Re: sudo in general, and not requiring password in particula…

Author: Keith Smith via PLUG-discuss
Date:  
To: George Toft
CC: techlists, Main PLUG discussion list
Subject: Re: sudo in general, and not requiring password in particular (was Re: trouble adding my user to sudoers list)
Thank you so much George!!

Another question. I was a police officer in the 80's and 90's. During
my tenure the bank was on the hook for any criminal acts as long as the
customer was not negligent. I only dealt with this on a couple of
occasions.

So if someone gets access to my online banking and I report it in a
timely manner, or if someone washes one of my checks and I report it in
a timely manner, is the bank on the hook or am I?

BTW I thought going old school was the most secure. I do not trust the
Internet. My daily driver is a Linux Box and I do not use my cellular
phone for anything except to talk and read some news. I am semiretired
and have home officed for a long time.

Any suggestions are appreciated.



On 2024-07-03 21:48, George Toft wrote:
> Sorry, Keith, I have bad news for you. You took a 30+ year leap
> backwards in security.
>
> I can tell you for certain, from my bank fraud analyst friend (just got
> promoted to financial crimes investigator), checks are the second most
> insecure way of transferring money, first being putting the money in
> the envelope. They helped the USPS bust a fraud ring who worked in the
> Post Office - fraudsters were pulling checks out of envelopes inside
> the local Post Office. My friend pulled out all the details for the
> Postmaster General.
>
> ACH is free (for you) and secure and guaranteed by the originator as
> they are on the hook to prove the identity of who initiated the
> transaction and they have to pay. It's all very complicated, and I'm
> not going into details here.
>
> I use ACH all the time. My physical devices have multi-layer physical
> protection. Logical access control is in-place. Both have multi-factor
> authentication. Password resets require multi-factor authentication.
>
> And the DoD is worse - their systems have so many layers, it was easier
> to just let my account get deleted from lack of use and rebuilt it from
> scratch. I have notes that tell me screen-by-screen what to put in each
> box and which ones to ignore. It's so secure, legitimate users can't
> even get in... and this is just my health insurance.
>
> Where all of this can break down - getting on topic - is with the SSH
> protocol and web proxies. When you connect to a website using HTTPS
> using a web proxy, your web browser uses its cert to set up the
> connection, or so it thinks. What's really happening is the proxy is
> responding to the request and decrypting the message, then it forms a
> new request and sends it to the bank, which believes the proxy and
> sends it back. Everything gets decrypted on the proxy, so whoever has
> admin access to the proxy can see everything. Kinda like opening
> envelopes in the mail room :) Disclaimer: This is what some networking
> guys told me in a presentation about 10 years ago.
>
> In summary, ACH is safe if you do it from home without a proxy. Of
> course "safe" is relative, but it's safer than checks in the mail. Drop
> into your bank and ask the branch manager, or call their customer
> service and ask. They won't tell you checks are bad, but they will
> steer you to ACH and tell you it's better. Break out the Rosetta Stone
> and figure out what "better" means in corporate-speak. Banks are in it
> to win it, and they don't offer something for free unless they are
> saving money (cost avoidance) on the alternatives.
>
> Regards,
>
> George Toft
>
> On 7/3/2024 6:21 AM, wrote:
>> <scroll>
>>
>> On 2024-07-02 18:20, George Toft via PLUG-discuss wrote:
>>> I work for a bank, and you would be amazed at how much security is
>>> baked into the connecting your browser to their web servers. Makes
>>> the NSA look like freshmen. And no, I'm not telling you who I work
>>> for.
>>>
>>> Regards,
>>>
>>> George Toft
>>
>> I'd like to hear more.  The world is a hostile place.  I recently went
>> old school.  I asked the bank to disarm my online banking.  I now deal
>> with paper statements and everything gets paid by check. Not as
>> convenient as on-line banking, however I am hoping it makes my world a
>> little bit more secure.
>>
>> What are your thoughts?
>>
>> Keith
>>
>>
>>
>>
>>
>>>
>>> On 6/29/2024 5:19 PM, Keith Smith via PLUG-discuss wrote:
>>>> Mike,
>>>>
>>>> The world is a hostile place.  The more precautions you take the
>>>> better.  I cover the camera on my cellular phone while not in use. 
>>>> I cover the camera that is built into my laptop while it is not in
>>>> use.  I think on-line banking is dangerous.  At some point I want to
>>>> turn off WIFI and go to wired only on my local net.
>>>>
>>>> We lock our cars and houses for a reason.
>>>>
>>>> I do not know as much security as I'd like, however it might be
>>>> necessary at some point to become more cyber.
>>>>
>>>> About 24 years ago the members of the Tucson Free Unix Group (TFUG)
>>>> helped me build a server that I ran out of my home.  We left the
>>>> email relay open and I got exploited.  About 10 years ago I became
>>>> root and I accidentally overwrote my home directory. yikes... both
>>>> were painful.  The first example is a reason we must be more aware
>>>> of what we are doing. The 2nd is an example why we should use sudo
>>>> as much as we can instead of becoming root.
>>>>
>>>> Keith
>>>>
>>>>
>>>>
>>>> On 2024-06-29 08:55, Michael via PLUG-discuss wrote:
>>>>> I just realized, while 99% of the people on this list are honest
>>>>> there is the diabolical 1%. So I guess I enter my password for the
>>>>> rest of my life. Or do you think that it really matters considering
>>>>> this is only a mailing list?
>>>>>
>>>>> On Sat, Jun 29, 2024, 10:22 AM Michael <> wrote:
>>>>>
>>>>>> Thanks for saying this. I realized that I only needed to run apt
>>>>>> as root. I didn't know how to make it so I could do that..... but
>>>>>> ChatGPT did!
>>>>>>
>>>>>> On Sat, Jun 29, 2024, 5:53 AM Eric Oyen via PLUG-discuss
>>>>>> <> wrote:
>>>>>>
>>>>>>> NO WORRIES FROM THIS END, RUSTY.
>>>>>>>
>>>>>>> As a general rule, I use sudo only for very specific tasks
>>>>>>> (usually updating my development package tree on OS X) and
>>>>>>> nowhere else will I run anything as root. I have seen what happens
>>>>>>> to Linux machines that run infected binaries as root and it can
>>>>>>> get ugly pretty fast. In one case, I couldn’t take the machine
>>>>>>> out of service because of other items I was involved with, so I
>>>>>>> simply made part of the dir tree immutable after replacing a few
>>>>>>> files in /etc. That would fill up the system logs with an error
>>>>>>> message about a specific binary trying to replace a small number
>>>>>>> of conf files. Once the offending binary was found, it made things
>>>>>>> easier trying to disable it or get rid of it. However, after a
>>>>>>> while, I simply pulled the drive and ran it through a DoD secure
>>>>>>> erase and installed a newer Linux distro on it. I did use the same
>>>>>>> trick with chattr to make /bin, /sbin and /etc immutable. That
>>>>>>> last turned out to be handy as I caught someone trying to rootkit
>>>>>>> my machine using a known exploit, only they couldn’t get it to
>>>>>>> run because the binaries they wanted to replace couldn’t be
>>>>>>> written to. :) Yes, this would be a bit excessive, but over the
>>>>>>> long run, proved far less inconvenient than having to wipe and
>>>>>>> reinstall an OS.
>>>>>>>
>>>>>>> -Eric
>>>>>>> From the central Offices of the Technomage Guild, security
>>>>>>> Applications Dept.
>>>>>>>
>>>>>>>> On Jun 28, 2024, at 6:43 PM, Rusty Carruth via PLUG-discuss
>>>>>>>> <> wrote:
>>>>>>>>
>>>>>>>> (Deep breath.  Calm...)
>>>>>>>>
>>>>>>>> I can't figure out how to respond rationally to the below, so
>>>>>>>> all I'm going to say is - before you call troll, you might want
>>>>>>>> to research the author, and read a bit more carefully what they
>>>>>>>> wrote.  I don't believe I recommended any of the crazy things you
>>>>>>>> suggest.  And I certainly didn't intend to imply any of that.
>>>>>>>>
>>>>>>>> On the other hand, it may not have been clear, so I'll just say
>>>>>>>> "Sorry that what I wrote wasn't clear, but English isn't my first
>>>>>>>> language.  Unfortunately it's the only one I know".
>>>>>>>>
>>>>>>>> And on that note, I'll shut up.
>>>>>>>>
>>>>>>>> On 6/26/24 15:05, Ryan Petris wrote:
>>>>>>>>> I feel like you're trolling so I'm not going to spend very much
>>>>>>>>> time on this.
>>>>>>>>>
>>>>>>>>> It's been a generally good security practice for at least the
>>>>>>>>> last 25+ years to not regularly run as a privileged user,
>>>>>>>>> requiring some sort of escalation to do administrative-type tasks.
>>>>>>>>> By using passwordless sudo, you're taking away that escalation.
>>>>>>>>> Why not just run as root? Then you don't need sudo at all. In
>>>>>>>>> fact, why even have a password at all? Why encrypt? Why don't you
>>>>>>>>> just put all your data on a publicly accessible FTP server and
>>>>>>>>> just grab stuff when you need it? The NSA has all your data anyway
>>>>>>>>> and you don't have anything to hide so why not just leave it out
>>>>>>>>> there for the world to see?
>>>>>>>>>
>>>>>>>>> As for something malicious needing to be written to use sudo,
>>>>>>>>> why wouldn't it? sudo is ubiquitous on unix systems; if it didn't
>>>>>>>>> at least try then that seems like a pretty dumb malicious script
>>>>>>>>> to me.
>>>>>>>>>
>>>>>>>>> You also don't necessarily need to open/run something for it to
>>>>>>>>> run. IIRC there was a recent image vulnerability in Gnome's
>>>>>>>>> tracker-miner application which indexes files in your home
>>>>>>>>> directory. And before you say that wouldn't happen in KDE, it too
>>>>>>>>> has a similar program, I believe called Baloo.
>>>>>>>>>
>>>>>>>>> There also exists the recent doas program and the systemd
>>>>>>>>> replacement run0 to do the same.
>>>>>>>>>
>>>>>>>>>> On Wed, Jun 26, 2024, at 12:23 PM, Rusty Carruth via
>>>>>>>>>> PLUG-discuss wrote:
>>>>>>>>>> Actually, I'd like to start a bit of a discussion on this.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> First, I know that for some reason RedHat seems to think that
>>>>>>>>>> sudo is bad/insecure.
>>>>>>>>>>
>>>>>>>>>> I'd like to know the logic there, as I think the argument FOR
>>>>>>>>>> using sudo is MUCH stronger than any argument I've heard (which,
>>>>>>>>>> admittedly, is pretty close to zero) AGAINST it.   Here's my
>>>>>>>>>> thinking:
>>>>>>>>>>
>>>>>>>>>> Allowing users to become root via sudo gives you:
>>>>>>>>>>
>>>>>>>>>> - VERY fine control over what programs a user can use as root
>>>>>>>>>>
>>>>>>>>>> - The ability to remove admin privs (ability to run as root)
>>>>>>>>>> from an individual WITHOUT having to change root password
>>>>>>>>>> everywhere.
>>>>>>>>>>
>>>>>>>>>> Now, remember, RH is supposedly 'corporate friendly'. As a
>>>>>>>>>> corporation, that 2nd feature is well worth the price of
>>>>>>>>>> admission, PLUS I can only allow certain admins to run certain
>>>>>>>>>> programs? Very nice.
>>>>>>>>>>
>>>>>>>>>> So, for example, at my last place I allowed the 'tester' user
>>>>>>>>>> to run fdisk as root, because they needed to partition the disk
>>>>>>>>>> under test.  In my case, and since the network that we ran on
>>>>>>>>>> was totally isolated from the corporate network, I let fdisk be
>>>>>>>>>> run without needing a password.  Oh, and if they messed up and
>>>>>>>>>> fdisk'ed the boot partition, it was no big deal - I could
>>>>>>>>>> recreate the machine from scratch (minus whatever data hadn't
>>>>>>>>>> been copied off yet - which would only be their most recent
>>>>>>>>>> run), in 10 minutes (which was about 2 minutes of my time, and
>>>>>>>>>> 8 minutes of scripted 'dd' ;-)  However, if the test user wanted
>>>>>>>>>> to become root using su, they had to enter the test user
>>>>>>>>>> password.
>>>>>>>>>>
>>>>>>>>>> So, back to the original question - setting sudo to not
>>>>>>>>>> require a password.  We should have asked, what program do you
>>>>>>>>>> want to run as root without requiring a password? How secure is
>>>>>>>>>> your system? What else do you use it for?  Who has access?
>>>>>>>>>> etc, etc, etc.
>>>>>>>>>>
>>>>>>>>>> There's one other minor objection I have to the 'zero defense'
>>>>>>>>>> statement below - the malicious thing you downloaded (and, I
>>>>>>>>>> assume ran) has to be written to USE sudo in its attempt to
>>>>>>>>>> break in, I believe, or it wouldn't matter HOW open your sudo
>>>>>>>>>> was. (simply saying 'su - myscript' won't do it).
>>>>>>>>>>
>>>>>>>>>> And, if you're truly paranoid about stuff you download, you
>>>>>>>>>> should:
>>>>>>>>>>
>>>>>>>>>> 1 - NEVER download something you don't have an excellent
>>>>>>>>>> reason to believe is 'safe', and ALWAYS make sure you actually
>>>>>>>>>> downloaded it from where you thought you did.
>>>>>>>>>>
>>>>>>>>>> 2 - For the TRULY paranoid, have a machine you use to download
>>>>>>>>>> and test software on, which you can totally disconnect from
>>>>>>>>>> your network (not JUST the internet), and which has NO
>>>>>>>>>> confidential info, and which you can erase and rebuild without
>>>>>>>>>> caring.  Run the downloaded stuff there, for a long time, until
>>>>>>>>>> you're pretty sure it won't bite you.
>>>>>>>>>>
>>>>>>>>>> 3 - For the REALLY REALLY paranoid, don't download anything
>>>>>>>>>> from anywhere, disconnect from the internet permanently, get
>>>>>>>>>> high-tech locks for your doors, and wrap your house in a
>>>>>>>>>> faraday cage!
>>>>>>>>>>
>>>>>>>>>> And probably don't leave the house....
>>>>>>>>>>
>>>>>>>>>> The point of number 3 is that there is always a risk, even
>>>>>>>>>> with 'well-known' software, and as someone else said - they're
>>>>>>>>>> watching you anyway.  The question is how 'safe' do you want to
>>>>>>>>>> be? And how paranoid are you, really?
>>>>>>>>>>
>>>>>>>>>> Wow, talk about rabbit hole! ;-)
>>>>>>>>>>
>>>>>>>>>> 'Let the flames begin!' :-)
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 6/25/24 18:50, Ryan Petris via PLUG-discuss wrote:
>>>>>>>>>>>> wanted sudo not to require a password.
>>>>>>>>>>> Please reconsider this... This is VERY BAD security practice.
>>>>>>>>>>> There's basically zero defense if you happen to download/run
>>>>>>>>>>> something malicious.
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Jun 25, 2024, at 6:01 PM, Michael via PLUG-discuss
>>>>>>>>>>> wrote:
>>>>>>>>>>>> then I remember that a PLUG member mentioned ChatGPT being
>>>>>>>>>>>> good at troubleshooting so I figured I'd give it a go. I spent
>>>>>>>>>>>> about half an hour asking it the wrong question but after that
>>>>>>>>>>>> it took 2 minutes. I wanted sudo not to require a password. It
>>>>>>>>>>>> is wonderful! Now I don't have to bug you guys. So it looks
>>>>>>>>>>>> like this is the end of the user group unless you want to talk
>>>>>>>>>>>> about OT stuff.
>>>>>>>>>>>>
>>>>>>>>>>>> -- :-)~MIKE~(-:

---------------------------------------------------
PLUG-discuss mailing list:
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
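The thread above contrasts two ways of using sudo without a password: the blanket "no password for anything" rule Michael set up, which Ryan warns leaves "basically zero defense" against something malicious you run, and the narrow per-command grant Rusty describes (a 'tester' account allowed to run fdisk as root, and nothing else). The script below is an added example written for this page, not code posted by anyone in the thread. It puts both forms side by side in sudoers syntax and flags the blanket form in a given file. The usernames (mike, tester), the /sbin/fdisk path and the sample file are constructed for illustration; it reads a single file you hand it and does not follow `@include` / `#includedir` directives, so run it over each file under /etc/sudoers.d/ as well.

```shell
#!/bin/sh
# Added example (not from the thread): contrast a blanket passwordless
# sudoers rule with a narrow, per-command grant, and flag the blanket form.
# Usernames, paths and the sample file are constructed for illustration.

# Constructed sample in sudoers syntax: one blanket rule, one narrow rule,
# two rules that still require a password, plus a comment and a Defaults line.
SAMPLE_SUDOERS='# constructed sample, not a real /etc/sudoers
Defaults    env_reset
root        ALL=(ALL:ALL) ALL
# Blanket grant: any command, as any user, with no password prompt.
mike        ALL=(ALL) NOPASSWD: ALL
# Narrow grant (the fdisk-for-testers pattern): one command, no password.
tester      ALL=(root) NOPASSWD: /sbin/fdisk
# Ordinary admin: everything, but only after re-authenticating.
%wheel      ALL=(ALL:ALL) ALL
'

# audit_sudoers FILE
# Prints one RISK line per rule whose NOPASSWD command list is exactly ALL.
# A NOPASSWD rule naming specific binaries (the narrow form) is not reported.
# Returns 0 when no blanket rule is found, 1 when at least one is.
audit_sudoers() {
    file="$1"
    found=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') continue ;;               # skip comments and blank lines
        esac
        case "$line" in
            *NOPASSWD:*)
                # The command list is whatever follows the last "NOPASSWD:".
                cmds="${line##*NOPASSWD:}"
                # Trim surrounding whitespace so "NOPASSWD:ALL" and
                # "NOPASSWD: ALL" are treated the same.
                cmds=$(printf '%s' "$cmds" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
                if [ "$cmds" = "ALL" ]; then
                    printf 'RISK: blanket passwordless rule: %s\n' "$line"
                    found=1
                fi
                ;;
        esac
    done < "$file"
    return $found
}

# count_blanket_nopasswd FILE
# Number of blanket rules in FILE, for use from other scripts.
count_blanket_nopasswd() {
    audit_sudoers "$1" | grep -c '^RISK:' || true
}

# Stand-alone demonstration over the constructed sample.
demo() {
    tmp=$(mktemp)
    printf '%s' "$SAMPLE_SUDOERS" > "$tmp"
    audit_sudoers "$tmp" || echo "(at least one blanket rule found)"
    echo "blanket rules: $(count_blanket_nopasswd "$tmp")"
    rm -f "$tmp"
}
```

Run it as `sh audit.sh` after appending a `demo` call, or source it and call `audit_sudoers /etc/sudoers.d/somefile`. The check is deliberately syntactic: it only answers "does any rule hand out every command without a password?", which is the question Rusty says should have been asked first. Before installing a narrowed rule, validate the file with `visudo -cf FILE` so a syntax error does not lock you out of sudo entirely.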