Computer Security - Protecting the Operating System

09-24-2006, 08:10 PM

Hello,
I have just come to the conclusion that the only way to protect the machine
with free physical access to anauthorized personnel is... to encrypt it.
Unfortunately it seems that this can be done only the lonely by DriveCrypt
software which costs a lot. It's wonderful stuff indeed allowing to encrypt
the drive with authentication feature at the pre-boot level! The encryption
seems excellent AES-256 algotithm. It's only drawback (except for the price)
is that it doesn't see Linux partitions (not to mention that it doesn't run
on Linux)which makes them liable to potential attack. It looks like for now
only Windows operationg system may be securely locked unless you run Linux
as a VMware guest system on the DriveCrypted Windows host. I wonder what are
your experiences with respect to securing the stand alone box with
uncontrolled physical access, like at the University (my case).
P.S. Have just noticed free stuff called CompuSec PC Security Suite which
seems both Windows and Linux compatible though as compared to DriveCrypt it
uses weaker encrypting algorithm AES-128 and looks like is much slower. I
cannot wait to hear your comments.
Kindest regards,
--
Ricardo

Ricardo

09-25-2006, 12:58 PM

"Ricardo" <> wrote in message
news:c6eac$4516d82a$57cf8a7f$. ..
> Hello,
> I have just come to the conclusion that the only way to protect the
> machine
> with free physical access to anauthorized personnel is... to encrypt
> it.
> Unfortunately it seems that this can be done only the lonely by
> DriveCrypt
> software which costs a lot. It's wonderful stuff indeed allowing to
> encrypt
> the drive with authentication feature at the pre-boot level! The
> encryption
> seems excellent AES-256 algotithm. It's only drawback (except for
> the price)
> is that it doesn't see Linux partitions (not to mention that it
> doesn't run
> on Linux)which makes them liable to potential attack. It looks like
> for now
> only Windows operationg system may be securely locked unless you run
> Linux
> as a VMware guest system on the DriveCrypted Windows host. I wonder
> what are
> your experiences with respect to securing the stand alone box with
> uncontrolled physical access, like at the University (my case).
> P.S. Have just noticed free stuff called CompuSec PC Security Suite
> which
> seems both Windows and Linux compatible though as compared to
> DriveCrypt it
> uses weaker encrypting algorithm AES-128 and looks like is much
> slower. I
> cannot wait to hear your comments.
> Kindest regards,
> --
> Ricardo
>

Explain how encrypting your hard drive using an MBR bootstrap program
replacement will protect the OS and any files. It doesn't. The
purpose of boot-time encryption is to prevent someone from *stealing*
the information from the hard drive. Once you boot past the
encryption authentication, obviously the OS must be usable to the user
which means files can be written. Once you're in, you're in and can
modify the files. The purpose is not to let in a thief in the first
place.

09-25-2006, 02:07 PM

"Ricardo" <> wrote in
news:c6eac$4516d82a$57cf8a7f$:

> Hello,
> I have just come to the conclusion that the only way to protect the
> machine with free physical access to anauthorized personnel is... to
> encrypt it. Unfortunately it seems that this can be done only the
> lonely by DriveCrypt software which costs a lot. It's wonderful stuff
> indeed allowing to encrypt the drive with authentication feature at
> the pre-boot level! The encryption seems excellent AES-256 algotithm.
> It's only drawback (except for the price) is that it doesn't see Linux
> partitions (not to mention that it doesn't run on Linux)which makes
> them liable to potential attack. It looks like for now only Windows
> operationg system may be securely locked unless you run Linux as a
> VMware guest system on the DriveCrypted Windows host. I wonder what
> are your experiences with respect to securing the stand alone box with
> uncontrolled physical access, like at the University (my case).
> P.S. Have just noticed free stuff called CompuSec PC Security Suite
> which seems both Windows and Linux compatible though as compared to
> DriveCrypt it uses weaker encrypting algorithm AES-128 and looks like
> is much slower. I cannot wait to hear your comments.
> Kindest regards,

Free Compusec works fine and is not discenibly slower than any other full
HD OTFE encryption product (the hit from any of them is negligible on a
fast machine).

I wouldn't worry about AES-128, it's more than strong enough. In fact, it
is rare for a user to have a password/passphrase that comes anywhere close
to 128-bit equivalence - the password, not the encryption, is usually the
weakest link.

Regards,

09-25-2006, 04:07 PM

Ricardo,

There are a dozen or so full/whole disc encryption solutions available
with pre-boot authentication option. See the URL below for list:

http://www.full-disc-encryption.com/...ncryption.html

I use CompuSec. It is free and has support for Linux. It has pre-boot
authentication and has a builting credential manager. One thing that is
missing support for Trusted Platform Module (TPM). TPM can make the key
recovery possible and simplify single sign on.

You might also want to take a look at hardware based Full Disc
Encryption. There are few vendors that provide that. The above URL
lists a few. Hardware based FDE works regardless of the OS you are
using.

If you are using a notebook Ce-Infosys has PCMCIA card or Seagate
Technology will soon have FDE HDD for notebooks:
http://www.seagate.com/docs/pdf/mark...400_fde_bb.pdf

Also check out the Wikipedia article about Full Disc Encryption:
http://en.wikipedia.org/wiki/FDE
It talks about "Full disk encryption vs. file or directory encryption"

P.S. If you have any feedback about DriveCrypt, please do send it to
me. I am looking to buy that product as well.

Ricardo wrote:
> Hello,
> I have just come to the conclusion that the only way to protect the machine
> with free physical access to anauthorized personnel is... to encrypt it.
> Unfortunately it seems that this can be done only the lonely by DriveCrypt
> software which costs a lot. It's wonderful stuff indeed allowing to encrypt
> the drive with authentication feature at the pre-boot level! The encryption
> seems excellent AES-256 algotithm. It's only drawback (except for the price)
> is that it doesn't see Linux partitions (not to mention that it doesn't run
> on Linux)which makes them liable to potential attack. It looks like for now
> only Windows operationg system may be securely locked unless you run Linux
> as a VMware guest system on the DriveCrypted Windows host. I wonder what are
> your experiences with respect to securing the stand alone box with
> uncontrolled physical access, like at the University (my case).
> P.S. Have just noticed free stuff called CompuSec PC Security Suite which
> seems both Windows and Linux compatible though as compared to DriveCrypt it
> uses weaker encrypting algorithm AES-128 and looks like is much slower. I
> cannot wait to hear your comments.
> Kindest regards,
> --
> Ricardo

09-25-2006, 06:22 PM

Vanguard wrote:

> Explain how encrypting your hard drive using an MBR bootstrap program
> replacement will protect the OS and any files. It doesn't. The

Sure it does. By encrypting them.

> purpose of boot-time encryption is to prevent someone from *stealing*
> the information from the hard drive. Once you boot past the
> encryption authentication, obviously the OS must be usable to the user

Where in the poster's question did you see anything that would indicate
he was wanting to do anything else? In fact the notable mention of wide
open physical access more or less tells us he's trying to secure a
machine that might be stolen or tampered with while he's not around,
and the machine is off.

> which means files can be written. Once you're in, you're in and can
> modify the files. The purpose is not to let in a thief in the first
> place.

Yeah. That's the whole idea behind whole disk encryption. To keep
people with physical access from "getting in in the first place". And
it's the best protection there is in this scenario.

09-25-2006, 07:28 PM

U¿ytkownik "Ricardo" <> napisa³ w wiadomo¶ci
news:c6eac$4516d82a$57cf8a7f$. ..
> ...
Thank you guys so much for your comments. They will help a lot.
Kindest regards,
Ricardo

09-26-2006, 05:54 AM

"Anonyma" <anon-> wrote in message
news:...
> Vanguard wrote:
>
>> Explain how encrypting your hard drive using an MBR bootstrap
>> program
>> replacement will protect the OS and any files. It doesn't. The
>
> Sure it does. By encrypting them.
>
>> purpose of boot-time encryption is to prevent someone from
>> *stealing*
>> the information from the hard drive. Once you boot past the
>> encryption authentication, obviously the OS must be usable to the
>> user
>
> Where in the poster's question did you see anything that would
> indicate
> he was wanting to do anything else? In fact the notable mention of
> wide
> open physical access more or less tells us he's trying to secure a
> machine that might be stolen or tampered with while he's not around,
> and the machine is off.
>
>> which means files can be written. Once you're in, you're in and
>> can
>> modify the files. The purpose is not to let in a thief in the
>> first
>> place.
>
> Yeah. That's the whole idea behind whole disk encryption. To keep
> people with physical access from "getting in in the first place".
> And
> it's the best protection there is in this scenario.
>

The subject says the OP is trying to protect the operating system.
Excuse me, but why does the OP care since anyone can purchase or
obtain a copy of the OS? I read "free physical access to anauthorized
personnel" meaning the malcontents actually have *access* to the OS or
data files, not simply that they can manage to leave a fingerprint on
the case. The OP could use a BIOS password and padlock the case (to
protect the BIOS settings, and some laptops don't even need to protect
against physical entry) if that's all he wanted to do to restrict
physical access *inside* the box (and not preventing instrusion means
I can get around your encryption by altering the hardware inside by
letting it read the unencrypted data after the cold file system has
been decrypted after boot).

It doesn't sound like the OP was particularly concerned about losing
his laptop/desktop when travelling but protecting his *data* wherever
he happens to leave the computer lying around. Well, why couldn't
someone then load their own MBR bootstrap program that moves out the
original one (used for security)? That is, they simply chain the
original bootstrap program onto their own (by, perhaps, moving the
original MBR bootstrap program into the rest of the unused first
track). While the malware that runs under the OS can't get at the
bootstrap password to decrypt the hard drive, the replacement MBR
bootstrap can. If you want real security, you need to have it BEFORE
you or the BIOS even touch the hard drive (or any other drive or
storage device). Does CompuSec or DriveCrypt protect against the MBR
bootstrap area getting usurped (just like they usurped it) and getting
chained so the authentication used for decryption cannot be captured?
Obviously if physically access isn't restricted than something could
be installed inside the box that runs even before the MBR bootstrap
program gets loaded.

There is no point in protecting the OS from theft as it is readily
available elsewhere. There is no point in protecting the applications
(unless they are your projects). Both can be readily obtained
elsewhere than from your piddly laptop so encrypting them is just
stupid because it is a waste of performance. If the OP really means
that they want to hide their data by encrypting it, then TrueCrypt
would be sufficient, and it's free. Why incur the performance penalty
of decryption on the OS when its just the data files that need to be
protected? Plus you're not screwed over by the security product
usurping the MBR bootstrap program that perhaps you would like to use
for a multiboot manager. As I recall, Safeboot was the only one that
would chain the original MBR bootstrap program after it usurped that
spot while all the others simply step atop the MBR bootstrap area.

09-26-2006, 03:13 PM

Vanguard wrote:

> "Anonyma" <anon-> wrote in message
> news:...
> > Vanguard wrote:
> >
> >> Explain how encrypting your hard drive using an MBR bootstrap
> >> program
> >> replacement will protect the OS and any files. It doesn't. The
> >
> > Sure it does. By encrypting them.
> >
> >> purpose of boot-time encryption is to prevent someone from
> >> *stealing*
> >> the information from the hard drive. Once you boot past the
> >> encryption authentication, obviously the OS must be usable to the
> >> user
> >
> > Where in the poster's question did you see anything that would
> > indicate
> > he was wanting to do anything else? In fact the notable mention of
> > wide
> > open physical access more or less tells us he's trying to secure a
> > machine that might be stolen or tampered with while he's not around,
> > and the machine is off.
> >
> >> which means files can be written. Once you're in, you're in and
> >> can
> >> modify the files. The purpose is not to let in a thief in the
> >> first
> >> place.
> >
> > Yeah. That's the whole idea behind whole disk encryption. To keep
> > people with physical access from "getting in in the first place".
> > And
> > it's the best protection there is in this scenario.
> >
>
>
> The subject says the OP is trying to protect the operating system.
> Excuse me, but why does the OP care since anyone can purchase or
> obtain a copy of the OS?

Why would you believe "stealing" the operating system is the only
threat. Far more likely scenario is wanting to keep people from
tampering with the copy you have installed. A good way to do that is to
prevent anyone from accessing it when nobody is around. Make it
impossible to even boot the machine, or access the drive with the OS on
it. Whole disk encryption is the best way to do that.

> I read "free physical access to anauthorized
> personnel" meaning the malcontents actually have *access* to the OS or
> data files,

Then you're misreading things or assuming way too much. Physical access
means just that. They have the ability to lay hands on the equipment.
It doesn't mean a single thing about access to data, you're just
assuming the equipment is left on 24/7.

> It doesn't sound like the OP was particularly concerned about losing
> his laptop/desktop when travelling but protecting his *data* wherever

Yes. And encrypting it is the best way to do that outside a hardened
bunker and armed guards. In many ways it's more secure than even that.

> he happens to leave the computer lying around. Well, why couldn't
> someone then load their own MBR bootstrap program that moves out the
> original one (used for security)? That is, they simply chain the

Because the whole disk is encrypted. Replacing the MBR just makes the
whole drive inaccessible even *with* proper authentication.

Did you really believe that whole disk encryption could be circumvented
by swapping MBR's, or maybe booting from another device??

Wow...

09-26-2006, 03:52 PM

Anonyma wrote:

> Vanguard wrote:
>
>> Explain how encrypting your hard drive using an MBR bootstrap program
>> replacement will protect the OS and any files. It doesn't. The
>
> Sure it does. By encrypting them.

No, it doesn't. I can simply overwrite the hard drive with garbage and all
files are gone.

>> purpose of boot-time encryption is to prevent someone from *stealing*
>> the information from the hard drive. Once you boot past the
>> encryption authentication, obviously the OS must be usable to the user
>
> Where in the poster's question did you see anything that would indicate
> he was wanting to do anything else? In fact the notable mention of wide
> open physical access more or less tells us he's trying to secure a
> machine that might be stolen or tampered with while he's not around,
> and the machine is off.

A non-tamper-resistent machine is trivially tampered to reveal everything.
The simplest and most obvious method is to modify the bootloader to store
the entered key additionally to its normal functions - that's why you
should keep on a separate media. Then, ranging from modifying the BIOS
(pretty easy) to reading data directly from RAM (FireWire, PCI, PCMCIA) and
keyloggers (put between your keyboard and the keyboard connector) up to
directly updating the CPU's microcode, everything else will be successful.

>> which means files can be written. Once you're in, you're in and can
>> modify the files. The purpose is not to let in a thief in the first
>> place.
>
> Yeah. That's the whole idea behind whole disk encryption. To keep
> people with physical access from "getting in in the first place". And
> it's the best protection there is in this scenario.

Beside that, what exactly would someone try if the OS boots without
invention to a login screen where the password is unknown? I can't see how
someone should be able to write files at this point.

09-26-2006, 06:20 PM

Sebastian Gottschalk wrote:

> Anonyma wrote:
>
> > Vanguard wrote:
> >
> >> Explain how encrypting your hard drive using an MBR bootstrap program
> >> replacement will protect the OS and any files. It doesn't. The
> >
> > Sure it does. By encrypting them.
>
> No, it doesn't. I can simply overwrite the hard drive with garbage and all
> files are gone.

What a meaningless drizel of semantic idiocy... "a watermelon can't fly
an airplane so it's no good for painting your house...".

Oh, and you're replying to posters you've claimed to have killfiled
again ya' pathetic loser.

<rest snipped unread>

09-25-2006, 12:58 PM	#2
Vanguard Posts: n/a	Re: Protecting the Operating System "Ricardo" <> wrote in message news:c6eac$4516d82a$57cf8a7f$. .. > Hello, > I have just come to the conclusion that the only way to protect the > machine > with free physical access to anauthorized personnel is... to encrypt > it. > Unfortunately it seems that this can be done only the lonely by > DriveCrypt > software which costs a lot. It's wonderful stuff indeed allowing to > encrypt > the drive with authentication feature at the pre-boot level! The > encryption > seems excellent AES-256 algotithm. It's only drawback (except for > the price) > is that it doesn't see Linux partitions (not to mention that it > doesn't run > on Linux)which makes them liable to potential attack. It looks like > for now > only Windows operationg system may be securely locked unless you run > Linux > as a VMware guest system on the DriveCrypted Windows host. I wonder > what are > your experiences with respect to securing the stand alone box with > uncontrolled physical access, like at the University (my case). > P.S. Have just noticed free stuff called CompuSec PC Security Suite > which > seems both Windows and Linux compatible though as compared to > DriveCrypt it > uses weaker encrypting algorithm AES-128 and looks like is much > slower. I > cannot wait to hear your comments. > Kindest regards, > -- > Ricardo > Explain how encrypting your hard drive using an MBR bootstrap program replacement will protect the OS and any files. It doesn't. The purpose of boot-time encryption is to prevent someone from stealing the information from the hard drive. Once you boot past the encryption authentication, obviously the OS must be usable to the user which means files can be written. Once you're in, you're in and can modify the files. The purpose is not to let in a thief in the first place.

09-25-2006, 02:07 PM	#3
nemo_outis Posts: n/a	Re: Protecting the Operating System "Ricardo" <> wrote in news:c6eac$4516d82a$57cf8a7f$: > Hello, > I have just come to the conclusion that the only way to protect the > machine with free physical access to anauthorized personnel is... to > encrypt it. Unfortunately it seems that this can be done only the > lonely by DriveCrypt software which costs a lot. It's wonderful stuff > indeed allowing to encrypt the drive with authentication feature at > the pre-boot level! The encryption seems excellent AES-256 algotithm. > It's only drawback (except for the price) is that it doesn't see Linux > partitions (not to mention that it doesn't run on Linux)which makes > them liable to potential attack. It looks like for now only Windows > operationg system may be securely locked unless you run Linux as a > VMware guest system on the DriveCrypted Windows host. I wonder what > are your experiences with respect to securing the stand alone box with > uncontrolled physical access, like at the University (my case). > P.S. Have just noticed free stuff called CompuSec PC Security Suite > which seems both Windows and Linux compatible though as compared to > DriveCrypt it uses weaker encrypting algorithm AES-128 and looks like > is much slower. I cannot wait to hear your comments. > Kindest regards, Free Compusec works fine and is not discenibly slower than any other full HD OTFE encryption product (the hit from any of them is negligible on a fast machine). I wouldn't worry about AES-128, it's more than strong enough. In fact, it is rare for a user to have a password/passphrase that comes anywhere close to 128-bit equivalence - the password, not the encryption, is usually the weakest link. Regards,

09-25-2006, 04:07 PM	#4
Saqib Ali Posts: n/a	Re: Protecting the Operating System Ricardo, There are a dozen or so full/whole disc encryption solutions available with pre-boot authentication option. See the URL below for list: http://www.full-disc-encryption.com/...ncryption.html I use CompuSec. It is free and has support for Linux. It has pre-boot authentication and has a builting credential manager. One thing that is missing support for Trusted Platform Module (TPM). TPM can make the key recovery possible and simplify single sign on. You might also want to take a look at hardware based Full Disc Encryption. There are few vendors that provide that. The above URL lists a few. Hardware based FDE works regardless of the OS you are using. If you are using a notebook Ce-Infosys has PCMCIA card or Seagate Technology will soon have FDE HDD for notebooks: http://www.seagate.com/docs/pdf/mark...400_fde_bb.pdf Also check out the Wikipedia article about Full Disc Encryption: http://en.wikipedia.org/wiki/FDE It talks about "Full disk encryption vs. file or directory encryption" P.S. If you have any feedback about DriveCrypt, please do send it to me. I am looking to buy that product as well. Ricardo wrote: > Hello, > I have just come to the conclusion that the only way to protect the machine > with free physical access to anauthorized personnel is... to encrypt it. > Unfortunately it seems that this can be done only the lonely by DriveCrypt > software which costs a lot. It's wonderful stuff indeed allowing to encrypt > the drive with authentication feature at the pre-boot level! The encryption > seems excellent AES-256 algotithm. It's only drawback (except for the price) > is that it doesn't see Linux partitions (not to mention that it doesn't run > on Linux)which makes them liable to potential attack. It looks like for now > only Windows operationg system may be securely locked unless you run Linux > as a VMware guest system on the DriveCrypted Windows host. I wonder what are > your experiences with respect to securing the stand alone box with > uncontrolled physical access, like at the University (my case). > P.S. Have just noticed free stuff called CompuSec PC Security Suite which > seems both Windows and Linux compatible though as compared to DriveCrypt it > uses weaker encrypting algorithm AES-128 and looks like is much slower. I > cannot wait to hear your comments. > Kindest regards, > -- > Ricardo

09-25-2006, 06:22 PM	#5
Anonyma Posts: n/a	Re: Protecting the Operating System Vanguard wrote: > Explain how encrypting your hard drive using an MBR bootstrap program > replacement will protect the OS and any files. It doesn't. The Sure it does. By encrypting them. > purpose of boot-time encryption is to prevent someone from stealing > the information from the hard drive. Once you boot past the > encryption authentication, obviously the OS must be usable to the user Where in the poster's question did you see anything that would indicate he was wanting to do anything else? In fact the notable mention of wide open physical access more or less tells us he's trying to secure a machine that might be stolen or tampered with while he's not around, and the machine is off. > which means files can be written. Once you're in, you're in and can > modify the files. The purpose is not to let in a thief in the first > place. Yeah. That's the whole idea behind whole disk encryption. To keep people with physical access from "getting in in the first place". And it's the best protection there is in this scenario.

09-25-2006, 07:28 PM	#6
Ricardo Posts: n/a	Re: Protecting the Operating System U¿ytkownik "Ricardo" <> napisa³ w wiadomo¶ci news:c6eac$4516d82a$57cf8a7f$. .. > ... Thank you guys so much for your comments. They will help a lot. Kindest regards, Ricardo

09-24-2006, 08:10 PM	#1
	Protecting the Operating System Hello, I have just come to the conclusion that the only way to protect the machine with free physical access to anauthorized personnel is... to encrypt it. Unfortunately it seems that this can be done only the lonely by DriveCrypt software which costs a lot. It's wonderful stuff indeed allowing to encrypt the drive with authentication feature at the pre-boot level! The encryption seems excellent AES-256 algotithm. It's only drawback (except for the price) is that it doesn't see Linux partitions (not to mention that it doesn't run on Linux)which makes them liable to potential attack. It looks like for now only Windows operationg system may be securely locked unless you run Linux as a VMware guest system on the DriveCrypted Windows host. I wonder what are your experiences with respect to securing the stand alone box with uncontrolled physical access, like at the University (my case). P.S. Have just noticed free stuff called CompuSec PC Security Suite which seems both Windows and Linux compatible though as compared to DriveCrypt it uses weaker encrypting algorithm AES-128 and looks like is much slower. I cannot wait to hear your comments. Kindest regards, -- Ricardo Ricardo

09-26-2006, 05:54 AM	#7
Vanguard Posts: n/a	Re: Protecting the Operating System "Anonyma" <anon-> wrote in message news:... > Vanguard wrote: > >> Explain how encrypting your hard drive using an MBR bootstrap >> program >> replacement will protect the OS and any files. It doesn't. The > > Sure it does. By encrypting them. > >> purpose of boot-time encryption is to prevent someone from >> stealing >> the information from the hard drive. Once you boot past the >> encryption authentication, obviously the OS must be usable to the >> user > > Where in the poster's question did you see anything that would > indicate > he was wanting to do anything else? In fact the notable mention of > wide > open physical access more or less tells us he's trying to secure a > machine that might be stolen or tampered with while he's not around, > and the machine is off. > >> which means files can be written. Once you're in, you're in and >> can >> modify the files. The purpose is not to let in a thief in the >> first >> place. > > Yeah. That's the whole idea behind whole disk encryption. To keep > people with physical access from "getting in in the first place". > And > it's the best protection there is in this scenario. > The subject says the OP is trying to protect the operating system. Excuse me, but why does the OP care since anyone can purchase or obtain a copy of the OS? I read "free physical access to anauthorized personnel" meaning the malcontents actually have access to the OS or data files, not simply that they can manage to leave a fingerprint on the case. The OP could use a BIOS password and padlock the case (to protect the BIOS settings, and some laptops don't even need to protect against physical entry) if that's all he wanted to do to restrict physical access inside the box (and not preventing instrusion means I can get around your encryption by altering the hardware inside by letting it read the unencrypted data after the cold file system has been decrypted after boot). It doesn't sound like the OP was particularly concerned about losing his laptop/desktop when travelling but protecting his data wherever he happens to leave the computer lying around. Well, why couldn't someone then load their own MBR bootstrap program that moves out the original one (used for security)? That is, they simply chain the original bootstrap program onto their own (by, perhaps, moving the original MBR bootstrap program into the rest of the unused first track). While the malware that runs under the OS can't get at the bootstrap password to decrypt the hard drive, the replacement MBR bootstrap can. If you want real security, you need to have it BEFORE you or the BIOS even touch the hard drive (or any other drive or storage device). Does CompuSec or DriveCrypt protect against the MBR bootstrap area getting usurped (just like they usurped it) and getting chained so the authentication used for decryption cannot be captured? Obviously if physically access isn't restricted than something could be installed inside the box that runs even before the MBR bootstrap program gets loaded. There is no point in protecting the OS from theft as it is readily available elsewhere. There is no point in protecting the applications (unless they are your projects). Both can be readily obtained elsewhere than from your piddly laptop so encrypting them is just stupid because it is a waste of performance. If the OP really means that they want to hide their data by encrypting it, then TrueCrypt would be sufficient, and it's free. Why incur the performance penalty of decryption on the OS when its just the data files that need to be protected? Plus you're not screwed over by the security product usurping the MBR bootstrap program that perhaps you would like to use for a multiboot manager. As I recall, Safeboot was the only one that would chain the original MBR bootstrap program after it usurped that spot while all the others simply step atop the MBR bootstrap area.

09-26-2006, 03:13 PM	#8
TwistyCreek Posts: n/a	Re: Protecting the Operating System Vanguard wrote: > "Anonyma" <anon-> wrote in message > news:... > > Vanguard wrote: > > > >> Explain how encrypting your hard drive using an MBR bootstrap > >> program > >> replacement will protect the OS and any files. It doesn't. The > > > > Sure it does. By encrypting them. > > > >> purpose of boot-time encryption is to prevent someone from > >> stealing > >> the information from the hard drive. Once you boot past the > >> encryption authentication, obviously the OS must be usable to the > >> user > > > > Where in the poster's question did you see anything that would > > indicate > > he was wanting to do anything else? In fact the notable mention of > > wide > > open physical access more or less tells us he's trying to secure a > > machine that might be stolen or tampered with while he's not around, > > and the machine is off. > > > >> which means files can be written. Once you're in, you're in and > >> can > >> modify the files. The purpose is not to let in a thief in the > >> first > >> place. > > > > Yeah. That's the whole idea behind whole disk encryption. To keep > > people with physical access from "getting in in the first place". > > And > > it's the best protection there is in this scenario. > > > > > The subject says the OP is trying to protect the operating system. > Excuse me, but why does the OP care since anyone can purchase or > obtain a copy of the OS? Why would you believe "stealing" the operating system is the only threat. Far more likely scenario is wanting to keep people from tampering with the copy you have installed. A good way to do that is to prevent anyone from accessing it when nobody is around. Make it impossible to even boot the machine, or access the drive with the OS on it. Whole disk encryption is the best way to do that. > I read "free physical access to anauthorized > personnel" meaning the malcontents actually have access to the OS or > data files, Then you're misreading things or assuming way too much. Physical access means just that. They have the ability to lay hands on the equipment. It doesn't mean a single thing about access to data, you're just assuming the equipment is left on 24/7. > It doesn't sound like the OP was particularly concerned about losing > his laptop/desktop when travelling but protecting his data wherever Yes. And encrypting it is the best way to do that outside a hardened bunker and armed guards. In many ways it's more secure than even that. > he happens to leave the computer lying around. Well, why couldn't > someone then load their own MBR bootstrap program that moves out the > original one (used for security)? That is, they simply chain the Because the whole disk is encrypted. Replacing the MBR just makes the whole drive inaccessible even with proper authentication. Did you really believe that whole disk encryption could be circumvented by swapping MBR's, or maybe booting from another device?? Wow...

09-26-2006, 03:52 PM	#9
Sebastian Gottschalk Posts: n/a	Re: Protecting the Operating System Anonyma wrote: > Vanguard wrote: > >> Explain how encrypting your hard drive using an MBR bootstrap program >> replacement will protect the OS and any files. It doesn't. The > > Sure it does. By encrypting them. No, it doesn't. I can simply overwrite the hard drive with garbage and all files are gone. >> purpose of boot-time encryption is to prevent someone from stealing >> the information from the hard drive. Once you boot past the >> encryption authentication, obviously the OS must be usable to the user > > Where in the poster's question did you see anything that would indicate > he was wanting to do anything else? In fact the notable mention of wide > open physical access more or less tells us he's trying to secure a > machine that might be stolen or tampered with while he's not around, > and the machine is off. A non-tamper-resistent machine is trivially tampered to reveal everything. The simplest and most obvious method is to modify the bootloader to store the entered key additionally to its normal functions - that's why you should keep on a separate media. Then, ranging from modifying the BIOS (pretty easy) to reading data directly from RAM (FireWire, PCI, PCMCIA) and keyloggers (put between your keyboard and the keyboard connector) up to directly updating the CPU's microcode, everything else will be successful. >> which means files can be written. Once you're in, you're in and can >> modify the files. The purpose is not to let in a thief in the first >> place. > > Yeah. That's the whole idea behind whole disk encryption. To keep > people with physical access from "getting in in the first place". And > it's the best protection there is in this scenario. Beside that, what exactly would someone try if the OS boots without invention to a login screen where the password is unknown? I can't see how someone should be able to write files at this point.

09-26-2006, 06:20 PM	#10
Nomen Nescio Posts: n/a	Re: Protecting the Operating System Sebastian Gottschalk wrote: > Anonyma wrote: > > > Vanguard wrote: > > > >> Explain how encrypting your hard drive using an MBR bootstrap program > >> replacement will protect the OS and any files. It doesn't. The > > > > Sure it does. By encrypting them. > > No, it doesn't. I can simply overwrite the hard drive with garbage and all > files are gone. What a meaningless drizel of semantic idiocy... "a watermelon can't fly an airplane so it's no good for painting your house...". Oh, and you're replying to posters you've claimed to have killfiled again ya' pathetic loser. <rest snipped unread>

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search