On Thu, 2010-02-25 at 13:41 -0500, 7v5w7go9ub0o wrote:
> On 02/24/10 23:16, Ted Smith wrote:
> > On Wed, 2010-02-24 at 11:56 -0500, 7v5w7go9ub0o wrote:
> []
> >> Perhaps mention the benefits of TPM chips (on 'ix, they can be
> >> configured to benefit the user, not some record company)?
> >>
> > Yup. Check out Trusted Grub if you're blessed with the appropriate
> > hardware.
> []
> >> - FWIW, I run a quick MD5 hash check on the boot partition as part
> >> of my boot up. Quick and easy; again, IDS, not IPS.
> >>
> > Do you read the source for your shell script before every boot? The
> > attacker could just replace your hash check with a no-op and print
> > "Everything is fine", and you wouldn't be any wiser.
> >
>
> That's right - unless, I suppose, you could store it somewhere in the
> TPM chip, and have TPM oversee the hashing. But as you mention, Trusted
> Grub is the more elegant solution. (Wish I could get a TPM chip for my
> Asus P6T :-( )
>
> FWIW, I run this check after boot up, and after Loop-AES OTFE is active
> and makes the encrypted hash available (sigh...Intrusion detection, not
> Intrusion prevention)

Oh, in that case it seems like it would be secure - the intruder can't
change the encrypted hash, and if you verify that the hash is correct
before starting networking, they can't get your password either.

This is getting a bit long for an OT thread, so I think we should cut it
off here.
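
The check discussed in this thread, as an added example that is not code from either poster: the boot partition is hashed and compared against a reference kept on the encrypted volume, and the script fails closed if that reference is unavailable. It uses SHA-256 in place of the MD5 mentioned above; the function names, the `/dev/sdX1` device and the `/mnt/crypt` mount point are hypothetical, and the script itself is assumed to live on the encrypted volume alongside the reference.

```shell
#!/bin/sh
# Added example: names and paths are hypothetical placeholders.

# Print only the hex SHA-256 digest of a block device or file.
# Returns non-zero if the target cannot be read.
boot_hash() {
    out=$(sha256sum "$1") || return 1
    printf '%s\n' "${out%% *}"
}

# Record a known-good hash. Run from a trusted state, with the encrypted
# volume mounted, each time the kernel or bootloader is updated.
record_boot_hash() {
    target=$1; ref=$2
    boot_hash "$target" > "$ref" && chmod 600 "$ref"
}

# Return 0 on match, 1 on mismatch, 2 if the check could not be performed
# (reference missing or empty, e.g. encrypted volume not mounted, or the
# target unreadable). Any non-zero result must stop the boot sequence.
verify_boot_hash() {
    target=$1; ref=$2
    [ -s "$ref" ] || return 2
    expected=$(cat "$ref")
    actual=$(boot_hash "$target") || return 2
    [ "$actual" = "$expected" ] || return 1
    return 0
}

# Intended order in a boot script: after the encrypted volume is unlocked,
# before any network interface is brought up.
#   verify_boot_hash /dev/sdX1 /mnt/crypt/boot.sha256 || exit 1
```

This remains detection rather than prevention: a modified boot partition has already run by the time the check executes, so a mismatch means the passphrase just typed should be treated as exposed.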