[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: console access



On Thu, 29 Jan 1998, Schlomo Schapiro wrote:

> H,
> 
> > 
> > After installing the machine and Linux, open the box, and set up the
> > floppy drive to be floppy drive B:. BIOS can't boot from it that way.
> > Change the setup in the BIOS. You will still be able to mount floppys with
> > data. Then, close the box using special screws or purchase a computer
> > anti-theft kit and use it. Check out Office Depot, I think they have them.
> > This makes shure that noone can open the machine and change the setup
> > back.
> 
> Ever heard of the 'Swap floppy' option ? I use it for convenient cabling.
> Also, if you need floppy, get a floppy controller on the secondary address
> (like on AHA1542) so that BIOS won't know the floppy. And put the computer
> into a tresor.

Yes, I have, but it does NOT make the B: floppy bootable. If it does, then
get another mother board, because most don't let that happen.

> 
> > Just what do you mean by cracking the BIOS ? The BIOS password is secure
> > if the case cannot be opened to short the battery and do the other obvious
> > tricks.
> 
> The BIOS password is against office workers. There are enough programs to
> change the CMOS settings (INCLUING the password) and you can even flash
> another BIOS nowadays (like one to your liking)

Once it is clear that the user must first crack the system security (as he
cannot boot from the floppy, and cannot open the case, which is secured by
the computer security kit, without doing physical damage and a lot of
noise), he will have to get past Linux security first, by hacking, to
assume root privileges, which will allow him to tinker with IO ports,
which will allow him to change the BIOS settings. My question is, why
would someone want to change the BIOS settings, once he already has a way
to be root ?! 

>  
> > On the other hand, if you have a set of determined opponents with the
> > right tools, then they will perhaps anonymously email you a copy of the
> > /root directory and all the passwords on the system in clear, just for
> > laughs. It is possible that they will decide not to return the hardware,
> > though. It has happened before, apparently.
> 
> Yes, it's just too easy once you can touch the computer - even with those
> anti-thief-systems (How do you suppose computer technicians solve those
> problems ! :-) )
> 
> Again, physical access is all !!!
> 

We are not trying to replicate the Bank of England's safes, or Fort Knox.
This is supposedly a machine set up in a classroom or lab in a building
full of people, and we shall not assume that someone will crack it with
bellicous intentions. The computer security kit seals the case and the
other components of the system to a table or heater (pipe etc), such that
it is not possible to move it or open the case without a pair of garden
shears at least, and the more expensive ones have an alarm that goes off
if you try to do that.

A more appropriate case is the one used in Israeli banks, inside the
public teller office, where a computer and printer are inserted in a
wooden cabinet with doors, that is locked. Inside there is a computer
connected to a LAN, and a keyboard. Outside, a second keyboard (numerical
pad), where you punch in your PIN number. This is usually connected in
series with the normal keyboard cable. Plus the magnetic card wand (serial
I think) and the monitor. I suppose that one could locate the makers of
these tables and order one (the are made in Israel, I am sure of that). 

> Schlomo
> 
> PS: Espesially true for Novell Netware - the console is just like an
> invitation to enter and stay.

Novell Netware was not designed for use in Automatic Banking Machines or
other security-conscious uses.

The solution I gave has been used before, not with Linux though, in
schools where computers are set up in labs that are open most of the time. 
The computers were also provided with a filtered power circuit and a
separate fuse (but no UPS). 

Peter