Hi all,
Sorry for the size of this email, but this issue drives me nuts.
This discussion is for the most part not going anywhere and looks like
dirty laundry between various party.
Campaign for no BLOB start by refusing BLOB period. No one will do
goodwill if not force to do so. That's human nature at large with few
exceptions, but definitely corporation nature BIG TIME! Never ear of the
corporate Jello mentality? No matter how hard you push on one side of
the jiggleling good looking served plate on your table, as soon as you
stop pushing, it takes is original form back, unless you cut part of it.
Same for BLOBs. Unless you cut them out, they will keep coming back.
Show how BLOB are bad, refuse them, buy hardware that don't need BLOB.
If a product don't sale, they get replace on the free market, that's
just how it is. Company are after market share, if they don't sale, they
will change. So, make them change!
I already post proof on this list a few months ago of how bad BLOB are
with proof that if push to shove, I would argue that even the stock
exchange commission might be interested to know in some cases.
In my own case, I discover in my expensive commercial product purchase a
few years ago and fully licenses with yearly 20% purchase price
recurring support cost on it, that without my knowledge and even my
explicit agreement, that private informations were send to that company
each night! When raise hell on it, was send left and right with no clear
answer, but keeping pushing was told that it will be disable in my license.
But why was it there in the first place I asked? Did I have a choice? I
didn't even know it.
I didn't trust that answer, put firewall filtering everything coming OUT
of it and collecting stats on it as well to proof my point and to fully
discover really how it was working, oppose to what the technical manual
said it was work.
With logs in hands, send to them, that same company discovered that some
informations was leaking to some other employee, or may be ex employee
of that same company that they were not aware of.
How you call that for miss use BLOBs and why they shouldn't be allow.
You have no clue what's in them and what they do, because you can't see
the code from it!
Now a few months later, after all daily data is block, I get from that
same company emails saying in the line of (some part was deliberately
remove to protect the identity here)
" To ensure your ***** platform is performing properly, ...... to view
the performance of your system. You will be contacted ..... Support
engineer to access your respective system to capture performance data."
They never cared before, each time troubles were send to them, stupid
answers were provided in most cases, no solutions come out of it and we
are left to fix it ourselves via work around. Even when proof of
problems were provided, nothing was done to fix it!
Now tell me. Are they really interested in making sure my systems are
working properly??? Draw your own conclusions?
They never been before, but when all blobs were block from sending
private data from my business and my customers to them, a few months
later under pretenses of making sure all works well, they request access
to the systems?
Tell me, would you let Microsoft for example, access your servers to see
if they work well? I don't think so. But again, you might already do
that via BLOB. You just don't know.
If they were really proactive about performance of my systems, first of
all they would have make it obvious that they were doing that. Then they
would give you reports of it as well wouldn't they? Look to me if
someone was doing this legally or to help their customers in a proactive
way, I bet you that a marketing guy would make a big fuss about it to
sale it to you and use it to show you they care about you don't you
think? Buy our systems, we proactively monitor all aspect of it and
provide you feedback on the well being of your systems for your and your
customers benefit. I know a few IT manager that would jump to that and
be so happy to report to their managers all the good that come out of
this, etc.
Sorry, I don't buy it!
So, putting BLOB in your systems, is a way for any outsiders to have
access to your systems without you knowing it, regardless how you look
at it! OK, I grant you, it is not such a way in all cases, but do you
know that?
Plus you have no clue what these BLOB are doing!
I challenge you, anyone that accept BLOB in your systems without
questioning it, to proof that no private informations doesn't leak from
your systems and that you don't have a back door into your systems
without you knowing it. Or at best a remote hole ready to be discover
and not fix in the future as that same provider wouldn't care. How long
will it takes before you discover that you are running BLOB, knowingly
or not that have remote holes in them. Some users complained that some
security announcements are not release on security@, but send to misc@
and that's to hard to find, etc. But they are well publish and
accessible from so many different places. Now, do you think you will
even know you have a BLOB remote hole on your system? I bet not.
How many say they are well protected because they use PF for example,
but let me ask you this? How many saying this, also are proactive in
filtering what is going OUT as well as what's coming in? How many? There
is a truck load or users on the net that have no protections what so
ever, a few that are concern about it and will run PF or something else,
now how many of these will also configure it to allow OUT only what's
suppose to go out?
Aren't you running something like this:
pass out on $ext_if inet proto tcp all modulate state flags S/SA
pass out on $ext_if inet proto { udp, icmp } all keep state
For who ever are actually running PF?
Does this stop any outgoing traffic? I don't think so?
But you always ear that "my setup is so special and complicated that
doing so is impossible, you just don't understand". Well, I will reply
with, if you don't know what you are suppose to send out, you don't know
your setup, you don't understand your job and sure hell don't know how
to protect your systems either, so how can you do it in the first place.
These will be the same users to jump into putting BLOB into their
systems in the first place may be. just because it's easy to say yes,
oppose to find alternatives to them.
Most likely that person would be better cooking hamburger at McDonald's
if you asked me. But that's just my crude point of you I grant you that.
Accepting BLOB is the same thing here! Try to pretend that it is not, or
present it in any shape or form you want, that's what it is, so call it
as such. Simply irresponsible!
I guess if you put BLOB in your systems, then you don't value and
respect the data and property of your company and/or customers and don't
do them a service by doing so.
I value my customers to much to put any of their property in danger like
this. I am not perfect, I may make mistakes, but from the start, I try
not to be irresponsible to start with. Again, accepting BLOB, what ever
way you try to present it, is just that, irresponsible and careless. It
is choosing the easy way out at a price, up to you to decide what that
price is. I guess some value their freedom and security more then
others, or learn to value what they have left of it.
Say no to BLOB in any shape or form is the only way to go, and make a
stand about it and get the corporations to respond to it.
Then, when all open source projects are 100% free of BLOB, make it known
and talk with one voice. You will see how fast things change then.
Because by doing so, you just created a void in the market and a piece
of a pie to take away. Corporations respond to market share, nothing else!
Plus if you voice your concern and proof of security problem to media,
or even possible high risk of it, you will see share holders reacting to
it as well and demanding swift action on the subject to protect their
market share.
Call me idealist if you like, but that's really how it work in the real
world. This is no utopia to make it change quickly. But as long as all
involved see it for what it is, witch is not the case at this time for
sure. A temporary side effect may be you will not run the latest and
greatest video card or what nut, this month because you don't accept
BLOB, but that's your choice to make. Make no mistakes about it however,
it will not last to long before it change.
Put yourself at risk, for the force obligation to run BLOB on your
latest hardware if you like, but think first about what you value most?
Now that was way to long, my apology, but this issue drives me crazy and
it is very hard for me to conceive how users can't see this issue
clearly. But hey, it takes all kinds of users to create world wide
connected network where private informations is not so private after all
doesn't it?
Is your informations is private?
Best,
Daniel
