Re: Thanks, everyone, for your comments Re: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?
Tim:
>> One day I noticed, while in the middle of browsing, that the "camera
>> is on" LED had lit up, though not noticing *when* it came on. I
>> wasn't doing anything nefarious, so somewhere in the midst of a pile
>> of ordinary websites I'd browsed through, one of them was a nosey
>> parker.

stan:
> That's sobering.

Chances are it comes from content a website includes within itself from an external source. e.g. Advertising. All someone has to do is inject an active malware into the advertising that a plethora of websites incorporate in their pages, and they've got an army of invaders.

>> The galling thing is that at no time was I asked to permit it to
>> happen, and my browser was set up so that it should.

> Yeah, the browser is really my main security risk.

I think it is for everyone. It's a huge program full of errors, some of them quite serious. It's your main interface to the world, and you go to all manner of places, most of them unplanned (unless you never use search engines). And you visit places which incorporate content from other places (so even prudent browsing is more of a risk than you might think it is). And a web browser is a two-way mechanism (people really forget that).

You've only got to do something like google how to make your printer do some particular task to come up with a plethora of sites that purport to provide that information. These sites haven't written the help information, though, they've just imported some other website's help information, as an enticement to get you to load their nefarious page wrapped up with their own crap.

> I think it is also a manifestation of the convenience versus security
> trade-off. Since most people surfing the web care more about
> convenience than security, browser market share is determined by that,
> and security plays second fiddle.

Yes, and as always, when *most* people don't give a damn, everyone *else* suffers.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

(always current details of the computer that I'm writing this email on)

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.

I reserve the right to treat other people in exactly the same way that they treat me.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Re: Thanks, everyone, for your comments Re: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?
On Sat, 01 Jul 2017 01:15:02 +0930 Tim wrote:

> It's not as far-fetched as you might think.
>
> One day I noticed, while in the middle of browsing, that the "camera
> is on" LED had lit up, though not noticing *when* it came on. I
> wasn't doing anything nefarious, so somewhere in the midst of a pile
> of ordinary websites I'd browsed through, one of them was a nosey
> parker.

That's sobering.

> The galling thing is that at no time was I asked to permit it to
> happen, and my browser was set up so that it should.

Yeah, the browser is really my main security risk. Firefox used to have plugins that let it be locked down pretty well, as well as be customized. They're moving to a new model for plugins in order to sandbox them, a model that is more restrictive for plugin actions, harder to develop for, and vets them more closely before allowing them into their download repository, and it has made many of those plugins obsolete. The latest nightly tells me that it is turning off many of my plugins because they are no longer compatible. Goodbye self-destructing-cookies, :-(. They still work in the Fedora version, but there is a major cutoff coming in August, I think. So, your experience could become more common.

I think it is also a manifestation of the convenience versus security trade-off. Since most people surfing the web care more about convenience than security, browser market share is determined by that, and security plays second fiddle.
Re: Thanks, everyone, for your comments Re: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?
Allegedly, on or about 29 June 2017, stan sent:

> after the comments in this thread, I think maybe I'm not paranoid
> enough. That the IT security professionals are paranoid enough to
> cover their cameras? If they're that worried they're vulnerable, it's
> a good bet I should be. :-)

It's not as far-fetched as you might think.

One day I noticed, while in the middle of browsing, that the "camera is on" LED had lit up, though not noticing *when* it came on. I wasn't doing anything nefarious, so somewhere in the midst of a pile of ordinary websites I'd browsed through, one of them was a nosey parker.

The galling thing is that at no time was I asked to permit it to happen, and my browser was set up so that it should.

So, my laptop's built in camera is taped over, too. If it weren't such a near-impossible task, I'd unplug the damn thing.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64

(always current details of the computer that I'm writing this email on)

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.

A positive attitude is worth the effort if it annoys enough people.
Re: Thanks, everyone, for your comments Re: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?
On Fri, Jun 30, 2017 at 09:40:30AM +0100, Gary Stainburn wrote:

> However, I still have a number of WinXP machines running – through
> necessity.

I'm so sorry for you. I've gotten rid of all of them at my clients, through a mixture of software/hardware upgrades, or in the absolute worst cases running them as VMs on host systems so I can monitor and restrict any external connections.

> As for wiping Windows boxes on a regular basis, I would be surprised
> if 10% of people did this.

Concur; I regularly have client workstations that run for 5-7 years from the day we put them in service without ever reloading the OS--be it Windows, OS X, or Linux. Of course, I take care of them...

> There is no way that I would be able to resource such a project.

There is, but typically not for any office with fewer than, say, 100 workstations and with non-standard hardware platforms. If you've the luxury of using standardized hardware platforms, and enough installations to make it worthwhile, you can create image libraries for deployment. But because of the management/administrative overhead of creating, inventorying and updating stored images, it's just not worth the trouble for most SMBs.

> Having to wipe and reinstall because Windows is stuffed again
> happens far too often in my opinion.

Eh. Not so much since Win7, provided the machine is properly managed--and that means stomping on users who never meet a download they didn't like, don't play in our (admin) sandbox, etc.

Cheers,
--
Dave Ihnat
dih...@dminet.com
Re: Thanks, everyone, for your comments Re: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?
On Fri, Jun 30, 2017 at 08:53:07AM -0400, Tom Horsley wrote:

> Which is why you can get computer cases that are physically
> secured with keypads and locks and hardware records of when
> case was opened, etc. (of course they get expensive :-).

Eh, not so much; most business-class machines have BIOS intrusion logs, and the intrusion switch adds virtually nothing to the cost of the machine. Case locks--most have a tab that would allow a cable or even padlock to be installed that would require visible evidence of tampering.

FTM, just get some frangible evidence tape, forget the lock--you can't stop someone from getting in, you CAN make it evident it's been tampered with.

Cheers,
--
Dave Ihnat
dih...@dminet.com
Re: Thanks, everyone, for your comments Re: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?
On Thu, 29 Jun 2017 23:05:09 -0400 William Oliver wrote:

> He was always amused
> by all this firewall and virus detection stuff; it doesn't mean
> anything when you have a keylogger, a warrant, a flashlight, and hands
> on a box.

Which is why you can get computer cases that are physically secured with keypads and locks and hardware records of when case was opened, etc. (of course they get expensive :-).
Re: Thanks, everyone, for your comments Re: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?
On Thu, 2017-06-29 at 19:34 -0700, stan wrote:

> The consensus seems to agree with me, that this is a minor threat
> as threats go.
>
> I thought I was paranoid about security. But after the comments in
> this thread, I think maybe I'm not paranoid enough. That the IT security
> professionals are paranoid enough to cover their cameras? If they're
> that worried they're vulnerable, it's a good bet I should be. :-)

Oh, and if you really want to be paranoid, one of my friends' first jobs was to work for a contractor that worked for the federal government. His job (among other things) was to break into people's houses and install keyloggers on their computers. He was always amused by all this firewall and virus detection stuff; it doesn't mean anything when you have a keylogger, a warrant, a flashlight, and hands on a box.

billo
Re: Thanks, everyone, for your comments Re: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?
On Friday 30 June 2017 03:59:59 William Oliver wrote:

> The thing that amazes me about the Windows and Mac worlds is that people
> never seem to wipe their boxes. I know people who run their machines
> for four or five years without ever doing a clean reinstall. I worked
> at a place that ran Windows XP well beyond its out of service date --
> going as far as buying separate service contracts to keep it going.
>
> For *eight* years, as far as I know, the desktop box in my office never
> had its disk wiped. Now, sure, I only used it for very limited stuff,
> but still, the entire organization -- hundreds and hundreds of machines
> -- was like that.
>
> [snip lots of unsurprising stuff]

I could run this one as welcome to the real world.

I'm not the most naive of SysOps nor am I the most switched on. However, I still have a number of WinXP machines running – through necessity. We even had Win3.11WfW running well past Y2K because we had to. The programs we were running were not compatible with Win95.

As for wiping Windows boxes on a regular basis, I would be surprised if 10% of people did this. There is no way that I would be able to resource such a project.

Having to wipe and reinstall because Windows is stuffed again happens far too often in my opinion.

--
Gary Stainburn
Group I.T. Manager
Ringways Garages
http://www.ringways.co.uk
https://fundraise.cancerresearchuk.org/page/garys-march-march
Re: Thanks, everyone, for your comments Re: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?
On Thu, 2017-06-29 at 19:34 -0700, stan wrote:

> The consensus seems to agree with me, that this is a minor threat
> as threats go.
>
> I thought I was paranoid about security. But after the comments in
> this thread, I think maybe I'm not paranoid enough. That the IT security
> professionals are paranoid enough to cover their cameras? If they're
> that worried they're vulnerable, it's a good bet I should be. :-)

The thing that amazes me about the Windows and Mac worlds is that people never seem to wipe their boxes. I know people who run their machines for four or five years without ever doing a clean reinstall. I worked at a place that ran Windows XP well beyond its out of service date -- going as far as buying separate service contracts to keep it going.

For *eight* years, as far as I know, the desktop box in my office never had its disk wiped. Now, sure, I only used it for very limited stuff, but still, the entire organization -- hundreds and hundreds of machines -- was like that.

The interesting thing was that they were locked into it by the government. This was a healthcare organization, which dealt in private health data. Their case management system had FDA approval to run on Windows XP, but did not have FDA approval for running on Win 7 or Win 10. I was told it would cost around 15 million dollars and take two years to go through the FDA approval process -- by which time the validation would already be obsolete. I *think* they were going to try to skip all the way to Win 10, but the validation process was always running behind the release of the new Windows.

It amazed me -- the FDA, by its byzantine rules for validation and such for protected health information, made it impossible for companies to update their software in a timely manner in order to protect it.

I never actually tried to do an intrusion -- why ask for the hassle. It's hard to do without leaving fingerprints if people are watching hard enough. However, once in extremis I *did* unplug my desktop from the net and boot up with a live fedora distro so I could use some linux software I had. I had left my laptop at home that day, and needed to do some processing on some images. I kept a bootable disk image of a recent backup in my backpack all the time back then, so I could go places with just a portable 1 TB drive instead of my laptop. It came up fine, and the Windows disk was not encrypted...

billo
Thanks, everyone, for your comments Re: CIA Outlaw Country attack against CentOS / Rhel (and Fedora?) Is this credible?
The consensus seems to agree with me, that this is a minor threat as threats go.

I thought I was paranoid about security. But after the comments in this thread, I think maybe I'm not paranoid enough. That the IT security professionals are paranoid enough to cover their cameras? If they're that worried they're vulnerable, it's a good bet I should be. :-)