On Thu, Mar 28, 2024 at 03:23:48PM -0400, Lee wrote: [...] > I disagree. I don't think I'm qualified to make an adequate threat > analysis for a Debian system and yet Nobody is. The threat analysis for my virtual server "out there" is totally different (sshd, exim, http(s), git running on external ports, yadda, yadda), but running 24/7 in some physically protected data center; for my laptop, most of the time behind a firewall, but running a web browser *and* phisically insecure (can be stolen/left behind). So in the first case it makes sense to focus on network hardening, whereas disk encryption is an unnecessary hassle (ever tried to boot from a LUKS disk remotely? Yes, I know it /can/ be done). In the second case disk encryption is a /must/ (as it is to keep up to date with it). How would you make a threat analysis "for Debian"? That makes no sense. The only you can do is to document the security properties of each and every component and use that as a toolkit for your particular use case. Security, as Bruce Schneier [1] says, is a process. Not a product. Cheers [1] https://www.schneier.com/ -- t
Attachment:
signature.asc
Description: PGP signature