On Oct 10, 2013, at 9:08 AM, Giles Coochey <gi...@coochey.net> wrote:
> On 10/10/2013 13:55, Ian Bowers wrote:
>> On Thu, Oct 10, 2013 at 8:17 AM, Alexandre Paradis
>> <alexandre.para...@gmail.com> wrote:
>> indeed, i vote to continue. Because you don't mind being overlooked by NSA
>> doesn't mean everybody don't care.
>>
>>
>>
>>
>> On Thu, Oct 10, 2013 at 7:33 AM, RĂ¼diger G. Biernat
>> <rgbier...@rgbiernat.homelinux.org> wrote:
>> This discussion about security/NSA/encryption IS important. Please go on.
>>
>>
>>
>>
>> Whether or not this is an important conversation is irrelevant. This is the
>> wrong place to have the conversation.
>>
>> I tried to turn this back into a product support discussion in the last
>> thread but sadly my comments were not among those cherry picked. This
>> discussion does not suit the purpose of this list. I see a bunch of hard
>> working people reacting to their product's integrity being continuously
>> questioned despite having all questions answered, and a few entitled
>> consumers who can't be bothered to figure out technology well enough to come
>> to their own conclusion on its integrity. As well as a bunch of people
>> that want this discussion to go someplace more appropriate. The "concerned"
>> parties are not concerned enough to learn how to read code. So you're
>> paranoid, just not paranoid enough to actually learn how to answer your own
>> questions.
>>
>> Unless there is an issue someone is having making a VPN work or getting NAT
>> running right, this is the wrong place to hold this discussion. If you're
>> having an issue with this pfSense, networking protocols, or logical
>> opertaion of the device, great! let's talk about it! I'm actually very
>> good at these things, and I'd like to spend time helping people with network
>> or network security related operational problems. Otherwise, please find
>> the email addresses of all the people who shown an interest in participating
>> in this discussion, and send an email out to that list of people to discuss
>> it among yourselves.
>>
>>
> *BLINK!*
>
> Incredible!!!! the way I am seeing the reaction to the initial question, and
> trying to query very valid points are now leading me to seriously reconsider
> the potential risk I have in continuing to use pfsense as a security tool.
Some people value the S/N ratio of mailing lists. I believe the people asking
for the discussion to be moved elsewhere are motivated by that.
As to people "trying to query very valid points," even if we take that on face
value, what do you or they hope to accomplish by asking the pfSense project
directly whether they have been approached by the NSA? The reporting around
the leaked NSA Files has established that one of the major concerns is the
legal apparatus that enables the NSA to approach companies whilst compelling
those companies not to reveal the fact. So, it's highly likely that had the
pfSense project been approached, part of that approach would have included a
mandate not to tell anyone. So how could a definitive answer be obtained given
that silence from the pfSense project COULD be interpreted to mean "yes" but
doesn't definitively mean "yes." Some people have posited ways of evading such
gag orders (e.g.,
http://www.theguardian.com/technology/2013/sep/09/nsa-sabotage-dead-mans-switch),
but, AFAIK, they have not been battle-tested in court.
I am left wondering, therefore, what it would take for people to accept that
pfSense is trustworthy in a good-faith sense? The original poster in this
thread asked for a direct answer to a straightforward question and he got it,
yet still he continues to pursue this thread. To what end? People are
outraged at the NSA revelations, but the pfSense mailing list is not the
appropriate place to be outraged at that. Go comment at the news outlets.
Write your elected officials. Support the EFF and the likes. But what more
can be accomplished on this mailing list?
There was an attempt to redirect the thread to something more practical and
focused on pfSense, e.g., what now could be considered best practices settings
to use for encryption, but it doesn't appear to be gaining much traction vs.
this thread. (Part of that might be due to the fact that not much practical
information is available right now.) As I've pointed out, the original thread
query has been answered definitively (twice now). The original poster has said
that the availability of the source code for scrutiny is not sufficient, but it
seems that ultimately that is all you have to go on in open source projects.
It's not clear to me what response it would take to establish trustworthiness
in pfSense for the original poster and the others that are apparently being led
to "to seriously reconsider the potential risk ... in continuing to use pfsense
as a security tool." Maybe if we can establish that, we can finally wrap up
this thread as far as pfSense is concerned and get back to a pfSense-focused
mailing list.
> The about list on the mailman page states: "pfSense support and discussion
> list"...
>
> This thread is clearly about discussing pfsense, therefore it is on-topic, I
> could equally take the stance, take your technical discussions to the dev
> list, however I am not the type of exclusive close-minded minded person that
> you appear to be. Please stop hijacking this thread.
I seems to me at this point that this thread is more about the NSA leaks in
general and less about pfSense in specifics. Given the pfSense aspect has
already been answered, it's dubious as to whether it is actually on-topic any
more. (Not to say that discussion of the NSA leaks is not important, just that
it is appropriately done elsewhere.)
Cheers,
Paul.
_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
