Re: [rhelv5-list] Protect my stolen disk

Ahmed Kamal

2008-01-18

Wow, you do this to all of your systems :) What kind of business are you in :)
Well, the "CPU s/n as encryption key" sounded good to me ... Looks like an interesting Grub plugin to me

On Jan 18, 2008 11:39 PM, Bill Watson <bill@magicdigits.com> wrote:
Given this is not to require field-serviceable parts, encase it inside a plastic potted brick.
 
Use a security plan that requires that particular CPU s/n to function. Use the CPU s/n as the encryption key.
 
Tie functionality to that device's Ethernet card MAC address.
 
Have phone home technology that if hardware changes, it stops working.
 
Design the system such that some critical small part is required to be downloaded from your website when the system is restarted.
 
Rate limit the transactions such that a computer program prompting it with all possible inputs would take forever to gather all the outputs.
 
Do not use a standard database for your data. Use something stable but obscure. It makes the data files useless without the system programs to read it. I do this on all my systems.
 
Bill Watson
 
 -----Original Message-----
From: rhelv5-list-bounces@redhat.com [mailto:rhelv5-list-bounces@redhat.com] On Behalf Of Ahmed Kamal
Sent: Friday, January 18, 2008 1:05 PM
To: Red Hat Enterprise Linux 5 (Tikanga) discussion mailing-list
Subject: Re: [rhelv5-list] Protect my stolen disk

Thanks for understanding what I need, and not asking why I need it :) Yes, it is very similar to the google box.

So, none of you actually faced a protected box of this kind. The one time I wanted to look inside a box (it was some firewall box from India), I ripped the drive, tried to mount it but couldn't ...
mount said the filesystem was unknown! I kept trying for 15 minutes or so, but didn't have enough motivation to spend money/time on this, so I just gave up. I wanted to replicate that, but I have no idea how it was done.

So, if anyone ever saw a protected box of this sort, and understood how it was done ;) please share your experience

Thanks for all the comments

On Jan 18, 2008 10:48 PM, Paul Krizak <paul.krizak@amd.com> wrote:
If the technology he's developing is comparable in nature to that of a
Google Search Appliance, then I could see how this would be the case.
For example, the internal index may use database schemas (or data) that
should not be accessible to the customer.  Additionally, any PHP/CGI/etc
code loaded on the machine would be good to have hidden from prying eyes
to prevent code theft.

If I were building something akin to a Google Search Appliance, i.e.
something that you bring into an isolated network, plug it in, then
treat it as a "black box" appliance, then I would probably be asking the
same questions he's asking.  However, I doubt even the Googles of the
world go to the extreme of actually encrypting the hard disk just to
protect the data and code.  A well-engineered firewall and system
configuration that prevents access to confidential data and code is
probably enough to keep most casual observers out.  Anybody nefarious
enough to rip the hard disk out of the box to try and get to the data is
probably determined enough to get around any encryption scheme that
would be implemented.

Companies that purchase "black box" servers like this aren't in the
business of stealing code...that's why they buy a "black box", turn it
on, and expect it to "just work".

Paul Krizak                         7171 Southwest Pkwy MS B400.2A
Advanced Micro Devices              Austin, TX  78735
Linux/Unix Systems Engineering      Desk:  (512) 602-8775
Silicon Design Division             Cell:  (512) 791-0686


John Summerfield wrote:
> Ahmed Kamal wrote:
>> oh! No, the hardware is *not* my concern. It's the data! Let me quickly
>> recap. Let's try points this time
>>
>> - The Linux system I build will be on someone else's network (mostly other
>> potentially hostile companies)
>> - The system provides a web interface to a database that users should
>> access & use
>> - The users should not be able to steal/mount the disk, to dump my database
>> or look at my code
>> - I know such setup will never be 100% secure, I just need to make stealing
>> the data as hard as possible
>> Hope that's clear. I apologize if I was not too clear earlier
>
>
> Nothing you've said so far tells me why you must have confidential data
> on local storage or why you can't run these "kiosk" machines off a server
> located in a secure location.
>
>
>
>>
>> On Jan 18, 2008 5:46 PM, J E <jef_umd@umd.umich.edu> wrote:
>>
>>> On Jan 18, 2008, at 10:27 AM, John Summerfield wrote:
>>>
>>>> Ahmed Kamal wrote:
>>>>> Perhaps I misused the word "kiosk" and was not clear describing the
>>>>> role of the nodes. They will not be on my network. They will be on
>>>>> someone else's network (some other company, or some other
>>>>> organization). The nodes will be providing network services (Custom
>>>>> databases, accessible through a browser), sometimes some ldap services.
>>>>> Again, the people around the machine should use it as intended, no one
>>>>> should be able to steal/mount the disk to dump data (at least not
>>>>> easily)
>>>> I think we need better information about the problem you're trying
>>>> to solve.
>>>
>>> Agreed. If your main worry is that the hardware will be stolen, cheap
>>> hardware abounds in the marketplace. I'd not invest heavily in systems
>>> that aren't going to be monitored - probably better to treat them as
>>> throwaways if you aren't going to lock them in some form of cabinet.
>>> And don't rule out hardware terminal servers like those available from
>>> HP starting at $200.
>>>
>>> If it's the data that you are worried about, the fact that you have to
>>> ask how best to protect it should tell you that doing it with local
>>> storage is probably a very bad idea.
>>>
>>> jef
>>>
>>> _______________________________________________
>>> rhelv5-list mailing list
>>> rhelv5-list@redhat.com
>>> https://www.redhat.com/mailman/listinfo/rhelv5-list
>>>
>>
>>
>
>
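
An added example, not part of the original thread or any poster's code: one way to bind a volume key to the CPU serial number and Ethernet MAC address suggested above, so the derived key no longer matches once the disk sits in different hardware. The function names, the PBKDF2 work factor, the `server_part` input (standing in for the "critical small part" fetched at restart) and all sample values are assumptions made for this sketch.

```python
import hashlib
import hmac

ITERATIONS = 200_000          # PBKDF2 work factor (assumed value for this sketch)
CHECK_LABEL = b"volume-key-check"


def normalize_mac(mac: str) -> bytes:
    """Canonicalise a MAC so 00-1A-.., 00:1a:.. and 001a.. bind identically."""
    digits = "".join(c for c in mac if c not in ":-.").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.encode()


def derive_volume_key(cpu_serial, mac, salt, server_part=b""):
    """256-bit key bound to CPU serial + MAC, plus an optional fetched secret.

    The serial and MAC are readable by whoever holds the box, so on their own
    they only tie the disk to the hardware; secrecy has to come from server_part.
    """
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    fields = (cpu_serial.strip().upper().encode(), normalize_mac(mac), server_part)
    # Length-prefix every field so ("AB", "C") and ("A", "BC") cannot collide.
    material = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hashlib.pbkdf2_hmac("sha256", material, salt, ITERATIONS, dklen=32)


def key_check(key):
    """Value stored on disk so boot code can detect a wrong key without storing it."""
    return hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()


def unlock(cpu_serial, mac, salt, stored_check, server_part=b""):
    """Return the volume key on the original hardware, None after any change."""
    key = derive_volume_key(cpu_serial, mac, salt, server_part)
    return key if hmac.compare_digest(key_check(key), stored_check) else None


if __name__ == "__main__":
    SALT = bytes(range(16))   # constructed sample; use os.urandom(16) per device
    CPU, MAC = "BFEBFBFF000006FB", "00:1A:2B:3C:4D:5E"   # constructed identifiers
    chk = key_check(derive_volume_key(CPU, MAC, SALT, b"part"))
    print(unlock(CPU, "00-1a-2b-3c-4d-5e", SALT, chk, b"part") is not None)  # same box
    print(unlock(CPU, "00:1A:2B:3C:4D:5F", SALT, chk, b"part"))  # different NIC
```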
