smile.

thanks for the technical contribution.

[Quote]bios passwords are easily reset.

besides, the hd can simply be removed.[Quote/]

All of the stuff you are speaking of can be easily "cracked" as well, and if you were half as smart as you think you are why not add the bios password for a extra measure? Do some goggling anyone with half a hacker gene in them can get past all of that. Ever heard of computer forensics? I have some software that would eat that 1344mb triple blowfish up, and not even blink. Especially on a windows system, the parts of the os are too integrated. A linux 1344mb algorithum is a little harder but still posible to break.

also, another approach could be to put /tmp in a ramdisk... this way there will be no trace of anything left even if the power goes off and the shutdown script didn't get executed...

the swap partition can be encrypted just like any other partition...

This is very likely the truth. Windows just isn't that bad, once you have it set up, unless you mess with it or permit it to become infested with spyware/trojans/virii, etc.

WRT the OP's security question, I can't answer it because it isn't what I know. I can say, however, that I am quite sensitive to his need for security because I experience the same thing with my laptop. I have gone to considerable lengths to secure the HD so that if the machine is stolen, the very critical data that is on it won't be compromised.

In my case, the laptop runs XP and I have chosen to leave it that way because I have a soution that is quite adequately secure, my XP installation is secure because I make it so and continually monitor it to make sure it remains so, and I don't want to have to deal with figuring out and securing a Linux installation against theft, when such an activity isn't necessary because my windows installation is quite adequately secure.

This XP install has survived without being reloaded for nearly 3 years now, including service packs, upgrades, the installation of an assortment of software for various purposes, the failure of a HD - with the need to scroll the entire system off as the drive was failing, and then scroll it back onto a new HD - and then to fix up the damage.

If OP is compelled to continually reload Windows, he has another, quite serious problem and he is fooling himself if he thinks his system is secure.

You have two choices then:
1. Install FreeBSD that has "all of it" for free
2. Install SuSE 9.2 during the installation select hdd ecryption (blowfish)

What you install depends on your skills. I don't consider FBSD installation difficult (later is KDE 3.4 Gnome 2.6, fluxbox/blackbox xfce4, whatever), however people are frightened by non-GUI installer, so maybe SuSE is the right choice.

The above will give you real advantage over windows:
1. it is free (SuSE 9.2 Pro can be installed over internet or DVD, FBSD is free)
2. it is more secure
3. FreeBSD disk encryption is more mature (older) than whatever you have in windows world. Additionally it is possible that someone will gain access to your key. However using it he/she will not get access to the data.


So in terms of data access I would go with UNIX/UNIX-like option (In fact I have FBSD 5.3 on my laptop). However I would not consider encryption as a only security measure.

So event in terms of data encription I'd say that I feel safer with FBSD or SuSE.

i think it's also important to mention the risks involved with the boot process getting hijacked, as it could make all the encryption in the world useless...

it's another reason why the truly paranoid user should separate the boot process from the laptop, using a usb thumbdrive or a live cd...

http://www.linuxjournal.com/article/7743

this is interesting.

if fbsd has 'all of it', i need to read what it can do, for a newbie.

do you have any links?

as i understand fbsd can run most linux binaries, and is more stable/secure compared to linux. the remaining apps can be run under a virtual program like vmware.

If all that is true, i'm not sure why people use linux, instead of fbsd, as everyones running away from the wintroll disease, so why not go all the way?

I did find an interesting opensource program, based on 'encryption for masses', which was developed by the drivecrypt team years ago.

http://truecrypt.sourceforge.net/downloads.php

It hasn't been ported to linux/fbsd yet, but as it's opensource, i can only hope someone considers that.

ok. new project, check out fbsd, as it's supposed to be more secure/stable than linux. No point doing half measures.

Of course, my understanding of fbsd could be wrong.

People don't use Linux for security. Only stupid people do. I use Linux because I tried it out and I prefer it so much more over Windows or Mac or DOS. The flexibility it poses makes me piss my pants sometimes.

An OS is only as secure as the user that uses it. If we had experts secure a Windows box, they could do that, and it would be LOADS more secure than a vanilla FreeBSD install that Aunt Sally just tried out.

If you really want a secure system, why are you trusting systems that other people made? How do you know they didn't put loopholes, backdoors, trojans, anything in there without your knowledge?

I suggest you make your own OS from scratch, with your own hardware you built from scratch (backdoors can be in hardware, too). That way, nobody can mess with your stuff.

But wait, people can figure out the internal workings of your system, can't they? Windows is closed source, and it has security patches quite often... hmm... scratch that as well. I guess the only way you can get security is to lobotomize the human race and then break up the Earth into all of its electrons, protons, and neutrons, and create your own elements to create your own laptop, and then create your own OS off of that. Make sure you make some tinfoil, too, because those aliens might be able to break into your computer as well.

See, I guess my point is, if you really need the security you desire, guess what, you're screwed. People have been floating around the idea that "there is no such thing as 100% security" a lot lately. I think that that is false and misleading. My belief is there is no such thing as security, period.

The innovative ideas of cryptography and security are just neat little tricks to slowing people down. That doesn't do a thing when someone has enough will and applies enough force to your system. Think of it in terms of physical security. If someone has a "foolproof" safe, wouldn't a wrecking ball tear right through it?

I'm going to be laughing when they break blowfish, while sitting next to the guy that copied your HD in your sleep.

The only way to prevent people discovering your secret personal stuff is to not do anything that you wouldn't be willing to defend in court in the first place (or in an argument with friends or family, whatever). Hell, if you aren't successful in court, you probably will only go to a minimum security prison anyway, that is, if you aren't covering up murder. If you are covering up something like that, then you deserve everything that you get. If you are hiding something from your spouse or something, the most you'll get is a divorce... OooOOOoO!

that is SO TRUE...

also, some people seem to forget that SECURITY IS NOT A PRODUCT. IT'S A PROCESS.

the "i'm gonna switch to freebsd cuz it's more stable/secure" thing really cracked-me-up... LOL...

laughing at newbies is cool, as long as we get there in the end.

let me try rephrasing the question.

Can anyone here, with all the knowledge and expierience they have of linux/bsd, confirm that they are able to match the specifications outlined at the beginning of this thread?

I'm sure it could be done with development, but in reasonably practical terms for a newbie, that's not an immediate option.

thanks.

After reading this entire thread, I think I can safely say that the answer to your question is no, there is no tool publicly available for *nix that meets all of the criteria you have stated.

I will also say that with the tools mentioned in this thread you could very easily accomplish what you want, especailly if you truly are the "tinkerer" you claim to be. A combination of StegFS and loopback encrypted file systems can provide all of the security one will ever need. Unless you do some *very* high level work for Uncle Sam, anything beyond this is simply a waste of time.

So, now that your original question has been answered (for at least the third time in this thread), can we please go on to something more productive than argueing over trivialities?

I think you should try those solutions SOMEWHERE ELSE FIRST and if it fits you do the switch. I really don't think you'll find a comercial "all-in-a-package" solution for what you want and THAT doesn't make linux less secure than windows. What that means is that windows has yet another security solution as it is the most used OS out there. Linux IS more secure than windows but it has its own flaws too undoubtly. You say that you're not familiar to Linux so you don't know what you may leave uncovered is not a good argument. You don't know Linux because you lack study and experience (this is not an offense. You said that too) but you can become an expert on Linux and its security issues if you want. That doesn't happen with windows. Do you have the source code? Do you have access to a full detailed documentation to its development? How can you know that you covered all the issues if you don't even know all of them. There are many of'em known by microsoft but not released as they still don't have a patch available. You're far to be a linux security specialist ut even farther to be a windows one as the number of flaws and issues is to big and many are unknown/unrevelead.
my 2cents

Some observations:

Most Live Linux CDs offer customizability that can be burnt to a new CD. Once you set up the system the way you want it (network printer, right apps, etc) you can burn it on a CD or two and it will likely NEVER have to be reinstalled. It not only doesn't have data that needs encryption but it won't become convoluted and require a reinstall, it won't store persistant histories and if it is compromised via a hack/virus/intrusion then a simple reboot will fix it.

With enough RAM you can forgo a swap partition and mount /tmp from a ramdisk, that problem is now resolved. Even without enough RAM, swap and /tmp can still be mounted inside another partition that is encrypted, or set to be wiped in the shutdown script, or both.

The next step is a partition on either the existing hard drive or removable media such as a thumb drive (there are reasonably priced 4GB and larger USB drives now) or even an external HDD on USB or firewire via existing laptop ports or a PCMCIA card. The partition can be encrypted to whatever level you want it to be. With the OS not encrypted, you actually add security because there is no longer a library of pre-deciphered code (a base OS to compare against your encrypted OS) available to help anyone decode the data you wish to protect.

With these solutions in place, you have an OS that won't degrade and won't store any information you don't want it to. Without the OS storing information or being encrypted, you speed up performance, provide a system less vulnerable to cracks and other forms of intrusion and you no longer provide the OS files as a possible decipher tool. You also add another layer of security in that you can easily seperate the OS from the data and make it even harder to gain initial access to the encrypted data's location. Heck, you could even leave the HDD bootable with your old Windows OS and some useless data as a 'honey pot' for someone to spend a good chunk of time breaking into only to find they barked up the wrong tree!

The honeypot idea is pretty good

I'd view the "honeypot" as more of a risk than it's worth. If there's a hard drive in the computer, then there's a chance that someone could secretly install some spyware on that hard drive. The way that would work is:

1. Laptop is stolen.
2. Spyware is installed on the hard drive's bootloader and the BIOS is set to boot from hard drive first.
3. Laptop is returned before it's missed.

4. The next time I put the CD and USB thumbdrive in, I might not notice the spyware loading from the hard drive before the CD boots. This spyware then records keystrokes and/or copies data from the thumbdrive to the hard drive.

5. Laptop is stolen again.
6. Spyware data is retrieved.

Paranoid? Yes, of course.

Now things would be a bit different if the laptop had no hard drive. Without a hard drive, there wouldn't be any place to install spyware--nor any place for such spyware to save data. It's pretty easy to use some wire snips to cut off the IDE connector pins, making it rather difficult for the bad guys to install a (silent) hard drive. They'd have to cosmetically duplicate the entire laptop. Making periodic personalized cosmetic mutilations of the laptop can make it difficult for the bad guys to make a convincing replacement.

Alternatively, a scratchbuilt "briefcase computer" can be VERY hard for the bad guys to compromise. The case of the computer should be clear plastic, so all of the components are visible from all sides. This prevents hiding a flash drive behind the LCD screen, for example. The "lid" would house the mini-ITX board and the LCD screen, while the "base" would house the keyboard, touchpad, and CD drive. The exact choice of components is critical to prevent the possibility of hiding spy hardware. For example, a typical 5.25" CD-ROM drive is no good because there's too much internal space which could be used nefariously.