User: Password:
|
|
Subscribe / Log in / New account

Practical security for 2014

Practical security for 2014

Posted Jan 10, 2014 11:28 UTC (Fri) by ssmith32 (subscriber, #72404)
In reply to: Practical security for 2014 by ibukanov
Parent article: Practical security for 2014

I don't think you can update the signing keys for UEFI secure boot via the browser.. all instances I've heard of require a user to be physically present at the console on the boot of the machine. This is about as user-friendly as it's ever going to get.

I'm not sure what browser certificates you're talking about - but it sounds like root CA certs for SSL.. which is not really the same thing (but definitely an issue)..

Take care,
-stu


(Log in to post comments)

Practical security for 2014

Posted Jan 11, 2014 4:30 UTC (Sat) by drag (subscriber, #31333) [Link]

I don't see anything less then requiring to move a jumper to make a portion of a flash drive read-write should be required.

Making this sort of thing update-able from a browser pretty much completely defeats the purpose of having secure boot in the first place.

Practical security for 2014

Posted Jan 11, 2014 4:34 UTC (Sat) by Cyberax (✭ supporter ✭, #52523) [Link]

> I don't see anything less then requiring to move a jumper to make a portion of a flash drive read-write should be required.

In most cases it's usually a keypress immediately after the cold reboot. That's not as resilient as a jumper, but still pretty secure.

Practical security for 2014

Posted Jan 11, 2014 4:53 UTC (Sat) by drag (subscriber, #31333) [Link]

Just as long as it can't be done via software is really the most important part.

But nothing beats physically disabling the ability of the computer to write to flash when it comes to making sure that nothing writes to flash without your permission. :)

Practical security for 2014

Posted Jan 11, 2014 5:17 UTC (Sat) by tnoo (subscriber, #20427) [Link]

Sure, as long as the flash drive or the system's software really honors this jumper setting. Like, for example, CHDK on Canon cameras uses the storage card lock slider to indicate whether the firmware should be loaded from the card on bootup. If so, the camera writes the images to the locked storage card.

The situation might be still worse with flash drives which contain full microcontrollers doing all kinds of elaborate calculations, and thus are likely to be hackable as well.

Practical security for 2014

Posted Jan 17, 2014 10:05 UTC (Fri) by robbe (subscriber, #16131) [Link]

> The situation might be still worse with flash drives which contain full
> microcontrollers [...]

Every storage device since at least 2000 (including "simple" cards) includes controllers sufficiently complex to host malware.

See for example http://www.bunniestudios.com/blog/?p=3554


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds