LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Closed Thread
  Search this Thread
Old 03-07-2005, 07:20 PM   #31
lawmaker
LQ Newbie
 
Registered: Mar 2005
Posts: 18

Original Poster
Rep: Reputation: 0

Quote:
Originally posted by antony.booth
I think you're living on a different planet.
I suggest your data is so sensitive and valuable to nasty people, you shouldn't store it on computer.

smile.

thanks for the technical contribution.
 
Old 03-07-2005, 08:35 PM   #32
tormented_one
Member
 
Registered: Oct 2004
Location: Small Town USA
Distribution: slamd64 2.6.12 Slackware 2.4.32 Windows XP x64 pro
Posts: 383

Rep: Reputation: 30
[Quote]bios passwords are easily reset.

besides, the hd can simply be removed.[Quote/]

All of the stuff you are speaking of can be easily "cracked" as well, and if you were half as smart as you think you are why not add the bios password for a extra measure? Do some goggling anyone with half a hacker gene in them can get past all of that. Ever heard of computer forensics? I have some software that would eat that 1344mb triple blowfish up, and not even blink. Especially on a windows system, the parts of the os are too integrated. A linux 1344mb algorithum is a little harder but still posible to break.
 
Old 03-07-2005, 08:35 PM   #33
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally posted by KimVette
Easy fix: have your shutdown script clear /tmp
also, another approach could be to put /tmp in a ramdisk... this way there will be no trace of anything left even if the power goes off and the shutdown script didn't get executed...

Quote:
Originally posted by lawmaker
swap file/virtual memory would reveal masses of info.
the swap partition can be encrypted just like any other partition...


Last edited by win32sux; 03-07-2005 at 08:54 PM.
 
Old 03-07-2005, 09:45 PM   #34
jiml8
Senior Member
 
Registered: Sep 2003
Posts: 3,171

Rep: Reputation: 116Reputation: 116
Quote:
Your true level of security is far, far, far lower than you think. The fact that you have to reinstall Windows every few months is evidence of that.
This is very likely the truth. Windows just isn't that bad, once you have it set up, unless you mess with it or permit it to become infested with spyware/trojans/virii, etc.

WRT the OP's security question, I can't answer it because it isn't what I know. I can say, however, that I am quite sensitive to his need for security because I experience the same thing with my laptop. I have gone to considerable lengths to secure the HD so that if the machine is stolen, the very critical data that is on it won't be compromised.

In my case, the laptop runs XP and I have chosen to leave it that way because I have a soution that is quite adequately secure, my XP installation is secure because I make it so and continually monitor it to make sure it remains so, and I don't want to have to deal with figuring out and securing a Linux installation against theft, when such an activity isn't necessary because my windows installation is quite adequately secure.

This XP install has survived without being reloaded for nearly 3 years now, including service packs, upgrades, the installation of an assortment of software for various purposes, the failure of a HD - with the need to scroll the entire system off as the drive was failing, and then scroll it back onto a new HD - and then to fix up the damage.

If OP is compelled to continually reload Windows, he has another, quite serious problem and he is fooling himself if he thinks his system is secure.
 
Old 03-08-2005, 09:34 AM   #35
broch
Member
 
Registered: Feb 2005
Distribution: Slackware-current 64bit
Posts: 458

Rep: Reputation: 32
Quote:
the target of the security is against entry into the laptop, when it is stolen.
You have two choices then:
1. Install FreeBSD that has "all of it" for free
2. Install SuSE 9.2 during the installation select hdd ecryption (blowfish)

What you install depends on your skills. I don't consider FBSD installation difficult (later is KDE 3.4 Gnome 2.6, fluxbox/blackbox xfce4, whatever), however people are frightened by non-GUI installer, so maybe SuSE is the right choice.

The above will give you real advantage over windows:
1. it is free (SuSE 9.2 Pro can be installed over internet or DVD, FBSD is free)
2. it is more secure
3. FreeBSD disk encryption is more mature (older) than whatever you have in windows world. Additionally it is possible that someone will gain access to your key. However using it he/she will not get access to the data.


So in terms of data access I would go with UNIX/UNIX-like option (In fact I have FBSD 5.3 on my laptop). However I would not consider encryption as a only security measure.

So event in terms of data encription I'd say that I feel safer with FBSD or SuSE.
 
Old 03-08-2005, 10:48 AM   #36
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
i think it's also important to mention the risks involved with the boot process getting hijacked, as it could make all the encryption in the world useless...

it's another reason why the truly paranoid user should separate the boot process from the laptop, using a usb thumbdrive or a live cd...

Quote:
Trust is intertwined with cryptography and authentication. An implicit assumption of trustworthiness is given to any device that has an electronic key. For example, when I share my bank account PIN with an automatic teller machine, I trust that the ATM will not share my PIN with an inappropriate third party. In the same way, when I provide an encryption key to my computer, I assume the key will not be shared with anyone else. I trust the computer to keep the secret between us.

So, can you trust your computer? Unless you carry it with you everywhere, you really can't. This is true even if the disks have been encrypted. Consider this scenario: someone steals your computer as you sleep. The thief makes a copy of the encrypted contents of the computer, even though they are useless to him without their encryption key. He then replaces the encrypted laptop contents with something a little more diabolical and puts the computer back. When you wake up the next day, the computer prompts for an encryption password as it does every morning. But this time when you provide the key it electronically transmits the key to the thief. Because he now has a copy of your data and key, he can read your files.

This scenario may be a bit far-fetched, but it does illustrate a point. You can't trust your laptop. It's too big to keep your eyes on all the time. Therefore, no matter how well implemented your encryption system is, it is built without the prerequisite foundation of trust.

To ensure that we can trust the computer's boot process, we need to separate it from the computer. Consider this: you carry the keys to your car with you instead of carrying your car. Your encryption key is a natural conceptual leap from your car key. You can protect your encryption key more easily, so you don't have to carry your computer everywhere. To take things a little further and to address the above scenario, we also will place the software required to boot the computer on this key. The Flash disk will serve as this key. By protecting the software that boots the system initially, in addition to the encryption key, we can mitigate the risk of the boot process being hijacked.
http://www.linuxjournal.com/article/7743

Last edited by win32sux; 03-08-2005 at 07:46 PM.
 
Old 03-08-2005, 02:22 PM   #37
lawmaker
LQ Newbie
 
Registered: Mar 2005
Posts: 18

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by broch
You have two choices then:
1. Install FreeBSD that has "all of it" for free
2. Install SuSE 9.2 during the installation select hdd ecryption (blowfish)

this is interesting.

if fbsd has 'all of it', i need to read what it can do, for a newbie.

do you have any links?

as i understand fbsd can run most linux binaries, and is more stable/secure compared to linux. the remaining apps can be run under a virtual program like vmware.

If all that is true, i'm not sure why people use linux, instead of fbsd, as everyones running away from the wintroll disease, so why not go all the way?

I did find an interesting opensource program, based on 'encryption for masses', which was developed by the drivecrypt team years ago.

http://truecrypt.sourceforge.net/downloads.php

It hasn't been ported to linux/fbsd yet, but as it's opensource, i can only hope someone considers that.

ok. new project, check out fbsd, as it's supposed to be more secure/stable than linux. No point doing half measures.

Of course, my understanding of fbsd could be wrong.
 
Old 03-08-2005, 03:34 PM   #38
Aeiri
Member
 
Registered: Feb 2004
Posts: 307

Rep: Reputation: 30
Quote:
If all that is true, i'm not sure why people use linux, instead of fbsd, as everyones running away from the wintroll disease, so why not go all the way?
People don't use Linux for security. Only stupid people do. I use Linux because I tried it out and I prefer it so much more over Windows or Mac or DOS. The flexibility it poses makes me piss my pants sometimes.

Quote:
ok. new project, check out fbsd, as it's supposed to be more secure/stable than linux. No point doing half measures.
An OS is only as secure as the user that uses it. If we had experts secure a Windows box, they could do that, and it would be LOADS more secure than a vanilla FreeBSD install that Aunt Sally just tried out.

Quote:
I did find an interesting opensource program, based on 'encryption for masses', which was developed by the drivecrypt team years ago.
If you really want a secure system, why are you trusting systems that other people made? How do you know they didn't put loopholes, backdoors, trojans, anything in there without your knowledge?

I suggest you make your own OS from scratch, with your own hardware you built from scratch (backdoors can be in hardware, too). That way, nobody can mess with your stuff.

But wait, people can figure out the internal workings of your system, can't they? Windows is closed source, and it has security patches quite often... hmm... scratch that as well. I guess the only way you can get security is to lobotomize the human race and then break up the Earth into all of its electrons, protons, and neutrons, and create your own elements to create your own laptop, and then create your own OS off of that. Make sure you make some tinfoil, too, because those aliens might be able to break into your computer as well.

See, I guess my point is, if you really need the security you desire, guess what, you're screwed. People have been floating around the idea that "there is no such thing as 100% security" a lot lately. I think that that is false and misleading. My belief is there is no such thing as security, period.

The innovative ideas of cryptography and security are just neat little tricks to slowing people down. That doesn't do a thing when someone has enough will and applies enough force to your system. Think of it in terms of physical security. If someone has a "foolproof" safe, wouldn't a wrecking ball tear right through it?

I'm going to be laughing when they break blowfish, while sitting next to the guy that copied your HD in your sleep.

The only way to prevent people discovering your secret personal stuff is to not do anything that you wouldn't be willing to defend in court in the first place (or in an argument with friends or family, whatever). Hell, if you aren't successful in court, you probably will only go to a minimum security prison anyway, that is, if you aren't covering up murder. If you are covering up something like that, then you deserve everything that you get. If you are hiding something from your spouse or something, the most you'll get is a divorce... OooOOOoO!
 
Old 03-08-2005, 08:03 PM   #39
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
Quote:
Originally posted by Aeiri
OS is only as secure as the user that uses it.
that is SO TRUE...

also, some people seem to forget that SECURITY IS NOT A PRODUCT. IT'S A PROCESS.

the "i'm gonna switch to freebsd cuz it's more stable/secure" thing really cracked-me-up... LOL...


Last edited by win32sux; 03-08-2005 at 08:07 PM.
 
Old 03-08-2005, 08:13 PM   #40
lawmaker
LQ Newbie
 
Registered: Mar 2005
Posts: 18

Original Poster
Rep: Reputation: 0
Quote:
Originally posted by win32sux

the "i'm gonna switch to freebsd cuz it's more stable/secure" thing really cracked-me-up... LOL...
laughing at newbies is cool, as long as we get there in the end.

let me try rephrasing the question.

Can anyone here, with all the knowledge and expierience they have of linux/bsd, confirm that they are able to match the specifications outlined at the beginning of this thread?

I'm sure it could be done with development, but in reasonably practical terms for a newbie, that's not an immediate option.

thanks.

Last edited by lawmaker; 03-08-2005 at 08:19 PM.
 
Old 03-08-2005, 09:47 PM   #41
TruckStuff
Member
 
Registered: Apr 2002
Posts: 498

Rep: Reputation: 30
After reading this entire thread, I think I can safely say that the answer to your question is no, there is no tool publicly available for *nix that meets all of the criteria you have stated.

I will also say that with the tools mentioned in this thread you could very easily accomplish what you want, especailly if you truly are the "tinkerer" you claim to be. A combination of StegFS and loopback encrypted file systems can provide all of the security one will ever need. Unless you do some *very* high level work for Uncle Sam, anything beyond this is simply a waste of time.

So, now that your original question has been answered (for at least the third time in this thread), can we please go on to something more productive than argueing over trivialities?

Last edited by TruckStuff; 03-08-2005 at 09:51 PM.
 
Old 03-09-2005, 06:56 PM   #42
frandalla
Member
 
Registered: Oct 2003
Location: Tokyo - Japan
Distribution: Slackware
Posts: 348
Blog Entries: 1

Rep: Reputation: 37
I think you should try those solutions SOMEWHERE ELSE FIRST and if it fits you do the switch. I really don't think you'll find a comercial "all-in-a-package" solution for what you want and THAT doesn't make linux less secure than windows. What that means is that windows has yet another security solution as it is the most used OS out there. Linux IS more secure than windows but it has its own flaws too undoubtly. You say that you're not familiar to Linux so you don't know what you may leave uncovered is not a good argument. You don't know Linux because you lack study and experience (this is not an offense. You said that too) but you can become an expert on Linux and its security issues if you want. That doesn't happen with windows. Do you have the source code? Do you have access to a full detailed documentation to its development? How can you know that you covered all the issues if you don't even know all of them. There are many of'em known by microsoft but not released as they still don't have a patch available. You're far to be a linux security specialist ut even farther to be a windows one as the number of flaws and issues is to big and many are unknown/unrevelead.
my 2cents
 
Old 03-10-2005, 05:07 AM   #43
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
Some observations:

Most Live Linux CDs offer customizability that can be burnt to a new CD. Once you set up the system the way you want it (network printer, right apps, etc) you can burn it on a CD or two and it will likely NEVER have to be reinstalled. It not only doesn't have data that needs encryption but it won't become convoluted and require a reinstall, it won't store persistant histories and if it is compromised via a hack/virus/intrusion then a simple reboot will fix it.

With enough RAM you can forgo a swap partition and mount /tmp from a ramdisk, that problem is now resolved. Even without enough RAM, swap and /tmp can still be mounted inside another partition that is encrypted, or set to be wiped in the shutdown script, or both.

The next step is a partition on either the existing hard drive or removable media such as a thumb drive (there are reasonably priced 4GB and larger USB drives now) or even an external HDD on USB or firewire via existing laptop ports or a PCMCIA card. The partition can be encrypted to whatever level you want it to be. With the OS not encrypted, you actually add security because there is no longer a library of pre-deciphered code (a base OS to compare against your encrypted OS) available to help anyone decode the data you wish to protect.

With these solutions in place, you have an OS that won't degrade and won't store any information you don't want it to. Without the OS storing information or being encrypted, you speed up performance, provide a system less vulnerable to cracks and other forms of intrusion and you no longer provide the OS files as a possible decipher tool. You also add another layer of security in that you can easily seperate the OS from the data and make it even harder to gain initial access to the encrypted data's location. Heck, you could even leave the HDD bootable with your old Windows OS and some useless data as a 'honey pot' for someone to spend a good chunk of time breaking into only to find they barked up the wrong tree!

 
Old 03-10-2005, 03:19 PM   #44
frandalla
Member
 
Registered: Oct 2003
Location: Tokyo - Japan
Distribution: Slackware
Posts: 348
Blog Entries: 1

Rep: Reputation: 37
The honeypot idea is pretty good
 
Old 03-10-2005, 03:46 PM   #45
IsaacKuo
Senior Member
 
Registered: Apr 2004
Location: Baton Rouge, Louisiana, USA
Distribution: Debian 9 Stretch
Posts: 2,349
Blog Entries: 8

Rep: Reputation: 384Reputation: 384Reputation: 384Reputation: 384
I'd view the "honeypot" as more of a risk than it's worth. If there's a hard drive in the computer, then there's a chance that someone could secretly install some spyware on that hard drive. The way that would work is:

1. Laptop is stolen.
2. Spyware is installed on the hard drive's bootloader and the BIOS is set to boot from hard drive first.
3. Laptop is returned before it's missed.

4. The next time I put the CD and USB thumbdrive in, I might not notice the spyware loading from the hard drive before the CD boots. This spyware then records keystrokes and/or copies data from the thumbdrive to the hard drive.

5. Laptop is stolen again.
6. Spyware data is retrieved.

Paranoid? Yes, of course.

Now things would be a bit different if the laptop had no hard drive. Without a hard drive, there wouldn't be any place to install spyware--nor any place for such spyware to save data. It's pretty easy to use some wire snips to cut off the IDE connector pins, making it rather difficult for the bad guys to install a (silent) hard drive. They'd have to cosmetically duplicate the entire laptop. Making periodic personalized cosmetic mutilations of the laptop can make it difficult for the bad guys to make a convincing replacement.

Alternatively, a scratchbuilt "briefcase computer" can be VERY hard for the bad guys to compromise. The case of the computer should be clear plastic, so all of the components are visible from all sides. This prevents hiding a flash drive behind the LCD screen, for example. The "lid" would house the mini-ITX board and the LCD screen, while the "base" would house the keyboard, touchpad, and CD drive. The exact choice of components is critical to prevent the possibility of hiding spy hardware. For example, a typical 5.25" CD-ROM drive is no good because there's too much internal space which could be used nefariously.
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Comparing security on Windows and Linux Ephracis Linux - Security 4 07-01-2005 10:17 PM
security: windows vs linux crispyleif Linux - Newbie 10 03-08-2005 03:14 AM
Any Linux Vs Windows 2000 Security resource? neelay1 Linux - Security 1 12-07-2004 02:44 PM
Linux security Vs Windows security keene General 50 11-01-2003 11:22 PM
Linux VS Windows Security demmylls Linux - General 7 10-17-2003 03:33 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 07:53 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration