On Sat Apr 29, 2006 at 14:20:28 +1000, [EMAIL PROTECTED] wrote:
>Benno:
>> On Fri Apr 28, 2006 at 20:18:15 +1000, Malcolm V wrote:
>> >On Friday 28 April 2006 19:55, Adam Bogacki wrote:
>> ><snipped>
>> >> http://www.theregister.co.uk/2006/04/27/schneier_infosec/
>
>Getting back to the topic, I believe that it is possible for a system
>to detect whether it has been chain-loaded from some other bootloader
>and then refuse to run if it detects this. The system only works off
>the officially sanctioned bootloader and this bootloader never boots
>anything else -- no more dual boot. Probably makes it harder to use
>MS libraries in wine, also might kill Xen, VMware and all those handy
>tools that give you a chance to make a few MS-Windows licenses go a
>long way...
>
>Does this give any better security than a well-known encryption algorithm
>(e.g. AES) plus a passphrase plus a key device (e.g. USB, etc)? No it
>doesn't, it is probably worse because if your motherboard chip dies
>you won't be able to recover your data on a different motherboard.
>That means you have to have an unencrypted backup which in turn becomes
>the weak point.

And from the BitLocker tech article on the MS website, it appears to
have a way of working in exactly the mode you describe.

Plus it's optional.

So, it's only going to be a problem if you choose to use Vista, and then
choose to enable Vista, and then choose to work in the TPM mode.

(And I'm not convinced you couldn't set up the TPM such that you say
you trust a particular chain loader configuration, and I'm sure if it
is possible, and people want this, then someone will make it easy to
do.)

Of course this could be seen as scary from a "what could they do next"
point of view. E.g.: to view some media you need to be running Vista
and need remote attestation that requires you to have TPM enabled
and then the remote party will only trust a Vista install. Now *that*
would be evil. But I think BitLocker itself is a way from that.

And of course we could implement the same stuff on Linux, to make it harder 
for people to use Vista with it. Muhahaha! ;)

Benno
-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
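
Added example, not part of the original thread and not BitLocker or TPM vendor code: a simplified Python model of the measured-boot sealing discussed above, showing why a chain-loaded boot fails to release a TPM-sealed key and how sealing to a trusted chain-loader configuration restores access. The class ToyTPM, the component byte strings and the use of SHA-256 with a set of accepted PCR values are assumptions of this model.

```python
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank; a PCR is all zeros at reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). Order-sensitive, one-way."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Measure each boot stage in the order it runs, starting from reset."""
    pcr = bytes(PCR_SIZE)
    for blob in components:
        pcr = extend(pcr, blob)
    return pcr


class ToyTPM:
    """Hypothetical model: a secret is released only for accepted PCR values."""

    def __init__(self):
        self._secret, self._allowed = None, frozenset()

    def seal(self, secret: bytes, allowed_pcrs) -> None:
        self._secret, self._allowed = secret, frozenset(allowed_pcrs)

    def unseal(self, current_pcr: bytes):
        return self._secret if current_pcr in self._allowed else None


# Constructed sample boot components (stand-ins for real binaries).
OFFICIAL = b"official bootloader image"
OS_LOADER = b"os loader image"
CHAINLOADER = b"third-party chain loader image"
SECRET = b"volume-key (constructed)"


def demo() -> dict:
    direct = measure_chain([OFFICIAL, OS_LOADER])
    chained = measure_chain([CHAINLOADER, OFFICIAL, OS_LOADER])
    tpm = ToyTPM()
    tpm.seal(SECRET, [direct])  # sealed to the sanctioned chain only
    out = {"direct": tpm.unseal(direct), "chained_before": tpm.unseal(chained)}
    out["reordered"] = tpm.unseal(measure_chain([OS_LOADER, OFFICIAL]))
    tpm.seal(SECRET, [direct, chained])  # owner also trusts the chain loader
    out["chained_after"] = tpm.unseal(chained)
    return out


if __name__ == "__main__":
    print({k: v is not None for k, v in demo().items()})
```
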
