> On 04 Sep 2025, at 18:48, Gert Doering <gert at greenie.muc.de>
wrote:
>
> Hi,
>
> On Thu, Sep 04, 2025 at 02:46:22PM +0000, Rene Malmgren wrote:
>> Would you put 1000 BTC on a system and have OpenSSH as a frontline
software to protect it?
>
> I would not put 1000 BTC on a system that is accessible via any means
> from the Internet. This is how real men do "security".
Yeah that one? the only secure computer, is one buried in a 100feet thick and
deep steel enforced concrete container with no network en electricity supply?
and even then I?ll have my doubts ;)
I do believe the only fail safe firewall is the side-cutter applied to both the
network en power cables.>
> But if I had to, OpenSSH would be the least of my worries. I guess I'd
> ensure that only pubkey auth is possible, that there is a firewall in
> the way that only allows specific subnets that I trust, etc. - but that
> is general good hygiene. Reduce blast radius. Bugs happen.
Even subnets can?t be ?trusted? once you?ve traversed an untrusted network?
which makes for an interesting thing I can now do with IPv6? I have typically
64bits to use for a hash/mac to communicate with 0_o thanks that is an
interesting toy R&D
> Like, kernel bugs that are exploitable remotely... so, "do not put
things
> on the Internet".
I?ll add that I?ll also NOT use a public Linux Distro, but OpenBSD that was
audited (Somebody once said: Trust, but verify) the the borders too..
>
> gert
> --
> "If was one thing all people took for granted, was conviction that if
you
> feed honest figures into a computer, honest figures come out. Never doubted
> it myself till I met a computer with a sense of humor."
> Robert A. Heinlein, The Moon is a Harsh
Mistress
>
> Gert Doering - Munich, Germany gert at
greenie.muc.de
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev