User: Password:
|
|
Subscribe / Log in / New account

Taking it seriously

Taking it seriously

Posted Jun 1, 2012 21:09 UTC (Fri) by gmaxwell (guest, #30048)
In reply to: Taking it seriously by raven667
Parent article: Implementing UEFI Secure Boot in Fedora

Fair enough— but stand back and think about that.

What makes Fedora strong compared to Microsoft? Microsoft is the dominant player, Microsoft can employ many more designers— and out spend Fedora in every way, Microsoft can set a more consistent vision for the developers of the software they ship. Microsoft can hire almost any talent they like. These are all formidable strengths and they have many others.

What can't Microsoft do? Their business model is fundamentally incompatible with giving users an operating system which they— or their designees— can easily and legally change. Microsoft can't deliver a self-contained self-hosting system that with a few commands can patch and recompile anything it runs. It's incompatible for giving users access to the complete source code for everything they run, thus lowering the learning curve and turning out an endless stream of new developers.

Linux distributions could start engaging in top to bottom signing of userspace binaries— but in doing so it would be weakening the strengths of the open world and playing into pattern of top down control which they are fundamentally better at. Even if there are magic buttons and procedures you can add to regain these freedoms, and even if you ignore that one of the most important software freedom's is the freedom to share the results of your modifications and have other people able to use them easily... the additional friction of having to disable that 'security' diminishes our communities advantages.

There absolutely are applications for locked down machines where doing so provides a distinct advantage to the owner of the machine. But these applications are not typical for Fedora. I think it would be arguably in the GNU/Linux communities long term to leave those markets to special case distributions— or even to Microsoft.

I strongly support improved security— but there are a great many things which can be done to provide a more material improvement than codesigning without the compromises. The immutable boot only lets the horse be put back in the barn without reimaging the system— but by then it may be too late. At the point of initial compromise the users data may have been copied and erased, their bank accounts emptied, bitcoins stolen, whathave you.

If all you really care about is making sure that botnets don't persist then perhaps secureboot plus a sufficient amount of signed userspace is enough. But it's pretty weak from the perspective of actually securing the user.

We're hardly making use of SELinux, for example— Why are programs like Pidgin, Evince, and Firefox able to access my home directory except via a carefully audited privileged separated filechooser app? Why aren't they running in a sandbox? Why have we not built accelerated versions of tools like valgrind which are able to provide even stronger sandboxing than SELinux around the most vulnerable code? I could fill pages of things which would provide more security improvement for users than code signing without diminishing our fundamental advantage vs the closed software world. If it's security we're trying to get— why would we first do the one thing that makes us more like Microsoft?


(Log in to post comments)

Taking it seriously

Posted Jun 2, 2012 4:48 UTC (Sat) by raven667 (subscriber, #5198) [Link]

I think we are having a good discussion here. Yay!

> What makes Fedora strong compared to Microsoft? [...] Microsoft can [...] out spend Fedora in every way, Microsoft can set a more consistent vision for the developers of the software they ship.

MS can do extensive QA and UX testing but they don't have a monopoly on smart people or good designs and in my judgement MS seems pretty poor at having a vision and organizing their labor in any sensible way. Their recent attempt at coherence around "Metro" is a refreshing exception for a company who's major applications all use different custom UI toolkits that only superficially resemble each other.

> Their business model is fundamentally incompatible with giving users [...] access to the complete source code for everything they run

The industry behaves as if this were true so for practical purposes it is true but RedHat shows that there is plenty of business in selling the binaries while giving away the source, protected by Trademark more than Copyright, although the success of other Linux business indicates that there may only be room for one major player selling binaries based on the same source as other minor players.

> Linux distributions could start engaging in top to bottom signing of userspace binaries— but in doing so it would be weakening the strengths of the open world [...] the additional friction of having to disable that 'security' diminishes our communities advantages.

I don't believe this at all. As long as you can load your own keys or disable the secure boot from the physical machine then anyone who is a "developer" and wants to work with source can do so. I think working with source is a much bigger hurdle than changing a firmware setting or a jumper or loading a key.

> I think it would be arguably in the GNU/Linux communities long term to leave those markets to special case distributions— or even to Microsoft.

I disagree again. Having user unfriendly defaults is not in the long term interest of GNU/Linux. Making all users, including non-developers, go through what you yourself describe as "additional friction" and then not taking advantage of available technology is not a positive thing. To re-iterate, I don't think the additional friction of modifying secure boot is a problem for developers but I do think it is a (small, unnecessary) problem for non-developer users.

> I strongly support improved security

I do too.

> but there are a great many things which can be done to provide a more material improvement than codesigning without the compromises.

It doesn't have to be either/or, that's a false dichotomy

> The immutable boot only lets the horse be put back in the barn without reimaging the system— but by then it may be too late. At the point of initial compromise the users data may have been copied and erased, their bank accounts emptied, bitcoins stolen, whathave you.
If all you really care about is making sure that botnets don't persist then perhaps secureboot plus a sufficient amount of signed userspace is enough. But it's pretty weak from the perspective of actually securing the user.

Yep, that's all its trying to do, it doesn't cure cancer or cook a perfect steak either.

> We're hardly making use of SELinux, for example— Why are programs like Pidgin, Evince, and Firefox able to access my home directory except via a carefully audited privileged separated filechooser app? Why aren't they running in a sandbox? Why have we not built accelerated versions of tools like valgrind which are able to provide even stronger sandboxing than SELinux around the most vulnerable code?

This is a whole 'nother discussion. It would be great if we could do a ground-up re-design of how operating systems and applications work to help enforce this kind of sandboxing and seperation. I think that ultimately, in the coming decades, so much of application technology is going to be sucked into the web browser that this is the place to focus, as is being done in all the major browsers.

> If it's security we're trying to get— why would we first do the one thing that makes us more like Microsoft?

I am not primarily a MS technology user, apparently I'm obligated to say that up front, but it's not productive to act like MS has cooties or something. One sees the same thing whenever a discussion of Mono comes up. They may be stupid and evil on many levels but that doesn't mean that all their technology is bad or that changes they make to the marketplace can't be put to good use. All this crypto stuff can be used for both evil and good purposes, the fact that bad things can be done doesn't mean that we shouldn't do the good things.


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds