From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jim Choate
To: <9fans@cse.psu.edu>
Cc:
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: [9fans] Re: Using 9P(2000) in Unix/Linux(/Windows)
Date: Thu, 15 May 2003 07:04:00 -0500
Topicbox-Message-UUID: ac751f90-eacb-11e9-9e20-41e7f4b1d025

On Thu, 15 May 2003, Anssi Porttikivi wrote:

> A practical need I have in mind and which prompted me to ask: when
> booting a CD based 'live' Linux (like Knoppix) on an arbitrary PC
> machine I'd like to mount my home directory (with all dot filed
> settings) securely over the Internet.

You'll need to create an encrypted tunnel first. Then the mount should
behave normally, except it will be even slower ;)

Since you want to use a CD you'll of course have the problem of making
sure that the keys burned on the CD are well kept. This means no loaning
of the CD to 3rd parties, and burning a separate CD for each node you want
to boot remotely, otherwise you increase the chances of a 'known plaintext'
or 'replay' attack.

You could use something similar to kerb to pass tickets/certs over the
net instead of actual keys. This will help against replay attacks. These
sorts of things usually require sync'ed clocks or something similar, a
secure reliable shared resource (ala clock skew).

Another approach is to use some sort of mod'ed distro (I use Trinux) and a
net-boot (eg bootp or tftp) distro.

Then of course you have the 'trusted computing' problem. If you keep up
with the Cypherpunks at all, I believe Ross Anderson has written a paper
on related issues and there is a conference of some sort coming soon on
that sort of topic. Check the archives, Ross might not be the author. The
issue came up within the last couple of weeks.

These assume that you are booting the machine from the CD.

If instead you simply want to take an existing Linux machine, slap a CD
into a drive, and then open a tunnel and mount the drive; calling that
secure at any point is hopeless with today's technology. The system is not
securable (ie TEMPEST/Van Eck, bus snooping, left behind swap and malloc
fragments with code/data sitting around, regular archival runs, etc.).

You've got yourself a very! hard problem in the second case.

--
____________________________________________________________________

      We are all interested in the future for that is where you and I
      are going to spend the rest of our lives.

                              Criswell, "Plan 9 from Outer Space"

      ravage@ssz.com                            jchoate@open-forge.org
      www.ssz.com                               www.open-forge.org
--------------------------------------------------------------------
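
Added example, not part of the original message and not Kerberos's actual wire format: a timestamped, MAC-protected authenticator in Python, showing how a ticket-style scheme rejects replayed messages and why it depends on synchronized clocks. The message layout, the `MAX_SKEW` value and all names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_SKEW = 300  # seconds of tolerated clock skew (assumed value)


def make_authenticator(key: bytes, client: str, now: float) -> bytes:
    """Client side: prove possession of the session key without sending it."""
    body = f"{client}|{int(now)}|{os.urandom(8).hex()}".encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag


class Verifier:
    """Server side: checks the MAC, the timestamp window and a replay cache."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = {}  # authenticator body -> timestamp it carried

    def check(self, msg: bytes, now: float) -> str:
        body, _, tag = msg.rpartition(b"|")
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return "bad-mac"
        try:
            stamp = int(body.split(b"|")[1])
        except (IndexError, ValueError):
            return "malformed"
        if abs(now - stamp) > MAX_SKEW:
            return "stale"  # old capture, or the two clocks disagree too much
        # Entries outside the window can be dropped: the check above rejects them.
        self.seen = {b: t for b, t in self.seen.items() if abs(now - t) <= MAX_SKEW}
        if body in self.seen:
            return "replay"
        self.seen[body] = stamp
        return "ok"


if __name__ == "__main__":
    key, t0 = os.urandom(32), 1_000_000.0  # constructed key and clock value
    server = Verifier(key)
    msg = make_authenticator(key, "live-cd-node", t0)
    print(server.check(msg, t0 + 2))    # first use inside the window
    print(server.check(msg, t0 + 10))   # same bytes captured and sent again
    print(server.check(msg, t0 + 900))  # sent again after the window closed
```

The replay cache only has to remember authenticators for `MAX_SKEW` seconds, which is what the synchronized clocks buy; a client whose clock is off by more than that is rejected as "stale" even when it is legitimate.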