
Inception: Using FireWire to Circumvent Full-Disk Encryption



PC LOAD LETTER
4th January 2013, 18:01
Looks like if you utilize full disk encryption, you'll need to disable firewire. On Linux it looks like a grsec setting will protect you, though I'm not sure of the details - my system doesn't have firewire so I don't feel like looking into it.

http://www.breaknenter.org/projects/inception/?mwh=1


Inception is a FireWire physical memory manipulation and hacking tool exploiting IEEE 1394 SBP-2 DMA. The tool can unlock (any password accepted) and escalate privileges to Administrator/root on almost* any machine you have physical access to. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.

Inception aims to provide a stable and easy way of performing intrusive and non-intrusive memory hacks on live computers using FireWire SBP-2 (http://en.wikipedia.org/wiki/Serial_Bus_Protocol_2) DMA (http://en.wikipedia.org/wiki/Direct_memory_access). It is primarily intended to do its magic against computers that utilize full disk encryption such as BitLocker, FileVault, TrueCrypt or Pointsec. There are plenty of other ways to hack a machine that doesn’t pack encryption. Inception is also useful for incident response teams and digital forensics experts when faced with live machines.


Inception’s main mode works as follows: By presenting a Serial Bus Protocol 2 (SBP-2) (http://en.wikipedia.org/wiki/Serial_Bus_Protocol_2) unit directory to the victim machine over the IEEE1394 FireWire interface, the victim operating system thinks that an SBP-2 device has connected to the FireWire port. Since SBP-2 devices utilize Direct Memory Access (DMA) (http://en.wikipedia.org/wiki/Direct_memory_access) for fast, large bulk data transfers (e.g., FireWire hard drives and digital camcorders), the victim lowers its shields and enables DMA for the device. The tool now has full read/write access to the lower 4GB of RAM on the victim. Once DMA is granted, the tool proceeds to search through available memory pages for signatures at certain offsets in the operating system’s password authentication modules. Once found, the tool short circuits the code that is triggered if an incorrect password is entered.


More info from the tool's creator on protecting yourself:

http://www.reddit.com/r/netsec/comments/11dhke/inception_020_released_supports_dmaunlocking/c6lmab1


Thanks for all the Reddit love my friends! Hit me up with questions on Twitter (https://twitter.com/breakNenter)
To stay safe and protect against FireWire DMA attacks, here are a couple of suggestions:

Windows:
- Block the SBP-2 driver (http://support.microsoft.com/kb/2516445)
- Remove FireWire drivers from your system if you don't need to use FireWire

OS X:
- Don't panic - if you are using FileVault2 and OS X Lion (10.7.2) and higher, the OS will automatically turn off DMA when locked - you're still vulnerable to attacks when unlocked, though
- Set a firmware password (http://ilostmynotes.blogspot.com/2012/01/os-x-open-firmware-settings-use-nvram.html)

Linux:
- Disable DMA or remove the 1394 drivers (http://www.hermann-uwe.de/blog/physical-memory-attacks-via-firewire-dma-part-1-overview-and-mitigation) (see the 'Mitigation: Linux' section)

All of the above will impact FireWire in one way or the other. Unfortunately, this is a FireWire design problem, not an OS problem, and would have to be fixed in the SBP-2 protocol itself. DMA is good for speed, bad for security.
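The Linux mitigation above comes down to making sure the FireWire/SBP-2 drivers are never loaded. The following POSIX shell script is an added example, not code from the Inception project or from the quoted post: it audits lsmod-style output for the driver modules of both Linux FireWire stacks (the old ieee1394 stack: ieee1394, ohci1394, sbp2, raw1394; the newer "juju" stack: firewire_core, firewire_ohci, firewire_sbp2), checks a modules.builtin-style list for drivers compiled into the kernel where modprobe.d cannot help, and emits a modprobe.d fragment that blocks the modules. The lsmod and modules.builtin text it runs against is constructed for the demo, and the file name /etc/modprobe.d/firewire-dma.conf is an assumption.

```shell
#!/bin/sh
# Added example, not code from the Inception project or the quoted post.
# Audits a Linux host for the FireWire drivers that grant SBP-2 DMA and emits a
# modprobe.d policy that keeps them from loading. Module names cover the old
# ieee1394 stack (ieee1394, ohci1394, sbp2, raw1394) and the newer "juju" stack
# (firewire_core, firewire_ohci, firewire_sbp2).

DMA_MODULES="firewire_sbp2 firewire_ohci firewire_core sbp2 ohci1394 raw1394 ieee1394"

# Constructed lsmod output for the demo below (not captured from a real host).
SAMPLE_LSMOD='Module                  Size  Used by
firewire_sbp2          24576  0
firewire_ohci          45056  0
firewire_core          69632  2 firewire_sbp2,firewire_ohci
crc_itu_t              16384  1 firewire_core
e1000e                286720  0'

# is_dma_module NAME: succeed if NAME is one of the FireWire/SBP-2 drivers above.
is_dma_module() {
    for m in $DMA_MODULES; do
        [ "$1" = "$m" ] && return 0
    done
    return 1
}

# check_modules: read lsmod-style text on stdin and print every loaded
# FireWire/SBP-2 module, one per line. Exit status 0 means none is loaded;
# 1 means the host currently honours SBP-2 DMA requests from the port.
check_modules() {
    found=0
    while read -r name _rest; do
        if is_dma_module "$name"; then
            echo "$name"
            found=1
        fi
    done
    return $found
}

# check_builtin: read modules.builtin-style paths on stdin and print any FireWire
# driver compiled into the kernel itself. modprobe.d cannot block a built-in
# driver; only a kernel built without it (as Q does in this thread) removes that
# exposure. File names use hyphens (firewire-sbp2.ko) where lsmod shows underscores.
check_builtin() {
    found=0
    while read -r path; do
        base=$(basename "$path" .ko | tr '-' '_')
        if is_dma_module "$base"; then
            echo "$base"
            found=1
        fi
    done
    return $found
}

# render_policy: print a modprobe.d fragment. "install <mod> /bin/false" makes even
# an explicit "modprobe firewire_sbp2" fail; "blacklist" alone only suppresses the
# alias-based autoload that happens when the controller is probed at boot or hotplug.
render_policy() {
    for m in $DMA_MODULES; do
        printf 'install %s /bin/false\nblacklist %s\n' "$m" "$m"
    done
}

# Demo against the constructed sample. On a live host run instead (as root):
#   lsmod | check_modules
#   check_builtin < /lib/modules/$(uname -r)/modules.builtin
#   render_policy > /etc/modprobe.d/firewire-dma.conf   # assumed file name
#   rmmod firewire_sbp2 firewire_ohci firewire_core      # unload what is already up
echo "FireWire/SBP-2 modules loaded in the sample:"
if printf '%s\n' "$SAMPLE_LSMOD" | check_modules; then
    echo "  (none)"
fi
echo
echo "Suggested /etc/modprobe.d/firewire-dma.conf:"
render_policy
```

The `install ... /bin/false` line matters: a plain `blacklist` entry stops udev from autoloading the driver when the controller is enumerated, but it does not stop a later `modprobe` by hand or as a dependency, so the blacklist alone leaves the port one command away from being live again. The policy also does nothing for a driver compiled into the kernel, which is why the script checks modules.builtin separately.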

Q
6th January 2013, 14:28
When I was reading this I could only think: What idiots designed this?

Good to know though, thanks for sharing.

I'll remove 1394 support from my kernel config, it's not as if I ever used that port anyway :p

PC LOAD LETTER
7th January 2013, 02:59
When I was reading this I could only think: What idiots designed this?

Good to know though, thanks for sharing.

I'll remove 1394 support from my kernel config, it's not as if I ever used that port anyway :p
Well, it seems like a lot of this stuff was hastily designed for usability and not really tested for security (coughWEPcough). I'm not sure what guy proposed that raw unhindered memory access would be a good idea, and I'm not sure what guy approved that, but they should both be tied to a table and have a car battery hooked up to their nipples with alligator clamps.


Q, you use Gentoo, right? I think I remember you mentioning it before. I'm thinking about going back to it. I've been using Arch for ~6 years now and moved over from Gentoo when I got sick of the compile times (was on a 900 MHz Athlon machine then, now I have an AMD FX8120 box I built for ~$450). I think I got fed up at OpenOffice or maybe XFree86, one of those two, maybe something else took 24 hours to compile and I wanted to throw the machine out the window. I think it actually was OpenOffice.

Q
7th January 2013, 08:18
Well, it seems like a lot of this stuff was hastily designed for usability and not really tested for security (coughWEPcough). I'm not sure what guy proposed that raw unhindered memory access would be a good idea, and I'm not sure what guy approved that, but they should both be tied to a table and have a car battery hooked up to their nipples with alligator clamps.
Totally.


Q, you use Gentoo, right? I think I remember you mentioning it before.
Yes, I'm using it again. I have been on Ubuntu/Kubuntu for some time, but returned to Gentoo when I got a Core 2 Duo laptop (fast enough :p ).


I'm thinking about going back to it. I've been using Arch for ~6 years now and moved over from Gentoo when I got sick of the compile times (was on a 900 MHz Athlon machine then, now I have an AMD FX8120 box I built for ~$450). I think I got fed up at OpenOffice or maybe XFree86, one of those two, maybe something else took 24 hours to compile and I wanted to throw the machine out the window. I think it actually was OpenOffice.
Well, there is of course libreoffice-bin (I'm using that right now, as I got fed up with the compiling after revdep-rebuild wanted to spend another 6 hours at it ...).

I'm not sure how the AMD FX8120 compares with the Core 2 Duo, but I see that yours has 8 cores and runs at 3.1GHz, so it's most likely quite a bit faster than my dual-core. So, for what it's worth, here are some compile times of the biggest packages I have installed (I'll only take the latest compile of each package, so it might be above average due to factors like me using the laptop at the same time, for example):


Wed Dec 5 06:32:52 2012 >>> app-office/libreoffice-3.6.4.3
merge time: 6 hours, 19 minutes and 36 seconds.

Tue Jan 1 04:24:31 2013 >>> sys-devel/gcc-4.6.3
merge time: 2 hours, 25 minutes and 41 seconds.

Tue Jan 1 09:34:10 2013 >>> www-client/chromium-24.0.1312.45
merge time: 3 hours, 53 minutes and 33 seconds.

Mon Dec 10 03:38:51 2012 >>> www-client/firefox-17.0.1
merge time: 1 hour, 39 minutes and 18 seconds.

Sun Jan 6 19:40:31 2013 >>> kde-base/kdelibs-4.9.5
merge time: 1 hour, 15 minutes and 38 seconds.

Sun Jan 6 18:23:31 2013 >>> app-emulation/wine-1.5.21
merge time: 1 hour, 7 minutes and 5 seconds.

Of course, stuff like KDE and Xorg are these days split up into dozens/hundreds of packages, so you only install what you need or want.

I've recently moved to the unstable tree and so far I'm liking it.

Arch isn't too bad though I think (although I haven't run it in years), why move?

PC LOAD LETTER
7th January 2013, 18:08
Totally.


Yes, I'm using it again. I have been on Ubuntu/Kubuntu for some time, but returned to Gentoo when I got a Core 2 Duo laptop (fast enough :p ).


Well, there is of course libreoffice-bin (I'm using that right now, as I got fed up with the compiling after revdep-rebuild wanted to spend another 6 hours at it ...).

I'm not sure how the AMD FX8120 compares with the Core 2 Duo, but I see that yours has 8 cores and runs at 3.1GHz, so it's most likely quite a bit faster than my dual-core. So, for what it's worth, here are some compile times of the biggest packages I have installed (I'll only take the latest compile of each package, so it might be above average due to factors like me using the laptop at the same time, for example):



Of course, stuff like KDE and Xorg are these days split up into dozens/hundreds of packages, so you only install what you need or want.

I've recently moved to the unstable tree and so far I'm liking it.

Arch isn't too bad though I think (although I haven't run it in years), why move?
That's not too bad, nowhere near what it was with that ol' Athlon I used to run. My interest in Gentoo is more out of nostalgia, I used to use it quite a bit before I switched to Arch (had a Samba (for home backups) / SSH server running on Gentoo w/ TCP forwarding set up for a makeshift VPN to get around my high school's censorship software - they blocked Slashdot as 'hacking'), and when I was first learning Linux with the old Red Hat distros (7.3-8.0) there was an air of ... eliteness ... about Gentoo back then. But you're right about Arch - it's a damn good distro. I think I'll run it in a virtual machine to satiate my resurging interest in it so I don't kill my nice shiny Arch setup.


Was never a fan of KDE, though. Running awesome (http://awesome.naquadah.org/) right now with no DE.