A SMART Tamper Indicator

Discussion in 'Computer Security' started by nemo_outis, Jul 23, 2010.

  1. nemo_outis

    nemo_outis Guest

    It can be useful to know if someone has attempted to
    compromise your security by firing up your computer when, for
    whatever reason, you have left it shut down but
    surreptitiously accessible (e.g., a laptop left with hotel
    security, your desktop in work after you go home for the day,
    etc.). This applies even if you use Truecrypt and even if you
    use whole-disk encryption (e.g., someone may fire up your
    computer and attempt to guess the password, or boot from a
    LiveCD/USB and image the disk, or try an "evil maid"
    compromise of the HD boot sector, etc.).

    SMART is the acronym for the diagnostic and monitoring
    metadata system that is built into all modern hard drives.
    This metadata can only be read by a user but cannot be
    manipulated or changed by one. Write access to SMART metadata
    is only possible using proprietary manufacturers' routines
    which are not available generally.

    Normally SMART metadata is used to monitor the status and
    health of a drive and any progressive degradation such as
    relocated sectors, failure to spin up, etc. Such information
    may be used by users predictively to retire a drive before
    incipient failure, or by manufacturers to determine if the
    drive was misused (e.g., excessive maximum temperature) and
    therefore warranties are void, etc.

    However, I use SMART for an entirely unrelated purpose: as a
    free, yet very powerful, tamper-indicating mechanism that is
    inherently available on any modern computer.

    Several SMART parameters are extremely useful as indicators of
    whether a computer has been fired up surreptitiously and for
    how long, such as start/stop count, drive power cycle count,
    and power-on time count. Recording these values at the end of
    a session and comparing them with the values at the beginning
    of your next session can tell you if someone has fired up your
    computer in the meantime and for how long. (The granularity of
    "how long" depends on the HD manufacturer - some use hours,
    others minutes or even seconds.)

    Moreover, because the metadata cannot be easily modified (and
    use of SMART for quasi-forensic purposes has not been widely
    recognized) this tamper-indicating mechanism will work against
    even moderately sophisticated adversaries (e.g., sysadmins,
    local LEAs, etc.). It is not likely to succeed against major
    TLAs such as NSA, MI5, Mossad, etc. But it's free and easy, so
    what the hey :)

    You can do all the "bookkeeping" manually (e.g., using a paper
    notebook to record spinup count just before shutdown, etc.)
    but this is a tad clumsy and tedious. I suggest you automate
    the process using one of the many SMART programs coupled with
    automatic shutdown and startup scripts. For instance, a
    shutdown script could write the spinup count, etc. to a file
    on a USB stick which you take with you on computer shutdown
    and then reinsert the next time you fire up. If the spinup
    count has only incremented by one the next time you use the
    computer, all is well and good. But if the spinup count has
    incremented by more than one the script could alert you and
    you could then take the necessary steps to preserve/restore
    your security or implement other appropriate action.

    Regards,
     
    nemo_outis, Jul 23, 2010
    #1
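The record-at-shutdown, compare-at-startup bookkeeping described in this post, as an added example that is not part of the original thread. It assumes smartmontools' `smartctl -A` as the SMART reader; the function names, the one-unit power-on tolerance and the sample attribute tables are constructed for illustration.

```python
import json
import re
import subprocess

# smartctl attribute IDs for the counters the post names.
COUNTERS = {4: "Start_Stop_Count", 12: "Power_Cycle_Count"}
POWER_ON = {9: "Power_On_Hours"}


def parse_attributes(text):
    """Extract raw values of the watched attributes from `smartctl -A` output."""
    watched = {**COUNTERS, **POWER_ON}
    values = {}
    for line in text.splitlines():
        fields = line.split()
        # Attribute rows have 10+ columns and start with the numeric ID.
        if len(fields) < 10 or not fields[0].isdigit():
            continue
        attr_id = int(fields[0])
        # Raw values may read "4410" or "4410h+12m+03.1s"; keep the leading integer.
        lead = re.match(r"\d+", fields[9])
        if attr_id in watched and lead:
            values[attr_id] = int(lead.group())
    return values


def read_drive(device):
    """Read the live counters with smartctl; usually needs root."""
    result = subprocess.run(["smartctl", "-A", device],
                            capture_output=True, text=True)
    return parse_attributes(result.stdout)


def dump_snapshot(values):
    """Serialise a snapshot for the file kept on the USB stick."""
    return json.dumps({str(k): v for k, v in values.items()}, sort_keys=True)


def load_snapshot(text):
    return {int(k): v for k, v in json.loads(text).items()}


def compare(saved, current, power_on_slack=1):
    """Return a list of findings; an empty list means nothing unexplained.

    saved   = snapshot written just before shutdown
    current = reading taken right after the owner's next power-up
    power_on_slack (assumption) allows the power-on counter to tick once
    between writing the snapshot and reading it back.
    """
    findings = []
    for attr_id, name in {**COUNTERS, **POWER_ON}.items():
        if attr_id not in saved or attr_id not in current:
            findings.append(f"{name}: attribute missing, cannot compare")
            continue
        delta = current[attr_id] - saved[attr_id]
        if delta < 0:
            # A counter that shrinks points at a different drive or a reset.
            findings.append(f"{name}: went backwards by {-delta}")
        elif attr_id in COUNTERS and delta > 1:
            # One increment is the owner's own power-up.
            findings.append(f"{name}: {delta - 1} power-up(s) not accounted for")
        elif attr_id in POWER_ON and delta > power_on_slack:
            findings.append(f"{name}: {delta} unit(s) of power-on time since shutdown")
    return findings


def sample(start_stop, hours, cycles):
    """Constructed text in the layout of `smartctl -A` (not from a real drive)."""
    row = "{:>3} {:<23} 0x0032   100   100   000    Old_age   Always       -       {}"
    return "\n".join([
        "ID# ATTRIBUTE_NAME          FLAG     VALUE WORST THRESH TYPE"
        "      UPDATED  WHEN_FAILED RAW_VALUE",
        row.format(4, "Start_Stop_Count", start_stop),
        row.format(5, "Reallocated_Sector_Ct", 0),
        row.format(9, "Power_On_Hours", hours),
        row.format(12, "Power_Cycle_Count", cycles),
    ])


if __name__ == "__main__":
    at_shutdown = parse_attributes(sample(812, 4410, 806))
    stick_file = dump_snapshot(at_shutdown)            # written to the USB stick
    at_startup = parse_attributes(sample(815, 4413, 809))
    for finding in compare(load_snapshot(stick_file), at_startup):
        print("ALERT:", finding)
```

On a real machine the shutdown script would store `dump_snapshot(read_drive(device))` on the stick and the startup script would pass the loaded snapshot and a fresh `read_drive(device)` to `compare`.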

  2. nemo_outis

    nemo_outis Guest

    "Mr.B1ack" <> wrote in news:4c49fdbf$-
    privat.org:

    > On Fri, 23 Jul 2010 19:44:03 GMT, nemo_outis wrote:
    >
    >> I suggest you automate
    >> the process using one of the many SMART programs...

    >
    > ...such as...?
    >


    I use Hard Disk Sentinel but there are many others.

    Regards,
     
    nemo_outis, Jul 24, 2010
    #2

  3. nemo_outis

    nemo_outis Guest

    iggster <> wrote in
    news::

    ....
    >> ... and you could then take the
    >> necessary steps to preserve/restore your security or
    >> implement other appropriate action.
    >>
    >> Regards,


    > What would you do with the information? Tell the "evil
    > maid" not to do that again?



    It is always difficult to know if folks are as stupid as they
    appear or if they are simply trolling.

    However, following the maxim "never attribute to malice that
    which can be adequately explained by stupidity" let me give some
    obvious examples:

    1) For instance, as a minimum, if you had been exposed to "evil
    maid" corruption of the boot track you would make sure to
    restore the original boot track thereby ensuring that your
    password/key could not be harvested.

    2) You might also take pains to catch the malefactor in the act
    of trying to "harvest" the results of the evil maid attack, and
    then take appropriate steps - where "appropriate steps" might
    span the range from tongue-lashing to murder.

    Need I also explain why water is wet?

    Regards,
     
    nemo_outis, Jul 24, 2010
    #3
  4. nemo_outis

    nemo_outis Guest

    iggster <> wrote in
    news::

    > Ye, it is difficult to know. Especially for those
    > preoccupied with writing pseudo-technical essays and
    > "educating" us. Oh and do not let me forget one more nobel
    > task of nemos of this world, fighting us the stupid trolls
    > who dare to hint that maybe, just maybe you're mis-placing
    > the emphasis. Lot's of tech detail for aimed at...?
    > Anyway, don't bother... Enjoy your eloquence.



    Educate you? After that incoherent rant? You can't even manage
    an insult without tripping over your own tongue.

    No, I won't try to educate a fool like you. I take to heart
    Heinlein's counsel, “Never try to teach a pig to sing; it wastes
    your time and it annoys the pig.”

    PLONK!
     
    nemo_outis, Jul 24, 2010
    #4
  5. On Sat, 24 Jul 2010 00:18:01 GMT, nemo_outis wrote:

    > It is always difficult to know if folks are as stupid as they
    > appear or if they are simply trolling.


    I know but we put up with you anyway. :)

    *lol*
    --
    http://tr.im/1f9u
     
    Ari Silverstein, Jul 24, 2010
    #5
  6. nemo_outis

    nemo_outis Guest

    Swat!
     
    nemo_outis, Jul 24, 2010
    #6
  7. nemo_outis

    VanguardLH Guest

    nemo_outis wrote:

    > It can be useful to know if someone has attempted to
    > compromise your security by firing up your computer when, for
    > whatever reason, you have left it shut down but
    > surreptitiously accessible (e.g., a laptop left with hotel
    > security, your desktop in work after you go home for the day,
    > etc.). This applies even if you use Truecrypt and even if you
    > use whole-disk encryption (e.g., someone may fire up your
    > computer and attempt to guess the password, or boot from a
    > LiveCD/USB and image the disk, or try an "evil maid"
    > compromise of the HD boot sector, etc.).
    >
    > SMART is the acronym for the diagnostic and monitoring
    > metadata system that is built into all modern hard drives.
    > This metadata can only be read by a user but cannot be
    > manipulated or changed by one. Write access to SMART metadata
    > is only possible using proprietary manufacturers' routines
    > which are not available generally.
    >
    > Normally SMART metadata is used to monitor the status and
    > health of a drive and any progressive degradation such as
    > relocated sectors, failure to spin up, etc. Such information
    > may be used by users predictively to retire a drive before
    > incipient failure, or by manufacturers to determine if the
    > drive was misused (e.g., excessive maximum temperature) and
    > therefore warranties are void, etc.
    >
    > However, I use SMART for an entirely unrelated purpose: as a
    > free, yet very powerful, tamper-indicating mechanism that is
    > inherently available on any modern computer.
    >
    > Several SMART parameters are extremely useful as indicators of
    > whether a computer has been fired up surreptitiously and for
    > how long, such as start/stop count, drive power cycle count,
    > and power-on time count. Recording these values at the end of
    > a session and comparing them with the values at the beginning
    > of your next session can tell you if someone has fired up your
    > computer in the meantime and for how long. (The granularity of
    > "how long" depends on the HD manufacturer - some use hours,
    > others minutes or even seconds.)
    >
    > Moreover, because the metadata cannot be easily modified (and
    > use of SMART for quasi-forensic purposes has not been widely
    > recognized) this tamper-indicating mechanism will work against
    > even moderately sophisticated adversaries (e.g., sysadmins,
    > local LEAs, etc.). It is not likely to succeed against major
    > TLAs such as NSA, MI5, Mossad, etc. But it's free and easy, so
    > what the hey :)
    >
    > You can do all the "bookkeeping" manually (e.g., using a paper
    > notebook to record spinup count just before shutdown, etc.)
    > but this is a tad clumsy and tedious. I suggest you automate
    > the process using one of the many SMART programs coupled with
    > automatic shutdown and startup scripts. For instance, a
    > shutdown script could write the spinup count, etc. to a file
    > on a USB stick which you take with you on computer shutdown
    > and then reinsert the next time you fire up. If the spinup
    > count has only incremented by one the next time you use the
    > computer, all is well and good. But if the spinup count has
    > incremented by more than one the script could alert you and
    > you could then take the necessary steps to preserve/restore
    > your security or implement other appropriate action.
    >
    > Regards,


    Knowing that your host has been used when it's been out of your physical
    awareness means you'll have to perform some retroactive protection or
    recovery but how would that stop someone from powering up your host
    again? Could be the cleaning crew knocked into the power button on your
    case as they were cleaning your desk.

    There are lots of surveillance measures possible. One would be to not
    power down your host but leave it powered up, logged in but locked with
    a screen saver (and make sure you use a BIOS password, too), and use a
    webcam to record just who might be trying to use your host without
    authorization. Just make sure the targeted host is networked so the
    webcam output can be sent to somewhere else to prevent the abuser from
    wiping the recording, wiping your disk, or simply walking off with your
    host and you losing the evidence.

    Just have a spinup count get incremented doesn't tell you why someone
    used your computer, if it was your boss at work, if hotel security, FBI,
    or other agent responding to a bomb threat, a coworker that considers
    your host as their property, especially if your host is actually your
    company's real property and not actually yours, or why it got powered
    up. I'd rather know WHO was trying to use my host (whether my real
    property or the host to which I was assigned by my company) so something
    could actually be done about the intruder.

    The increment of the spinup count would trigger you that your host got
    used but then what are you going to do? What would you do to add more
    security that you couldn't have added before? With that added security,
    how is that going to stop someone from hitting the Power button on your
    computer's case? Then with that added security, again, what are you
    going to do about the suspected invasion? And just what is your "proof"
    going to give you for leverage? If you came back to the hotel's desk to
    ask why your laptop got powered up while it was under their lock and key
    (or sitting in your room), do you think they really need to qualify or
    excuse themselves for possibly accidentally powering up your host? You
    think this spinup count would even be reasonable evidence in court?
    Would it be reasonable evidence anywhere that anyone you accuse would
    care a gnat's fart about your accusation?
     
    VanguardLH, Jul 24, 2010
    #7
  8. On Fri, 23 Jul 2010 19:44:03 GMT, nemo_outis wrote:

    > It can be useful to know if someone has attempted to
    > compromise your security by firing up your computer when, for
    > whatever reason, you have left it shut down but
    > surreptitiously accessible (e.g., a laptop left with hotel
    > security, your desktop in work after you go home for the day,
    > etc.). This applies even if you use Truecrypt and even if you
    > use whole-disk encryption (e.g., someone may fire up your
    > computer and attempt to guess the password, or boot from a
    > LiveCD/USB and image the disk, or try an "evil maid"
    > compromise of the HD boot sector, etc.).
    >
    > SMART is the acronym for the diagnostic and monitoring
    > metadata system that is built into all modern hard drives.
    > This metadata can only be read by a user but cannot be
    > manipulated or changed by one. Write access to SMART metadata
    > is only possible using proprietary manufacturers' routines
    > which are not available generally.
    >
    > Normally SMART metadata is used to monitor the status and
    > health of a drive and any progressive degradation such as
    > relocated sectors, failure to spin up, etc. Such information
    > may be used by users predictively to retire a drive before
    > incipient failure, or by manufacturers to determine if the
    > drive was misused (e.g., excessive maximum temperature) and
    > therefore warranties are void, etc.
    >
    > However, I use SMART for an entirely unrelated purpose: as a
    > free, yet very powerful, tamper-indicating mechanism that is
    > inherently available on any modern computer.
    >
    > Several SMART parameters are extremely useful as indicators of
    > whether a computer has been fired up surreptitiously and for
    > how long, such as start/stop count, drive power cycle count,
    > and power-on time count. Recording these values at the end of
    > a session and comparing them with the values at the beginning
    > of your next session can tell you if someone has fired up your
    > computer in the meantime and for how long. (The granularity of
    > "how long" depends on the HD manufacturer - some use hours,
    > others minutes or even seconds.)
    >
    > Moreover, because the metadata cannot be easily modified (and
    > use of SMART for quasi-forensic purposes has not been widely
    > recognized) this tamper-indicating mechanism will work against
    > even moderately sophisticated adversaries (e.g., sysadmins,
    > local LEAs, etc.). It is not likely to succeed against major
    > TLAs such as NSA, MI5, Mossad, etc. But it's free and easy, so
    > what the hey :)
    >
    > You can do all the "bookkeeping" manually (e.g., using a paper
    > notebook to record spinup count just before shutdown, etc.)
    > but this is a tad clumsy and tedious. I suggest you automate
    > the process using one of the many SMART programs coupled with
    > automatic shutdown and startup scripts. For instance, a
    > shutdown script could write the spinup count, etc. to a file
    > on a USB stick which you take with you on computer shutdown
    > and then reinsert the next time you fire up. If the spinup
    > count has only incremented by one the next time you use the
    > computer, all is well and good. But if the spinup count has
    > incremented by more than one the script could alert you and
    > you could then take the necessary steps to preserve/restore
    > your security or implement other appropriate action.
    >
    > Regards,


    What a complete waste of time, nemo, old boi. Such silliness.
    --
    Ari's Fun Times!
    http://tr.im/hrFG
    Motto: Run, rabbit, Run!
     
    Ari Silverstein, Jul 24, 2010
    #8
  9. nemo_outis

    nemo_outis Guest

    VanguardLH <> wrote in
    news:i2eika$ohn$:

    Let me get this straight: This is a forum on computer security
    and privacy and you are questioning the value of knowing
    whether someone has surreptitiously started your computer in
    your absence? Why are you here?


    > Knowing that your host has been used when it's been out of
    > your physical awareness means you'll have to perform some
    > retroactive protection or recovery but how would that stop
    > someone from powering up your host again? Could be the
    > cleaning crew knocked into the power button on your case as
    > they were cleaning your desk.


    Someone firing up one's computer between authorized user
    sessions could obviously arise in a large number of
    circumstances for any of a number of reasons, many malign, but
    some possibly not. (Moreover, in the first 45 years of my
    experience with computers I have yet to encounter one that was
    "accidentally" turned on - but perhaps my decades of
    experience are atypical.)

    Accordingly, what actions someone takes in a particular case
    when this happens may also vary enormously, from doing nothing
    whatsoever to possibly alerting the other members of one's al
    Qaeda cell and then fleeing into hiding.

    It depends on the circumstances.

    My SMART method has the advantage that it **alerts you** when
    such an intrusion event has happened thereby **enabling you to
    decide** what to do in light of it. Moreover, my method is
    inherently supported on virtually any computer on the planet,
    and is therefore very easy to implement even on an ad hoc
    basis.

    As for "retroactive protection," I have no idea what this
    entails - I haven't yet mastered time travel :)

    My method is especially useful if you use whole-disk
    encryption on your computer. Many attacks designed to
    compromise security of an encrypted computer require TWO
    accesses, such as Rutkowska's "evil maid" attack to which I
    alluded earlier. My SMART method alerts one to intervene
    before that second access, thereby completely foiling such
    types of attack.


    > There are lots of surveillance measures possible. One
    > would be to not power down your host but leave it powered
    > up, logged in but locked with a screen saver (and make sure
    > you use a BIOS password, too), and use a webcam to record
    > just who might be trying to use your host without
    > authorization. Just make sure the targeted host is
    > networked so the webcam output can be sent to somewhere
    > else to prevent the abuser from wiping the recording,
    > wiping your disk, or simply walking off with your host and
    > you losing the evidence.


    You can implement any number of other security measures either
    generally at all times or in response to an alert from my
    SMART method.

    It depends in large measure on what you are trying to
    accomplish, which could vary from safeguarding your data to
    running a honeypot to catch malfeasors.

    You must decide whether you are trying to protect the computer
    hardware, the data, yourself, or have some other objective.
    This will, in turn, depend on the significance of putative
    attacks in light of your particular risk and consequence
    analysis, and the resources available to you to counter or
    respond to them.

    As I said, it depends on the circumstances.

    My SMART method is cheap, easy, and effective - a valuable
    tool to have in one's security toolbox. It is not a panacea,
    however, and I warn you it is not sufficient, by itself, to
    achieve World Peace.


    > Just have a spinup count get incremented doesn't tell you
    > why someone used your computer...


    Just having your home alarm go off doesn't tell you why
    someone has broken into your house in your absence. But many
    folks nonetheless believe it worthwhile having a home alarm to
    alert them of such events.

    I wonder why?


    > ...if it was your boss at
    > work, if hotel security, FBI, or other agent responding to
    > a bomb threat, a coworker that considers your host as their
    > property, especially if your host is actually your
    > company's real property and not actually yours, or why it
    > got powered up. I'd rather know WHO was trying to use my
    > host (whether my real property or the host to which I was
    > assigned by my company) so something could actually be done
    > about the intruder.


    There are many things "I'd rather know" including next month's
    stock market prices, but I settle instead for measures that
    are satisfactory and appropriate in the circumstances. For
    instance, when staying a day or two at a hotel with my laptop
    I do not festoon the hotel with hidden micro video-cams which
    use chirp-burst spread spectrum communications to relay real-
    time video to my surveillance van parked outside. But I do
    monitor my laptop's SMART info.

    No, my method is not a crystal ball, nor does it provide
    psychological profiles and assessments of the intruders. It is
    a simple intrusion alert which also provides an indication of
    duration. While, lamentably, this information does not allow
    me to analytically reconstruct the entire state of the
    universe, it is nonetheless very useful to be alerted to
    computer intrusion events.

    However, if you would not find such an intrusion alert useful,
    or can't figure out what to do if you'd received such an
    alert, don't use my SMART method.

    Regards,
     
    nemo_outis, Jul 24, 2010
    #9
  10. nemo_outis

    VanguardLH Guest

    nemo_outis wrote:

    > VanguardLH <> wrote in
    > news:i2eika$ohn$:
    >
    > Let me get this straight: This is a forum on computer security
    > and privacy and you are questioning the value of knowing
    > whether someone has surreptitiously started your computer in
    > your absence? Why are you here?


    Oh, so if I contest your pretense that this has value regarding the
    security of your host then I'm not permitted to post here. Uh huh. If
    you don't want the possibility of contravening opinions, don't post.
    These newsgroups exist to engender discussions, not to orate. I don't
    see how knowing that a counter got incremented is going to eliminate the
    problem. It doesn't prevent the spinup. It doesn't catch the intruder.
    It doesn't thwart or bar the same or another intruder from powering up
    your host again. It doesn't scare the intruder. Without adding more to
    it, a counter that alerts you after the fact and without any evidence
    seems very weak security. By the time you add security that is actually
    effective at preventing the intrusion or identifying the intruder, this
    counter becomes worthless. It seems to be extremely cheap and weak
    security in trying to eliminate having to expend the resources to do
    better security in the first place.

    Running around like a chicken with its head cut off accomplishes what?
    That I know someone powered up my host tells me WHAT to do? If I head
    off to work tomorrow and find my rake laying out in my yard when I last
    left it in the shed despite me locking up my shed and doing all other
    security measures, what would I do? Yell into the air? If the shed
    wasn't locked then it was my fault. If the shed was locked and still is
    locked, just WHAT am I supposed to do? I put the rake back in the shed
    and wait to see if it shows up outside again but finding the rake and
    already securing the shed means I can't do anything about whomever is
    moving the rake outside my shed. The action doesn't get discontinued
    because I have no means of actually punishing the perpetrator.

    Any security measures that I implement, like preventing my host from
    powering up in my absence, can be achieved before the invasion. It is
    when an invasion occurs that knowing who did it is a must. Otherwise
    you know you've been invaded but have nothing to do about it.

    The best I can see that is accomplished by knowing your host was powered
    up in your absence is that you then implement further security measures
    to protect your host. Somehow I think that someone watching that their
    host gets powered up has probably neglected to secure their host from
    physical intrusion or even theft.

    I own a store. I come to the store the next morning. A red light is
    flashing telling me that someone broke into my store. This alarm system
    doesn't call for help or notify anyone about the intrusion. It doesn't
    even scare off the intruder. So just WHAT would I do when seeing that
    flashing light upon arriving at work? Well, the only thing I can do and
    that would be to reset it and see when it happens again. Now if the
    alarm that enables the red flashing light also recorded who was on
    the premises, sent me an e-mail or phoned me, or notified a security
    team then that red light has a purpose. So it seems the next step in
    utilizing the spinup counter is to do something about it at the time it
    trips; however, there are probably other security programs available
    that'll alert you or whomever you choose should your computer get
    powered up without your permission via a correct password (which gets
    checked even before having to wait for the OS to load).

    It seems even a BIOS password (and a secured case) would surpass the
    protection of a spinup counter if all it ever did was to count and do
    nothing about it.

    > My SMART method has the advantage that it **alerts you** when
    > such an intrusion event has happened thereby **enabling you to
    > decide** what to do in light of it. Moreover, my method is
    > inherently supported on virtually any computer on the planet,
    > and is therefore very easy to implement even on an ad hoc
    > basis.


    "when such an intrusion has happened". That didn't indicate the alert
    was immediate but something you discovered much later long after the
    invasion and with no information as to who was the invader. To use the
    spinup counter for immediate alert means having to wait until the OS has
    loaded (and that the alert checker runs as a service so it checks before
    logging in especially since the intruder may not be logging in). Of
    course, if the intruder has inserted a CD and your BIOS is configured to
    boot from it then your alert checker and notifier isn't going to work.
    Well, not immediately to have any useful effect.

    I don't see the point of getting alerted to an intrusion sometime long
    after it has occurred other than perhaps as a reminder that I need to up
    the physical security of my host which I could've done beforehand
    anyway. If I go to the trouble of setting up an intrusion detector that
    tells me nothing about the intruder then I might as well take actions
    now instead of doing them after noticing an unidentified intrusion
    later.

    >> There are lots of surveillance measures possible. One
    >> would be to not power down your host but leave it powered
    >> up, logged in but locked with a screen saver (and make sure
    >> Just have a spinup count get incremented doesn't tell you
    >> why someone used your computer...

    >
    > Just having your home alarm go off doesn't tell you why
    > someone has broken into your house in your absence. But many
    > folks nonetheless believe it worthwhile having a home alarm to
    > alert them of such events.


    Nope, home alarms that "go off" but don't alert someone actually make a
    lot of noise in the hopes that it scares off the intruder. After all,
    the neighbors will hear and the intruder wants to remain secretive. I
    don't see anything mentioned in your method that actually attempts to
    scare the intruder to make them go away.

    >> ...if it was your boss at
    >> work, if hotel security, FBI, or other agent responding to
    >> a bomb threat, a coworker that considers your host as their
    >> property, especially if your host is actually your
    >> company's real property and not actually yours, or why it
    >> got powered up. I'd rather know WHO was trying to use my
    >> host (whether my real property or the host to which I was
    >> assigned by my company) so something could actually be done
    >> about the intruder.

    >
    > There are many things "I'd rather know" including next month's
    > stock market prices, but I settle instead for measures that
    > are satisfactory and appropriate in the circumstances. For
    > instance, when staying a day or two at a hotel with my laptop
    > I do not festoon the hotel with hidden micro video-cams which
    > use chirp-burst spread spectrum communications to relay real-
    > time video to my surveillance van parked outside. But I do
    > monitor my laptop's SMART info.


    Going a little overboard here. Using one method (of several) to
    physically monitor your host with a webcam doesn't require anything other than
    the webcam. Of course, if you're concerned the intruder is expert
    enough to circumvent your BIOS and OS logins to wipe the recording from
    your hard disk, and if you have Internet access, then you simply send
    the recording (usually snapshots whether timed or triggered by an event)
    to some other host, even to perhaps an online storage service.

    I'm wondering what you *do* after noticing your spinup count has been
    incremented. Have you been so attacked in the past? If so, what did
    you DO about it when all you know is that your host got powered up but
    with no provable knowledge as to who was the intruder or just what they
    did?

    I grant that knowing your host got [possibly] invaded might have some
    value but only in that it makes you aware that you need to implement
    better security. So it seems a cheap means of finding out if you really
    have to expend more effort and money to protect your host or if you can
    get by with what you already employ. That's like waiting until your host
    gets stolen and then figuring out afterward how you should have better
    physically secured it. So it seems this spinup alert is merely a means
    to prod you to do something better than you've done already, like lock
    your office door, put the laptop inside a lockable case that is cabled
    to something rather immobile, or install a keylock in the Power button's
    wiring along with locking the case. If you don't see an increment in
    the spinup count for which you cannot account then you would not need to
    implement the extra security measures. You can feel comfortable that
    you don't have to implement more security. So, yes, the spinup alert
    tells you that you need to do something MORE than what you've already
    done if you actually do something about improving security after finding
    you've been invaded. The counter doesn't let you do anything about the
    invasion itself.
     
    VanguardLH, Jul 24, 2010
    #10
  11. nemo_outis

    nemo_outis Guest

    "nemo_outis" <> wrote in
    news:Xns9DBE8189F9EBFpqwertyu@69.16.185.247:

    Incidentally, I should point out how useful standard tamper-
    indicating devices such as tape, stickers, and ties are in
    enhancing one's physical security. Relatively cheap too (You
    needn't crack $100 even for a goodly supply of high-quality
    seals, ties, etc. and you may get away with as low as $20.)

    For instance, using numbered tape/sticker seals on the bottom
    "hatches" of one's laptop can be used to ensure no one has
    opened the case and, for instance, inserted a hardware
    keylogger. (Ditto for desktop cases including their front
    drive panels, etc., keyboards, printers, scanners, xerox
    machines, etc.)

    Or a security latching plastic tie can be used to ensure that
    the side panels cannot be opened surreptitiously on a desktop or
    even wrapped around a laptop to ensure the clamshell case
    can't be opened without detection (Even good ties are cheap
    enough to be used regularly and then cut & discarded before
    each use.)

    If you go this route, here are several cautions:

    1) There is enormous variation in quality in the stickers,
    tape, and ties from different security companies. Some are
    very good, but many (far too many!) are worthless (or worse
    than useless if they instil a false sense of confidence). Tags
    MUST have unique serial numbers - generic unnumbered tags are
    worthless, even if tamper-indicating.

    2) The stickers, etc. by themselves are useless if you do not
    have the self-discipline to adhere to a rigorous protocol for
    checking them regularly (I suggest before EVERY session.)
    That means checking the tag number, not just its integrity,
    lest a resourceful adversary have acquired a batch from the
    same manufacturer and replaced your tags with look-alikes.

    3) Even the best of these stickers can be defeated - they are
    not a panacea.

    4) It is best if you keep your supplies of such tape,
    stickers, etc. secure so that no one steals any of them
    (although even this is not crucial if - as you should - you
    actually monitor the *numbers* printed on the seals you use
    and not their mere presence.)

    With regard to my first and third points above, the ultimate
    experts in the area of security seals and such are the folks
    at Los Alamos National Laboratory. It is very worthwhile
    googling the wealth of information from this source, including
    their cautionary tales of how easy it is to circumvent many
    such seals, etc.

    One security aspect that is sometimes overlooked is
    *authentication* of your hardware. For instance, one common
    way of quickly installing a hardware keylogger is to "swap"
    your desktop keyboard for one of the same brand with a
    keylogger already installed (most commonly in
    work/university/etc. environments with many similar machines -
    typically by a coworker).

    In response to this risk you can make a point of regularly
    checking the serial numbers but not all devices have them. Or
    instead you can use the number of an affixed security seal.

    One very good "poor man's seal/ID" is a torn piece from a 1-
    dollar bill containing the serial number affixed to whatever
    is to be authenticated (but see my Los Alamos remarks above
    regarding glue). A bitch to counterfeit including the "tear
    details" so they match the other half you keep in your wallet.
    While I don't use this technique on any of my computers, I do
    use it on a DVD that is my "known-good" source for various
    info including Truecrypt recovery headers, etc.

    Another "poor man's security seal" that is extremely difficult
    to counter is my "epoxy and sprinkles" one.

    As a semi-permanent seal one puts a blob of clear two-part
    epoxy spanning the door, etc. that is to be monitored. But
    while mixing the epoxy you stir in a goodly number of small
    colored sprinkles (about poppyseed size). I found some
    plastic ones that were perfect at a one-dollar store (I
    wouldn't recommend using the edible kind but maybe they would
    work :)

    It is best if the epoxy/sprinkles blob is thick enough that
    there is a 3-dimensional pattern of sprinkles rather than just
    a 2-dimensional one, but even a two-dimensional pattern will
    be extraordinarily difficult for an adversary to replicate.
    Take a (macro) photo of the blob from two different angles (to
    capture the 3-dimensional aspect) and regularly compare the
    photos with the epoxy "seal" to detect if there has been any
    tampering. (There are some paranoiac subtleties that can be
    used to prevent the blob being removed intact and then
    replaced afterwards, but I'll pass over such refinements at
    present. Again, see Los Alamos for such risks and their
    counters.)

    Regards,
     
    nemo_outis, Jul 24, 2010
    #11
  12. nemo_outis

    nemo_outis Guest

    VanguardLH <> wrote in
    news:i2f7la$la1$:


    I may have misjudged you - you appear to be a well-meaning fool
    rather than a trolling fool. Your stupidity was so grotesque
    that I assumed it could only be feigned rather than genuine.
    But it now seems you may indeed be that stupid. My condolences
    on your condition.

    My post was about tamper-indication. Not tamper-prevention and
    not tamper-punishment. And, overlooking how stupid folks like
    you can actually be, I also omitted explaining that tamper
    indication, while a valuable part of physical security, is not
    the whole of it.

    Of course, you are free to post your opinions in this newsgroup.
    Feel free to expose your ignorance and stupidity and make a fool
    of yourself. Just don't expect anyone to take you seriously.

    You make a lengthy post only to describe that you see little
    value in tamper-indication and don't understand how to use it.
    Thank you for confirming your thick-wittedness and lack of
    insight. However, your remarks are not an indictment of the
    utility of tamper-indication but rather of your own lack of
    mother-wit.

    Regards,
     
    nemo_outis, Jul 24, 2010
    #12
  13. nemo_outis

    VanguardLH Guest

    nemo_outis wrote:

    > VanguardLH <> wrote in
    > news:i2f7la$la1$:
    >
    > I may have misjudged you - you appear to be a well-meaning fool
    > rather than a trolling fool. Your stupidity was so grotesque
    > that I assumed it could only be feigned rather than genuine.
    > But it now seems you may indeed be that stupid. My condolences
    > on your condition.
    >
    > My post was about tamper-indication. Not tamper-prevention and
    > not tamper-punishment. And, overlooking how stupid folks like
    > you can actually be, I also omitted explaining that tamper
    > indication, while a valuable part of physical security, is not
    > the whole of it.
    >
    > Of course, you are free to post your opinions in this newsgroup.
    > Feel free to expose your ignorance and stupidity and make a fool
    > of yourself. Just don't expect anyone to take you seriously.
    >
    > You make a lengthy post only to describe that you see little
    > value in tamper-indication and don't understand how to use it.
    > Thank you for confirming your thick-wittedness and lack of
    > insight. However, your remarks are not an indictment of the
    > utility of tamper-indication but rather of your own lack of
    > mother-wit.
    >
    > Regards,


    By your response we can see just how little weight we should grant to
    your opinion. You thought that response helped your position?

    Bye bye.
     
    VanguardLH, Jul 25, 2010
    #13
  14. nemo_outis

    nemo_outis Guest

    za kAT <> wrote in
    news:-privat.org:

    Another buzzing gnat. Swat!
     
    nemo_outis, Jul 25, 2010
    #14
  15. nemo_outis

    nemo_outis Guest

    Swat!
     
    nemo_outis, Jul 25, 2010
    #15
  16. nemo_outis

    nemo_outis Guest

    Swat!
     
    nemo_outis, Jul 25, 2010
    #16
  17. nemo_outis

    Guest Guest

    On Sat, 24 Jul 2010 23:31:59 GMT
    "nemo_outis" <> wrote:

    > Swat!


    That, sir, was an argument worthy of consideration, and I have to admit, you
    completely won me over to your side of the debate with it.

    Or not.

    Seriously though, enjoy your little tamper-indication measure, and we all thank
    you for informing and enlightening those of us (not me) who may think it might
    be useful. Calling people fools won't accomplish anything, it will only make
    you look like a troll.

    --
    n.
     
    Guest, Jul 25, 2010
    #17
  18. nemo_outis

    nemo_outis Guest

    <> wrote in
    news::

    > On Sat, 24 Jul 2010 23:31:59 GMT
    > "nemo_outis" <> wrote:
    >
    >> Swat!

    >
    > That, sir, was an argument worthy of consideration, and I
    > have to admit, you completely won me over to your side of
    > the debate with it.
    >
    > Or not.
    >
    > Seriously though, enjoy your little tamper-indication
    > measure, and we all thank you for informing and
    > enlightening those of us (not me) who may think it might
    > be useful. Calling people fools won't accomplish anything,
    > it will only make you look like a troll.



    As you may have already gathered, I do not suffer fools
    gladly.

    Nor do I use pleasant euphemisms to sugarcoat reality - I call
    fools what they are: fools. When they simply repeat their
    arrant nonsense I dismiss them summarily with a Swat!

    I am a nasty prick. But I am not a stupid nasty prick. To
    the contrary, I am a very clever, very knowledgeable nasty
    prick.

    You do not have to like me to learn from me. (1)

    Regards,

    (1) Or you can choose not to. Either way I don't give a ****.
     
    nemo_outis, Jul 25, 2010
    #18
  19. nemo_outis

    nemo_outis Guest

    Swat!
     
    nemo_outis, Jul 25, 2010
    #19
  20. "iggster" <> wrote in message
    news:...

    [...]

    > No need to reply. I am fine with you having the last word.


    :eek:D
     
    FromTheRafters, Jul 25, 2010
    #20