rm | Cleaning up recycle bin

Valeri Galtsev galtsev at kicp.uchicago.edu
Mon Feb 24 16:21:28 UTC 2020



On 2020-02-24 10:15, Kevin P. Neal wrote:
> On Mon, Feb 24, 2020 at 11:06:21AM -0500, Jerry wrote:
>> On Mon, 24 Feb 2020 09:38:46 -0600, Valeri Galtsev stated:
>>> It depends on what kind of attack you are trying to defend from. If it
>>> is theft of your hard drive from your cold, powered-off machine, then
>>> this will help (not 100% solve it, just that a brute-force drive
>>> decryption attack is too expensive or slow). If, however, it is physical
>>> machine security that you are trying to solve, encrypting the drive will
>>> not necessarily help. The following is speculation about how the
>>> attack can be performed. The bad guy has physical access to your machine
>>> when it is up and running. He opens the case, splashes liquid nitrogen
>>> onto your RAM, pulls the RAM modules, and plugs them into his device. Low
>>> temperature ensures the content of RAM is not lost while physically
>>> swapping it over to the bad guy's device, and that device ensures the
>>> content of RAM is not lost (pretty much the same way as dynamic RAM is
>>> always used). And the guy takes the hard drive. Encryption/decryption
>>> happens on the fly on the running machine (otherwise yanking the power
>>> will allow one to have a decrypted drive), and therefore the
>>> encryption/decryption key(s) must be somewhere in the RAM when the machine
>>> runs. And the bad guy has it all now: the whole content of the RAM
>>> (with the keys), and the [encrypted] hard drive. He has your information.
>>
>> Can you document an actual event when this scenario occurred?
> 
> Freezing RAM and then recovering the data is an attack that became public
> a few years ago (maybe five? I don't think ten?).
>

That sounds right. It's been quite some time since I first heard 
about that. I remember my first reaction: YES, it's pure physics, how 
come I didn't think about that myself... (I guess I didn't have the 
need of doing it - that might be my excuse then).

Valeri
-- 
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
