> He suggested finding an unused line on a UART. Typical routers don't use
> their parallel ports for much, so I suppose you could toggle a bit on the
> parport (I remember suggesting to Mike that Charles would be able to
> consider the feasibility of this idea, based on his work with parallel-port
> LCDs). And I2C might be able to do this too ... I don't really know about
> that one.
>
> That said, it still *sounds* like software WP, even though there is a
> hardware element involved. If the remote connection is compromised, then so
> is security. He suggested you could find or create a protocol with
> acceptably low risk of compromise ... but if this were true as a general
> matter, we wouldn't be worrying about system penetrations, right?

Right. It's still software-based write-protection, and someone with full access to the box can reverse engineer the setup pretty easily. As root, there's no need to figure out any nasty authentication, only which bits to toggle to enable writing. Of course, you'd still have security by obscurity, and most folks wouldn't really try that hard to crack the system, but it's not fundamentally a lot more secure than no write protection, primarily since the code to enable/disable WP is resident on the box, so it's just a matter of how long it takes the intruder to find it, then figure out what it does.

I personally like the idea of a hardware switch. Even if you've got a remote box (let's say you're a consultant and the box is at a client site). A quick call to the client to "flip the switch" helps give them a good feeling, and prepares them for your next bill ;-)

If it's absolutely essential to have remotely configurable write-protect, I'd probably try to tie it into a separate system (perhaps part of a remote maintenance system that could include other features like serial port console connections to the systems in question, remote control of AC power for those times when a hard-reset is needed, etc). In addition to being able to diddle the WP setting, you can also do most any required disaster recovery (assuming no hardware failures and the BIOS has serial-console re-direction).

This sort of application is one of the things I'd like to see LEAF grow into supporting...I'm rapidly approaching the point where I need a serial port terminal server to use as a cheap, remotely accessible KVM switch for all my Linux boxes. Yes, I run ssh, but you can select an emergency boot partition with a serial console...kind of hard to do with ssh, at least until they patch ssh support into grub or lilo ;-)

Charles Steinkuehler
[EMAIL PROTECTED]

_______________________________________________
Leaf-devel mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-devel
