Sebastian .Rother wrote: > Theo de Raadt schrieb: > >>>Hello everybody, >>> >>>I found an entry on the Website wich confused me: >>> >>>New functionality: >>>. >>>. >>>. >>>wd <http://www.openbsd.org/cgi-bin/man.cgi?query=wd&sektion=4> disks >>>have the security feature frozen before being attached to prevent >>>malicious users setting a password that would prevent the contents of >>>the drive from being accessed. >>> >>>Isn't that a disadvantage? Maybe I understand it in a wrong way but I >>>understood, that I can't use this feature anymore on 3.8. >>> >>> >> >>Let me onto your machine as root for about 10 seconds, and I will show >>you why this disk drive feature is retarded. >> > > Yes you're right Theo but isn't that a Problem an OS shouldn't deal with? > I mean that is no software related Problem. It's part of the "physical > security" > maybe or it's maybe part of your own "net of trust".
No, this isn't a physical security issue at all. If I slip you a really cool program that you run blindly without reading the source (which I was careful to not give you), I could easily set a disk PW...and then sell you the password. How much is your data worth to you? Send that amount to me, and I'll unlock it for you. maybe. Anyone remember the OpenSSH "exploit" which spread viral-like between users who were amazed that a program, run as root, would report that it successfully used OpenSSH to gain root access to your machine (meanwhile, mailing your password and network files to a drop box for later abuse)? People handed it around, to "show" each other. Virus powered by stupidity. Finest kind. ok, want a more "innocent" version? Ok, how about this: Web page fires off a Mozilla/Firefox) exploit. Exploit first invokes sudo with atactl, boom. Password set, even though you aren't running as root (unless you actually demand PWs every time you run sudo). This "feature" should be set only by the BIOS in the machine (if it is to exist at all, but it does, and it probably isn't going away for a while). This is a feature only if you call a time bomb a feature. There was a number of threads on this on misc@ recently... ... > Sometimes this Password is the nearly last stage of defence against an > Attacker. Eventually, this password will be the first stage of attack against users. Wait for it. Nick.
