Yes, we have no hibernate today

Henry Hertz Hobbit hhhobbit at securemecca.com
Fri Jun 25 03:29:51 MDT 2010


On 06/25/2010 04:05 AM, Henry Hertz Hobbit wrote:

<SNIP>

Now that you have got it to suspend / hibernate you can
either continue to do it and delete this message or
read more and decide if you really want to use hibernate
or suspend at all.  TAP THE DELETE BUTTON NOW!

> # dd bs=1048576 count=128 if=/dev/sda7 of=/tmp/SWAP
> $ okteta /tmp/SWAP &

I should hasten to add I don't mean you should zero the entire
SWAP space.  I have the following characters at 0xFF6 ... 0xFFF
in my SWAP and wherever they are they should probably be
preserved unless the swapper itself over-writes them:

SWAPSPACE2

And for Ubuntu 10.04 make sure you select the second safe mode
and then boot up to the root login before you start dd'ing away
the evidence. Reboot immediately after you have done the dd.

I have already done it with an offset past that since I am NOT
using full disk encryption (multiple OS problems) and I don't
want that hibernate that was stuffed into my SWAP to stay around.
Now SWAP will probably stay there with lots of zeros in it
instead of the random garbage it had before.  It was shocking to
see just how much stuff hibernate rammed into the SWAP space.

The problem I am seeing with this whole scenario is because he
mentioned full disk encryption.  What good does full disk
encryption do you if you suspend / hibernate?  You have basically
made that protection for a laptop null and void if your laptop
ever gets lost / stolen as long as there is still enough power
to boot up.  It kind of reminds me of the people using the
Enigma cipher that had combination outside / inside indicators
for their message settings that had three characters each.  So
what did they pick?  LON-DON, MAD-RID, BER-LIN, ... Why did
they do that?  "The Enigma machine is unbreakable, so we will
just use these keys since they are easy to remember." Let's
use hibernate / suspend because we know that Linux is so
infinitely secure that it will be okay.  Every set of security
mechanisms and procedures is no better than its weakest link.

Even if you aren't using full disk encryption I still see a
problem with hibernate / suspend.  If I steal your laptop at
a busy airport I am still home free.  I just hit the power
button and I am in.  "Let's use hibernate / suspend to save
a few seconds" will be a thief's best friend.

Let's also not encrypt our files because Linux is so much
superior to Windows. I can probably make bank on some of the
people that responded not using encryption on your files as
well.  For some users it is because they are counting on
their full disk encryption for their entire protection which
the hibernate / suspend just bypassed.  For the users without
full disk encryption it is because they are smug in their belief
that Linux is so infinitely superior that you don't need to do
anything more than just run Linux and all the world's ills go
away.

Are you sure you want to use the Hibernate / Suspend feature?
This especially holds for a machine that is highly portable.  I
worked for a DoD contractor once and they said they had two
Solaris Tadpole laptops.  You couldn't prove it by me because I
never saw them.  They were there in November when I arrived on
contract and by the next August when my contract had been extended
not just once but twice and they were begging me to stay longer
both of those Tadpoles were gone - STOLEN! This was at a place
a lot more secure than where most of your laptops are.

I repeat - hibernate / suspend is a security nightmare.  But at
least you know how to do it if it gets lost from the menu.

HHH


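Added example, not part of Henry's post or of any distribution tool: a small POSIX shell script that does what the message describes, namely checks the swap header page for a stored hibernation image, zeroes every page after the header, and keeps (or restores) the SWAPSPACE2 signature at 0xFF6..0xFFF. It assumes 4096-byte pages (so the signature lives at offset 4086), GNU coreutils, and for a real block device util-linux's blockdev plus root. Everything else (the function names, the file name wipe-swap.sh in the usage comment) is made up for the example.

```shell
#!/bin/sh
# Added example, not code from the original post.  Inspects the header page
# of a swap partition or swap file, reports whether it still holds an
# in-kernel hibernation image, and zeroes every page after the header so the
# image (and whatever else was paged out) is gone, while the SWAPSPACE2
# signature the post says to preserve stays intact.
#
# Assumptions: 4096-byte pages (so the 10-byte signature sits at bytes
# 0xFF6..0xFFF, offset 4086), GNU coreutils (dd, stat, tr, head) and, for a
# real block device, util-linux blockdev and root.  Run with the swap
# deactivated ("swapoff DEV") from a rescue or single-user shell.

PAGE=4096
SIG_OFFSET=4086
SIG_LEN=10

# Print the signature field from the header page, with NUL padding removed.
# A normal swap area reads "SWAPSPACE2"; the kernel's swsusp code writes
# "S1SUSPEND" (9 chars + NUL) there while a hibernation image is stored.
swap_signature() {
    dd if="$1" bs=1 skip=$SIG_OFFSET count=$SIG_LEN 2>/dev/null | tr -d '\0'
}

# Succeed (exit 0) when the swap area carries an in-kernel hibernation image.
has_hibernation_image() {
    [ "$(swap_signature "$1")" = "S1SUSPEND" ]
}

# Size in bytes of a block device or of a regular (swap) file.
swap_size_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Zero everything after the header page.  seek=1 skips the header,
# conv=notrunc keeps a file-backed swap area at its current size, and an
# explicit count stops dd at the end of the device instead of at ENOSPC.
wipe_swap_body() {
    pages=$(( $(swap_size_bytes "$1") / PAGE ))
    [ "$pages" -gt 1 ] || return 1
    dd if=/dev/zero of="$1" bs=$PAGE seek=1 count=$((pages - 1)) conv=notrunc 2>/dev/null
    sync
}

# Succeed when no non-zero byte remains after the header page.
body_is_zero() {
    [ "$(dd if="$1" bs=$PAGE skip=1 2>/dev/null | tr -d '\0' | wc -c)" -eq 0 ]
}

# Put "SWAPSPACE2" back so the kernel treats the area as plain swap again
# rather than trying (and failing) to resume from the zeroed image on the
# next boot.  Re-running mkswap on the device does the same and more.
restore_swap_signature() {
    printf 'SWAPSPACE2' | dd of="$1" bs=1 seek=$SIG_OFFSET conv=notrunc 2>/dev/null
    sync
}

# Stand-alone use (hypothetical file name): sh wipe-swap.sh /dev/sdXN
if [ -n "${1:-}" ]; then
    dev=$1
    echo "signature before: $(swap_signature "$dev")"
    if has_hibernation_image "$dev"; then
        echo "hibernation image present; wiping body and restoring signature"
        wipe_swap_body "$dev" && restore_swap_signature "$dev"
    else
        wipe_swap_body "$dev"
    fi
    body_is_zero "$dev" && echo "body zeroed; signature now: $(swap_signature "$dev")"
fi
```

Two cautions when using something like this for real: run it only with the swap area deactivated (swapoff) and, as the post says, from a single-user shell, and check the signature first; "S1SUSPEND" in the header means the kernel will try to resume from that image on the next boot, so if you zero the body you must also put SWAPSPACE2 back or re-run mkswap before rebooting.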