Re: Fedora change that will probably affect RHEL

On 07/31/15 08:37, James B. Byrne wrote:

On Thu, July 30, 2015 12:54, Chris Murphy wrote:

On Thu, Jul 30, 2015 at 9:54 AM, Valeri Galtsev
<galtsev@xxxxxxxxxxxxxxxxx> wrote:

Now I use Google. They offer MFA opt in. And now I'm more secure
than I was with the myopic ISP.

"More secure" only to the level one can trust google ;-)

Yes I know, but I put them in approximately the same ballpark as
having to trust my proprietary CPU, and proprietary logic board's
proprietary firmware.

So your motherboards and NICs can 'call-home' on a regular basis and
you would not mind if they did?

There is, in my opinion, a fundamental difference between accepting
the possibility of vendor installed trojans on hosts that may never be
connected to an external network and adopting an infrastructure that
depends upon such behaviour.

One's risk tolerance varies according to the perceived value of the
asset to be protected.  The problem that Google, Amazon, NSA, FSB,
GCHQ, CCSE and the rest pose to the average person is that the average
person has no idea of how to value pervasive recording of their
private activities.  Thus there is no basis upon which they may form a
reasonable risk assessment.  Therefore no reasonable estimation of the
acceptable cost for prevention can be made.

Consequently this promotes the prevalence of what amounts to
folk-remedy security measures; virus scanners (most of dubious or no
worth) mainly; master password protection schemes (that in many cases
require you to reveal all of your passwords to third-parties); and of
course consumer grade two-factor authentication schemes that just
happen to require revelation of your private cell phone number to
commercial enterprises.  The common elements to all these are: low
cost, dubious efficacy, hidden defects, and consumer ignorance.

The main lesson of history is that people never learn lessons of history (I refer to known dictatorships collecting all possible information about everybody; still we, "free people", don't care).


I have a router at home that 'talks' to both my ISP and its
manufacturer on a regular basis, regardless of whether or not there is
active traffic on the exceptional circuit.  Which behaviour is why all
of my home traffic, internal and external, goes via an ssh pipe
established through a system placed in front of the router.

But how many consumers, and keep in mind that my ISP is one of the
largest telecoms in the world, would even dream that such things
happen?  Much less take steps to thwart that surveillance?  Or even
know what steps are possible?

The ISP will still collect information about your traffic destination, as they know where packets from your front box go (their equipment does send your traffic there). There are ways to thwart that; the Tor project is the first that comes to my mind.


This sort of stuff should be out and out illegal.  But, as the router
is the 'property' of the telecom it is up to them what they wish to
have it do and the consumer's choice to put up with that or do
without.

We are living in the golden age of snake-oil technology.  Which, as
the governments of the world have become addicted to surveillance of
their subjects, -- one cannot really call citizens those so treated by
their rulers --  is unlikely to change for a generation or more. It
took more than 100 years of consumer activism to change advertising
and product safety laws and these are yet far from perfect.  I am not
convinced that effective data security laws will prove any easier to
establish.  Or be accomplished any sooner.

This illegal activity is a crime I have never heard of any politician ever being punished for. 100 years is infinity for me (I will not live that long). But I agree, let's at least try to do something.

Valeri

Which is why I consider discussion of password strength nothing more
than a pointless diversion of attention from the real issues of data
security and network integrity.  A discussion that is truly
representative of our 'security theatre' industry; being both
expensive and irrelevant.  In system design we call this stuff
'bike-shedding'.


--
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos


