Anyone who is in charge of security on systems for an organization of
any size should do all those things anyhow. Vendor support may not be
focused on the requirements of a specific organization. Most security
is driven by configuration and organizational policy. The vast majority
of hacks are social. I used to go through all the attack vectors, but
nothing ever applied to me. I got tired of reading about how Firefox
had a vulnerability because a page running on a tab other than the
current one could open a window.
My system, which is reasonably secure, has just been running for 15
years or so. I've been doing a lot of rebooting and I notice the BIOS
boot screen says something about indestructible and lists a bunch of
hazards like humidity that I am protected from. Maybe it will last
another 15 years :).
I could probably just ignore the hack and be fine. What do I have to
steal? Some tax returns and meatloaf recipes. All the things I wanted
to keep private 15 years ago are now routinely stolen. My contacts,
where I've been, who I saw, and my correspondence. As a public servant,
my salary is public. If tax returns are made public, and there is
occasional talk about that, it will only leave the meatloaf recipes.
So, no, for this system, I don't spend time doing all the security
activities that I would if I had an organization with data that needed
to be protected. Getting bricked is no fun, I'll admit, but it isn't
the end of the world either.
I enjoy learning and using the technology. I'll beef some things up and give it a
whirl. Review what I back up. I missed my RAID scripts. Basically, I want security and
privacy just because I should be able to have these things. I'd like to get back some
of the privacy I've lost, but I seem to be alone in that.
-Gary
On Thu, Aug 11, 2022 at 03:08:55PM -0700, Rick Moen wrote:
Quoting Brian E. Lavender (brian(a)brie.com):
There are probably a boat load of known
vulnerabilities in F13.
The only way to run Internet-exposed Fedora 13, even for a minimal host
that's just barely enough of an OS build to support a hypervisor, in
2022 would involve the local sysadmin _completely_ having assumed and
diligently carried out, without fail, all security maintenance
_manually_ for all eleven years, since 2011-06-24, when Security Team
coverage of F13 ceased permanently.
That would mean diligently reading all CVEs for all local components
exposed to public traffic -- including the Linux kernel (especially its
network stack), all public-facing services, and all of their libs and
support utilities -- doing, as appropriate, paring of
code/functionality, upgrading, mitigating, applying needed source
patches, etc.
That could be done, by a sufficiently determined and well-prepared
sysadmin who wishes to hand-maintain a very minimal system for
locally-compelling reasons. Gary, _did_ you do all that?
If you didn't, Gary, that's likely a key part of your problem. And
dismissing the problem of the need to plug proven security holes with "the
upgrade treadmill is that it is a waste of time" is a reminder that
denial isn't a river in Egypt.
_______________________________________________
Lug-nuts mailing list -- lug-nuts(a)bigbrie.com
To unsubscribe send an email to lug-nuts-leave(a)bigbrie.com