Why 28-backspace Vulnerability is not so Serious?

There have been news being circulated around regarding 28-backspace vulnerability of a Linux bootloader, Grub2.

Why this is not a serious problem? Because relying your security on bootloader is utterly stupid to begin with. If someone has a physical access to your machine, that means, they can easily bypass limitations set by a boot loader. It is a very simple feat to create a thumbdrive with a bootloader without such authentication in place, whether this vulnerability exists or not. Therefore, the existence of this vulnerability does not provide any difference from a security standpoint.

To protect a system with this type of issues, you’ll have to take steps like:

  • Limit physical access to the device.
  • Encrypt root partition

If only thing this protection on this Grub2 feature provides, that’s an illusion of security, maybe we are better off without this feature. (If someone’s so concerned about giving access to rescue shell so easily, in casual operation, then remove a rescue shell from Grub2 installation. If system administrator ever needs one, just boot from external media with rescue shell access.)

Linux: Some words about it

I have been advocating Linux for both notebook and desktop system for some time, let me run down some factors that will affect when you want make a switch.
I have been using Linux exclusive from around 1994 to 1997, and after I some blank, I am now using Linux on couple of machines for several months now. So I will have some comparative analysis for those who are thinking about coming back as well.

Installation

Installation was somewhat pain around 1994, where installer were rudimentary, while newer distributions such as Redhat started introducing more user friendly installation. Today’s installers are mostly graphical (though, text only installation method is still there as an option). Another big thing about it is most of modern distributions offer liveCD feature. With this feature, you can boot Linux off from CD to try it out, without writing a bit on your hard drive, and many even allows you to install it right onto your hard drive, if you like it so it will be bootable from your hard drive. By partitioning your hard drive, it is possible to have both of those operating systems co-exist on one machine, where you will be prompted whether you want boot up Windows or Linux. Most Linux also has provision of writing to USB thumb drive, which allows you to boot up Linux by plugging in your USB thumb drive, while saving all data into it. It may be useful for temporarily borrowing your friend machine and for recovery purpose. This is big and practical advantage over Windows as simply license don’t allow this at all.
While most, if not all Linux can be downloaded fairly easily, nice people at Ubuntu can send you free CD if you request one. (This can be used for both installation and liveCD.) Or just ask friend who has installation disc. Anyone who I know that are interested installing Linux, just ask me and I will burn you one.

GUI

No, you don’t have to use CUI (Character User Interface) like command shell if you don’t really want to. Just like command prompt on Windows. Learning how to use command line, however learning how to use CUI certainly makes your life easier in some case. It’s just like Windows, if you don’t really touch command prompt, you can live that was, too.
Linux GUI has pretty much everything you will expect. But of course, there are some difference where you can find different options and such.

Softwares

Most of productivity tools and applications comes with distribution out of the box. For example, Ubuntu ships with OpenOffice.org for office suite, GIMP for graphic editor, and such. Usability out of the box, in fact is much higher than Windows.
However, some hard-to-find aspect of Linux would be games and some type of niche applications.
Installation and removal of applications are easy on modern Linux distributions as they come with package manager built in.

Security and Administration

Generally, when people talk about Linux security, they tend to believe it is more secure than Windows. It is in fact yes and no.

  • If your own account is compromised and the perpetrator does not have access to root (Linux equivalent of Administrator) account, damage can only extend to your own account.
  • Many distribution has designed so built-in firewall receive ports closed unless they are reactivated or necessary.
  • Linux has lower userbase than Windows and Mac, so it is less likely to be targeted.

Generally speaking, Linux do offer at least same level or higher security than Windows, when combined those factors above.
Administrating on Linux has different mentality than Windows.

  • On Windows, SYSTEM account (non-interactive account that Windows system maintains) assumes privileges higher than Administrator account. Which means there are certain things you try to do on your system but your SYSTEM account do not allow. On Linux, root has highest privilege. You can do real damage as root, if you don’t be careful. But at the end of day, nothing gets on your way if you try to do something on your system, to fix things. Flipside is, if you stay away from root account, you can’t really do real damage to the system.
  • On Windows, your files are locked, which means if something else is using your file, you cannot generally delete them. On Linux, you can delete file while it is being used unless application specifically requests file to be locking. (Inside Linux, applications still do have access to the file you have deleted until the application is terminated.) This often prevents “access denied” error when you try to delete files. (Which can be annoying if you really know what you are doing.)
  • Linux, especially due to its design coming from server operating system, minimizes necessity of rebooting. Only time you have to reboot your machine would be when some critical file on your system has been updated.

    Compatibility

    It used to be relatively hard to come by hardware compatible with Linux. But these days, most graphics card are supported on Linux by a manufacture. Drivers for most of hardware are available.
    Software wise, if you have to connect to Exchange server, Evolution E-mail application is available, and for 90% people, OpenOffice.org should have enough compatibility with Microsoft Office.

    Where to start?

    Convinced? Try Ubuntu. Trying is best way to start. If you are capable of burning ISO image to CD, you can download image file from Ubuntu and start trying. If not, order CD, or ask me.
    Further reading
    Wikipedia article on Linux
    Ubunchu the manga about Ubuntu