On 11/22/2018 12:56 PM, Chris Bennett wrote:
On Thu, Nov 22, 2018 at 09:55:35AM -0600, Boris Goldberg wrote:
Hello Chris,

   There is something extremely weird going on around lately. People
easily take offense where no offense was intended (and hard to find
anyway). Nick was just telling you that (in his expert opinion) you
shouldn't worry much about "Meltdown, Spectre, insecure motherboard chips",
but concentrate on the real security instead. Unfortunately the real
security takes years of learning and experience, and can't be "advised" in
a couple of emails, but he provided a lot of valuable (and valid)
information (which you were not ready to digest, I guess).
   If you are allowing arbitrary code to run on your server you are
screwed with or without Spectre, otherwise there is nothing to spy on you
on that server (even if it's technically possible).
   If (any) government agency really wants to access your server, you are
writing to the wrong list, otherwise government installed spying chips (if
any) won't really hurt you. On the other hand, crapware (like Superfish)
might.

BTW, your boss doesn't need to be stupid to compromise your password (or
keys), just a "normal" human. Security isn't grokkable by "normal" people.

I'm actually sorry, Nick.
I've got a personal situation that has me very touchy right now.
But that's another issue completely.

Since there is a forum, and one has to stay, I have a few questions.
I looked over a lot of forums, both for features and security.
I realized that I couldn't properly judge security.
If a forum has a lot of security patches, does that mean that problems
are being swiftly dealt with or that the forum has serious problems?
If a forum doesn't have reported security patches, does that mean that
it is good or just not maintained? I never thought about this before.

It seems to me that a login username should not be allowed to be the
displayed forum username. The real username is also used for purchases,
membership activities, etc.


I also think that passwords need to be enforced to be changed
occasionally. What sort of timing delay is okay with users?
Nobody really likes changing passwords, but since so many people use the
same one all over the place, it seems like a good idea since they would
then be forced to have a different one from the rest.


There is a need for pretty secure stuff, like the forum and membership,
purchases, etc.
But also very secure activities. Seems to me that 2 servers (or more)
would be best to accomplish this. Any disagreement or other suggestions?
The main website is probably the most important objective right now.
It's what the public sees. And if (which means when, not if) I make a
mistake, the world won't come tumbling down.

Thanks all,
Chris Bennett


I'd look for software that has bug bounties. I'd also look at the CVEs for each product and compare with the patch history. The delay between a flaw being reported versus patched is going to be a much better indicator than rate of patches. I'd also consider the seriousness of the flaw being patched as well, like if it is due to a widespread issue (e.g., Meltdown, Heartbleed, etc.) or if it is due to some basic programming error (Apple's "enter a blank password for root enough times and you'll get root" or Microsoft's "patching Windows 10 will obliterate your install because of a typo in the patch code that is supposed to leave c:\users\ alone").

Also, look for something that could support external authentication, especially something industry standard like LDAP, so you can use one authentication database all your services can use while not relying on whoever wrote the individual bits of software to have written something that doesn't suck. Also look for something that will allow the admin pages to be hosted on a different URL from the user accessible stuff.

If you are handling payment or financial information, outsource it to something like paypal or another well-known payment processor. While they aren't very secure, they are insured, so if they fuck something up, you aren't holding the bag and are very unlikely to be blamed for it by your users.

As for number of servers, more than one is going to be the better way. If something has a port accessible by any old rando, you shouldn't be storing anything secure on it. Especially if the server also stores something the user can craft (e.g., photos from the forum, arbitrary text, etc.).

As for ISPs, just assume they are all total shit (most of them are anyway) and treat them like you would an open wireless network. Don't use their DNS and encrypt everything you can. Use static IPs if you can. Don't allow passwords for ssh on anything public facing. Only allow admin pages to be accessible from a private network (so that you'd need to use an ssh tunnel to get to it remotely).

-CA
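An added example (not from anyone in this thread) of checking the two sshd_config settings CA's last paragraph asks for on a public-facing box, and of the admin-pages-over-an-ssh-tunnel pattern. The two config texts are constructed samples; the `sshd_opt` and `audit_sshd` helpers are hypothetical names, and the defaults assumed for absent keywords are those of current OpenSSH (`Match` and `Include` blocks are not handled).

```shell
#!/bin/sh
# Constructed sample sshd_config texts: the weak default-ish one and the
# hardened one. Real sshd reads /etc/ssh/sshd_config; first match wins.
WEAK_CONF='Port 22
PermitRootLogin yes
PasswordAuthentication yes'

HARDENED_CONF='Port 22
PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes'

# Effective value of a keyword: first non-comment match wins, keywords are
# case-insensitive, and $3 is the assumed default when the keyword is absent.
sshd_opt() { # $1 = config text, $2 = keyword, $3 = default
    printf '%s\n' "$1" | awk -v k="$2" -v d="$3" '
        $1 !~ /^#/ && tolower($1) == tolower(k) && !found { print $2; found = 1 }
        END { if (!found) print d }'
}

# Return 0 when password logins (including root password logins) are off,
# 1 otherwise; each problem found is printed on its own line.
audit_sshd() { # $1 = config text
    rc=0
    # OpenSSH default for PasswordAuthentication is yes, so an absent
    # keyword is a finding, not a pass.
    [ "$(sshd_opt "$1" PasswordAuthentication yes)" = no ] \
        || { echo "PasswordAuthentication is not 'no'"; rc=1; }
    case "$(sshd_opt "$1" PermitRootLogin prohibit-password)" in
        no|prohibit-password|without-password) ;;
        *) echo "PermitRootLogin allows root password logins"; rc=1 ;;
    esac
    return "$rc"
}

# Admin pages reachable only from the box itself (or a private network):
# bind the admin vhost to 127.0.0.1:8443 in the web server, then reach it
# remotely through a key-authenticated tunnel and browse to
# https://localhost:8443/ on the workstation (hypothetical host/user names):
#   ssh -N -L 8443:127.0.0.1:8443 admin@forum.example.org

# Stand-alone run: audit both samples.
echo "weak config:";     audit_sshd "$WEAK_CONF"     || true
echo "hardened config:"; audit_sshd "$HARDENED_CONF" && echo "ok"
```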
