Home » Learning Curve » Red Hat Diaries
Live CD Makes MainstreamCan this be possible?
Has hell frozen over? Can it be true? Are the eejits on Windows finally waking up? Pinch yourselves - but Robert Mitchell finally brought the 'live CD' topic to the widely read Computerworld.
'Jay McLaughlin has me worried', wrote the IDG tech journalist on 24 March. And note right away that being a tech journalist means only you're an expert in journalism - not in technical matters. But that'll be apparent shortly anyway. Mitchell continues.
'I do my online banking from the same home computer the rest of the family uses for Web surfing and online games. I have the McAfee security suite loaded and do regular scans so accessing online banking should be protected. Right?'
Oh goodness. First clue. Luckily Mitchell knows Jay McLaughlin.
Not really, says McLaughlin, a Certified Information Security Professional and CIO of CNL Bank. Accessing online banking from your everyday PC is just asking for trouble.
The sky is blue. Bears shit in the woods. Usually.
'The CIO of the Orlando Florida based regional bank would like to see all of his customers - both consumers and businesses - access online banking either from a dedicated machine or from a self-booting CD-ROM running Ubuntu Linux and Firefox.'
Recognising that most consumers don't want to buy a separate computer for online banking, CNL are seriously considering making available free Ubuntu Linux bootable 'live CD' discs in their branches and by mail.
Whoa! Stop right there! Who is this Jay McLaughlin? The cheek to propose a good idea that actually works! The audacity to suggest solutions to a worldwide dilemma rather than discuss it to death! Yes it's truly too good to be true. And now it's 'out there', disseminated by no less than Computerworld. It might never go away at this point. So many people out of work - in these tough times to boot!
'Everything you need will be sandboxed in that CD', says McLaughlin CISSP.
Mitchell continues. 'That should protect customers from increasingly common drive-by downloads and other vectors for malicious code that may infect and lurk on PCs, waiting to steal the user account names, passwords and challenge questions normally required to access online banking.'
Why yes it should protect them! So why are you proposing it? No more emptied bank accounts? Is that what you want?
'A bootable CD works because it's isolated from the host PC environment. Malware on the host can't touch it - and any malware picked up when running from the CD-ROM goes away once the CD is ejected.'
Well yes - the malware (if it existed and that's a long shot) would be only in memory. Supposedly. That's the theory. One thing's certain: Linux isn't Windows. Thank goodness for that. And (gasp) read-only CDs can't be written to.
'When you eject the CD you have removed everything off the machine', says McLaughlin. And that's pretty close to the truth.
Whatever: the live CD suggestion's been out there for some time now. It was probably Brian Krebs who picked it up. But his fans (with their GRC legacy) mostly dashed it into the ground. They even mod Brian himself down when he reminds them that getting off Windows is necessary for banking.
The story's been out there for months. This site picked it up. Yet it's never been in the mainstream before.
A Waste of Money
McLaughlin says security suites are increasingly ineffective at keeping up with threats from organised crime rings abroad. No news there - but at least someone in the mainstream is finally saying it.
'If you are using online banking you should be using a hardened system that is not used for anything else but online banking.'
Mitchell claims both the FDIC, the ABA, and the FFIEC have already come out with recommendations for corporate banking clients. Those recommendations haven't reached Acme Tool in East Jesus. They probably won't until this very story is splashed across the front page of the New York Times.
'Any key logger can grab the user name, password and answers to challenge questions that banks commonly use to authenticate users today.'
And whilst Brian and a very few others continue to notch up Zeus victims, both banks and corporate clients go on in ignorant bliss. Countries in the EU can officially condemn Microsoft products but the US government can't do that - not with US jobs at stake?
'McLaughlin thinks the bootable Ubuntu CD option may be the best alternative right now. Regardless of who you bank with, he suggests ordering a copy of the free Ubuntu Desktop Edition selt-booting CD and try it for your online banking.'
Poor use of the word 'thinks'. The proper word is 'knows'. The live CD is free and it's 100% protection. Antivirus costs money and it's 0% protection. Tough decision.
Whatever: after all these months of nagging the mainstream sources, finally someone picks up the story. Almost by accident.
'McLaughlin and Genes put a sufficient scare into me that I've decided to give it a go. Yes, it's a hassle to reboot for online banking - until you think of what could happen if someone stole your credentials. On the plus side, I'll be exposed to Linux on a regular basis.'
It's that 'thinking' part that's difficult for Windows users. Armoured cars are a hassle too.
'Who knows?' concludes Mitchell. 'I might decide that I like running Linux for more than just online banking.'
Whoa there, dude. Fools rush in. Do you seriously think you could live without your fabulous Windows Se7en computer?
The Comments
Credit to Bob Mitchell for taking this mainstream. One can't accuse him of too much. Bob's a journalist - not a computer security expert. Yes he writes about computer security but he's only a journalist. So cut him some slack.
But it's another matter when it comes to the comments. It's in the comments one sees that those people aren't part of the problem - they are the problem.
I would recommend using a MANDRIVA ONE 2010 live CD disk with KDE desktop since it looks much more like the software most users are using daily. Good move, Einstein. You've finally got people aligned and focused on a super simple solution even eejits can handle - and now you're going to get them as confused as they get when shopping for washing detergent?
It is also great looking software that offers a lot of great Linux features plus excellent security settings in the Control Center, if you choose to use them. You might just get people to consider putting a CD into a computer and you're already perpetrating fanboy overload.
The LiveCD idea is a non starter, the average person has no idea about linux and wont wait the 30 seconds to boot down, 1min to boot up, then 30 seconds to boot down and minute to boot up again to do a transaction. Some people should wear sandwich signs even in bed. 'No brains here, please go away.'
Cop out. It's like asking every customer to pack heat because they don't want to give guns to their security guards. What a wonderful analogy.
The bank's applications can be well enough designed so that there is no possibility of hacking. Show us your CISSP badge.
I think McLaughlin's heart is in the right place. His brain just might not be up to the task at hand. Let's face it: all it takes to get a CISSP is some free time and a Sugar Daddy to pay for the training.
Turns out, that's cheaper than actually hiring someone who can think in the first place.
Genes seems to have the more reasonable view here. I always hate to say that the Euros are doing something right, but I've got to admit it here. Oh wow. How rude. Pulling out the big guns. Someone needs to get slapped around a bit.
Instead of Live CD & Flash drives, what about the Virtual Machines like VMWare, Virtual Box(Free) and etc. No need to reboot, run the host on the fly. These virtual machines have low level interaction with network cards, not directly with the Windows machine.
I agree, it is hard to educate the common person. If you agree then why are you trying to do it anyway?
I would never, ever access my online banking with anything but Linux. Hello! How did this one get in here? Guards!
Asking consumers to boot from an Ubuntu CD for their everyday online banking is like asking them to return to using tellers to cash a check instead of withdrawing cash at ATMs. There's a Luddite in every crowd, said PT Barnum.
Malware is a major problem. And this year's Sybil Fawlty Bleeding Obvious Award goes to...
Scenario: I walk into said bank a pick up a magic live cd. Its 3+ years old.
I load it into my machine reboot and fire up Firefox 3.0.7... The vast majority of updates are to fix security holes! You want to do online banking without those updates!?!
I dont think so. It's amazing the lengths people will go to in order to dumb themselves down.
But more to the point. You would not consider on-line banking with FreeBSD, openBSD, PC-BSD or openSolaris?
Linux is but one part of the *nix world.
http://pcbsd.org/
'PC-BSD 8.0 Released
'Monday, 22 February 2010
'Run in Live mode directly from DVD
PC-BSD is BSD for non-geeks. More sophomoronic information overload.
But instead of a Live CD, the Canonical's Wubi installs Ubuntu from inside Windows. Oh just shut up, you monkey!
Online banking from a Windows machine is a mistake and booting to Linux is the only way to go. Guards!
Thanks Robert for pointing out the security benefits and welcome to the world of Linux! Hey! Whoa! He hasn't even tried it yet!
Afterword
There are more wonderful comments at the Slashdot link below - but be prepared: they're even worse.
The talk about live CDs is good. Their adoption would be even better. As long as people are simultaneously aware there's another issue they have little control of: the security of the banks themselves.
Never trust a bank using Microsoft software. But more about that later.
See Also
Rixstep Learning Curve: Get a Live CD
Slashdot Linux Story: Can Ubuntu Save Online Banking?
Computerworld Reality Check: Can Ubuntu save online banking?
|