[techtalk] Re: techtalk digest, Vol 1 #447 - 11 msgs

James Sutherland jas88 at cam.ac.uk
Wed May 16 08:43:42 EST 2001


On Tue, 15 May 2001, Curious wrote:

> In classical security thought.. once someone has physical access to a
> box (router, workstation, etc) they are assumed to "own" the box.. and
> in most cases this is quite true.. so physical security, policy.. grr
> ARRRGGHH.. must stop security babble! okok.. moving on..
> Additional steps (keeping additional switches from being used in lilo):
> - add password=<insert password here> to lilo
>   add restricted keyword if you only want to use the password to send
>   additional options

For that to be effective, you *MUST* also have a BIOS password set, and
the BIOS configured ONLY to boot from the HDD (if you have a floppy or CD
drive fitted): otherwise, a malicious user can just bring along his/her
own OS and boot with that - game over...

Then you need to secure the box physically (padlocks/alarms) - otherwise
the user can just open the lid, short the CMOS Reset jumper, and then do a
floppy boot as before...


Or just accept that it's much better to lock the box away somewhere
secure, and focus on securing NETWORK access like most Linux users!


James.
-- 
"Our attitude with TCP/IP is, `Hey, we'll do it, but don't make a big
system, because we can't fix it if it breaks -- nobody can.'"

"TCP/IP is OK if you've got a little informal club, and it doesn't make
any difference if it takes a while to fix it."
		-- Ken Olson, in Digital News, 1988
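
An added example, not part of the original message: a small audit of a lilo.conf for the `password` and `restricted` settings discussed above, reporting which boot entries accept extra options without a password. The sample file, its labels and the CHANGEME value are constructed, and the permission check assumes the password is stored in plain text in the file.

```python
import stat

# Constructed sample lilo.conf (not from the original message).
SAMPLE = """\
boot=/dev/hda
prompt
timeout=50
image=/boot/vmlinuz
    label=linux
    password=CHANGEME   # placeholder value
    restricted
image=/boot/vmlinuz.old
    label=rescue
    password=CHANGEME
other=/dev/hda2
    label=dos
"""

def parse_lilo_conf(text):
    """Return (global options, list of per-entry option dicts)."""
    global_opts, sections, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()    # drop comments
        if not line:
            continue
        key, _, value = (p.strip() for p in line.partition("="))
        if key.lower() in ("image", "other"):  # starts a new boot entry
            current = {"label": value}         # path is the name until label= is seen
            sections.append(current)
        else:                                  # bare flags get value ""
            (global_opts if current is None else current)[key.lower()] = value
    return global_opts, sections

def audit_lilo_conf(text, file_mode):
    """Report password coverage per boot entry plus file-permission exposure."""
    global_opts, sections = parse_lilo_conf(text)
    findings = []
    for sec in sections:
        opts = {**global_opts, **sec}          # per-entry settings override global
        name = opts["label"]
        if "password" not in opts:
            findings.append(f"{name}: no password, extra boot options accepted")
        elif "restricted" in opts:
            findings.append(f"{name}: password only for extra boot options")
        else:
            findings.append(f"{name}: password for every boot")
    has_pw = "password" in global_opts or any("password" in s for s in sections)
    if has_pw and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file: plaintext password exposed to group/other (chmod 600)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_lilo_conf(SAMPLE, 0o644)))
```

This only looks at lilo.conf; the BIOS password, boot order and physical access to the case described in the reply are outside what it can check.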
