Skip site navigation (1)Skip section navigation (2)
Date:      Tue, 4 Jul 2000 06:48:12 -0400 
From:      Troy Arie Cobb <tcobb@staff.circle.net>
To:        'Alex Popa' <razor@ldc.ro>, Dan O'Connor <dan@mostgraveconcern.com>
Cc:        freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Subject:   RE: securing the boot process (again?!?)
Message-ID:  <AE4A7B7EB10DD4118CBD0050DA196F4F0BE610@FRIGGA>

next in thread | raw e-mail | index | archive | help
There are small locks you can buy which fit into a floppy drive
and secure it with a key.  If your users don't need to put floppies
in on a regular basis (but perhaps YOU do occasionally), then
this can be a good choice to avoid booting the evil-floppy-kernel.


-Troy Cobb
 Circle Net, Inc.
 http://www.circle.net
 1-800-321-2237 x308

>   -----Original Message-----
>   From: Alex Popa [mailto:razor@ldc.ro]
>   Sent: Tuesday, July 04, 2000 6:27 AM
>   To: Dan O'Connor
>   Cc: freebsd-security@freebsd.org; freebsd-stable@freebsd.org
>   Subject: Re: securing the boot process (again?!?)
>   
>   
>   On Mon, Jul 03, 2000 at 08:43:38PM -0700, Dan O'Connor wrote:
>   > >> Doesn't your computer have a BIOS password? These are 
>   typically invoked
>   > >> *before* the BIOS tries to boot off any disk...
>   > >
>   > >Unfortunately BIOS passwords can be disabled on the 
>   motherboard in a matter
>   > >of minutes (for most motherboards that I know of).  Even 
>   Dell laptops
>   > (don't
>   > >know about their desktops/servers) have a master 
>   password that Dell will
>   > give
>   > >you if you call them, provided you give them some details first.
>   > 
>   > Looks like there's not really much you can do if you 
>   can't physically secure
>   > the machine.
>   > 
>   > Even all the other tricks, boot only from hard drive, 
>   setting the delay to
>   > '0', are pointless if someone can get inside the hardware 
>   case, change
>   > jumpers, get into the BIOS and turn on boot from floppy 
>   and then boot from a
>   > floppy. On the other hand, if someone has the opportunity 
>   to do all that,
>   > they might as well just steal the whole box...
>   > 
>   > Moral of the story: either secure the machine in a 
>   location where malicious
>   > users can't get to it or take the consequences.
>   > 
>   Okay, my mistake: by "public access machine" I meant users 
>   have access
>   to the fromt panel of the PC (so they can use the floppy 
>   drive) and a
>   keyboard and monitor, but *NOT* the inside of the case (the case is
>   sort of buried in a wall).  And the problem I had was 
>   (apart from booting
>   an evil kernel installed on /tmp) that by setting the 
>   floppy drive to
>   "none" in the BIOS the kernel (4.0-STABLE) canot use floppies after
>   booting.
>   
>   I do have a BIOS password, and of what I've heard there is no other
>   way of bypassing it except for the jumpers on the motherboard
>   (impossible, see above).
>   
>   ------------+------------------------------------------
>   Alex Popa,  |There never was a good war or a bad peace
>   razor@ldc.ro|                   -- B. Franklin
>   ------------+------------------------------------------
>   "It took the computing power of three C-64s to fly to the Moon.
>   It takes a 486 to run Windows 95. Something is wrong here."
>   
>   
>   To Unsubscribe: send mail to majordomo@FreeBSD.org
>   with "unsubscribe freebsd-stable" in the body of the message
>   


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message




Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?AE4A7B7EB10DD4118CBD0050DA196F4F0BE610>