Hacker News new | ask | show | jobs
by stcredzero 4909 days ago
> Physical access should not equal compromise.

Physical access == compromise even for devices that are as simple as a hollow metal box.

http://en.wikipedia.org/wiki/Safe

Security ratings for those devices are measured in time. Basically, if you lose possession, it's just a matter of time. Digital security is both easier and harder, because all you're protecting there is information. If you wish for the information to be destroyed on tampering, then your job may be easier.

The only way for there to be hardening when physical access is lost is to have some form of layered defense in depth, the aim being giving the user enough time to send a command to wipe the device.
2 comments
carmaa 4909 days ago
Over time, yes. Your statement about physical access == compromise is missing that crucial detail. There's no reason why someone should be able to access all your data just because they have physical access to your device for a short period.

If you really want to do the analogy thing, the DMA vulnerability would be the equivalent of a safe with a door where no key is needed in the back. It would not be a very good safe.

Just sayin'.

link
stcredzero 4909 days ago
> the DMA vulnerability would be the equivalent of a safe with a door where no key is needed in the back.

More like a safe where the "master key" was leaked and wasn't disabled in the models that were sold.

link
carmaa 4909 days ago
I don't think the specifics of the analogy is under discussion here, but rather that it's stupid and counter-productive to dismiss an obvious vulnerability because protecting against it is hard.

Welcome to the world of security, I guess.

link
wisty 4909 days ago
> Physical access == compromise even for devices that are as simple as a hollow metal box.

Only if it's unattended. You can't break a safe, without looking suspicious. You can't disassemble a PC, and take out its hard drive, and not attract a bit of attention.

Being able to root a system by attaching a dongle is a whole different story. It's like auto-play on USB all over again.

link
stcredzero 4909 days ago
> Only if it's unattended. You can't break a safe, without looking suspicious. You can't disassemble a PC, and take out its hard drive, and not attract a bit of attention.

Yes, it goes both for a safe and a computer, so you're reinforcing my point about the equivalency of their security. Safes wouldn't be secure at all without the vigilance of bank employees, etc.

With a Firewire device to DMA the password, all you need is to hook up the device long enough to copy all of active memory. Certainly something that could happen at a hackerspace or at a conference. For the James Bond set, invent a device that you can set about 4 feet (1.3 meters) away on the table, and after it's done copying memory, the firewire cord unhooks itself and retracts back into the device.

link
carmaa 4909 days ago
Hey.

Do you leave your PC or in standby when traveling? When you leave your desk at work?

More importantly, do you think that end users would expect password protection to work? Even when their PC is on?

There's plenty of scenarios where a PC may end up being in another persons control while powered on. This is a relevant threat scenario. Deal with it.

link
Oflameo 4909 days ago
Attaching a dongle seems very suspicions to me, unless it something like a library computer. A library computer shouldn't have any critical data in the first place making the point moot.
link