OpenBSD 3.8 - http://www.openbsd.org/38.html - Question
Hello everybody, I found an entry on the Website wich confused me: New functionality: . . . wd http://www.openbsd.org/cgi-bin/man.cgi?query=wdsektion=4 disks have the security feature frozen before being attached to prevent malicious users setting a password that would prevent the contents of the drive from being accessed. Isn't that a disadvantage? Maybe I understand it in a wrong way but I understood, that I can't use this feature anymore on 3.8. Kind regards, Sebastian
Re: OpenBSD 3.8 - http://www.openbsd.org/38.html - Question
Hello everybody, I found an entry on the Website wich confused me: New functionality: . . . wd http://www.openbsd.org/cgi-bin/man.cgi?query=wdsektion=4 disks have the security feature frozen before being attached to prevent malicious users setting a password that would prevent the contents of the drive from being accessed. Isn't that a disadvantage? Maybe I understand it in a wrong way but I understood, that I can't use this feature anymore on 3.8. Let me onto your machine as root for about 10 seconds, and I will show you why this disk drive feature is retarded.
Re: OpenBSD 3.8 - http://www.openbsd.org/38.html - Question
Theo de Raadt schrieb: Hello everybody, I found an entry on the Website wich confused me: New functionality: . . . wd http://www.openbsd.org/cgi-bin/man.cgi?query=wdsektion=4 disks have the security feature frozen before being attached to prevent malicious users setting a password that would prevent the contents of the drive from being accessed. Isn't that a disadvantage? Maybe I understand it in a wrong way but I understood, that I can't use this feature anymore on 3.8. Let me onto your machine as root for about 10 seconds, and I will show you why this disk drive feature is retarded. Yes you're right Theo but isn't that a Problem an OS shouldn't deal with? I mean that is no software related Problem. It's part of the physical security maybe or it's maybe part of your own net of trust. Theere some PRO and CONTRA but it deals mostly with trust or physical security. :-/ Are there improvements for the virtual encrypted Partitions? Like stronger encryption? Or maybe using Twofish... Sometimes this Password is the nearly last stage of defence against an Attacker. Kind regards, Sebastian
Re: OpenBSD 3.8 - http://www.openbsd.org/38.html - Question
Yes you're right Theo but isn't that a Problem an OS shouldn't deal with? Are you even trying to make sense? I mean that is no software related Problem. It's part of the physical security maybe or it's maybe part of your own net of trust. Theere some PRO and CONTRA but it deals mostly with trust or physical security. :-/ Are there improvements for the virtual encrypted Partitions? Like stronger encryption? Or maybe using Twofish... Sometimes this Password is the nearly last stage of defence against an Attacker. You are totally not making sense.
Re: OpenBSD 3.8 - http://www.openbsd.org/38.html - Question
Sebastian .Rother wrote: Theo de Raadt schrieb: Hello everybody, I found an entry on the Website wich confused me: New functionality: . . . wd http://www.openbsd.org/cgi-bin/man.cgi?query=wdsektion=4 disks have the security feature frozen before being attached to prevent malicious users setting a password that would prevent the contents of the drive from being accessed. Isn't that a disadvantage? Maybe I understand it in a wrong way but I understood, that I can't use this feature anymore on 3.8. Let me onto your machine as root for about 10 seconds, and I will show you why this disk drive feature is retarded. Yes you're right Theo but isn't that a Problem an OS shouldn't deal with? I mean that is no software related Problem. It's part of the physical security maybe or it's maybe part of your own net of trust. No, this isn't a physical security issue at all. If I slip you a really cool program that you run blindly without reading the source (which I was careful to not give you), I could easily set a disk PW...and then sell you the password. How much is your data worth to you? Send that amount to me, and I'll unlock it for you. maybe. Anyone remember the OpenSSH exploit which spread viral-like between users who were amazed that a program, run as root, would report that it successfully used OpenSSH to gain root access to your machine (meanwhile, mailing your password and network files to a drop box for later abuse)? People handed it around, to show each other. Virus powered by stupidity. Finest kind. ok, want a more innocent version? Ok, how about this: Web page fires off a Mozilla/Firefox) exploit. Exploit first invokes sudo with atactl, boom. Password set, even though you aren't running as root (unless you actually demand PWs every time you run sudo). This feature should be set only by the BIOS in the machine (if it is to exist at all, but it does, and it probably isn't going away for a while). This is a feature only if you call a time bomb a feature. There was a number of threads on this on misc@ recently... ... Sometimes this Password is the nearly last stage of defence against an Attacker. Eventually, this password will be the first stage of attack against users. Wait for it. Nick.