Re: Looking for a Grub frontend for end user

[Vladimir 'φ-coder/phcoder' Serbinenko]

On 02.05.2012 04:27, Kf Lee wrote:
> 2) The user OS are all installed in the usb. When computer startup,
the Grub take the control and check which usb has an OS in it that is
bootable. In this way I can play with different OS having them installed
in several usb.
Most of USB sticks around are a cheap unreliable stuff slow compared to
SSDs or traditional HDDs for most tasks. They're useful for recovery
scenarios and to have a familiar environment when travelling but are of
bad quality for primary OS.
>
> 3) In office, the staff carry their entire OS with him. Plug in and
> work at any computer, when job done, take him usb with him.  All
> security issue solved. If his OS got virus, he is the only one suffer
> from it.
>
This point simply doesn't hold. Using USB rather than fixed HDD presents
no additional challenges to a virus writer. After all, if the virus is
able to write itself on a HDD, what makes USB different?
Quite the opposite, the USB themselves that people carry all the time
with them is in itself a major virus carrier. Even if you put
regulations like "Don't put this USB stick into other computers",
someone who need to transfer data and by chance has only this stick will
use it and in the meanwhile get all the viruses of both target and
destination computer. It makes data theft more likely since people may
intentionally or unintentionally often carry these sticks around and
they'll get stolen or lost. After all, it's easier to get one of your
employees drunk beyond remembering in a bar and get the stick off him
than it's to break into an adequately protected physical facility.
Moreover in the case of break-in into your facility the law is on your
side (you're a victim of break-in) while in later it's against you (you
failed to secure customer data) and depending on country penalties apply
and your public image will get disastrous as well.
Also it puts everyone into managing his own OS which is a bad thing
unless all your stuff consists of sysadmins. It's unreasonable to
require anyone from cleaner (who have no idea) to CEO (who consider it
too low for their duties), including the people in non-IT jobs like
accountants (who are neither educated nor paid for computer security) to
be an educated sysadmin. Imagine a village where everyone constructs his
own house without knowing anything about building. Many of them will be
shaky from the beginning and crumble in few days, most won't survive
full year, and after a good winter only few will remain, probably, done
by people who learned how to build or have a talent.
Even if you distribute initial OS yourself there are still many routine
tasks you simply can't expect everyone to do properly.
For security just stick to usual scenarios (network of centrally managed
computers or servers+thin clients) with adequate permission policy. Also
if you have no idea about security or don't have enough experience hire
someone who does (if your company is big enough) or purchase a network
administration contract with a company who offers such services or, most
commonly, some combination of both like a part- or full-time sysadmin
and a support contract with a company like Red Hat. After all you
buy/rent your building from specialists rather than attempting to
construct yourself.
In my country, and probably in others, failing to secure adequately
customer data is a criminal offence, so it's probably better not to risk
it and let professionals do their job.


-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko

signature.asc
Description: OpenPGP digital signature