Commit 5c2cde89 authored by Tails developers

doc: rephrase cold boot attack part

Try to include RAM dump on running system; be more generic
about adversaries.
parent 01e3e1dc
......@@ -106,62 +106,40 @@ To prevent against giving such a device your password or encryption
passphrase, you might want to "type" them using the mouse on a virtual
keyboard displayed on screen.
The [OnBoard](https://launchpad.net/onboard)* virtual keyboard starts
automatically with Tails and
The *[Florence](http://florence.sourceforge.net/english.html)*
virtual keyboard starts automatically with Tails and
is accessible by the keyboard icon in the systray on the top left of the screen.
It can be used to safely enter passwords using the mouse
when you suspect that a hardware keylogger may be present.
# <a name="cold"></a>Protection against cold boot attacks
**FIXME**: merge with stuff in Introduction
- if the computer you are using is powered off brutally (e.g. power supply cut,
power cable or battery unplugged, poweroff by pressing power button, …) RAM
won't be cleared immediatly on shutdown. It will be possible to achieve a cold
boot attack (**FIXME**: add a link) for several minutes to several hours
(depending on the RAM model and the temperature) which would enable an
attacker to recover everything that have been achieved during the session,
from typed texts to saved files, including password and encryption keys.
**FIXME**: end of stuff in Introduction
What happens if the police knocks on your door when you are running
Tails? This is a tough one to deal with, and there is not that much
that can be done actually. If you are really unlucky they have brought
with them freeze spray and other equipment which can be used to mount
a [cold boot attack](http://en.wikipedia.org/wiki/Cold_boot_attack).
This is done in order to get the contents of your RAM. Due to how
modern computing works, basically everything that you have been doing
for a good whike is stored in the RAM, so all information – including
passwords, encryption keys and the secret plans you wrote in a text
editor but then erased – may be stored in it in plain text. The more
resent the activity, the more likely it is that it is still in the
RAM.
RAM is usually considered to be extremely volatile, meaning that the
data itstores starts to disintegrate rapidly once power is removed.
However, it has been shown that the data might be recoverable for
seconds or even minutes after this happens, and apparently freeze
spray can be used to increase that period significantly. Once the
power is restored the RAM state will keep getting refreshed, so if the
power supply is portable the removed RAM modules' contents are in the
hands of the attacker. Alternatively the computer can simply be reset
(i.e. switched off and back on quickly), which barely even affects the
power. Then a tiny LiveCD system is loaded with the ability to dump
the RAM to some writeable media. In both cases the RAM contents can be
analysed in a computer forensics laboratory which might turn into a
major disaster depending on what they find.
So, what should you do when you hear them knocking? You could just
remove the USB stick or CD you are running Tails from. It will start to
wipe the contents of the RAM by filling it out with random junk, thus
erasing everything that was stored there before, including the
encryption key of the encrypted storage devices you might use and the
traces of your session. Then you wait, possibly trying to buy
Due to how modern computing works, basically everything that you have
done during a session is stored in the RAM. If an attacker has
physical access to your computer when you are running Tails, it may
enable her to recover everything that have been achieved during the
session, from typed texts to saved files, including passwords and
encryption keys. The more recent the activity, the more likely it is
that it is still in the RAM.
Furthermore, it has been shown that the data present in the RAM might be
recoverable for seconds or even minutes after the computer is powered
off using a [cold boot
attack](http://en.wikipedia.org/wiki/Cold_boot_attack).
In both cases the RAM contents can be analysed in a computer forensics
laboratory which might turn into a major disaster depending on what they
find.
So, what should you do when you hear an attacker knocking at your door?
You could just remove the USB stick or CD you are running Tails from. It
will start to wipe the contents of the RAM by filling it out with random
junk, thus erasing everything that was stored there before, including
the encryption key of the encrypted storage devices you might use and
the traces of your session. Then you wait, possibly trying to buy
valuable time by barricading your door.
As far as the authors know cold boot attacks are not standard
As far as the authors know, cold boot attacks are not standard
procedure within law enforcements and similar organisations anywhere
in the world yet, but it might still be good to be prepared and stay
on the safe side.
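Review bot: "In both cases the RAM contents can be analysed" in the rewritten cold boot section no longer has a clear referent. In the longer wording the two cases were removing the RAM modules and resetting into a tiny LiveCD system that dumps the RAM. The shorter paragraphs only imply two cases (physical access while Tails is running, and recovery after power-off), and the first is never named as a RAM dump, although the commit message says including it is the goal. Suggest naming both explicitly, for example "Whether the RAM is dumped from the running system or recovered after power-off with a cold boot attack, its contents can be analysed in a computer forensics laboratory". In the same new paragraph, "everything that have been achieved during the session" should read "everything that has been done during the session", which also matches the sentence before it.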