In 2000, Microsoft published a white paper called "10 Immutable Laws of Security."  Although it seems so long ago now, the principles that the paper describes are indeed timeless. Law number three addresses physical security: If a bad guy has unrestricted physical access to your computer, it isn't your computer anymore.
 "The 10 Immutable Laws of Security" (http://www.microsoft.com/technet/archive/community/ columns /security/ essays /10imlaws.mspx).
The article then lists "a sampling, going from stone age to space age," of the damage this bad guy can do:
Mount the ultimate low-tech denial-of-service attack by smashing your computer with a sledgehammer.
Unplug the computer, remove it from your facility, and hold it for ransom.
Boot the computer from a floppy disk and reformat the hard drive. BIOS passwords won't help: he can simply open the case and replace the BIOS chips (among other ways of removing BIOS passwords).
Remove the hard drive from your computer, install it in another one, and read it.
Duplicate your hard drive and take it home; now he's got as much time as he needs to conduct brute-force attacks against your password database, either by guessing or using cracking programs.
Replace your keyboard with one that contains a radio transmitter, thereby monitoring everything you type.
Some have criticized this law as being overly simplistic; there are occasions, they claim, when you can't ensure good physical security. The popular example is the laptop computer. "How can we keep our laptops secure if they get stolen?" we are often asked. Honestly, you can't be completely secure from that. We return to this topic later in the chapter