coffeendonut

How secure are files if my computer gets stolen?


how would one disable the linux 1 bypass???

man lilo.conf:

    password=<password>
              Protect the `image=' or `other=' with a password (or passphrase).  It may be specified as  a
              global  option.  The  interpretation  of  the  `password=' setting is modified by the words
              `mandatory', `restricted', and `bypass' (see below).
              The password may be specified in the config-file (less secure) or entered at  the  time  the
              boot  loader is installed. To request interactive entry of the password, it should be speci-
              fied: password="".  Passwords entered interactively are not required to be entered again  if
              the  boot  installer  is re-run. They are cached, in hashed form, in a companion file to the
              config-file, default name: /etc/lilo.conf.crc. If the config-file is updated, a warning mes-
              sage will be issued telling you to re-run lilo -p to force re-creation of the password cache
              file.

      mandatory
              A password is required to boot this image. This is the default. May  be  used  on  a  single
              `image=' or `other=' to override a different global setting.

      restricted
              A password is only required to boot the image if kernel parameters are specified on the com-
              mand line (e.g. 'single').  May be used on a single `image=' or `other=' to override a  dif-
              ferent global setting.

 

see the full man page for other options.

 

but as pointed out before, if your machine is physically compromised you can't do anything (i.e. a guy with a screw can steal the hd and mount it on another machine and access your data -- unless that data is encrypted)

Edited by aru


Leaving aside for now the issue of HD physical security, most BIOSes these days can be password-protected. I have a bottom-of-the-line Toshiba laptop that offers this, so you can't even use a boot-disk without knowing the password. Admittedly the password is only 8 characters, but I'm not aware of a software method to bruteforce this, so you would be stuck trying to bruteforce it manually...

 

<please let me know if I'm incorrect, it happens quite a lot>

 

As for the HD, these can be hardware-protected as well, and from what I read here it can be pretty tricky to use the drive again, never mind get at the data:

 

http://www.experts-exchange.com/Hardware/Q_20423260.html

 

<you may want to just skip down to Darrel_fong's useful suggestions, it is a long thread>

 

I agonise about this myself, but against the average housebreaker I think BIOS-level protection is a pretty good start. Somehow I doubt they'd just return it, but here's hoping...


There are many ways to bypass that. The easiest way is to remove the battery of the mobo, or you can discharge an EMP near it (don't laugh it has already been done by someone :cheeky: --not me) but that is dangerous since it might ruin it.

 

Another method, I don't know if it works on your lappy, is to disconnect the HD from the rest of the machine and it will automatically boot the floppy or the cdrom.


You can set it so that the root-password is asked at bootlevel 1. The lilo-password could be another level of security ... if you want, I'll have a look, but try this:

 

when lilo starts, go to the commandline (pressing "escape"?):

 

type:

 

linux init=/bin/sh

 

"linux" should be replaced by a linux-entry of lilo. This will get you root-privileges ... it doesn't start any services. I tried this on a fedora3-box lately, trying to add a user, but it refused ... maybe because they use SELinux? I don't really know. You could of course disallow going to the commandline in lilo/adding options and putting a password in the bios. Of course I also once found tools for circumventing the bios-password ...

 

I think encryption is the best option, maybe in combination with stego... (lets you hide info in pictures/music/... don't know if the (partial) name is correct). There are opensource programs for the stego-stuff I believe and also programs that try to detect the stego...

 

Michel
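
The `restricted`/`mandatory` settings in the man page excerpt earlier in the thread, and the `linux init=/bin/sh` prompt trick described in the post above, both depend on whether each lilo.conf entry is covered by a password. The following is an added example, not written by any poster in this thread: a shell function that reports the protection of every `image=`/`other=` entry. The function names and the sample config are constructed, and `bypass` is treated as exempting an entry from the global password.

```shell
#!/bin/sh
# Added example: print "<label> <status>" for every image=/other= entry.
# status: mandatory | restricted | OPEN (no password check applies).
audit_lilo_conf() {
    awk '
    function flush(    pw, mode) {
        if (!in_sec) return
        pw = sec_pw || glob_pw
        mode = (sec_mode != "") ? sec_mode : glob_mode
        if (mode == "") mode = "mandatory"      # man page: the default
        if (!pw || mode == "bypass") mode = "OPEN"
        print label, mode
    }
    function value(s) { sub(/^[^=]*=[ \t]*/, "", s); return s }
    {
        sub(/#.*/, "")                          # strip comments
        gsub(/^[ \t]+|[ \t]+$/, "")             # trim whitespace
        if ($0 == "") next
    }
    /^(image|other)[ \t]*=/ {
        flush(); in_sec = 1; sec_pw = 0; sec_mode = ""
        label = value($0); next                 # fallback label: the path
    }
    /^label[ \t]*=/    { if (in_sec) label = value($0); next }
    /^password[ \t]*=/ { if (in_sec) sec_pw = 1; else glob_pw = 1; next }
    /^(mandatory|restricted|bypass)$/ {
        if (in_sec) sec_mode = $0; else glob_mode = $0
    }
    END { flush() }
    ' "$1"
}

# Succeeds only if no entry boots (or takes parameters) without a password.
lilo_conf_hardened() {
    ! audit_lilo_conf "$1" | grep -q ' OPEN$'
}

# Constructed sample config (not from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
prompt
password=""
restricted
image=/boot/vmlinuz
    label=linux
other=/dev/hda1
    label=windows
    bypass
EOF
audit_lilo_conf "$sample"    # linux restricted / windows OPEN
rm -f "$sample"
```

An entry reported as `restricted` still boots unattended, but typing `1`, `single` or `init=/bin/sh` at the prompt asks for the password first; the config file itself should be readable by root only if the password is stored in it.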


Think if you do a search for drakloop on this list you will see some posts by dragonmage who is the "resident expert" on it. He uses it still afaik. Should be able to install it from the CD or via urpmi. On my 101 OE it is under SYSTEM--ARCHIVING--OTHER--DRAKLOOP. It is quite nice unless you really like to use cli all the time.

 

I use it and kgpg for files that are things I do not want others to access. Drakloop does not seem to goof up my speed here but I don't use it 100% of the time. My CPU is only AthlonXP 1600 so not fast by today's standards. I used Bestcrypt but it always felt clunky though it did not cause slowdowns.

 

Sorry slow to reply. I am two days home from having quadruple bypass surgery.

 

Missed the board while I was out of action. Glad to be back. :P


It all depends what your needs are. If you plan to backup the data on dvd, and wish to keep it encrypted on dvd -

urpmi mountloop

then open the application called drakloop (it gets installed with mountloop). Create a folder, decide on encryption methods, e.g. aes 196, and keep all your encryption with the same choice to simplify remounting and so on.

When you mount the drakloop folder, it appears as a usual ext3 partition with all your lovely data that gives your company the edge in the market. When you unmount it, your competitors have no idea what is on that "partition" - they only see an "ENCFILE" - a solid hunk of nothingness except for the size of the data. No other info is accessible.

 

To burn to dvd as encrypted data, merely unmount the folder then burn the encrypted file (to my recollection it is named "encfile")

using K3B or any other burn software. The dvd now contains the encrypted file which can only be decrypted with the key u provided. You can now mount the drakloop folder again and delete that data - use it for other data, and then unmount and back up to dvd again.

 

To mount the same file from the dvd, you have the option of using the terminal or the easiest way IMHO is to create a special 4.3 GB drakloop (encfile) folder "partition" (drakloop partition/folders reside in your home folder). I name it "dvd" and use it only for accessing older backed up data. I suggest you keep this "drakloop dvd folder" for mounting any "encfile" that's stored on your dvds or whatever media u use. Make sure that your dvd folder is not mounted by drakloop/unmount the "dvd folder". Now simply delete any encfile that exists in the "dvd" drakloop folder and copy the encfile from your dvd to the dvd drakloop folder. Once the copy is finished, mount the folder using drakloop and u see your decrypted data from the dvd. It's that simple.

 

One problem is that it seems mandriva will not be supporting this mountloop package for much longer because of some security loophole - darned if i understand it. :( It's unfortunate and i request mandriva to please continue to have us choose between mountloop and other options notwithstanding there may be some security risk. we can make that choice as end users can't we?

The other option is gpg - but then each file must be encrypted on its own. It's tiresome.

 

the other option is truecrypt or realcrypt. Realcrypt is easy enough to install but it takes years to master the use of it for me. so i tried truecrypt because it has a gui. No can install/compile so far. very hard to compile truecrypt in mandriva. Please can someone either request that mountloop continue to remain available because it works like a symphony for most people. alternatively, create a gui for realcrypt.

 

What I have done for now is installed FEDORA 9 - from install, u can encrypt not only your home partition, but your root as well. The only unencrypted section is about 198MB for the boot. The rest is encrypted and it's all done by a simple check in a box. You must install from the dvd and it's easiest to select a partition and have anaconda (fedora installer) provide a default LVM setup on a partition.

 

Truecrypt is easy as pie to install in fedora 9 (an unofficial rpm is available). The unofficial rpm gives the full truecrypt functionality - hidden or non-hidden folders can be created/data encrypted "on the fly"/unencrypted/burned to disc/remounted same as drakloop, only it is sure to be maintained and readable on all distros (even the smutty closed source ones)

 

For now, i am sold on fedora for their one touch encryption at install

Edited by hq197


RealCrypt is TrueCrypt rebranded by Mandriva and with a new easy-to-use GUI interface. So there's absolutely no reason to use Fedora or the NSA spyware Red Hat bundles with it.

 

http://wiki.mandriva.com/en/RealCrypt

 

Big corporations and governments pose a much greater security risk than crackers or terrorists in today's global fascist police state.

"Fedora or the NSA spyware Red Hat bundles with it."

There is no known spyware from the NSA in Fedora. The code is open source, and anyone can review it, if there was a backdoor, some smart, paranoid developer would have already found it and exposed it. Instead, people just continue to perpetuate a rumor based on conjecture.

But nice try on the conspiracy theory. I did get a good chuckle reading your contributions to this thread.

"Big corporations and governments pose a much greater security risk than crackers or terrorists in today's global fascist police state."

I think your political commentary is better left for OTW. It's not really relevant in this discussion. Then again, bringing up a thread that's over a year old just to post some paranoid, political stuff is kind of irrelevant on its own.

Edited by tyme


Realcrypt has been dropped entirely from Mandriva. It was decided that the truecrypt licence prohibited re-distribution, even in the modified form used by Mandriva.

 

Jim


Aye, I think it's better using cryptsetup instead of truecrypt/realcrypt or whatever incarnation it takes.
