undefined | Better HN

0 pointsbrianpgordon8y ago0 comments

Maybe it's crazy that we give people physical access to machines and expect them not to be able to obtain root.

I don't have any experience with enterprise-grade IT, but it seems like shared computers should be thin clients or at least use UEFI to securely boot an image over the network and not keep anything sensitive locally.

If you give someone physical access to a box, they will be able to own it.

0 comments

jzl8y ago

This is actually how the public workstations in MIT computer clusters have always worked. The root password is public to anyone with a legit account, but access to it gets you almost nothing because all services including the network filesystem are kerberized, and machines are really good at wiping all local changes upon logout. Some more details here: https://www.quora.com/Are-computer-networks-in-MIT-harder-to...

ekianjo8y ago

yes. physical access should never be considered secure.

j / k navigate · click thread line to collapse