Actually, battery-powered cars sort of dominated the automobile industry at first. Nobody seems to realize this.
Maybe this is because the oil industry evolved from the same people who ran the cattle industry, where a man's word was his bond and multi-million dollar deals were made on a handshake. Integrity was everything, and if you lost that, you simply weren't in the business anymore.
Oh GAWD please stop with the cheesy platitudes and the pining away for older, ostensibly better times. That is such a tired trope. Surely you recognize that this is a ludicrous and unprovable statement based on no evidence whatsoever?
Government (and "free government money") corrupts pretty much everything absolutely...
And surely you recognize that this is a contradiction of your previous statement? The oil industry enjoys enormous tax breaks and subsidies. Are those billions in subsidies not government money? Is the oil industry somehow immune to corruption because of its mythical birth among cattle barons?
YES! Mod parent up. It's nice to see the old security paranoia in somebody else.
I disagree that Outlook.com is all that great. If you want your email to be truly secure, you need to encrypt it at the client and, in trying to set this up with one of my clients, I found that a) the documentation on this process using Outlook is very poor, b) one must pay to purchase a Digital Certificate for Outlook, and c) once my client did purchase a Digital Cert from one of the vendors listed on Microsoft's website, Windows and/or Outlook 2010 could not find this certificate or did not recognize it. A waste of time and money.
I found it much easier to configure Thunderbird with a self-signed certificate and OpenPGP. The email is encrypted on my computer and decrypted on the client's computer. However, it's probably not feasible to train a bunch of tech-challenged workers to do this themselves and would likely introduce too much of a training/support burden for any sizeable IT shop.
I realize that M$ may offer some handy tools for IT managers tasked with managing a large organization -- if you are willing to pay for it. I also find it extremely disappointing that client-based email encryption is not more widespread and easy to implement.
Nonsense! Home-built cluster can be cheap and very educational. http://helmer.sfe.se/
Agreed, but the lengths to which they go in order to exploit their users is what is not revealed. The cost of using google services is one's privacy. In fact, to call it "free" is false advertising. Caveat Emptor, to be sure, but I often wonder how much I'm being exploited and the hard truth is that I don't even know. That's why I like to see these stories surface -- and hate them at the same time.
I don't think you are sufficiently concerned about the privacy issue. Perhaps you'd show more interest if you thought that insurance companies can track your purchases without your permission to extract higher premiums from you. I would agree that it's hardly surprising, but would also argue that governmental regulations to protect consumer privacy would be an option here. Given that there is now a health care mandate, it would be reasonable to contain the monstrous corporations who stand to benefit directly. My health insurance company hiked my monthly premium $50 and has yet to give me any reason why.
Personally, I've always despised vile companies like Experian, TransUnion, etc. that profit by selling my private details to large corporations. The OP doesn't offer any explanation about where those diagrams came from, but the thought that Google is specifically selling the anxieties of its customers to the highest bidder seems pretty vile to me and they should be called out for it.
Make him watch the movie "Colors" -- or at least this little bit: http://www.youtube.com/watch?v=IbUxePfsoWE
Unless I'm mistaken, the USB stick itself might present an exploit before you've written any data to it. I.e., it is not unheard of for USB memory sticks to arrive from the manufacturer already containing an exploit. There's another post somewhere in this thread about it. I seem to recall this happening frequently. E.g.: https://isc.sans.edu/diary.html?storyid=4247
Thanks for your thoughtful response
I've read (and re-read) that and it is in part what has launched this paranoid post in the first place. I find the terms used in that document pretty vague -- and wonder if the jargon therein has more specific meanings that might be defined elsewhere. I was tasked with implementing a PCI-compliant payment page on someone's website to be hosted in the Rackspace cloud and Rackspace customer support discouraged the implementation of such applications on their Cloud Servers because they are "not PCI compliant." I was never able to get a satisfactory answer as to why they were not and thought it wise to begin exploring security features starting with the hardware.
Congratulations, you have passed the Turing test.
The point of the questions was to generate helpful discussion. Your response reminds me of the computer programmer in the old joke:
Q: Why did the computer programmer get stuck in the shower?
A: The shampoo bottle said lather, rinse, repeat.
A lot of the questions were of course rhetorical. I apologize for not thinking them through more. I thought folks could read between the lines and offer useful information. Some folks have.
Sane people, when they talk about secure computing, talk about something in the middle. The insane say it's an all or nothing false dichotomy. These are the same people who implement stupid password policies as administrators that ultimately result in the recycling of insecure passwords, for example.
It's like they say about a crowd getting chased by a bear: you don't have to be the fastest runner, you just have to be faster than the slowest guy. Security definitely admits of degrees and all of this all-or-nothing discussion is all well and good if we are talking theoreticals, but the binary mentality is not particularly useful on a day-to-day basis for ordinary developers.
That said, I think the firmware question has been overlooked a bit -- certainly as it relates to USB sticks. This seems like such a common (and obvious) exploit vector. Building USB sticks costs almost nothing and there seem to be so many cases where exploits have been propagated this way.
But where do you get the trustworthy USB stick?
I like this idea, but the cost sounds a little prohibitive.
I'm also wondering how we know a given MOBO is safe -- or a given Linux distro. I realize this is paranoid and a really broad question soliciting bazillions of possible responses, but would like to hear people's approach to verifying the security of hardware, firmware, and OS.
And, btw, what browser would you expect to use on this banking computer? I wouldn't recommend Chrome.
I've had some luck using Knoppix for this purpose -- they have a nice CD-booting distro. But then it occurs to me that I don't know if I can really trust Knoppix.
Also, nobody seems to be able to tell me where I can get a trustworthy USB stick. I think this is where I am most unreasonably paranoid. I've heard so many stories about USB sticks being the source of viral infections. Is there some methodical, easy way to inspect the damn things for exploits?
POW! I've been looking for this oft-mentioned Thompson article. Thank you.
It's a shame this is an anonymous post as it is so totally thoughtful and reasonable.
I'm not interested in participating in any nation-state-threatening behaviors. I am totally interested in protecting sensitive data related to finances and other totally legal behaviors. I'm also interested in enhancing privacy in any way possible.
I realize the questions in my original post are poorly formulated if I was after detailed techniques and procedures. I am still hoping to construct an overview of helpful behaviors from the construction of a workstation or laptop through to the process of software development in a networked environment. There are a lot of very informative posts here, but also a big bunch of people who think they are funny.
To clarify, the goal is to try and formulate a useful overview of all the facets of computing to try and identify salient threat points and mitigate them. I'd ideally like to realize what major threat vectors are (user actions, hardware back doors, software exploits, etc) and what the overall relative risk is.
This is a good answer. My threat model would include anyone who wants access to my banking information but also access to anywhere I spend money and ALSO anyone who might want to sniff out my server passwords, etc. I doubt the NSA or Bruce S. care about what I do.
All good points. Perhaps you have some advice about how to protect one's data in the cloud? Encryption comes to mind, but what if your virtual machines are also allocated in the cloud? In this case, the encryption and decryption schemes might also be at risk because they too are in the cloud.
Also, how might one protect one's mobile phone from Google/Apple snooping? I've wanted to put a hosts file on my Android phone for some time but haven't gotten around to it.
Thanks for the links. I'll be checking this out. Maybe those dudes have some ideas about security.
There is no way you can avoid putting trust on something outside your own control
I'm aware of this and did not intend to ask "what should I do" but rather what other folks tend to do. Sadly, most responses here are something like "forget about it" which is decidedly unhelpful. It's like a common sense question is being addressed by Descartes or something. Seems to me there is plenty of good advice that could be kicking around. How about these questions:
* If you ever get thumb/pen USB drives, where do you get them from to make sure they are *safe*?
* What settings do you use for your Linux package management? Do you trust multiverse? universe?
* Are there any motherboard manufacturers or component manufacturers (or builders of systems) that are particularly detail-oriented when it comes to security?
Sadly, this whole thread seems like a pedantic pissing contest in most respects. There are, however, some informative posts. I'm still looking for a link to the Thompson article everyone keeps talking about.
Got any suggestions for DLP (is that Data Loss Prevention)? Also, if this comes from a package repository, how do we know it's safe?
What is this TEMPEST of which you speak?
Write your own OS, that way the government can't backdoor your OS's manufacturer without prior knowledge.
I'll get right on that...
At a minimum flash your motherboard's firmware to something trusted or written yourself
I've had tremendous success with dd-wrt for my wireless router. Is there any similar such beast for motherboards? Any resources would be much appreciated.