physical security, USB authentication?

[cmyr]

Recently I've begun to think about the security of my online roll... I've taken all of the standard measures, (I have a dedicated machine with the latest windows and up to date anti-virus software running behind a sold physical firewall) but I'm begining to think more about physical security.

A bios password or something would be fine, but that would be pretty easy to bypass, and so I've been thinking of other solutions... I'll look into hard-disk encryption, but I'm also thinking about something like USB-key authentication.

Does anyone have any experience with this sort of thing? What I would like, ideally, would be a USB key that would have to be present in order for me to login to a particular account at the XP login screen, or alternatively it could be that if the key wasn't present, XP would start up as usual and log in automatically as a rather benign user with firefox and not much else, but if I wanted to log in to my actual account I would need to have the USB key.


I appreciate that this is rather pie-in the sky, but I'm just day-dreaming... I haven't been able to find much about the realities of usb-authentication for home use, but I'm assuming they modify the boot-loader.

Does anyone have any experience with any of this? Any reccomendations? A usb biometric might also work, I'm not really sure.


Any other physical security thoughts?

[kerowo]

Unless you are encrypting your HD, having physical access to the machine would negate any of your ideas.

My new computer uses Vista and it has a password reset key feature where you can create a key to reset the password on your account, it can be anything from a USB drive to a floppy or CD. You could use something like Password Safe to create long, random passwords and only use the password reset key for access to the machine, but that would be such a pita that you would stop using it.

For XP if you are really parinoid I'd find an encryption product and put the key on a flash drive that you keep with all the time and encrypt your drive. I suppose you could always use an external drive for all your poker stuff and keep that with you at all times as well.

[cmyr]

well if I have a usb device that needs to be present and verified before the bootloader runs, an attacker with physical access would have to swap out the HD to do anything, and I'm not too concerned about that. I'd just rather it were a little more difficult to get in then say to reset bios and boot into safemode.



How much does HD encryption drag a machine's speed down? I'm running a P4 @ 3 ghz with 2 gigs of ram, would it be an issue?

[Freakin]

kerowo: is that a feature of bitlocker?

If it were me, I would probably use a virtual machine on the dedicated machine and encrypt the virtual disk between use plus all the other normal vm security features.

[kerowo]

[ QUOTE ]
kerowo: is that a feature of bitlocker?

If it were me, I would probably use a virtual machine on the dedicated machine and encrypt the virtual disk between use plus all the other normal vm security features.

[/ QUOTE ]

No, I only have Home Premium. It's a pretty cool idea and I'll like it if I ever have Vista at work where they usually have some strick pw changing rules. The cool thing is you don't have to update it after changing your password.

OP, if someone has physical access to your hardware the only thing to stop them is good encryption. The question you need to answer when you start thinking of physical security is who are you protecting against? A nosey roommate with no computer skills or your roomate the comp sci major? If it isn't a roommate what are you scared of? That will dictate what is sensible.

Freakin's VM idea is pretty good too because if someone has the HD they still can get at your data and the only time you are decrypting big chunks of data is to play poker. I'm not talking on the fly encryption of your HD, I was talking encrypting the folder where the app/apps are before logging off.

[Freakin]

[ QUOTE ]
[ QUOTE ]
kerowo: is that a feature of bitlocker?

If it were me, I would probably use a virtual machine on the dedicated machine and encrypt the virtual disk between use plus all the other normal vm security features.

[/ QUOTE ]

No, I only have Home Premium. It's a pretty cool idea and I'll like it if I ever have Vista at work where they usually have some strick pw changing rules. The cool thing is you don't have to update it after changing your password.

OP, if someone has physical access to your hardware the only thing to stop them is good encryption. The question you need to answer when you start thinking of physical security is who are you protecting against? A nosey roommate with no computer skills or your roomate the comp sci major? If it isn't a roommate what are you scared of? That will dictate what is sensible.

Freakin's VM idea is pretty good too because if someone has the HD they still can get at your data and the only time you are decrypting big chunks of data is to play poker. I'm not talking on the fly encryption of your HD, I was talking encrypting the folder where the app/apps are before logging off.

[/ QUOTE ]

there is still the problem of the registry if you are only encrypting the program files. I would nto feel that my computer was secure unless the entire filesystem and registry is encrypted.

I would recommend something like a 4-5GB VM disk. Install windows on it and install your poker programs.

You can run your PT databases on your main computer and have the VM PT connect to it instead of dealing with very large databases on your VM.

This way you only have to encrypt a relatively small amoutn of data

i think VMWare makes a program called ACE to encrypt VMs. look into it.

I would either do this or use a WHOLE DRIVE encryption program

[cmyr]

I guess I have two sort of test-cases:

the first is that my apartment is broken into at random, but by an individual who can recognize pokertracker and see an opportunity when one appears. I would this individual to have to go through some hoops in order to boot up and snoop around, by which time I'll have changed everything important on another machine.


My second case is that some random friend of a roommate's, at a party or something, knowing I play poker and knowing I have an office at the end of the hall, decides to go take a look around.


First and foremost I'd like to be able to go away for a week and not worry about whether everything is safe.

[C McGuinness]

Use a laptop and buy a safe to store it in. A typical UL B rated safe weighs about 400 pounds, is bolted to the floor, and provides fire and burglary protection. The "B" rating means that, in the lab, with all tools at their disposal and as much prep time as they like, and complete design specs, it took the UL experts 5 minutes to break in. Which translates into "forever" for your burglar.

You will have to go to a locksmith to get your safe and have it installed -- the safes at hardware stores like Lowes are large, impressive, and not secure.

That will beat any other approach you want to consider, and cost a lot less too! And you can use the safe for other things, too...

[cmyr]

hard to get 1600x1200 twice on a laptop. Thanks for the advice though, I'll consider it.

really.


There are clearly ways I can make my machine more physically secure. I'm not so worried that I'm going to rent space under Cheyenne. If you can tell me where and how my ideas are lacking, that would be useful. If not, thanks anyway.

[Dave I]

Get an external USB drive, store all data on it, encrypt the whole drive with TrueCrypt , lock away the drive when not in use. Keep the keyfile used to decrypt on a different USB flash drive that stays with you at all times. Keep a backup keyfile in a safe deposit box.

This is pretty much the only option (regarding physical access) and relatively easy to work with.

I can't think of a single way this could be defeated outside of the encryption algorithm being broken or someone holding a gun to your head (and TrueCrypt thought of that). There is some awesome information on the TrueCrypt site.