On Thu, Dec 02, 2004 at 02:25:16PM -0700, Andrew McNabb wrote:
> On Thu, Dec 02, 2004 at 01:56:34PM -0700, Scott K wrote:
> > I can only use my pgp key on my home computer and any other
> > computer I store my private key. I would have to be quite
> > confident nobody with admin access (especially on compromised
> > machines) or physical access (I've done data recovery plenty of
> > times by plugging a drive into my computer and using root
> > privileges to get data) could get at my key. I suppose if I felt
> > really confident I could implement Mike's SELinux and not worry as
> > much about this sort of invasion.

Ummmmmmm... I'm flattered, really, but to set the record straight, the Information Assurance Department of the United States National Security Agency (NSA) developed the FLASK architecture and SELinux, not me. :-) I just did BSD Secure Levels.

And what does MAC have to do with giving your key to a machine under third-party control, anyway? MAC cannot protect against an attacker with physical access, unless you have something like a TPM deployed, because MAC is only applicable under a trusted kernel.

> > To get around this I could upload my key to the cs computers, but
> > then I would have to trust CS admins (which I don't; no offense,
> > but I've seen prior abuse). So ultimately my key would only be
> > attached to mail I sent from home and be somewhat meaningless
> > (since I don't have a Linode server set up).
>
> You are free to do whatever you want, depending on your paranoia level.
> I consider myself a moderate security-conscious person, i.e. no tinfoil
> hat. If you have a really good passphrase, theoretically you should be
> fine leaving your key anywhere.

If you cannot trust your private key on a machine, then you cannot trust your passphrase protecting that key with that machine, as you point out with keystroke loggers et al. If the machine is not under your physical control *at any time*, then someone can taint the kernel, install a root kit, swap the keyboard with one that has an embedded keystroke logger, etc.

Lab machines are especially untrustworthy; anyone can slip one of these on a lab machine:

http://www.keyghost.com/kgHE.htm

And walk away with all sorts of fun secrets. When you sit down on a lab machine, you check the physical cable connection from your keyboard to the box *every time*, right? And you carefully inspect the keyboard itself, right?

http://www.keyghost.com/securekb.htm

Are you sure that that lab machine was not booted from a CD or a USB keychain drive, with a login screen identical to the CS department's login screen? I hope that's all disabled in the BIOS, and the cases themselves are physically locked, which helps to some degree. A heartbeat daemon that stops responding on a reboot isn't a bad idea.

Or... how do you know that's the *real* GDM, and not a program that looks like GDM running under a student's session? Is the network cable in the back plugged into the right router, or a rogue wireless bridge? What about the monitor, keyboard, and mouse - are they plugged into the right box? Have you checked, or do you just take that for granted? How often do students SSH into their home machines from lab machines?

CS department admins: you type ``/bin/su'' and not ``su'' from student accounts when you help students debug machine problems, right? And are you *sure* that's ``bash'', or is it ``bash-1337'' that's running? When you hit Ctrl-Alt-F1, is that login prompt really from /bin/login?

When your job is to lock systems down from every angle of attack, all the possible vectors make one's head spin. Personally, I have developed a new level of paranoia about these sorts of things. And securing machines for which attackers have physical access is nothing short of a nightmare. The only thing keeping the average CS department lab from imploding is the general honesty and trustworthiness of the students.

Mike

.___________________________________________________________________.
Michael A. Halcrow
Security Software Engineer, IBM Linux Technology Center
GnuPG Fingerprint: 05B5 08A8 713A 64C1 D35D 2371 2D3C FDDA 3EB6 601D

What's another word for synonym?
--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
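The ``/bin/su'' versus ``su'' point in the message above comes down to PATH resolution: a student whose ~/bin sits first in PATH can drop a script named su there, and an admin who types the bare name from that account runs the student's script, not the system binary. The following is an added example, not part of the original thread, that builds a throwaway copy of that situation under a temp directory and shows the pre-flight check an admin can run before typing su. The directory names ($demo/sysbin standing in for /bin, $demo/home/bin for the student's ~/bin), the two stand-in su scripts, and the function names are all constructed for the demo; no real su is touched or invoked.

```shell
#!/bin/sh
# Added example, not from the original thread. Shows why "/bin/su" rather than
# "su" matters: an attacker-writable directory early in PATH shadows the real
# binary. Everything here is constructed under a temp directory; "$demo/sysbin"
# stands in for /bin and no real su is touched or invoked.

# Build the demo tree: a stand-in system su and a trojaned su in a "student"
# ~/bin. Prints the demo root.
make_demo() {
    demo=$(mktemp -d) || return 1
    mkdir -p "$demo/sysbin" "$demo/home/bin"
    printf '#!/bin/sh\necho "real su: would switch user"\n' > "$demo/sysbin/su"
    # A real trojan would print "Password:", log what was typed, then exec the
    # genuine binary with the same arguments so the admin never notices.
    printf '#!/bin/sh\necho "trojan su: password captured"\n' > "$demo/home/bin/su"
    chmod 755 "$demo/sysbin/su" "$demo/home/bin/su"
    echo "$demo"
}

# Which file does a bare command name resolve to under a given PATH?
# Runs in a subshell so the caller's PATH is untouched.
resolve_in_path() {
    ( PATH="$1"; command -v "$2" )
}

# Pre-flight check before typing "su" from someone else's account: does the su
# that PATH resolves to live in the trusted directory? Returns 0 if so.
su_path_is_trusted() {
    found=$(resolve_in_path "$1" su) || return 1
    [ "$found" = "$2/su" ]
}

# Another cheap tell for the "is that really bash?" question: which binary is
# the current shell actually running? (Linux only; prints nothing elsewhere.)
running_shell_binary() {
    readlink "/proc/$$/exe" 2>/dev/null || true
}

demo=$(make_demo)
student_path="$demo/home/bin:$demo/sysbin"   # the student's login PATH, ~/bin first
echo "bare 'su' resolves to: $(resolve_in_path "$student_path" su)"
if su_path_is_trusted "$student_path" "$demo/sysbin"; then
    echo "su is the system one"
else
    echo "su is shadowed; type the full path instead"
fi
echo "this shell is: $(running_shell_binary)"
rm -rf "$demo"
```

Typing the absolute path sidesteps the shadowing but not a trojaned shell: if the shell itself is the student's ``bash-1337'', it can rewrite ``/bin/su'' to anything before exec, which is why the message also asks what binary the shell really is. On a real box, ``command -v su'' from the student account is the same check as resolve_in_path above, and a PATH that contains any directory the student can write to should end the session before su is typed at all.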
