How can I secure my system, like, physically, too?

For example, I don't want people to be able to go on my computer, use a system recovery disk and create a partiton, then get my files from my other partition.

Also, I don't want them to be able to pull the harddrive out and use it as a slave drive on another computer and gleen my files.

Ideas? Suggestions? Tutorials?

Dankeshern!

First thing: 100% security is not possible.

Things you can do to add more security:

- password protect bios.
See: Manual that came with your motherboard.

- boot sequence should boot HD first, then floppy and/or cd/dvd.
See: Manual that came with your motherboard.

- protecting your HD could be done by encrypting it.
Feed your searchengine with:
linux encrypted filesystem <distro>

- password protect lilo.
man lilo

- use strong passwords for root and users (use md5 instead of des for encryption).
- check for package updates which are security related and install them.

Hope this helps a bit.

Of the excellent suggestions druuna makes, encrypting your filesystem is really the main one to achieve what you want to. You can encrypt the entire hard disk (there are tutorials around and it should be easier with the 2.6 kernel).

An alterntive from SuSE or Mandrake, for example, allows you to create encrypted partitions very easily. This is simpler than doing the whole hard disk and can protect your data.

If you are really serious about protecting your data from even a motivated and well financed attacker, you would also need to think about clearing out temporary files written in the root partition and wiping swap space using some disk wipe utility; but I suspect for most of us that is beyond what is really sensible to bother with*.

* Because firstly most of use don't have anything that a motivated and well financed attacker would really care about and secondly if someone did need to get the information that badly there are probably easier ways that retrieving it forensically from your hard drive, such as just threatening or blackmailing you to supply the password.

I'll third the motion for encrypted partitions. If you *really need that much security* then nothing else will substitute for encrypting the partitions, because any of the other methods can be bypassed. If someone has physical access to your box you have to conceed that they will be able to break in. After that, all you have left is encrypting the data so even when they haul it away it will be useless to them (although still a Denial of Service to you).

I question whether you really need that much security? I don't think you'd be asking questions like this if it was for your work, and I think a business would hire someone more knowledgeable to security critical systems, so I'm assuming this is for personal use. Unless of course, you're afraid your computer will be seized and used as evidence against you... in which case, we're back to encryption because I assure you the government will be able to bypass all those other controls in a few minutes.

Thanks for the responses!

Yeah, it's for personal use. I'm doing it because it's fun, I want to learn how to 'secure' (to best ability - everything's breakable) systems.

Also, I'm thinking of buying a laptop - and yeah - you get the point

To offer another view point, I think this is a valid question for those of us that work on laptops and I think MORE people should be asking this same question. I know that when I am on-site at a client, I lock up my laptop with a cable lock which is fine and dandy if a thief cares about stealing the machine, however, the HD, RAM, Battery etc. are readily available to anyone with a screw driver and 30 seconds - less if the perp is under 22 years old and from the tech-generation. Of those removable components, the HD is valuable because it holds business data which should be protected as much or more strongly than the machine as a whole - contracts, HR info, passwords, the Cadbury secret, it's all on there. You can't physically lock it to a desk, so what then?

Encryption, of course, is the answer. But I would be willing to bet that >95% of people out there do not have any HD protection on their machines. I don't.

Now you have me thinking, maybe I should encrypt my laptop disk to learn how... What are the performance implications?

J.

I've been thinking the same thing about disk encryption (though I don't think I would go further than encrypting my data right now).

However, the key point is whether the thief can benefit from your data. If the kid steals your hard drive, you've still lost it whether or not its encrypted. If he could then use it to ruin your business, steal money from your bank account etc. then encryption is a good thing. If he just gets a bunch of files that do him no good at all, there's still not much point.

I hear what you are saying and I understand that if it is just a 'snatch&run' crime then the data isn't as valuable as the machine. However, I'm sure many of us here do carry valuable information. In my case, I have a great deal of confidential data that travels with me. I'm sure it's not valuable to most people, but it would probably benefit others. My non-encryption is a risk to my clients and in-turn is a risk to me.

For instance, I am usually given administrator access to my client's systems - usually in the form of an ID file which is susceptible to automated password cracking. As part of my job function, I perform security audits on some systems - I am always surprised at how many systems rely on security through obscurity... after it's in my audit, the holes are no longer obscure and hence valuable to a would-be attacker.

*shrug* I'm at the low end of the scale but how 'bout those execs that wander around with their laptops in tow; contain information about mergers, HR, financial performance etc. Shouldn't they be concerned about data protection as well? I wonder when data encryption will become the norm.

JordanH

Sounds like you have a good reason to encrypt.

As an aside, someone I know works for a big bank and had their laptop stolen (from a secure locked storeroom) at a conference. The whole thing was encrypted (running Win2K). The thief actually phoned him up, pretending to be a police officer who had found the laptop and asked for the password so the police could verify it was his.

Naturally he declined this kind offer, but encryption worked well for him, protecting the banks data.

I've heard some pretty crazy tales too. I did some work for our police department a while back and I joked about not needing to lock up my laptop... they quite seriously told me that they have had several laptops go missing and to make sure it was locked at all times. Can you imagine having the guts to walk into a police headquarters, pick up a police laptop and walk back out of the building?! Some people astound me.