Major Linux security hole gapes open

Discussion in 'all things UNIX' started by Minimalist, Nov 15, 2016.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
    http://www.zdnet.com/article/major-linux-security-hole-gapes-open/
     
  2. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    Just fyi, the same article also says:
    A pretty big deal to be sure - someone without backups could see someone use root to delete their system. This is pretty much a non-factor in computers though - if they really wanted to hose your install, they could simply remove the drive, hook it up to their computer and then wipe the drive clean. Still, this makes it easier and is unnecessary.

    **EDIT** Well, if access is terminal in nature (where they can't access the drive but can access keyboard), this is pretty bad. Also, they wouldn't need to connect your drive externally to delete the partition if you don't have a bootup password (either in the bootloader or via UEFI/BIOS); the easiest way to protect yourself is a power-on password and update as soon as your distro drops a fix (won't protect you if they reset CMOS using hardware techniques, but then they might as well remove the drive first).
     
  3. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Yet ANOTHER Debian crypto problem? :mad:

    (This issue is probably only present in Debian. I could not reproduce it in Arch, and other users have reported not being able to reproduce it in Fedora).
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    This seems silly. Just secure console access. If someone has physical access, you're hosed anyway.

    Also, this ...
    ... is just plain wrong. If the system isn't encrypted, you can get root in single-user mode, and change the root password ;)
     
  5. Anonfame1

    Anonfame1 Registered Member

    Joined:
    May 25, 2016
    Posts:
    224
    It's still a really silly thing to do. I mean it would allow people to hose your install if you don't have a hard drive password or boot password... That said, given what you say about someone having physical access, I agree.
    I used ABS and took a look at how Arch does it - it looks to me (could be wrong) that it just loops over and over and over again asking for the password - doesn't appear to ever drop to a shell.
     
  6. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    And here I was panicking because I'd just set up LUKS.... But @mirimir is correct, this article is pure garbage. Local console only, doesn't give any access to encrypted data, and applies for all systems with an initramfs anyway.

    Don't trust your computer if it's fallen into malicious hands, etc. Literally nothing new here.
     
  7. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Maybe there's an escape key.
     
  8. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
  9. Gullible Jones

    Gullible Jones Registered Member

    Joined:
    May 16, 2013
    Posts:
    1,466
    OMG. Author of that article doesn't know the difference between grub-install and update-grub. *bangs head on keyboard*

    Also I'm not convinced the additional kernel parameter 'panic=5' will do anything useful. That's to make it reboot after 5 seconds *if the kernel panics*. This flaw doesn't involve a kernel panic, just exiting the boot process and getting a busybox shell in the initramfs.

    It would be nice if tech journalists did the bare minimum of research before just parroting stuff!
     
  10. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    Oh boy, haven't you learned anything in all those years of yours? :argh:

    Journalism is that: mostly not researched stuff, with a ton of political bias, with a ton of sensationalism, with a little cherry on top from those few people who own all the media.
     
  11. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    2,402
    One thing this article and others dealing with the subject have assured me of: I am very glad that I pull /boot from my computers. Of course any physical access to a machine allows for complete manipulation of unencrypted /boot. BUT - if that is on a stick in my pocket I am not too concerned. LOL!! Plus, before I go anywhere at all, I always checksum my MBRs as well. All other sectors are beyond their reach.

    For now I'll avoid the bios discussion.
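
An added example, not part of the thread or any poster's own script: the first-sector checksum habit described in the post above (and the first-sector backups mentioned in the next post), written as a baseline-and-verify check. It assumes 512-byte sectors and the `dd` and `sha256sum` tools; the function names, image and file paths are constructed for the demo.

```sh
#!/bin/sh
# Added example: baseline and verify a disk's first sector (MBR).
# Assumes 512-byte sectors; all paths here are constructed for the demo.
SECTOR_SIZE=512

# Print the SHA-256 of the first sector of a device or image file.
mbr_hash() {
    [ -r "$1" ] || return 2
    dd if="$1" bs="$SECTOR_SIZE" count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# mbr_baseline <device> <baseline-file>: record the known-good hash.
mbr_baseline() {
    h=$(mbr_hash "$1") || return 2
    printf '%s  %s\n' "$h" "$1" > "$2"
}

# mbr_verify <device> <baseline-file>: 0 = unchanged, 1 = changed, 2 = unreadable.
mbr_verify() {
    [ -r "$2" ] || return 2
    want=$(cut -d' ' -f1 < "$2")
    have=$(mbr_hash "$1") || return 2
    [ "$want" = "$have" ]
}

# poke <image> <byte-offset>: overwrite one byte in place (simulated tampering).
poke() {
    printf 'X' | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Build a constructed 4-sector image, baseline it, then tamper and re-check.
mbr_demo() {
    dir=$(mktemp -d) || return 2
    img="$dir/disk.img"; base="$dir/mbr.sha256"
    dd if=/dev/zero of="$img" bs=512 count=4 2>/dev/null
    mbr_baseline "$img" "$base"
    poke "$img" 1024   # change in sector 2: outside the checked region
    if mbr_verify "$img" "$base"; then later=unchanged; else later=CHANGED; fi
    poke "$img" 16     # change inside the boot-code area of sector 0
    if mbr_verify "$img" "$base"; then first=unchanged; else first=CHANGED; fi
    rm -rf "$dir"
    echo "sector2-edit=$later sector0-edit=$first"
}

mbr_demo
```

The demo shows the limit of the check: an edit in a later sector passes unnoticed, so a first-sector hash only covers the boot code and partition table. On a real machine the baseline file is only useful if it is kept somewhere the person with physical access cannot rewrite it.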
     
  12. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I'm not too concerned. I decided to throw all the paranoia away and just have an encrypted OS for privacy in case one of my tech-savvy friends decides to sniff my documents. Inside the encrypted partition I have a backup of my GPT and /boot first sectors, complete boot partition, and /dev/sda2 first sector backup as well (the encrypted partition). If in doubt I just boot up the Arch ISO, mount the encrypted partition, and overwrite these with the backups.

    Thinking that somehow a multi-gazillion dollar agency will come after me is just ridiculous :p So I don't do that anymore. My firewall now is just protecting the income, not the outcome. I don't use GRSec anymore until 4.10 comes.
    I'm very happy, relaxed, and can focus on other things now instead of feeling anxious about a 0.000001% chance scenario.
     
  13. Gringo95

    Gringo95 Registered Member

    Joined:
    May 7, 2009
    Posts:
    216
    This type of sensationalist garbage comes around on a regular basis as if the so-called journalists share a rota for it. What surprises me though is just how many folks think some North Korean is manually searching for a back door into their PC. The real secret to desktop security is learning to realize just how unimportant you are to the world. Those with an ego will always suffer from security-based paranoia whilst the rest of us just switch on our machines and enjoy the experience.
     
  14. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Good point Gringo, good point.
    Mrk
     
  15. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    511
    Location:
    Earth .... occasionally
    Seconded!

    Whenever I start reading articles such as the earlier one from zdnet, I let out a heavy sigh (often just a mental one).
    Is this serious, is it credible, is it going to affect me and others around me?

    Not so much a kernel panic as "journo panic" then, or a journalist trying to create "reader panic".

    Why do they not do their research?
    Because to do so takes time and effort, and doesn't necessarily boost the paycheck
    (it doesn't boost their professional credibility either, but that appears to be much less important to them).

    Always the pressure to make headlines ....
    "Never let the facts get in the way of a good story"
    Clearly as true today as it ever was.

    @Gullible Jones
    "I'm not convinced the additional kernel parameter 'panic=5' will do anything useful"

    It will not .... it should read 'journo panic=5'

    .... Wait 5 seconds before booting the journalist :)
     
    Last edited: Nov 24, 2016