On Wed, 18 Aug 2004, at 11:51am, [EMAIL PROTECTED] wrote:
> On Tue, Aug 17, 2004 at 09:58:31PM -0400, [EMAIL PROTECTED] wrote:
>> Most important of all, in order to make use of data in a filesystem
>> journal, you basically need to assume the attacker has achieved full root
>> compromise of your system.
>
> Or have gained physical access to the hard disk ...

I was including that in "full root compromise".  :-)

> If the data were valuable to others in some way, it might even be worth
> breaking into your home for.

Absolutely.  That's why I tell people that physical security always has to
come first.  It's amazing how many places have *literal* security holes.

>> If you were really serious, you would start by never connecting a system
>> containing sensitive information to a public network like the Internet.
>
> For mere mortals with financial and logistical constraints, that's not
> always an option.

Well, it all depends.  As far as capital costs go, with a removable hard
drive carrier, you could achieve this for less than $100.  I certainly
agree, though, that it's likely overkill for most personal users.

> Managing IA is about managing risks, but it's also about managing costs...

Even more: They are the same thing.  Two sides of the same coin, as the
saying goes.  In the end, just about every decision comes down to one
question: Is it worth it?  (It's determining the inputs to that function
that make life so interesting.  :-) )

>> You physically secure the whole computer.  It's called "system high".
>
> Really?  I've never heard that term before.  Have any links?

Well, really, I'm abusing the term slightly.  What it *really* means is
that everyone who has access to the computer is cleared to have access for
all the information on the computer.  The most common way a system-high
configuration is achieved is to physically secure the whole thing.  Crude,
but very effective.

The term comes from the classic NSA "Rainbow Series" on "Trusted Computer
Systems".  You can find the formal definition here:

http://www.fas.org/irp/nsa/rainbow/tg004.htm

Look under the entry for "modes of operation".

The Rainbow books, despite their age, remain a very good resource for
people in the IA field.  The NSA, mission objectives aside, know what they
are doing.
One thing I always liked about the NSA's policies in particular is that
they state and require that products alone *are not considered trusted*.
Only an entire system (equipment, software, personnel and procedures) can
be certified as a trusted system.  That's still a rare attitude in the
business world.

> Well, IIRC, the best encryption that Linux can do to a partition is AES
> 256.

A 256-bit symmetric AES cipher is considered extremely strong by today's
standards, provided it is used properly (e.g., the secret is truly random;
the cipher is cycled with each data block; the secret is adequately
protected; etc.).  I haven't seen any analysis, one way or the other, on
what's built-in to the Linux kernel.  But then, I haven't looked for any,
either.  :-)

> Do you think NSA can't crack AES 256?

Well, some of the best minds in the world think it isn't feasible with
today's technology.  Of course, the NSA might have some kind of incredible
breakthrough algorithm or something.  Like that black box from the movie
"Sneakers", for example.  :)

To answer the question: I don't know if the NSA can crack AES 256.  But I
do know that if they can, then nothing we do, short of absolute physical
security, will keep them out.  So I run through the managed risk routine.
I believe it is a threat with very low probability, and counter-measures
have a very high cost.  I thus conclude that the counter-measures are not
justified.

> If you need to be certain, a dead-man timer may have value.

Well, again, it's all about managed risk.  "Certain" means different things
to different people.  In some circles, "certain" means assets are protected
by 24-hour TPC (two party control) teams, and equipped with "rapid
destruction mechanisms" that can be triggered in the event of "imminent
compromise by hostile forces".  That's about as certain as you can get, I
think.

Dead man timers don't give you certainty, though.  If you're compromised
before the dead man timer expires, you're hosed.
And if you miss the timer reset, you're hosed.

-- 
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |