Re: Does Security matter at all?

To: Debian Developers List <debian-devel@lists.debian.org>
Subject: Re: Does Security matter at all?
From: Remco Blaakmeer <remco-blaakmeer@quicknet.nl>
Date: Tue, 4 Jul 2000 23:56:52 +0200 (CEST)
Message-id: <[🔎] Pine.LNX.3.96.1000704234208.4042C-100000@rd1936.quicknet.nl>
In-reply-to: <[🔎] 87itulk4c0.fsf@dahaIM.dyndns.org>

On 4 Jul 2000, Andreas Fuchs wrote:

> There is a value in assigning a password to root. Quite so, if there
> are any users (apart from root) which will have _access_ to the
> machine -- access as in, ssh, rsh, ftp etc.

Yes.

> There may also be some value in assigning a password to root even if
> there are any users that will have _physical access_ to the machine --
> access as in, can change disks, can open the case to peek what's
> inside, pick some hard disks from their place or poke a ten-inch-nail
> into the mainboard (with the aid of a sledgehammer).
> 
> There may be some value to it, but not much, because if the user has
> physical access to the machine, he can do nearly everything he likes
> with it: smash it to little pieces, reboot it with an emergency
> floppy, take out a hard drive (which may as well be a hot drive, but
> let's not elaborate on that).
> 
> You see, there are some suble differences between mere access to a
> machine and physical access to it. That is why @VBCs have their
> important machines behind big, heavy steel doors which can be locked
> pretty tight.

Please also consider the case where people have limited, supervised
physical access to a computer. They can change disks, pull the power plug
and press the reset button, but they won't be able to open a computer case
without drawing attention. This is a fairly common situation in schools
and universities, where students have to be able to save their own
documents on a floppy disk or work on documents that have been previously
stored on a floppy disk, and even in people's homes.

Computers can be set up to be quite secure this way, even though people
have physical access. In the recent autofs discussion and the less recent
mbr discussion some people have stressed the importance of the bugs in
this situation, while others have denied that the situation even exists
without going into the matter any further. Why can't the bugs just be
fixed? In both cases (autofs and mbr) an obvious solution exists, so it
shouldn't be all that difficult.

Remco
-- 
rd1936:  11:40pm  up 19 days, 22:24,  7 users,  load average: 1.00, 1.18, 1.26

Reply to:

Follow-Ups:
- Re: Does Security matter at all?
  - From: tb@MIT.EDU (Thomas Bushnell, BSG)
- Re: Does Security matter at all?
  - From: Brian May <bam@debian.org>

References:
- Re: Does Security matter at all?
  - From: Andreas Fuchs <asf@acm.org>

Prev by Date: Re: new raid for 2.2
Next by Date: Re: SECURITY PROBLEM: autofs [all versions]
Previous by thread: Re: Does Security matter at all?
Next by thread: Re: Does Security matter at all?
Index(es):
- Date
- Thread