
Re: Create a SAFE TOR Hidden Service in a VM (Re: Please Help Me Test my Hidden Service Pt. 2)



On Wed, 2010-02-24 at 11:56 -0500, 7v5w7go9ub0o wrote:
> On 02/24/10 00:10, Ringo wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > One update that should be noted is that this doesn't protect against
> > "bad nanny" attacks. With full disk encryption, the boot partition isn't
> > encrypted (as you have to load it so it can ask for your passphrase and
> > decrypt the rest of the drive). If the machine isn't physically secured,
> > it's vulnerable to this type of attack.
> 
> Perhaps mention the benefits of TPM chips (on 'ix, they can be 
> configured to benefit the user, not some record company)?
> 
Yup. Check out Trusted Grub if you're blessed with the appropriate
hardware.
> - Alternatively, a simple BIOS boot password will block nanny from using 
> your own cpu against you (e.g. loading up a CD or USB OS). Should she 
> delete the password - which she wouldn't do - she'll not be able to 
> replace it and you'll then know that you need to use a different HD.
> 
> - FWIW, I run a quick MD5 hash check on the boot partition as part of my 
> boot up. Quick and easy; again, IDS, not IPS.
> 
Do you read the source for your shell script before every boot? The
attacker could just replace your hash check with a no-op and print
"Everything is fine", and you wouldn't be any wiser.

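The boot-partition hash check discussed in this thread, as an added example that is not code from either poster: it uses SHA-256 instead of the MD5 mentioned, and it also flags files added to the partition. It assumes the script and its manifest are kept off the unencrypted boot partition (encrypted root or removable media), since the reply above notes that a check the attacker can edit can be replaced; the function names and paths are illustrative.

```shell
#!/bin/sh
# Added example: manifest-based integrity check for an unencrypted boot directory.
# Assumption: this script and the manifest are stored off the boot partition
# (encrypted root or removable media), so editing /boot alone cannot alter them.
# Requires GNU coreutils/findutils (sha256sum, sort -z, xargs -0).

# make_manifest DIR MANIFEST: record a SHA-256 for every regular file under DIR.
make_manifest() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z \
        | xargs -0 -r sha256sum ) > "$2"
}

# verify_boot DIR MANIFEST: returns 0 if DIR matches MANIFEST exactly,
# 1 on any modified, missing or added file, 2 if the manifest is unusable.
verify_boot() {
    dir=$1 manifest=$2
    [ -s "$manifest" ] || { echo "manifest missing or empty: $manifest" >&2; return 2; }
    status=0

    # Modified or missing files: sha256sum reports each failing entry.
    if ! ( cd "$dir" && sha256sum --check --quiet ) < "$manifest" >&2; then
        status=1
    fi

    # Added files: anything on disk that the manifest does not list.
    expected=$(sed 's/^[0-9a-f]*  //' "$manifest" | LC_ALL=C sort)
    actual=$( cd "$dir" && find . -type f | LC_ALL=C sort )
    if [ "$expected" != "$actual" ]; then
        echo "file list differs from manifest" >&2
        status=1
    fi
    return $status
}

# Command-line use: "init DIR MANIFEST" after a trusted update,
# "verify DIR MANIFEST" after each boot.
case "${1:-}" in
    init)   make_manifest "$2" "$3" ;;
    verify) verify_boot "$2" "$3" ;;
esac
```

The manifest has to be regenerated with `init` after every legitimate kernel or bootloader update, from a state known to be good.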