linux-kernel.vger.kernel.org archive mirror
From: Bill Davidsen <davidsen@tmr.com>
To: Nico Augustijn <kernel@janestarz.com>
Cc: Jan Engelhardt <jengelh@linux01.gwdg.de>,
	hvr@gnu.org, clemens@endorphin.org, linux-kernel@vger.kernel.org
Subject: Re: Cryptoloop patch for builtin default passphrase
Date: Wed, 27 Oct 2004 16:01:06 -0400
Message-ID: <417FFE82.4060305@tmr.com>
In-Reply-To: <9550.212.241.49.39.1098883651.squirrel@webmail.xs4all.nl>

Nico Augustijn wrote:
> On Tue, Oct 26, 2004 at 08:17:53AM +0200, Jan Engelhardt wrote:
> 
>>>This here patch will make the kernel use a default passphrase (compiled into
>>>the kernel or cryptoloop.ko module) when you set up a cryptoloop device with:
> 
>>Suppose I break in via ssh:
>>I could load the module (if applicable), and find the address of the
>>function or variable in System.map, extract the static passphrase, and
>>well. Then?
> 
> 
> Ahem.
> The point you are making is rather moot. Because if you manage to get a
> shell on the system, the data can readily be copied because the encrypted
> filesystem is supposed to be mounted.
> Unless I miss your point.
> 
> And once you are in the system there are easier ways to obtain the
> passphrase than the one you described above. As I clearly stated earlier,
> it is merely more difficult to obtain the encrypted data. It is _not_
> impossible. It took me approximately 4 hours to break into the system
> myself. I bet there's people around who can do it in less than 1 hour.
> 
> Some of you might then ask: "What's the point of it then anyway?"
> Well, I am probably capable of creating a much better solution with almost
> unbreakable encryption. My boss just won't allow me the time for this.
> This patch took me about a day to write. It's the best I could come up
> with in such a short time.

And this provides another level of protection, which makes it useful. It
stops the casual thief who steals your laptop, and that's the most
likely exposure. If you expect your system to be secure against
government agencies or serious industrial espionage, this is pretty much
worthless, better crypto would be needed, encrypted swap, etc.

-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me
