Re: Single user mode

Richard B. Johnson (root@analogic.com)
Tue, 21 Jan 1997 08:55:55 -0500 (EST)


On 20 Jan 1997, Markus Gutschke wrote:

> zblaxell@myrus.com (Zygo Blaxell) writes:
[SNIPPED]
>
> I still believe that the PC architecture does not provide any
> reasonable security, if you can gain physical access to the
> machine. Other architectures might be better off, but it appears that
> most of them still have some exploitable backdoors.
[SNIPPED]

Physical access to a machine prevents complete security (any machine). All
machines must be maintained. If you can't "get into it" when you have it
in your physical presence, you can't fix it. You will have to throw it
away if it doesn't work or .... The system administrator changed all the
passwords and quit.

Most people who know about many Operating Systems think that VAX/VMS machines
are very secure. I can "break into" any machine I can touch. So can you.
To prevent such break-ins, you have to put the machine in a secure area and
allow access only over "secure" links. This is incompatible with the idea
of a "Workstation".

An IBM/PC-AT can be "booted" over the keyboard wire. This is the
"Manufacturing Test" provided in the BIOS. In principle, you could upload
a 32-bit operating system and begin execution. This should not scare you.
You have physical access to the machine. Shorting out the battery to the
BIOS will clear any BIOS password. You might not have to do this because
the "password" is hashed (munged) into a single BYTE in the timer chip
CMOS. There are many keystrokes that could get you "in", regardless of
the password that was set.

Simplest... Take the hard disk and mount it on your machine. Do whatever,
then reinstall it. All these things and others can be done when you
have physical access to a machine.

If you want or need security, keep the secure machine locked up and
accessible only using tools that you wrote. True security comes from
keeping the power switch off also.

Cheers,
Dick Johnson
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Richard B. Johnson
Project Engineer
Analogic Corporation
Voice : (508) 977-3000 ext. 3754
Fax : (508) 532-6097
Modem : (508) 977-6870
Ftp : ftp@boneserver.analogic.com
Email : rjohnson@analogic.com, johnson@analogic.com
Penguin : Linux version 2.1.21 on an i586 machine (66.15 BogoMips).
Warning : It's hard to remain at the trailing edge of technology.
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-