[IAEP] what subjects belong to IAEP? (was Re: is Soas safe?)

[Tomeu Vizoso]

On Mon, Mar 22, 2010 at 00:47, Luke Faraone <luke at faraone.cc> wrote:
> [please drop iaep in followup emails, this is a technical discussion]

A discussion doesn't belong to IAEP because of being about technical matters?

What I would have expected instead is that IAEP is for general
discussion and sugar-devel for development.

Regards,

Tomeu

> On Sun, Mar 21, 2010 at 19:31, Yamandu Ploskonka <yamaplos at gmail.com> wrote:
>>
>> I guess that harddrive-less units are totally OK, but what happens in
>> normal, hard-drive based machines if somehow a stick gets infected? when
>> booting from a USB stick, is it like when booting from a CD or for those
>> old enough to remember, like booting from a floppy?
>>
>> I mean, that was THE way to get infected before Word macros started
>> being the star, since such infection basically bypass all anti-malware
>> protection, except when set at the BIOS level, and how many people knew
>> about it in my younger days?
>>
>> How can we ensure this is not an issue made worse by Soas users?
>> Opinions and knowledge, anyone?
>
> The operating system running on the SoaS stick has unrestricted access to
> the computer. It can mount internal disks, repartition, etc; anything one
> could do if you were "root" on the running computer.
> So far, the only security vulnerability experienced in conjunction with USB
> sticks has been Windows viruses. Since the SoaS stick does not contain WINE,
> it cannot run any Windows executables, and unless a virus is specially
> crafted to work on Linux and handle the specific way that LiveUSB sticks are
> constructed, it is unlikely to pose any threat.
> There is no way to mitigate this threat other than to verify the integrity
> of a SoaS stick from a trusted (ideally sole-role) computer designed for
> that purpose, or have the BIOS check the kernel signature (a la the XO), and
> have the kernel verify the userland. This is overkill for 99% of situations.
>
> In summary: There are much more probable threats to be worried about, and as
> of today, SoaS does not have the level of popularity where one would have to
> consider such solutions.
> If we want to protect against rouge activities, there are existing
> technologies that can easily be put into place with a configuration change
> (`touch /etc/olpc-security`) and some testing. This is a good thing to work
> on short-term in my opinion.
>
> Thanks,
>
> Luke Faraone
> http://luke.faraone.cc
>
>
> _______________________________________________
> SoaS mailing list
> SoaS at lists.sugarlabs.org
> http://lists.sugarlabs.org/listinfo/soas
>
>