On 2024-07-02 18:20, George Toft via PLUG-discuss wrote:
> I work for a bank, and you would be amazed at how much security is
> baked into connecting your browser to their web servers. Makes the
> NSA look like freshmen. And no, I'm not telling you who I work for.
>
> Regards,
>
> George Toft

I'd like to hear more.

The world is a hostile place. I recently went old school. I asked the bank to disarm my online banking. I now deal with paper statements and everything gets paid by check. Not as convenient as on-line banking, however I am hoping it makes my world a little bit more secure.

What are your thoughts?

Keith

>
> On 6/29/2024 5:19 PM, Keith Smith via PLUG-discuss wrote:
>> Mike,
>>
>> The world is a hostile place. The more precautions you take the
>> better. I cover the camera on my cellular phone while not in use. I
>> cover the camera that is built into my laptop while it is not in use.
>> I think on-line banking is dangerous. At some point I want to turn
>> off WIFI and go to wired only on my local net.
>>
>> We lock our cars and houses for a reason.
>>
>> I do not know as much security as I'd like, however it might be
>> necessary at some point to become more cyber.
>>
>> About 24 years ago the members of the Tucson Free Unix Group (TFUG)
>> helped me build a server that I ran out of my home. We left the email
>> relay open and I got exploited. About 10 years ago I became root and
>> I accidentally overwrote my home directory. yikes... both were
>> painful. The first example is a reason we must be more aware of what
>> we are doing. The 2nd is an example why we should use sudo as much as
>> we can instead of becoming root.
>>
>> Keith
>>
>>
>>
>> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
>>> I just realized, while 99% of the people on this list are honest
>>> there is the diabolical 1%. So I guess I enter my password for the
>>> rest of my life. Or do you think that it really matters considering
>>> this is only a mailing list?
>>>
>>> On Sat, Jun 29, 2024, 10:22 AM Michael wrote:
>>>
>>>> Thanks for saying this. I realized that I only needed to run apt as
>>>> root. I didn't know how to make it so I could do that..... but
>>>> ChatGPT did!
>>>>
>>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss wrote:
>>>>
>>>>> NO WORRIES FROM THIS END RUSTY.
>>>>>
>>>>> As a general rule, I use sudo only for very specific tasks
>>>>> (usually updating my development package tree on OS X) and nowhere
>>>>> else will I run anything as root. I have seen what happens
>>>>> to linux machines that run infected binaries as root and it can
>>>>> get ugly pretty fast. In one case, I couldn’t take the machine
>>>>> out of service because of other items I was involved with, so I
>>>>> simply made part of the dir tree immutable after replacing a few
>>>>> files in /etc. That would fill up the system logs with an error
>>>>> message about a specific binary trying to replace a small number
>>>>> of conf files. Once the offending binary was found, it made things
>>>>> easier trying to disable it or get rid of it. However, after a
>>>>> while, I simply pulled the drive and ran it through a DoD secure
>>>>> erase and installed a newer linux distro on it. I did use the same
>>>>> trick with chattr to make /bin, /sbin and /etc immutable. That
>>>>> last turned out to be handy as I caught someone trying to rootkit
>>>>> my machine using a known exploit, only they couldn’t get it to
>>>>> run because the binaries they wanted to replace couldn’t be
>>>>> written to. :) Yes, this would be a bit excessive, but over the
>>>>> long run, proved far less inconvenient than having to wipe and
>>>>> reinstall an OS.
>>>>>
>>>>> -Eric
>>>>> From the central Offices of the Technomage Guild, security
>>>>> Applications Dept.
>>>>>
>>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss wrote:
>>>>>>
>>>>>> (Deep breath. Calm...)
>>>>>>
>>>>>> I can't figure out how to respond rationally to the below, so
>>>>>> all I'm going to say is - before you call troll, you might want
>>>>>> to research the author, and read a bit more carefully what they
>>>>>> wrote. I don't believe I recommended any of the crazy things you
>>>>>> suggest. And I certainly didn't intend to imply any of that.
>>>>>>
>>>>>> On the other hand, it may not have been clear, so I'll just say
>>>>>> "Sorry that what I wrote wasn't clear, but English isn't my first
>>>>>> language. Unfortunately it's the only one I know".
>>>>>>
>>>>>> And on that note, I'll shut up.
>>>>>>
>>>>>> On 6/26/24 15:05, Ryan Petris wrote:
>>>>>>> I feel like you're trolling so I'm not going to spend very much
>>>>>>> time on this.
>>>>>>>
>>>>>>> It's been a generally good security practice for at least the
>>>>>>> last 25+ years to not regularly run as a privileged user,
>>>>>>> requiring some sort of escalation to do administrative-type tasks.
>>>>>>> By using passwordless sudo, you're taking away that escalation.
>>>>>>> Why not just run as root? Then you don't need sudo at all. In
>>>>>>> fact, why even have a password at all? Why encrypt? Why don't you
>>>>>>> just put all your data on a publicly accessible FTP server and
>>>>>>> just grab stuff when you need it? The NSA has all your data anyway
>>>>>>> and you don't have anything to hide so why not just leave it out
>>>>>>> there for the world to see?
>>>>>>>
>>>>>>> As for something malicious needing to be written to use sudo,
>>>>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it didn't
>>>>>>> at least try then that seems like a pretty dumb malicious script
>>>>>>> to me.
>>>>>>>
>>>>>>> You also don't necessarily need to open/run something for it to
>>>>>>> run. IIRC there was a recent image vulnerability in Gnome's
>>>>>>> tracker-miner application which indexes files in your home
>>>>>>> directory. And before you say that wouldn't happen in KDE, it too
>>>>>>> has a similar program, I believe called Baloo.
>>>>>>>
>>>>>>> There also exists the recent doas program and the systemd
>>>>>>> replacement run0 to do the same.
>>>>>>>
>>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
>>>>>>>> Actually, I'd like to start a bit of a discussion on this.
>>>>>>>>
>>>>>>>>
>>>>>>>> First, I know that for some reason RedHat seems to think that
>>>>>>>> sudo is bad/insecure.
>>>>>>>>
>>>>>>>> I'd like to know the logic there, as I think the argument FOR
>>>>>>>> using sudo is MUCH stronger than any argument I've heard (which,
>>>>>>>> admittedly, is pretty close to zero) AGAINST it. Here's my
>>>>>>>> thinking:
>>>>>>>>
>>>>>>>> Allowing users to become root via sudo gives you:
>>>>>>>>
>>>>>>>> - VERY fine control over what programs a user can use as root
>>>>>>>>
>>>>>>>> - The ability to remove admin privs (ability to run as root)
>>>>>>>> from an individual WITHOUT having to change root password
>>>>>>>> everywhere.
>>>>>>>>
>>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a
>>>>>>>> corporation, that 2nd feature is well worth the price of
>>>>>>>> admission, PLUS I can only allow certain admins to run certain
>>>>>>>> programs? Very nice.
>>>>>>>>
>>>>>>>> So, for example, at my last place I allowed the 'tester' user
>>>>>>>> to run fdisk as root, because they needed to partition the disk
>>>>>>>> under test. In my case, and since the network that we ran on was
>>>>>>>> totally isolated from the corporate network, I let fdisk be run
>>>>>>>> without needing a password.
>>>>>>>> Oh, and if they messed up and fdisk'ed the boot partition, it
>>>>>>>> was no big deal - I could recreate the machine from scratch
>>>>>>>> (minus whatever data hadn't been copied off yet - which would
>>>>>>>> only be their most recent run), in 10 minutes (which was about
>>>>>>>> 2 minutes of my time, and 8 minutes of scripted 'dd' ;-)
>>>>>>>> However, if the test user wanted to become root using su, they
>>>>>>>> had to enter the test user password.
>>>>>>>>
>>>>>>>> So, back to the original question - setting sudo to not
>>>>>>>> require a password. We should have asked, what program do you
>>>>>>>> want to run as root without requiring a password? How secure is
>>>>>>>> your system? What else do you use it for? Who has access? etc,
>>>>>>>> etc, etc.
>>>>>>>>
>>>>>>>> There's one other minor objection I have to the 'zero defense'
>>>>>>>> statement below - the malicious thing you downloaded (and, I
>>>>>>>> assume ran) has to be written to USE sudo in its attempt to
>>>>>>>> break in, I believe, or it wouldn't matter HOW open your sudo
>>>>>>>> was. (simply saying 'su - myscript' won't do it).
>>>>>>>>
>>>>>>>> And, if you're truly paranoid about stuff you download, you
>>>>>>>> should:
>>>>>>>>
>>>>>>>> 1 - NEVER download something you don't have an excellent
>>>>>>>> reason to believe is 'safe', and ALWAYS make sure you actually
>>>>>>>> downloaded it from where you thought you did.
>>>>>>>>
>>>>>>>> 2 - For the TRULY paranoid, have a machine you use to download
>>>>>>>> and test software on, which you can totally disconnect from your
>>>>>>>> network (not JUST the internet), and which has NO confidential
>>>>>>>> info, and which you can erase and rebuild without caring. Run
>>>>>>>> the downloaded stuff there, for a long time, until you're pretty
>>>>>>>> sure it won't bite you.
>>>>>>>>
>>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything
>>>>>>>> from anywhere, disconnect from the internet permanently, get
>>>>>>>> high-tech locks for your doors, and wrap your house in a faraday
>>>>>>>> cage!
>>>>>>>>
>>>>>>>> And probably don't leave the house....
>>>>>>>>
>>>>>>>> The point of number 3 is that there is always a risk, even
>>>>>>>> with 'well-known' software, and as someone else said - they're
>>>>>>>> watching you anyway. The question is how 'safe' do you want to
>>>>>>>> be? And how paranoid are you, really?
>>>>>>>>
>>>>>>>> Wow, talk about rabbit hole! ;-)
>>>>>>>>
>>>>>>>> 'Let the flames begin!' :-)
>>>>>>>>
>>>>>>>>
>>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>>>>>>>>> wanted sudo not to require a password.
>>>>>>>>> Please reconsider this... This is VERY BAD security practice.
>>>>>>>>> There's basically zero defense if you happen to download/run
>>>>>>>>> something malicious.
>>>>>>>>>
>>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
>>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being
>>>>>>>>>> good at troubleshooting so I figured I'd give it a go. I spent
>>>>>>>>>> about half an hour asking it the wrong question but after that
>>>>>>>>>> it took 2 minutes. I wanted sudo not to require a password. It
>>>>>>>>>> is wonderful! Now I don't have to bug you guys. So it looks
>>>>>>>>>> like this is the end of the user group unless you want to talk
>>>>>>>>>> about OT stuff.
>>>>>>>>>>
>>>>>>>>>> -- :-)~MIKE~(-:
>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
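
The thread above contrasts sudo with no password for everything against a passwordless rule scoped to one program (fdisk for the 'tester' user, apt in the later reply). The following is an added example, not part of any poster's message: a small audit that separates the two kinds of rule in sudoers text. The function name `audit_nopasswd`, the users `alice`, `bob` and `carol`, and the binary paths are assumptions, and the sample sudoers content is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: list NOPASSWD rules in sudoers text.
# Limits (assumptions): one rule per line, no continuations, no alias expansion.

# Constructed sample. alice, bob and carol are hypothetical users; the
# tester/fdisk rule mirrors the setup described in the thread.
SAMPLE_SUDOERS='# constructed sample
Defaults env_reset
alice   ALL=(ALL)  NOPASSWD: ALL
tester  ALL=(root) NOPASSWD: /sbin/fdisk
bob     ALL=(root) NOPASSWD: /usr/bin/apt update, /usr/bin/apt upgrade
carol   ALL=(ALL)  ALL'

# Reads sudoers text on stdin. Prints "BLANKET <who>" for NOPASSWD: ALL and
# "SCOPED <who> <commands>" for rules limited to named commands.
audit_nopasswd() {
    awk '
        /^[ \t]*#/ { next }                      # comments and #include lines
        /^[ \t]*$/ { next }                      # blank lines
        /^[ \t]*(Defaults|[A-Za-z]+_Alias)/ { next }
        /NOPASSWD:/ {
            who = $1
            cmds = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", cmds)  # keep only the command list
            sub(/[ \t]+$/, "", cmds)
            blanket = 0
            n = split(cmds, part, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", part[i])
                if (part[i] == "ALL") blanket = 1
            }
            if (blanket) {
                print "BLANKET " who
            } else {
                print "SCOPED " who " " cmds
            }
        }
    '
}

printf '%s\n' "$SAMPLE_SUDOERS" | audit_nopasswd
```

Check syntax with `visudo -c` before installing a rule, and review a user's effective rules with `sudo -l -U <user>`. A scoped rule is only as narrow as what the listed command can itself do as root.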