who let me, I have all workstations and laptops tethered to bolted-down desks or a wall ringbolt with a decent locking cable - most boring, cheap-ass £300 business PCs have reinforced latches on the case to thread the same cable through too, preventing the case being opened (turn chassis intrusion alerts on as well). Most servers have lockable cases by default, and I tether them to the racks as well even though they're already in an access-controlled room. At this point the bad guy is going to need a good couple of hours, when nobody else is around, and really, he's just going to have to steal the damn thing anyway if he can cut the lock cable. Can't get into the case to reset jumpers or just nick the drives, can't boot from USB, can't reset anything... Thwarted.

This is exactly what I do with my home systems, except I'm way too lazy to keep all the various laptops, phones and other portable gadgets secured; it would compromise their usefulness too much. All full-size computers however are physically tethered down and cases locked shut. Without my admin passwords, it's not possible to do anything after turning them on except watch them boot to their configured OS - bootloaders, BIOS/EFI/etc. firmware, the lot: it's all locked. The best crims/spooks could hope for if they broke in whilst we were all away on holiday is nicking all our other gadgets (only computers get this treatment; anyone could waltz in and nick the big TV downstairs or the stereo!) and any small stuff we'd left lying around - with some decent boltcutters and a van they could certainly nick everything, but they won't be getting any data from them as all drives are encrypted.

So I don't think this old "if the bad guy has physical access" mantra is anywhere near as absolute as people make it out to be.

Regards

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq
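The "locked boot chain" the post describes (firmware and bootloader password-locked, TPM available, drives encrypted at rest) can be audited from the OS once it is up. The script below is an added example, not the poster's own script or anything from the list; it assumes a Linux box with UEFI, GRUB 2 and the usual sysfs/efivars paths, and every check takes an explicit root directory or file argument so the same functions can be run against a constructed test tree or saved `lsblk` output. Note what it does not tell you: a passing `root_on_crypt` only means the disk is protected when the machine is off, exactly the at-rest caveat the post opens with.

```shell
#!/bin/sh
# boot-audit.sh: check the locked-boot-chain posture described in the post.
# Added example, not the poster's script. Assumes Linux with UEFI, GRUB 2
# and the standard sysfs/efivars layout; each check takes a root prefix or
# file argument so it can be pointed at a constructed test tree.

# UEFI Secure Boot state: the SecureBoot-<guid> efivar is a 4-byte attribute
# header followed by one data byte, which is 1 when Secure Boot is enforcing.
secureboot_enabled() {
    root="${1:-}"
    var=$(ls "$root"/sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | head -n 1)
    [ -n "$var" ] || return 1
    [ "$(od -An -tu1 -j4 -N1 "$var" | tr -d ' ')" = "1" ]
}

# A TPM bound by the kernel (tpm0) is what lets the admin seal disk keys to
# the measured boot chain instead of relying on firmware passwords alone.
tpm_present() {
    root="${1:-}"
    [ -e "$root/sys/class/tpm/tpm0" ]
}

# GRUB 2 lock: once "set superusers=" is defined, editing the kernel stanza
# and booting any entry not marked --unrestricted needs the superuser
# password, which should be a PBKDF2 hash, never a plaintext "password" line.
grub_locked() {
    cfg="$1"
    [ -r "$cfg" ] || return 1
    grep -Eq '^[[:space:]]*set[[:space:]]+superusers=' "$cfg" || return 1
    grep -Eq '^[[:space:]]*password_pbkdf2[[:space:]]' "$cfg" || return 1
    ! grep -Eq '^[[:space:]]*password[[:space:]]' "$cfg"
}

# Encryption at rest: the device chain under the root filesystem (lsblk -s
# walks from the mounted device back to the disk) must contain a "crypt"
# layer. Pass a file of saved "lsblk -sno TYPE" output to audit offline.
root_on_crypt() {
    if [ -n "${1:-}" ]; then
        types=$(cat "$1")
    else
        types=$(lsblk -sno TYPE "$(findmnt -no SOURCE /)" 2>/dev/null)
    fi
    printf '%s\n' "$types" | grep -qx crypt
}

# Run every check, print one line per result and return the failure count.
audit_boot_chain() {
    root="${1:-}"
    cfg="${2:-$root/boot/grub/grub.cfg}"
    lsblk_file="${3:-}"
    fails=0
    report() {
        if "$@"; then echo "PASS $1"; else echo "FAIL $1"; fails=$((fails + 1)); fi
    }
    report secureboot_enabled "$root"
    report tpm_present "$root"
    report grub_locked "$cfg"
    report root_on_crypt "$lsblk_file"
    return "$fails"
}

# Audit the live machine with: sh boot-audit.sh --run
case "${1:-}" in
    --run) audit_boot_chain "" ;;
esac
```

To make `grub_locked` pass on a Debian-style system, generate the hash with `grub-mkpasswd-pbkdf2`, put the `set superusers="admin"` and `password_pbkdf2 admin grub.pbkdf2.sha512...` lines in `/etc/grub.d/40_custom`, and regenerate `grub.cfg` with `update-grub` (or `grub-mkconfig`). The script checks the generated `grub.cfg` rather than the fragment so a stale config is caught too.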