Security-related questions

Larry Hartman larryhartman50 at vzavenue.net
Sat Apr 26 01:21:56 UTC 2008


On Friday 25 April 2008 07:00:39 am Derek Broughton wrote:
> Nils Kassube wrote:
> > Larry Hartman wrote:
> >> Is it possible to create two user accounts, one that shows up in the
> >> KDM/GDM logon display with restricted accesses, and another that is
> >> invisible to KDM/GDM with more accesses?
> >
> > At least for KDM the user isn't visible if the user ID is below 1000.
>
> And you can specifically exclude users from the KDM login chooser - I
> suspect, but don't know, that such users could still be used to login if
> you actually used a valid username/password.
>
> >> In the same vein, pertaining to these two accounts, is it possible to
> >> restrict visibility to certain directories from the restricted
> >> account
> >
> > This can be done with the usual file / directory permissions. However you
> > can't hide essential directories like /usr/bin etc.
>
> Again, you can _hide_ all sorts of things in konqueror (using .directory
> files, iirc - I've deleted the ones kubuntu installs by default, so I'm not
> certain) - but it's just "security through obscurity".
>
> >> to hide directories and files from view, even the "hidden"
> >> options in the various file managers--so that only when logging into
> >> the user account with more access do they become visible?
> >
> > The hidden attribute is only a sort of interpretation of file names
> > starting with "." by the file managers or other programs. If there is no
> > global configuration override, you probably can't make "hidden" files
> > invisible. And in a terminal you can definitely see the files with the
> > appropriate commands (e.g. "ls -A").
>
> Yeah, that's the same situation as the .directory files.
>
> What you can actually get even the slightest look at, in any unix-based
> filesystem, is determined by the "x" (traverse) permission on a directory.
>
> So if you want to hide, say, /sbin from ordinary users, you remove the "x"
> permission from world, and make special users part of a group that does
> have "x" permission.  It gets complicated ... :-)
>
> >> I am curious because I read a trial brief this week concerning a laptop
> >> that was inspected by border control agents through actually turning it
> >> on.
> >
> > If you want to hide something from border control agents, it is probably
> > better to not have sensitive data on the machine.
>
> That's really your only option.  If you try to _hide_ data from US border
> control, I believe you're now committing a crime.
>
> At least one legal office is now sending its lawyers across the Canada-US
> border with clean laptops - they download everything they need from
> the 'net.  It's scary to imagine that it's now more secure to save your data
> on the Internet than on a well protected laptop (or that the people we most
> have to protect ourselves from, are the people we expect to protect us).
>
> > I read something the
> > other day, that a laptop hard disk was cloned at border control. You
> > can't really hide an account because the user name has to be listed
> > in /etc/passwd. Maybe you want to read a bit about truecrypt at
> > <http://www.truecrypt.org>, but I can't tell you how safe that would be
> > at border control.
>
> Failing to deliver the decryption key could be a violation of the PATRIOT
> act.
> --
> derek

I'm not looking at violating laws, but do wish to understand the technical 
aspects of this scenario.  Here is my recap of what was suggested so far--and 
I thank folks for responses, I am getting educated.

1.  External hard drives are one solution, until all your personal effects are 
searched....this would require another traveler to hold the drive during the 
travel.  Shipping the drive would entail a loss of accountability because the 
package could get searched along the way.

2.  If the hard drive is cloned, then how good are the capabilities to examine 
it at most security checkpoints?  Do most security checkpoints even have 
capability to clone?  If the equipment is confiscated, then the loss is as 
total as having the data read by unwanted eyes.

3.  Despite what these lawyers are doing, I do not trust the internet as a 
viable option for secure storage.  If it is on the net, it is available for 
all to hack and see.

4.  Someone above mentioned that even if the user account were not visible in 
the display manager, the username had to be listed in /etc/passwd...which 
would be a giveaway to investigators that something is up.

5.  Any overt encryption would also be a dead giveaway.

6.  Perhaps my question would be rephrased to, "how to hide data in such a 
transparent way so as to not arouse suspicions that would cause further 
investigation?"


Good discussion.

Larry
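
Added example, not part of the original thread: the directory "x" (traverse) rule from the quoted reply above, written as a Python audit helper that reports which directory on a path stops a given account. It models plain mode bits only (no ACLs); the function names, the temporary layout and the uid/gid values are constructed for illustration.

```python
import os
import stat
import tempfile

def may_traverse(mode, owner_uid, owner_gid, uid, gids):
    """Apply the kernel's class selection to a directory's "x" bit.

    Exactly one class is consulted: owner, else group, else other.
    Plain mode bits only; POSIX ACLs and capabilities are not modelled.
    """
    if uid == 0:                      # root bypasses directory search checks
        return True
    if uid == owner_uid:              # owner class wins even if it has less access
        return bool(mode & stat.S_IXUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)

def blocking_component(path, uid, gids, root="/"):
    """Return the first directory from root down to path that uid cannot
    traverse, or None if every directory on the way is searchable."""
    root = os.path.realpath(root)
    rel = os.path.relpath(os.path.realpath(path), root)
    parts = [] if rel == "." else rel.split(os.sep)
    current = root
    for part in [None] + parts:       # None stands for root itself
        if part is not None:
            current = os.path.join(current, part)
        st = os.stat(current)
        if stat.S_ISDIR(st.st_mode) and not may_traverse(
                st.st_mode, st.st_uid, st.st_gid, uid, gids):
            return current
    return None

def demo():
    """Constructed layout: base/private is 0750, base/private/notes is 0755."""
    base = os.path.realpath(tempfile.mkdtemp())
    os.chmod(base, 0o755)
    private = os.path.join(base, "private")
    notes = os.path.join(private, "notes")
    os.makedirs(notes)
    os.chmod(notes, 0o755)
    os.chmod(private, 0o750)          # no "x" for world, "x" for the group
    st = os.stat(private)
    member = (st.st_uid + 1, {st.st_gid})        # hypothetical group member
    outsider = (st.st_uid + 1, {st.st_gid + 1})  # hypothetical non-member
    return base, private, notes, member, outsider
```

The world-readable `notes` directory is still unreachable for the non-member, because the check fails one level up at `private`.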



