From owner-freebsd-questions@freebsd.org Mon Aug 6 15:07:14 2018 Return-Path: Delivered-To: freebsd-questions@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id E2725105BBA5 for ; Mon, 6 Aug 2018 15:07:14 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from kicp.uchicago.edu (kicp.uchicago.edu [128.135.20.70]) by mx1.freebsd.org (Postfix) with ESMTP id 92C277BA04 for ; Mon, 6 Aug 2018 15:07:14 +0000 (UTC) (envelope-from galtsev@kicp.uchicago.edu) Received: from point.uchicago.edu (point.uchicago.edu [128.135.52.6]) by kicp.uchicago.edu (Postfix) with ESMTP id 46B107180CE; Mon, 6 Aug 2018 10:07:14 -0500 (CDT) Subject: Re: Erase memory on shutdown To: Polytropon Cc: thor , freebsd-questions@freebsd.org References: <20180805150241.1E186200349F8E@ary.qy> <4e70e969-14f7-c65d-96d2-dd1610499cd0@irk.ru> <63033.108.68.162.197.1533484522.squirrel@cosmo.uchicago.edu> <20180806073738.6f459398.freebsd.ed.lists@sumeritec.com> <57043.108.68.162.197.1533514207.squirrel@cosmo.uchicago.edu> <5f673fdc-4dd8-663a-605a-6b7cdce5206d@irk.ru> <59554.108.68.162.197.1533522663.squirrel@cosmo.uchicago.edu> <20180806155016.8214e603.freebsd@edvax.de> From: Valeri Galtsev Message-ID: <72676f59-bb8f-757b-d882-89080508a3b7@kicp.uchicago.edu> Date: Mon, 6 Aug 2018 10:07:14 -0500 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <20180806155016.8214e603.freebsd@edvax.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.27 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 06 Aug 2018 15:07:15 -0000 On 08/06/18 08:50, Polytropon wrote: > On Sun, 5 Aug 2018 21:31:03 -0500 (CDT), Valeri Galtsev wrote: >> Yes, it was repeated forever that security begins with physical security. >> And repeating again what my friend likes to say: nothing can stop the guy >> wit the screwdriver. Not quite true, but pretty close. > > In this context, even encrypted partitions sometimes don't help. > > Things that actually have happened: > > 1. > > A thief stole the server of a small business. They had encryption > in place, and because their HPC told them that keys should be used, > they stored keys on a USB stick that was put in the font USB > connector of the server, because their HPC said it was very > convenient to do so, as the server found the keys when booting > and could then enable access to the encrypted disk. > > GAME OVER. > > > > 2. > > A group of theves stole the whole server rack, including the > UPS units, attached them to a power generator in their van, > drove it to the "extraction site" which had regular power, > re-attached regular power, and copied everything from the > still running system without being hit by any "please enter > the password" dialogs. > > GAME OVER. > I like this one. I once had to relocate server into another server room in the building next door, and I didn't want to interrupt user processes. I put UPS on the cart, had UPS running on its battery, reconnected power cords of redundant power supply of the server one at a time to UPS, put server on top of UPS, rolled it into another server room, and reconnected it back to regular power. Nothing interrupted. Active ssh connections hang for few minutes, but none timed out. And users didn't know the server was physically moved. Valeri > > > The guy with the screwdriver usually wins. ;-) > > -- ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++