recovery from stupid error

Farhad Shakiba fshakiba at gmail.com
Thu Jul 14 23:45:52 CDT 2005


On 7/14/05, Judd Pickell <pickell at gmail.com> wrote:

> But the first case makes sense, you wouldn't want someone to sit down
> at your computer, reboot it, and access root. However, you fail to miss
> the most obvious point of your whole scenario. IF someone has managed
> to get that much access without your knowledge, and their intents were
> so malicious as to seek out to access root without your knowledge, a
> password on the root access will not protect you.
> 
> Anyone who can sit down at a computer has all or most of these options
> available to them:
> 1) They can set a boot password at BIOS, preventing you access period
> to your computer.
> 2) They can insert a LiveCD (i.e. Knoppix) and access your entire drive
> at their leisure, and without a root password.
> 3) They can enter a win98 floppy and reformat your HD for the hell of
> it. No password needed.
> 4) If your boot options allow it (which generally these days they do)
> they can throw in an install cd, reinstall Linux/windows/etc and lock
> you out of your system. Again without needing root access.
> 5) They just grab the box, run, and you never see your computer again.
> 

Going with your analogy we might as well forget about putting locks on
our cars and doors since everyone has physical access to our property.

Unfortunately what you fail to see is that security measures in many
cases are meant to "slow down" the malicious action.

I believe the root access through recovery mode could be a problem.
Any feature that gives full administrator access to my computer
within 30 seconds of physical contact & without any external
utilities is a problem. If someone stumbles across my computer at work
when I'm out of the office for a few minutes, they might not have
knoppix in their pocket but all they have to do is poweroff ->
recovery mode.

Just because every security measure can be bypassed doesn't mean we
have to get rid of username/password logins on every computer. I also
don't see this as a wise practice to base the security of a computer
on "assumptions" of what the target audience may or may not know.



More information about the ubuntu-devel mailing list