Re: [arch-general] Preferred CHOST

2014-11-13 Thread Ralf Mardorf
The last time I read

https://www.schneier.com/

perhaps 2 or 3 years ago, he mentions that using 2 computers is
relatively safe. One computer using all the anonymous abilities we have
for mailing and surfing and just a second computer for sharing data
between the Internet and a disconnected PC, using a brand new
"unchecked" USB stick. IMO we at least should use a computer in the
middle and inspect such a USB stick.


Re: [arch-general] Preferred CHOST

2014-11-13 Thread Ralf Mardorf
The end ;).

There's no security if you are connected to the Internet. The
difference between using a relatively insecure Arch Linux computer,
with a MUA pointing out what distro we use and a relatively tricky
secure way using at least 3 computers to share our data between an
anonymous Internet connection and an Internet free computer could be
ignored, it's a minor difference regarding to security.

Résumé: Secure = cables and no cables are connected to the Internet and
care about the emission of your tube monitor ;).


Re: [arch-general] Preferred CHOST

2014-11-13 Thread Sean Greenslade
On Thu, Nov 13, 2014 at 04:28:13PM -0500, vixsomnis wrote:
> Considering USB as a standard is vulnerable (BadUSB malware that infects
> the firmware of the USB device), you'd be safer having your "off the
> net" computer just connected via ethernet cable to your anonymous
> computer, and making sure the link is locked down.

You need to have your offline PC be connected to another machine only
via serial cable.

http://wiki.cacert.org/HELP/7

--Sean


Re: [arch-general] Preferred CHOST

2014-11-13 Thread Ralf Mardorf
Ok, we could use randomly chosen live media for the control computer in
the middle instead of changing the hardware several times a day, but
it's more risky. Anyway, instead of my USB stick I guess you're
right, the manually disconnected and connected Ethernet cable is the
safest way, but really no WLAN, we are talking about a cable
connection and we insert and remove the cable after looking out of our
windows, to ensure that there are no black helicopters in front of our
houses.


Re: [arch-general] Preferred CHOST

2014-11-13 Thread Ralf Mardorf
On Thu, 13 Nov 2014 22:16:28 +0100
Ralf Mardorf  wrote:

> On Thu, 13 Nov 2014 21:31:40 +0100
> Ralf Mardorf  wrote:
> 
> > On Thu, 13 Nov 2014 15:02:58 -0500
> > Sean Greenslade  wrote:
> > 
> > > On Thu, Nov 13, 2014 at 06:55:51AM +0100, Ralf Mardorf wrote:
> > > > Sean, actually you tell us that we should care about security
> > > > holes in Mutt/1.5.23 to attack you ;) and since you're replying
> > > > to Arch general email, you're likely using Arch Linux. This
> > > > likely is a trick, you're running Alpine on openSUSE? ;)
> > > 
> > > Ha hah! I'm running LFS and using telnet as my mail client!
> > > 
> > > I kid, I kid. And I actually did have that thought as I was
> > > writing that mail. So, uh...do as I say, not as I do, etc. etc. I
> > > really won't claim that my setup is anywhere near hardened.
> > 
> > :)
> > 
> > Another point of view is that if we mention Arch Linux in a header,
> > we also point out that our OS is upgraded with current security
> > patches from upstream. IOW it's easier for you to attack somebody
> > using another Linux distro. OTOH the latest bash issue was fixed by
> > FreeBSD and all Linux distros I watch very soon, and many more people
> > use Apple, Windows and Android (pseudo-Linux) operating systems. I
> > like to show that I'm using a MUA running on Arch Linux. Assuming I
> > should need security, then I would use two additional computers to
> > provide that. One for absolutely anonymous Internet usage and
> > another computer that is completely decoupled from the Internet.
> 
> Assuming we want to share data between the anonymous Internet
> computer and the computer without an Internet connection, e.g. by a
> "brand new tidied up" USB stick, we should consider using a third
> computer before we transfer the data. With the computer in the
> middle, we should check if the USB stick is "clean". The computer in
> the middle should be rebuilt several times a day, using different
> hardware combinations.

PPS: And each time a day with a different most exotic install such as
http://www.plan9.bell-labs.com/wiki/plan9/plan_9_wiki/
http://www.imdb.com/title/tt0052077/


Re: [arch-general] Preferred CHOST

2014-11-13 Thread vixsomnis
Considering USB as a standard is vulnerable (BadUSB malware that infects
the firmware of the USB device), you'd be safer having your "off the
net" computer just connected via ethernet cable to your anonymous
computer, and making sure the link is locked down.

-- 
vixsomnis

On Thu, Nov 13, 2014, at 04:22 PM, Toyam Cox wrote:
> On Thu, Nov 13, 2014 at 4:16 PM, Ralf Mardorf
> 
> wrote:
> 
> > On Thu, 13 Nov 2014 21:31:40 +0100
> > Ralf Mardorf  wrote:
> >
> > > On Thu, 13 Nov 2014 15:02:58 -0500
> > > Sean Greenslade  wrote:
> > >
> > > > On Thu, Nov 13, 2014 at 06:55:51AM +0100, Ralf Mardorf wrote:
> > > > > Sean, actually you tell us that we should care about security
> > > > > holes in Mutt/1.5.23 to attack you ;) and since you're replying to
> > > > > Arch general email, you're likely using Arch Linux. This likely is
> > > > > a trick, you're running Alpine on openSUSE? ;)
> > > >
> > > > Ha hah! I'm running LFS and using telnet as my mail client!
> > > >
> > > > I kid, I kid. And I actually did have that thought as I was writing
> > > > that mail. So, uh...do as I say, not as I do, etc. etc. I really
> > > > won't claim that my setup is anywhere near hardened.
> > >
> > > :)
> > >
> > > Another point of view is that if we mention Arch Linux in a header,
> > > we also point out that our OS is upgraded with current security
> > > patches from upstream. IOW it's easier for you to attack somebody
> > > using another Linux distro. OTOH the latest bash issue was fixed by
> > > FreeBSD and all Linux distros I watch very soon, and many more people
> > > use Apple, Windows and Android (pseudo-Linux) operating systems. I
> > > like to show that I'm using a MUA running on Arch Linux. Assuming I
> > > should need security, then I would use two additional computers to
> > > provide that. One for absolutely anonymous Internet usage and another
> > > computer that is completely decoupled from the Internet.
> >
> > Assuming we want to share data between the anonymous Internet
> > computer and the computer without an Internet connection, e.g. by a
> > "brand new tidied up" USB stick, we should consider using a third
> > computer before we transfer the data. With the computer in the
> > middle, we should check if the USB stick is "clean". The computer in the
> > middle should be rebuilt several times a day, using different hardware
> > combinations.
> >
> 
> 
> But perhaps that would be too much hassle. Maybe the computer in the
> middle should be a live-ISO chosen at random by the offline computer,
> which would have been pre-loaded with all the necessary verification
> tools.
> 
> -- 
> - Toyam


Re: [arch-general] Preferred CHOST

2014-11-13 Thread Toyam Cox
On Thu, Nov 13, 2014 at 4:16 PM, Ralf Mardorf 
wrote:

> On Thu, 13 Nov 2014 21:31:40 +0100
> Ralf Mardorf  wrote:
>
> > On Thu, 13 Nov 2014 15:02:58 -0500
> > Sean Greenslade  wrote:
> >
> > > On Thu, Nov 13, 2014 at 06:55:51AM +0100, Ralf Mardorf wrote:
> > > > Sean, actually you tell us that we should care about security
> > > > holes in Mutt/1.5.23 to attack you ;) and since you're replying to
> > > > Arch general email, you're likely using Arch Linux. This likely is
> > > > a trick, you're running Alpine on openSUSE? ;)
> > >
> > > Ha hah! I'm running LFS and using telnet as my mail client!
> > >
> > > I kid, I kid. And I actually did have that thought as I was writing
> > > that mail. So, uh...do as I say, not as I do, etc. etc. I really
> > > won't claim that my setup is anywhere near hardened.
> >
> > :)
> >
> > Another point of view is that if we mention Arch Linux in a header,
> > we also point out that our OS is upgraded with current security
> > patches from upstream. IOW it's easier for you to attack somebody
> > using another Linux distro. OTOH the latest bash issue was fixed by
> > FreeBSD and all Linux distros I watch very soon, and many more people
> > use Apple, Windows and Android (pseudo-Linux) operating systems. I
> > like to show that I'm using a MUA running on Arch Linux. Assuming I
> > should need security, then I would use two additional computers to
> > provide that. One for absolutely anonymous Internet usage and another
> > computer that is completely decoupled from the Internet.
>
> Assuming we want to share data between the anonymous Internet
> computer and the computer without an Internet connection, e.g. by a
> "brand new tidied up" USB stick, we should consider using a third
> computer before we transfer the data. With the computer in the
> middle, we should check if the USB stick is "clean". The computer in the
> middle should be rebuilt several times a day, using different hardware
> combinations.
>


But perhaps that would be too much hassle. Maybe the computer in the middle
should be a live-ISO chosen at random by the offline computer, which would
have been pre-loaded with all the necessary verification tools.

-- 
- Toyam


Re: [arch-general] Preferred CHOST

2014-11-13 Thread Ralf Mardorf
On Thu, 13 Nov 2014 21:31:40 +0100
Ralf Mardorf  wrote:

> On Thu, 13 Nov 2014 15:02:58 -0500
> Sean Greenslade  wrote:
> 
> > On Thu, Nov 13, 2014 at 06:55:51AM +0100, Ralf Mardorf wrote:
> > > Sean, actually you tell us that we should care about security
> > > holes in Mutt/1.5.23 to attack you ;) and since you're replying to
> > > Arch general email, you're likely using Arch Linux. This likely is
> > > a trick, you're running Alpine on openSUSE? ;)
> > 
> > Ha hah! I'm running LFS and using telnet as my mail client!
> > 
> > I kid, I kid. And I actually did have that thought as I was writing
> > that mail. So, uh...do as I say, not as I do, etc. etc. I really
> > won't claim that my setup is anywhere near hardened.
> 
> :)
> 
> Another point of view is that if we mention Arch Linux in a header,
> we also point out that our OS is upgraded with current security
> patches from upstream. IOW it's easier for you to attack somebody
> using another Linux distro. OTOH the latest bash issue was fixed by
> FreeBSD and all Linux distros I watch very soon, and many more people
> use Apple, Windows and Android (pseudo-Linux) operating systems. I
> like to show that I'm using a MUA running on Arch Linux. Assuming I
> should need security, then I would use two additional computers to
> provide that. One for absolutely anonymous Internet usage and another
> computer that is completely decoupled from the Internet.

Assuming we want to share data between the anonymous Internet
computer and the computer without an Internet connection, e.g. by a
"brand new tidied up" USB stick, we should consider using a third
computer before we transfer the data. With the computer in the
middle, we should check if the USB stick is "clean". The computer in the
middle should be rebuilt several times a day, using different hardware
combinations.


Re: [arch-general] Preferred CHOST

2014-11-13 Thread Ralf Mardorf
On Thu, 13 Nov 2014 15:02:58 -0500
Sean Greenslade  wrote:

> On Thu, Nov 13, 2014 at 06:55:51AM +0100, Ralf Mardorf wrote:
> > Sean, actually you tell us that we should care about security
> > holes in Mutt/1.5.23 to attack you ;) and since you're replying to
> > Arch general email, you're likely using Arch Linux. This likely is
> > a trick, you're running Alpine on openSUSE? ;)
> 
> Ha hah! I'm running LFS and using telnet as my mail client!
> 
> I kid, I kid. And I actually did have that thought as I was writing
> that mail. So, uh...do as I say, not as I do, etc. etc. I really
> won't claim that my setup is anywhere near hardened.

:)

Another point of view is that if we mention Arch Linux in a header, we
also point out that our OS is upgraded with current security patches
from upstream. IOW it's easier for you to attack somebody using another
Linux distro. OTOH the latest bash issue was fixed by FreeBSD and all
Linux distros I watch very soon, and many more people use Apple, Windows
and Android (pseudo-Linux) operating systems. I like to show that I'm
using a MUA running on Arch Linux. Assuming I should need security, then
I would use two additional computers to provide that. One for absolutely
anonymous Internet usage and another computer that is completely
decoupled from the Internet.


Re: [arch-general] Preferred CHOST

2014-11-13 Thread Sean Greenslade
On Thu, Nov 13, 2014 at 06:55:51AM +0100, Ralf Mardorf wrote:
> Sean, actually you tell us that we should care about security holes in
> Mutt/1.5.23 to attack you ;) and since you're replying to Arch general
> email, you're likely using Arch Linux. This likely is a trick, you're
> running Alpine on openSUSE? ;)

Ha hah! I'm running LFS and using telnet as my mail client!

I kid, I kid. And I actually did have that thought as I was writing that
mail. So, uh...do as I say, not as I do, etc. etc. I really won't claim
that my setup is anywhere near hardened.

--Sean


Re: [arch-general] Preferred CHOST

2014-11-13 Thread Guus Snijders
On 13 Nov 2014 05:32, "Sean Greenslade" wrote:
>
> On Wed, Nov 05, 2014 at 01:53:25PM +0100, Ralf Mardorf wrote:
> > If somebody should fear an attack, then it's wiser even not to
> > mention what version of Claws Mail, GTK and what architecture is used.
> > This can be done by the account settings.
> > Configuration > Edit accounts... > Edit selected account > Send >
> > [ ] Add user agent header
>
> Very true, and it is sound advice to make this change. The less you tell
> people about your system, the harder it is for them to profile it for
> vulnerabilities.

Posting on a public mailing list, dedicated to a single distribution, might
be a bit of a giveaway, though...
;-)

Kind regards, Guus


Re: [arch-general] Preferred CHOST

2014-11-12 Thread Ralf Mardorf
On Wed, 2014-11-12 at 23:22 -0500, Sean Greenslade wrote:
> On Wed, Nov 05, 2014 at 01:53:25PM +0100, Ralf Mardorf wrote:
> > If somebody should fear an attack, then it's wiser even not to
> > mention what version of Claws Mail, GTK and what architecture is used.
> > This can be done by the account settings.
> > Configuration > Edit accounts... > Edit selected account > Send >
> > [ ] Add user agent header
> 
> Very true, and it is sound advice to make this change. The less you tell
> people about your system, the harder it is for them to profile it for
> vulnerabilities.

Sean, actually you tell us that we should care about security holes in
Mutt/1.5.23 to attack you ;) and since you're replying to Arch general
email, you're likely using Arch Linux. This likely is a trick, you're
running Alpine on openSUSE? ;)

Regards,
Ralf


Re: [arch-general] Preferred CHOST

2014-11-12 Thread Sean Greenslade
On Wed, Nov 05, 2014 at 01:53:25PM +0100, Ralf Mardorf wrote:
> If somebody should fear an attack, then it's wiser even not to
> mention what version of Claws Mail, GTK and what architecture is used.
> This can be done by the account settings.
> Configuration > Edit accounts... > Edit selected account > Send >
> [ ] Add user agent header

Very true, and it is sound advice to make this change. The less you tell
people about your system, the harder it is for them to profile it for
vulnerabilities.

--Sean


Re: [arch-general] Preferred CHOST

2014-11-05 Thread Ralf Mardorf
On Wed, 5 Nov 2014 13:03:14 +0100
Martti Kühne  wrote:
> > What is insecure when doing it?
> 
> You cannot tell or know. But your way an attacker (they usually know
> more than you or I) has the advantage of knowing exactly which of the
> distros he is targeting.

If somebody should fear an attack, then it's wiser even not to
mention what version of Claws Mail, GTK and what architecture is used.
This can be done by the account settings.
Configuration > Edit accounts... > Edit selected account > Send >
[ ] Add user agent header

Regards,
Ralf


Re: [arch-general] Preferred CHOST

2014-11-05 Thread Martti Kühne
On Wed, Nov 5, 2014 at 12:13 PM, Ralf Mardorf
 wrote:
> Hi Martti,
>
> On Wed, 5 Nov 2014 07:56:25 +0100
> Martti Kühne  wrote:
>> On Tue, Nov 4, 2014 at 11:32 PM, Ralf Mardorf
>>  wrote:
>> >
>> > OK, so it perhaps should be the default for CHOST, but for packages
>> > such as Claws Mail --build=$(uname -m)-arch-linux-gnu should be ok,
>> > while CHOST still could be as it is.
>> >
>>
>>
>> Wait, you'd prefer an untrue, nongeneric and revealing value passed in
>> your mail headers to the generic and truthful representation of your
>> system?
>
> Could you explain what's untrue with it? Other distros do that too.
>

Well your software isn't built with the CHOST you want claws to
recite. So technically it would be lying.

>> Go ahead and build the package that way and want to have mail headers
>> that uniquely reveal your choice linux distribution?
>> Did you think this through? I mean, yeah, Arch has its benefits, but
>> I'm not sure security is of no concern at all for it.
>
> What is insecure when doing it?

You cannot tell or know. But your way an attacker (they usually know
more than you or I) has the advantage of knowing exactly which of the
distros he is targeting.

cheers!
mar77i
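
As an added example (not code from this thread, from Claws Mail or from Arch), a small Python check a user can run over their own outgoing mail before it leaves the machine: it parses the User-Agent / X-Mailer headers and reports whether the GNU configuration triplet inside them carries a distribution-specific vendor field such as `arch` instead of the generic `unknown`. The sample messages and addresses are constructed.

```python
import re
from email import message_from_string

# Headers that commonly name the sending software (mail user agent).
FINGERPRINT_HEADERS = ("User-Agent", "X-Mailer", "X-Newsreader")

# Vendor fields of a GNU configuration triplet that do not name a distro.
GENERIC_VENDORS = {"unknown", "pc", "none"}

# cpu-vendor-os, where os may itself be two parts such as "linux-gnu".
TRIPLET_RE = re.compile(
    r"\b([A-Za-z0-9_]+)-([A-Za-z0-9_]+)-([A-Za-z0-9_]+(?:-[A-Za-z0-9_]+)?)\b"
)

# Constructed sample messages (hypothetical addresses, not from the thread):
# a Claws Mail build that was configured with --build=x86_64-arch-linux-gnu,
# the same with the default CHOST, and a message with the header disabled.
ARCH_MSG = """\
From: sender@example.invalid
To: list@example.invalid
Subject: hello
User-Agent: Claws Mail 3.11.1 (GTK+ 2.24.25; x86_64-arch-linux-gnu)

body
"""
GENERIC_MSG = ARCH_MSG.replace("x86_64-arch-linux-gnu",
                               "x86_64-unknown-linux-gnu")
STRIPPED_MSG = ("From: sender@example.invalid\nTo: list@example.invalid\n"
                "Subject: hello\n\nbody\n")


def disclosed_headers(raw):
    """Return the fingerprinting headers present in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    return [name for name in FINGERPRINT_HEADERS if msg.get_all(name)]


def extract_triplets(raw):
    """Find GNU triplets in fingerprinting headers and flag those whose
    vendor field names a distribution (e.g. "arch") rather than "unknown"."""
    msg = message_from_string(raw)
    findings = []
    for name in FINGERPRINT_HEADERS:
        for value in msg.get_all(name, []):
            match = TRIPLET_RE.search(value)
            if not match:
                continue
            cpu, vendor, os_name = match.groups()
            findings.append({
                "header": name,
                "cpu": cpu,
                "vendor": vendor,
                "os": os_name,
                "reveals_distro": vendor not in GENERIC_VENDORS,
            })
    return findings


if __name__ == "__main__":
    for label, raw in (("arch", ARCH_MSG), ("generic", GENERIC_MSG),
                       ("stripped", STRIPPED_MSG)):
        print(label, disclosed_headers(raw), extract_triplets(raw))
```

Even with the vendor field generic, the header still names the mailer, toolkit and CPU; the stripped sample is what the "Add user agent header" option discussed above turns off.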


Re: [arch-general] Preferred CHOST

2014-11-05 Thread Ralf Mardorf
Hi Martti,

On Wed, 5 Nov 2014 07:56:25 +0100
Martti Kühne  wrote:
> On Tue, Nov 4, 2014 at 11:32 PM, Ralf Mardorf
>  wrote:
> >
> > OK, so it perhaps should be the default for CHOST, but for packages
> > such as Claws Mail --build=$(uname -m)-arch-linux-gnu should be ok,
> > while CHOST still could be as it is.
> >
> 
> 
> Wait, you'd prefer an untrue, nongeneric and revealing value passed in
> your mail headers to the generic and truthful representation of your
> system?

Could you explain what's untrue with it? Other distros do that too.

> Go ahead and build the package that way and want to have mail headers
> that uniquely reveal your choice linux distribution?
> Did you think this through? I mean, yeah, Arch has its benefits, but
> I'm not sure security is of no concern at all for it.

What is insecure when doing it?

Regards,
Ralf


Re: [arch-general] Preferred CHOST

2014-11-04 Thread Martti Kühne
On Tue, Nov 4, 2014 at 11:32 PM, Ralf Mardorf
 wrote:
>
> OK, so it perhaps should be the default for CHOST, but for packages such
> as Claws Mail --build=$(uname -m)-arch-linux-gnu should be ok, while
> CHOST still could be as it is.
>


Wait, you'd prefer an untrue, nongeneric and revealing value passed in
your mail headers to the generic and truthful representation of your
system?
Go ahead and build the package that way and want to have mail headers
that uniquely reveal your choice linux distribution?
Did you think this through? I mean, yeah, Arch has its benefits, but
I'm not sure security is of no concern at all for it.

cheers!
mar77i


Re: [arch-general] Preferred CHOST

2014-11-04 Thread Ralf Mardorf
On Tue, 4 Nov 2014 19:21:24 +0100
Andreas Radke  wrote:
> I remember
> some packages that strictly needed this generic CHOST variable to be
> able to compile out of the box. Any customized naming made them fail
> to pass configure.

OK, so it perhaps should be the default for CHOST, but for packages such
as Claws Mail --build=$(uname -m)-arch-linux-gnu should be ok, while
CHOST still could be as it is.

2 Cents,
Ralf


Re: [arch-general] Preferred CHOST

2014-11-04 Thread Andreas Radke
On Tue, 4 Nov 2014 07:29:25 +0100
Ralf Mardorf wrote:

> Hi :)
> 
> why is the wanted default CHOST ARCHITECTURE-unknown-linux-gnu instead
> of ARCHITECTURE-arch-linux-gnu?
> 
> $ grep CHOST /etc/makepkg.conf
> CHOST="x86_64-unknown-linux-gnu"
> 
> I wasn't aware of this, until I started testing Claws [1], [2].
> 
> Other distros usually prefer self-promotion.
> 
> Regards,
> Ralf
> 
> [1]
> http://lists.claws-mail.org/pipermail/users/2014-November/011307.html
> 
> [2]
> The following task is now closed:
> 
> FS#42659 - [claws-mail] X-Mailer feature request
> 
> Reason for closing: Not a bug
> Additional comments about closing: check the wanted Arch Linux default
> CHOST in /etc/makepkg.conf ;)
> 

AFAIK this is for historical reasons. I can only speak about the x86_64
port that I've been working on since the very early days.

Arch64 was made following CLFS and they recommended this variable
naming:
http://www.linuxfromscratch.org/clfs/view/svn/x86_64-64/cross-tools/variables.html

I'm not sure about the reason for our 32bit mother distribution.

The variable is pretty much of no interest at runtime. But I remember
some packages that strictly needed this generic CHOST variable to be
able to compile out of the box. Any customized naming made them fail to
pass configure.

-Andy

