Date: Tue, 4 Jul 2000 13:27:21 +0300 From: Alex Popa <razor@ldc.ro> To: Dan O'Connor <dan@mostgraveconcern.com> Cc: freebsd-security@freebsd.org, freebsd-stable@freebsd.org Subject: Re: securing the boot process (again?!?) Message-ID: <20000704132721.A13263@ldc.ro> In-Reply-To: <0d8b01bfe56a$0c01c580$0200000a@danco>; from dan@mostgraveconcern.com on Mon, Jul 03, 2000 at 08:43:38PM -0700 References: <0d8b01bfe56a$0c01c580$0200000a@danco>
next in thread | previous in thread | raw e-mail | index | archive | help
On Mon, Jul 03, 2000 at 08:43:38PM -0700, Dan O'Connor wrote: > >> Doesn't your computer have a BIOS password? These are typically invoked > >> *before* the BIOS tries to boot off any disk... > > > >Unfortunately BIOS passwords can be disabled on the motherboard in a matter > >of minutes (for most motherboards that I know of). Even Dell laptops > (don't > >know about their desktops/servers) have a master password that Dell will > give > >you if you call them, provided you give them some details first. > > Looks like there's not really much you can do if you can't physically secure > the machine. > > Even all the other tricks, boot only from hard drive, setting the delay to > '0', are pointless if someone can get inside the hardware case, change > jumpers, get into the BIOS and turn on boot from floppy and then boot from a > floppy. On the other hand, if someone has the opportunity to do all that, > they might as well just steal the whole box... > > Moral of the story: either secure the machine in a location where malicious > users can't get to it or take the consequences. > Okay, my mistake: by "public access machine" I meant users have access to the fromt panel of the PC (so they can use the floppy drive) and a keyboard and monitor, but *NOT* the inside of the case (the case is sort of buried in a wall). And the problem I had was (apart from booting an evil kernel installed on /tmp) that by setting the floppy drive to "none" in the BIOS the kernel (4.0-STABLE) canot use floppies after booting. I do have a BIOS password, and of what I've heard there is no other way of bypassing it except for the jumpers on the motherboard (impossible, see above). ------------+------------------------------------------ Alex Popa, |There never was a good war or a bad peace razor@ldc.ro| -- B. Franklin ------------+------------------------------------------ "It took the computing power of three C-64s to fly to the Moon. It takes a 486 to run Windows 95. Something is wrong here." To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20000704132721.A13263>