Putting the "NSA Data Overwrite Standard" Legend to Death... (fwd)

[David Howe]

at Monday, February 10, 2003 3:20 AM, Jim Choate
<ravage at einstein.ssz.com> was seen to say:
> On Sun, 9 Feb 2003, Sunder wrote:
>> The OS doesn't boot until you type in your passphrase, plug in your
>> USB fob, etc. and allow it to read the key. Like, Duh!  You know,
>> you really ought to stop smoking crack.
> Spin doctor bullshit, you're not addressing the issue which is the
> mounting of an encrypted partition -before- the OS loads (eg lilo,
> which by the way doesn't really 'mount' a partition, encrypted or
> otherwise - it just follows a vector to a boot image that gets dumped
> into ram and the cpu gets a vector to execute it - one would hope it
> was the -intended- OS or fs de-encryption algorithm). What does that
> do? Nothing (unless you're the attacker).
indeed. it usually boots a kernel image with whatever modules are
required to get the main system up and running;

> There are two and only two general applications for such an approach.
> A standard workstation which isn't used unless there is a warm body
> handy. The other being a server which one doesn't want to -reboot-
> without human intervention. Both imply that the physical site is
> -secure-, that is the weakness to all the current software solutions
> along this line.
The solution is only applicable to cold or moderately tamper-proofed
systems, to prevent analysis of such systems if confiscated. It can only
become a serious component in an overall scheme, but this is universally
true - there is no magic shield you can fit to *anything* to solve all
ills; this will add protection against the specified attacks and in fact
already exists for windows (drivecrypt pluspack) - it is just
non-windoze platforms that lack a product in this area.