Re: [GTALUG] security threats of Open Source

2020-11-25 Thread David Thornton via talk
Fair points. All of the service contracts I've worked behind say effectively: If we can't keep it from happening, then we can't be held responsible for it happening. You paid for a managed Linux server, Linux has a bug and you crash, we are not responsible. We'll patch when it comes out, we'll ad

Re: [GTALUG] security threats of Open Source

2020-11-21 Thread Dave Collier-Brown via talk
I've seen better coverage but less depth from commercial entities. I just referred a Kobo bug to the in-house counsel, as the assigned support creature could neither understand the problem /nor/ the process. I used to work with their lawyer at Lexis Nexis: that's *not* a common kind of situati

Re: [GTALUG] security threats of Open Source

2020-11-21 Thread D. Hugh Redelmeier via talk
| From: David Thornton via talk | Date: Fri, 20 Nov 2020 15:25:42 -0500 Thanks for reviving this thread 10 months later. What prompted you to do that? Note: this is not a complaint. I continue to think that this is an important and unresolved topic. | As administrators we have a responsibil

Re: [GTALUG] security threats of Open Source

2020-11-20 Thread Lennart Sorensen via talk
On Fri, Nov 20, 2020 at 03:21:23PM -0500, David Thornton via talk wrote: > I can second the "noscript" thing. "Default deny" is good practice. No-one > has to explain it for firewalls ( any more I hope), so why do we have to > explain it in other places? Have you seen what Apple did in MacOS 11 f

Re: [GTALUG] security threats of Open Source

2020-11-20 Thread David Thornton via talk
As administrators we have a responsibility to vet. Even if it's to "delegate" the vetting, we have to vet the delegate. Npm is a hot mess, and most people get that now. Galaxy / puppetforge / helm stuff ? Take a number. It sprouts faster than you can get on it sometimes. Pays the mortgage :) D

Re: [GTALUG] security threats of Open Source

2020-11-20 Thread David Thornton via talk
I can second the "noscript" thing. "Default deny" is good practice. No-one has to explain it for firewalls ( any more I hope), so why do we have to explain it in other places? On Thu, Jan 23, 2020 at 7:00 PM Don Tai via talk wrote: > I regularly browse with javascript turned off. I use NoScrip

Re: [GTALUG] security threats of Open Source

2020-01-25 Thread D. Hugh Redelmeier via talk
| From: Dhaval Giani via talk | On Thu, Jan 23, 2020 at 11:08 AM D. Hugh Redelmeier via talk < | talk@gtalug.org> wrote: | | > < | > https://www.zdnet.com/article/microsoft-spots-malicious-npm-package-stealing-data-from-unix-systems/ | > > | > | > This article lists six cases of malware contribu

Re: [GTALUG] security threats of Open Source

2020-01-23 Thread Dhaval Giani via talk
Hugh, On Thu, Jan 23, 2020 at 11:08 AM D. Hugh Redelmeier via talk < talk@gtalug.org> wrote: > < > https://www.zdnet.com/article/microsoft-spots-malicious-npm-package-stealing-data-from-unix-systems/ > > > > This article lists six cases of malware contributed to npm (the repo for > sharing node.js

Re: [GTALUG] security threats of Open Source

2020-01-23 Thread Don Tai via talk
I regularly browse with JavaScript turned off. I use NoScript. While it is a hassle, I whitelist trusted sites, but refuse script from 3rd-party sites. There is a bit of setup to do to whitelist sites. Scripts have long been abused. Browsing without JS restores a bit of honesty in web pages, as a lo

Re: [GTALUG] security threats of Open Source

2020-01-23 Thread o1bigtenor via talk
On Thu, Jan 23, 2020 at 3:37 PM D. Hugh Redelmeier via talk wrote: > > | From: o1bigtenor via talk > > | In this vein - - - - a contact who in computer terms calls himself a > dinosaur > | refuses to allow javascript on his computers doing all his browsing on text > | based browsers. In his opin

Re: [GTALUG] security threats of Open Source

2020-01-23 Thread D. Hugh Redelmeier via talk
| From: o1bigtenor via talk | In this vein - - - - a contact who in computer terms calls himself a dinosaur | refuses to allow javascript on his computers doing all his browsing on text | based browsers. In his opinion javascript is a serious accident already in free | fall. What you're sharing

Re: [GTALUG] security threats of Open Source

2020-01-23 Thread o1bigtenor via talk
On Thu, Jan 23, 2020 at 1:08 PM D. Hugh Redelmeier via talk wrote: > > > > This article lists six cases of malware contributed to npm (the repo for > sharing node.js and JavaScript source). > > Ho

[GTALUG] security threats of Open Source

2020-01-23 Thread D. Hugh Redelmeier via talk
This article lists six cases of malware contributed to npm (the repo for sharing node.js and JavaScript source). How many undetected cases exist? I've always pretended that Linux distros vet the