
Re: Create a SAFE TOR Hidden Service in a VM (Re: Please Help Me Test my Hidden Service Pt. 2)



On 02/24/10 00:10, Ringo wrote:

> One update that should be noted is that this doesn't protect against
> "bad nanny" attacks. With full disk encryption, the boot partition isn't
> encrypted (as you have to load it so it can ask for your passphrase and
> decrypt the rest of the drive). If the machine isn't physically secured,
> it's vulnerable to this type of attack.

Perhaps mention the benefits of TPM chips (on 'ix, they can be configured to benefit the user, not some record company)?

- Alternatively, a simple BIOS boot password will block nanny from using your own CPU against you (e.g. loading up a CD or USB OS). Should she delete the password - which she wouldn't do - she'll not be able to replace it and you'll then know that you need to use a different HD.

- FWIW, I run a quick MD5 hash check on the boot partition as part of my boot up. Quick and easy; again, IDS, not IPS.

- Somewhere I read of using smartmontools to keep track of disk-usage; a script interrogates the HD at shutdown and again at startup; if they don't match, the drive was used outside of the OS (e.g. removed and copied by a forensic program). Suppose you could add a second, manual test (or hidden script) that assured that they didn't crack your encryption and use your own OS.

Of course, nothing is 100%.


***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxxx with
unsubscribe or-talk    in the body. http://archives.seul.org/or/talk/
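
An added example, not part of the original message: the shutdown/startup SMART comparison described in the reply above, as a POSIX shell script that works on saved `smartctl -A` output. The function names, the one-hour tolerance and the sample snapshots are assumptions made for illustration.

```shell
#!/bin/sh
# Compare SMART counters saved at shutdown with those read at the next startup.
# A snapshot is the text output of: smartctl -A <device> > snapshot-file

# Print the raw value (10th column) of one attribute; fail if it is absent.
smart_raw() {
    awk -v name="$2" '$2 == name { print $10 + 0; found = 1 }
                      END { exit !found }' "$1"
}

# Return 0 if the counters fit one normal power-off/power-on, 1 if the drive
# was powered while the OS was down, 2 if a snapshot cannot be parsed.
check_offline_use() {
    c0=$(smart_raw "$1" Power_Cycle_Count) || return 2
    c1=$(smart_raw "$2" Power_Cycle_Count) || return 2
    h0=$(smart_raw "$1" Power_On_Hours) || return 2
    h1=$(smart_raw "$2" Power_On_Hours) || return 2
    # Assumption: this boot adds exactly one power cycle and at most
    # MAX_HOURS (default 1) to the hour counter.
    [ "$c1" -eq $((c0 + 1)) ] || { echo "ALERT: power cycles $c0 -> $c1"; return 1; }
    [ "$h1" -ge "$h0" ] && [ $((h1 - h0)) -le "${MAX_HOURS:-1}" ] ||
        { echo "ALERT: power-on hours $h0 -> $h1"; return 1; }
    echo "OK: cycles $c0 -> $c1, hours $h0 -> $h1"
}

# Constructed sample snapshot (not from a real drive): FILE HOURS CYCLES
make_snapshot() {
    cat > "$1" <<EOF
ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE      UPDATED  WHEN_FAILED RAW_VALUE
  9 Power_On_Hours          0x0032   099   099   000    Old_age   Always       -       $2
 12 Power_Cycle_Count       0x0032   100   100   000    Old_age   Always       -       $3
EOF
}

demo() {
    d=$(mktemp -d)
    make_snapshot "$d/shutdown" 4120 871
    make_snapshot "$d/clean"    4120 872   # normal next boot
    make_snapshot "$d/imaged"   4123 873   # drive powered elsewhere for ~3 h
    check_offline_use "$d/shutdown" "$d/clean"
    check_offline_use "$d/shutdown" "$d/imaged" || echo "exit status $?"
    rm -rf "$d"
}
demo
```

Like the hash check in the message, this only detects use of the drive after the fact, and the shutdown snapshot has to be stored somewhere an attacker cannot rewrite it.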