On 07/30/2011 01:01 AM, Jos Vos wrote:
> On Sat, Jul 30, 2011 at 12:29:24AM +0900, 夜神 岩男 wrote:
>> Coming originally from secret squirrel land, one of the cardinal
>> security rules for us was simply "If the attacker has physical access,
>> you don't have security".
> I would say "... you have much less security". No security is just
> not true. Doing all the things Dag said and using encrypted filesystems
> provides a certain security level even with physical access.
If you have a compromise of any sort in a truly high security
environment -- the sort of environment where a minor side-channel
information leak (this can even be things like consistent data on the
frequency of disk I/O) is cause to rip out millions of dollars of
deployed equipment, cancel a large operation, re-deploy a dispersed set
of operating units or move satellites around -- then you are
compromised. It's like the old saying about being "kind of pregnant" and
has everything to do with the level of paranoia required by that
environment.
I can't think of anywhere this is the case that is using SL 6, though I
could be wrong...
>> Physical access to a system is where coded security gives way in absolute
>> terms to physical security measures. But again, that is if we're talking
>> about serious security environments and almost none of our use cases
>> probably represent that -- so we're left simply balancing usability vs
>> security like normal people.
> The assumption "almost none of our use cases probably represent that" is
> a very bad starting point. Probably the people that completely fucked
> up GNOME (GNOME3 in Fedora 15 is almost unusable for most people I know)
> had a similar thought when they destroyed the GNOME desktop.
...and so I have to give you points for the above statement. I can't
know, and after reading some insane Gnome 3 dev list discussions not 5
minutes ago you are right to warn about such habits of thought.
-Iwao