Monday, March 29, 2010

Guess who wants you to run Ubuntu Linux?

Your bank.

At least, if you bank at CNL Bank in Orlando:
Recognizing that most consumers don't want to buy a separate computer for online banking, CNL is seriously considering making available free Ubuntu Linux bootable "live CD" discs in its branches and by mail. The discs would boot up Linux, run Firefox and be configured to go directly to CNL Bank's Web site. "Everything you need to do will be sandboxed within that CD," he says. That should protect customers from increasingly common drive-by downloads and other vectors for malicious code that may infect and lurk on PCs, waiting to steal the user account names, passwords and challenge questions normally required to access online banking.
This is so full of awesome that it could almost collapse into a Black Hole of awesomeness. Here's why:
  • The big money in online crime is in attacking online banking. That's where transactions are authorized, so it's where the smart Bad Guy wants to be. CNL is focused on the right threat scenario.
  • The Bad Guys are quite rational, and so attack the Operating System that the bulk of their customers run at home. That's Windows. CNL is focused on the right vulnerability scenario.
  • There's a lot of inertia in moving to Linux, and so most people simply won't. By creating the bootable CDs and offering them to their customers, CNL is reducing the friction their customers would encounter.
While nothing is a panacea, this is a very logical step. Well done, CNL Bank.


Ian Argent said...

And a great big heaping security fail by making them available by mail...

(Though given that there *is* a cost to physical mail, that may be enough to make that attack vector impractical.)

Depending on how well the CDs are secured in the bank, you could poison the CD stacks as well. Much lower-cost attack. Or attack them at the duplicators, etc.

Those CDs are now an incredibly valuable attack target - if you can compromise them you have bypassed a layer of security - the CD provider has told you they're safe, after all.

I was going to say, "not that it's not worth doing"; but then gave it a thought... What if $BIG_BANK did this? (Say one whose initials name a snake?)
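The tampering concern raised in the comment above has a standard mitigation on the recipient's side: check the disc image against a hash the bank publishes through a separate channel before burning or booting it. The script below is an added example, not code from the post or from CNL Bank. It assumes a SHA256SUMS-style manifest (hex digest, two spaces, file name, optionally with a leading `*`) and GNU `sha256sum`; the image and manifest it exercises are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the post or from CNL Bank): verify a live-CD image
# against a published SHA256SUMS-style manifest before trusting it.
# Assumes GNU coreutils sha256sum and a manifest with lines "<hex>  <filename>".

# verify_image <image-path> <manifest-path>
# Returns 0 if the image's SHA-256 matches the manifest entry for its basename,
# 1 on a mismatch, 2 if the manifest has no entry for that file name.
verify_image() {
    image="$1"
    manifest="$2"
    name=$(basename "$image")
    # Pick the digest whose file name matches; tolerate the "*name" binary-mode form.
    expected=$(awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) { print $1; exit } }' "$manifest")
    if [ -z "$expected" ]; then
        echo "no manifest entry for $name" >&2
        return 2
    fi
    actual=$(sha256sum "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name matches the published digest"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# demo_constructed: builds a constructed image and manifest, then exercises the
# three outcomes (pristine, tampered, unlisted). Returns 0 if all three behave.
demo_constructed() {
    tmp=$(mktemp -d) || return 1
    printf 'constructed live-cd image bytes\n' > "$tmp/bank-live.iso"
    # The manifest is generated here from the pristine image; in practice it
    # comes from the bank over a channel independent of the disc.
    ( cd "$tmp" && sha256sum bank-live.iso > SHA256SUMS )

    r1=0; verify_image "$tmp/bank-live.iso" "$tmp/SHA256SUMS" || r1=$?

    printf 'tampered\n' >> "$tmp/bank-live.iso"   # simulate a modified disc
    r2=0; verify_image "$tmp/bank-live.iso" "$tmp/SHA256SUMS" 2>/dev/null || r2=$?

    r3=0; verify_image "$tmp/unlisted.iso" "$tmp/SHA256SUMS" 2>/dev/null || r3=$?

    rm -rf "$tmp"
    [ "$r1" -eq 0 ] && [ "$r2" -eq 1 ] && [ "$r3" -eq 2 ]
}

demo_constructed && echo "pristine, tampered and unlisted cases all behaved as expected"
```

The digest only helps if the manifest is obtained independently of the disc (printed in the branch, served from the bank's HTTPS site, or signed with a key the customer already trusts); a manifest shipped on the same disc can simply be regenerated by whoever tampered with it.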
