«

"nemo_outis" <> wrote in
news:Xns9DBE8189F9EBFpqwertyu@69.16.185.247:

Incidentally, I should point out how useful standard tamper-
indicating devices such as tape, stickers, and ties are in
enhancing one's physical security. Relatively cheap too (You
needn't crack $100 even for a goodly supply of high-quality
seals, ties, etc. and you may get away with as low as $20.)

For instance, using numbered tape/sticker seals on the bottom
"hatches" of one's laptop can be used to ensure no one has
opened the case and, for instance, inserted a hardware
keylogger. (Ditto for desktop cases including their front
drive panels, etc., keyboards, printers, scanners, xerox
machines, etc.)

Or a security latching plastic tie can be used to ensure that
the side panels cannot be opened surreptiously on a desktop or
even wrapped around a laptop to ensure the clamshell case
can't be opened without detection (Even good ties are cheap
enough to be used regularly and then cut & discarded before
each use.)

If you go this route, here are several cautions:

1) There is enormous variation in quality in the stickers,
tape, and ties from different security companies. Some are
very good, but many (far too many!) are worthless (or worse
than useless if they instil a false sense of confidence). Tags
MUST have unique serial numbers - generic unnumbered tags are
worthless, even if tamper-indicating.

2) The stickers, etc. by themselves are useless if you do not
have the self-discipline to adhere to a rigorous protocol for
checking them regularly (I suggest before EVERY session.)
That means checking the tag number, not just its integrity,
lest a resourceful adversary have acquired a batch from the
same manufacturer and replaced your tags with look-alikes.

3) Even the best of these stickers can be defeated - they are
not a panacea.

4) It is best if you keep your supplies of such tape,
stickers, etc. secure so that no one steals any of them
(although even this is not crucial if - as you should - you
actually monitor the *numbers* printed on the seals you use
and not their mere presence.)

With regard to my first and third points above, the ultimate
experts in the area of security seals and such are the folks
at Los Alamos National Laboratory. It is very worthwhile
googling the wealth of information from this source, including
their cautionary tales of how easy it is to circumvent many
such seals, etc.

One security aspect that is sometimes overlooked is
*authentication* of your hardware. For instance, one common
way of quickly installing a hardware keylogger is to "swap"
your desktop keyboard for one of the same brand with a
keylogger already installed (most commonly in
work/university/etc. environments with many similar machines -
typically by a coworker).

In response to this risk you can make a point of regularly
chcking the serial numbers but not all devices have them. Or
instead you can use the number of an affixed security seal.

One very good "poor man's seal/ID" is a torn piece from a 1-
dollar bill containing the serial number affixed to whatever
is to be authenticated (but see my Los Alamos remarks above
regarding glue). A bitch to counterfeit including the "tear
details" so they match the other half you keep in your wallet.
While I don't use this technique on any of my computers, I do
use it on a DVD that is my "known-good" source for various
info including Truecrypt recovery headers, etc.

Another "poor man's security seal" that is extremely difficult
to counter is my "epoxy and sprinkles" one.

As a semi-permanent seal one puts a blob of clear two-part
epoxy spanning the door, etc. that is to be monitored. But
while mixing the epoxy you stir in a goodly number of small
colored sprinkles (about poppyseed size). I found some
plastic ones that were perfect at a one-dollar store (I
wouldn't recommend using the edible kind but maybe they would
work

It is best if the epoxy/sprinkles blob is thick enough that
there is a 3-dimensional pattern of sprinkles rather than just
a 2-dimensional one, but even a two-dimensional pattern will
be extraordinarily difficult for an adversary to replicate.
Take a (macro) photo of the blob from two different angles (to
capture the 3-dimensional aspect) and regularly compare the
photos with the epoxy "seal" to detect if there has been any
tampering. (There are some paranoiac subtleties that can be
used to prevent the blob being removed intact and then
replaced afterwards, but I'll pass over such refinements at
present. Again, see Los Alamos for such risks and their
counters.)

Regards,

VanguardLH <> wrote in
news:i2f7la$la1$:


I may have misjudged you - you appear to be a well-meaning fool
rather than a trolling fool. Your stupidity was so grotesque
that I assumed it could only by feigned rather than genuine.
But it now seems you may indeed be that stupid. My condolences
on your condition.

My post was about tamper-indication. Not tamper-prevention and
not tamper-punishment. And, overlooking how stupid folks like
you can actually be, I also omitted explaining that tamper
indication, while a valuable part of physical security, is not
the whole of it.

Of course, you are free to post your opinions in this newsgroup.
Feel free to expose your ignorance and stupidity and make a fool
of yourself. Just don't expect anyone to take you seriously.

You make a lengthy post only to describe that you see little
value in tamper-indication and don't understand how to use it.
Thank you for confirming your thick-wittednes and lack of
insight. However, your remarks are not an indictment of the
utility of tamper-indication but rather of your own lack of
mother-wit.

Regards,

nemo_outis wrote:

> VanguardLH <> wrote in
> news:i2f7la$la1$:
>
> I may have misjudged you - you appear to be a well-meaning fool
> rather than a trolling fool. Your stupidity was so grotesque
> that I assumed it could only by feigned rather than genuine.
> But it now seems you may indeed be that stupid. My condolences
> on your condition.
>
> My post was about tamper-indication. Not tamper-prevention and
> not tamper-punishment. And, overlooking how stupid folks like
> you can actually be, I also omitted explaining that tamper
> indication, while a valuable part of physical security, is not
> the whole of it.
>
> Of course, you are free to post your opinions in this newsgroup.
> Feel free to expose your ignorance and stupidity and make a fool
> of yourself. Just don't expect anyone to take you seriously.
>
> You make a lengthy post only to describe that you see little
> value in tamper-indication and don't understand how to use it.
> Thank you for confirming your thick-wittednes and lack of
> insight. However, your remarks are not an indictment of the
> utility of tamper-indication but rather of your own lack of
> mother-wit.
>
> Regards,

By your response we can see just how little weight we should grant to
your opinion. You thought that response helped your position?

Bye bye.

za kAT <> wrote in
news::

Another buzzing gnat. Swat!

Swat!

Swat!

On Sat, 24 Jul 2010 23:31:59 GMT
"nemo_outis" <> wrote:

> Swat!

That, sir was an argument worthy of consideration, and I have to admit, you
completely won me over to your side of the debate with it.

Or not.

Seriously though, enjoy your little tamper-indication measure, and we all thank
you for informing and enlightening those of us (not me) who may think it might
be useful. Calling people fools won't accomplish anything, it will only make
you look like a troll.

--
n.

<> wrote in
news::

> On Sat, 24 Jul 2010 23:31:59 GMT
> "nemo_outis" <> wrote:
>
>> Swat!
>
> That, sir was an argument worthy of consideration, and I
> have to admit, you completely won me over to your side of
> the debate with it.
>
> Or not.
>
> Seriously though, enjoy your little tamper-indication
> measure, and we all thank you for informing and
> enlightening those of us (not me) who may think it might
> be useful. Calling people fools won't accomplish anything,
> it will only make you look like a troll.


As you may have already gathered, I do not suffer fools
gladly.

Nor do I use pleasant euphemisms to sugarcoat reality - I call
fools what they are: fools. When they simply repeat their
arrant nonsense I dismiss them summarily with a Swat!

I am a nasty prick. But I am not a stupid nasty prick. To
the contrary, I am a very clever, very knowledgeable nasty
prick.

You do not have to like me to learn from me. (1)

Regards,

(1) Or you can choose not to. Either way I don't give a ****.

Swat!

"iggster" <> wrote in message
news:bv8qh7-...

[...]

> No need to reply. I am fine with you having the last word.

D