On Wed, 2010-02-24 at 11:56 -0500, 7v5w7go9ub0o wrote:
> On 02/24/10 00:10, Ringo wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > One update that should be noted is that this doesn't protect against
> > "bad nanny" attacks. With full disk encryption, the boot partition isn't
> > encrypted (as you have to load it so it can ask for your passphrase and
> > decrypt the rest of the drive). If the machine isn't physically secured,
> > it's vulnerable to this type of attack.
>
> Perhaps mention the benefits of TPM chips (on 'ix, they can be
> configured to benefit the user, not some record company)?
>

Yup. Check out Trusted Grub if you're blessed with the appropriate hardware.

> - Alternatively, a simple BIOS boot password will block nanny from using
> your own cpu against you (e.g. loading up a CD or USB OS). Should she
> delete the password - which she wouldn't do - she'll not be able to
> replace it and you'll then know that you need to use a different HD.
>
> - FWIW, I run a quick MD5 hash check on the boot partition as part of my
> boot up. Quick and easy; again, IDS, not IPS.
>

Do you read the source for your shell script before every boot? The
attacker could just replace your hash check with a no-op and print
"Everything is fine", and you wouldn't be any wiser.
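Added example, not part of the original thread and not any poster's script: a boot-file integrity check meant to be run from separate media the owner carries, with the baseline stored on that media, so neither the checker nor the reference hashes live on the disk being checked. The script name `bootcheck.py`, the JSON manifest format and the use of SHA-256 instead of MD5 are assumptions made for this illustration.

```python
#!/usr/bin/env python3
"""Compare files under a boot directory with a baseline kept on separate media."""
import hashlib
import json
import os
import sys


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative path: SHA-256} for every regular file under root (symlinks skipped)."""
    manifest = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path) and not os.path.islink(path):
                manifest[os.path.relpath(path, root)] = sha256_file(path)
    return manifest


def compare(baseline, current):
    """Return sorted lists (added, removed, modified) of relative paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return added, removed, modified


def main(argv):
    # usage (hypothetical name): bootcheck.py record|verify BOOT_DIR MANIFEST
    mode, boot_dir, manifest_path = argv[1:4]
    current = build_manifest(boot_dir)
    if mode == "record":
        with open(manifest_path, "w") as fh:
            json.dump(current, fh, indent=1, sort_keys=True)
        return 0
    with open(manifest_path) as fh:
        added, removed, modified = compare(json.load(fh), current)
    for label, paths in (("ADDED", added), ("REMOVED", removed), ("MODIFIED", modified)):
        for p in paths:
            print(label, p)
    return 1 if (added or removed or modified) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Like the MD5 check quoted above, this detects changes after the fact rather than preventing them, and it covers only files in the mounted boot filesystem, not boot sectors or firmware.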