[sf-lug] Full Disk Encryption options?

Kristian Erik Hermansen kristian.hermansen at gmail.com
Mon Mar 24 12:38:06 PDT 2008


Do you sleep with the laptop under your pillow :-)

On 3/24/08, Rick Moen <rick at linuxmafia.com> wrote:
> Quoting Kristian Erik Hermansen (kristian.hermansen at gmail.com):
> > That's a great question Tom.  There are a few reasons.  Let's just
> > assume for a moment that I only encrypt /home, so that all my user
> > data is protected.  I leave for lunch and some guy happens to snag my
> > laptop for the hour I am gone.  During this hour, he is able to boot
> > my machine with a LiveCD and plant a backdoor libc library that does
> > bad stuff.
> Back during the 1999 boom, I was chief sysadmin at one of the major-name
> Linux startups of the day, which shall go nameless, and a new guy came
> aboard as Chief Technical Officer per top-down orders from the VC.  In
> theory, this charmer thus became my immediate boss.
> I had a very bad feeling about this person, which eventually turned out
> to be justified (in spades), and, in particular, had the recurring
> impression that he was gaining access to sensitive company information
> that he wasn't supposed to have.  His misappropriating _company_ data
> was bad enough, but I found the possibility of his being able to spy on
> my _personal_ traffic intolerable.  So, I analysed the situation,
> conceptually:  All traffic between my company workstation and my home
> server was going over appropriate crypto tunnels, and I had faith in the
> integrity of the server and, plus that of the tunnels, but my company
> workstation was not 100% under my control:  Its software (Debian)
> _or hardware_ could be in theory gimmicked any time I was away from my
> desk.  And, as you know, the security of a crypto tunnel is, at best,
> only as good as that of the security of _both_ ends.
> So, that was when I bought, used, my very first laptop, a 1998 Sony VAIO
> PCG-505FX, which thenceforth I used at my desk for all communication I
> wished to be guaranteed unavailable to the CTO's snooping.  If/when I
> left my desk, the little VAIO carry-case came with me.  Without
> exception.
> Whole disk encryption would, you'll note, have not been enough:  The bad
> guys having physical access to a machine always means they (can) own it.
> So, my solution was:  no physical access for Mr. CTO and his overpaid
> squad of flunkies.
> (Oh yeah:  I eventually resigned when I could no longer protect my
> staff, and the firm's pending IPO was cancelled several months later in
> a flurry of litigation and mysterious executive departures.)
> _______________________________________________
> sf-lug mailing list
> sf-lug at linuxmafia.com
> http://linuxmafia.com/mailman/listinfo/sf-lug

Sent from Gmail for mobile | mobile.google.com

Kristian Erik Hermansen
"Clever ones don't want the future told. They make it."

More information about the sf-lug mailing list