I have been pondering laptop theft. Now, I know our company source code is of limited interest to all but a few odd companies scattered around the globe. But the idea of it getting away from me is not so very nice. A couple of us here maintain a subversion checkout on our laptops. By design, the laptop is complete and can be used to create the entire product for four or five platforms, just by a few make commands. What is the best security? What are the reasonable options? For a current Linux distro. I think it is a given that any Linux user security does not apply. Just boot Knoppix and all is revealed. The proverbial double edged sword. One could encrypt the file system. This seems a bit much. Encrypting the files themselves is not feasible. There are a gazillion of them. (I counted.) Can you encrypt an existing file system? I suspect not. One could have a BIOS password. This sounds best. But I guess these are easily gotten around? It sounds too simple a solution. Or one that leads to other odd problems. Is anyone else protecting their laptops in some unknown-in-these-parts-but-soon-to-replace-the-mudshark-in-your-mythology way? (I blame the IPOD on my desk. I listen to all sorts of odd things that I usually forget about at home.) -- Roger Oberholtzer OPQ Systems AB Ramböll Sverige AB Kapellgränd 7 P.O. Box 4205 SE-102 65 Stockholm, Sweden Tel: Int +46 8-615 60 20 Fax: Int +46 8-31 42 23 -- Check the headers for your unsubscription address For additional commands send e-mail to suse-linux-e-help@suse.com Also check the archives at http://lists.suse.com Please read the FAQs: suse-linux-e-faq@suse.com
On 6/16/06, Roger Oberholtzer <roger@opq.se> wrote:
I have been pondering laptop theft. Now, I know our company source code is of limited interest to all but a few odd companies scattered around the globe. But the idea of it getting away from me is not so very nice. A couple of us here maintain a subversion checkout on our laptops. By design, the laptop is complete and can be used to create the entire product for four or five platforms, just by a few make commands.
What is the best security? What are the reasonable options? For a current Linux distro.
I think it is a given that any Linux user security does not apply. Just boot Knoppix and all is revealed. The proverbial double edged sword.
One could encrypt the file system. This seems a bit much. Encrypting the files themselves is not feasible. There are a gazillion of them. (I counted.) Can you encrypt an existing file system? I suspect not.
One could have a BIOS password. This sounds best. But I guess these are easily gotten around? It sounds too simple a solution. Or one that leads to other odd problems.
Is anyone else protecting their laptops in some unknown-in-these-parts-but-soon-to-replace-the-mudshark-in-your-mythology way?
(I blame the IPOD on my desk. I listen to all sorts of odd things that I usually forget about at home.)
Using an encrypted filesystem for the sensitive stuff is the way to go. The BIOS password is easily disabled when you have a screwdriver and physical access to the machine. You do not have to encrypt everything, just the sensitive stuff, like the sources. -- Svetoslav Milenov (Sunny) Windows is a 32-bit extension to a 16-bit graphical shell for an 8-bit operating system originally coded for a 4-bit microprocessor by a 2-bit company that can't stand 1 bit of competition.
On Friday 16 June 2006 17:41, Roger Oberholtzer wrote:
One could encrypt the file system. This seems a bit much.
I think this is the only real protection. Anything else can be worked around easily
Encrypting the files themselves is not feasible. There are a gazillion of them. (I counted.) Can you encrypt an existing file system? I suspect not.
Not presently, no
One could have a BIOS password. This sounds best. But I guess these are easily gotten around? It sounds too simple a solution. Or one that leads to other odd problems.
Screwdriver->hard drive->computer without BIOS password
Modern hard drives have a built-in password protection, that forces you to enter it on boot regardless of which machine it's in. But I've never used it and have no idea how stable/reliable/secure it is
On Friday 16 June 2006 16:47, Anders Johansson wrote:
Encrypting the files themselves is not feasible. There are a gazillion of them. (I counted.) Can you encrypt an existing file system? I suspect not.
Not presently, no
Surprised at that as you can on Windows.
Modern hard drives have a built-in password protection, that forces you to enter it on boot regardless of which machine it's in. But I've never used it and have no idea how stable/reliable/secure it is
ATA locking of hard drives is quite effective as the drive will not spin up without the correct unlock key, this system is used on the Xbox for example. I once locked a drive whilst experimenting and locked myself out, I found out that most drives have a master key installed by the manufacturer which is higher up the protection food-chain and you can use this to unlock the drive and that http://www.hddunlock.com/ make an unlock tool that has the master unlock codes built in. Therefore I'd not use it. I think that not storing sensitive data on the local hard drive is the only way to be sure. Otherwise I'd encrypt the drives. Matthew
On Fri, Jun 16, 2006 at 05:41:49PM +0200, Roger Oberholtzer wrote:
What is the best security? What are the reasonable options? For a current Linux distro.
I assume you mean "For a current version of SuSE" there? ;-)
One could encrypt the file system. This seems a bit much. Encrypting the files themselves is not feasible. There are a gazillion of them. (I counted.) Can you encrypt an existing file system? I suspect not.
Partition the disk and put all your interesting stuff on the encrypted partition? That way, you don't need to have access to the encrypted disk to boot and use the machine, but you do need it to do anything with the source code. If you don't want to repartition the disk, perhaps you could create a large file in the existing partition and mount it as a loopback encrypted file system? IMHO it seems that an encrypted FS is the solution you really need. Disclaimer: I have no experience of encrypted file systems, so I could be talking complete rubbish. -- David Smith Work Email: Dave.Smith@st.com STMicroelectronics Home Email: David.Smith@ds-electronics.co.uk Bristol, England GPG Key: 0xF13192F2
On Fri, 2006-06-16 at 16:53 +0100, David SMITH wrote:
On Fri, Jun 16, 2006 at 05:41:49PM +0200, Roger Oberholtzer wrote:
What is the best security? What are the reasonable options? For a current Linux distro.
I assume you mean "For a current version of SuSE" there? ;-)
Took me a minute to figure why you asked. True. SUSE 10.x. But I thought I posted this to a different, more general group. No matter. I got some useful information here as well. -- Roger Oberholtzer
Roger Oberholtzer wrote:
I have been pondering laptop theft. Now, I know our company source code is of limited interest to all but a few odd companies scattered around the globe. But the idea of it getting away from me is not so very nice. A couple of us here maintain a subversion checkout on our laptops. By design, the laptop is complete and can be used to create the entire product for four or five platforms, just by a few make commands.
Use encrypted partitions, however, I believe they have to be configured as encrypted, when created. You can also use a hard drive password, if your computer supports it. Hard drive passwords are not easily defeated. Don't forget about those utilities that ensure files are completely erased etc. As always, security is a many layered thing.
On Friday 16 June 2006 08:41, Roger Oberholtzer wrote:
One could encrypt the file system. This seems a bit much. Encrypting the files themselves is not feasible. There are a gazillion of them. (I counted.) Can you encrypt an existing file system? I suspect not.
As others have mentioned, I would create an encrypted partition large enough to hold the source code you want to protect. I've never used an encrypted partition in a production system, but I have toyed around with them a bit. Keep in mind that an encrypted filesystem is designed to limit access to the data it holds, and this can come back to bite you when you upgrade OS's, move the encrypted filesystem to another partition, or another location on the same filesystem, lose the password, something gets corrupted, etc. Keep recent backups. I would also keep an unencrypted diff between the master subversion repo and my checkout on the laptop. That small set of changes won't be a huge help to an attacker, but it will protect your changes if something should happen to the encrypted filesystem. I also suggest you check out TrueCrypt. It is a Windows encryption program that is quite respected, and has recently been ported to Linux. I intend to try it out myself at my next opportunity. Regards, Mark
On Friday 16 June 2006 08:41 am, Roger Oberholtzer wrote:
I have been pondering laptop theft. Now, I know our company source code is of limited interest to all but a few odd companies scattered around the globe. But the idea of it getting away from me is not so very nice. A couple of us here maintain a subversion checkout on our laptops. By design, the laptop is complete and can be used to create the entire product for four or five platforms, just by a few make commands.
What is the best security?
I'd highly suggest bolting it down to the desk. That usually works fine. At least you won't get in the news like the US Department of Defense. -- k
On Fri, 2006-06-16 at 14:51 -0700, kai wrote:
I'd highly suggest bolting it down to the desk. That usually works fine. At least you won't get in the news like the US Department of Defense.
I 100% agree! Physical, physical, physical! It takes no less than a dozen meetings, arguments and, sometimes, even threats, but anytime someone talks about not having separate, physical networks, wants portable computers or "remote administration" I take the keyboard to them. - You will put that financial back-end on a dedicated, non-Internet connected network. - You will not put any classified information on the non-classified network - You will go into a secured room with sign-in/out to administer it and I will _not_ allow you to remotely administer from a non-secured area I have spent my career working on US DoD classified programs and in major, major US financial institutions that handle a significant number of our nation's transactions. Management will argue cost, support issues, etc... and you have to tell them they are wrong, wrong, wrong repeatedly. And I am not afraid to say it to their face -- "You might get a bonus now for saving money, but someone else will be cleaning up the mess a few years from now after you've been promoted." Now I can't talk about their stupidity, collectively or otherwise, because of various agreements I have signed. ;-> But more publicly, Ohio's First Energy is a perfect example of a chronic screw-up. Their IT -- despite complaints of plant engineers -- allowed their control systems networks to be tied into their general networks for "support purposes." So when a worm came through it overloaded First Energy's control systems and they couldn't provide necessary standby power to the grid. It significantly contributed to the NE US / southern Canadian black-out a few years ago. And what's worse is that the same issue took down a First Energy's nuclear power plant control system just 6 months earlier (luckily it wasn't producing power, but was in test). Physical, physical, physical security. -- Bryan J. 
Smith Professional, technical annoyance mailto:b.j.smith@ieee.org http://thebs413.blogspot.com ---------------------------------------------------------- The existence of Linux has far more to do with the breakup of AT&T's monopoly than anything Microsoft has ever done.
On Saturday 17 June 2006 00:27, Bryan J. Smith wrote:
On Fri, 2006-06-16 at 14:51 -0700, kai wrote:
I'd highly suggest bolting it down to the desk. That usually works fine. At least you won't get in the news like the US Department of Defense.
I 100% agree! Physical, physical, physical!
It takes no less than a dozen meetings, arguments and, sometimes, even threats, but anytime someone talks about not having separate, physical networks, wants portable computers or "remote administration" I take the keyboard to them.
- You will put that financial back-end on a dedicated, non-Internet connected network.
- You will not put any classified information on the non-classified network
- You will go into a secured room with sign-in/out to administer it and I will _not_ allow you to remotely administer from a non-secured area
I have spent my career working on US DoD classified programs and in major, major US financial institutions that handle a significant number of our nation's transactions. Management will argue cost, support issues, etc... and you have to tell them they are wrong, wrong, wrong repeatedly. And I am not afraid to say it to their face -- "You might get a bonus now for saving money, but someone else will be cleaning up the mess a few years from now after you've been promoted."
Now I can't talk about their stupidity, collectively or otherwise, because of various agreements I have signed. ;->
But more publicly, Ohio's First Energy is a perfect example of a chronic screw-up.
Their IT -- despite complaints of plant engineers -- allowed their control systems networks to be tied into their general networks for "support purposes." So when a worm came through it overloaded First Energy's control systems and they couldn't provide necessary standby power to the grid. It significantly contributed to the NE US / southern Canadian black-out a few years ago.
And what's worse is that the same issue took down a First Energy's nuclear power plant control system just 6 months earlier (luckily it wasn't producing power, but was in test).
Physical, physical, physical security.
Nuclear Power plants running on Microsoft Windows platform? Gives a whole new meaning to "Blue Screen of Death"! Damn, that is scary! Jerry
-- Bryan J. Smith Professional, technical annoyance mailto:b.j.smith@ieee.org http://thebs413.blogspot.com ---------------------------------------------------------- The existence of Linux has far more to do with the breakup of AT&T's monopoly than anything Microsoft has ever done.
On Fri, 2006-06-16 at 23:55 +0200, Jerry Westrick wrote:
Nuclear Power plants running on Microsoft Windows platform?
No. But they are on the same physical network as Windows systems that are blabbing all over the place. Or they are being remotely administered by them.
Gives a whole new meaning to "Blue Screen of Death"! Damn, that is scary!
Some monitoring systems may be Windows-based, or older UNIX-based, or even OS/2-based! They are on a private network for a reason. Sneaker-net is the _only_ way to administer them. -- Bryan J. Smith Professional, technical annoyance mailto:b.j.smith@ieee.org http://thebs413.blogspot.com ---------------------------------------------------------- The existence of Linux has far more to do with the breakup of AT&T's monopoly than anything Microsoft has ever done.
On Fri, 2006-06-16 at 23:55 +0200, Jerry Westrick wrote:
Nuclear Power plants running on Microsoft Windows platform?
Gives a whole new meaning to "Blue Screen of Death"!
Damn, that is scary!
Yellow glow of death at midnight. Then you really know MicroSoft crashed another one.
On Wednesday 21 June 2006 13:34, Carl William Spitzer IV wrote:
On Fri, 2006-06-16 at 23:55 +0200, Jerry Westrick wrote:
Nuclear Power plants running on Microsoft Windows platform?
Gives a whole new meaning to "Blue Screen of Death"!
Damn, that is scary!
Yellow glow of death at midnight. Then you really know MicroSoft crashed another one.
I like to watch NASA TV on the web during the active space missions. During the most recent shuttle mission I was amazed listening to a rather lengthy session of astronauts and ground control trying to diagnose a problem with a computer on the shuttle that controlled something pertinent (but fortunately not life-sustaining) to the mission. They kept rebooting this thing and reporting "it BSOD'd again". Eventually they replaced it with a spare that worked.
On Wed, 2006-06-21 at 13:51 -0400, Ken Jennings wrote:
On Wednesday 21 June 2006 13:34, Carl William Spitzer IV wrote:
On Fri, 2006-06-16 at 23:55 +0200, Jerry Westrick wrote:
Nuclear Power plants running on Microsoft Windows platform?
Gives a whole new meaning to "Blue Screen of Death"!
Damn, that is scary!
Yellow glow of death at midnight. Then you really know MicroSoft crashed another one.
I like to watch NASA TV on the web during the active space missions. During the most recent shuttle mission I was amazed listening to a rather lengthy session of astronauts and ground control trying to diagnose a problem with a computer on the shuttle that controlled something pertinent (but fortunately not life-sustaining) to the mission. They kept rebooting this thing and reporting "it BSOD'd again". Eventually they replaced it with a spare that worked.
Which doesn't mean that the shuttle uses Windows. It may very well indicate how much of a cultural metaphor that screen has become.
The Wednesday 2006-06-21 at 20:21 -0400, Mike McMullin wrote:
Which doesn't mean that the shuttle uses Windows. It may very well indicate how much of a cultural metaphor that screen has become.
In 2000 they used W95 for things like email, reports, etc, by the astronauts, if my memory serves me right. And they complained that sometimes they "hung". -- Cheers, Carlos Robinson
On Thu, 2006-06-22 at 11:52 +0200, Carlos E. R. wrote:
The Wednesday 2006-06-21 at 20:21 -0400, Mike McMullin wrote:
Which doesn't mean that the shuttle uses Windows. It may very well indicate how much of a cultural metaphor that screen has become.
In 2000 they used W95 for things like email, reports, etc, by the astronauts, if my memory serves me right. And they complained that sometimes they "hung".
Now that does suck. I do recall my W95 was fairly stable, I saw my first BSOD in 98, and especially in ME. Hint to Novell: Get them done up with SLED10, gratis.
The Thursday 2006-06-22 at 19:30 -0400, Mike McMullin wrote:
In 2000 they used W95 for things like email, reports, etc, by the astronauts, if my memory serves me right. And they complained that sometimes they "hung".
Now that does suck. I do recall my W95 was fairly stable, I saw my first BSOD in 98, and especially in ME.
Hint to Novell: Get them done up with SLED10, gratis.
Notice that they used 95 because it was certified; the 2000 wasn't (at that time at least). The same would apply to linux, I guess. They had an internal group pushing for linux, by the way. I don't know what they are using now, -- Cheers, Carlos Robinson
Jerry Westrick wrote:
Nuclear Power plants running on Microsoft Windows platform? Gives a whole new meaning to "Blue Screen of Death"! Damn, that is scary!
Carl William Spitzer IV wrote:
Yellow glow of death at midnight. Then you really know MicroSoft crashed another one.
I don't care what the OS is, when you connect private control system networks to LANs, bad things happen. These networks are supposed to be standalone and not connected to anything else. The stupidity is in IT departments doing otherwise. Or support personnel arguing they need access from their desk. You don't just keep control system networks "up-to-date" like generic PCs. You also have no reason to have them connected to generic PCs. There is no need for general access. We really need some regulatory, but peer-reviewed statutes here in the US. Unfortunately, the National Society of Professional Engineers (NSPE) and their state boards continue to view Software Engineering and most other EE-based engineering as "not real engineering." No matter how much the American Accreditation Board of Engineering and Technology (ABET), IEEE and key "technology" US states (like Texas, who has a huge semiconductor and control systems industry) argue that "Software Engineering" is a true and separate EE discipline from Electrical, Controls, etc..., the "bridge builders" and other "civil engineers" that control the NSPE and state boards think it's not. Environmental engineers had the same problem in the 1970s as well. But eventually they got their statutes and licensing. It'll take a serious, internal financial compromise and major impact to the US economy -- or a nuclear power plant meltdown for this to happen. I was hopeful the NE-US/Canada blackout would have changed the NSPE and Ohio's BoPE attitude, but it didn't. -- Bryan J. Smith Professional, technical annoyance mailto:b.j.smith@ieee.org http://thebs413.blogspot.com ---------------------------------------------------------- The existence of Linux has far more to do with the breakup of AT&T's monopoly than anything Microsoft has ever done.
On Wed, 2006-06-21 at 16:09 -0400, Bryan J. Smith wrote:
Jerry Westrick wrote:
Nuclear Power plants running on Microsoft Windows platform? Gives a whole new meaning to "Blue Screen of Death"! Damn, that is scary!
Carl William Spitzer IV wrote:
Yellow glow of death at midnight. Then you really know MicroSoft crashed another one.
I don't care what the OS is, when you connect private control system networks to LANs, bad things happen. These networks are supposed to be standalone and not connected to anything else. The stupidity is in IT departments doing otherwise. Or support personnel arguing they need access from their desk. You don't just keep control system networks "up-to-date" like generic PCs. You also have no reason to have them connected to generic PCs. There is no need for general access.
There is no need for a non-*nix OS on the control systems.
We really need some regulatory, but peer-reviewed statutes here in the US. Unfortunately, the National Society of Professional Engineers (NSPE) and their state boards continue to view Software Engineering and most other EE-based engineering as "not real engineering."
No matter how much the American Accreditation Board of Engineering and Technology (ABET), IEEE and key "technology" US states (like Texas, who has a huge semiconductor and control systems industry) argue that "Software Engineering" is a true and separate EE discipline from Electrical, Controls, etc..., the "bridge builders" and other "civil engineers" that control the NSPE and state boards think it's not.
Environmental engineers had the same problem in the 1970s as well. But eventually they got their statutes and licensing.
It'll take a serious, internal financial compromise and major impact to the US economy -- or a nuclear power plant meltdown for this to happen. I was hopeful the NE-US/Canada blackout would have changed the NSPE and Ohio's BoPE attitude, but it didn't.
The Ohio power grid snafu was because their grid monitoring system had locked up (again). Why it was allowed to go on is a good question. That one system failure costs millions if not billions of dollars.
On Friday 16 June 2006 6:27 pm, Bryan J. Smith wrote:
On Fri, 2006-06-16 at 14:51 -0700, kai wrote:
I'd highly suggest bolting it down to the desk. That usually works fine. At least you won't get in the news like the US Department of Defense.
I 100% agree! Physical, physical, physical!
As do I. One of my friends left his office for about 2 minutes and when he got back his laptop was missing. This was in a facility where one had to show a badge to get in, and personal laptops had to be labeled by security. I think, at the time, he was also chairman of the board of the credit union, but we are talking about 10 years ago when identity theft was uncommon.
In my office, I use a locking device tied to my desk. Not very secure since someone can come in, and lift my desk up, but I never keep any sensitive data on the laptop since I use it mainly for presentations and classroom lectures when I am teaching. -- Jerry Feldman <gaf@blu.org> Boston Linux and Unix user group http://www.blu.org PGP key id:C5061EA9 PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
On Friday 16 June 2006 21:11, Roger Oberholtzer wrote:
I have been pondering laptop theft. Now, I know our company source code is of limited interest to all but a few odd companies scattered around the globe. But the idea of it getting away from me is not so very nice. A couple of us here maintain a subversion checkout on our laptops. By design, the laptop is complete and can be used to create the entire product for four or five platforms, just by a few make commands.
What is the best security? What are the reasonable options? For a current Linux distro.
I think it is a given that any Linux user security does not apply. Just boot Knoppix and all is revealed. The proverbial double edged sword.
One could encrypt the file system. This seems a bit much. Encrypting the files themselves is not feasible. There are a gazillion of them. (I counted.) Can you encrypt an existing file system? I suspect not.
One could have a BIOS password. This sounds best. But I guess these are easily gotten around? It sounds too simple a solution. Or one that leads to other odd problems.
Is anyone else protecting their laptops in some unknown-in-these-parts-but-soon-to-replace-the-mudshark-in-your-mythology way?
(I blame the IPOD on my desk. I listen to all sorts of odd things that I usually forget about at home.)
-- Roger Oberholtzer
OPQ Systems AB Ramböll Sverige AB Kapellgränd 7 P.O. Box 4205 SE-102 65 Stockholm, Sweden
Tel: Int +46 8-615 60 20 Fax: Int +46 8-31 42 23
encfs is a good choice. I am using the same for encrypting my source code under the workspace directory. The packages and kernel modules are included in SuSE 10.1. encfs will create a loopback encrypted file system (FUSE) in the current non-encrypted partition where it can be mounted on a subdirectory inside your home directory and place all your code and work copies in it. It supports AES, blowfish up to 256 bits encryption. While mounting it asks for the passphrase/password and it's ready to use. I don't see any performance issues. -- CHAITANYA CHALASANI LINUX USER #410931
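A check that goes with the encfs setup described in the message above, as an added example that is not part of the thread: if the encfs volume is not mounted, the mount point is just an empty directory on the plain partition, and a checkout made there lands on disk in cleartext. The paths and mount lines are constructed, and the script assumes that encfs mounts are listed with type `fuse.encfs` in `/proc/mounts`; it does not recognise other kinds of encrypted volume.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): refuse to treat a checkout as protected
# unless it really sits on a mounted encfs volume. All paths are constructed.
#
# Typical session with the real tools:
#   encfs /home/dev/.workspace.enc /home/dev/workspace   # asks for the passphrase
#   fusermount -u /home/dev/workspace                    # unmount when done

# mount_for_path PATH [MOUNTS_FILE]
# Prints "<mountpoint><TAB><fstype>" for the longest mount point containing PATH.
mount_for_path() {
    awk -v p="$1" '
        {
            mp = $2
            gsub(/\\040/, " ", mp)        # /proc/mounts escapes spaces as \040
            if (mp == "/")
                hit = (substr(p, 1, 1) == "/")
            else
                # compare whole path components: /a/work must not match /a/work-old
                hit = (p == mp || index(p, mp "/") == 1)
            # >= so that a later mount stacked on the same point wins
            if (hit && length(mp) >= best) { best = length(mp); out = mp "\t" $3 }
        }
        END { if (best) print out }
    ' "${2:-/proc/mounts}"
}

# is_encrypted_workspace PATH [MOUNTS_FILE]
# Succeeds only when PATH lies on a mount of type fuse.encfs (assumed type name).
is_encrypted_workspace() {
    fstype=$(mount_for_path "$1" "${2:-/proc/mounts}" | cut -f2)
    [ "$fstype" = "fuse.encfs" ]
}

# sample_mounts mounted|unmounted
# Constructed /proc/mounts content with and without the encfs volume mounted.
sample_mounts() {
    printf '%s\n' \
        '/dev/sda2 / ext3 rw 0 0' \
        '/dev/sda3 /home ext3 rw 0 0'
    if [ "$1" = mounted ]; then
        printf '%s\n' 'encfs /home/dev/workspace fuse.encfs rw,nosuid,nodev 0 0'
    fi
}

# Walk both states and two paths, one inside the volume and one look-alike.
demo() {
    tmp=$(mktemp)
    for state in mounted unmounted; do
        sample_mounts "$state" > "$tmp"
        for path in /home/dev/workspace/product/Makefile \
                    /home/dev/workspace-old/product; do
            if is_encrypted_workspace "$path" "$tmp"; then
                verdict=encrypted
            else
                verdict=CLEARTEXT
            fi
            printf '%-10s %-40s %s\n' "$state" "$path" "$verdict"
        done
    done
    rm -f "$tmp"
}

demo
```

Called with only a path, `is_encrypted_workspace` reads the live `/proc/mounts`, so it can gate a checkout or build wrapper.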
Re: reliability of an encrypted partition, I have been using them in DOS for about 8 years, and under Suse (now 9.3) for about 4 years. I have never had a problem. I no longer use 'passwords' (really encryption keys), we now use phrases, like 'onceuponatime'. They are easier to remember, and a longer key gives better encryption. My only complaint is, I would like an iconized program that asks for the key so I don't have to enter it each time I boot (only if I am going into the encrypted partition.) Oh yes, we run 2 networks (internal ops and the internet). We don't do windows except for vertical market packages on a dedicated computer without a network connection. -- John R. Sowden AMERICAN SENTRY SYSTEMS, INC. Residential & Commercial Alarm Service UL Listed Central Station Serving the San Francisco Bay Area Since 1967 mail@americansentry.net www.americansentry.net
On Saturday 17 June 2006 12:59 pm, John R. Sowden wrote:
Re: reliability of an encrypted partition, I have been using them in DOS for about 8 years, and under Suse (now 9.3) for about 4 years. I have never had a problem. I no longer use 'passwords' (really encryption keys), we now use phrases, like 'onceuponatime'. They are easier to remember, and a longer key gives better encryption.
Since I'm trying to ignore my wife who insists on watching those boorish soccer games... Is this something you use with partitioner? I mean, do you install the software then create a virtual partition in YaST or do you just run the software and it creates the virtual encrypted partition? This sounds nice, especially for some of my items under my Documents folder which may be personal in nature. The rest of my stuff (my MP3's and games) I could care less about. When making a backup - kdar or otherwise - does the encryption information go along with the partition?
-- kai - www.perfectreign.com 43...for those who require slightly more than the answer to life, the universe and everything.
kai wrote:
Is this something you use with partitioner? I mean, do you install the software then create a virtual partition in YaST or do you just run the software and it creates the virtual encrypted partition?
You can enable encryption, when you use Yast to create the partition.
On Saturday 17 June 2006 03:03 pm, James Knott wrote:
kai wrote:
Is this something you use with partitioner? I mean, do you install the software then create a virtual partition in YaST or do you just run the software and it creates the virtual encrypted partition?
You can enable encryption, when you use Yast to create the partition.
Got it! Thanks. -- k
On Sat June 17 2006 13:46, kai wrote:
On Saturday 17 June 2006 12:59 pm, John R. Sowden wrote:
Re: reliability of an encrypted partition, I have been using them in DOS for about 8 years, and under Suse (now 9.3) for about 4 years. I have never had a problem. I no longer use 'passwords' (really encryption keys), we now use phrases, like 'onceuponatime'. They are easier to remember, and a longer key gives better encryption.
Since I'm trying to ignore my wife who insists on watching those boorish soccer games...
Is this something you use with partitioner? I mean, do you install the software then create a virtual partition in YaST or do you just run the software and it creates the virtual encrypted partition?
This sounds nice, especially for some of my items under my Documents folder which may be personal in nature. The rest of my stuff (my MP3's and games) I could care less about.
When making a backup - kdar or otherwise - does the encryption information go along with the partition?
-- kai - www.perfectreign.com
43...for those who require slightly more than the answer to life, the universe and everything.
As previously answered, I set up the partition in Yast. Once I enter the key, the partition is fully accessible, therefore when I copy a file on an encrypted partition to elsewhere, it is plaintext.
-- John R. Sowden AMERICAN SENTRY SYSTEMS, INC. Residential & Commercial Alarm Service UL Listed Central Station Serving the San Francisco Bay Area Since 1967 mail@americansentry.net www.americansentry.net
The Saturday 2006-06-17 at 13:46 -0700, kai wrote: ...
Is this something you use with partitioner? I mean, do you install the software then create a virtual partition in YaST or do you just run the software and it creates the virtual encrypted partition?
Yast can create the partition, or, an encrypted filesystem residing in a big file in another partition. Some time ago they were defined in /etc/cryptotab, but since I'm not sure when (9.3?) they are defined directly in /etc/fstab. The first method implied running the script "/etc/init.d/boot.crypto start" to "open" them. The second one works with just a normal "mount" command. If the entry has a "noauto" option, it will not be mounted on boot.
When making a backup - kdar or otherwise - does the encryption information go along with the partition?
If the partition is "open" and you back up the files, they will be saved in clear. However, you can 'dd' the raw partition or the file where it resides to the backup media. I posted a small howto on that here, by the way. Trick: if you create an encrypted partition on a file of the exact size of the raw backup media, you can back it up fast and with the same encryption phrase, for example to a CD or DVD, and later mount it read only.
-- Cheers, Carlos Robinson
On June Saturday 17 2006 3:59 pm, John R. Sowden wrote: <snip>
My only complaint is, I would like an iconized program that asks for the key so I don't have to enter it each time I boot (only if I am going into the encrypted partition). Oh yes, we run 2 networks (internal ops and the internet).
I agree w/ everything here. It's the biggest complaint I get, "it's too much bother to have to type the password again etc." However I am slowly getting my point across. Next laptop I get to "play w/" I am going to encrypt the boot record as someone suggested in a past discussion to see if it works. i.e. no passphrase or password = no boot, that should keep my company stuff at least a bit slower for a vandal.
I too prefer passphrases. But I'm still having problems getting this group to encrypt their email. I am working on "making it happen", but some in this group are really hard heads, and "we've *always* done it this way" seems to be a magic bullet, I have yet to dodge, completely. Keeping the discussion open is the best I can do so far.
Again, real life examples do me the most good here. Just got an agreement to insist any windows computer must not be able to reach the internet, nor be reachable thru the network which *does* reach the internet. That small "victory" (??!) was more than 3 years in the making.
I wonder tho, returning to the idea of encrypting the /boot area; Knoppix might still run, even tho it ought not do so. And that opens the whole hard drive, if it (Knoppix) boots. Anyone have any real life experience to help there? (we are small company and so far as I can tell a laptop for testing will have to be a private personal purchase... <sigh> (if we ever go big, I want a huge raise <g>)
No I don't contemplate ever going big enough to get anything back.. it's just like the Reichians "thought murder a day keeps the doctor away" I know, I know it conflicts w/ the universe's unintended consequences, but at the moment, I can't reach a teacher so, I must blunder onward in hope that the grace I have reached will keep me from doing anything insanely stupid.
I wouldn't wish current circumstances on ANYONE.
We don't do windows except for vertical market packages on a dedicated computer without a network connection.
Bless you for this information, it finally nailed down my problem w/ windows legacy stuff.. I at least have that done now. Even better, since we are consultants, it will be policy to tell our clients how to do this and eventually get to a safe way to keep information that, for sure no one wants to see on the net. Not just credit card info is a problem. You wouldn't want your kids' locations, pictures, schools etc posted somewhere as a part of info about you.. would you? Or even stupid stuff like, do you pay your water bill on time.... It's not like we are asking for the moon here. That was easier to achieve than getting anyone who has private information AND a duty to keep it that way, to actually take any measure to secure their system.
Thanks in advance for any real world info .. this should be a continuing discussion. It *is* our job to both insist others who take our info (and others) actually protect it. And to do the same at any location they have a computer and the internet connection. If they lock the door to their apartment, flat, house, why don't they understand they need to do at least the same w/ other people's information which they insist on taking down and keeping.
Waaaay back in the dark ages, I used to watch people who worked for an eye doc... Optometrist .. who had a practice among the rich and famous that was the envy of his peers. But he would have long days during the summers when the office just wasn't that busy, and the first thing that happened, was the files were gone thru by "help" that had nothing else to do.. Even tho he thought locking the file drawer was the best way to protect that info. He forgot to secure the key in any way... Most of the time the break ins weren't malicious, but it was just one more location where private info could leak to the world. I fear most of the databases which have information, including usually credit card info, are subject to that same "casual browsing".
I yell at everyone I can when we do their audits, but it doesn't change.. because it's too much trouble to change the way it's always been done. It's what scares me the most about the current rush to wireless in businesses and health locations. We all know how secure that is.... bah!
-- j 'There is nothing wrong w/ me. There must be something wrong w/ the Universe' B. Crusher
On 6/19/06, jfweber@gilweber.com wrote:
On June Saturday 17 2006 3:59 pm, John R. Sowden wrote: <snip>
I wonder tho, returning to the idea of encrypting the /boot area; Knoppix might still run, even tho it ought not do so. And that opens the whole hard drive, if it (Knoppix) boots. Anyone have any real life experience to help there? (we are small company and so far as I can tell a laptop for testing will have to be a private personal purchase... <sigh> (if we ever go big, I want a huge raise <g>)
If the case is just to not allow someone with no permanent physical access to the machine, just set the password for the BIOS, and in BIOS disable booting from CDROM, USB, floppy. This will not help if someone has real physical access though, as he/she can open the machine and reset the BIOS password, or just unplug the HDD and attach it to another machine for reading. Then your only safeguard is encrypted fs.
-- Svetoslav Milenov (Sunny) Windows is a 32-bit extension to a 16-bit graphical shell for an 8-bit operating system originally coded for a 4-bit microprocessor by a 2-bit company that can't stand 1 bit of competition.
On 6/19/06, Sunny <sloncho@gmail.com> wrote:
On 6/19/06, jfweber@gilweber.com wrote:
On June Saturday 17 2006 3:59 pm, John R. Sowden wrote: <snip>
I wonder tho, returning to the idea of encrypting the /boot area; Knoppix might still run, even tho it ought not do so. And that opens the whole hard drive, if it (Knoppix) boots. Anyone have any real life experience to help there? (we are small company and so far as I can tell a laptop for testing will have to be a private personal purchase... <sigh> (if we ever go big, I want a huge raise <g>)
If the case is just to not allow someone with no permanent physical access to the machine, just set the password for the BIOS, and in BIOS disable booting from CDROM, USB, floppy.
This will not help if someone has real physical access though, as he/she can open the machine and reset the BIOS password, or just unplug the HDD and attach it to another machine for reading. Then your only safeguard is encrypted fs.
I have not been tracking this thread, but there are a couple of physical harddisk solutions in addition to the above. First, for several years, there have been laptop drives that require the user to enter a password via the bios before they will accept i/o commands. These drives have been common on some of the IBM laptops. They are not fool-proof because the data on the drive is not actually encrypted and a smart data thief can replace the drive electronics with a set of drive electronics that don't have the password set. Not trivial to do, but far from impossible. Also, I think Seagate for one sells laptop drives that do real encryption on the fly. This is much better because replacing the drive electronics won't help you. I'm not positive you can buy them or if they're just vaporware, but check out the Seagate Momentus FDE (full drive encryption) laptop drives. http://www.seagate.com/docs/pdf/marketing/PO-Momentus-FDE.pdf
Greg
-- Greg Freemyer The Norcross Group Forensics for the 21st Century
On Mon, 2006-06-19 at 13:41 -0400, jfweber@gilweber.com wrote:
On June Saturday 17 2006 3:59 pm, John R. Sowden wrote: <snip>
My only complaint is, I would like an iconized program that asks for the key so I don't have to enter it each time I boot (only if I am going into the encrypted partition). Oh yes, we run 2 networks (internal ops and the internet).
I agree w/ everything here. It's the biggest complaint I get, "it's too much bother to have to type the password again etc." However I am slowly getting my point across. Next laptop I get to "play w/" I am going to encrypt the boot record as someone suggested in a past discussion to see if it works. i.e. no passphrase or password = no boot, that should keep my company stuff at least a bit slower for a vandal.
I too prefer passphrases. But I'm still having problems getting this group to encrypt their email. I am working on "making it happen", but some in this group are really hard heads, and "we've *always* done it this way" seems to be a magic bullet, I have yet to dodge, completely. Keeping the discussion open is the best I can do so far.
Again, real life examples do me the most good here. Just got an agreement to insist any windows computer must not be able to reach the internet, nor be reachable thru the network which *does* reach the internet. That small "victory" (??!) was more than 3 years in the making.
I wonder tho, returning to the idea of encrypting the /boot area; Knoppix might still run, even tho it ought not do so. And that opens the whole hard drive, if it (Knoppix) boots. Anyone have any real life experience to help there? (we are small company and so far as I can tell a laptop for testing will have to be a private personal purchase... <sigh> (if we ever go big, I want a huge raise <g>)
No I don't contemplate ever going big enough to get anything back.. it's just like the Reichians "thought murder a day keeps the doctor away" I know, I know it conflicts w/ the universe's unintended consequences, but at the moment, I can't reach a teacher so, I must blunder onward in hope that the grace I have reached will keep me from doing anything insanely stupid.
I wouldn't wish current circumstances on ANYONE.
We don't do windows except for vertical market packages on a dedicated computer without a network connection.
Bless you for this information, it finally nailed down my problem w/ windows legacy stuff.. I at least have that done now. Even better, since we are consultants, it will be policy to tell our clients how to do this and eventually get to a safe way to keep information that, for sure no one wants to see on the net. Not just credit card info is a problem.
Some points to think about:
What is the advantage of encrypting the whole drive? The O.S. is open source, no secrets there to be found. Just have some areas strongly encrypted. Each with a different passphrase. Passwords/passphrases only needed when you access that specific area. Or is the entire filesystem littered with sensitive data??
Limit the amount of time the vault is uncrypted, specially if "other" people in your company have su-access, and the system is connected to any network. => Don't trust admins, they are usually underpaid. <=
If you want it stronger, use smartcard with 2K-key length with pin-code. afaik opensc & openct are part of the distro.
When you have a T43, you can opt for three-factor security: Smartcard + fingerprint + pin
And to avoid people leaving the card in the machine, use the same card you need to get in/out/around the building ;-))
And a screenlock with minimum delay...
Hans
-- pgp-id: 926EBB12 pgp-fingerprint: BE97 1CBF FAC4 236C 4A73 F76E EDFC D032 926E BB12 Registered linux user: 75761 (http://counter.li.org)
The Tuesday 2006-06-20 at 00:27 +0200, Hans Witvliet wrote:
Some points to think about: What is the advantage of encrypting the whole drive? the O.S. is open source, no secrets there to be found. Just have some areas strongly encrypted. Each with a different passphrase. Passwords/passphrases only needed when you access that specific area.
Some more ideas: Encrypted partitions can not be automatically umounted, for instance, when the screen saver/locker fires: if one file is opened, it will fail. If the laptop can be suspended to disk, the passphrase is stored in clear text somewhere in the swap partition - and of course, the encrypted partition remains open all the time.
-- Cheers, Carlos Robinson
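An added example, not part of any post in this thread: a shell check over fstab text for two points raised above, encrypted entries without "noauto" (mounted at boot and left open) and swap that is not itself encrypted (where suspend-to-disk writes memory in clear). The sample fstab is constructed, and the loop=/encryption= option syntax is an assumption about how the distribution writes these entries.

```shell
#!/bin/sh
# Added example: audit fstab text for the risks discussed in the thread.

# Constructed sample; device names, mount points and cipher are made up.
# Assumption: encrypted entries carry an "encryption=" mount option.
sample_fstab() {
cat <<'EOF'
# <device>       <mount>  <type>  <options>                                     <dump> <pass>
/dev/hda1        /boot    ext2    defaults                                      1 2
/dev/hda2        /        ext3    defaults                                      1 1
/dev/hda3        swap     swap    defaults                                      0 0
/dev/hda5        /work    ext3    loop=/dev/loop0,encryption=twofish256         0 0
/home/vault.img  /vault   ext3    noauto,loop=/dev/loop1,encryption=twofish256  0 0
EOF
}

# audit_fstab: reads fstab text on stdin, prints one finding per line.
#   AUTO-MOUNT  encrypted entry without "noauto": unlocked at boot, so it
#               stays open for the whole session.
#   PLAIN-SWAP  swap without "encryption=" while encrypted volumes exist:
#               a suspend-to-disk image lands there unencrypted.
audit_fstab() {
awk '
  /^[ \t]*#/ || NF < 4 { next }          # skip comments and short lines
  {
    n = split($4, opt, ",")
    enc = 0; noauto = 0
    for (i = 1; i <= n; i++) {
      if (opt[i] ~ /^encryption=/) enc = 1
      if (opt[i] == "noauto") noauto = 1
    }
    if ($3 == "swap") {
      if (!enc) plain_swap = plain_swap " " $1
      next
    }
    if (enc) {
      encrypted++
      if (!noauto)
        print "AUTO-MOUNT " $2 ": encrypted volume is mounted at boot and stays open; add noauto to unlock it only when needed"
    }
  }
  END {
    if (encrypted && plain_swap != "")
      print "PLAIN-SWAP" plain_swap ": suspend-to-disk writes memory, including keys of open volumes, here in clear"
  }'
}

# With a file argument audit that file, otherwise audit the sample.
if [ -n "${1:-}" ]; then
  audit_fstab < "$1"
else
  sample_fstab | audit_fstab
fi
```

Run it as `sh audit.sh /etc/fstab` on a real machine; a clean result only means neither pattern was found in that file, not that the volume is closed right now.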
participants (20)
- Anders Johansson
- Bryan J. Smith
- Carl William Spitzer IV
- Carlos E. R.
- Chaitanya Chalasani
- David SMITH
- Greg Freemyer
- Hans Witvliet
- James Knott
- Jerry Feldman
- Jerry Westrick
- jfweber@gilweber.com
- John R. Sowden
- kai
- Ken Jennings
- Mark A. Taff
- Matthew Stringer
- Mike McMullin
- Roger Oberholtzer
- Sunny