
The good and bad of Linux LiveCDs (ComputerWorld)

ComputerWorld describes the benefits of live Linux CDs, but then finds something to worry about: "A PC booted from a Linux LiveCD is transformed. It no longer has any of the user accounts, logging and security controls of its original host operating system. It has become a Linux system, completely under the control of the end user and loaded with an arbitrary selection of open-source software -- yet it still has access to the same hard drives, network, servers and other resources as before. The security threat this poses is obvious."


The good and bad of any bootable CD

Posted Mar 30, 2005 22:38 UTC (Wed) by Max.Hyre (subscriber, #1054) [Link] (1 responses)

The last paragraph of the article notes

If your corporate desktops and notebooks are distributed with the ability to boot from CD-ROM enabled in the BIOS, ask yourself this: Do you know what your users' favorite Linux distributions are?

Or their favorite MS windows version? Or *BSD?

The trouble is found at a lower level. If a company either doesn't trust its computer users, or feels that a laptop may fall into hostile hands, not only should the BIOS disable CD boots, but it should have a master password, and if they really care, the drive should be encrypted.

A system physically available to untrusted parties needs a lot more than simply ``Don't boot that CD''.

The good and bad of any bootable CD

Posted Mar 30, 2005 23:29 UTC (Wed) by crouchet (guest, #1084) [Link]

This is exactly right. Live CDs don't CREATE the security holes, they just make more people aware of them. For real security you need to consider BIOS settings, encryption of data, physical security and who to trust.

JC

Security threat?

Posted Mar 30, 2005 22:58 UTC (Wed) by drathos (guest, #6454) [Link] (6 responses)

The security threat this poses is obvious.

Yeah, it's the same as the threat posed by allowing anyone (with or without a LiveCD) physical access to the computer.

If you don't trust someone with your data, don't let them sit right in front of it.

The good and bad of screw-drivers (FUDWorld)

Posted Mar 30, 2005 23:18 UTC (Wed) by ballombe (subscriber, #9523) [Link]

Agreed. Last week, someone called me because their computer would not boot. After investigation, the problem was that the hard drive had been stolen.

The security threat screw-drivers pose is obvious.

Different kind of trust

Posted Mar 30, 2005 23:24 UTC (Wed) by proski (guest, #104) [Link] (4 responses)

Maybe the author is not so stupid? I would think the users are trusted with the data, or they would not work in the company. They are just not trusted with choosing a secure OS for their PC (e.g. because they are not sysadmins and don't read security alerts every morning).

What if a LiveCD has an unsafe old browser that allows attackers from outside the company to access data on the hard drive? What if that LiveCD makes the wireless card work as an unsecured access point? What if it has a modified PDF reader that sends whole documents to bad guys?

Different kind of trust

Posted Mar 31, 2005 4:38 UTC (Thu) by chbarts (guest, #28896) [Link] (3 responses)

And what if the user decides to take a screwdriver and remove a hard drive? Even if it's encrypted, that only buys you a set amount of time. Physical access to the machine is the end of being able to secure the computer against that person. Fiddling with the BIOS to disallow alternative boot media is merely an obstacle on the path, and not even the most difficult one to overcome.

In any case, no PC within a company should have a direct line to the outside Internet. There should be at least one firewall between it and the rest of the world that would prevent all of the scenarios you outline in your second paragraph. If the corporate intranet is well-run, it shouldn't be possible for any machine on the inside, no matter how inept or malicious, to send or receive data from random machines outside the intranet.

Different kind of trust

Posted Mar 31, 2005 5:16 UTC (Thu) by proski (guest, #104) [Link] (2 responses)

Judging by your comment, your employer should not let you use LiveCD. Even if you can be trusted with physical access to company's PCs, you trust firewalls too much. Firewalls don't help against unsecured access points.

Different kind of trust

Posted Mar 31, 2005 7:24 UTC (Thu) by tyhik (guest, #14747) [Link] (1 responses)

Yeah, why would a company need access points on PCs anyway?

Different kind of trust

Posted Mar 31, 2005 13:53 UTC (Thu) by proski (guest, #104) [Link]

If you take time to read the story and all the comments, you'll see that it's a "discussion" between those who get it and those who don't get it. The story was about people running LiveCD without permission of their employer.

Even if a LiveCD was made in good faith, the consequences on including some packages could have been miscalculated. For your information, HostAP starts by default in Master (AP) mode with ESSID "test" without encryption. If you have a supported card and the LiveCD in question has HostAP included, and it brings up new interfaces automatically, you have a problem.

What's worse, it cannot be assumed that all LiveCDs are made in good faith. I wouldn't trust those that come with flashy magazines.

The good and bad of Linux LiveCDs (ComputerWorld)

Posted Mar 30, 2005 23:09 UTC (Wed) by neoprene (guest, #8520) [Link]

What's the black magic in Linux Live-CDs this writer whines about? PCs having BIOSes that allow booting from CD-ROM [or _any_ medium for that matter] into _any_ Operating System? Or that DHCP allows any stray notebook to be connected to an intra-net? And also magically bypass security on internal server facilities?

Using a windoze installation CD has been a classic way to circumvent the security stuff in a windoze install and blow out passwords, but that may have been fixed.

"Want to know if Mepis ships with the right libraries..." uhh, apt-get install??

This writer seems to be pretty clueless about Linux and network security.

http://www.infoworld.com/article/05/03/11/11OPopenent_1.html
http://www.infoworld.com/article/05/03/04/10OPopenent_1.html

M$ sponsoring freelance writers? nah

The good and bad of Linux LiveCDs (ComputerWorld)

Posted Mar 31, 2005 1:55 UTC (Thu) by brianomahoney (guest, #6206) [Link] (2 responses)

Sorry, if they have the box, and the data, encrypted or not, you are set up for a brute force attack. There is now EXTENSIVE literature about all this, a lot of it written by Schneier, and all correct.

So, for starters, if you don't fully encrypt the hard drive, do not pass go -- there is a service jumper on the MB to take a master password off, and if it has a TP chip as a SecurityDevice, a Nation State, semiconductor manufacturer or small University has the tools, scanning electron u-scope, and skill to read the key right off the chip. If you do encrypt the drive you may have a few days, enough, say, to get your people out of a country before the key is found and your people are shot.

But the entire HD is highly vulnerable to known ciphertext, partial known plaintext attack, especially if it is one of a tiny number of MS installs.

Tiny here is relative, a few tens of thousands, not 2^160, so you can use all the fonts, known .exe files .... as known plaintext, and it's catch 22: if you have a single key the easier it is to recover that key, if you go for multiple keys you get other problems.

So you encrypt the drive, and try to destroy the data if the machine is captured, no ... I don't boot off the HD, it goes in a special tray with the write line clipped, but in any case it would take about 2 days to even make a decent attempt to erase 80GB (so residual magnetization is removed).

The only way I know to do it is to pack the drive with plastic explosive, use a kevlar bag to retain the debris, and program the machine to time-delay destruct.

So this is a VERY HARD problem, as many of the world's Intelligence Agencies and Militaries well know. It is not, as presented, an issue of CD-ROMs allowing users to circumvent corporate security, because that is always technical and very weak. It is because, if you physically have the machine, you are 90% of the way to owning it.

Let me make one last point: many of us know that it ceases to be a secret if you tell someone, it is a conspiracy instead ;-). If you need a secure conspiracy DO NOT use computers, mobile phones or paper, and make sure you talk ambiguously where you can not be overheard, preferably, as in the Vatican, in Attic Greek.

Let me say this differently, anything you put in a computer should be regarded as published, and it probably will be.

The good and bad of Linux LiveCDs (ComputerWorld)

Posted Mar 31, 2005 13:44 UTC (Thu) by cthulhu (guest, #4776) [Link]

Agreed with everything you said. However you are not mentioning that there are various levels of attacks. The right bootable CD and machine access can give a person undetected access very quickly to a machine for a period of time. In this case, the only goal might be to install snooping software, or to copy some data from the disk onto a flash drive. If a user or IT department cannot know there was such a breach, then they might go on for quite some time.

There are different levels of threats. Increasing the difficulty of getting to the HD through BIOS passwords, encryption, etc. can increase the length of time before exploitation and increase required expertise of the thief. The usual cost/benefit analysis applies.

The good and bad of Linux LiveCDs (ComputerWorld)

Posted Mar 31, 2005 18:42 UTC (Thu) by elanthis (guest, #6227) [Link]

Sure, you can never provide 100% security, but there is a stark difference between kinda secure and very secure. The vast majority of thieves, vandals, and so on do not have the knowledge or equipment to get past many security measures.

Not letting a user boot off a live CD can have a very dramatic effect on security, NOT because you have removed the possibility of running unauthorized software, but because you HAVE removed the possibility of a large segment of attackers running unauthorized software. Instead of having 40% of people being able to steal your data you now only have 1% of people being able to steal data (those are made-up numbers).

ALL security is about deterrents. The lock on the door to your house, car, locker, whatever can be circumvented. But it's still better than having no lock. Truly determined or very competent thieves will be able to get in no matter what you do, but the casual or ignorant thieves will be stopped.

The number of directed attacks a system receives is not infinite. The smaller the chance of any one of those attacks being successful, the smaller the chance of actually having a successful security breach. That's what security is all about. Decreasing the chances. You can never eliminate them, but you can decrease them to the point that they are improbable to ever happen in the lifetime of your system.

The good and bad of Linux LiveCDs (ComputerWorld)

Posted Mar 31, 2005 3:53 UTC (Thu) by tialaramex (subscriber, #21167) [Link]

Physical security before all else, there is no substitute. In order to put a CD in your drive, an attacker must be physically situated at the machine. And for any computer security system that's Game Over! If you give your employee a notebook computer, why should it be any different from a box of matches, or a company car? You trust them to use it responsibly, and if you catch them breaking your trust it's a disciplinary matter, not a technical issue.

But the article is a little wrong, having the LiveCD, and physical access in general doesn't give you quite everything, it's equivalent to full system administrator access, not God status.

On this machine for example, a LiveCD would let you read many of my documents, my BASH history, and so on, and there are no doubt embarrassing or valuable things in there I'd be unhappy to lose. But you wouldn't instantly get my most important information, it's all secured cryptographically. My PGP key is secured with a passphrase, as are certain valuable but rarely used financial documents, a data partition and so on. The login passwords use MD5crypt, my web passwords are secured with yet another passphrase, except banking and financial sites which are not stored anywhere. Finally my remote access SSH keys are secured, and are trivially deleted from the other machines where I have access.

Windows does score points over Unix for envisioning the "compromised client" scenario early in development of their distributed filesystem. NFS servers trusted the client to report correctly which user is attempting access, while in contrast SMB / CIFS provide a per-user authentication mechanism which means if you use a LiveCD you'll still need a valid password to get access. In a corporate setting that meant you could deploy NFS only if you trusted all the clients, while SMB/ CIFS are more flexible.

NFSv4 finally provides a sane mechanism for per-user authentication, but it's not very widely deployed yet. Let's hope that Sun and NetApp are serious about this fix and do what's necessary to get it rolled out everywhere.

The good and bad of Linux LiveCDs (ComputerWorld)

Posted Mar 31, 2005 4:39 UTC (Thu) by tavis (guest, #14187) [Link]

I took the author's point to be a bit different. It's not that Linux gives a malicious user some new-found ability to break into a computer, but rather, that if lots of folks in a company start using a different operating system -- whatever operating system -- it will come with all of the vulnerabilities that an additional operating system has, and that tech support people have an additional set of remote exploits to worry about, without really knowing which exploits they are because the operating system only appears ephemerally.

It's a bit hard for me to imagine that this is a serious problem, because in order to create a problem that lasts beyond a reboot, an outside attacker would have to first of all get into the machine (which is difficult since most live CDs don't by default run any outside-accessible services besides SSH), recognize that the OS is a live CD, locate the hard drive (if it's even mounted), and install malware on it. Possible, certainly, but beyond the energy level of most script kiddies -- especially when it's so much easier just to break into the computer and install malware while it's running Windows.

Home use(r)

Posted Mar 31, 2005 8:29 UTC (Thu) by tousavelo (guest, #27022) [Link]

Suppose that I am a home user with no skills in security. I will boot Linux from a Live-CD. The Live-CD is not continuously updated so the OS might have some "old" security holes. The Live-CD might be a test/beta release with some suboptimal default security setting. The Live-CD might have public userid/passwords (demo-demo; root-root). Anyway, the Live-CD has most probably built-in static userids/passwords.

The media of the Live-CD is static and safe but in my eyes, the data on my disk is at risk as soon as I connect to the Internet (backups ?). In the past, it didn't stop me. Nowadays, I would consider connecting as too risky.

The good and bad of Linux LiveCDs (ComputerWorld)

Posted Mar 31, 2005 9:42 UTC (Thu) by beejaybee (guest, #1581) [Link]

Useful tools are _always_ dangerous!

The good and bad of Linux LiveCDs (ComputerWorld)

Posted Apr 7, 2005 11:26 UTC (Thu) by NRArnot (subscriber, #3033) [Link]

If you don't trust your users, go into the BIOS, set a tough password, and disable boot from anything except the hard disk. Then put a padlock on the PC to disable the screwdriver and BIOS-reset approach. You may also need to replace the CD writer by a CD ROM, and put epoxy glue into the USB connectors, for related reasons. And then you'll need some very fancy network switches and folks to run them.

If you're totally paranoid lock the PCs and network in a secure area and extend the KVM to the user's desktop, or secure the server and give the users dumb thin clients.

A live CD is a very powerful tool, that can be used for good or bad. If you're running a business you probably want to restrict it to trusted technical support staff, if only to avoid well-intentioned accidents with the # prompt. And who watches the watchmen? It's a problem as old as the human world, and it's usually a mistake to apply a technical fix to a human problem.


Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds