SCIENTIFIC-LINUX-USERS Archives

July 2011

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From: 夜神 岩男 <[log in to unmask]>
Reply To: 夜神 岩男 <[log in to unmask]>
Date: Sat, 30 Jul 2011 05:17:03 +0900
Content-Type: text/plain
Parts/Attachments: text/plain (41 lines)

On 07/30/2011 01:01 AM, Jos Vos wrote:
> On Sat, Jul 30, 2011 at 12:29:24AM +0900, 夜神 岩男 wrote:
>
>> Coming originally from secret squirrel land, one of the cardinal
>> security rules for us was simply "If the attacker has physical access,
>> you don't have security".
>
> I would say "... you have much less security".  No security is just
> not true.  Doing all the things Dag said and using encrypted filesystems
> provides a certain security level even when physical access.

If you have a compromise of any sort in a truly high security 
environment -- the sort of environment where a minor sidechannel 
information leak (this can even be things like consistent data on the 
frequency of disk i/o) is cause to rip out millions of dollars of 
deployed equipment, cancel a large operation, re-deploy a dispersed set 
of operating units or move satellites around -- then you are 
compromised. It's like the old saying about being "kind of pregnant" and 
has everything to do with the level of paranoia required by that 
environment.

I can't think of anywhere this is the case that is using SL 6, though I 
could be wrong...

>> Physical access to a system is where coded security gives way in absolute
>> terms to physical security measures. But again, that is if we're talking
>> about serious security environments and almost none of our use cases
>> probably represent that -- so we're left simply balancing usability vs
>> security like normal people.
>
> The assumption "almost none of our use cases probably represent that" is
> a very bad starting point.  Probably the people that completely fucked
> up GNOME (GNOME3 in Fedora 15 is almost unusable for most people I know)
> had a similar thought when they destroyed the GNOME desktop.

...and so I have to give you points for the above statement. I can't 
know, and after reading some insane Gnome 3 dev list discussions not 5 
minutes ago you are right to warn about such habits of thought.

-Iwao
