Announcement

Collapse
No announcement yet.

Offtopic (split from ...data offline from live CD)

Collapse
This topic is closed.
X
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    Offtopic (split from ...data offline from live CD)

    How about if you disable user reboot and shutdown? Then you could replace the power button with a key switch.

    Please Read Me

    #2
    Attack: enter sudo reboot in a console window
    Defense: disallow sudo and su

    Attack: Remove and re-insert the power cord
    Defense: Tamper-resistant power cabling (no socket in back of PC, no socket in wall)

    Attack: Use Alt+SysRq+R+S+E+I+U+B to reboot the computer without needing to be root
    Defense: Put echo 0 > /proc/sys/kernel/sysrq in /etc/rc.local to disable Magic SysRq keys

    and so on
    aanndd ssoo oonn
    aaaannnndddd ssssoooo oooonnnn

    Comment


      #3
      Well the first one (sudo) just a good password and not being in the sudo users group would prevent that. Besides, you could block Konsole and re-direct crtl-alt-fX or close the ttys.

      I'm going to drag this out until your head explodes...



      Please Read Me

      Comment


        #4
        Attack: Attach a FireWire device (if the computer has a port) -- unlike USB, FireWire does direct memory access and can take control of the hardware
        Defense: Disable FireWire in firmware settings or blacklist the kernel module

        Attack: Press Alt+F2 and enter dbus-send --system --print-reply --dest=org.freedesktop.ConsoleKit /org/freedesktop/ConsoleKit/Manager org.freedesktop.ConsoleKit.Manager.Restart
        Defense: Disable KRunner, or the ability to (1) run commands and (2) change the KRunner configuration

        We could keep going

        The overarching point is this: if you have to work so hard to cover all the myriad ways people will try to circumvent your policies, then maybe you've hired the wrong people. If you're so worried that someone will install an alternate operating system, you should stop thinking about your employees as adversaries and instead find out if they're missing criticial tools necessary to do their jobs.
        Last edited by SteveRiley; May 31, 2014, 06:22 PM.

        Comment


          #5
          Originally posted by SteveRiley View Post
          The overarching point is this: if you have to work so hard to cover all the myriad ways people will try to circumvent your policies, then maybe you've hired the wrong people. If you're so worried that someone will install an alternate operating system, you should stop thinking about your employees as adversaries and instead find out if they're missing criticial tools necessary to do their jobs.
          Preach!

          Please Read Me

          Comment


            #6
            I will try to be serious about this, here is my real life solution. Don't boot from the HD, boot from USB or CD. The HD is just used for file storage. If your OS is on CD, it would remain untouched 100%. USB would be read/write, but in most cases these media will boot slower than a HD. If I were in fear of someone replacing the OS, the best option would be to keep the OS on your person. The PC drive could not boot without a boot sector.

            I am no expert but it seems like a simplistic solution to just pop in a CD or USB and boot the machine.

            Comment


              #7
              If one really and truely wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.
              Windows no longer obstructs my view.
              Using Kubuntu Linux since March 23, 2007.
              "It is a capital mistake to theorize before one has data." - Sherlock Holmes

              Comment


                #8
                Originally posted by Snowhog View Post
                If one really and truely wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.
                Yep, that's about the only way to accomplish the goals, but the tradeoff is a severe reduction in utility. No offline work can be done, for example.

                Originally posted by Simon View Post
                I will try to be serious about this, here is my real life solution. Don't boot from the HD, boot from USB or CD. The HD is just used for file storage. If your OS is on CD, it would remain untouched 100%. USB would be read/write, but in most cases these media will boot slower than a HD. If I were in fear of someone replacing the OS, the best option would be to keep the OS on your person. The PC drive could not boot without a boot sector.
                But this alone won't prevent someone from shrinking the partitions on the computer's hard drive and installing an operating system on it.

                There are really only two solutions here:
                1. Remote desktop, as Snowhog writes.
                2. Hardware-based attestation and root-of-trust using a TPM, as I described in post #14.

                Comment


                  #9
                  So it boils down to what you said Steve, you need some avenue of trust with your employees. I am glad Frank and I run a relaxed working atmosphere at the clinic. We don't bark at our staff for playing games at work. For example, Cindy is working the front desk and I can see that between patients she is on Facebook or playing a game. I really could care less as long as it relaxes her and she can get her work done. I really don't need a crab ass greeting people at the front. lol

                  I would never expect anyone to work in an environment that cannot trust each other to do their job. At lunch we usually stay in and order takeout, so a lot of us like to jump on a game. I hit Kongregate or something like that at lunch. BTW I almost forgot. We are running Linux in the office now, Frank and I set all the office PCs up to use it. A few people came in last month and was thinking they would have to relearn. But we have everything set up and no complaints. Best of all, zero downtime so far. However I lost out on installing Kubuntu, Frank convinced me that Debian with the Gnome GUI (I think) is more Windows user friendly to assimilate. But you guys know I am still loyal to my Kubuntu as my employees and coworkers are loyal to me.

                  Comment


                    #10
                    GNOME Shell (in GNOME 3.x) is about as opposite from Windows as you can imagine. Are you sure the DE that Frank picked is that one? The older GNOME 2.x is sort of Windowsish, but it is no longer under maintenance.

                    TBH, if the goal is to replicate a Windows experience, KDE is the best choice.

                    Oh, and hello from AA 2411 at 39,000 feet, enroute DFW to SFO! Yes, I'm posting this purely because I can Ain't technology grand?

                    Last edited by SteveRiley; Jun 06, 2014, 10:27 PM.

                    Comment


                      #11
                      I can't see you. Open the door and "wave".
                      Windows no longer obstructs my view.
                      Using Kubuntu Linux since March 23, 2007.
                      "It is a capital mistake to theorize before one has data." - Sherlock Holmes

                      Comment


                        #12
                        When I did that, my gin tonic flew out the door! Such a waste.

                        Comment


                          #13
                          I am getting ready to head for work, but here is the info Frank gave me.

                          Linux Debian 6.0.9
                          Kernel 2.6.32-5-686
                          Gnome 2.30.2

                          Now before you go telling me we could do better, I doubt even one machine in the office has a dual core or more. In fact, I seem to recall the best machine we got donated to us was an Intel 32 2Ghz with 1GB or so of RAM. But it is not like we spent any of our funding on this, the university gave us bonus points for that small feat alone. Frank and I feel this is a victory. It works and that is what really matters eh? Money well not spent.

                          Comment


                            #14
                            Hi again! It's sooooo coooold up here.

                            Last edited by SteveRiley; Jun 06, 2014, 10:28 PM.

                            Comment


                              #15
                              Originally posted by Snowhog View Post
                              If one really and truely wanted to protect against the cases the OP has defined, and the business is open to the idea (and possible added expense), install the desired OS, configured just the way they want, to a server and replace all the PCs with client terminals and monitors. No USB ports. No HDDs. No floppy, CD/DVD drives. No Firewire ports.
                              Forgive me, I'm having an imagination failure. Probably because I wasn't around in the old school days

                              What exactly is a client terminal & monitor? I'd imagined them as really low powered PCs that can SSH to the server, but based on your description that can't be right! What's the physical connection between it and the server?
                              samhobbs.co.uk

                              Comment

                              Working...
                              X