From: Arno Wagner
Date: Wed, 30 Dec 2009 03:56:54 +0100
To: dm-crypt@saout.de
Subject: Re: [dm-crypt] encrypted root: prevent / detect tampering with kernel / initrd
Message-ID: <20091230025654.GC20576@tansi.org>
In-Reply-To: <4B3A8835.1000603@gmail.com>

On Tue, Dec 29, 2009 at 11:52:37PM +0100, Olivier Sessink wrote:
> Arno Wagner wrote:
[...]
>> But here is something easy: Use an external boot medium for
>> verification, e.g. a memory-stick installed Knoppix with some
>> custom check script you call manually or automatically. Keep the
>> external checker system separate from the laptop. With
>> that the ideas you outlined above would work. You can, e.g.,
>> compare MBR and files in /boot to checksums or good copies.
>> I currently have an 8GB SuperTalent Stick with the Knoppix
>> DVD installed on it in my wallet. Adding packages and your own
>> data/programs is possible as it has a writable filesystem (writes get
>> overlaid on top of the read-only DVD image).
>
> I am aware of this concept, but it just moves the problem to the usb
> image (somebody sneaks into your hotel room at night ....). And again if
> somebody did change the usb image there is no way you are going to find
> out, even if they did something that could have been detected very
> easily such as a changed initrd. I don't expect our "regular users" to
> carry a very good safe with them day and night (and a safe can be picked
> as well).

Simple again: Wear it on a chain around your neck. Anybody that can
beat this likely can beat any and all other security measures you can
implement.

Arno
--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@wagner.name
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news"
is "something that hardly ever happens." -- Bruce Schneier
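The "custom check script" on the external stick that the quoted text describes, written out as an added example (not code from this thread or from the dm-crypt project): it records SHA-256 sums of the MBR and of every file under /boot into a manifest kept on the stick, and later recomputes and diffs them. The disk image, boot tree and file names in demo() are constructed test data; the real paths (e.g. /dev/sda and a mounted /boot) are assumptions.

```shell
#!/bin/sh
# Added example, not code from the dm-crypt thread. snapshot() records SHA-256
# sums of the MBR (first 512 bytes of the disk) and of every file under the
# /boot tree; verify() recomputes them and diffs against the saved manifest.
# Real use (paths assumed): snapshot /dev/sda /mnt/boot /media/stick/manifest

# snapshot <disk> <bootdir> <manifest>: write the trusted manifest
snapshot() {
    {
        printf 'MBR %s\n' "$(dd if="$1" bs=512 count=1 2>/dev/null | sha256sum | cut -d' ' -f1)"
        # sorted so the manifest is stable; an added or removed file shows up too
        (cd "$2" && find . -type f | sort | while read -r f; do
            printf 'FILE %s %s\n' "$(sha256sum "$f" | cut -d' ' -f1)" "$f"
        done)
    } > "$3"
}

# verify <disk> <bootdir> <manifest>: returns 0 if unchanged, 1 plus a diff otherwise
verify() {
    current=$(mktemp)
    snapshot "$1" "$2" "$current"
    if diff -u "$3" "$current"; then rc=0; else rc=1; fi
    rm -f "$current"
    return $rc
}

# demo: constructed disk image and boot tree; prints "0 1" (clean, then tampered)
demo() {
    work=$(mktemp -d)
    dd if=/dev/zero of="$work/disk.img" bs=512 count=4 2>/dev/null
    printf 'constructed boot code' | dd of="$work/disk.img" conv=notrunc 2>/dev/null
    mkdir -p "$work/boot/grub"
    printf 'constructed kernel\n' > "$work/boot/vmlinuz"
    printf 'constructed initrd\n' > "$work/boot/initrd.img"
    printf 'constructed grub.cfg\n' > "$work/boot/grub/grub.cfg"
    snapshot "$work/disk.img" "$work/boot" "$work/manifest"
    if verify "$work/disk.img" "$work/boot" "$work/manifest" >/dev/null; then clean=0; else clean=1; fi
    # simulate the changed initrd from the thread: append a single byte
    printf 'x' >> "$work/boot/initrd.img"
    if verify "$work/disk.img" "$work/boot" "$work/manifest" >/dev/null; then bad=0; else bad=1; fi
    rm -rf "$work"
    echo "$clean $bad"
}

demo
```

The diff output of verify() names the changed entry, so a modified initrd, kernel, grub.cfg or boot sector is reported directly rather than as a bare failure.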