[sf-lug] Full Disk Encryption options?
erich.newell at gmail.com
Mon Mar 24 17:48:31 PDT 2008
Well...I have another few minutes before I roll out for my evening run...
1) Where'd you get the idea I'm a software guy? A significant part of my
background, but not my focus these days:
2) Yes, you can get laptop keyloggers...I didn't formulate that statement
well. My bad. Let me try that again: Show me one that you will be able to
install while I'm away from my laptop while eating lunch...Being a security
minded individual, if I return and find my laptop *off* or even at a command
prompt (read: crash/rebooted) I *will* take the time to determine why. First
on this list will be any signs of intrusion...which there will undoubtedly
be. I may have mentioned "stripping access screws" on your laptop? I can
always cut new heads into them if absolutely necessary for repairs...try and
to that while stealthily making major modifications to the laptop...you can
get a mini-PCI version, but that would have to take the place of
aforementioned "smart card reader"...I think I might notice that. (Read:
unwanted/new appendage to laptop)
3) Even if someone were to capture all my keystrokes and manage to get the
device back unbeknownst to me. What good would it do them? The entire point
behind TWO FACTOR AUTHENTICATION is that it requires BOTH parts. I still
have my smartcard, with my crypographically stored keys.
4) I've never argued that physical access isn't an important aspect to
control...only that full disk encryption is an appropriate, feasible and
infinitely more secure approach if implemented correctly.
5) You have defined a set of possible attacks to consider (You know, that
"Threat Modeling" thing) that might be successful against the aforementioned
solution...offhanded comments about "pixie dust" really don't provide the
detail I'm looking for. I believe that is called trolling.
If anyone *else* is interested...I would like to more directly discuss the
merits of my proposed solution. I appreciate the vigor with which Rick is
pushing his "prevent physical access!" approach, but I'm more honestly
interested in what we can do to protect our data when someone of malicious
intent DOES get ahold of our data storage devices.
Thank you Kristian for the link to the miniPCI keylogger...I have another
one that makes an interesting read as well (and much more scary!):
Anybody know anything about the "watermark attack" or another idea I'm
working with is a timeout that works in conjunction with dm-crypt to flush
the memory and require re-loading of the key from the smartcard after a
certain amount of time.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the sf-lug