87
Windows 10 users urged to upgrade to avoid "security fiasco"
(www.bleepingcomputer.com)
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
this post was submitted on 06 Jan 2025
87 points (95.8% liked)
Cybersecurity
5908 readers
346 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
founded 2 years ago
MODERATORS
As long as you have a TPM.
It also takes 15 minutes to upgrade to Linux, with no such requirement.
Even on Linux, it's probably a good idea to set up SecureBoot with your TPM. Very few distros will automatically set this up for you, but I know for sure that Ubuntu and Fedora do this by default.
Can you explicate why I should want either SecureBoot or a TPM in a Linux environment?
As a normal person I don't think there's a good reason. It just makes it harder for someone to get into your system/recover your data if there's a problem with the machine (or if it's stolen but personally I think it's less likely for that to happen for the majority of people). If it's a company PC with sensitive info on it that's backed up elsewhere then yea you want to prevent people from getting into that thing as much as possible.
Per the arch wiki for Secure Boot:
Secure Boot is a security feature found in the UEFIstandard, designed to add a layer of protection to the pre-boot process: by maintaining a cryptographically signed list of binaries authorized or forbidden to run at boot, it helps in improving the confidence that the machine core boot components (boot manager, kernel, initramfs) have not been tampered with.
As such it can be seen as a continuation or complement to the efforts in securing one's computing environment, reducing the attack surface that other software security solutions such as system encryption cannot easily cover, while being totally distinct and not dependent on them. Secure Boot just stands on its own as a component of current security practices, with its own set of pros and cons.
Note: For a deeper overview about Secure Boot in Linux, see Rodsbooks' Secure Boot article and other online resources.
Per arch wiki for TPM:
Trusted Platform Module (TPM) is an international standard for a secure cryptoprocessor, which is a dedicated microprocessor designed to secure hardware by integrating cryptographic keys into devices.
In practice a TPM can be used for various different security applications such as secure boot, key storage and random number generation.
TPM is naturally supported only on devices that have TPM hardware support. If your hardware has TPM support but it is not showing up, it might need to be enabled in the BIOS settings.
Note: There are two very different TPM specifications: 2.0 and 1.2, which also use different software stacks.
All that to say this is still not as secure as it could be (since it lacks some decent remote attestation), but security is best in layers, so a Secure Boot setup can be a great way to protect your pre-boot process.
How does this work?
Depends on your distros documentation, but essentially it verifies your UEFI, OS kernel, and other boot processes haven't been tampered with based on cryptographic signatures. Its really a neat setup.
Bazzite and probably other uBlue distros, which are all based on some Fedora atomic variant, also do this by default and have instructions for setting it up later, if you choose not to do it at install.
Can you keep a dual boot while still accessing files from either?
Yes, my Fedora install is happy to pull files from NTFS with no adjustments, and there must be some Windows software that can read the LVM of Fedora.
That's assuming they are either not encrypted or you know the encryption keys.
What does that protect against other than physical attacks?
I have it switched on but I never had a second thought about it.
Files on your Windows disks can be accessed from Linux if you dual-boot.
People planning to migrate to Linux should probably allow themselves more than 15 minutes for the process of backing up all the things, choosing a distro, installing it, finding out what software is available, what needs to be learned, what needs to be given up, what new things are available, configuring everything, and getting used to using it.
It's a pretty big job. You've got to do it eventually though, might as well get started.
I'd argue it's no bigger job than keeping up with Windows.
Switching to 11 would cause more than 15 minutes of headaches as well.