Michael Orlitzky <michael@××××××××.com> wrote:

>On 03/19/2013 11:28 PM, Michael Mol wrote:
>>
>> Not so much. The idea would be that you could power cycle the
>> device to get access to it again. The device would be read for the
>> keys at system bootup, but then would shut itself off after a few
>> minutes to prevent the keys from being read from disk. (There's
>> still the risk of them being read from the memory of the process
>> using them, but that's slightly more difficult, and security is all
>> about raising the bar.)
>>
>
>Eject the USB drive after five minutes? This raises the bar
>significantly, to "has tried to send the 'close CD tray' command to a
>USB stick before."
>

I don't think it is possible to un-eject a USB drive without power cycling it.

And why wait 5 minutes to eject it? Simply do that as soon as the keys are read?

Extra option:
Stick the USB disk driver as a module in a ramdisk and then rmmod it.
Remove the module from disk.
And use module signing. From what I understand, the keys for that are generated at compile time? And you can delete them from the kernel sources after compiling.

--
Joost