[ale] OT: micro mini nano PC
Jim Kinney
jim.kinney at gmail.com
Thu Feb 4 17:46:24 EST 2016
Not to pour gasoline on the anti-systemd crowd, but what the f&*k is
the reason for mounting the TM module read-WRITE?!?!? Yes. So they can
be updated by the Linux user, but since that's a security thing on par
with selinux in MLS mode, it should default to "you can't do this
without much effort" instead of "sure, make an easy mess of things".
On Thu, 2016-02-04 at 17:10 -0500, Boris Borisov wrote:
> We went away from topic anyway. Why not one more :)
> http://fossbytes.com/running-this-little-command-in-linux-can-kill-some-laptops-permanently/
> On Feb 1, 2016 11:05 AM, "Phil Turmel" <philip at turmel.org> wrote:
> > On 02/01/2016 10:33 AM, Steve Litt wrote:
> > > On Mon, 01 Feb 2016 06:25:42 +0300
> > > damon at damtek.com wrote:
> >
> > >> Well, actually, it's to protect against blue pill exploits where a
> > >> hypervisor "lifts" the OS off of the hardware and at that time the OS
> > >> does not know it is virtualized and the exploiter has complete,
> > >> uncontested control and access to the OS. In theory it is OS agnostic
> > >> and has been proofed in the lab. I don't know of any wild exploits.
> > >
> > > Like so many other things, this is a tradeoff. Yes, secure boot
> > > protects from an exploit below the level of the OS, and might be the
> > > only practical way to do so. On the other hand, it restricts you to
> > > software possessing a key that costs money. Worse, a key signed by
> > > Microsoft.
> > >
> > > No problem: The purchaser gets to leave it on or turn it off. Oops, not
> > > any more. Hardware manufacturers can choose to remove the on/off
> > > switch, and worse yet, that on/off switch *never* appears on their
> > > specification sheets, so you guess and return. Or more likely, many
> > > people are assimilated into the Redhat SuSE Debian Ubuntu conglomerate.
> >
> > But if you *do* have a mobo with configurable secure boot, you can
> > replace the certificates with your own, then sign your own kernels.
> > Then *nothing* will run before your OS on that box.
> >
> > http://kroah.com/log/blog/2013/09/02/booting-a-self-signed-linux-kernel/
> >
> > Phil
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
--
James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
http://heretothereideas.blogspot.com/
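
The read-write mount complained about at the top of this message can be checked on a running system. This is an added example, not part of the thread: it assumes the mount in question is the EFI variable filesystem (efivarfs, normally at /sys/firmware/efi/efivars), which the messages do not name, and the sample mount table is constructed.

```python
"""Report efivarfs mounts and whether each one is writable."""
import re
from pathlib import Path

# Constructed sample in /proc/mounts format (not captured from a real host).
# The third entry models a chroot whose path contains a space.
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /sys/firmware/efi/efivars efivarfs rw,nosuid,nodev,noexec,relatime 0 0
efivarfs /mnt/chroot\\040dir/efivars efivarfs ro,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,nosuid,nodev,mode=755 0 0
"""


def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as \ooo octal.
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def efivarfs_mounts(mounts_text):
    """Return [(mount_point, writable)] for every efivarfs entry."""
    found = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # Fields: device, mount point, fs type, options, dump, pass.
        if len(fields) < 4 or fields[2] != "efivarfs":
            continue
        options = fields[3].split(",")
        found.append((_unescape(fields[1]), "rw" in options))
    return found


def writable_efivarfs(mounts_text):
    """Return only the mount points where efivarfs is mounted read-write."""
    return [mp for mp, writable in efivarfs_mounts(mounts_text) if writable]


if __name__ == "__main__":
    proc = Path("/proc/mounts")
    # Use the live mount table when available, else the constructed sample.
    text = proc.read_text() if proc.exists() else SAMPLE_MOUNTS
    for mount_point, writable in efivarfs_mounts(text):
        print(f"{mount_point}: {'read-write' if writable else 'read-only'}")
```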