DonationCoder.com Software > Post New Requests Here

IDEA: Laptop Security - Lock system/send keystroke unless key pressed in n sec

<< < (5/7) > >>

tmpusr:
That's a good feature. Optionally you should be able to prefix and/or postfix it with your own string. Apparently you're somewhat security-conscious, too...

Don't give up so quick with the process termination security hole... using the "heartbeat" again looks like a solution:

You run a pair of processes that watch that each other exists (and/or that some file is getting written): if the other one is killed or suspended (checking if process exists is not enough) it will lock out. If two is not enough, use three. Since the termination software the adversary will use won't disable them simultaneously, though the time interval is very small, it should work. Even if all ports and drives are blocked, but it's still connected to the tubes, they will provide the adversary the software on the browser.

You'd need to create a termination/suspending app to make sure it's defeated. You should try to break into the system by all these means and fail.

Were trying to change the rules of the game here: the computer will eventually be bricked, no matter what you do. The time the adversary has available to upload data should be less than the time it takes to issue the commands. In high-risk situations it shouldn't be many seconds or your recent files will end up on someone's server. It seems that with this app running the game is over for the adversary, not for you.

This security hole is patched as long as the lockout time is short enough. With a webcam you could check if the user is present, and if not, lock out in 3-5 seconds.

f0dder:
What exactly are you trying to guard yourself against - common thieves or the cops/whatever?

All this keystroke-timeout-fumbling seems like the wrong way to approach the problem. Set a screensaver, check "on resume, display logon screen" (you obviously are using a password for your user account, and of course you're running with a limited account without administrator privileges). Then, you set a system policy that disallows changing the screensaver settings. TrueCrypt has an option to dismount volumes not just when logging off, but also on screensaver activation.

As for trying to keep processes running through usermode watchdogs - not going to work. You can spawn a few hundred and poll every few milliseconds (which is going to put a heavy load on your system, mind you!) but it's still not a guarantee that your processes won't get nuked. A better approach is adjusting the process permissions and removing the SeDebugPrivilege. Since when have common thieves started doing something like this, anyway?

tmpusr:
What makes you ask that? There's a huge security industry out there. You can ask them who they're trying to guard against. There are other threats than just common thieves. Capable adversaries include professional criminals, governmental and corporate espionage.

It's obvious to me that a screensaver will never activate. And all this 'keystroke-timeout-fumbling' is already doing its job.

The nuking watchdog solution must be tested. I don't think the strain it puts on the CPU can be significant. So you can prevent program termination in a limited account? Getting a BSOD when the process is terminated would be ok, too.

f0dder:
I'm asking because it's not clear which scenario you're really trying to guard against.

If we're talking being mugged in a park, the screensaver approach would be quite sufficient imho - the thieves need to get away with your machine before they can start looking at it. And common thieves aren't interested in snooping around on the machine anyway, they just want to trade it in for cash.

The only situation I can think of where the screensaver setup I described above isn't adequate is when someone can get forceful physical access to your machine and don't need to run away with it. And in those cases, you're pretty much so SOL that your approach isn't going to help anyway :)

tmpusr:
Thieves today may know that the contents of the system may be worth something too and will keep on touching the keyboard/touchpad to prevent the screensaver.

This solution is created to address the particular problem where you abruptly lose physical access to the computer or forget to lock it and someone starts using it (the screensaver won't activate). It already provides great (practically perfect, if the timeout is short enough) security.

If the adversary is ready to "persuade" me to reveal the password, that's where plausible deniability is required, which TrueCrypt provides.

I think this is such a fundamental security feature that it should be part of the OS.

Navigation

[0] Message Index

[#] Next page

[*] Previous page