[EROS-Arch] Re: [E-Lang] Re: Interaction Design for End-User Security
Mark S. Miller
markm@caplet.com
Thu, 22 Mar 2001 05:20:48 -0800
At 06:09 PM Wednesday 3/21/01, John C. Randolph wrote:
>On Wednesday, March 21, 2001, at 05:44 PM, Mark S. Miller wrote:
>[snippage]
>
>>This leaves stock desktop machines in unlocked offices in an untenable
>>situation. Software by itself can do nothing to repair the situation. This
>>may be the strangest argument yet for telecommuting -- separation of
>>physical vulnerabilities.
>
>What about encrypted filesystems?
Encrypted filesystems prevent the attacker from obtaining the data at the
time of the break-in. However, as with Seth's keyghost example, the
attacker can corrupt your system so that any further use of it gives them
everything. Hardware attacks like keyghost are cool but aren't necessary.
Given stock hardware, the attacker can reboot your machine from an inserted
floppy, corrupt the software that would revive it from the encrypted file
system, send the contents of the encrypted file system over the internet to
themselves for decryption later, remove their floppy, and reboot again.
When you reenter your office, you find the machine is no longer in your
locked screen saver. Instead, it's rebooted and is asking for the
passphrase for unlocking the encrypted file system. No cause for alarm,
your machine reboots more often than you'd like anyway. Even if you're
paranoid enough to not be sure you're looking at the genuine reboot-prompt
state, you reboot again and are prompted again. You type in the passphrase,
and game over.
Cheers,
--MarkM