zlacker

8 comments
1. alksjd+(OP) 2022-01-27 21:33:08
Totally locking down a computer to just a pre-approved set of software is a huge step towards securing it from the kind of attackers most individuals, companies, and governments are concerned with. Sacrificing "software freedom" for that kind of security is a trade-off that the vast majority of users will be willing to make, and I think the free software community will need to come to terms with that fact at some point and figure out what they want to do about it.
replies(3): >>lupire+P7 >>pdonis+m8 >>0xedd+AA
2. lupire+P7 2022-01-27 22:07:41
>>alksjd+(OP)
Free software doesn't really work in a networked untrusted world.
replies(2): >>tomrod+Cv >>nijave+iT
3. pdonis+m8 2022-01-27 22:09:54
>>alksjd+(OP)
> Totally locking down a computer to just a pre-approved set of software is a huge step towards securing it from the kind of attackers most individuals, companies, and governments are concerned with.

No, it isn't. It's a way for corporations and governments to restrict what people can do with their devices. That makes sense if you're an employee of the corporation or the government, since organizations can reasonably expect to restrict what their employees can do with devices they use for work, and I would be fine with using a separate device for my work than for my personal computing (in fact that's what I do now). But many scenarios are not like that: for example, me connecting with my bank's website. It's not reasonable or realistic to expect that to be limited to a limited set of pre-approved software.

The correct way to deal with untrusted software on the client is to just...not trust the software on the client. Which means you need to verify the user by some means that does not require trusting the software on the client. That is perfectly in line with the "zero trust" model advocated by this memo.

4. tomrod+Cv 2022-01-28 00:17:33
>>lupire+P7
Why?
5. 0xedd+AA 2022-01-28 00:50:12
>>alksjd+(OP)
Wrong. 80% of attacks are social engineering ones, in which an employee is convinced to make a bank transfer, open some document, or install some program. From there, oftentimes it's exploiting widespread software commonly found in large organizations.

Everything you said cannot be further from the truth.

replies(1): >>themac+jC
6. themac+jC 2022-01-28 01:01:14
>>0xedd+AA
Hence the pre-approved software restrictions. In a locked down system, even the most gullible employee won't have the authorization to "install some program".

I'd also hope that businesses care about more than 80% of attacks; preferably they should care about 100% of attacks. Hence, pre-approved software restrictions.

replies(1): >>ensan+5P
7. ensan+5P 2022-01-28 02:56:11
>>themac+jC
Wrong again.

The computers in any sizable business already have the pre-approved restrictions set on the OS level. Employers can’t just install any software.

replies(1): >>xxpor+dZ
8. nijave+iT 2022-01-28 03:40:16
>>lupire+P7
Linux and BSD beg to differ
9. xxpor+dZ 2022-01-28 04:58:07
>>ensan+5P
That's not true at any big dev shop