Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Increasing Computer Security through Hardware?

Cliff posted more than 10 years ago | from the when-passwords-are-too-much-of-a-hassle dept.

Security 69

Audiostar asks: "I am interested in adding some security to several of my computers, but am unsure as to which product to go with. I would like to use some sort of external security measure, such as a pen drive token or something similar. I had considered custom building a key card and reader to install on all my machines, but once I started thinking about the cost and time of building a card reader for each of my computers it became rather impractical. Does anyone have any suggestions for external locking devices or software? I would prefer something that I could use on both my Windows and Linux machines, but protecting the Windows machines are the top priority. I don't need anything too fancy, just an added layer of protection from the multitude of various people who come in and out of my place of business everyday. I own a 128mb flash disk watch, so possibly using that as a token would be both easy and geek chic. Any suggestions on what to install?"

cancel ×

69 comments

Sorry! There are no comments related to the filter you selected.

How about this (3, Interesting)

MarsDefenseMinister (738128) | more than 10 years ago | (#8606852)

Use a password to log in. And set your screensaver to activate, with a password, after a short amount of time.

Re:How about this (2, Funny)

BlurredWeasel (723480) | more than 10 years ago | (#8606916)

But how would that be any fun, I mean, a few major problems with this idea

* Way Way too cheap: Technology is supposed to drain your wallet

* Too Mundane: everybody has a screensaver, who's impressed by that nowadays

* Breakable: reboot into single user mode? If you encrypt all your files with a key stored on a usb flash thingy, then you'll be all set

Re:How about this (1)

bobbozzo (622815) | more than 10 years ago | (#8619761)

Breakable: reboot into single user mode?

lilo/grub password (or even BIOS password).

Re:How about this (0)

Anonymous Coward | more than 10 years ago | (#8626114)

Boot with a floppy, or Knoppix to find/remove/reset the BIOS/lilo/grub password. Many BIOS password systems have known vulnerabilities -- they may even be meant to be vulnerable, in order to make recovery possible. Or even better, remove the hard-drive, and pick the data off of it with a Linux LiveCD. There are many ways to get past traditional passwords and recover data. It would be difficult to do so with a hardware token that was always kept secure.

Re:How about this (1)

yuri benjamin (222127) | more than 10 years ago | (#8640098)

How can you boot with a floppy/Knoppix CD without first getting into the BIOS to change the boot order?

As for removing the HDD - that would be a bit conspicuous. I would add to the suggestion of BIOS and Grub/Lilo and Windows/Linux password, also bolt down the physcical case and see if you can put some kind of locking device on the case to prevent someone from removing the cover (to steal the HDD).

Re:How about this (0)

Anonymous Coward | more than 10 years ago | (#8643538)

step 1 open case
step 2 you now have free access

Added layer of protection (2, Funny)

Motherfucking Shit (636021) | more than 10 years ago | (#8606858)

I don't need anything too fancy, just an added layer of protection from the multitude of various people who come in and out of my place of business everyday.
I've had a good deal of success with one of these [bushmaster.com] .

Nobody's compromised any of my machines yet!

Re:Added layer of protection (3, Funny)

toast0 (63707) | more than 10 years ago | (#8607940)

How does that connect to your computer? USB? Serial? Ethernet?

Is it supported in Linux?

Re:Added layer of protection (1)

bobbozzo (622815) | more than 10 years ago | (#8619766)

It connects to the seat-to-keyboard interface.

Re:Added layer of protection (1)

Wingnut64 (446382) | more than 9 years ago | (#8650693)

Is it supported in Linux?
make war

Re:Added layer of protection (1)

Stephen Samuel (106962) | more than 10 years ago | (#8653041)

Is it supported in Linux?

I understand that ESR uses something similar -- but be real careful When you've got those things between you and the keyboard, a typo can be deadly.

Re:Added layer of protection (0)

nik0z (763040) | more than 10 years ago | (#8611241)

haha i wouldn't go near the computer with one of those pointing at me.

Or this... (0)

dtfinch (661405) | more than 10 years ago | (#8606862)

Keep your most valued files on your usb key.

Re:Or this... (1)

MikeCapone (693319) | more than 10 years ago | (#8618823)

Keep your most valued files on your usb key.

And lose it.

Goddam (-1)

Anonymous Coward | more than 10 years ago | (#8606876)

Audiostar's page completely SUCKS. It's the most broken page I've seen all day. Mozilla doesn't know what the FUCK to do with it. What a piece of shit.

I've diagnosed your problem. (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#8606921)

You are a moron.

It might not be great but it works.

Please take 240 grains of lead and call me in the morning.

Re:I've diagnosed your problem. (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#8607584)

Nope, the fucking goddamn image map on the front page doesn't work. I click all over the goddamn thing and it doesn't take me anywhere else on the site. Running Mozilla on Linux, and the fucking thing is just plain broken.

The site was written by a moron, and you're a moron if you think it works on Mozilla.

Re:I've diagnosed your problem. (0)

Anonymous Coward | more than 10 years ago | (#8607815)

It works on (copied from my mozilla's about page)
Mozilla/5.0 (X11; U; Linux i586; en-US; rv:1.5) Gecko/20031007

It's not particularly snazzy, or well sized, but I'm not running at 640x480 either.

So. You were saying?

Re:Goddam (0)

Anaxagor (211917) | more than 10 years ago | (#8606930)

"It's the most broken page I've seen all day."

Well if it wasn't broken before, it sure as hell will be now that every bored sysadmin with a Mozilla install is surfing on by to check out how broken it is.

Smart Card (1)

oO Peeping Tom Oo (750505) | more than 10 years ago | (#8606946)

Why not just use a smart card? Assuming that you run windows on your rig, it has built-in support for it.....you're just trying to keep a few simple documents safe, right? Nothing THAT important?

Re:Smart Card (2, Informative)

oO Peeping Tom Oo (750505) | more than 10 years ago | (#8607033)

My apologies for double posting, but a far as commercial products go, this doesn't seem like a bad solution.... http://www.cyberflex.slb.com/ There is also a Linux SDK, if you want to go down that road......

Does this attract or repel you? (3, Interesting)

orthogonal (588627) | more than 10 years ago | (#8606959)

I don't need anything too fancy, just an added layer of protection from the multitude of various people who come in and out of my place of business everyday.

Really fucking big neodynium magnet installed in the door frame of the entrance to your office.

(Shamelessly stolen from Cryptonomicon. I guess Neal Stephenson should have used a bigger magnet.)

Re:Does this attract or repel you? (2, Interesting)

enigmatichmachine (214829) | more than 10 years ago | (#8607926)

i've oftentimes thought about building a electomagnet into my pc case, such that if a secret switch isn't held down as the case is opened, the electomagnet fries the HDD. never had any data valuable enough to bother though. Anyone ever done it/ know someone who has?

Re:Does this attract or repel you? (1)

Bios_Hakr (68586) | more than 10 years ago | (#8613490)

I prefer thermite. Also, directing a poision-tipped dart to where a likely unwanted case-opener would likely be standing during his case opening gives a peace-of-mind equal to none...

Use reliable hardware. (4, Insightful)

ezraekman (650090) | more than 10 years ago | (#8606965)

Don't use the watch. You'll smack it against something, and then you're screwed. Ditto for a generic USB flash drive, unless you're sure it's bulletproof. Get something reliable, or don't get anything. If you want to be sure you're covered, buy three of whatever it is. Keep one handy, one in a fireproof safe/lockbox on the premises, and one at home. If your only hardware key gets hosed, so do you.

Oh, and KISS. You're right; the cardkey isn't practical, and not just because it'd be difficult/expensive to build. It would probably also be something prohibitively difficult to troubleshoot, should you have problems later. Then you have to call a specialist, and hope he's A) cheap and B) can figure out how to solve your custom-built (and therefore, proprietary) hardware problem. You're probably on the right track with small, removable hardware. Just make sure it's also reliable, or it's useless.

Look out for Fritz Chip- The CryptoProcessor (3, Interesting)

Phoe6 (705194) | more than 10 years ago | (#8607148)

Fritz is a secure cryptoprocessor [wikipedia.org] that implements the trusted computing scheme on personal computers. It uses public key cryptography for the processes communicating amongst themselves. So it would always be helpful unless the security measure is broken by an exact match comprosimed Fritz Chip. ( Which would ofcourse need some quantum computing cycles). So we can assume that it cannot be compromized till date. M$ has plans to incorporate Fritz Chip in the next OS,Longhorn.

Re:Look out for Fritz Chip- The CryptoProcessor (3, Funny)

dave1212 (652688) | more than 10 years ago | (#8607550)

Oh, fuck. No 'trusted computing', please.

Re:Look out for Fritz Chip- The CryptoProcessor (0)

Anonymous Coward | more than 10 years ago | (#8607902)

You fucking moron.

Do you actually *know* anything about Trusted Computing, or are you just a typical Slashdot weenie spouting disapproving shite about a technology you're too ignorant to investigate?

If you actually spent the time to look at what Trusted Computing *is* [trustedcom...ggroup.org] , you would see that your reaction is a) totally over the top, b) demonstrating a mis-understanding due to your fucked-up views.

Re:Look out for NGSCB! (1)

Callan.ca (758584) | more than 10 years ago | (#8613574)

Lets take a look at NGSCB shall we: http://www.microsoft.com/technet/security/news/ngs cb.mspx "Strong process isolation. Users can wall off and hide pages of main memory so that each nexus-aware application can be assured that it is not modified or observed by any other application or even the operating system." Once again, relying on a hardware function of a CPU, to cover their ass. "Sealed storage. Information can be stored in such a way that only the application from which data is saved (or a trusted designated application or entity) can open it. With sealed storage, a nexus-aware application or module can mandate that the information be accessible only to itself or to a set of other trusted components that can be identified in a cryptographically secure manner." Do you get this? you use the 'trusted' program, say oooh MS Office TCI, your cannot open or view it, without using that program, and only that program or another that Microsoft designates as 'Trusted' Do you think they will certify open office? or sun office? I think not Locking your data into their formats, and accessible only at THEIR discretion. "Secure path to and from the user. Secure channels allow data to move safely from the keyboard/mouse to nexus-aware applications, and for data to move from nexus-aware applications to a region of the screen." Wow, a 'secure path' means 'You can only view/interact with this data in the manner WE dictate, and any usage we do not EXPLICITY 'permit', by default will be prevented. (no more feeding that DVD out via S-video to your VCR, you think macrovision is a PITA..... RIAA's wet dream. Or how about: "NGSCB is being designed so that a Windows-based PC with the requisite hardware will be able to run different nexuses, although only one nexus at a time will be able to run on a machine. Anyone can write a nexus (licensing issues will be involved and licensing terms have not yet been announced). The user always has the ultimate authority over what nexuses are allowed to run." 'licensing issues' eh? CLOSING STANDARDS And take a look, even MS is trying to pollute TPM 1.2, since NGSCB will be: Q: I have heard that NGSCB will force people to run only Microsoft-approved software. A: This is simply not true. The nexus-aware security chip (the SSC) and other NGSCB features are not involved in the boot process of the operating system or in its decision to load an application that does not use the nexus. Because the nexus is not involved in the boot process, it cannot block an operating system or drivers or any nexus-unaware PC application from running. Only the user decides what nexus-aware applications get to run. [Anyone can write an application to take advantage of new APIs that call to the nexus and related components without notifying Microsoft or getting Microsoft's approval.] Did you catch this? [] ? How can 'anyone' write an application, when the standards and specifications are subject to MS's whim on who and how to license it? "It will be possible, of course, to write applications that require access to nexus-aware services in order to run." In otherwords, Office and all applications we license the use our standards, which will be made nexus-aware (ostensibly to prevent piracy) but will require us to 'call home' in order to use it. What about: Q: Is NGSCB Microsoft's implementation of the TCG or TCPA specifications? A: No, NGSCB is not an implementation of the existing specifications developed by TCPA or TCG. The upcoming version of the trusted platform module (TPM 1.2) is expected to work as the security support component in the NGSCB architecture. and Q: In what ways do TCG and the NGSCB architecture differ, and what do they have in common? A: The NGSCB architecture encompasses a much broader set of functionality than TCG, but both efforts are designed to enable a more secure and trustworthy computing platform. [This is embrace and extend, even when its supposed to be 'Trustworthy' - Authenticated booting of nexus This is 'call home or dont run' Q: Will other software products still run on machines with the TPM? A: Yes. If the software runs on systems today, it is very likely that it will continue to run on systems with a TPM. Hahah, they already say XP SP2 may 'break' existing applications, and they cover their ass 'its very likely it will continue to run' For the first few years, possibly, but once the claws are in, MS's behavior is well documented. Q: Which versions of TPM are available, which are planned, and how will they support NGSCB architecture? A: The current version of TPM is 1.1 and is available from three sources: Atmel Corp., Infineon Technologies AG and National Semiconductor Corp. Additional vendors are developing future versions. It is important to note that the TPM 1.1 will support TCG functions defined today; however, systems built with these parts will not support NGSCB. In otherwords: You have to buy a computer with a hardware chip that says what you CAN and CANT run, in order to get the 'advantages' of this NGSCB. Can anyone say 'forced upgrade' do you think if the DoD or something were to move to this hardware, that ANY contractor working with them would have a choice? Of course not. My fav: Microsoft is actively working within TCG to define a new version of the TPM specification that will meet NGSCB requirements and provide a superset of the current TCG requirements. Microsoft is avtively working against TCG to corrupt the newest version of the TPM specification that will be what WE want, and provide us with the ability to embrace and extend, thereby making interoperability with NON-MS versions as difficult as possible, and we will hold our specifications to our chest (unless you have big pockets) so as to prevent any NON-MS implementations from gaining ground. Picking 'Trustworthy' computing was the worst mistake you made Anonymous Coward, I may hate MS a lot, but the idea of someone else dictating what I do/dont do with *MY* computer, really raises my hackles. You cannot win the argument, MS is fucking with everyone on this, why do you think they change the name of it every few months? TO CONFUSE the issue, and SLOW organized protest of its adoption. And you know what, Intel found that out with Processor serial #'s, remember that? supposed to be security, but everyone saw it for what it could be, an extreme invasion of privacy, and Intel backed down. It doesnt matter what company comes out with 'Trustworthy' computers, their usage in classified, or enviroments where security is a prime concern, FINE, but MS would have us *ALL* buy 'Trusted' computers, because you know once they get a certain % of the users out there 'switched' via GIVING them away to 'seed' the market, they will start introducing Trusted/Non-trusted computer incompatibilities, and telling developers 'If you want access to our source/API's you have to code for this hardware, no more non-NGSCB runnable applications!' They have done it before, I could lay out the little cartoon footprints on the floor, they have to learn a new dance.

Re:Look out for NGSCB! (0)

Anonymous Coward | more than 10 years ago | (#8619830)

My eyes, my eyes!

A lock (2, Interesting)

metalhed77 (250273) | more than 10 years ago | (#8607164)

Maybe a good lock for your door? Other than that something that's easy to use, and somewhat less easy to break in case it fails or you lose a key. Who exactly is going to be stealing this data? You could always go out and get one of systems cards that'll fry a hard disk if someone attempts to tamper with it but I think that you're not at that level of data sensitivity. Perhaps nothing more than an encrypted filesystem (easy in windows XP) is needed.

Re:A lock (1)

kabocox (199019) | more than 10 years ago | (#8609143)

Mod parent up. It sounds like this guy just needs a room with a lock on it that the "public" isn't allowed into. IF he isn't using internet, I'd say don't hook up a modem and make sure you're networked computers don't have internet access. Then all he really needs is physical security. Hire a guy for min. wage to set in front of the computers, prevent them from walking off and unauthorized usage. Not geeky solutions but they will work. I setup my kids computer with Win2000 without a modem and it isn't hooked to the network, but it secure enough to play Blues Clues and Sponge Bob.

Huh? (1, Insightful)

RealityMogul (663835) | more than 10 years ago | (#8607249)

People that come in and out of my place of business.

You mean, like, customers??? Are you implying that these customers are unsupervised for a period of time lengthy enough to get into your computer and do something to it, or read some personal files? Maybe you should invest in something larger than a USB device. ThinkGeek doesn't sell what I'm talking about, but you could find it at the local unemployment office. Thats right, I'm talking about hiring an employee!!!

If an employee is beyond your means, then may I suggest a nifty little Windows feature: Ctrl+Alt+Del, then click "Lock Computer".

Now, if you'd like to admit that you're business is being run out of your dorm room, and you only want something "cool" to lock out your buddies in the dorm, then maybe you'd get some better advice. Otherwise, password protect your machine, change it daily if you're really concerned, and don't leave it logged in when you're not in your room.

Re:Huh? (2, Informative)

0x0d0a (568518) | more than 10 years ago | (#8607530)

His complaint is legitimate, even if not for this particular case. "Locking" a Windows or Linux box does nothing for security if someone happens to have a rescue disc handy (well, other than let you possibly know that the machine has rebooted).

Re:Huh? (2, Informative)

toast0 (63707) | more than 10 years ago | (#8607955)

Lock down the bios*, so it only boots from the hard drive. Password protect your lilo.

Yes, you can open the case, and fiddle with the lose bios settings jumper, but one hopes you'ld notice when they open the case.

*Many bioses have a backdoor password, make sure yours doesn't, or at the least it's not a common one.

Re:Huh? (1)

DavidTC (10147) | more than 10 years ago | (#8609890)

An interesting idea I've always had would be to do that, encrypt (parts of) your hard drive, and then stick a key in your CMOS memory, in an unused area. (In Linux, this can be accessed through /dev/nvram, but be aware that all your CMOS is there, so writing to it randomly will cause your machine to end up with gibberish settings.) This lets the machine work normally, even booting up and decrypting automatically with that key, but ensures they can't just reset the CMOS and instantly be in.

Of course, you need to backup the key to disk and keep those safe, in case someone actually does reset the CMOS.

Also, stick your harddrive params in the BIOS so they can't 'just' grab another hard drive and have the computer boot off that. (And it's faster, too. It amazes me whenever I sit down at a computer, boot it, and I have to wait three seconds to detect the hard drive...just how often are you switching out hard drives? Is wasting three second on every boot worth saving 30 seconds to go back into your BIOS and run autodetect when you do switch them out? That setting is for idiots who are scared of their BIOS, people with those hardware drive switches, and people who never ever reboot.)

Of course, it's not entirely secure. They could find an indentical hard drive and use that, or decrypt your hard drive (I don't know how much you can fit in a CMOS, but they can't have that much wasted and usable space. You might end up with 64 bit encryption.), but at that point, and with that much time, it's probably just easier for them to get a hardware keyboard logger and log your passwords.

Re:Huh? (1)

Aliencow (653119) | more than 10 years ago | (#8625024)

30 seconds instead of 3... So it takes 10 reboots before being profitable... That's what, at least a year (because of power outages, and I'm not even there when that happens usually) so I think I'll continue being lazy and not caring at all that my reboots take 3 seconds more...

Re:Huh? (1)

DavidTC (10147) | more than 10 years ago | (#8625647)

I knew someone as going to claim that, but it still doesn't make any sense. You'd have to postulate an enviroment where you often change out hard drives, but rarely reboot. Just because the second is true doesn't mean the first is, and in fact that combination doesn't seem to make any sense.

And 30 seconds (Which is probably about twice or even three times as long as actually required.) compared to the time required to open the case and swap out the hard drive is minisucle, in addition to the time required to set up the hard drive once it is installed.

There is no reasonable circumstances where it can be worth saving 30 seconds or less when setting up a computer that reliably costs you three second a reboot, except the ones I mentioned...you have a hardware drive switcher on the front of your computer or you don't know anything about your BIOS or you literally never reboot and didn't set it to start with. (And I obviously can't be complaining about the people who never reboot, as I'd never notice!)

And if you're going into the BIOS for any other reason, it's right there.

Re:Huh? (1)

Garak (100517) | more than 10 years ago | (#8626806)

Just don't install a cdrom or floppy drive in the machine, or remove them after you install the OS.

Re:Huh? (2, Informative)

Audiostar (734627) | more than 10 years ago | (#8612100)

Now, if you'd like to admit that you're business is being run out of your dorm room, and you only want something "cool" to lock out your buddies in the dorm, then maybe you'd get some better advice.

That is truly +2 insightful. You got me. I want to protect my computer mostly from my annoying RA and frat buddies, not the freelance graphic designers I occasionally employ that aren't monitored constantly while they are working. I can only guess that you are making this assumption based on the fact that my email address on my slashdot profile is a University address, but this stems only from the fact that I have had this /. account since I my days in college. I will be sure to change it now to my current address.

Its pretty amazing that someone can ask a simple question and a sarcastic and rude response can get +2 Insightful. Did it get +2 because of the Ctrl+alt+Del comment? Because I actually was already aware of that function, believe it or not. I know that as a college student it could be assumed that certain subtle nuances of computer usage could slip past you in all those hungover mornings from the previous night's sorority function, and you bringing this to my attention has been a great service to me. Flamebait.

It'll definitely handle Windows... (4, Informative)

jargonCCNA (531779) | more than 10 years ago | (#8607307)

Check out the Securikey [thinkgeek.com] on ThinkGeek. I'm not sure if someone's written Linux drivers for it, but there's your hardware level -- and it's two-factor.

pam_usb (1)

harakh (304850) | more than 10 years ago | (#8607337)

I don't know about the windows part im afraid but for Linux there is pam_usb [sig11.org] that works with all XDM/GDM/KDM and other PAM aware login and autentication programs. Its a simple public/private key system with the private key residing on a USB-memory.

Hardware Encrypted Hard Drive (3, Interesting)

sgifford (9982) | more than 10 years ago | (#8607418)

This hardware encrypted hard drive [thinkgeek.com] might be part of what you're looking for.

Re:Hardware Encrypted Hard Drive (1)

ManxStef (469602) | more than 10 years ago | (#8609049)

Oh yeah, that reminds me, I've seen something like that before: the Abit SecureIDE [abit-usa.com] . It's a USB key + inline IDE device that encrypts (using 40bit DES, not massively strong) the contents of the HDD at the hardware level, so isn't device-driver dependant. Can't say I've tried it, but it looks interesting and relatively cheap (~40USD).

Of course, as others have already pointed out, if someone determined has got unmonitored physical access to your hardware then the game is pretty much lost anyway... though a device like this, along with a locked case + drives cover, file level encryption, no bootable removable media such as CD/floppy makes things a bit trickier for the opportunist. Like Shrek said (OK, I'm paraphrasing), security's like an onion, it's all about *layers* ;)

Re:Hardware Encrypted Hard Drive (1)

ManxStef (469602) | more than 10 years ago | (#8609138)

Ooops, sorry - got that a bit wrong: the key *isn't USB*. From the looks of it it's a proprietry device with a Firewire-like connector that plugs into a mount on a blanking plate (supplied) which in turn connects to the inline IDE device. Bit of a pain in that it'd require a bit of work with a dremel to make it front-mounted, but equally means it's fully integrated with no additional hardware requirements.

SmartCard USB Token (1)

cs7 (758214) | more than 10 years ago | (#8607464)

Hello,

you may look for PKCS#11 enabled smartcard USB tokens. If you go for this, you can use the token email and disk encryption software, use it for Secure Single Signon and have it as a "bunker" for for you gpg/pgp keys and certificates.

Christian

Paladium? (1)

Fubar420 (701126) | more than 10 years ago | (#8607532)

I'm no MS fan, but essentially, you're looking for hardware authentication, if I read correctly, or some certification that the user is entitled to do what the code is asking to do...

While its _main_ point is not necessarily that, the paladium arch is designed essentially to ensure that..

on a less trenchcoat idea, 2.6 comes w/ a USB root key module, you might wanna check the source if palladium aint up your ally though

MSI had a USB boot lock on some motherboards (1)

Roman_(ajvvs) (722885) | more than 10 years ago | (#8607593)

I know because I got one with my motherboard [msi.com.tw] . it was a flat orange USB "smart key". Apparently, it would prevent the computer from booting if you enabled it in the BIOS and it wasn't connected. I'm not sure if it was restricted to a single computer but if you lost [msi.com.tw] the [msi.com.tw] key [msi.com.tw] , you were in trouble...

Suffice to say, I wasn't game enough to enable it... I can barely remember what I had for lunch yesterday...

Re:MSI had a USB boot lock on some motherboards (1)

batemanm (534197) | more than 10 years ago | (#8608765)

I had one of them which I did enable. From a hard reboot the machine would lock up and wait for the key but if you pressed the reset button it would start as normal.

Try this... (4, Interesting)

b06r011 (763282) | more than 10 years ago | (#8607688)

i downloaded Float's Mobile Agent [xinium.com] and noticed that with the bluetooth connection, there is an option to automatically lock the workstation when your phone is out of (bluetooth) range. i haven't used it myself, but it looks kinda handy - the number of times i have remembered to pick up my mobile, but not lock the workstation.

and if you really want to make your pc hardware secure, have you tried padlocking it to the wall? :)

Bluetooth Mobile Phone (1)

Kris_J (10111) | more than 10 years ago | (#8607710)

See if there's any product that lets you use a Bluetooth mobile phone (or PDA) as the key that locks and unlocks your workstation. Then it will secure as you walk away and unlock as you return.

How about... (3, Funny)

FLEB (312391) | more than 10 years ago | (#8607741)

Keep the important stuff on an external HDD, and handcuff it to your wrist.

(Note: this is not meant to be a constructive idea)

Er? Bad question! (4, Insightful)

dasunt (249686) | more than 10 years ago | (#8608420)

Audiostar asks: "I am interested in adding some security to several of my computers, but am unsure as to which product to go with...

Er, what sort of security?

A simple bios boot password will prevent the computer-naive from accessing your machine.

GnuPG under Windows and the unix clones will allow you to encrypt/decrypt and digitally sign files.

The unix clones tend to be able to encrypt their entire filesystem by whatever algorythm you want. NTFS claims some sort of filesystem encryption as well, but I'm unfamiliar with the mechanism and thus won't recommend it.

OpenBSD has encrypted swap and tends to be tops on the 'utterly paranoid' scale.

How about you tell us what you are trying to do exactly, and we'll tell you the best solution.

Re:Er? Bad question! (2, Informative)

DavidTC (10147) | more than 10 years ago | (#8610016)

NTFS encryption is exactly as good as Windows security.

Haha. No, seriously, the concept behind NTFS encryption is great. It keeps keys with login creditials, and they're decrypted with your login password. I forget the algorythm, but it's not some snake oil crap, it's a real, heavy duty encryption thing. Linux could use something like it, it's so amazingly transparent and just works correctly.

The problem, of course, is that administrator has all the keys, and administrator isn't anywhere near protected enough to be allowed that kind of power...a single spyware and all everyone's super secret files are free for the taking.

Basically, NTFS encryption on Windows is about the same concept asking people their names before they board a plane, but doing a really good check on the name they gave, with absolutely no check to see if that's actually their name. They've bolted working security on a system with completely broken authentication. You can only get 'your own' files, but it's rather easy to be someone else, or even the administrator, so it's really goofy.

Re:Er? Bad question! (1)

duffbeer703 (177751) | more than 10 years ago | (#8627853)

Not true.

An administrator can reset a key, but cannot read it. When you reset a key, documents become unrecoverable.

Most places who are seriously considering using file encryption implement security policies that eliminate things like local administrative accounts and check some of the powers of administrative users.

For example, data that is protected by HIPPA law in the US can be deleted, moved or indexed by a computer administrator, but cannot be modified. Only users with a business need to view/manipulate/create data can do so.

NTFS encryption is like any other encryption scheme -- it needs to be configured properly to be secure.

Re:Er? Bad question! (1)

DavidTC (10147) | more than 10 years ago | (#8628083)

Administrators certainly can read data by default in NTFS. The way it works is that all data is encrypted to them and the user who owns the file.

Whether or not you can set it up any other way I don't know, but that's how it works by default.

And setting up no local adminstrator account is insanely stupid...what if the network drivers break?

Re:Er? Bad question! (1)

duffbeer703 (177751) | more than 10 years ago | (#8630522)

If the network drivers "break", you reimage the box. Of course, if you are in a well-run business network, this doesn't happen because users don't install software and IT tests new apps against common workstation images.

If you have the budget to spend lots of time dianosing arcane workstation issues, you are misspending your budget.

The most important thing in data security is policy & practices. If you or your IT people are ignorant of the system that they work with to the point that they allow anonymous users "ie local 'Administrator'" to access sensitive, encrypted data, the data never can be secure.

Re:Er? Bad question! (1)

DavidTC (10147) | more than 10 years ago | (#8640483)

I don't think anyone said anonymous users or even known users should have access to Administator.

I was just taking issue with the concept of removing the account. By all means, IT are the only people who should have access to it, but it still needs to exist.

Otherwise you will run into incredible stupid things like having to reimage a drive because your network card failed. Which despite whatever you may claim, is not an effective way to run a business, especially a business with important enough data that it needs encryption. (Which is what this thread was about.) It may be an efficent way to run IT, but it sure as hell isn't helping the business any to wander around randomly reimaging the drives.

I mean, the most efficent way to run IT is to just not give anyone a computer, then you don't have to spend any of that precious precious budget of yours. But that's an incredibly stupid thing for a business to do, no matter how good it makes IT look.

Re:Er? Bad question! (0)

Anonymous Coward | more than 10 years ago | (#8641411)

Who logged into workstation "X" yesterday at 3:10?

Oh, it was /Administrator. Helpful.

how far are you willing to go? (2, Interesting)

bluGill (862) | more than 10 years ago | (#8609542)

Security is a tradeoff, go too far and you end up being so annoyed with it that you bypass your measures and become less secure. So decide how far you need to go.

I'm, not impressed with hardware security, other than keeping important files on the USB keychain at your side. (And even then you need regular backups kept in a good data safe) Do a web search and you can find information on how to fake fingerprints. You can find keyboard loggers, which a well equipped attacker can modify into a more general logger to simulate your hardware device. (though I doubt you are worth that much effort, and encryption can prevent man in the middle attacks like this if you are)

Personally I would build a network, save all my files to a UNIX (openBSD perhaps) box in a secure area, and mount that disk everytime I was at the machine, and unmount it when I was done.

Don't forget access control lists. If the user you leave the machine logged in as cannot access files you have one less worry. Window has pretty good ACLs if you use them.

What are you protecting against? (3, Informative)

jonadab (583620) | more than 10 years ago | (#8609819)

You didn't tell us -- are you protecting against vandalism (some clown messing
up the settings, deleting stuff, whatever) or against information theft? The
solution will be completely different.

To protect against vandalism, nothing beats nightly offsite backups, nothing.

To protect against information theft, how about storing the informationg in
question on an external device that you keep on your person? Then when they
go to steal it, it's not there. Hard to beat that.

Get a SunRay setup (0)

Anonymous Coward | more than 10 years ago | (#8611209)

Then you use wafer thin clients that are hotdesked using a smart card.

When you walk away from the machine, grab the smart card and the session "vanishes". When you come back, and reinsert your smart card, the session reappears. And the best part is that it doesn't matter which thin appliance you do this on.

Everything else is tucked safely away in your server room.

Look it all up at Sun's site.

Abit SecureIDE (4, Informative)

Asterisk (16357) | more than 10 years ago | (#8612006)

Abit makes a product [abit-usa.com] that sits between the IDE port on your motherboard and the hard drive. It encrypts all of the data on-the-fly and requires a small dongle to be plugged in externally to work. Combine that with a good case lock, and you should be all set.

until somebody steals the dongle (0)

Anonymous Coward | more than 10 years ago | (#8654058)

8-)

Lock your door. (1)

ogre2112 (134836) | more than 10 years ago | (#8625083)

Ever think about it? Padlocks! Bolts! LASER BEAMS!

Think more about the room, and less about the chincy little card reader someone could easily rip out of the front of your case, or better yet just snag the HDD from your system and proceed to hack your data..

ibutton.com (1, Informative)

Anonymous Coward | more than 10 years ago | (#8628927)

ibutton.com

Gimme Access and it wont matter (2, Insightful)

nurb432 (527695) | more than 10 years ago | (#8629738)

If someone has physical access and determination, nothing you do will be 100%..

All you can do is slow them down..

Enabling bios passwords, disabling boot from anything but the HD, storing data on the servers, and good system passwords should be enough to keep out the casuals...

Removable HDD bay (1)

gilesjuk (604902) | more than 10 years ago | (#8630760)

Remove the HDD and lock it in a safe.

Install a lock on the case, cut the wire from the start button to the motherboard, insert keyswitch like the old keyboard locks.

Should just about do it.

Keyboard lock (0)

Anonymous Coward | more than 10 years ago | (#8643726)

You need to find yourself an old model PC. One of the ones left over from the days when every PC had a klunky keyed lock to disable the keyboard.
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>