Security-related questions

Sat Apr 26 02:12:03 UTC 2008

Larry Hartman wrote:
> On Friday 25 April 2008 07:00:39 am Derek Broughton wrote:
>   
>> Nils Kassube wrote:
>>     
>>> Larry Hartman wrote:
>>>       
>>>> Is it possible to create two user accounts, one that shows up in the
>>>> KDM/GDM logon display with restricted accesses, and another that is
>>>> invisible to KDM/GDM with more accesses?
>>>>         
>>> At least for KDM the user isn't visible if the user ID is below 1000.
>>>       
>> And you can specifically exclude users from the KDM login chooser - I
>> suspect, but don't know, that such users could still be used to login if
>> you actually used a valid username/password.
>>
>>     
>>>> In the same vein, pertaining to these two accounts, is it possible to
>>>> restrict visibility to certain directories from the restricted
>>>> account
>>>>         
>>> This can be done with the usual file / directory permissions. However you
>>> can't hide essential directories like /usr/bin etc.
>>>       
>> Again, you can _hide_ all sorts of things in konqueror (using .directory
>> files, iirc - I've deleted the ones kubuntu installs by default, so I'm not
>> certain) - but it's just "security through obscurity".
>>
>>     
>>>> to hide directories and files from view, even the "hidden"
>>>> options in the various file managers--so that only when logging into
>>>> the user account with more access do they become visible?
>>>>         
>>> The hidden attribute is only a sort of interpretation of file names
>>> starting with "." by the file managers or other programs. If there is no
>>> global configuration override, you probably can't make "hidden" files
>>> invisible. And in a terminal you can definitely see the files with the
>>> appropriate commands (e.g. "ls -A").
>>>       
>> Yeah, that's the same situation as the .directory files.
>>
>> What you can actually get even the slightest look at, in any unix-based
>> filesystem, is determined by the "x" (traverse) permission on a directory.
>>
>> So if you want to hide, say, /sbin from ordinary users, you remove the "x"
>> permission from world, and make special users part of a group that does
>> have "x" permission.  It gets complicated ... :-)
>>
>>     
>>>> I am curious because I read a trial brief this week concerning a laptop
>>>> that was inspected by border control agents through actually turning it
>>>> on.
>>>>         
>>> If you want to hide something from border control agents, it is probably
>>> better to not have sensitive data on the machine.
>>>       
>> That's really your only option.  If you try to _hide_ data from US border
>> control, I believe you're now committing a crime.
>>
>> At least one legal office is now sending it's lawyers across the Canada-US
>> border with clean laptops - they download everything they need from
>> the 'net.  It's scary to imagine that its now more secure to save your data
>> on the Internet than on a well protected laptop (or that the people we most
>> have to protect ourselves from, are the people we expect to protect us).
>>
>>     
>>> I read something the
>>> other day, that a laptop hard disk was cloned at border control. You
>>> can't really hide an account because the user name has to be listed
>>> in /etc/passwd. Maybe you want to read a bit about truecrypt at
>>> <http://www.truecrypt.org>, but I can't tell you how safe that would be
>>> at border control.
>>>       
>> Failing to deliver the decryption key could be a violation of the PATRIOT
>> act.
>> --
>> derek
>>     
>
> I'm not looking at violating laws, but do wish to understand the technical 
> aspects of this scenario.  Here is my recap of what was suggested so far--and 
> I thank folks for responses, I am getting educated.
>
> 1.  External harddrives are one solution, until all your personal affects are 
> searched....this would require another traveler to hold the drive during the 
> travel.  Shipping the drive would entail a loss of accountability because the 
> package could get searched along the way.
>
> 2.  If the harddrive is cloned, then how good are the capabilities to examine 
> it at most security checkpoints.  Do most security checkpoints even have 
> capability to clone?  If the equipment is confiscated, then the loss is as 
> total as having the data read by unwanted eyes.
>
> 3.  Despite what these lawyers are doing, I do not trust the internet as a 
> viable option for secure storage.  If it is on the net, it is available for 
> all to hack and see.
>   

Not to mention the CIA snooping through everything "we" do on the net.

> 4.  Someone above mentioned that even if the user account were not visible in 
> the display manager, the username had to be listed in /etc/passwd...which 
> would be a give away to investigators that something is up.
>
> 5.  Any overt encryption would also be a dead giveaway.
>
> 6.  Perhaps my question would be rephrased to, "how to hide data in such a 
> transparent way so as to not arouse suspicions that would cause further 
> investigation?"
>
>
> Good discussion.
>
> Larry
>
>   

The best way is to keep anything you want to "hide" is in the computer 
between your ears. I don't "think" they have perfected mind reading yet. 
But it is a possibility.

-- 
Life is what happens while your busy making other plans.