Page 7 of 10 FirstFirst ... 56789 ... LastLast
Results 61 to 70 of 94

Thread: The State Of Linux Distributions Handling SecureBoot

  1. #61
    Join Date
    Apr 2010
    Posts
    1,946

    Default

    Quote Originally Posted by ShadowBane View Post
    Really, any of the remote root exploits listed here would allow the installation of bootloader viruses...
    http://www.exploit-db.com/platform/?p=linux

    Bootloader exploits are attractive because they are very hard to detect from a booted computer. There is no reason to expect that people using Linux would never be targeted by such attacks.
    Sure nice database of non-working exploits(hint: outdated) , very valuable for studying.

  2. #62
    Join Date
    Apr 2011
    Posts
    114

    Default

    Quote Originally Posted by crazycheese View Post
    First, they need to do that. That's what other layers are up to.
    Second, even if have done that, they only defeated one layer. They can't inject kernel code, only in userspace. And userspace can be CRCed as well - but thats outside even of SecureBoot scope.
    If they can write directly to your hard drive then they can inject kernel code by just replacing your kernel or bootloader and rebooting. That's the whole point.

    The difference is that my "version" does not require you to "surrender" to me or be executed.
    Your version requires everyone to have two computers if they want protection. It also requires every user to generate a key and store it on the other computer. It also means that they have to regenerate their signature every time they update the kernel or bootloader, and to do that they have to connect it to the other computer. It's user-hostile and unworkable.

    Don't take this as an absolute endorsement of Microsoft's approach. I'd prefer that a neutral third party be in charge of handling signatures. But nobody's been willing to spend the millions of dollars that would be required for that to happen, and so it hasn't.

  3. #63
    Join Date
    Apr 2010
    Posts
    1,946

    Default

    Quote Originally Posted by mjg59 View Post
    Again, please describe a solution that Microsoft could have used to prevent bootloader malware without also preventing booting of unsigned Linux. They worried about their OS. They came up with a solution that works for their OS. If you don't like their solution, describe a better one.
    I have pointed out the correct solution in the end of the post above.
    They are playing around with trust games, where they themselves trust only in own closed cycle society, but require others to trust them.
    This will never work, unless they lie and FUD.

    They just GPL the whole codebase and gain instant trust from everyone, that includes all cryptomechanisms.
    Then, they just sell copies with one-slot serial. I think ID invented it with Quake3....
    Still... they will go bankrupt in next 5 years. Because they exist only due to monopoly which will stop existing once they GPL the system.
    Because in this system only the top contributor gets money, not the top brawler.

    ----
    I will address whole three quotes seperately and then as one whole, because they line up forming a proof.
    Quote Originally Posted by mjg59 View Post
    That's what I said. You're free to sell a computer running Windows 8 without Secure Boot. You don't get the Microsoft certification. Since you're not forced to ship with Secure Boot enabled (merely given an incentive to), it's probably not an antitrust violation.
    No, the link pointed out that "You don't get the Microsoft certification" means "you quit freely our 'protection', meet you at your own funeral".

    Quote Originally Posted by mjg59 View Post
    The touch hardware needs to be certified, not the entire platform.
    No, the hardware case is not important. The important is the INCIDENT, which proves that uncertified systems (see above) can and will have reduced functionality, while paying SAME price.

    Quote Originally Posted by mjg59 View Post
    Absolutely, which is why Microsoft require that it be possible to replace the Microsoft keys on any x86 systems. Anyone with access to the firmware menu can install their own keys.
    And here it comes.

    No one will risk own extinction.

    No one will deactivate SecureBoot. At least, in living form on the market.

    You can't replace keys. Consider this crude code example:

    Code:
    if (microsoft_certified == true) goto work;
    
    die_due_to_high_costs_and_no_support_from_monopoly_owner(OEM_pointer);
    
    if (microsoft_certified == false) 
    printf("Freedom..Choice...Fairness... You replace keys here...");
    
    work:
    // (obfuscated code here)
    Last edited by crazycheese; 12-28-2012 at 07:16 PM.

  4. #64
    Join Date
    Apr 2010
    Posts
    1,946

    Default

    Quote Originally Posted by mjg59 View Post
    If they can write directly to your hard drive then they can inject kernel code by just replacing your kernel or bootloader and rebooting. That's the whole point.
    CRC missmatch on reboot. Or segfault. Or both.

  5. #65
    Join Date
    Nov 2007
    Posts
    1,353

    Default

    Quote Originally Posted by mjg59 View Post
    Again, please describe a solution that Microsoft could have used to prevent bootloader malware without also preventing booting of unsigned Linux. They worried about their OS. They came up with a solution that works for their OS. If you don't like their solution, describe a better one.
    I'm tired of trying new ways to say the same thing.... So I'll just say it the exact same way....

    THATS NOT OUR PROBLEM!!!

    IF MS is worried about their OS, then let them worry about thier OS. Leave ours alone please.

  6. #66
    Join Date
    Mar 2011
    Posts
    326

    Default

    I'm going to play devils advocate for a second.

    Microscam software is too full of holes to protect itself from bootloaders. I understand that this is their solution and it's a great one (as long as it can be turned off via bios or jumper).

    On another note I think anyone who uses Windows is basically asking for problems like this. It has a large user base so is targeted more often. I would say the average user is less than computer savvy.
    It's far too easy to run something bad or have it hid in something that looks like a mp3. Too easy to compromise with out of the box configurations or too expensive to pay the virus scanner or spyware fees.
    Oh and hunt for your driver's scam sites come up first in google! Yup some system they got, they need to do this, it's their only hope!

    Side note Linux users have to be careful, i use su instead of sudo because you never know who will try to do what on your computer when your back is turned!

  7. #67
    Join Date
    May 2008
    Posts
    209

    Exclamation If you want to dual-boot or install over Windows, it is your problem

    Quote Originally Posted by duby229 View Post
    I'm tired of trying new ways to say the same thing.... So I'll just say it the exact same way....

    THATS NOT OUR PROBLEM!!!

    IF MS is worried about their OS, then let them worry about thier OS. Leave ours alone please.
    So, how do you stop a rootkit that installs a tiny Linux system, enough to boot, change stuff outside of Window's view, and ensures it always is loaded, and undetectable (because if you control the bootchain, your part of the disk could always be before the start of the disk, or after the end).

    One option is to not allow anything else to be installed, and never let your OS be in a position to have the bootloader changed.

    If you do want to allow system-level changes, or something like dual-boots, or even other OSes, you need a way to make sure only "good" operating systems and programs can make those changes.

    Another way to look at it is, how can you make sure the user is in control of the dual-booting, if it's possible for the user to not even be aware they are dual-booting/something has changed?

  8. #68
    Join Date
    Aug 2012
    Posts
    70

    Default

    Lot of HP, Lenovo, and other manufactures boards doesn't load linux disabling or not, doesn't matter if signed or not.
    This just doesn't work. There is something more than Security boot.

  9. #69
    Join Date
    May 2008
    Posts
    209

    Default

    Quote Originally Posted by nightmarex View Post
    I'm going to play devils advocate for a second.

    Microscam software is too full of holes to protect itself from bootloaders. I understand that this is their solution and it's a great one (as long as it can be turned off via bios or jumper).

    On another note I think anyone who uses Windows is basically asking for problems like this. It has a large user base so is targeted more often. I would say the average user is less than computer savvy.
    It's far too easy to run something bad or have it hid in something that looks like a mp3. Too easy to compromise with out of the box configurations or too expensive to pay the virus scanner or spyware fees.
    Oh and hunt for your driver's scam sites come up first in google! Yup some system they got, they need to do this, it's their only hope!

    Side note Linux users have to be careful, i use su instead of sudo because you never know who will try to do what on your computer when your back is turned!
    Microsoft's latest OSes are pretty damn good- look here:
    http://thenextweb.com/microsoft/2012...bilities-list/

    In the top 10 vulnerabilities, there is not a single MS product to be found- it's dominated by Java & Flash (which are cross-platform).

    (If you'd like to see the source article, it's here (at the bottom): http://www.securelist.com/en/analysi...lution_Q3_2012

    The Microsoft of today is not the Microsoft that put out Windows XP, and sometimes, the attackers are just so far ahead of you, there's nothing you can do (see Flame & Duqu).

  10. #70
    Join Date
    Nov 2007
    Posts
    1,353

    Default

    Quote Originally Posted by dashcloud View Post
    Microsoft's latest OSes are pretty damn good- look here:
    http://thenextweb.com/microsoft/2012...bilities-list/

    In the top 10 vulnerabilities, there is not a single MS product to be found- it's dominated by Java & Flash (which are cross-platform).

    (If you'd like to see the source article, it's here (at the bottom): http://www.securelist.com/en/analysi...lution_Q3_2012

    The Microsoft of today is not the Microsoft that put out Windows XP, and sometimes, the attackers are just so far ahead of you, there's nothing you can do (see Flame & Duqu).
    Thats what people said about XP.... "This isnt gonna be like ME"... Thats what people said about Vista. Its what people said about 7. They are ALL the same. Windows 8 -WILL- get just as badly infected as the rest of them did.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •