On 2019-01-27 19:15, billol...@gmail.com wrote: > On Sunday, January 27, 2019 at 12:22:03 PM UTC-5, unman wrote: >>[snip] >> Qubes provides a framework for using software - it doesn't take away the >> onus on users to use that software properly, and to ensure they are aware >> of good practice. (As an aside I'm always baffled by people querying >> how they can use Facebook under Tor or Whonix. What are they thinking?) >> I regularly audit templates with tripwire, running from an >> offline openBSD qube, and do standards checks with debsums. I do good >> deal of my work offline in openBSD and then transfer encrypted in to >> other qubes for transmission. That seems like overkill, and isn't for >> everyone: it might be for you. >> >> unman > > I think this is the most important thing you wrote. I used to do > network security for a small scientific government network back in the > 1990s, and I constantly ran into the problem that there is an inverse > relationship between security and usability. The scientists on my > network were constantly finding ways of going around whatever security > measures I put in place precisely because they didn't want to deal > with the "hassle." > > But I'm no different, really. Not too many years ago, I routinely > disabled SELinux when I installed a new OS simply because I considered > it too much of a hassle to learn how to use it effectively. It made > it difficult for me to do stuff. Everybody yelled at me, but it just > wasn't worth the effort to me. Now, I've learned it a bit and it's not > such a hassle. > > There's this balance between the inconvenience/damage associated with > an intrusion versus the inconvenience associated with the security > configuration. For me on the computer I'm using as I write this, it > wouldn't be the end of the world if *everything* on my computer were > owned by someone else. It would be a hassle, but not fatal -- I have > insurance, etc. for the financial information I have here, and I don't > really care if someone sees the email conversations I have on this > machine. > > So, considering the financial stuff, for instance. There's a hassle > with someone getting my credit card information. It's happened > (though not because of a computer glitch). My card gets frozen, I > can't use it for a week or two, I have to make a bunch of phone calls, > etc. But I'm financially protected and eventually I'll be fine. The > problem is the hassle factor, not financial ruin. My biggest security > concern is someone using up all my bandwidth; I live in a rural area > and have metered service. Someone using up 5 gigs of bandwith is more > concerning to me than them owning 5 gigs of data from my machine. So, > I have to ask myself, which is more hassle -- dealing with the > intrusion, or dealing with the security hassle? > > It's my responsibility to determine where that balance is, and nobody > else's. And it's likely different for everybody. For instance, I > used to have a blog, but I'm a litigation consultant and I started > seeing my blog posts turning up in court. So I don't blog any more. I > can't be on Facebook, or LinkedIn, or Doximity, or ResearchGate. > That's not a problem for me, but it would drive my wife crazy. I use > one laptop for some stuff, and I use a different laptop, differently > configured, for other stuff. > > And, the higher up the food chain you go with respect to people > interested in surveilling you, the less chance you have of keeping > them out. I'm out of the business now, but back in the day I > occasionally did some classified work. I remember some years ago, I > called a friend of mine who worked for the government. I called him > using the work phone of an acquaintance to ask him a technical > question. He picked up the phone and immediately said "Hey, Bill, how > you doing?" > > I was stunned. I asked him how the hell he knew it was me. He said > "Bill, I'm with the <government agency>. We always know where you > are." > > I have another friend who spent his early career working for a > government contractor. His job was to break into people's houses at > night and install keyloggers on their computers. With a subpoena, of > course. All the security software in the world won't help you with > that. > > The key, for me, is to achieve the maximum security that I can achieve > and stay below my maximum hassle tolerance. Qubes is nice because it > adds a big uptick in transparent security with only a small uptick in > hassle -- at least for someone who is fairly conversant with sysadmin > stuff. So for me it's a big win. But it's not all there is. > > There's no such thing as perfect security. There's only finding the > balance between one's perceived risk, one's actual vulnerability, and > one's tolerance for hassle. And any security configuration is > self-defeating if: > > 1) People take it for granted and think that it's all they have to > think about, and/or > 2) It's enough of a hassle that you start going around it to do your work. > > > billo
To Billollib. To sumarise your post; 1/ It's the Users of software that subvert OS's and/or Software. 2/ I've nothing to hide so why bother. Both topics are, I feel, are hijacking this post; which concerns the Apt vulnerability within Debian. That's not to say your points aren't important, they are. And, for that reason I'll provide a response. Which is based largely on the opinions of recognised experts in thier fields: 1/ Users are to blame. It's that classic argument put forward by a minority of software developers; I've created a wonderful system and its the users who subverted it. We've seen this approach from the likes of Mr Zuckerburg who blames the users of Facebook for allowing their privacy to be invaded. In reality of course his software is carefully crafted to covertly exploit users privacy and then maximise revenue streams by covertly selling their data to advertisers and politcal lobbyists; e.g. Cambridge Analyitica. I and many others believe that Twitter, Microsoft, Apple et al operate similar business models based on stealing data and up-selling it. Of course when a data breach is made public their highly paid "spin doctors" will invariably concoct are yarn; blaming users or anyone else they can think of and then send it to their buddies in main stream media for publication. 2/ I've nothing to hide so why bother. It's this submissive, cavalier and defeatist approach to online privacy that's regularly promoted, in the form of propaganda by virtually all main stream media outlets on behalf of their owners; a small clan of very rich "global elites"; who attempt and largely succeed in exerting control and influence over the masses; i.e. us peasants. I think the most appropriate and succinct reply I've seen is: "If you think privacy is unimportant for you because you have nothing to hide, you might as well say free speech is unimportant for you because you have nothing useful to say". You might also wish to read this in depth response: https://www.aclu.org/blog/national-security/secrecy/you-may-have-nothing-hide-you-still-have-something-fear. Last but certainly not least, Here's a quote from that renowned privacy supporting journalist Glynn Greenwald; the guy who broke the Ed Snowden revelations. "Over the last 16 months, as I've debated this issue around the world, every single time somebody has said to me, "I don't really worry about invasions of privacy because I don't have anything to hide." I always say the same thing to them. I get out a pen, I write down my email address. I say, "Here's my email address. What I want you to do when you get home is email me the passwords to all of your email accounts, not just the nice, respectable work one in your name, but all of them, because I want to be able to just troll through what it is you're doing online, read what I want to read and publish whatever I find interesting. After all, if you're not a bad person, if you're doing nothing wrong, you should have nothing to hide." Not a single person has taken me up on that offer". By: Glenn Greenwald in Why privacy matters - TED Talk -- You received this message because you are subscribed to the Google Groups "qubes-users" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-users+unsubscr...@googlegroups.com. To post to this group, send email to qubes-users@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/qubes-users/ba54141c79ff74fa19218b302f3cd37a%40riseup.net. For more options, visit https://groups.google.com/d/optout.
