Fred Stluka via plug on 9 Apr 2021 11:09:48 -0700



Re: [PLUG] that's nice


On 4/8/21 9:44 PM, Rich Freeman via plug wrote:
> I think most competent companies are using TPM-backed encryption for
> this reason.
"Competent companies"!  I love it!  Seems like a rare critter
to me.  We should do a survey to see how many PLUG folks
work at companies where all file-systems on all computers
are encrypted.  Even with the highly competent technical
folks who are the typical PLUG user, I'm guessing that's a
pretty low percentage.

Anyone want to tell us what they see at work?

BTW, you and I had this same discussion on this same PLUG
mailing list on 5/19/2020.  Remember this excerpt, where
you conceded that TPM has some big flaws?

X X You seem to put a lot of faith in TPM (hardware support for
X X encrypted disks).  Does it worry you that I can so easily Google
X X things like:
X X - https://www.nextofwindows.com/how-to-clear-and-manage-tpm-on-windows-10
X X
X X It talks about how to clear the TPM.  And says you should always
X X do so before disposing of a computer because people can steal
X X your keys out of the TPM itself!  Even if you follow that advice,
X X what about stolen laptops?  No one warned you it was about to
X X be stolen, so you didn't get a chance to clear the keys from the
X X TPM.  Doh!
X
X Obviously TPMs, like everything else, are physical implementations and
X they can have flaws.  Unfortunately there have been some big ones
X lately.

To see it in context:
- http://lists.netisland.net/archives/plug/plug-2020-05/msg00068.html#:~:text=You%20seem%20to%20put%20a%20lot%20of%20faith,Doh%21

- http://lists.netisland.net/archives/plug/plug-2020-05/msg00073.html#:~:text=It%20talks%20about,some%20big%20ones%0alately.

(If you're using Chrome, the relevant text will be highlighted in
yellow.)

> You can take advantage of OS exploits, but you can't
> just bypass the OS security entirely.  Their main concern is laptop
> theft, but user tampering is also something that it prevents.
Yeah, sort of.  Would have absolutely zero effect on any
exploit I've ever used.  I'm almost always already logged in
to a valid account, and just finding ways to bypass "security"
that lets some users do things, but not others.  I don't have
to crack the encryption.  I just do normal file access using
normal techniques that conveniently encrypt and decrypt
on the fly, all built into the encrypted filesystem.


> Chromeboxes use TPM-backed encryption for user data only, but they use
> boot verification for the OS, which also prevents tampering.  Those
> have a slightly different security model than typical Windows
> desktops.
Yeah, that's nothing to do with Windows.  Chromebooks run
Chrome OS, which is based on Linux.  Do you know anyone
running Windows on a Chromebook?


> To be fair, most Linux distros do not support TPM-backed full disk
> encryption.  They might let you set a disk encryption password, but in
> this case the user typically knows the password, and thus the user can
> bypass the encryption when booting from a rescue disk.  This probably
> reflects that most big companies don't care about Linux on the
> desktop.

Exactly!  Except in the case of a stolen laptop, or a person
wandering around your office trying to break into desktops
via live CDs, full disk encryption is useless.  If you have a
valid account on the computer, you can login and have the
filesystem encrypt and decrypt on the fly.



> Maybe if you're talking about small companies.  I can't imagine most
> Fortune 500 companies are deploying desktops without file permissions.

I can imagine it easily.  Let's take a survey.  Anyone?

And as I said, even if they do, permissions get gradually
stripped off silently as people move files across the network
or via USB to computers and devices that aren't using
permissions.

It's kind of an all or nothing thing.  Any 90% solution fails
quickly.  It doesn't take many iterations of 90% x 90% x 90%
x 90% ... to get to "mostly unprotected".

> Granted, some of them just worry about security on fileservers and
> don't worry about client PCs so much.

True.


> Companies have been moving away
> from this in recent years for a couple of reasons:
>
> 1.  They want to prevent users from storing data on local PCs where it
> is more vulnerable.
Not going to happen.  As long as there's local storage, people
will find reasons to use it.  Valid reasons, or just for convenience.

As a similar example, have you ever tried to tell a guy on the
business side of a company that he's not allowed to suck data
into a local spreadsheet to analyze it?  That instead he has to
wait for the DB or Reporting group to create a new report for
him?  That NEVER works.  They either do it without telling you,
or escalate the issue to their boss.

In the same way, people will insist on doing their own backups
of data that's critical to them.  And on taking data home, if
possible, to work with it there.

People will ALWAYS do whatever's convenient to try to get
their work done faster and better.  Unless it's explicitly
prevented by file permissions or something.  But Windows
has no real file permissions.  Doh!


> 2.  Ransomware/phishing/etc attacks are getting more common, and
> securing the local PC helps keep this stuff out.

Not at all.  Phishing and other forms of social engineering
are the biggest attack vector for ransomware.  If someone
needs and has access to the data, and can be tricked into
doing something foolish and insecure, no amount of disk
encryption or even file permissions will help.  For that, you
need active security measures like monitoring outgoing
connections (including email), and logwatch, fail2ban,
tripwire, etc.  See:
- http://bristle.com/Tip/Linux.htm#unix_security


> A lot of what you say might have been true 20 years ago, but I think
> it is less true today.
OK.  Windows now is better than Windows then?  Maybe so.
But has it reached an acceptable level yet?  Has it even reached
table stakes to be justified in calling itself an "operating system"?
Or is it just a better toy than it used to be?


> Also, we're talking about antivirus software in this thread.  Almost
> all corporate antivirus software phones home.  If you go fiddling with
> it, and it doesn't phone home with the expected status, you're
> probably going to get a visit.  I imagine that this sort of thing is
> not going to be tolerated for just about anybody.  Maybe a star
> performer gets a very stern talking to and a chance to never do it
> again.  Really though it isn't a situation you want to be in.

True.  But the original poster said that the AV software was
consuming his entire CPU.  If so, and he can't get his work done,
perhaps turn it off now and then, and let it run flat out when he
goes home?  It's hard to see getting fired for that.  Much more
likely to get fired for not making any progress on his assigned
task, week after week after week.  True?


> My advice is to just let the company IT manage THEIR computer the way
> THEY want to, and just stick to the SOP.  If you can't get your work
> done as a result, talk to your boss about it, and make it IT's
> problem.  There are almost always ways to escalate such things.

Good idea!  Exactly what I recommend (when feasible).


> I stopped caring about how the company manages their hardware a long
> time ago - if I want to do something not company related I use my own
> PC for this.  If I'm traveling or whatever I bring my own PC with me
> alongside the company one.  I tend to pick ultralight laptops/etc as a
> result since they're mainly for travel.  If I ever had to carry a
> company phone I'd just carry my own phone alongside it for the same
> reason - don't mix personal and employer stuff.

Good idea!  And do you ALWAYS respect their likely wishes
that you NEVER move data between the two, via WiFi, USB,
Dropbox, or even email?  No, neither do I, but I try to act
responsibly and in their best interest.

--Fred
------------------------------------------------------------------------
Fred Stluka -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
------------------------------------------------------------------------

On 4/8/21 9:44 PM, Rich Freeman via plug wrote:
> On Thu, Apr 8, 2021 at 9:27 PM Fred Stluka via plug
> <plug@lists.phillylinux.org> wrote:
> > Yes, physical access does open up a lot of possibilities.
> > But Microsoft keeps claiming that it doesn't.
> I think most competent companies are using TPM-backed encryption for
> this reason.  You can take advantage of OS exploits, but you can't
> just bypass the OS security entirely.  Their main concern is laptop
> theft, but user tampering is also something that it prevents.
>
> Chromeboxes use TPM-backed encryption for user data only, but they use
> boot verification for the OS, which also prevents tampering.  Those
> have a slightly different security model than typical Windows
> desktops.
>
> To be fair, most Linux distros do not support TPM-backed full disk
> encryption.  They might let you set a disk encryption password, but in
> this case the user typically knows the password, and thus the user can
> bypass the encryption when booting from a rescue disk.  This probably
> reflects that most big companies don't care about Linux on the
> desktop.
>
> > Windows doesn't really have file permissions at all, or at least
> > they're pretty much always not being used, or are being deleted
> > from files all the time.
> Maybe if you're talking about small companies.  I can't imagine most
> Fortune 500 companies are deploying desktops without file permissions.
>
> Granted, some of them just worry about security on fileservers and
> don't worry about client PCs so much.  Companies have been moving away
> from this in recent years for a couple of reasons:
>
> 1.  They want to prevent users from storing data on local PCs where it
> is more vulnerable.
> 2.  Ransomware/phishing/etc attacks are getting more common, and
> securing the local PC helps keep this stuff out.
> 3.  Targeted laptop theft for espionage/etc instead of just petty
> theft is becoming more common, so they want to make sure the OS
> security settings aren't disabled if this happens.
>
> A lot of what you say might have been true 20 years ago, but I think
> it is less true today.
>
> Also, we're talking about antivirus software in this thread.  Almost
> all corporate antivirus software phones home.  If you go fiddling with
> it, and it doesn't phone home with the expected status, you're
> probably going to get a visit.  I imagine that this sort of thing is
> not going to be tolerated for just about anybody.  Maybe a star
> performer gets a very stern talking to and a chance to never do it
> again.  Really though it isn't a situation you want to be in.
>
> My advice is to just let the company IT manage THEIR computer the way
> THEY want to, and just stick to the SOP.  If you can't get your work
> done as a result, talk to your boss about it, and make it IT's
> problem.  There are almost always ways to escalate such things.  I
> stopped caring about how the company manages their hardware a long
> time ago - if I want to do something not company related I use my own
> PC for this.  If I'm traveling or whatever I bring my own PC with me
> alongside the company one.  I tend to pick ultralight laptops/etc as a
> result since they're mainly for travel.  If I ever had to carry a
> company phone I'd just carry my own phone alongside it for the same
> reason - don't mix personal and employer stuff.


___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug