Back on topic... did I say that? In all reality, you just never know what could be in the software we use. Just about every distro will have packages compiled from source in their repos, and someone is doing the compiling, and could introduce anything at all.
The big Q is: "Do you feel lucky today? Well, do ya, punk?"
Isn't it amazing, given how many individuals contribute to Linux, that there aren't backdoors and privilege escalation vulnerabilities in everything? It's almost as amazing as al-Qaeda not being able to get anything past the TSA. Must be because of the NSA's SELinux software, which we're mandated to trust without question. I know it makes me feel safe and secure anyway.
Security is an illusion and people spend way too much time securing things of little or no value.
Isn't it amazing, given how many individuals contribute to Linux, that there aren't backdoors and privilege escalation vulnerabilities in everything?
Such backdoors eventually get found and code is modified to either remove them or eliminate their execution paths. See, for instance, weaknesses in Dual_EC_DRBG.
Must be because of the NSA's SELinux software, which we're mandated to trust without question.
Who's mandating you to trust SELinux? Debian/Ubuntu don't -- it's disabled here, and these distros use AppArmor instead. But SELinux is actually very good at what it does, and no one's "mandating trust without question." While it was an NSA development, the code is completely open source and was accepted into the 2.6 mainline kernel. It's been reviewed countless times.
Safety and security aren't the same thing, and simply feeling safe and secure doesn't necessarily mean that you actually are safe and secure. See, for example, airport security.
Security is an illusion and people spend way too much time securing things of little or no value.
It's an illusion only if it isn't risk based. Taking a risk-based approach to evaluating and implementing security controls has tangible, measurable benefits in making a system more resilient. I'll agree that, far too often, people direct their energies toward securing the wrong things, though.
Security is always a trade-off with usability/freedom. The only way to truly secure your computer would be to encase it in concrete and sink it to the bottom of the ocean. Anything less than that will not be 100% secure.
The al-Qaeda comment (which means "the Toilet" in Arabic) is a reference to the recent 95% failure rate of the TSA. If there were really a global terrorist organization conspiring to kill you, you'd be dead already. All this fear mongering serves people who sell security services (like the military), not the public.
Security is always a trade-off with usability/freedom. The only way to truly secure your computer would be to encase it in concrete and sink it to the bottom of the ocean. Anything less than that will not be 100% secure.
I've used this analogy a lot. Thing is, even here, the computer isn't secure -- saltwater will corrode the concrete and the pressure will crush the machine. Feathers, our civil engineer in residence, can probably comment further.
the recent 95% failure rate of the TSA. If there was really a global terrorist organization conspiring to kill you, you'd be dead already. All this fear mongering serves people who sell security services (like the military) not the public.
I agree with this. The likelihood of any of us being killed in a terrorist incident is approximately 1 in 12,500,000. Billions of dollars have been wasted on protective measures that are essentially worthless for us.
I spoke about this at TechEd in 2007. An Australian journalist wrote about my session. Amazingly, my slides are still available! (Hint: slide 58 is intended to show the opposite of what a security professional is actually supposed to do.)