however, this has nothing to do with accessing local drives.
Lightweight Portable Security
Posted Dec 16, 2010 19:22 UTC (Thu) by jake (editor, #205)
i feel like somehow i am missing your point, sorry if so ...
malware over the wire can mount the local drives and do various ugly things ... that's what it has to do with accessing local drives ... as we seem to agree, an LSM and/or non-root user would help here, but that's not the case currently ...
Posted Dec 16, 2010 20:39 UTC (Thu) by dlang (subscriber, #313)
malware doesn't need to access the local drives to do bad things, and malware would have a hard time figuring out what local drives to mount where to do bad things to them anyway. I'm not aware of any malware that goes digging through your system to even try to do this sort of thing, all malware that I am aware of just affects the stuff that's currently mounted.
in the article you spent a lot of time talking about how the user can still get at the local disks, and my point is that that really doesn't matter.
Posted Dec 16, 2010 20:55 UTC (Thu) by jake (editor, #205)
and my point is that it *does* matter ... whether malware exists today that roots around on the local disks for information of interest, or to alter the installed OS, doesn't really matter -- though i suspect there are isolated cases of that kind of malware out there already ...
the organization sponsoring LPS is set up to protect the data of the DoD, which may well reside on the local disks and/or the USB stick ... if DoD employees are using this at home or on their laptops as some sort of "secure web browser", and have local data of interest, there is a problem, no?
and if we are protecting against nation-state class attacks, those actors developing targeted malware to access or modify that local data is most certainly in the cards ...
i guess i didn't miss your point, i just disagree :)
Posted Dec 16, 2010 23:01 UTC (Thu) by dlang (subscriber, #313)
not to boot this on a secured DoD system and access insecure networks (things like disk encryption, firewall rules, air-gapped networks, etc would come in to play to prevent this)
if the user has sensitive data on their local machine that is a problem completely separate from LPS, and LPS can't solve the problem (the person can just boot into the normal OS of the box, or boot from another live CD, in any case that data is exposed)
Posted Dec 16, 2010 21:01 UTC (Thu) by droundy (subscriber, #4559)
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds