Linux.com


Linux Video of the Week: Matthew Garrett Argues for Better Security in 2014

In his keynote talk at LinuxConf Australia this week, Linux kernel developer Matthew Garrett argues that the software industry can help improve security at every level of the stack – and that it's possible to do so without sacrificing user freedom.

“Do not allow conversations to be about reducing user freedom in order to improve security,” he said in his concluding statements. “Challenge anyone who says this. Ensure they know it's unacceptable.”

(View the full video here.)

2013 was a big year for security in the PC industry, characterized by the mass implementation of UEFI Secure Boot, the Snowden revelations, and the OpenSSL website security breach, said Garrett, who works for cloud computing company Nebula and implemented UEFI Secure Boot for Fedora. Each event has changed the way the software industry views security, and each provides its own lessons for Linux developers and sysadmins.

The OpenSSL site breach was originally thought to be the first example of a hypervisor breach, Garrett said, but it turned out the website credentials were easily guessable. However, the site breach calls attention to the larger issue: the hypervisor is still a vulnerability. It's critical that cloud providers can ensure guests running on the same hardware remain fully separate and can't break through the hypervisor, he said. He called on providers to be transparent about their security implementations and on customers to demand that information from their cloud providers.

“There are some difficult questions we should be asking cloud providers and so far mostly haven't,” Garrett said.

The NSA revelations also dramatically affected how the industry views security, though perhaps not in the most productive way. Garrett implied that the magnitude and scale of the technical attacks have somewhat overwhelmed developers who don't even know where to begin improving security for their users.

The Snowden leaks led developers to realize that technical attacks that had previously been only theoretically possible were already happening. Yet despite the mass of information leaked, we still “don't know what our attackers are capable of,” Garrett said.

He encouraged developers not to fixate on what intelligence agencies are capable of and to instead focus on smaller-scale vulnerabilities and what they can control. Script kiddies and organized criminal hackers looking for credit card numbers are still a far more common security threat, he reasoned.

“What can we do to protect users and protect the state of the art and make sure computer security is as good as it can be?” he asked.

He defended verified boot schemes as one method for protecting the software stack at its root. Vendors must also allow users to install their own OS, however. The industry, especially in the mobile segment, still has a ways to go in allowing users to replace the cryptographic key and/or the firmware, he said. Such freedom is critical to allowing experimentation and innovation in the tech industry.

UEFI Secure Boot “is one of the rare cases where I'm going to say Microsoft did the right thing for user freedom,” he said.

(View the original video here.)


Comments

  • AdamWill Said:

    "said Garrett, who works for cloud computing company Nebula and implemented UEFI Secure Boot for Fedora" Matthew actually implemented SB support for pretty much everyone. AFAIK, every major distro with SB support uses Matthew's 'shim' implementation. The Linux Foundation has an alternative implementation, but it arrived later than shim and provided no benefits over it, so it is not terribly widely used.

  • Eddie G. Said:

    I for one am all for security, but I wonder sometimes about just how "smart" it is to go around just splattering every breach in the news....I mean I know the people who had their info stolen from Target SHOULD be notified, but to have the issue just thrown out there? Isn't that "feeding" the people who actually committed the crime? Or wouldn't it be wiser to keep things that get "exposed" as quiet as possible to prevent other nations from snooping? I mean in all reality, no one here is a multimillionaire....but suppose a foreign nation approached you and offered you a "ridiculous" amount of money for some information? I guess what I'm trying to say is that a lot of other countries have their systems broken into.....sometimes more than once in a day....but they don't BROADCAST it to the world! Maybe it's better to just "lock down" everything and to gain access to things you need with even MORE layers of security?...

