
Thread: sec theory

  1. #11
    Senior Member. Join Date: Apr 2004. Posts: 1,130
    i got your idea, pooh. but how do you protect bios from being "accessible"? i can only see it like on those HSM (hardware security module) where a program is constantly monitoring "physical attacks". if you try to open the "shell", all content will be destroyed. but it's not what we want, is it? :lol:

    maybe if there is a SECOND processor, that has that logic built in INSIDE the CPU (like some mainframe, where there is a service processor) that will enable the "commercial cpu" only if you pass thru it --- a hardware firewall?

    i can't see how to do that on the SAME cpu.... it's like an ATM machine, easy to break
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  2. #12
    See that's what I'm saying.

    How would you access the BIOS if the ability to view the configuration is removed? How could you access the BIOS if all input except that one scanner is removed from BIOS?

    There isn't enough functionality to access the BIOS with, is what I'm saying. Similar to me saying "How are you supposed to access the VCR inside of that house, if I've removed the doors, windows, and the entire house is made out of stone? (top, bottom, and sides)."

    It isn't about security, it's about functionality. If you don't code something in, there is a loss of functionality. If that BIOS has no possible way to change configuration or for someone to send input to it, then there isn't a way to access it without completely reflashing it. Similar to writing a network protocol that -only- has source code to accept incoming but never send outgoing.

    It doesn't matter how much you scream at the network, that source code simply doesn't have the functionality for you to tell it to go out rather than in.


    So, it isn't about securing the BIOS. It's about removing what isn't needed, and with that the functionality to change it.


    edit: I can only think of one more example to clear up what I'm talking about here. I used to program with some friends of mine a MUD (multi user dungeon, a text based online RPG), and we had a problem with people exploiting the Rent. People, normally, could go to the Inn and 'rent' a room which would save their equipment and gold. However, someone found a way to store unlimited amounts of gold and equipment in there rather than the preset amount we defined.

    There were many ways we could solve it, but one of the solutions was to simply remove the ability to store equipment from the Inn. We didn't do that of course, but that's what I'm trying to say here. Sometimes the only way to make people follow rules isn't to write up a set of Laws (or in computer terms, protocols), it's to completely remove instances that would allow it to even occur. We could remove the ability for people to store equipment from the inn, and no one could exploit the storage anymore. We could remove the ability for people to be able to interact with the BIOS (meaning no keyboard input, no mouse input, only that one scanner while BIOS boots), and no one could exploit the BIOS anymore.

    This is of course in theory, and I'm glad you are bringing this up. Good conversation.

  3. #13
    Senior Member. Join Date: Sep 2004. Posts: 117
    i liked the idea of cacosapo; it is different, and kewl... got most of my attention

    i think keeping the functionality is really important
    will be thinking a bit, then post my comments

    enjoying the conv, really deep, did not expect it would be that deep....

  4. #14
    Senior Member. Join Date: Apr 2004. Posts: 1,130
    Originally posted here by pooh sun tzu:
    See that's what I'm saying.

    Similar to me saying "How are you supposed to access the VCR inside of that house, if I've removed the doors, windows, and the entire house is made out of stone? (top, bottom, and sides)."
    ok, if you're talking about "logical security" it will work. but if i lock up the box, why not do that thru O.S.? you can't get access to hard disk anyway... see my point? if you harden the box enough, you don't have concerns about o.s. security. but if i can break the hardware (i can hammer your stone walls and enter, and fix the hole before i leave) i can do what i want - including access the bios chip -

  5. #15
    ok, if you're talking about "logical security" it will work. but if i lock up the box, why not do that thru O.S.? you can't get access to hard disk anyway... see my point? if you harden the box enough, you don't have concerns about o.s. security. but if i can break the hardware (i can hammer your stone walls and enter, and fix the hole before i leave) i can do what i want - including access the bios chip -
    I don't see what good that does for you. The box is locked up in a room (room security is another matter), but obviously one you can't get to. The BIOS is still out of your reach, and the OS -and- hardware is still secure because of protocol rewriting and limitation coding.

    Now you've blown and ruined your own point by pulling the "nothing is secure" argument. Of course you could hammer down the walls, but that just isn't going to happen because of practicality reasons. Are you seriously suggesting that you would just pound through the concrete walls into the server? With a hard drive that is still 4000+ encrypted? No security is ever 100% safe, but you can make it hard enough to not be worth the trouble.

    So... back at square one. How would you try to use the BIOS without the features of inputting to crack a system in another room?


  6. #16
    MrLinus, Just a Virtualized Geek. Join Date: Sep 2001. Location: Redondo Beach, CA. Posts: 7,323
    Are you seriously suggesting that you would just pound through the concrete walls into the server? With a hard drive that is still 4000+ encrypted? No security is ever 100% safe, but you can make it hard enough to not be worth the trouble.
    Well apparently all you need is an SUV. Thing is what is worth the trouble to you and your company? If it's worth the trouble to encase it in that manner (which removes some availability issues -- CIA anyone), then it will be worth the trouble for someone to want to break it.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #17
    So, it is confirmed that we are back at the ever pessimistic "nothing is ever secure" step one. :P

    Come on guys. Don't defeat the pursuit of an in-depth CIA based security model with something as haphazard as "we can just bust the walls down".

  8. #18
    MrLinus, Just a Virtualized Geek. Join Date: Sep 2001. Location: Redondo Beach, CA. Posts: 7,323
    Don't defeat the pursuit of an in-depth CIA based security model with something as haphazard as "we can just bust the walls down".
    But I didn't think we were. It's just a matter of thinking outside the box. If we can accept that there is a minute chance of risk (e.g., in reality, how often are ATMs taken out via truck?) and recognize where that risk is, wouldn't that put us further? I think we do need to be realistic in that creation of this needs to be viable and allow for access to the box for hardware upgrades/repairs.

    Also, by simply staying with a single host are we not limiting ourselves? What about a larger system of hosts (given the relatively low cost of machines and other parts) to do this? Perhaps interdependent hosts?

    And I don't know if we've identified who the target audience of this concept is. This is an important factor as it determines realistic limits insofar as cost and usability. While the average Joe could use Linux (and some do -- to a degree) many do not and the inertia required to get them to do so is huge (mostly due to the "I have nothing worthwhile to steal" concept).

    That's a very different attitude compared to business, who does have something worthwhile to steal and will make attempts to protect it (for the most part). So is this for general use or company use? Are we going strictly theoretical (works great in theory but isn't necessarily viable for mass usage outside of specific environments) and fanciful or are we looking at truly viable?

  9. #19
    Senior Member. Join Date: Apr 2004. Posts: 1,130
    Now you've blown and ruined your own point by pulling the "nothing is secure" argument.
    sorry, my argumentation was not in that direction. I'm thinking more about: if you can get your hardware as secure as you "made" it, what is the point of doing all the stuff thru the BIOS?

    if i have secure enough hardware, i can do all you have mentioned on an O.S. base. In fact i don't need to do that, since it's already present on most O.S. nowadays.

  10. #20
    But I didn't think we were. It's just a matter of thinking outside the box. If we can accept that there is a minute chance of risk (e.g., in reality, how often are ATMs taken out via truck?) and recognize where that risk is, wouldn't that put us further? I think we do need to be realistic in that creation of this needs to be viable and allow for access to the box for hardware upgrades/repairs.
    No, that's just it. I acknowledged situations like that and their possibilities. I know people can break down walls and simply steal hardware rather than crack it via software. And?! MsMittens, anyone can say "fsck it, I can break down the wall and get ur server then HARHAR", and the general response would be "Yeah? And? So what else is new?".

    We all already know that such things are possible, and do happen. However, we are -not- talking about room security, guard security, camera protocols, transfer and hardware replacement procedures. Why? Because we are talking about the security of logging into the machine. That's it. I expanded only briefly upon it (in terms of saying it was in a separate unreachable room) so that we wouldn't get to where we are now. The "nuh uh!!! We can still BREk into teh R00m!!111five". Because we all know breaking into the room is an option, but hopefully we all remember we are talking about authentication security for the singular computer and not Management Protocol 1010. I tried to avoid that damn "nothing is secure, everything can happen!" because it's so damn obvious. I was hoping people could catch onto why I said the actual computer was in another room.. so we could move forward onto the actual authentication system in place.

    I'm sad that it didn't happen.

    Also, by simply staying with a single host are we not limiting ourselves? What about a larger system of hosts (given the relatively low cost of machines and other parts) to do this? Perhaps interdependent hosts?
    I agree on that. But, as stated in my very first post, I'm not calculating nor planning for additional machines but for a singular 31337 high level security system. This post was never about just one machine. It was about authentication security, and the post I made was merely my thoughts on a much higher level of security than PGP meets firewall.

    And I don't know if we've identified who the target audience of this concept is. This is an important factor as it determines realistic limits insofar as cost and usability. While the average Joe could use Linux (and some do -- to a degree) many do not and the inertia required to get them to do so is huge (mostly due to the "I have nothing worthwhile to steal" concept).
    That's just it though. We don't -need- to determine the target audience, because it won't matter. Security is security, and code has been written for both singular systems and high level systems. As I said above: This post was never about just one machine. It was about authentication security, and the post I made was merely my thoughts on a much higher level of security than PGP meets firewall. Not every post has to be something to teach someone else. And I'm sure most of us saw this post (mind you, he wanted it to be a competition) as a place to discuss ideas on a broad spectrum rather than be limited by the typical conversation we see each and every day on this forum: the singular user on windows/linux that maybe only needs to hide their email every so often.

    Are we going strictly theoretical (works great in theory but isn't necessarily viable for mass usage outside of specific environments) and fanciful or are we looking at truly viable?
    Both. I am going for theoretical on a singular high level system (example: CIA database or NSA primary SAT coordinator server) and thus it requires a lot of speculation and theory. If others want to expand more on singular systems for normal home users, then I don't see why they can't do that as well. This thread, at least in my eyes, was meant for the discussion of authentication as a whole rather than trying to single it down to one system and thus everyone reach the exact same conclusion as everyone else has before on this forum. So, welcome both theoretical and viable solutions, but let's not shut down one or the other just yet so we can change the subject to the thread killing "nothing is secure!!11"
