Increasing Computer Security through Hardware?
Audiostar asks: "I am interested in adding some security to several of my computers, but am unsure as to which product to go with. I would like to use some sort of external security measure, such as a pen drive token or something similar. I had considered custom building a key card and reader to install on all my machines, but once I started thinking about the cost and time of building a card reader for each of my computers it became rather impractical. Does anyone have any suggestions for external locking devices or software? I would prefer something that I could use on both my Windows and Linux machines, but protecting the Windows machines is the top priority. I don't need anything too fancy, just an added layer of protection from the multitude of various people who come in and out of my place of business every day. I own a 128mb flash disk watch, so possibly using that as a token would be both easy and geek chic. Any suggestions on what to install?"
Use a password to log in. And set your screensaver to activate, with a password, after a short amount of time.
No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
Nobody's compromised any of my machines yet!
"BSD: Free as in speech. Linux: Free as in beer. Windows 10: Free as in herpes." --Man On Pink Corner in #52607549.
I don't need anything too fancy, just an added layer of protection from the multitude of various people who come in and out of my place of business every day.
Really fucking big neodymium magnet installed in the door frame of the entrance to your office.
(Shamelessly stolen from Cryptonomicon. I guess Neal Stephenson should have used a bigger magnet.)
Opinions on the Twiddler2 hand-held keyboard?
Don't use the watch. You'll smack it against something, and then you're screwed. Ditto for a generic USB flash drive, unless you're sure it's bulletproof. Get something reliable, or don't get anything. If you want to be sure you're covered, buy three of whatever it is. Keep one handy, one in a fireproof safe/lockbox on the premises, and one at home. If your only hardware key gets hosed, so do you.
Oh, and KISS. You're right; the cardkey isn't practical, and not just because it'd be difficult/expensive to build. It would probably also be something prohibitively difficult to troubleshoot, should you have problems later. Then you have to call a specialist, and hope he's A) cheap and B) can figure out how to solve your custom-built (and therefore, proprietary) hardware problem. You're probably on the right track with small, removable hardware. Just make sure it's also reliable, or it's useless.
My apologies for double posting, but as far as commercial products go, this doesn't seem like a bad solution.... http://www.cyberflex.slb.com/ There is also a Linux SDK, if you want to go down that road......
Fritz is a secure cryptoprocessor that implements the trusted computing scheme on personal computers. It uses public key cryptography for the processes communicating amongst themselves. So it would always be helpful unless the security measure is broken by an exact match compromised Fritz Chip (which would of course need some quantum computing cycles). So we can assume that it cannot be compromised till date. M$ has plans to incorporate Fritz Chip in the next OS, Longhorn.
Senthil
Maybe a good lock for your door? Other than that something that's easy to use, and somewhat less easy to break in case it fails or you lose a key. Who exactly is going to be stealing this data? You could always go out and get one of systems cards that'll fry a hard disk if someone attempts to tamper with it but I think that you're not at that level of data sensitivity. Perhaps nothing more than an encrypted filesystem (easy in windows XP) is needed.
Photos.
Check out the Securikey on ThinkGeek. I'm not sure if someone's written Linux drivers for it, but there's your hardware level -- and it's two-factor.
Matthew G P Coe
http://mgpcoe.blogspot.com/
This hardware encrypted hard drive might be part of what you're looking for.
My Web Page
His complaint is legitimate, even if not for this particular case. "Locking" a Windows or Linux box does nothing for security if someone happens to have a rescue disc handy (well, other than let you possibly know that the machine has rebooted).
May we never see th
i downloaded Float's Mobile Agent and noticed that with the bluetooth connection, there is an option to automatically lock the workstation when your phone is out of (bluetooth) range. i haven't used it myself, but it looks kinda handy - the number of times i have remembered to pick up my mobile, but not lock the workstation.
:)
and if you really want to make your pc hardware secure, have you tried padlocking it to the wall?
Keep the important stuff on an external HDD, and handcuff it to your wrist.
(Note: this is not meant to be a constructive idea)
Information wants to be free.
Entertainment wants to be paid.
You just want to be cheap.
Lock down the bios*, so it only boots from the hard drive. Password protect your lilo.
Yes, you can open the case, and fiddle with the lose bios settings jumper, but one hopes you'd notice when they open the case.
*Many bioses have a backdoor password, make sure yours doesn't, or at the least it's not a common one.
Need a Catering Connection
Audiostar asks: "I am interested in adding some security to several of my computers, but am unsure as to which product to go with...
Er, what sort of security?
A simple bios boot password will prevent the computer-naive from accessing your machine.
GnuPG under Windows and the unix clones will allow you to encrypt/decrypt and digitally sign files.
The unix clones tend to be able to encrypt their entire filesystem by whatever algorithm you want. NTFS claims some sort of filesystem encryption as well, but I'm unfamiliar with the mechanism and thus won't recommend it.
OpenBSD has encrypted swap and tends to be tops on the 'utterly paranoid' scale.
How about you tell us what you are trying to do exactly, and we'll tell you the best solution.
Security is a tradeoff, go too far and you end up being so annoyed with it that you bypass your measures and become less secure. So decide how far you need to go.
I'm not impressed with hardware security, other than keeping important files on the USB keychain at your side. (And even then you need regular backups kept in a good data safe) Do a web search and you can find information on how to fake fingerprints. You can find keyboard loggers, which a well equipped attacker can modify into a more general logger to simulate your hardware device. (though I doubt you are worth that much effort, and encryption can prevent man in the middle attacks like this if you are)
Personally I would build a network, save all my files to a UNIX (openBSD perhaps) box in a secure area, and mount that disk every time I was at the machine, and unmount it when I was done.
Don't forget access control lists. If the user you leave the machine logged in as cannot access files you have one less worry. Windows has pretty good ACLs if you use them.
You didn't tell us -- are you protecting against vandalism (some clown messing
up the settings, deleting stuff, whatever) or against information theft? The
solution will be completely different.
To protect against vandalism, nothing beats nightly offsite backups, nothing.
To protect against information theft, how about storing the information in
question on an external device that you keep on your person? Then when they
go to steal it, it's not there. Hard to beat that.
Cut that out, or I will ship you to Norilsk in a box.
Haha. No, seriously, the concept behind NTFS encryption is great. It keeps keys with login credentials, and they're decrypted with your login password. I forget the algorithm, but it's not some snake oil crap, it's a real, heavy duty encryption thing. Linux could use something like it, it's so amazingly transparent and just works correctly.
The problem, of course, is that administrator has all the keys, and administrator isn't anywhere near protected enough to be allowed that kind of power...a single spyware and all everyone's super secret files are free for the taking.
Basically, NTFS encryption on Windows is about the same concept as asking people their names before they board a plane, but doing a really good check on the name they gave, with absolutely no check to see if that's actually their name. They've bolted working security on a system with completely broken authentication. You can only get 'your own' files, but it's rather easy to be someone else, or even the administrator, so it's really goofy.
If corporations are people, aren't stockholders guilty of slavery?
Abit makes a product that sits between the IDE port on your motherboard and the hard drive. It encrypts all of the data on-the-fly and requires a small dongle to be plugged in externally to work. Combine that with a good case lock, and you should be all set.
Now, if you'd like to admit that your business is being run out of your dorm room, and you only want something "cool" to lock out your buddies in the dorm, then maybe you'd get some better advice.
That is truly +2 insightful. You got me. I want to protect my computer mostly from my annoying RA and frat buddies, not the freelance graphic designers I occasionally employ that aren't monitored constantly while they are working. I can only guess that you are making this assumption based on the fact that my email address on my slashdot profile is a University address, but this stems only from the fact that I have had this /. account since my days in college. I will be sure to change it now to my current address.
It's pretty amazing that someone can ask a simple question and a sarcastic and rude response can get +2 Insightful. Did it get +2 because of the Ctrl+alt+Del comment? Because I actually was already aware of that function, believe it or not. I know that as a college student it could be assumed that certain subtle nuances of computer usage could slip past you in all those hungover mornings from the previous night's sorority function, and you bringing this to my attention has been a great service to me. Flamebait.
If someone has physical access and determination, nothing you do will be 100%..
All you can do is slow them down..
Enabling bios passwords, disabling boot from anything but the HD, storing data on the servers, and good system passwords should be enough to keep out the casuals...
---- Booth was a patriot ----