Date:      Sun, 7 Nov 1999 11:01:25 -0600 (CST)
From:      James Wyatt <jwyatt@rwsystems.net>
To:        Alexandr Gribenko <aeg@iname.com>
Cc:        security@freebsd.org, QuestionsBSD <questions@freebsd.org>
Subject:   Physical security hints (Was: Encrypted HDD)
Message-ID:  <Pine.BSF.4.10.9911070857400.6088-100000@bsdie.rwsystems.net>
In-Reply-To: <NDBBKNDPMMIMOBJEOANEGEAHCAAA.aeg@iname.com>

On Sun, 7 Nov 1999, Alexandr Gribenko wrote:
> Has anyone tried/seen something like this on FreeBSD BOX??
> I am not paranoid, I am just creating a VERY public FreeBSD server, anyone
> has access to the box itself
> I used all my ideas like loading splash screen and setting timeout to 1
> second  ;o)
> the idea is to disable access to file systems by loading from fixit/other
> floppy
> Do not recommend me to remove FDD driver, I did it ;o)
> I do have a backup ;o)
> The problem is that it is too public (Da school man ;o)

Like everyone says: "You can't stop the determined individual in the right
circumstances."

That said, you can do a few things:

1) See if you can secure the case
  1a) I'm guessing that buying a secure case is too expensive here.
  1b) If you can find a system the university (or a company) is tossing
    that they bought a secure case or case lock for, gut the case and
    replace its guts with your favorites or move the lock to your case.
  1c) Last resort: Replace case screws with Torx (or other) 'security
    screws'. 'They' can get the tool at Home Depot or an auto supply, but
    it is better than Phillips or 'standard' screws, which most techie
    pocket knives will usually take care of.

2) Remove the knobs on the front
  2a) If there is a 'keylock' key switch on the front, use it for reset.
  2b) If there is a reset or power-off button, disconnect it.
  2c) Set the BIOS to always-on and ignore-front-switch.
  2d) If there is a power switch on front, bypass it or superglue it on.

3) Set the BIOS to discourage tampering
  3a) Password protect the BIOS; the rest of these kinda depend on it.
    Put the password on a folded sticky note inside so you don't have to
    lose the settings if you forget. If they can read the note sealed in
    the machine, they can reset the password anyway.
  3b) Set it to boot from wd0/ATAPI before fd0/floppy. If you can't, set it
    to swap the fd0/fd1 drives. Floppy still usable, but not bootable.
  3c) Disable any network or CDROM boot.

All this stuff is OS neutral for kiosks and such, the FreeBSD points are
more tricky and should cover the fact they can still reach the power cord
in the back.

Has anyone been able to make network booting work for FreeBSD? - Jy@






