Re: [Fed-Talk] FW: Army to require built-in security
- Subject: Re: [Fed-Talk] FW: Army to require built-in security
- From: "Timothy J. Miller" <email@hidden>
- Date: Mon, 07 Aug 2006 08:18:08 -0500
Amanda Walker wrote:
Under the TCPA protection profile, the TPM is required to be tamper
evident to be certified as TCPA compliant:
Well, it's in there, but what does it really mean?
"""
T.Hack_Physical is countered by O.Tamper_ID, which states: The TOE shall
provide features that permit a human to detect physical tampering of a
system component. Although this objective does not prevent physical
tampering, it allows physical tampering to be detected if the TOE is
physically examined.
"""
Tamper tape on the case is going to be yanked by the site
sysadmins--they need to get in the case for all sorts of legitimate
reasons and I'm willing to bet they're not going to bother putting it
back. Plus, think about where your system is--under the desk or under
the monitor, right? Think you'll see case tape in these situations?
Plus, physical tamper evidence inside the case is effectively useless to
the system's user. Physical tamper evidence *relies* on the user to
alert the admins unless you're willing to institute mandatory, regular
inspections.
Electronic alerting of physical tampering is another false sense of
security. Dell PowerEdge servers alert when rebooted if the case has
been opened. How many admins really pay attention to that? And since I
have physical access, all I essentially have to do is boot twice. :)
That's the problem with physical security of components in open storage
environments--people suck at it. Better to just lock the door and keep
the cleaning crew out altogether.
As far as "more secure than a smartcard" goes, there's a reason why
smartcard credentials should be revoked if the card goes missing for
more than a couple of days. ;)
-- Tim