[IAEP] is Soas safe?
Luke Faraone
luke at faraone.cc
Sun Mar 21 19:47:36 EDT 2010
[please drop iaep in followup emails, this is a technical discussion]
On Sun, Mar 21, 2010 at 19:31, Yamandu Ploskonka <yamaplos at gmail.com> wrote:
> I guess that harddrive-less units are totally OK, but what happens in
> normal, hard-drive based machines if somehow a stick gets infected? when
> booting from a USB stick, is it like when booting from a CD or for those
> old enough to remember, like booting from a floppy?
>
> I mean, that was THE way to get infected before Word macros started
> being the star, since such infection basically bypass all anti-malware
> protection, except when set at the BIOS level, and how many people knew
> about it in my younger days?
>
> How can we ensure this is not an issue made worse by Soas users?
> Opinions and knowledge, anyone?
The operating system running on the SoaS stick has unrestricted access to the computer. It can mount internal disks, repartition, etc; anything one could do if you were "root" on the running computer.
So far, the only security vulnerability experienced in conjunction with USB sticks has been Windows viruses. Since the SoaS stick does not contain WINE, it cannot run any Windows executables, and unless a virus is specially crafted to work on Linux and handle the specific way that LiveUSB sticks are constructed, it is unlikely to pose any threat.
There is no way to mitigate this threat other than to verify the integrity of a SoaS stick from a trusted (ideally sole-role) computer designed for that purpose, or have the BIOS check the kernel signature (a la the XO), and have the kernel verify the userland. This is overkill for 99% of situations.
In summary: There are much more probable threats to be worried about, and as of today, SoaS does not have the level of popularity where one would have to consider such solutions.
If we want to protect against rouge activities, there are existing technologies that can easily be put into place with a configuration change (`touch /etc/olpc-security`) and some testing. This is a good thing to work on short-term in my opinion.
Thanks,
Luke Faraone
http://luke.faraone.cc
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 271 bytes
Desc: OpenPGP digital signature
Url : http://lists.sugarlabs.org/archive/iaep/attachments/20100321/85d47061/attachment.pgp
More information about the IAEP
mailing list