On Thu, Nov 22, 2018 at 09:55:35AM -0600, Boris Goldberg wrote:
> Hello Chris,
> 
>   There is something extremely weird going on around lately. People
> easily take offense where no offense was intended (and hard to find
> anyway). Nick was just telling you that (in his expert opinion) you
> shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
> but concentrate on the real security instead. Unfortunately the real
> security takes years of learning and experience, and can't be "advised" in
> a couple of emails, but he provided a lot of valuable (and valid)
> information (which you were not ready to digest, I guess).
>   If you are allowing arbitrary code to run on your server you are
> screwed with or without Spectre, otherwise there is nothing to spy on you
> on that server (even if it's technically possible).
>   If (any) government agency really wants to access your server, you are
> writing to the wrong list, otherwise government-installed spying chips (if
> any) won't really hurt you. On the other hand, crapware (like Superfish)
> might.
> 
> BTW, your boss doesn't need to be stupid to compromise your password (or
> keys), just a "normal" human. Security isn't grokkable by "normal" people.

I'm actually sorry, Nick.
I've got a personal situation that has me very touchy right now.
But that's another issue completely.

Since there is a forum, and one has to stay, I have a few questions.
I looked over a lot of forums, both for features and security.
I realized that I couldn't properly judge security.
If a forum has a lot of security patches, does that mean that problems
are being swiftly dealt with or that the forum has serious problems?
If a forum doesn't have reported security patches, does that mean that
it is good or just not maintained? I never thought about this before.

It seems to me that a login username should not be allowed to be the
displayed forum username. The real username is also used for purchases,
membership activities, etc.


I also think that passwords need to be enforced to be changed
occasionally. What sort of timing delay is okay with users?
Nobody really likes changing passwords, but since so many people use the
same one all over the place, it seems like a good idea since they would
then be forced to have a different one from the rest.


There is a need for pretty secure stuff, like the forum and membership,
purchases, etc.
But also very secure activities. Seems to me that 2 servers (or more)
would be best to accomplish this. Any disagreement or other suggestions?
The main website is probably the most important objective right now.
It's what the public sees. And if (which means when, not if) I make a
mistake, the world won't come tumbling down.

Thanks all,
Chris Bennett