[CentOS] Fedora change that will probably affect RHEL

Fri Jul 31 13:37:25 UTC 2015
James B. Byrne <byrnejb at harte-lyne.ca>

On Thu, July 30, 2015 12:54, Chris Murphy wrote:

> On Thu, Jul 30, 2015 at 9:54 AM, Valeri Galtsev
> <galtsev at kicp.uchicago.edu> wrote:
>
>>> Now I use Google. They offer MFA opt in. And now I'm more secure
>>> than I was with the myopic ISP.
>>
>> "More secure" only to the level one can trust google ;-)
>
> Yes I know, but I put them in approximately the same ballpark as
> having to trust my proprietary CPU, and proprietary logic board's
> proprietary firmware.

So your motherboards and nics can 'call-home' on a regular basis and
you would not mind if they did?

There is, in my opinion, a fundamental difference between accepting
the possibility of vendor installed trojans on hosts that may never be
connected to an external network and adopting an infrastructure that
depends upon such behaviour.

Ones risk tolerance varies according to the perceived value of the
asset to be protected.  The problem that Google, Amazon, NSA, FSB,
GCHQ, CCSE and the rest pose to the average person is that the average
person has no idea of how to value pervasive recording of their
private activities.  Thus there is no basis upon which they may form a
reasonable risk assessment.  Therefore no reasonable estimation of the
acceptable cost for prevention can be made.

Consequently this promotes the prevalence of what amounts to
folk-remedy security measures; virus scanners (most of dubious or no
worth) mainly; master password protection schemes (that in many cases
require you to reveal all of your passwords to third-parties); and of
course consumer grade two-factor authentication schemes that just
happen to require revelation of your private cell phone number to
commercial enterprises.  The common elements to all these are: low
cost, dubious efficacy, hidden defects, and consumer ignorance.

I have a router at home that 'talks' to both my ISP and its
manufacturer on a regular basis, regardless of whether or not there is
active traffic on the exceptional circuit.  Which behaviour is why all
of my home traffic, internal and external, goes via an ssh pipe
established through a system placed in front of the router.

But how many consumers, and keep in mind that my ISP is one of the
largest telecoms in the world, would even dream that such things
happen?  Much less take steps to thwart that surveillance?  Or even
know what steps are possible?

This sort of stuff should be out and out illegal.  But, as the router
is the 'property' of the telecom it is up to them what they wish to
have it do and the consumer's choice it put up with that or do
without.

We are living in the golden age of snake-oil technology.  Which, as
the governments of the world have become addicted to surveillance of
their subjects, -- one cannot really call citizens those so treated by
their rulers --  is unlikely to change for a generation or more. It
took more than 100 years of consumer activism to change advertising
and product safety laws and these are yet far from perfect.  I am not
convinced that effective data security laws will prove any easier to
establish.  Or be accomplished any sooner.

Which is why I consider discussion of password strength nothing more
than a pointless diversion of attention from the real issues of data
security and network integrity.  A discussion that is truly
representative of our 'security theatre' industry; being both
expensive and irrelevant.  In system design we call this stuff
'bike-shedding'.

-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3