begin quoting Tracy R Reed as of Wed, Apr 20, 2005 at 09:25:19AM +0700:
> Stewart Stremler wrote:
> > No. Difficulty alone is insufficient. Security-by-obscurity is 'difficult'.
> > But it's not worth it.
>
> You are speaking in absolutes here. Always a dangerous thing. :)

Heh. Fair cop.

> You have a password on your email account right? That is security by
> obscurity.

No, it isn't. It's a secret.

> It is still possible to get into your email account (brute force) but it
> is very difficult.

You don't brute-force your way past security by obscurity; you finesse
it, or you explore your way around it.

> And that is probably pretty much the only protection you have on your
> email.

I have lots. Some are more protected than others.

> There are different kinds of security-by-obscurity. The traditional and
> most unwise kind is to scramble your movie in a proprietary non-peer
> reviewed algorithm and hide the key on the device that decrypts it and
> hope nobody finds out. That is the worst kind of security by obscurity
> and we have seen it fail.

Erm, that's not the example that comes to mind for me. I'm thinking of
code obfuscation, unpublished encryption algorithms, and created
web-pages that have no public links to them.

> Using a password is the best kind of security by obscurity and we can
> make it so difficult to defeat that it is sufficient enough. But

Except that it isn't 'obscurity' unless you broaden the term into
meaninglessness.

> running as root is not security by obscurity. At the moment everyone
> knows Linux users in general don't run as root. So the attacker knows
> exactly what they are up against. They know they will have to find a
> local exploit if they want to spoof those DDoS packets at their enemies'
> IRC server. That adds sufficient difficulty as to be worth it.

You're presuming network-friendliness again. I thought that we
determined that the theoretical user in question didn't have that high
on their list.

> > If they lose their data, it doesn't matter if the computer is still up
> > or not.
>
> And if the computer goes down they are likely to lose their data.

(Likely? Based on what? I've had computers 'go down' -- crash -- a lot,
and rarely has data been lost. So it's not the computer crashing that's
the problem.)

And if they lose their data but the computer stays up, the computer
might as well go down.

> > Really? And here I was under the impression that Linux distributions had
> > kicked that problem and made the installation easy!
>
> The initial installation is easy, sure. Reinstall while preserving user
> data may be easy for the end user if he knows how to reinstall only the
> system partitions and then manually remount his /home. I don't see
> Lindows users doing this.

Yah, they'll probably be told to use a single-user install. But I see
that other operating systems are ahead of Linux here. Perhaps the
installers will get better in time.

> >> Backing up their data is a major PITA which is why very few people do
> >> it. They
> >
> > True. That's a deficiency in the system. :)
>
> Actually, it doesn't have to be. We all have these huge HD's now but
> relatively little important data that really needs to be saved. We

According to who? We have large hard-drives, but we also have
multi-megapixel digital cameras. We have digital video cameras. We have
email with no effective size limit, and so we share. Most of the user's
data should be treated as important. And that goes up every year.

> should just be copying all of our data to another HD or a trusted
> friend's HD. No need for the average user to get involved in complicated
> backup software and media rotation etc. But most people think they have
> to do this in order to have good backups and it ends up being so much
> trouble that they don't even bother.

Keeping just one copy of your data strikes me as a security concern.

But, that being said, they sell those one-push disk things that will
'backup your data'. Plug it into the firewire port, push the button,
and it backs up your machine for you. Would that be sufficient?

> > The OS is the queen. The user's data is the king. If you lose the king,
> > all else is irrelevant.
>
> And if you lose the queen the king sits at home alone on a friday night
> with rosey and her five sisters.

Now you're descending into rude imagery. For humor or lack of a decent
response I can't tell.

[snip]

> > Yes. But that's not the point.
>
> Of course it's the point! It's one of the big reasons why we don't run
> as root!

WE don't run as root because WE run servers and multi-user machines.

> >> The user's data is very unpredictable. But the OS data is usually the
> >> same from one machine to another and is a target for modification with
> >> often disastrous consequences for the user's data.
> >
> > So?
>
> So the user's data is harder to programmatically mine or modify whereas
> the OS is relatively easy which increases the chances of an attacker
> messing with the OS and crashing the system.

So? Once the user's data is compromised, we don't CARE what happens to
the system from a security standpoint. If it crashes, all the better,
we know we had a problem.

> > When your system is compromised, you can't trust _anything_. Full stop.
> > Trying to split hairs about what is "likely" is... wishful thinking.
>
> And how will you know your system is compromised? I think it is much
> easier to tell if you don't give them root on a silver platter.

I don't think it matters. Either they left a trail, or they didn't, and
if you don't find obvious evidence, you still need to boot from clean
media to check.

> > How do you know? You don't. You can't. Unless you're monitoring all
> > the activities on the machine, it's all wishful thinking.
>
> Sure we know. You've never seen an exploited box? How often did they
> mess with stuff in a homedir compared to how often they rootkit the box
> and leave the homedir alone?

I've seen /var trashed, /home trashed, and an attempt at 'rm -rf'.

Perhaps you've forgotten the deliberate malice in the 80's and 90's
targeted at the user's data? That mindset hasn't gone away, it's just
been swamped by the spammers and DDoSers. So appealing to the good
nature of the intruders to be nice is, well, we're back to wishful
thinking again, aren't we?

> >>> It's easy for us to get caught up in protecting the OS that we forget
> >>> that a single-user machine is there for a single user. If they lose
> >>> their data, what use is the machine?
> >>
> >> See above.
> >
> > The question stands.
> >
> > What use is the machine?
>
> Then the machine is obviously of no use.

Exactly.

> Past experience with these things shows that if you lose the OS you are
> likely to lose your data as well.

Irrelevant. Once you've lost your data, who cares about the OS?

Now, if you put TWO users on the system, the question undergoes a state
change -- losing MY data but not YOUR data is better than losing my data
AND your data. But we're now outside of the constraints of the question.

> > Dunno about BIOS, but a PROM password prevents _any_ changes, from
> > what I've seen.
>
> Do PC's (or any platform) have this capability? I have never heard of it
> before. Only PROM write protection I know of is blowing the fuse which
> turns it into a ROM.

BootPROMs have had passwords for some time. The next time you flash
your BIOS, set a password first, and see what happens...

> > Application-level bugs. Are we opening the door to those? (If IE and
> > Outlook were released for Linux, what are the chances of their being
> > setuid root?)
>
> If they were released for Linux I doubt they would be suid root. They
> may need administrator privs on Windows because of the poor design in
> which one big application reaches into every nook and cranny of the
> system in an attempt to be "integrated" with the OS.

You're being reasonable in response to my cynicism. Stop that!

> > If you could arrange things so the OS would be trashed but the data
> > safe, you'd be peachy.
>
> Sure you would. But this is usually not possible.

Exactly!

> > Which is Michael's point, I think: either way, your data is in trouble.
> >
> > So why make things more annoying for yourself?
>
> I still think nobody is really after your data. They are after your box
> as a network/computing resource and they need access to the OS to do

That's not a safe assumption.

> this. And while accessing the OS there is a very good chance they will
> screw something up which will cause you to lose your data.

If they're not after your data, and/or aren't interested in being
malicious, how will screwing up the OS lose your data? It's still on
the disk! Crashing the machine doesn't trash your home directory.
Unless this is a new feature that I am as yet unaware of.

> > If your system is compromised, it's compromised. Your data is in danger.
> > Appealing to the masses doesn't change that.
>
> I never said it wasn't. What I am saying is that giving the attacker
> access to your OS on a silver platter is a good way to lose your data as
> well.

You keep saying that as if it means something. You've already lost your
data in this case. Why are you worrying about the OS?

[snip]

> > That doesn't explain why I don't spread broken glass on my doorstep.
> >
> > Or put in thirty-seven deadbolts instead of one.
>
> Here is the safety vs usability tradeoff we always mention. Spreading
> broken glass or 37 deadbolts is very inconvenient. Just one deadbolt
> seems to be the sweet spot for most people.

Exactly! The assertion is that the safety vs usability tradeoff for a
single-user system is 'full access everywhere'. That's the claimed
'sweet spot' for this case.

> > And why don't I lock _all_ the doors inside the house? Make him break
> > into the bathroom and the bedroom. That would add 'security in depth'.
> >
> > I think the 'more difficult' excuse^Wexplanation is overly simplistic.
>
> So instead of "more difficult" you demand absolute security or it isn't
> worth bothering with?

No... I'm saying that difficulty for its own sake does not make things
any better. I demand that additional difficulty in the name of security
ought to actually provide a concomitant improvement in security. The
root/non-root distinction in the single-user non-dual-boot system
doesn't appear to do that.

I feel like the Tortoise trying to convince Achilles that A and B imply
C...

-Stewart "Have recently been introduced to Pareto optimality" Stremler
-- [email protected] http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-list
