2

I have no experience using Ubuntu before

I'm doing a point of sale project for a restaurant which will run in local Lan (offline not online). I will setup one mini PC as an Ubuntu web server. and my client will access into it via local lan via http request. The server will be placed inside the restaurant.

Is it possible to protect from someone who wants to steal my file or clone the entire disk and use it with another restaurant?

Or Ubuntu already has some mechanism inside to protect someone from doing this, e.g. password require before transfer file out of the computer? or password needed before clone the disk?

I know nothing about Ubuntu, can you please tell me the easiest way to protect my project from being stolen?

Braiam
  • 67,791
  • 32
  • 179
  • 269
Team
  • 21
  • 2

2 Answers2

1

Disk encryption only works to the point where you've got somebody manually unlocking it. If the server can boot itself and start up without human interaction, if somebody gains access, they've got the data.

Here are a few ideas ranging from basic to silly.

  • Lock the server in a box. Bolt the box to a wall. Treat it like a safe.

  • Make the restaurant contractually liable for the physical security of the software. Make it known that their copy is watermarked and if it ends up on a torrent site, they're liable for the lost sales. But do it without sounding like a douche.

  • Physical port blocking: Blank off any USB, serial, etc ports.

  • Glue SATA cables into their ports (and block other SATA ports).

  • Lock the BIOS. Disable other SATA ports. Disable USB. Disable everything you're not using.

  • Rebuild the kernel with make localmodconfig so the only drivers your kernel has is for the hardware it's dealing with.

  • Consider full-disk encryption with a physical key like a smart card or a good biometric system. Staff will leave smartcards in (because they've got better things to do) but biometric might work if you implement some sort of auto-shutdown at the end of the day.

  • Physical DRM. Dongles devices that form part of the code execution. They're really expensive to create and aren't insurmountable (cite: Autocad's torrid and failed relationship with dongles).

  • "Phone home" if the server is opened. Script something up that looks at internal light levels. If they increase dramatically, trigger a SMS via an attached dongle (you might be introducing a new attack vector).

A lot of these things don't just make the server more secure, they make it much less robust and harder to fix... Most of these countermeasures are at least an extra point of failure.

Consider that with most applications, their maximum shelf-life is five years. Making this cheap enough not to bother stealing might be a better strategy.

Oli
  • 293,335
  • What about if I make the server runs 24/7. and it need password to start running. And when I sell my project I fill the password to run it. after that if someone clone it, they need password to start the server? can they change the password or hack or maybe it is not worth time doing? anyway thank you so much for your creative solutions and your patient haha – Team Dec 20 '13 at 14:10
  • @Team: That solution would give some problems if for instance the power went out or something like that. I've gotten really good results using a usb to decrypt the drive (using full drive encryption). I did this by installing the decryption software onto the usb and make that bootable. I put a check in there that checks if you're still using the same bios it enters the password (a full 128 bit password). The same thing is also possible using a truecrypt extension that checks if you're still using the same bios before prompting: "enter password". I'll try to find where I got that extension – Akisame Dec 20 '13 at 14:29
  • ok so if they clone to another pc with other bios they will not be able to run the server? or they are able to run but not able to edit data? thank you very much for your suggestion my friend. can you please suggest me links or the program you use? for ubuntu? – Team Dec 20 '13 at 14:36
  • They will not be able to boot the server if the bios changed if you follow my suggestion. My friend here said that he used an bit of a obscure trick. He got truecrypt to check the bios version and info etc and used that as a password. It's quite hard to figure out what the password is (but once you've cracked the trick it's quite easy, it is a bit less secure than my previous suggestion). The plus side to this is that it is A LOT easier to setup than my suggestion and only someone how knows what he/she is doing will be able to crack it. – Akisame Dec 20 '13 at 14:46
  • "Make it known that their copy is watermarked and if it ends up on a torrent site, they're liable for the lost sales." How much money are you going to ask for if this happens? Millions? They're going to bet their business on someone (disgruntled employee/criminal/the cleaner) not talking a single PC from their office at any point ever? Good luck getting anyone to sign that contract! –  Mar 10 '17 at 16:13
0

Well if you are running a web server people can only access the files broadcast by the server. So this will be one directory and it's subdirectories. You can control access to these files further. Normally a standard server setup does not give access to scripts like PHP as they are run on the server. However, HTML and javascript code are always going to be possible to copy as that is how the web works. You send the HTML to their PC where it is rendered.

Julian Stirling
  • 2,889
  • Thank you very much for your answer. But as my server is placed inside the restaurant, can someone come and clone the entire hard disk then they get everything included my python files? is this concept possible? or can they just go to my server and control it because it is in the restaurant they can just walk into my server and do something with it? or even they get into my server they can't do anything? – Team Dec 20 '13 at 12:42
  • Physical security. The moment someone has physical access to your system, they can do anything. Just lock it up. – Journeyman Geek Dec 20 '13 at 12:54
  • From the setup installation of Ubuntu, you can choose to encrypt the disk. – blade19899 Dec 20 '13 at 12:56
  • if I choose encrypt the disk, even someone can physically get into my server, they can not decrypt it right? and they can not clone my entire server's hard disk? – Team Dec 20 '13 at 13:00
  • If someone physically gets to the computer, and plugs in an external drive, then yes they could clone it. Seems very unlikely. If you encrypt it they can clone the encrypted version then try to decrypt it at home. Perhaps in 20 years (maybe less, computers speed up) they may have your data! This is as secure as is possible apart from the option that you just don't have the project for fear that down the line a thief may break the encrypted version he physically stole years before. That thief probably is concentrating on bank's computers not yours! – Julian Stirling Dec 20 '13 at 13:16
  • they will because they want to get my program and sell it or use it for free t-t is there anyway to protect or there is no way? like password to start to run. So if they get the entire Harddisk but do not have password to start to run or something like that? – Team Dec 20 '13 at 13:20
  • If the disk is encrypted then without a password they wont be able to get the data off it for years if ever. The US government use 256Bit encryption for top secret files. Is that secure enough? – Julian Stirling Dec 20 '13 at 13:30
  • I mean I do not care about weather they can edit the data inside or not. My program has an CMS inside it, so if they can clone and run it on the new Hard disk that will threat me. will encryption protect them from running it on their new Harddisk? or it is just protect them to not be able to edit the data? (in this case they can use CMS via http request to edit the data). they will get into the machine for sure because the owner allows them to do ^^" – Team Dec 20 '13 at 13:36
  • 1
    I think you either need to edit the post to be very clear about exactly what you are worried about. i.e. I have software in PHP/flash, on a web server. This is what I am worried people may do. This is what I want them to do. Or take this to a computer security forum. I am starting to get the feeling that this may be a joke and you are just trying to pull me into an endless conversation? – Julian Stirling Dec 20 '13 at 13:39
  • sorry, this is not a joke. the above comment is my last question. if you could answer that would be great for me because I really need it. thank you very much – Team Dec 20 '13 at 13:43
  • let us continue this discussion in chat – Julian Stirling Dec 20 '13 at 13:44
  • sorry I do not have enough reputation to get into it t-t it needed 20 can we talk on email? my email is tammarat.team at gmail.com – Team Dec 20 '13 at 13:48