Thank you so much George!!

Another Question.

I was a police officer in the 80's and 90's. During my tenure the bank
was on the hook for any criminal acts as long as the customer was not
negligent. I only dealt with this on a couple occasions.

So if someone gets access to my online banking and I report it in a
timely manner, or if someone washes one of my checks and I report it in
a timely manner, is the bank on the hook or am I?

BTW I thought going old school was the most secure. I do not trust the
Internet. My daily driver is a Linux Box and I do not use my cellular
phone for anything except to talk and read some news.

I am semiretired and have home officed for a long time.

Any suggestions are appreciated.

On 2024-07-03 21:48, George Toft wrote:
> Sorry, Keith, I have bad news for you. You took a 30+ year leap
> backwards in security.
>
> I can tell you for certain, from my bank fraud analyst friend (just got
> promoted to financial crimes investigator), checks are the second most
> insecure way of transferring money, first being putting the money in
> the envelope. They helped the USPS bust a fraud ring who worked in the
> Post Office - fraudsters were pulling checks out of envelopes inside
> the local Post Office. My friend pulled out all the details for the
> Postmaster General.
>
> ACH is free (for you) and secure and guaranteed by the originator as
> they are on the hook to prove the identity of who initiated the
> transaction and they have to pay. It's all very complicated, and I'm
> not going into details here.
>
> I use ACH all the time. My physical devices have multi-layer physical
> protection. Logical access control is in-place. Both have multi-factor
> authentication. Password resets require multi-factor authentication.
>
> And the DoD is worse - their systems have so many layers, it was easier
> to just let my account get deleted from lack of use and rebuild it from
> scratch.
> I have notes that tell me screen-by-screen what to put in each
> box and which ones to ignore. It's so secure, legitimate users can't
> even get in... and this is just my health insurance.
>
> Where all of this can break down - getting on topic - is with the SSH
> protocol and web proxies. When you connect to a website using HTTPS
> using a web proxy, your web browser uses its cert to set up the
> connection, or so it thinks. What's really happening is the proxy is
> responding to the request and decrypting the message, then it forms a
> new request and sends it to the bank, which believes the proxy and
> sends it back. Everything gets decrypted on the proxy, so whoever has
> admin access to the proxy can see everything. Kinda like opening
> envelopes in the mail room :) Disclaimer: This is what some networking
> guys told me in a presentation about 10 years ago.
>
> In summary, ACH is safe if you do it from home without a proxy. Of
> course "safe" is relative, but it's safer than checks in the mail. Drop
> into your bank and ask the branch manager, or call their customer
> service and ask. They won't tell you checks are bad, but they will
> steer you to ACH and tell you it's better. Break out the Rosetta Stone
> and figure out what "better" means in corporate-speak. Banks are in it
> to win it, and they don't offer something for free unless they are
> saving money (cost avoidance) on the alternatives.
>
> Regards,
>
> George Toft
>
> On 7/3/2024 6:21 AM, techlists@phpcoderusa.com wrote:
>>
>> On 2024-07-02 18:20, George Toft via PLUG-discuss wrote:
>>> I work for a bank, and you would be amazed at how much security is
>>> baked into connecting your browser to their web servers. Makes
>>> the NSA look like freshmen. And no, I'm not telling you who I work
>>> for.
>>>
>>> Regards,
>>>
>>> George Toft
>>
>> I'd like to hear more. The world is a hostile place. I recently went
>> old school. I asked the bank to disarm my online banking.
>> I now deal
>> with paper statements and everything gets paid by check. Not as
>> convenient as on-line banking, however I am hoping it makes my world a
>> little bit more secure.
>>
>> What are your thoughts?
>>
>> Keith
>>
>>> On 6/29/2024 5:19 PM, Keith Smith via PLUG-discuss wrote:
>>>> Mike,
>>>>
>>>> The world is a hostile place. The more precautions you take the
>>>> better. I cover the camera on my cellular phone while not in use.
>>>> I cover the camera that is built into my laptop while it is not in
>>>> use. I think on-line banking is dangerous. At some point I want to
>>>> turn off WIFI and go to wired only on my local net.
>>>>
>>>> We lock our cars and houses for a reason.
>>>>
>>>> I do not know as much security as I'd like, however it might be
>>>> necessary at some point to become more cyber.
>>>>
>>>> About 24 years ago the members of the Tucson Free Unix Group (TFUG)
>>>> helped me build a server that I ran out of my home. We left the
>>>> email relay open and I got exploited. About 10 years ago I became
>>>> root and I accidentally overwrote my home directory. yikes... both
>>>> were painful. The first example is a reason we must be more aware
>>>> of what we are doing. The 2nd is an example why we should use sudo
>>>> as much as we can instead of becoming root.
>>>>
>>>> Keith
>>>>
>>>> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
>>>>> I just realized, while 99% of the people on this list are honest there
>>>>> is the diabolical 1%. So I guess I enter my password for the rest of
>>>>> my life. Or do you think that it really matters considering this is
>>>>> only a mailing list?
>>>>>
>>>>> On Sat, Jun 29, 2024, 10:22 AM Michael wrote:
>>>>>
>>>>>> Thanks for saying this. I realized that I only needed to run apt as
>>>>>> root. I didn't know how to make it so I could do that..... but
>>>>>> ChatGPT did!
>>>>>>
>>>>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss wrote:
>>>>>>
>>>>>>> NO WORRIES FROM THIS END RUSTY.
>>>>>>>
>>>>>>> As a general rule, I use sudo only for very specific tasks
>>>>>>> (usually updating my development package tree on OS X) and nowhere
>>>>>>> else will I run anything as root. I have seen what happens
>>>>>>> to linux machines that run infected binaries as root and it can
>>>>>>> get ugly pretty fast. In one case, I couldn’t take the machine
>>>>>>> out of service because of other items I was involved with, so I
>>>>>>> simply made part of the dir tree immutable after replacing a few
>>>>>>> files in /etc. That would fill up the system logs with an error
>>>>>>> message about a specific binary trying to replace a small number
>>>>>>> of conf files. Once the offending binary was found, it made things
>>>>>>> easier trying to disable it or get rid of it. However, after a
>>>>>>> while, I simply pulled the drive and ran it through a DoD secure
>>>>>>> erase and installed a newer linux distro on it. I did use the same
>>>>>>> trick with chattr to make /bin, /sbin and /etc immutable. That
>>>>>>> last turned out to be handy as I caught someone trying to rootkit
>>>>>>> my machine using a known exploit, only they couldn’t get it to
>>>>>>> run because the binaries they wanted to replace couldn’t be
>>>>>>> written to. :) Yes, this would be a bit excessive, but over the
>>>>>>> long run, proved far less inconvenient than having to wipe and
>>>>>>> reinstall an OS.
>>>>>>>
>>>>>>> -Eric
>>>>>>> From the central Offices of the Technomage Guild, security
>>>>>>> Applications Dept.
>>>>>>>
>>>>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss wrote:
>>>>>>>>
>>>>>>>> (Deep breath. Calm...)
>>>>>>>>
>>>>>>>> I can't figure out how to respond rationally to the below, so
>>>>>>>> all I'm going to say is - before you call troll, you might want
>>>>>>>> to research the author, and read a bit more carefully what they
>>>>>>>> wrote. I don't believe I recommended any of the crazy things you
>>>>>>>> suggest. And I certainly didn't intend to imply any of that.
>>>>>>>>
>>>>>>>> On the other hand, it may not have been clear, so I'll just say
>>>>>>>> "Sorry that what I wrote wasn't clear, but English isn't my first
>>>>>>>> language. Unfortunately it's the only one I know".
>>>>>>>>
>>>>>>>> And on that note, I'll shut up.
>>>>>>>>
>>>>>>>> On 6/26/24 15:05, Ryan Petris wrote:
>>>>>>>>> I feel like you're trolling so I'm not going to spend very much
>>>>>>>>> time on this.
>>>>>>>>>
>>>>>>>>> It's been a generally good security practice for at least the
>>>>>>>>> last 25+ years to not regularly run as a privileged user,
>>>>>>>>> requiring some sort of escalation to do administrative-type tasks.
>>>>>>>>> By using passwordless sudo, you're taking away that escalation.
>>>>>>>>> Why not just run as root? Then you don't need sudo at all. In
>>>>>>>>> fact, why even have a password at all? Why encrypt? Why don't you
>>>>>>>>> just put all your data on a publicly accessible FTP server and
>>>>>>>>> just grab stuff when you need it? The NSA has all your data anyway
>>>>>>>>> and you don't have anything to hide so why not just leave it out
>>>>>>>>> there for the world to see?
>>>>>>>>>
>>>>>>>>> As for something malicious needing to be written to use sudo,
>>>>>>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it didn't
>>>>>>>>> at least try then that seems like a pretty dumb malicious script
>>>>>>>>> to me.
>>>>>>>>>
>>>>>>>>> You also don't necessarily need to open/run something for it to
>>>>>>>>> run. IIRC there was a recent image vulnerability in Gnome's
>>>>>>>>> tracker-miner application which indexes files in your home
>>>>>>>>> directory.
>>>>>>>>> And before you say that wouldn't happen in KDE, it too
>>>>>>>>> has a similar program, I believe called Baloo.
>>>>>>>>>
>>>>>>>>> There also exists the recent doas program and the systemd
>>>>>>>>> replacement run0 to do the same.
>>>>>>>>>
>>>>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via PLUG-discuss wrote:
>>>>>>>>>> Actually, I'd like to start a bit of a discussion on this.
>>>>>>>>>>
>>>>>>>>>> First, I know that for some reason RedHat seems to think that sudo is
>>>>>>>>>> bad/insecure.
>>>>>>>>>>
>>>>>>>>>> I'd like to know the logic there, as I think the argument FOR using sudo
>>>>>>>>>> is MUCH stronger than any argument I've heard (which, admittedly, is
>>>>>>>>>> pretty close to zero) AGAINST it. Here's my thinking:
>>>>>>>>>>
>>>>>>>>>> Allowing users to become root via sudo gives you:
>>>>>>>>>>
>>>>>>>>>> - VERY fine control over what programs a user can use as root
>>>>>>>>>>
>>>>>>>>>> - The ability to remove admin privs (ability to run as root) from an
>>>>>>>>>> individual WITHOUT having to change root password everywhere.
>>>>>>>>>>
>>>>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a corporation,
>>>>>>>>>> that 2nd feature is well worth the price of admission, PLUS I can only
>>>>>>>>>> allow certain admins to run certain programs? Very nice.
>>>>>>>>>>
>>>>>>>>>> So, for example, at my last place I allowed the 'tester' user to run
>>>>>>>>>> fdisk as root, because they needed to partition the disk under test. In
>>>>>>>>>> my case, and since the network that we ran on was totally isolated from
>>>>>>>>>> the corporate network, I let fdisk be run without needing a password.
>>>>>>>>>> Oh, and if they messed up and fdisk'ed the boot partition, it was no big
>>>>>>>>>> deal - I could recreate the machine from scratch (minus whatever data
>>>>>>>>>> hadn't been copied off yet - which would only be their most recent run),
>>>>>>>>>> in 10 minutes (which was about 2 minutes of my time, and 8 minutes of
>>>>>>>>>> scripted 'dd' ;-) However, if the test user wanted to become root using
>>>>>>>>>> su, they had to enter the test user password.
>>>>>>>>>>
>>>>>>>>>> So, back to the original question - setting sudo to not require a
>>>>>>>>>> password. We should have asked, what program do you want to run as root
>>>>>>>>>> without requiring a password? How secure is your system? What else do
>>>>>>>>>> you use it for? Who has access? etc, etc, etc.
>>>>>>>>>>
>>>>>>>>>> There's one other minor objection I have to the 'zero defense' statement
>>>>>>>>>> below - the malicious thing you downloaded (and, I assume ran) has to be
>>>>>>>>>> written to USE sudo in its attempt to break in, I believe, or it
>>>>>>>>>> wouldn't matter HOW open your sudo was. (simply saying 'su - myscript'
>>>>>>>>>> won't do it).
>>>>>>>>>>
>>>>>>>>>> And, if you're truly paranoid about stuff you download, you should:
>>>>>>>>>>
>>>>>>>>>> 1 - NEVER download something you don't have an excellent reason to
>>>>>>>>>> believe is 'safe', and ALWAYS make sure you actually downloaded it from
>>>>>>>>>> where you thought you did.
>>>>>>>>>>
>>>>>>>>>> 2 - For the TRULY paranoid, have a machine you use to download and test
>>>>>>>>>> software on, which you can totally disconnect from your network (not
>>>>>>>>>> JUST the internet), and which has NO confidential info, and which you
>>>>>>>>>> can erase and rebuild without caring.
>>>>>>>>>> Run the downloaded stuff there,
>>>>>>>>>> for a long time, until you're pretty sure it won't bite you.
>>>>>>>>>>
>>>>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything from
>>>>>>>>>> anywhere, disconnect from the internet permanently, get high-tech locks
>>>>>>>>>> for your doors, and wrap your house in a faraday cage!
>>>>>>>>>>
>>>>>>>>>> And probably don't leave the house....
>>>>>>>>>>
>>>>>>>>>> The point of number 3 is that there is always a risk, even with
>>>>>>>>>> 'well-known' software, and as someone else said - they're watching you
>>>>>>>>>> anyway. The question is how 'safe' do you want to be? And how paranoid
>>>>>>>>>> are you, really?
>>>>>>>>>>
>>>>>>>>>> Wow, talk about rabbit hole! ;-)
>>>>>>>>>>
>>>>>>>>>> 'Let the flames begin!' :-)
>>>>>>>>>>
>>>>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>>>>>>>>>>> wanted sudo not to require a password.
>>>>>>>>>>> Please reconsider this... This is VERY BAD security practice.
>>>>>>>>>>> There's basically zero defense if you happen to download/run
>>>>>>>>>>> something malicious.
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss wrote:
>>>>>>>>>>>> then I remembered that a PLUG member mentioned ChatGPT being
>>>>>>>>>>>> good at troubleshooting so I figured I'd give it a go. I spent
>>>>>>>>>>>> about half an hour asking it the wrong question but after that it
>>>>>>>>>>>> took 2 minutes. I wanted sudo not to require a password. it is
>>>>>>>>>>>> wonderful! now I don't have to bug you guys. so it looks like this
>>>>>>>>>>>> is the end of the user group unless you want to talk about OT
>>>>>>>>>>>> stuff.
>>>>>>>>>>>>
>>>>>>>>>>>> -- :-)~MIKE~(-:
>>>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>>>> PLUG-discuss mailing list: PLUG-discuss@lists.phxlinux.org
>>>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>>>> https://lists.phxlinux.org/mailman/listinfo/plug-discuss
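
The distinction argued in this thread, blanket passwordless sudo versus a `NOPASSWD` rule scoped to one program such as fdisk or apt, can be checked mechanically. The script below is an added example, not code from any poster; the user names and sudoers lines are constructed, and it assumes one rule per line (no line continuations, no Cmnd_Alias expansion).

```shell
#!/bin/sh
# Added example: classify NOPASSWD rules in sudoers-format text on stdin.
# Prints one line per rule: "<BLANKET|SCOPED> <user-or-%group> <rule text>".
# Assumption: one rule per line; aliases are not expanded.
audit_sudoers() {
    awk '
    /^[ \t]*(#|Defaults)/ { next }          # comments and Defaults lines
    /NOPASSWD:/ {
        spec = substr($0, index($0, "NOPASSWD:"))
        sub(/[ \t]+$/, "", spec)
        n = split(spec, item, /[ \t]*,[ \t]*/)
        nopw = 0; verdict = "SCOPED"
        for (i = 1; i <= n; i++) {
            c = item[i]
            # Tags (NOPASSWD:, PASSWD:, NOEXEC:, ...) apply to the commands
            # that follow them, so track the password tag while walking.
            while (match(c, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(c, 1, RLENGTH)
                if (tag ~ /^NOPASSWD:/) nopw = 1
                else if (tag ~ /^PASSWD:/) nopw = 0
                c = substr(c, RLENGTH + 1)
            }
            # ALL with no password is the configuration the thread warns about.
            if (nopw && c == "ALL") verdict = "BLANKET"
        }
        print verdict, $1, spec
    }'
}

# Constructed sample input (hypothetical users, not taken from the thread).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
%sudo   ALL=(ALL:ALL) ALL
devuser ALL=(ALL) NOPASSWD: ALL
michael ALL=(root) NOPASSWD: /usr/bin/apt
tester  ALL=(root) NOPASSWD: /sbin/fdisk, PASSWD: ALL
EOF
}

sample_sudoers | audit_sudoers
```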