On Tue, Jun 5, 2012 at 2:38 PM, Roger Leigh <rle...@codelibre.net> wrote:
> On Tue, Jun 05, 2012 at 07:26:55PM +0200, Claudius Hubig wrote:
>> However, I welcome the fact that attacks on Windows will be made more
>> difficult, since that also means smaller botnets, fewer vulnerable
>> computers etc.
>
> It will have zero effect. Not only was the certificate effectively
> compromised by allowing arbitrary code to be signed apparently by
> Microsoft (see recent news), how effective is the security when you
> have the ability to chainload GRUB? Once you can do that, you can
> load any arbitrary code of your choice. Any malware worth its salt
> will just co-opt the Linux bootloader and continue on its way.
> Effective security gained: none.

I don't think that you can draw a straight parallel between the Terminal Server certificate lacunas exploited by "Flame" but even if we ignore the differences, yes, there's a possibility that Microsoft'll screw up and it'll have a large effect, much larger than, for example, the screw-ups of Debian, kernel.org, and countless others in the past. But even if Microsoft's replaced as the ultimate trusted authority by another, independent entity, you'll still have a TBTF, single-point-of-failure.

In the proposed Fedora scenario, I don't think that you'll be able to chainload grub, or at least you won't be able to chainload a grub that isn't signed by a trusted key in the same way that you won't be able to boot a kernel that isn't signed by a trusted key.