[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: sudo security Was: Reporting missing package during install

Iain M Conochie writes:
 > On 11/12/13 08:01, Gian Uberto Lauri wrote:
 > >   > Encrypt your hard disk.
 > >
 > > Hoping that the encryption you use has no backdoor.
 > You do understand what the peer review process is right? 

I got it about 20 years ago. Is it enough?

 > Although not a 
 > magic bullet, it can help weed this out.
 
You say it. It is not bullet proof. The bullet has already pierced the
target once. Therefore it may happen again.

But this is only partly in topic with the sudo security (or better,
sudo configuration security), since data privacy is only part of the
problem, maybe the lesser part of the problem: the cpu time of the
machine could be more profitable that the information it stores.

 > >
Iain M Conochie <iain@thargoid.co.uk>
 > >> Choose a *very* good password.
 > > For the encryption, I suppose. That once one has his hands on the
 > > hardware there is no user/prom/bios password stopping his intrusion.
 > 
 > Oh please. A BIOS password does nothing if your computer is stolen. Just 
 > remove the disk and put it in another one.

I know I am not an English native speaker, that my English language
skills are more "wild magic" than education.

I know that when a message is not understood you have to blame the
message transmitter.

But I still think that

    "That once one has his hands on the hardware there is no
     user/prom/bios password stopping his intrusion."
 
means that no password at all will stop an intruder that can
physically reach a machine. 

May I suggest  to think about the  text you are commenting  a bit more
and to ask when in doubt?

 > Security is a journey, not a destination. No one thing will make your 
 > computer use secure.

Ahem, it was 20 years ago when I played the "break the security" game.
Maybe my technical skills could be outdated there, not the basic
theory henceforth we agree on this completely.

 > Well, maybe never connecting it to a network is the 
 > one major thing you can do.

No. The last frontier is to use the audio device to establish unwanted
communication channels. And stuxnet demonstrated that you can hit not-network
connected computer provided a large number of vulnerable machines.

(am I really the only one that took care to read how stuxnet worked?)

I think that the security problems that sudo could pose with the
default configuration could really be "useful" in a situation where
you need a large number of bots. What could trigger this? a large user
base with a majority of non-tech aware users.

 > However, that makes it un-usable in my 
 > opinion. You can never be completely secure. Just as in the world you 
 > can never be completely safe. You have to make compromises.

True, in the sense that security costs should never be larger than the
value of the secured thing.

But, in my (not so) humble, it is also true that the expert has to
protect the non-expert, especially in a socially aware environment.

 > The one thing I would say is that security by obscurity is worse than no 
 > security as it gives you the nice warm glow that you are secure without 
 > being so.

100% true.

 > I see this alot in the commercial world and it really sucks :(

Again, 100% true.

-- 
 /\           ___                                    Ubuntu: ancient
/___/\_|_|\_|__|___Gian Uberto Lauri_____               African word
  //--\| | \|  |   Integralista GNUslamico            meaning "I can
\/                 coltivatore diretto di software       not install
     già sistemista a tempo (altrui) perso...                Debian"

Warning: gnome-config-daemon considered more dangerous than GOTO
Reply to: