20090823 Update: AA1, Linux Security, TinyCore, Etc.

Quick personal follow up to my previous post about the latest, and probably most extensive yet detected, vulnerability in the Linux kernel.

I’ve been using my own kernel under what used to be CrunchBang. I can’t blacklist certain modules (e. g., bluetooth and IRDA) because I built them into the kernel rather than as modules. Yuck. Back to using the big-ass kernel from the repository if I’m going to use Linux. At least if I’m going to use my ex-CrunchBang install (it’s no longer even close to being what it was originally — from the window manager to the applications to my own kernel and so on).

I haven’t even booted into Linux since last week when my wireless crapped out under Linux again — I’ve had a busy week and this next one will be even more hectic. Right now, I’m not sure if I’ll bother upgrading again because I’m completely fed up with losing wireless and not being able to get it back without rebooting several times. As I noted, the crash and resulting videos came as I was making a screencast explaining why I dislike binary-based distros and their packaging and why I was more likely going to start using TinyCore more often.

Problem is, the same thing occurred one time under TinyCore. The ath5k time-out thing is not a distro problem. It’s a problem somewhere between the kernel/module, possibly WPA, and possibly a couple other things. So I have more than a reason or two to reduce my use of Linux on my AA1. I’m most likely reclaiming the larger partition I have set up for /home under CrunchBang for use under Windows (probably as an encrypted partition) and then using my 5GB partition for {Tiny,Micro}Core.

I’ve settled on another laptop and should have it next week. It’s not new — I don’t think I’ll ever again buy anything new enough that running Linux will be such a pain in the ass as it’s been with the AA1. The more bleeding edge the hardware, the more quirks and utterly stupid bullshit there will be with getting its glorious open source drivers to function properly and in some sort of stable manner. I checked all the specs to make sure Linux will have better support for the next laptop than I have on my AA1 now.

Right now I’m debating between Slackware (13 is almost ready) and CentOS 5.3, both of which have modern-enough kernels to support the hardware in the laptop. The reasons I’d install Slackware are for its lengthy support cycles and so I don’t have to download miscellaneous headers to (re-)compile anything. The reason for CentOS is to have an enterprise-grade distro with enterprise-grade support cycles (as in seven years). After all, I have to use this for my work. I can’t afford to randomly lose wireless (especially if it requires several reboots to get it functioning again) or to have to deal with freezing up when disconnecting the laptop from a projector.

I’m open-minded beyond those two distros. Even source-based since I’m going to have a few days around Labor Day weekend where I can leave it to compile all day long and let it catch on fire or something.

Back to the security issue affecting eight years’ worth of Linux kernels. Is {Tiny,Micro}Core a better solution for problems like this particular vulnerability? In some ways, it may be. It doesn’t come with a full set of modules. You have to install things separately because the whole concept is more modular. The kernel is read-only and in RAM. If someone were able to pwn at the kernel level, you can reboot into a fresh environment because the base system isn’t writable.

The counter to all that is, the more persistency you have for your installation the more vulnerable you are. Most of your configuration files are stored either in /opt or /home, which are read-write. Depending which extensions you use, you may have the same kind of exposure you’d have under any other distro.

And, most importantly, the weakest link in security is almost always the user. You can’t underestimate the problem users cause from clicking on links to opening things to setting up files so that anyone (aka “world” in Unix terms) can write or execute them. Some people ignore permissions altogether or set them up for the sake of convenience — such as other small/live distros that run only as root. I’m not saying that {Tiny,Micro}Core is inherently safer with its use of sudo (I wish more users would accept a default scheme which sets a random password so even running off the live CD or USB would require entering a password before mounting and erasing a drive, etc.).

So add TinyCore to the list with Slackware and CentOS. That may be the fastest way to get it up and running anyway. And TinyCore may be the last remaining Linux distro on my AA1 whether I run Linux on it again or not.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: