On Thu, 27 Jan 2011 11:03:58 +0100 Sjoerd Hardeman <sjo...@lorentz.leidenuniv.nl> wrote:
> Celejar wrote:
> > On Wed, 26 Jan 2011 23:24:07 +0100
> > Jochen Schulz <m...@well-adjusted.de> wrote:
> >
> >> Celejar:
> >>> Brad Alexander <stor...@gmail.com> wrote:
> >>>
> >>>> Linux admins used LUKS, and as a further step, I put /boot (the only
> >>>> partition that cannot be encrypted) on a USB stick, so that if anyone
> >>>> got the laptop, they had no access to the data.
> >>> Why does putting /boot on a USB stick gain you anything?
> >> Because an unencrypted /boot may be altered by an attacker without you
> >> noticing it. Theoretically, the kernel may be replaced by another one
> >> that reports your passphrase to the attacker.
> >
> > Oh, basically the Evil Maid attack. Fair enough. But then you have to
> > make sure the attacker can't flash the BIOS ...
> Bother to explain how it works? If you have an encrypted partition, no
> adapted kernel will ever be able to access it. So how can an adapted
> kernel report the passphrase?
>
> Or do you mean that the kernel can be altered to log the passphrase
> somewhere? This then is a way more general problem, as physical access
> to the computer will always allow someone to install a sniffing hardware
> or software device.

I think we're talking about the latter - the attacker replaces your
kernel with a modified one to record the passphrase. Yes, it's
basically true that an attacker with physical access can always install
a sniffer, but forcing him to do it in hardware will make it harder.

http://www.schneier.com/blog/archives/2009/10/evil_maid_attac.html

Celejar
--
foffl.sourceforge.net - Feeds OFFLine, an offline RSS/Atom aggregator
mailmin.sourceforge.net - remote access via secure (OpenPGP) email
ssuds.sourceforge.net - A Simple Sudoku Solver and Generator