On Fri, Apr 8, 2022 at 7:41 AM Johannes Meixner <[email protected]> wrote: > Why? > I described why even some weak authentication > could be useful in a trusted environment. >
Authentication is not encryption. Authentication is *access control*. Encryption is *data privacy*. Don't confuse the two. Remember, we don't know what is being scanned in. It could be orders with written credit card numbers. It could be trade secrets. It could be some kid's fridge art. > > > if some rogue actor has root control over a server > > Such a case does not need to be considered > for things inside a trusted environment. > Hacking of a server to drop a root access trojan program happens in "trusted environments." Have you not heard the news of it happening to Microsoft and Okta? In this case, a "trusted environment" is one that is fully isolated from the Internet. If there's any connection that lets it go out, no matter what medium, it's not isolated. Everything else is "more secured." > > > Having folks get asked for a username/password > > will prevent the curious. > > Yes, that's the idea of it. > Prevent in particular accidental use. > Just like door plates at toilets. > > If you like access for everyone > do not set up authentication. > Lets settle one thing: I'm for preventing the curious. I'm also for preventing the rogue. "Secure the connection" means "encrypt the connection and authenticate while encrypted." Are you not for securing the connection? Kelly "STrRedWolf" Price http://redwolf.ws
