bilwalsh at swbell.net
Sat Apr 26 03:12:03 BST 2008
Larry Hartman wrote:
> On Friday 25 April 2008 07:00:39 am Derek Broughton wrote:
>> Nils Kassube wrote:
>>> Larry Hartman wrote:
>>>> Is it possible to create two user accounts, one that shows up in the
>>>> KDM/GDM logon display with restricted accesses, and another that is
>>>> invisible to KDM/GDM with more accesses?
>>> At least for KDM the user isn't visible if the user ID is below 1000.
>> And you can specifically exclude users from the KDM login chooser - I
>> suspect, but don't know, that such users could still be used to login if
>> you actually used a valid username/password.
>>>> In the same vein, pertaining to these two accounts, is it possible to
>>>> restrict visibility to certain directories from the restricted
>>> This can be done with the usual file / directory permissions. However you
>>> can't hide essential directories like /usr/bin etc.
>> Again, you can _hide_ all sorts of things in konqueror (using .directory
>> files, iirc - I've deleted the ones kubuntu installs by default, so I'm not
>> certain) - but it's just "security through obscurity".
>>>> to hide directories and files from view, even the "hidden"
>>>> options in the various file managers--so that only when logging into
>>>> the user account with more access do they become visible?
>>> The hidden attribute is only a sort of interpretation of file names
>>> starting with "." by the file managers or other programs. If there is no
>>> global configuration override, you probably can't make "hidden" files
>>> invisible. And in a terminal you can definitely see the files with the
>>> appropriate commands (e.g. "ls -A").
>> Yeah, that's the same situation as the .directory files.
>> What you can actually get even the slightest look at, in any unix-based
>> filesystem, is determined by the "x" (traverse) permission on a directory.
>> So if you want to hide, say, /sbin from ordinary users, you remove the "x"
>> permission from world, and make special users part of a group that does
>> have "x" permission. It gets complicated ... :-)
>>>> I am curious because I read a trial brief this week concerning a laptop
>>>> that was inspected by border control agents through actually turning it
>>> If you want to hide something from border control agents, it is probably
>>> better to not have sensitive data on the machine.
>> That's really your only option. If you try to _hide_ data from US border
>> control, I believe you're now committing a crime.
>> At least one legal office is now sending it's lawyers across the Canada-US
>> border with clean laptops - they download everything they need from
>> the 'net. It's scary to imagine that its now more secure to save your data
>> on the Internet than on a well protected laptop (or that the people we most
>> have to protect ourselves from, are the people we expect to protect us).
>>> I read something the
>>> other day, that a laptop hard disk was cloned at border control. You
>>> can't really hide an account because the user name has to be listed
>>> in /etc/passwd. Maybe you want to read a bit about truecrypt at
>>> <http://www.truecrypt.org>, but I can't tell you how safe that would be
>>> at border control.
>> Failing to deliver the decryption key could be a violation of the PATRIOT
> I'm not looking at violating laws, but do wish to understand the technical
> aspects of this scenario. Here is my recap of what was suggested so far--and
> I thank folks for responses, I am getting educated.
> 1. External harddrives are one solution, until all your personal affects are
> searched....this would require another traveler to hold the drive during the
> travel. Shipping the drive would entail a loss of accountability because the
> package could get searched along the way.
> 2. If the harddrive is cloned, then how good are the capabilities to examine
> it at most security checkpoints. Do most security checkpoints even have
> capability to clone? If the equipment is confiscated, then the loss is as
> total as having the data read by unwanted eyes.
> 3. Despite what these lawyers are doing, I do not trust the internet as a
> viable option for secure storage. If it is on the net, it is available for
> all to hack and see.
Not to mention the CIA snooping through everything "we" do on the net.
> 4. Someone above mentioned that even if the user account were not visible in
> the display manager, the username had to be listed in /etc/passwd...which
> would be a give away to investigators that something is up.
> 5. Any overt encryption would also be a dead giveaway.
> 6. Perhaps my question would be rephrased to, "how to hide data in such a
> transparent way so as to not arouse suspicions that would cause further
> Good discussion.
The best way is to keep anything you want to "hide" is in the computer
between your ears. I don't "think" they have perfected mind reading yet.
But it is a possibility.
Life is what happens while your busy making other plans.
More information about the kubuntu-users