Most linux distributions can be run on read-only filesystems (same as from cd) BUT the only true security hole is running them as root, because volumes can be remounted in rw mode on the fly. I'm using this strategy on my raspberryPi that is running the game console emulators for the kids. They don't do no shutdown, they just pull the plug/wallwart. Roms are stored on etx4 USB, mounted read-only. This one is just mounted in rw mode on the PC, to manage the roms and emulator binaries.
Just make sure you run linux as unprivileged user. Privilege escalation is a thing though, but unlikely on patched systems. However, when you're not connected to the net, i doubt there is a fair chance of catching a successful exploit via USB.
Again, your postulated security described above is utterly dependent upon the rando USB device implementing only a storage class endpoint.
Whatevs. Good luck with that.
I would care less if i am running as unpriv. user on a system that is not network connected. I didn't mention that i'd never use a host with actual user data on it. I thought that would be clear because i was replying to Dabs' "frozen sysimage" approach. I would definitely not use a guest VM but a dedicated box that i can reset via dd or similar disc imaging tools, i wasn't clear on that, as i just recognize while typing this.
And yes, it's part of the very basics: there is no 100% security, only 100% security against certain (and therefor known) attack vectors.
Im gonna say this one last time. Your postulated recovery is weaksauce against anything other than a disk-resident vector.
dd aint gonna do nothing for you if malware-containing USB infects the BIOS.
Newer BIOSes.
I forgot to mention, i'd never use such for plugging in untrusted usb media.
My good old Pentium-M notebook is still running, as long as mains power is supplied.
12 year old NAS with usb should also do, wouldn't even accept input devices.
Totally wrong?
Ill leave it as an exercise to the reader to prove that there is no way for malware to futz with the safe copy of the BIOS that could overwrite the other. (Hint: as if)
depends how it is implemented
if the button is an actual hardware reset that forces a reload from ROM that seems like it would work
if it is just a software call then the malware would just reset your settings and lie to you, and if it is not an actual ROM it would just write itself in the backup...
Imo, it depends if the reset procedure copies over a default BIOS from actual ROM (safer, resets to factory BIOS) or a copy of the current BIOS from NVRAM (not safe at all).
I'd suggest it's the latter. I have a P7 milspec grade board made by asus, dual bios, read from NVRAM. So i wouldn't consider anything like this as safe as long as proven otherwise (security standard certification).
- Leaked documents reveal coronavirus infections up to 52 times higher than reported figures in Chinas Shandong province.
the problem of politicians is that even when there is a serious situation they continue to lie, I do not believe in the numbers that the Chinese government keeps talking. the situation is probably much more serious and china continues to lie about the numbers of dead and infected
The less (free) information from china (and similar dictatorships), the worse the situation, imo.
Think that the dissent by SEC Commissioner Hester Peirce is quite telling how much Bitcoin getting traction / being adopted is being feared:
"This line of disapprovals leads me to conclude that this Commission is unwilling to approve the listing of any product that would provide access to the market for bitcoin and that no filing will meet the ever-shifting standards that this Commission insists on applying to bitcoin-related productsand only to bitcoin-related products"
The "fear" phase.