Wow, you do this to all of your systems :) What kind of business are you in? :)

Well, the "CPU s/n as encryption key" sounded good to me ... Looks like an interesting GRUB plugin to me.

On Jan 18, 2008 11:39 PM, Bill Watson <[EMAIL PROTECTED]> wrote:

> Given this is not to require field serviceable parts, encase it inside a plastic potted brick.
>
> Use a security plan that requires that particular CPU s/n to function. Use the CPU s/n as the encryption key.
>
> Tie functionality to that device's ethernet card MAC address.
>
> Have phone home technology that if hardware changes, it stops working.
>
> Design the system such that some critical small part is required to be downloaded from your website when the system is restarted.
>
> Rate limit the transactions such that a computer program prompting it with all possible inputs would take forever to gather all the outputs.
>
> Do not use a standard database for your data. Use something stable but obscure. It makes the data files useless without the system programs to read it. I do this on all my systems.
>
> Bill Watson
> [EMAIL PROTECTED]
>
> -----Original Message-----
> *From:* [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED] *On Behalf Of *Ahmed Kamal
> *Sent:* Friday, January 18, 2008 1:05 PM
> *To:* Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
> *Subject:* Re: [rhelv5-list] Protect my stolen disk
>
> Thanks for understanding what I need, and not asking why I need it :) Yes, it is very similar to the Google box.
>
> So, none of you actually faced a protected box of this kind. The one time I wanted to look inside a box (it was some firewall box from India), I ripped the drive, tried to mount it but couldn't ... mount said the filesystem was unknown! I kept trying for 15 minutes or so, but didn't have enough motivation to spend money/time on this, so I just gave up. I wanted to replicate that, but I have no idea how it was done.
>
> So, if anyone ever saw a protected box of this sort, and understood how it was done ;) please share your experience
>
> Thanks for all the comments
>
> On Jan 18, 2008 10:48 PM, Paul Krizak < [EMAIL PROTECTED]> wrote:
>
> > If the technology he's developing is comparable in nature to that of a Google Search Appliance, then I could see how this would be the case. For example, the internal index may use database schemas (or data) that should not be accessible to the customer. Additionally, any PHP/CGI/etc code loaded on the machine would be good to have hidden from prying eyes to prevent code theft.
> >
> > If I were building something akin to a Google Search Appliance, i.e. something that you bring into an isolated network, plug it in, then treat it as a "black box" appliance, then I would probably be asking the same questions he's asking. However, I doubt even the Googles of the world go to the extreme of actually encrypting the hard disk just to protect the data and code. A well-engineered firewall and system configuration that prevents access to confidential data and code is probably enough to keep most casual observers out. Anybody nefarious enough to rip the hard disk out of the box to try and get to the data is probably determined enough to get around any encryption scheme that would be implemented.
> >
> > Companies that purchase "black box" servers like this aren't in the business of stealing code...that's why they buy a "black box", turn it on, and expect it to "just work".
> >
> > Paul Krizak 7171 Southwest Pkwy MS B400.2A
> > Advanced Micro Devices Austin, TX 78735
> > Linux/Unix Systems Engineering Desk: (512) 602-8775
> > Silicon Design Division Cell: (512) 791-0686
> >
> > John Summerfield wrote:
> > > Ahmed Kamal wrote:
> > >> oh! No, the hardware is *not* my concern. It's the data! Let me quickly recap. Let's try points this time
> > >>
> > >> - The Linux system I build will be on someone else's network (mostly other potentially hostile companies)
> > >> - The system provides a web interface to a database that users should access & use
> > >> - The users should not be able to steal/mount the disk, to dump my database or look at my code
> > >> - I know such setup will never be 100% secure, I just need to make stealing the data as hard as possible
> > >>
> > >> Hope that's clear. I apologize if I was not too clear earlier
> > >
> > > Nothing you've said so far tells me why you must have confidential data on local storage or why you can't run these "kiosk" machines off a server located in a secure location.
> > >
> > >> On Jan 18, 2008 5:46 PM, J E < [EMAIL PROTECTED]> wrote:
> > >>
> > >>> On Jan 18, 2008, at 10:27 AM, John Summerfield wrote:
> > >>>
> > >>>> Ahmed Kamal wrote:
> > >>>>> Perhaps I misused the word "kiosk" and was not clear describing the role of the nodes. They will not be on my network. They will be on someone else's network (some other company, or some other organization). The nodes will be providing network services (Custom databases, accessible through a browser), sometimes some LDAP services.
> > >>>>> Again, the people around the machine should use it as intended, no one should be able to steal/mount the disk to dump data (at least not easily)
> > >>>> I think we need better information about the problem you're trying to solve.
> > >>>
> > >>> Agreed. If your main worry is that the hardware will be stolen, cheap hardware abounds in the marketplace. I'd not invest heavily in systems that aren't going to be monitored - probably better to treat them as throwaways if you aren't going to lock them in some form of cabinet. And don't rule out hardware terminal servers like those available from HP starting at $200.
> > >>>
> > >>> If it's the data that you are worried about, the fact that you have to ask how best to protect it should tell you that doing it with local storage is probably a very bad idea.
> > >>>
> > >>> jef
> > >>>
> > >>> _______________________________________________
> > >>> rhelv5-list mailing list
> > >>> [email protected]
> > >>> https://www.redhat.com/mailman/listinfo/rhelv5-list
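
An added example, not part of the thread and not any poster's code: one way to bind a disk key to the CPU serial number and MAC address mentioned above, combined with the small secret downloaded at restart. Because anyone holding the box can read the hardware identifiers, the sketch feeds them in as a public binding value rather than as the key itself; the function names, the `info` label and all sample values are assumptions constructed for illustration.

```python
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869), extract-then-expand with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def normalize_mac(mac: str) -> bytes:
    """Canonicalize so 00-1A-.., 00:1a:.. and 001a.2b3c.. bind identically."""
    digits = mac.strip().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError("MAC address must be 48 bits")
    return bytes.fromhex(digits)  # raises ValueError on non-hex input


def volume_key(cpu_serial: str, mac: str, server_secret: bytes) -> bytes:
    """256-bit key bound to this hardware and to a secret fetched at boot."""
    if len(server_secret) < 16:
        raise ValueError("server secret must carry at least 128 bits")
    fields = (cpu_serial.strip().upper().encode(), normalize_mac(mac))
    # Length-prefix each field so ("AB", "C") and ("A", "BC") cannot collide.
    binding = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    # Hardware IDs are readable by whoever holds the box, so they go in as the
    # public salt; only the server-held secret is treated as key material.
    return hkdf_sha256(server_secret, hashlib.sha256(binding).digest(),
                       b"appliance-volume-key-v1")


if __name__ == "__main__":
    secret = bytes(range(32))  # constructed stand-in for the downloaded part
    key = volume_key("0000-0651-0000-0000", "00:1A:2B:3C:4D:5E", secret)
    moved = volume_key("0000-0651-0000-0000", "00:1A:2B:3C:4D:5F", secret)
    print(key.hex(), key != moved)
```

A disk moved to other hardware, or booted without the server-held secret, derives a different key and the volume stays sealed; an attacker who holds the complete running box is outside what this binding addresses.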
