On Tuesday, 19 December 2017 16:33:49 CET Unman wrote:
> Tom
> 
> Ive suggested before that if you give this advice you should
> clearly state the consequences.

Ok, no worries. Here you go:

The consequences is that the template, which has no personal or identifying 
information, can be used to run apps that make outbound connections. Don’t 
worrry! No inbound connections are possible.

In short;
* There is no possibility of loss of private data (since there is none).
* There is no possibility of a remote hacking attack (b/c no 
listening services).
* There is no possibility of a hacker installing bad software in 
your template (only you can do that).

Bottom line is that there is no additional risk when a user uses a corporate 
firewall and a http proxy to allow him to download updates.

Unman, being paranoid is fine, but making users unable to update their system 
unless they do it the very complicated way you approve of will not help 
security.
We are dealing with people, lets keep that in mind.
Specifically, the result of being too strict on this is that they will end up 
either not updating (and missing security updates) or maybe just giving up 
and using the simple route of throwing security out the window and just 
getting the job done.

Perfection is the enemy of good enough.


And since I’m being nasty today, lets focus on another illusion in this 
email. You wrote;
> sys-net will not enforce a firewall 

Basically true, sys-net indeed bypasses sys-firewall.
But you are mistaken if you think that sys-firewall adds security.
Sys-firewall adds the _option_ of allowing you to _manually_ add security.
IF you have the know-how on how to do so. Which most people don’t. 
sys-firewall allows you to block remote hosts by IP-address, manually. And 
optionally.

Making people believe that having sys-firewall makes them more secure is 
selling an illusion of security, which is really bad for actual security 
because it follows that people will believe they are magically secured.
In reality the configuration of the firewall is a highly specialized and low-
level task that most people without sys-admin-training will simply not do.

Security is not about following a rulebook, it is about people first and 
foremost. Lets not lose focus of that, please.

-- 
Tom Zander
Blog: https://zander.github.io
Vlog: https://vimeo.com/channels/tomscryptochannel

-- 
You received this message because you are subscribed to the Google Groups 
"qubes-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to qubes-users+unsubscr...@googlegroups.com.
To post to this group, send email to qubes-users@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/qubes-users/2682772.EKl5eY0fiO%40strawberry.
For more options, visit https://groups.google.com/d/optout.

Reply via email to