James B. Byrne
2015-Jul-31 13:37 UTC
[CentOS] Fedora change that will probably affect RHEL
On Thu, July 30, 2015 12:54, Chris Murphy wrote:> On Thu, Jul 30, 2015 at 9:54 AM, Valeri Galtsev > <galtsev at kicp.uchicago.edu> wrote: > >>> Now I use Google. They offer MFA opt in. And now I'm more secure >>> than I was with the myopic ISP. >> >> "More secure" only to the level one can trust google ;-) > > Yes I know, but I put them in approximately the same ballpark as > having to trust my proprietary CPU, and proprietary logic board's > proprietary firmware.So your motherboards and nics can 'call-home' on a regular basis and you would not mind if they did? There is, in my opinion, a fundamental difference between accepting the possibility of vendor installed trojans on hosts that may never be connected to an external network and adopting an infrastructure that depends upon such behaviour. Ones risk tolerance varies according to the perceived value of the asset to be protected. The problem that Google, Amazon, NSA, FSB, GCHQ, CCSE and the rest pose to the average person is that the average person has no idea of how to value pervasive recording of their private activities. Thus there is no basis upon which they may form a reasonable risk assessment. Therefore no reasonable estimation of the acceptable cost for prevention can be made. Consequently this promotes the prevalence of what amounts to folk-remedy security measures; virus scanners (most of dubious or no worth) mainly; master password protection schemes (that in many cases require you to reveal all of your passwords to third-parties); and of course consumer grade two-factor authentication schemes that just happen to require revelation of your private cell phone number to commercial enterprises. The common elements to all these are: low cost, dubious efficacy, hidden defects, and consumer ignorance. I have a router at home that 'talks' to both my ISP and its manufacturer on a regular basis, regardless of whether or not there is active traffic on the exceptional circuit. Which behaviour is why all of my home traffic, internal and external, goes via an ssh pipe established through a system placed in front of the router. But how many consumers, and keep in mind that my ISP is one of the largest telecoms in the world, would even dream that such things happen? Much less take steps to thwart that surveillance? Or even know what steps are possible? This sort of stuff should be out and out illegal. But, as the router is the 'property' of the telecom it is up to them what they wish to have it do and the consumer's choice it put up with that or do without. We are living in the golden age of snake-oil technology. Which, as the governments of the world have become addicted to surveillance of their subjects, -- one cannot really call citizens those so treated by their rulers -- is unlikely to change for a generation or more. It took more than 100 years of consumer activism to change advertising and product safety laws and these are yet far from perfect. I am not convinced that effective data security laws will prove any easier to establish. Or be accomplished any sooner. Which is why I consider discussion of password strength nothing more than a pointless diversion of attention from the real issues of data security and network integrity. A discussion that is truly representative of our 'security theatre' industry; being both expensive and irrelevant. In system design we call this stuff 'bike-shedding'. -- *** e-Mail is NOT a SECURE channel *** Do NOT transmit sensitive data via e-Mail James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
Valeri Galtsev
2015-Jul-31 14:44 UTC
[CentOS] Fedora change that will probably affect RHEL
On 07/31/15 08:37, James B. Byrne wrote:> > On Thu, July 30, 2015 12:54, Chris Murphy wrote: > >> On Thu, Jul 30, 2015 at 9:54 AM, Valeri Galtsev >> <galtsev at kicp.uchicago.edu> wrote: >> >>>> Now I use Google. They offer MFA opt in. And now I'm more secure >>>> than I was with the myopic ISP. >>> >>> "More secure" only to the level one can trust google ;-) >> >> Yes I know, but I put them in approximately the same ballpark as >> having to trust my proprietary CPU, and proprietary logic board's >> proprietary firmware. > > So your motherboards and nics can 'call-home' on a regular basis and > you would not mind if they did? > > There is, in my opinion, a fundamental difference between accepting > the possibility of vendor installed trojans on hosts that may never be > connected to an external network and adopting an infrastructure that > depends upon such behaviour. > > Ones risk tolerance varies according to the perceived value of the > asset to be protected. The problem that Google, Amazon, NSA, FSB, > GCHQ, CCSE and the rest pose to the average person is that the average > person has no idea of how to value pervasive recording of their > private activities. Thus there is no basis upon which they may form a > reasonable risk assessment. Therefore no reasonable estimation of the > acceptable cost for prevention can be made. > > Consequently this promotes the prevalence of what amounts to > folk-remedy security measures; virus scanners (most of dubious or no > worth) mainly; master password protection schemes (that in many cases > require you to reveal all of your passwords to third-parties); and of > course consumer grade two-factor authentication schemes that just > happen to require revelation of your private cell phone number to > commercial enterprises. The common elements to all these are: low > cost, dubious efficacy, hidden defects, and consumer ignorance.The main lesson of history is that people never learn lessons of history (I refer to known dictatorships collecting all possible information about everybody, still us, "free people", don't care)> > I have a router at home that 'talks' to both my ISP and its > manufacturer on a regular basis, regardless of whether or not there is > active traffic on the exceptional circuit. Which behaviour is why all > of my home traffic, internal and external, goes via an ssh pipe > established through a system placed in front of the router. > > But how many consumers, and keep in mind that my ISP is one of the > largest telecoms in the world, would even dream that such things > happen? Much less take steps to thwart that surveillance? Or even > know what steps are possible?ISP still will collect information about your traffic destination, as they know where packets from your front box go (their equipment does send this your traffic there). There are ways to thwart that, tor project is the first that comes to my mind.> > This sort of stuff should be out and out illegal. But, as the router > is the 'property' of the telecom it is up to them what they wish to > have it do and the consumer's choice it put up with that or do > without. > > We are living in the golden age of snake-oil technology. Which, as > the governments of the world have become addicted to surveillance of > their subjects, -- one cannot really call citizens those so treated by > their rulers -- is unlikely to change for a generation or more. It > took more than 100 years of consumer activism to change advertising > and product safety laws and these are yet far from perfect. I am not > convinced that effective data security laws will prove any easier to > establish. Or be accomplished any sooner.This illegal activity is a crime I never heard any politician was ever punished for. 100 years is infinity for me (I will not live that long). But I agree, let's at least try to do something. Valeri> > Which is why I consider discussion of password strength nothing more > than a pointless diversion of attention from the real issues of data > security and network integrity. A discussion that is truly > representative of our 'security theatre' industry; being both > expensive and irrelevant. In system design we call this stuff > 'bike-shedding'. >-- ++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++