|
|
|
| Authored by: Anonymous on Thursday, February 28 2013 @ 07:51 AM EST |
Linus's language in The News Pick is way out of place on
Groklaw. A single link might be more appropriate with a
brief explanation/warning as to why. I hope he does not
talk like that around children; not a good example at all.
[ Reply to This | Parent | # ]
|
| |
| Authored by: JamesK on Thursday, February 28 2013 @ 11:18 AM EST |
Of course the big question remains is how the company that has a track record of
insecure software gets to throw this up in front of an OS that's clearly more
secure. And, as PJ mentioned recently, shouldn't this be considered an
anti-trust issue?
---
The following program contains immature subject matter.
Viewer discretion is advised.[ Reply to This | Parent | # ]
|
| |
| Authored by: JK Finn on Thursday, February 28 2013 @ 12:12 PM EST |
Linus Torvalds: I will not change
Linux...
(that one comes with a language warning...)
A key quote
there is this (Peter Jones, a member of the
Fedora Engineering Steering
Committee):
"Red Hat will not sign kernel modules built by an
outside
source. We're simply not going to sign these kernel modules.
That's
one of the big reasons we want a setup where they can
sign their own modules in
the first place."
Red Hat will not be signing those modules, but
they want
their customers to be loading them anyway, so the only
solution they
see is for the module creator to have
Microsoft sign them. Since they only sign
PE format
binaries, loading and parsing such binaries would need to be
supported in the Linux kernel.
The obvious counter for this is that if
Red Hat can't
trust those binaries enough to sign them, there's definitely
no
reason for the mainstream kernel to do so. Other
distributions recognize that
the trust model as presented is
utterly broken for any other source than
Microsoft and are
not forcing signed kernel modules even in a "securely
booted" environment, but RH has decided otherwise.
Considering that MS
has already at least once signed a
third party bootloader shim with the wrong
key (ZDNet article) and their recently apparent
diligence in certificate management (Azure Cloud, remember?)
it
is only a matter of time when a remotely exploitable Win8
driver signed with an
irrevocable key appears in the wild.
If the driver happens to be one of the
proprietary blobs
chances are that the same exploit exist in the Linux module
as well. When that happens the ones unable to replace the
driver themselves
are those using Windows 8 and those using
a RH distribution.
I think
Torvalds is right here, language issues aside.
Either the distribution signs
everything they support
or encourage the user to do so. This
model is just
broken.
JK Finn [ Reply to This | Parent | # ]
|
| |
| Authored by: Anonymous on Thursday, February 28 2013 @ 12:45 PM EST |
That mistake is in using the word "user".
I agree with everything he
says if he replaces "user" with "owner of the hardware".
In single person
households, the owner is the user - they are synonymous.
But the moment
you have more then one person using particular hardware, not all users are
owners. It's not so synonymous.
I have a newphew staying with me. I own
my computer, I've set up an account for him so he can use it.
I'm the
only one that has access and authority to decide what software gets installed
into the main system... such as a kernel module being loaded.
The newphew
could download software set to be installed "user locally" and run that if he'd
like... but he - as user and not owner - doesn't get to decide what goes into
the system files.
Of course, I suspect Linus is refering to "user" in the
sense of "the person who can log in as root". But it's a subtle difference -
that user is not necessarily owner/admin - that I think would make an important
point in the discussion. The security model being discussed should be available
to root in some way that precludes non-authorized users.
RAS[ Reply to This | Parent | # ]
|
| |
| Authored by: Anonymous on Thursday, February 28 2013 @ 01:31 PM EST |
until one day millions of Windows 8 machines refuse to boot.
Because of the crazy ways different mobos implement UEFI
and MS' extensions to it, the fix will be long and painful, and
will be the start of a mass migration to Linux. The Linux industry
will be unprepared and some distros will go to the wall.
The survivors will be those that apply proper security in
a usable fashion.
[ Reply to This | Parent | # ]
|
| |
| Authored by: Anonymous on Thursday, February 28 2013 @ 02:36 PM EST |
Microsoft has already sold back door keys to customers... and Anonymous broke
into it and had Bradley Manning use it. How does UEFI make anything anymore
secure? It doesn't, it's just vendor lock in of the worst kind and of huge
proportions.[ Reply to This | Parent | # ]
|
|
|
|
|
