Date: Tue, 4 Jul 2000 06:48:12 -0400 From: Troy Arie Cobb <tcobb@staff.circle.net> To: 'Alex Popa' <razor@ldc.ro>, Dan O'Connor <dan@mostgraveconcern.com> Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org Subject: RE: securing the boot process (again?!?) Message-ID: <AE4A7B7EB10DD4118CBD0050DA196F4F0BE610@FRIGGA>
next in thread | raw e-mail | index | archive | help
There are small locks you can buy which fit into a floppy drive and secure it with a key. If your users don't need to put floppies in on a regular basis (but perhaps YOU do occasionally), then this can be a good choice to avoid booting the evil-floppy-kernel. -Troy Cobb Circle Net, Inc. http://www.circle.net 1-800-321-2237 x308 > -----Original Message----- > From: Alex Popa [mailto:razor@ldc.ro] > Sent: Tuesday, July 04, 2000 6:27 AM > To: Dan O'Connor > Cc: freebsd-security@freebsd.org; freebsd-stable@freebsd.org > Subject: Re: securing the boot process (again?!?) > > > On Mon, Jul 03, 2000 at 08:43:38PM -0700, Dan O'Connor wrote: > > >> Doesn't your computer have a BIOS password? These are > typically invoked > > >> *before* the BIOS tries to boot off any disk... > > > > > >Unfortunately BIOS passwords can be disabled on the > motherboard in a matter > > >of minutes (for most motherboards that I know of). Even > Dell laptops > > (don't > > >know about their desktops/servers) have a master > password that Dell will > > give > > >you if you call them, provided you give them some details first. > > > > Looks like there's not really much you can do if you > can't physically secure > > the machine. > > > > Even all the other tricks, boot only from hard drive, > setting the delay to > > '0', are pointless if someone can get inside the hardware > case, change > > jumpers, get into the BIOS and turn on boot from floppy > and then boot from a > > floppy. On the other hand, if someone has the opportunity > to do all that, > > they might as well just steal the whole box... > > > > Moral of the story: either secure the machine in a > location where malicious > > users can't get to it or take the consequences. > > > Okay, my mistake: by "public access machine" I meant users > have access > to the fromt panel of the PC (so they can use the floppy > drive) and a > keyboard and monitor, but *NOT* the inside of the case (the case is > sort of buried in a wall). And the problem I had was > (apart from booting > an evil kernel installed on /tmp) that by setting the > floppy drive to > "none" in the BIOS the kernel (4.0-STABLE) canot use floppies after > booting. > > I do have a BIOS password, and of what I've heard there is no other > way of bypassing it except for the jumpers on the motherboard > (impossible, see above). > > ------------+------------------------------------------ > Alex Popa, |There never was a good war or a bad peace > razor@ldc.ro| -- B. Franklin > ------------+------------------------------------------ > "It took the computing power of three C-64s to fly to the Moon. > It takes a 486 to run Windows 95. Something is wrong here." > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-stable" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AE4A7B7EB10DD4118CBD0050DA196F4F0BE610>