Message-ID: <200211232201.gANM12H10976@netsys.com>
From: ratel at mailvault.com (ratel)
Subject: Please post to the list 

-----BEGIN PGP SIGNED MESSAGE-----

On 23-Nov-2002 13:03:24 -0500, you wrote:

> >>>Two words: AIR GAP.
> >>
> >> Not an option, therefore not worth discussing.
> >
> >Actually, it is an option, just not one you're in a position 
> >to take. Someone in your institution chose convenience over 
> >privacy long ago, fine. So did nearly everyone. But you can't 
> >pretend it's not a tradeoff.
> 
> No, it's not an option.  A university that disconnects from the
> Internet is committing institutional suicide.  In less than one
> semester, that university would be out of business.  The faculty would
> be the first to leave, and the students would follow quickly.

I didn't say disconnect from the internet, I said don't leave anything
you really value on boxes you connect to the internet. As I said, it's
all a tradeoff; surely it's within your power to encourage
compartmentalization at least a little bit.

All I know is I definitely rest easier knowing that any of you could
root my machines to your heart's content and find nothing much of
interest. On an individual level, removable storage media in a drawer
next to your desk isn't that expensive and sure saves you some serious
stomach acid.

Speaking of stomach acid, I have reason to distrust IRC so profoundly I
won't touch it unless I'm personally logging in from a completely
separate and clean laptop that doesn't have even one byte of my real
information on it. Is all the trouble really worth it to me? yes.  Would
I be arrogant and foolish enough to start issuing dares to people I
don't know about how secure I am? You must be out of your mind. As long
as you're connected to the internet at all you're running a risk. You
make the informed choice about how much risk to take, you live with it.
We're all in the same boat in that respect.


> >>Do you really think the average sysadmin cares?
> 
> >No, not at all. I know the average American doesn't give a damn 
> >about anything beyond comfort and convenience. Who cares about 
> >abstract ideas, what governments do or what's happening to our civil 
> >liberties as long as we've all got our cushy sysadmin jobs, TV, 
> >porn, and cold beer, right? I think the fact that so many 
> >intelligent and talented people are so complacent and apathetic 
> >is a real shame. 
> 
> Nice try.
> 
> My statement was made *in the context* of this discussion of network
> security, *not* as a blanket statement covering all situations.  It *is*
> possible to deeply care about what goes on in government without being
> foolish enough to protest those actions within the context of the job
> you've been hired to do.

I don't know what kind of jobs you've had--but can't you imagine that
seeing some serious corruption and rot in your own sector and not
speaking out against it (or trying to counter it in some way) would have
the distinct possibility of leaving an incredibly bad taste in your
mouth? I just can't accept the idea that we're somehow obliged to check
our critical faculties and values at the door in the name of getting a
paycheck. 

And I'll bet anyone who ever has knows exactly the kind of feeling I'm
talking about. Almost palpable, isn't it. 


> And frankly, I don't *know* any admins whose jobs are cushy.  (Perhaps
> this reveals your ignorance on that issue.)

I've known some incredibly cushy and incredibly hidebound and lazy
admins and ISSOs, yes. Not at a university or small company, true. If
that comprises the bulk of your experience, I'm certainly not one to
argue with you.


> The admins I know are overworked and underpaid, putting in many long
> hours outside the office to keep up with all the issues they have to
> deal with.  I personally work about 12-14 hours a day - 9 at the office
> and the rest at home, and I don't get weekends off.  Not because my
> employer demands it, but because it's not possible to do the job I
> expect myself to do and keep up with changes in the industry in a 40
> hour week.  (I'm not complaining either.  I *love* what I do.)

Well, you're a better man than the ones I was thinking of, that's for
sure.


> >You sidestep the whole issue of the implication of governments 
> >being all-too-willing to keep vulnerabilities to themselves by 
> >dragging in something somebody else happened to have said in the 
> >same forum. Good job.
> 
> I don't sidestep it.  In the context of my job, there's *nothing* I
> can do about it.  Obsessing about it is simply a waste of the precious
> time that I have.  Governments will do what governments will do.

That's what most Germans under Hitler said. That's what the Chinese
under Mao said, that's what the Russians under Stalin said. I could
sit here all night listing historical examples of people who said that.

However, that's not what the Founding Fathers said. Nor any of the other
people I respect most.


> And I will vote my conscience on the issues.  It is for others to
> crusade on issues that inspire them.  I crusade on the ones that
> inspire me.

As long as you're doing something. I've just come to the point where I
feel like I haven't been doing enough.


> >So you actually mean to say you think JTF-CNA analysts believe 
> >in full disclosure? Oh wait, you don't care. Nevermind. Dream on. 
> 
> No, I never even hinted that.  I'm simply saying that, within the
> context of what I do at work, it's irrelevant.

Irrelevant to your job, maybe, but I have a feeling one of these days
sometime soon it's going to become all-too-apparent why it's not
irrelevant to your life.


> >Unfortunately, I do lay awake at night about what's happening to 
> >this country. I wonder how bad it'll have to get before you quit 
> >feeling so smug and stop laughing too.
> 
> Jesus once said, "The poor you will always have with you."  I would
> say, "The evil (or mal-intentioned, if you will) you will always have
> with you."

But will the institutional structures coming into place in the form of
the Department of Homeland Security, the Patriot Act, Palladium etc.
give them the upper hand? 

Someone once said fascism is a condition where laws succumb to
lawlessness in favor of the power of the state. If they keep chipping
away at the Constitution and rule of law, that's exactly where we're
headed.

> Many Americans don't believe it, but the place to effect change is the
> ballot box.  Always has been, and always will be.  You don't have to be
> a ranting crusader to make changes occur.  You simply have to vote and
> convince others to vote with you.

Oh well, it's a start. 
http://www.lp.org

Ratel.

***


"Americans used to roar like lions for liberty. Now we bleat
like sheep for security." - Norman Vincent Peale.



-----BEGIN PGP SIGNATURE-----
Version: MailVault 2.2 from Laissez Faire City http://www.mailvault.com

iQA/AwUAPd/6VOYNtyh3zif9EQIYPwCg9v8pGMw40A67bTv3cfZtNg06FxwAoJM5
itDAlE+kp9DRSZrULS48aVyv
=seOm
-----END PGP SIGNATURE-----
