
Lightweight Portable Security

Posted Dec 16, 2010 18:46 UTC (Thu) by dlang (subscriber, #313)
In reply to: Lightweight Portable Security by jake
Parent article: Lightweight Portable Security

true, and that is why adding an LSM and using a non-root user are good things to do.

however, this has nothing to do with accessing local drives.



Lightweight Portable Security

Posted Dec 16, 2010 19:22 UTC (Thu) by jake (editor, #205) [Link]

> however, this has nothing to do with accessing local drives.

i feel like somehow i am missing your point, sorry if so ...

malware over the wire can mount the local drives and do various ugly things ... that's what it has to do with accessing local drives ... as we seem to agree, an LSM and/or non-root user would help here, but that's not the case currently ...

jake

Lightweight Portable Security

Posted Dec 16, 2010 20:39 UTC (Thu) by dlang (subscriber, #313) [Link]

the purpose isn't to protect local drives from the user, it's to protect the user from stuff that may be on local drives by ignoring them.

malware doesn't need to access the local drives to do bad things, and malware would have a hard time figuring out what local drives to mount where to do bad things to them anyway. I'm not aware of any malware that goes digging through your system to even try to do this sort of thing, all malware that I am aware of just affects the stuff that's currently mounted.

in the article you spent a lot of time talking about how the user can still get at the local disks, and my point is that that really doesn't matter.

Lightweight Portable Security

Posted Dec 16, 2010 20:55 UTC (Thu) by jake (editor, #205) [Link]

> in the article you spent a lot of time talking about how the user can
> still get at the local disks, and my point is that that really doesn't
> matter.

and my point is that it *does* matter ... whether malware exists today that roots around on the local disks for information of interest, or to alter the installed OS, doesn't really matter -- though i suspect there are isolated cases of that kind of malware out there already ...

the organization sponsoring LPS is set up to protect the data of the DoD, which may well reside on the local disks and/or the USB stick ... if DoD employees are using this at home or on their laptops as some sort of "secure web browser", and have local data of interest, there is a problem, no?

and if we are protecting against nation-state class attacks, those actors developing targeted malware to access or modify that local data is most certainly in the cards ...

i guess i didn't miss your point, i just disagree :)

jake

Lightweight Portable Security

Posted Dec 16, 2010 23:01 UTC (Thu) by dlang (subscriber, #313) [Link]

this is intended to protect the DoD data, but the intention as I read it is to use unknown hardware to securely access DoD data.

not to boot this on a secured DoD system and access insecure networks (things like disk encryption, firewall rules, air-gapped networks, etc would come into play to prevent this)

if the user has sensitive data on their local machine that is a problem completely separate from LPS, and LPS can't solve the problem (the person can just boot into the normal OS of the box, or boot from another live CD, in any case that data is exposed)

Lightweight Portable Security

Posted Dec 16, 2010 21:01 UTC (Thu) by droundy (subscriber, #4559) [Link]

I got the impression that the system was supposed to be able to protect against malware that might be created intentionally by nation states that might be specifically targeting the user. It isn't marketed to only protect against run-of-the-mill Windows malware, so it's reasonable to expect that it should be able to defend against attacks that specifically target the computer. Which also I presume would mean protecting against attacks that rewrite the BIOS, since that could compromise future uses of the system, since it could boot from the hard drive while pretending to boot from the CD or USB stick.

