To Secure Boot or Not To Secure Boot...

I just bought a new desktop which of course had Windows 8 installed. 
Just my opinion, but I don't think Windows 8 is the turd it's made out 
be.  I loaded Classic Shell to get the start menu back and it's 
basically back to normal Windows--except that they've taken away Aero 
and everything looks like Windows 3.1 again.

Regardless, after doing a lot of reading about Secure Boot and the 
associated problems I wanted to try to dual boot Win 8 with Kubuntu.

I never got out of the gate.  For some reason I can't get Kubuntu 13.04 
to boot from usb or cd with secure boot enabled.  I get a message about 
an "Empty Security Header" and it locks up.

So I replaced the original hard drive with one of my own,  and proceeded 
to install Kubuntu in UEFI mode but with Secure Boot disabled.  I'm 
going to set the original hard drive aside for a while and see how 
things work out without Windows to fall back on.

My question for the Linux experts is this: Am I any less safe from a 
security standpoint running Linux without Secure Boot than I am with 
Windows with it?

Even with Secure Boot, I don't feel comfortable doing any kind of 
banking with Windows.

Thanks,
kyfho
0
kyfho
8/11/2013 2:35:29 PM
grc.techtalk.linux 3969 articles. 0 followers. Follow

7 Replies
1009 Views

Similar Articles

[PageSpeed] 48
Get it on Google Play
Get it on Apple App Store

On 08/11/13 10:35, kyfho wrote:

<snip>

>
> My question for the Linux experts is this: Am I any less safe from a
> security standpoint running Linux without Secure Boot than I am with
> Windows with it?

No. Don't know the stats, but I'd guess that most banking malware
infections are downloaded into their victims from the web (e.g. 0-day
browser exploits, infected media files, etc.), or via contaminated flash
drives, and typically not through physical access black-bag jobs

In general you're much safer with Linux - a properly-configured Linux
box remains less vulnerable than a typically-configured Windows box.
Even presuming you set up the Windows box carefully and practiced
safe-hex, you would still be the primary target of most attacks - Linux
being a minor player on the web.

Which begs the question, what additional protections are provided
Windows with TCPA/secure boot?

This is the use of TPM by one Linux add-on; you'd have to tweak your kernel:

"The Enforcer is a Linux Security Module designed to improve integrity
of a computer running Linux by ensuring no tampering of the file system.
It can interact with TCPA hardware to provide higher levels of assurance
for software and sensitive data.

It can check, as every file is opened, if the file has been changed, and
take an admin specified action when it detects tampering. The actions
can be any combination of log the error, deny access to the file, panic
the system, or several operations that work with the TPM.

The Enforcer can also work with the TPM to store the secret to an
encrypted loopback file system, and unmount this file system when a
tampered file is detected. The secret will not be accessible to mount
the loopback file system until the machine has been rebooted with
untampered files. This allows sensitive data to be protected from an
attacker.

The Enforcer can also bind specific files so that only specific
applications can access them (for example, only apache is allowed to
access apache's secret ssl key). This means that even if someone
compromises your system, the attacker will not be able to steal critical
files.

Finally, the Enforcer can make sure that no files added to directories
after its database is built are allowed to be accessed."


<http://sourceforge.net/projects/enforcer/>

It uses LILO w/TCPA instead of GRUB :-)

>
> Even with Secure Boot, I don't feel comfortable doing any kind of
> banking with Windows.

Good.

FWIW, I've discontinued banking and stock portfolio management using -
Linux - follow some of the discussions on SSL attacks.

In the U.S., by treasury rules you're generally toast if your bank or
broker account or transaction is electronically hacked and you don't
catch it within hours. Credit card transactions come under different
rules, and you can be compensated for bogus charges - so restrict online
to CC; allow your CC company to auto-debit a bank account somewhere and
you just monitor the charges.







0
Roger
8/11/2013 6:54:54 PM
On 08/11/2013 02:54 PM, Roger Parks wrote:

> It uses LILO w/TCPA instead of GRUB :-)
Yikes!!  I'm doomed.  Lots of good info though.
>
>
> FWIW, I've discontinued banking and stock portfolio management using -
> Linux - follow some of the discussions on SSL attacks.
>
> In the U.S., by treasury rules you're generally toast if your bank or
> broker account or transaction is electronically hacked and you don't
> catch it within hours. Credit card transactions come under different
> rules, and you can be compensated for bogus charges - so restrict online
> to CC; allow your CC company to auto-debit a bank account somewhere and
> you just monitor the charges.
>
>

My understanding is that Federal �Regulation E� limits consumer 
liability to $50 if reported within two days of discovery.  Businesses 
though don't have this protection.

Is this not correct?
0
kyfho
8/11/2013 8:53:34 PM
On 08/11/2013 10:35 AM, kyfho wrote:
> 
> My question for the Linux experts is this: Am I any less safe from a 
> security standpoint running Linux without Secure Boot than I am with 
> Windows with it?

There is no such thing as Linux /with/ "Secure Boot", and "Secure Boot" 
has nothing to do with security. So the answer is No. You're still 
better off.

> Even with Secure Boot, I don't feel comfortable doing any kind of 
> banking with Windows.

Secure Boot is the marketing term MSFT used to hide the true intention 
of their revised scheme, which is to lock people out of using their 
computers with anything other than software bought from or through 
Microsoft, or with Microsoft's permission.

-- 
Mark Warner
MEPIS Linux
Registered Linux User #415318
....lose .inhibitions when replying
0
Mark
8/11/2013 10:32:06 PM
On 08/11/13 16:53, kyfho wrote:
> On 08/11/2013 02:54 PM, Roger Parks wrote:
>
>> It uses LILO w/TCPA instead of GRUB :-)
> Yikes!!  I'm doomed.  Lots of good info though.
>>

LILO is much easier to use than GRUB, IMHO


>>
>> FWIW, I've discontinued banking and stock portfolio management
>> using - Linux - follow some of the discussions on SSL attacks.
>>
>> In the U.S., by treasury rules you're generally toast if your bank
>>  or broker account or transaction is electronically hacked and you
>>  don't catch it within hours. Credit card transactions come under
>> different rules, and you can be compensated for bogus charges - so
>>  restrict online to CC; allow your CC company to auto-debit a bank
>>  account somewhere and you just monitor the charges.
>>
>>
>
> My understanding is that Federal “Regulation E” limits consumer
> liability to $50 if reported within two days of discovery.
> Businesses though don't have this protection.
>
> Is this not correct?

No; I believe that is indeed correct - 48 hours and $50 unless the bank
publishes a different policy. I searched for policies a few years ago,
and found some that were even more draconian, and some very
customer-friendly.

I simply refuse to make a daily check to see if a withdrawal occurred
while I was asleep, so have disabled online transactions at my banks.
(Though one bank will now send me an email  upon receiving a withdrawal
transaction).

I note that the same mechanism can transfer cash out of your stock
brokerage account; but if you convert any cash into a fund, the
transference can not occur until the fund is first sold - which requires
action on the part of your broker.


0
Roger
8/11/2013 10:38:48 PM
On 08/11/2013 06:32 PM, Mark Warner wrote:

> There is no such thing as Linux /with/ "Secure Boot", and "Secure Boot"
> has nothing to do with security.So the answer is No. You're still
> better off.


Secure Boot is supposed to provide protection from bootkits/rootkits by 
requiring boot loaders and kernels to be digitally signed before they 
can be executed.  I guess my question could have been better phrased as 
"Is Secure Boot such a game changer that a Linux user would feel 
comfortable using Windows for something like banking?"  My guess is that 
you are still in the "NO" column. :-)


Even Linus Torvalds in this short youtube video says Secure Boot is a 
good idea even though it can be used "for horribly bad things" which I 
suppose was a dig at Microsoft's intentions.

http://www.youtube.com/watch?v=eRSiWtZgIcI

Thanks,

kyfho




0
kyfho
8/12/2013 12:58:51 AM
On 8/11/2013 8:58 PM, kyfho wrote:
> 
> Even Linus Torvalds in this short youtube video says Secure Boot is a 
> good idea even though it can be used "for horribly bad things" which I 
> suppose was a dig at Microsoft's intentions.
> 
> http://www.youtube.com/watch?v=eRSiWtZgIcI

I can't imagine Linus is endorsing Secure Boot as Microsoft has 
implemented it. Which is what we are faced with at the moment. Handing 
over control of your machine's boot mechanism to MSFT in exchange for an 
incremental security bump??? I think not.

-- 
Mark Warner
....lose .inhibitions when replying
0
Mark
8/12/2013 5:45:11 PM
kyfho wrote:
> Secure Boot is supposed to provide protection from bootkits/rootkits by 
> requiring boot loaders and kernels to be digitally signed before they 
> can be executed.  I guess my question could have been better phrased as 
> "Is Secure Boot such a game changer that a Linux user would feel 
> comfortable using Windows for something like banking?"  My guess is that 
> you are still in the "NO" column. :-)
> 
> 
> Even Linus Torvalds in this short youtube video says Secure Boot is a 
> good idea even though it can be used "for horribly bad things" which I 
> suppose was a dig at Microsoft's intentions.

yes, that's what it's supposed to do, make sure the core components of 
the operating system haven't been compromised.  microsoft of course 
knows more about their operating system than even rootkit programmers 
do, so their rootkit scanner that runs on patch tuesday should pick 
EVERYTHING up without a problem.  except for rootkits that block the 
running of the rootkit detector somehow... and even they might be hard 
to make work, ms has everything locked down, and doesn't need secure 
boot... for the core anyway, everything else is a nest of wtf's.

for a linux user, unless the installer for the rootkit is truly magical, 
it won't work on most installs, and will probably be noticeable if they 
did manage to make a change.  the combinations of bootloaders, various 
kernel locations, kernel versions, the problem that the linux kernel is 
pretty monolithic for most distros, it'll be a bit of a wedge to drive. 
  with windows, there's one file to deal with, same version of it for a 
whole string of windows versions, never changing locations or names and 
small size would make it an easy change.  adding to the fact that 
there's really only one windows distro in each generation, even the ones 
labeled for different purposes, just flags being set in the registry, 
when one rootkit works, it'll pretty much always work.

the problem with microsoft being the one that does the licensing, is... 
that they basically have monopoly.  if they get it into their head that 
it'd be a grand idea to tell manufacturers that they won't support 
hardware with the option to disable secure boot, linux users are screwed 
till a legal challenge is mounted and won against ms.  even the biggest 
motherboard manufacturers will get on their knees and open wide at the 
prospect of losing such a big market.

those linux distros that -have- the secure boot headers, if microsoft 
says no disabling, then those distros will be our only option if we want 
the coolest new hardware.  with steam working on linux now, it could be 
a bigger problem than it was, not too long ago the standard linux user 
would be 'latest hardware?  my tape drive still works, i don't need a 
new one'.
0
jim
8/17/2013 8:31:12 PM
Reply:

Similar Artilces:

security too secure
Name: joe Product: Firefox Summary: security too secure Comments: The security thing won't let me in this sight no matter how I accept, confirm, get certificate, etc. https://www.vtext.com/customer_site/jsp/messaging_lo.jsp Browser Details: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-GB; rv:1.9.1b4) Gecko/20090423 Firefox/3.5b4 From URL: http://hendrix.mozilla.org/ Note to readers: Hendrix gives no expectation of a response to this feedback but if you wish to provide one you must BCC (not CC) the sender for them to see it. ...

How secure is secure?
Thanks to this group and all the high tech individuals who frequent it I have learned how to protect my PC from the inside out. But what about security risks to my info 'before' it gets to my computer? Like my mail box on the server. Could someone hack into that and thumb through my mail? If so, how would I ever know? (The short story) We have a rogue employee at my work who one day decided to run the web site, she got in tight with the ISP, got tools to set and delete passwords on a protected directory on the server. Who knows if she has telnet access to other things, li...

when is secure, secure?
Lo everyone, I wrote a custom authentication handler for PureFTPD, using a combination of authentication methods, for about 4 different types of users. So far, from testing it, it does look to work properly, and does it's job pretty well (and fast). I use #!/usr/bin/perl -W as well as use Strict, and use warnings, and the code returns no errors or warnings when run. I am right to presume that this basically only really tells me the my syntax and structure of the application is right? What's a good way to see whether it is actually SECURE... There is a couple of lines of...

Secure By Design: How Guardian Digital Secures EnGarde Secure Linux
"EnGarde Secure Linux is not just another "repackaged" Linux distribution, but a modern open source system built from the ground up to provide secure services in the threatening world of the modern Internet."... http://www.linuxsecurity.com/content/view/125195/171/ ...."The Community edition of EnGarde Secure Linux is completely free and open source, and online security and application updates are freely available with GDSN registration."... http://www.engardelinux.org/modules/index/index.cgi -- js ...

Schneier on Security: Linux Security
Schneier on Security: Linux Security http://www.schneier.com/blog/archives/2005/01/linux_security.html *********************************************************** Quote *********************************************************** I'm a big fan of the Honeynet Project (and a member of their board of directors). They don't have a security product; they do security research. Basically, they wire computers up with sensors, put them on the Internet, and watch hackers attack them. They just released a report about the security of Linux: =====================================...

Torvalds strongly objects to Windows 8 secure boot keys in the Linux kernel
Torvalds strongly objects to Windows 8 secure boot keys in the Linux kernel Summary: Linux founder Linus Torvalds makes no bones about it. He thinks inserting signed binaries into the Linux kernel is "moronic." http://www.zdnet.com/torvalds-strongly-objects-to-windows-8-secure-boot-keys-in-the-linux-kernel-7000011811/ Time to kiss binaries goodbye is my take and let Linux be the standard. -- Jimmy Johnson Ubuntu 12.04 - AMD64 - EXT4 - KDE 4.8.5 at sda9 Registered Linux User #380263 On 2/28/2013 10:22 AM, Jimmy Johnson wrote: > Torvalds strongly objects to...

Microsoft confirms that UEFI 'secure boot' might lock out Linux from new PC's
Can anyone list machines that we can still load Opensuse or Linux on in the future? This article shows that Microsoft is going to lock their machines to New Windows only. 'Microsoft confirms that UEFI &#039;secure boot&#039; might lock out Linux and older versions of Windows from new PCs | ZDNet' (http://tinyurl.com/3gwbcls) -- darren787 ------------------------------------------------------------------------ Any system that has UEFI instead of BIOS has this potential. IF the OEM decides to implement it and does not provide a way to turn it off it cou...

UEFI Secure Boot
Steve, please revisit your understanding of the UEFI Secure Boot issue. I think you've misrepresented the situation in Microsoft's favor. Microsoft have made it clear that they will not require that OEMs allow end users to either disable or add keys to their UEFI firmware. They have shifted the blame and simply say that if an end user cannot use another operating system, it's the OEM's fault. Some OEMs may make it easy to install other operating systems and some may make it impossible. The OEMs have little incentive to support users installing alternative operating sy...

security with DSL and boot up
If one has DSL on all the time with modem on and hooked up to computer and one turns on their computer,is the computer vulnerable at any time from hacking during the boot up process. I have noticed on several different computers that the anti virus and firewall icons appear last in the tray. Does this mean these security programs turn on last and leave the computer open to attack until they are fully turned on? I always turn my computer and modem off when not in use(energy savings).I turn my computer on first then my modem. Joe K" <"Joe K <"Joe K"@myhome.com...

Securing the boot environment?
Hi I am not sure if this is the correct place to ask this question but if not pls point me to the proper place pls. :) This is for Novell for a desktop computer with no server and running just on windows 7. Like to ask how does novell secure the booting enviroment when the computer is turned on? Can users enter f8, advance safe mode, run the CD drive, etc and bypass novell secruity to change the settings? I assume the admin can set restrictions so users cannot use these functions right? Does these function edit the windows reg to block this or does the progammers have to w...

Forever loading boot/linux boot/initrd
Imaging was working fine 3 days ago. Now its broken. Zen 7 sp1. I have not changed anything on the network. It takes about 45 minutes to load the above files. I can boot with a boot disk fine but when it starts downloading the image, its really slow. I have reinstalled imaging and pxe services on the server. I am using wireshark and don't see any unusual traffic on the network. Any ideas would be appreciated. -- warmstr ------------------------------------------------------------------------ On Fri, 29 Aug 2008 14:36:02 GMT, warmstr wrote: > I have > not ch...

F-Secure Readies Security Software For Linux
F-Secure Corp. on Tuesday unveiled security software for open-source Samba file servers and Linux, addressing a need that's growing within the enterprise market. The Finnish company announced the availability of antivirus software for Samba that automatically detects and removes viruses from files stored on the server. The new product is meant to protect all Samba-attached computers from malicious code that could enter the network from a Windows or Linux machine. Next month, F-Secure plans to ship a Linux version of F-Secure Policy Manager, which will extend centrally managed ...

Secure connections: how secure are they?
*QUOTE* ......... both useful and malicious information can be transmitted via network connections. Standard solutions protect computers against threats present in standard network connections, but aren't able to counter threats present in secure connections. Verifying the contents of a secure connection is impossible by virtue of its secure nature, as demonstrated by the different types of protection listed above. As a result, malicious data within secure channels can cause a significant amount of damage, and sometimes more than if it were to be transmitted via a standard, non-s...

How secure is secure enough?
July 28, 2008 (Computerworld) This story originally appeared in Computerworld's print edition. If there is a Holy Grail in the information security industry, it surely is the answer to the question, "How secure is secure enough?" It's a question that many security managers have either avoided answering altogether or tried to quickly sidestep by throwing a fistful of mainly pointless operational metrics at anyone who cared to ask. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=321921&intsrc=hm_list -- "Never d...

Web resources about - To Secure Boot or Not To Secure Boot... - grc.techtalk.linux

Secure Digital - Wikipedia, the free encyclopedia
Secure Digital or ( SD ) is a non-volatile memory card format for use in portable devices, such as mobile phones , digital cameras , GPS navigation ...

Facebook To Users: ‘Add Your Phone Number To Help Secure Your Account’
Some Facebook users are seeing alerts above the Graph Search bars on their News Feeds , prompting them to “Add your phone number to help secure ...

Perth Scorchers beat Melbourne Renegades as Shaun Marsh, Michael Klinger secure first-ever 10-wicket ...
Perth Scorchers openers Michael Klinger and Shaun Marsh make Big Bash history, recording the first 10-wicket win and wicketless inning in the ...

A few simple steps you can take to make your iPhone more secure
... care less if a friend managed to guess your password and see your most recent texts, it's never a bad idea to make your iPhone more secure. ...

China’s United PV Secures $1.5 Billion Funding To Acquire Solar Power Projects
One of China’s rapidly emerging solar power project developers and operators, United PV, has secured a fresh credit line to expand its footprint ...

Drupal will use HTTPS to secure its update process
Developers of the popular Drupal content management system are working to secure the software's update mechanism after a researcher recently ...

Faster, longer, more secure: why the iPhone 6c will blow the iPhone 5s out of the water
We’ve heard enough at this point to be pretty sure that a 4-inch iPhone 6c is coming, but how will it stack up against the last 4-inch iPhone, ...

Exploiting Silent Circle's Secure Blackphone
The highly secure device could have been exploited, were it not for the responsible disclosure by a security researcher.

Where to Find Secure 7.6% Yields in 2016
Most stocks that pay meaningful yields today do so because their stock prices are cheap. Their dividends are being paid from earnings that aren’t ...

Clinton email about non-secure fax re-ignites concerns about her sidestepping ...
Fox News Clinton email about non-secure fax re-ignites concerns about her sidestepping ... Fox News A recently released email from Hillary ...

Resources last updated: 1/11/2016 10:40:25 PM