Re: Consumer-Mass-Product Grade Laptop (with above average security) [was: Military-Grade Laptop Security for All]
On 3/1/07, rayservers support <support@rayservers.com> wrote:
... All laptop users need privacy and computer security.
on the other end of the spectrum consider: http://www.walmart.com/catalog/product.do?product_id=5622733 -> VIA C7 (w/Padlock RNGx2, AES, SHA, MontMult, NX) Everex StepNote [0] 15.4" Widescreen Laptop (for posterity, $398 refurb. / $468 retail) add a Sony MicroVault USM-H [1] usb fob for your (physical & disk :) key ring for loop-aes pass phrase protected storage with minimal cumbersome-ness... ... of course, getting a nice bsd/linux full disk crypted os provisioned is still annoying in nearly every distribution. in this sense, a rayservers service fee may be quite fiscally responsible given your individual skills with software. :) 0. 12W StepNote 1500 , 5.3lbs http://www.everex.com/products/nc1500/nc1500.htm (note that poor battery specs are due to small 3 cell used, not power consumption of the hardware) 1. USM-H 1.5g / 14.5x 2.7 x 30.0 mm in 256 MB, 512MB, 1GB , 2GB http://www.sony.net/Products/Media/Microvault/usm-h.html 99. 'Software Ciphers Suck!' :P http://archives.neohapsis.com/archives/fulldisclosure/2005-12/0746.html
coderman wrote:
On 3/1/07, rayservers support <support@rayservers.com> wrote:
... All laptop users need privacy and computer security.
on the other end of the spectrum consider:
http://www.walmart.com/catalog/product.do?product_id=5622733 -> VIA C7 (w/Padlock RNGx2, AES, SHA, MontMult, NX) Everex StepNote [0] 15.4" Widescreen Laptop (for posterity, $398 refurb. / $468 retail)
add a Sony MicroVault USM-H [1] usb fob for your (physical & disk :) key ring for loop-aes pass phrase protected storage with minimal cumbersome-ness...
If you are after strong security, you want to ensure, at a minimum, encrypted swap and /tmp as well. After all, it is unlikely the mathematics will be broken by any adversary you are likely to encounter... but such an adversary will likely be able to read clear text on disk that the consumer did not know existed... With a 100% encrypted disk, operating system logs, temp and swap files, etc are not possible avenues for information leakage to a potential attacker. Many people use the free Truecrypt program which implements decent crypto, but then they use insecure Windows which has full access to the decrypted contents while they are in use... any resident malware can then snarf the information and send it away... the text editor and cleartext in memory could be sent to virtual memory or written to Windows temp files, etc. The loop-aes readme describes how to implement encrypted root for those of you who want to do this yourself (and we encourage you to). The cost of the time you will spend putting all the pieces of the puzzle together is likely to exceed the premium you would pay us for a secured notebook. Additionally we offer VPN services that secure your network access as well as secure-out-of-the-box email hosted with SSL mail servers and OpenPGP email where the key is under your control (i.e. security that locks out the email provider). Your local ISP will have no way to determine your surfing habits. We are aware of the cheap VIA notebooks - if any organization wants to order 20 or more based on that hardware we will add it to our line. We are always happy to do custom notebooks based on the your favorite hardware or even your existing notebook. Best regards, Support.
On 3/5/07, rayservers support <support@rayservers.com> wrote:
... If you are after strong security, you want to ensure, at a minimum, encrypted swap and /tmp as well.
agreed. full disk crypto with a tamper resistant pre-boot auth/loader is the only way to go... :)
... The cost of the time you will spend putting all the pieces of the puzzle together is likely to exceed the premium you would pay us for a secured notebook.
absolutely. i did a poor job pointing this out in my original post when i mentioned how much almost every distro out there sucks in the respect. good key management and an easy pre-installed FDE setup (with VMs! and even dual boot, etc!) is hard and well worth the cost of paying someone skilled at such things to do it for you...
We are aware of the cheap VIA notebooks
most of the distro builds of openssl, openssh, entropy daemon (if present), and other tools don't currently take advantage of padlock acceleration. this is one element that would be nice to see more collaboration on implementation (in any camp, bsd, linux, etc) my friend got his nc1500 today from a thurs morning order. it runs ubuntu edgy with a modified kernel and tools (see below) including loop-aes and padlock accel for fde, ipsec, openssl, openssh, openvpn, and entropy daemon for hw_random to /dev/random processing. best regards, the below part: if you'd like to help seed the c5/c7 dev tarball and iso torrents (and same for janusvm dev torrents with some new features to test) send me an email for early seeding of the torrents. thanks!
participants (2)
-
coderman -
rayservers support