Just How Paranoid Are You? 931
An anonymous reader writes "We all understand the need for security in a corporate environment. Personal computers, however, typically don't have nearly the amount of sensitive information (or it's at least less damaging if found). How far do you go to protect your computer? I recently went overboard on securing my information (at least as secure as Windows XP can be). I have a hardware firewall (GTA GB500), 30 character password, and all remotely personal information stored on a 256bit AES encrypted volume. How far do you go to protect your information against 'Big Brother' or even your family/friends?"
Security against 'Big Brother' is a myth (Score:5, Insightful)
S
Re:Esay easy easy (Score:4, Insightful)
How about unpublished exploits? All those take care of too?
Lock grandma in the closet! (Score:5, Insightful)
Re:Physical access! (Score:0, Insightful)
He wouldn't, just told me it would be fine, it's nothing to worry about.
That leads me to poke around with a pair of tweezers up my nose - you know, it's really surprising how much space you have back there if you really concentrate while you're prodding about, to see what is where.
After a couple of attempts I latched onto something that didn't give any feedback of belonging to me - I couldn't feel the tweezing, and it didn't hurt. Giving it a tug I felt a *big* pressure change in my sinus, and pulled slowly. Out came what has to be the filthiest thing from my head. Two and a half inches long, dark green/brown and stained with a little blood on the end, it was close to the consistency of a pencil eraser in parts, moving to the consistency of jello at one end.
Then came the draining. Gack. What looked like 2 tablespoons of pus ran from my nose, which honestly made me feel physically ill. I like squeezing a zit as much as the next person, but this was just a bit much.
Anyway, after an hour I felt awesome. no more pressure on the side of my face, and I swear my eyes focus a little better than they did before. I took the gel-lump into my doctor, told him what it was, how it happened, how it had fixed all the sinus pressure I'd been having.
He didn't think that was the problem.
Go figure. My situation wasn't problematic. I wasn't in pain, I didn't have any long term damage to my health, but still a doctor when presented with symptoms and requests from a patient and ignores them, even when the final cause is discovered isn't someone to keep around, so I changed docs and told him why. Give each doc a good go at solving a problem, but if they insist on sticking on a point that really doesn't feel right, do change.
doctors? lawyers? (Score:5, Insightful)
What about doctors? Lawyers? Accountants? Schools? Bookstores? etc.
If you've been paying attention to the news you'll know that every so often somebody buys a used computer disk and finds the results of STD tests (including AIDS) for tens of thousands of people. Or the name, address and credit card information for thousands of customers.
The loss of this information may not cause the DJIA to drop 10%, but it can be devastating to the people involved. But security is often lax since it's "only" a PC and it never occurs to these people that their computers may be stolen precisely because of the confidential information on the disk.
Even home users can face a difficult situation if they take their work home. They have a duty to protect that information... then they work on those files on virus-ridden systems. Today's viruses seem to focus on spam and stealing credit card numbers, but it's not hard to imagine more sophisticated attackers looking for other information.
Re:Physical access! (Score:5, Insightful)
This may be modded as funny, but is actually quite interesting. I know of a number (at least I know they used to) of sysadmins whose offsite backup was at home. This included some organizations with fairly substantial interests in limiting the access to their information. It should be company policy to properly pay for and establish a secure off site location for backups that are not in insecure locations like peoples homes. This should include any company that backs up information related to personnel information like SS#'s and such. For lots of companies or research institutions with just research info that is not sensitive, backups at home can be wholy appropriate.
Keyloggers (Score:3, Insightful)
Call me ignorant but wouldn't one simple phishing/keylogging software to get your password and its all for nothing?
You would have to get the software on your machine first, but there are loads of way it could be done (even on linux and especially if its hooked up to the Internet) but its well worth the trouble for a person.
Precautions have to fit threats (Score:3, Insightful)
Who are the threats? {family, boss, cybercrooks, burglars, fire}
What is the threat? Discovery, use or loss?
What is the cheapest/easiest precaution?
Multiple user accounts, removeable media, doorlocks, backups and selective crypto are all I bother with.
Re:Big Brother... (Score:4, Insightful)
Note that this does not mean make your data as humanly secure as possible. If it takes six months of brute force time to break my encryption, I don't mind. I don't have anything that is worth the trouble. So I'm not going to create hurdles for myself by securing it further.
If you have more valuable data, then make it as much harder to get to it. Going overboard will not gain you anything, other than a hassle.
Yes, big brother can storm my house, and torture the information out of me. But it's not worth their trouble. It perhaps would be worth it if I had no security measures and conducted all my Internet transactions in plain text. So I just use a few simple measures to make sure it's not that easy.
Re:Physical access! (Score:5, Insightful)
Right-click on the network icon in the system tray then select "Disable". Seems easier to me than having to bring up a console, enter 25 characters, and hit return.
I'm no Microsoft fan but come on, ya gotta pick your battles a little better than this.
BBC's "Micro Live" TV series (Score:5, Insightful)
Of course, that's not the only blunder. A cracker under the name "The Cheshire Catalyst" broke into a network service they were demonstrating, and started piping songs onto the computer screen in the TV studio.
These security breaches got the kind of publicity few crackers could ever hope to achieve today. A live television audience of maybe 7-8 million, and next to zero chance that the camera is going to pull away?
One important lesson I learned, over these incidents, is that security is rarely accidental. Nor is it something you can consider seperately from the rest of the design. Designing something to be consistant and uniform means that errors will stick out like a sore thumb. In terms of security, or reliability, elegence is everything.
Exactly why I don't post AC (Score:4, Insightful)
There is no saftey in anonymity, only mediocrity. People are always looking to see who hides behind the mask even as they step over the unwashed masses.
Re:Physical access! (Score:3, Insightful)
We were developing a backup plan that involved cross-backups between the two buildings where this particular part of the company was housed. What were the odds, we figured, of something bad happening to both buildings at the same time?
On 9/11, watching the smoke from the Pentagon, we reconsidered that position.
Re:Physical access! (Score:4, Insightful)
You right click on the connection's system tray icon and click disable.
OK, now perform that action in a shell script.
/smartass
Re:My security system (Score:5, Insightful)
Who says any of the rest of this information is not easy to determine?
lets see:
Apache is kept reasonably up to date.
FWReport is a report generator. Not directly exploitable. All it does is send me reports, and I wrote it and released it open source (as advertised on the web site), so you would expect me to be running it, right? I am sure you would expect Theo to be running OpenBSD too, right?
Qmail.... When was the last time there was an exploit in Qmail?
Look.... If you use Netcraft, you can see I am using Apache. Not saying so does not mean people can't find out. If you use Netcraft, you can even see I am running Linux.
Hmmm.... and if you check port 110, it is open and you can look up the welcome message to see I am in fact running Qmail. So I have saved you, what? 10 minutes online with Google and Netcraft by telling you this information? How hard is it to determine this information? How hard is it to obscure this information?
In essence, nothing I said is anything I could keep secret anyway from an attacker who would even do light recon.
Now.... Beyond the basics (here is where I won't tell you details but can tell you principles and design ideas):
1) If a program fails and is compromised, that should provide as little access to anything else as possible.
2) If I have to require passwords on one remotely accessible resource, these passwords should not be reusable on another group of such resources.
It is all about defence in depth and providing as many obstacles as possible to cause damage to me and my business, and containing the damage so that we can gracefully recover with a minimum of downtime. I won't share details. But I think we can all agree on the goals (these goals have been discussed in other whitepapers I have written, so again, this is public information).
Re:Firey death to the intruders! (Score:5, Insightful)
Common sense please (Score:1, Insightful)
Secondly, most of us are probably so insignificant as individuals that the odds of 'big brother' even being interested in any of us individually is non-existent (except in delusions of self-importance which do nothing more than attempt to compensate for feelings of inadequecy).
Thirdly, all this does not mean you shouldn't use tools to protect your privacy. Over the past few years, the threat to privacy and data theft has become real--the enemy is identity theives, nosy peers, business competitors, etc.
Re:Physical access! (Score:4, Insightful)
Seriously, some people are very impressed by CLIs. Especially green ones. Try "cat
Re:Firey death to the intruders! (Score:2, Insightful)
Unless they're one of the many people who happen to know how to reset your CMOS settings...
ND
Re:Physical access! (Score:2, Insightful)
Under those circumstances, I very much want my encryption easily broken.
At some level of difficulty it becomes easier for such organizations to break kneecaps to get the password than it is to use computers to do it.
I like the old "obsolete" DES, since anyone with the resources to break it also has the resources to torture me to get the keys if they couldn't.
Re:I'm not paranoid enough.... (Score:3, Insightful)
Re:Physical access! (Score:3, Insightful)
Re:OpenBSD server (Score:2, Insightful)
Re:Physical access! (Score:2, Insightful)
Also wipe the data if anyone breaks in. Easy enough to do with a standard security system, if you already have the electromagnet in place. In fact, you might want to forget the switch under your see, and just attach it to your door.
This way, you have less chance of them successfully arguing you tampered with evidence after you heard the police knock down your door. You didn't do anything. Be sure to not even stand up without the police asking you to.
This is better than a password. They can compel you to give up a password by going to court. They could, even more easier legally, compel you to turn off the electromagnet, but won't actually have time to get a court order.
(Nothing is stopping you from having a switch to turn the system on in the first place, and flipping that when the police break in (So you don't sit in eternal danger of losing all your data if something screws up.), as long as you are willing to lie and claim it was already on when they came in.)
Re:Physical access! (Score:2, Insightful)
BIOS password - Sign of an imbecile (Score:3, Insightful)
Re:Paranoid?? used to be. (Score:1, Insightful)
Incidentally, I wouldn't have just worn gloves. You can leave a lot of other material lying around besides fingerprints (hair follicles and the like). Remember, your body is constantly shedding material (you'd be amazed at what falls between the cracks in my keyboard).
Re:Firey death to the intruders! (Score:3, Insightful)
That's what the encrypted filesystem is there for; then you also have to acquire the key.
Other possibility is the ATA password, supported by more modern disks.
You can also query the SMART registers in the disk, and check the power-on counter; if there was a discrepancy, a disk powered up without you knowing about it, check why.
Yet another option is welding the case shut. Won't stop the adversary, but will make tampering obvious and slows him down. You can also use sealing wax instead, if you want more service-friendly option, but a determined adversary will make a negative of the seal from the epoxy and then reseal it again.
I just want to demonstrate that unless your data is with you (USB) or in an isp datacenter, your so-called friends can play havoc.
An USB dongle may get lost or stolen (even easier than a stationary desktop machine). An ISP colocation may be entered by anyone posing as a serviceman, if their security is sufficiently lax (which it way too often is); social engineering is a king here.
Re:Firey death to the intruders! (Score:3, Insightful)
Locks on cases are not very useful. The metal that the case is made of is not adequate. The lock is so much stronger than the case, the lock will break the case.
This is like the apartment that had the reinforced steel door. The thieves cut a hole in the drywall 32 inches over with a utility knife and got everything they wanted. Yes, many if not most apartments are this insecure. (The really good ones have 1/4 or 1/2 inch plywood below the drywall in the halls. Not much better.)
End result is physical security must be adequate: if you can touch the box, you can get access.
On another note, the case is usually OFF my box, and was ALWAYS off at school (Steam heat is WONDERFUL!). The lock went to a cable so the box wouldn't walk. This is an example of apparent security. The item was secured against casual theft, nothing else.
Phil
Re:I'm not paranoid enough.... (Score:3, Insightful)
There isn't anything that I wouldn't want her to see in there, either. It's the principle of the thing. Relationships are based on trust, and when someone is reading your personal correspondence behind your back, trust is lacking.
I'm a pretty laid back guy, but I don't play games with my privacy.
Re:Careful with swap and temp files (Score:3, Insightful)