On Wed, 18 Aug 2004, at 11:51am, [EMAIL PROTECTED] wrote:
> On Tue, Aug 17, 2004 at 09:58:31PM -0400, [EMAIL PROTECTED] wrote:
>> Most important of all, in order to make use of data in a filesystem
>> journal, you basically need to assume the attacker has achieved full root
>> compromise of your system.
>
> Or have gained physical access to the hard disk ...
I was including that in "full root compromise". :-)
> If the data were valuable to others in some way, it might even be worth
> breaking into your home for.
Absolutely. That's why I tell people that physical security always has to
come first. It's amazing how many places have *literal* security holes.
>> If you were really serious, you would start by never connecting a system
>> containing sensitive information to a public network like the Internet.
>
> For mere mortals with financial and logistical constraints, that's not
> always an option.
Well, it all depends. As far as capital costs go, with a removable hard
drive carrier, you could achieve this for less then $100. I certainly
agree, though, that it's likely overkill for most personal users.
> Managing IA is about managing risks, but it's also about managing costs...
Even more: They are the same thing. Two sides of the same coin, as the
saying goes. In the end, just about every decision comes down to one
question: Is it worth it? (It's determining the inputs to that function
that make life so interesting. :-) )
>> You physically secure the whole computer. It's called "system high".
>
> Really? I've never heard that term before. Have any links?
Well, really, I'm abusing the term slightly. What it *really* means is
that everyone who has access to the computer is cleared to have access for
all the information on the computer. The most common way a system-high
configuration is achieved is to physically secure the whole thing. Crude,
but very effective.
The term comes from the classic NSA "Rainbow Series" on "Trusted Computer
Systems". You can find the formal definition here:
http://www.fas.org/irp/nsa/rainbow/tg004.htm
Look under the entry for "modes of operation".
The Rainbow books, despite their age, remain a very good resource for
people in the IA field. The NSA, mission objectives aside, know what they
are doing.
One thing I always liked about the NSA's policies in particular is that
they state and require that products alone *are not considered trusted*.
Only an entire system (equipment, software, personnel and procedures) can be
certified as a trusted system. That's still a rare attitude in the business
world.
> Well, IIRC, the best encryption that Linux can do to a partition is AES
> 256.
A 256-bit symmetric AES cipher is considered extremely strong by today's
standards, provided it is used properly (e.g., the secret is truly random;
the cipher is cycled with each data block; the secret is adequately
protected; etc.). I haven't seen any analysis, one way or the other, on
what's built-in to the Linux kernel. But then, I haven't looked for any,
either. :-)
> Do you think NSA can't crack AES 256?
Well, some of the best minds in the world think it isn't feasible with
today's technology. Of course, the NSA might have some kind of incredible
breakthrough algorithm or something. Like that black box from the movie
"Sneakers", for example. :)
To answer the question: I don't know if the NSA can crack AES 256. But I
do know that if they can, then nothing we do, short of absolute physical
security, will keep them out.
So I run through the managed risk routine. I believe it is a threat with
very low probability, and counter-measures have a very high cost. I thus
conclude that the counter-measures are not justified.
> If you need to be certain, a dead-man timer may have value.
Well, again, it's all about managed risk. "Certain" means different
things to different people. In some circles, "certain" means assets are
protected by 24-hour TPC (two party control) teams, and equipped with "rapid
destruction mechanisms" that can be triggered in the event of "imminent
compromise by hostile forces". That's about as certain as you can get, I
think.
Dead man timers don't give you certainty, though. If you're compromised
before the dead man timer expires, you're hosed. And if you miss the timer
reset, you're hosed.
--
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
