SCIENTIFIC-LINUX-USERS Archives

February 2012

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Date: Wed, 1 Feb 2012 12:22:17 -0800

On 2012/02/01 09:28, Yasha Karant wrote:
> On 02/01/2012 09:03 AM, Konstantin Olchanski wrote:
>> On Wed, Feb 01, 2012 at 08:47:28AM -0800, Yasha Karant wrote:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=636628
> [snip]
>> Anyone with physical access to the machine can walk away with your disks,
>> or boot their own OS from a USB disk or from the network, and have root access
>> to all files without having to get root access. So you can safely assume
>> that for unfriendly purposes, having physical access is the same as knowing
>> the root password.
>>
>
> It is my understanding that if the BIOS on a standard IA-32 or X86-64 machine is
> protected by a boot password, then there is no access to the boot procedure of
> the BIOS and thus the media you suggest cannot be booted unless these are in
> BIOS boot order preceding the physical internal hard drive.
>
> Am I in error?
>
> Yasha Karant

Only two things provide security as far as I know. The first is a FULLY
encrypted file system. The other is not permitting other people physical
access to the machine. "Case opened" detection can tell you if you've been
compromised. It can't protect the disks. BIOS passwords are bypass-able in
some cases by simply shorting the coin for a couple seconds. They can be
worked around by simply removing the disks. If there is time they can be
copied with dd and worked upon at leisure.

At the very least keep critical files fully protected with encryption. It
slows the machine down somewhat. But that is a worthwhile tradeoff methinks.

{^_^}
