Security: Don't use PPAs or Debian? Huh?


    #16
    Originally posted by vinnywright View Post
    which is why I asked Steve if he practiced it
    I practice a variant. Schadenfreudzen. Chilled out joy, dude. And minimal harm.

    Comment


      #17
      back to on topic... did I say that... In all reality you just never know what could be in the software we use... every distro just about will have packages compiled from source in their repos and someone is doing the compiling... and could introduce anything at all.

      the big Q is... "do you feel lucky today... well do ya punk."

      VINNY
      i7 4core HT 8MB L3 2.9GHz
      16GB RAM
      Nvidia GTX 860M 4GB RAM 1152 cuda cores

      Comment


        #18
        That's right. Using a computer and its software essentially requires extending a degree of trust to mostly unknown parties.

        Comment


          #19
          Isn't it amazing, given how many individuals contribute to Linux, that there aren't backdoors and privilege escalation vulnerabilities in everything? It's almost as amazing as al-Qaeda not being able to get anything past the TSA. Must be because of the NSA's SELinux software, which we're mandated to trust without question. I know it makes me feel safe and secure anyway.

          Security is an illusion and people spend way too much time securing things of little or no value.

          Comment


            #20
            Originally posted by InsideJob View Post
            Isn't it amazing, given how many individuals contribute to Linux, that there aren't backdoors and privilege escalation vulnerabilities in everything?
            Such backdoors eventually get found and code is modified to either remove them or eliminate their execution paths. See, for instance, weaknesses in Dual_EC_DRBG.

            Originally posted by InsideJob View Post
            It's almost as amazing as al-Qaeda not being able to get anything past the TSA.
            I'm assuming this statement is sarcasm.

            Originally posted by InsideJob View Post
            Must be because of the NSA's SELinux software, which we're mandated to trust without question.
            Who's mandating you to trust SELinux? Debian/Ubuntu don't -- it's disabled here, and these distros use AppArmor instead. But SELinux is actually very good at what it does, and no one's "mandating trust without question." While it was an NSA development, the code is completely open source and was accepted into the 2.6 mainline kernel. It's been reviewed countless times.

            Originally posted by InsideJob View Post
            I know it makes me feel safe and secure anyway.
            Safety and security aren't the same thing, and simply feeling safe and secure doesn't necessarily mean that you actually are safe and secure. See, for example, airport security.

            Originally posted by InsideJob View Post
            Security is an illusion and people spend way too much time securing things of little or no value.
            It's an illusion only if it isn't risk-based. Taking a risk-based approach to evaluating and implementing security controls has tangible, measurable benefits in making a system more resilient. I'll agree that, far too often, people direct their energies toward securing the wrong things, though.

            Comment


              #21
              Security is always a trade-off with usability/freedom. The only way to truly secure your computer would be to encase it in concrete and sink it to the bottom of the ocean. Anything less than that will not be 100% secure.

              The al-Qaeda comment (which means the-Toilet) in Arabic is a reference to the recent 95% failure rate of the TSA. If there was really a global terrorist organization conspiring to kill you, you'd be dead already. All this fear mongering serves people who sell security services (like the military) not the public.

              Comment


                #22
                Originally posted by InsideJob View Post
                Security is always a trade-off with usability/freedom. The only way to truly secure your computer would be to encase it in concrete and sink it to the bottom of the ocean. Anything less than that will not be 100% secure.
                I've used this analogy a lot. Thing is, even here, the computer isn't secure -- saltwater will corrode the concrete and the pressure will crush the machine. Feathers, our civil engineer in residence, can probably comment further.

                Originally posted by InsideJob View Post
                The al-Qaeda comment (which means the-Toilet) in Arabic
                A fair amount of discussion disputes this interpretation. I'll leave it up to individual forum members to fire up Tor and go Googling for themselves.

                Originally posted by InsideJob View Post
                the recent 95% failure rate of the TSA. If there was really a global terrorist organization conspiring to kill you, you'd be dead already. All this fear mongering serves people who sell security services (like the military) not the public.
                I agree with this. The likelihood of any of us being killed in a terrorist incident is approximately 1 in 12,500,000. Billions of dollars have been wasted on protective measures that are essentially worthless for us.



                I spoke about this at TechEd in 2007. An Australian journalist wrote about my session. Amazingly, my slides are still available! (Hint: slide 58 is intended to show the opposite of what a security professional is actually supposed to do.)

                Comment
