[FDE] FDE Digest, Vol 9, Issue 4
Albert
caruabertu at gmail.com
Tue Jun 5 02:06:19 MDT 2007
The experience I have with BIOS passwords etc. is positive: it prevents
casual snooping by passers-by spotting a desktop/laptop in an
unattended office,
but not laptop theft!
As for "I think the largest market impact of everyone enabling BIOS
and HD passwords would be a sharp spike in demand for help desk staff
:)", while the tongue-in-cheek is appreciated, the easy workaround is
the usual paper copy in an envelope with the local guard/departmental
secretary etc. to spare users the hassle with the helpdesk, which
also prevents a casual snooper posing as a legitimate user calling a
distant call-centre (these days often in another country) from duping
the helpdesk into revealing the firmware passwords.
Albert J Caruana Dr rer Nat
2007/6/4, fde-request at www.xml-dev.com <fde-request at www.xml-dev.com>:
> Send FDE mailing list submissions to
> fde at www.xml-dev.com
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://www.xml-dev.com/mailman/listinfo/fde
> or, via email, send a message with subject or body 'help' to
> fde-request at www.xml-dev.com
>
> You can reach the person managing the list at
> fde-owner at www.xml-dev.com
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of FDE digest..."
>
>
> Today's Topics:
>
> 1. Re: hard disk p/w protection - secure? (Crispin Cowan)
> 2. Re: hard disk p/w protection - secure? (Allen)
> 3. Re: hard disk p/w protection - secure? (Crispin Cowan)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 03 Jun 2007 14:22:12 -0400
> From: Crispin Cowan <crispin at novell.com>
> Subject: Re: [FDE] hard disk p/w protection - secure?
> To: fde at www.xml-dev.com
> Message-ID: <466306D4.3030400 at novell.com>
> Content-Type: text/plain; charset=windows-1252
>
> Martin Forest wrote:
> >
> > With the correct forensic tools, you can recover all data on the disk,
> > unless the disk is encrypted. It will cost you a few thousand dollars
> > as it is not just as simple as connect the disk to another computer.
> > You basically have to dismantle the disk and use specific equipment to
> > recover the data. The HD protection will probably prevent a normal
> > person from getting the data, but if you have "classified" information
> > on the computer, someone may find it worth spending the money to get
> > to the data.
> >
> > I still like both bios and HD passwords. If everyone set it, the
> > market for stolen laptops would be small(er)?
> >
> Why would that be? I strongly suspect that 99.99% of the market for
> stolen laptops is the hardware and nothing else. A stolen laptop
> probably doesn't even get a cursory glance before it is formatted with a
> new Windows install.
>
> It costs organizations big $$$ when a laptop with sensitive data on it
> is stolen, but that is because they don't know for sure that it has been
> fdisk'd.
>
> Moreover, if everyone used BIOS and HD passwords that would .... hmmm,
> not do much at all:
>
> * No effect on the market for stolen laptops, see above.
> * Nearly no effect on the cost of recovery if sensitive data is on a
> stolen laptop: it just sets a lower bound on the value of the data
> you can disregard. If the value of the data is below the $2K it
> costs to recover the drive, then ignore the incident, otherwise
> proceed with your press release mea culpa
>
> I think the largest market impact of everyone enabling BIOS and HD
> passwords would be a sharp spike in demand for help desk staff :)
>
> Crispin
>
> --
> Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
> Director of Software Engineering http://novell.com
> AppArmor Chat: irc.oftc.net/#apparmor
>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Sun, 03 Jun 2007 21:05:37 -0700
> From: Allen <netsecurity at sound-by-design.com>
> Subject: Re: [FDE] hard disk p/w protection - secure?
> To: fde at www.xml-dev.com
> Message-ID: <46638F91.7000503 at sound-by-design.com>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
>
>
> Crispin Cowan wrote:
> > Martin Forest wrote:
>
> [snip]
>
> >> person from getting the data, but if you have "classified" information
> >> on the computer, someone may find it worth spending the money to get
> >> to the data.
>
> Since the growing wave of data theft is motivated by financial
> gain I suspect that laptops from large companies and government
> agencies will be targets so the data will have potential value.
>
> >> I still like both bios and HD passwords. If everyone set it, the
> >> market for stolen laptops would be small(er)?
>
> Since bios passwords can be defeated easily and it is relatively
> trivial to buy a matching HD to mount the platters in, unless the
> HD password somehow locks the sectors, it is not expensive to
> recover all the data. (This is how a drive is recovered when the
> head mechanism dies and they do not want to risk rubbing the
> oxide off.)
>
> > Why would that be? I strongly suspect that 99.99% of the market for
> > stolen laptops is the hardware and nothing else. A stolen laptop
> > probably doesn't even get a cursory glance before it is formatted with a
> > new Windows install.
>
> I would agree for the average theft; however, there is a long
> history of industrial espionage that we must keep in mind. I
> suspect a market will develop for stolen laptops for their
> content much like there has for credit card numbers, etc.
>
> > It costs organizations big $$$ when a laptop with sensitive data on it
> > is stolen, but that is because they don't know for sure that it has been
> > fdisk'd.
> >
> > Moreover, if everyone used BIOS and HD passwords that would .... hmmm,
> > not do much at all:
> >
> > * No effect on the market for stolen laptops, see above.
> > * Nearly no effect on the cost of recovery if sensitive data is on a
> > stolen laptop: it just sets a lower bound on the value of the data
> > you can disregard. If the value of the data is below the $2K it
> > costs to recover the drive, then ignore the incident, otherwise
> > proceed with your press release mea culpa
>
> Actually there is one market you are forgetting - blackmail. How
> much would megabucks corp pay to keep their name out of the
> papers over embarrassing disclosures?
>
> We are still in the very, very early days of seeing how the
> technology will be exploited for financial gain. Look at how bank
> robberies changed from the 1800s to today. When cars became
> common, crooks moved to them, etc.
>
> > I think the largest market impact of everyone enabling BIOS and HD
> > passwords would be a sharp spike in demand for help desk staff :)
>
> Oh, yessss!
>
> Allen
>
>
> ------------------------------
>
> Message: 3
> Date: Sun, 03 Jun 2007 23:28:50 -0700
> From: Crispin Cowan <crispin at novell.com>
> Subject: Re: [FDE] hard disk p/w protection - secure?
> To: fde at www.xml-dev.com
> Message-ID: <4663B122.7080805 at novell.com>
> Content-Type: text/plain; charset=windows-1252
>
> Allen wrote:
> > Crispin Cowan wrote:
> >
> >> It costs organizations big $$$ when a laptop with sensitive data on it
> >> is stolen, but that is because they don't know for sure that it has been
> >> fdisk'd.
> >>
> >> Moreover, if everyone used BIOS and HD passwords that would .... hmmm,
> >> not do much at all:
> >>
> >> * No effect on the market for stolen laptops, see above.
> >> * Nearly no effect on the cost of recovery if sensitive data is on a
> >> stolen laptop: it just sets a lower bound on the value of the data
> >> you can disregard. If the value of the data is below the $2K it
> >> costs to recover the drive, then ignore the incident, otherwise
> >> proceed with your press release mea culpa
> >>
> > Actually there is one market you are forgetting - blackmail. How
> > much would megabucks corp pay to keep their name out of the
> > papers over embarrassing disclosures?
> >
> Ok ... I considered that to be part of the stolen data cost. So, given
> that BIOS and HD passwords are trivially breakable, one should only
> store secrets on them that are worth less than the $2000 (or less) it
> would take to break the password protection. How is this market different?
>
> Crispin
>
> --
> Crispin Cowan, Ph.D. http://crispincowan.com/~crispin/
> Director of Software Engineering http://novell.com
> AppArmor Chat: irc.oftc.net/#apparmor
>
>
>
> ------------------------------
>
> _______________________________________________
> FDE mailing list
> FDE at www.xml-dev.com
> http://www.xml-dev.com/mailman/listinfo/fde
>
>
> End of FDE Digest, Vol 9, Issue 4
> *********************************
>