|
| Authored by: Anonymous on Saturday, March 02 2013 @ 03:44 PM EST |
"...don't you see a need for being able to trust someone besides yourself
or Microsoft?"
Its not about "a need", its about who picks the trustee...
If that "trust" is determined by someone else, and I have no say, then
I don't trust. And that includes "distro". I don't use Ubuntu partly
because they have a confirmed habit of selling "trust" to commercial
interests. (much the same reason I don't use Windows) So why would I trust their
key?
But even without the buntu commercialization efforts, I wouldn't trust what I
don't know. I use Slackware, but if it suddenly required running signed keys
that I didn't control, I'd switch to BSD.
Its my hardware, bought and paid for, and my receipt says "sales
receipt" not "license". So I own it, and the terms of use are my
own, not someone else who thinks they know my needs better than I do.
The obvious solution is don't get into the situation in the first place. If the
hardware advertises secure boot Win8 kool-aid compliance, buy something else.[ Reply to This | Parent | # ]
|
- No - Authored by: PJ on Saturday, March 02 2013 @ 04:25 PM EST
- Here is a link that might help..... - Authored by: dacii on Saturday, March 02 2013 @ 06:21 PM EST
- No - Authored by: AntiFUD on Saturday, March 02 2013 @ 06:38 PM EST
- No - Authored by: PJ on Saturday, March 02 2013 @ 09:26 PM EST
- No - Authored by: Wol on Saturday, March 02 2013 @ 08:01 PM EST
- No - Authored by: PJ on Saturday, March 02 2013 @ 09:25 PM EST
- Yes - Authored by: Anonymous on Saturday, March 02 2013 @ 09:46 PM EST
- Yes - Authored by: PJ on Sunday, March 03 2013 @ 01:39 AM EST
- Yes - Authored by: Anonymous on Sunday, March 03 2013 @ 02:53 AM EST
- LVM - Authored by: artp on Saturday, March 02 2013 @ 11:18 PM EST
- No - Authored by: Anonymous on Sunday, March 03 2013 @ 02:01 PM EST
- USB disks, Knoppix and DD - Authored by: cricketjeff on Sunday, March 03 2013 @ 04:53 PM EST
- imho, dont use lvm on laptops - Authored by: Anonymous on Monday, March 04 2013 @ 07:58 AM EST
- I agree with you - Authored by: jbb on Sunday, March 03 2013 @ 07:54 AM EST
- I agree with you - Authored by: Anonymous on Sunday, March 03 2013 @ 03:30 PM EST
- I agree with you - Authored by: Anonymous on Sunday, March 03 2013 @ 11:16 PM EST
| |
| Authored by: cassini2006 on Sunday, March 03 2013 @ 04:04 PM EST |
Following the secure boot logic, only user generated keys should be trusted.
If you want to trust something your distribution sends, then the key should be
resigned by the user. This avoids the problem of someone breaking the
distribution's master key, and then sending around malware accordingly.
The
"breaking the master key problem" is the problem as with Microsoft's approach
(b). Sooner or later, someone will break Microsoft's key, and the key cannot be
revoked. If Microsoft's key was ever revoked, then a flotilla of Windows PCs
would instantly stop working and that would be bad.
The security model
changes significantly when the key revocation is done on a per user basis as in
(c). With user based keys, you are only wiping out one computer at a time.
Also, it is possible to develop a procedure where the users are appropriately
notified of what is going on, what happened, and downtime is scheduled
accordingly. Importantly, for uninfected PCs, updates could be blocked until a
secure key-chain was established.
It could be argued that if malware was
capable of rooting a computer, and forging a distribution key, then it could
also forge the user's specific key. At this point, the secure model (c)
degenerates into (a), running Linux as normal and attempting to design a secure
O/S. Hence, the observation that the secure boot model is a waste of time.
However, for some applications, the modest security improvement would be
welcome. [ Reply to This | Parent | # ]
|
|
|
|
