Fred Stluka via plug on 9 Apr 2021 11:09:48 -0700
Re: [PLUG] that's nice
On 4/8/21 9:44 PM, Rich Freeman via plug wrote:
> I think most competent companies are using TPM-backed encryption for this reason.
"Competent companies"! I love it! Seems like a rare critter to me. We should do a survey to see how many PLUG folks work at companies where all file-systems on all computers are encrypted. Even with the highly competent technical folks who are the typical PLUG user, I'm guessing that's a pretty low percentage. Anyone want to tell us what they see at work?

BTW, you and I had this same discussion on this same PLUG mailing list on 5/19/2020. Remember this excerpt, where you conceded that TPM has some big flaws?

> > You seem to put a lot of faith in TPM (hardware support for
> > encrypted disks). Does it worry you that I can so easily Google
> > things like:
> > - https://www.nextofwindows.com/how-to-clear-and-manage-tpm-on-windows-10
> >
> > It talks about how to clear the TPM. And says you should always
> > do so before disposing of a computer because people can steal
> > your keys out of the TPM itself! Even if you follow that advice,
> > what about stolen laptops? No one warned you it was about to
> > be stolen, so you didn't get a chance to clear the keys from the
> > TPM. Doh!
>
> Obviously TPMs, like everything else, are physical implementations and
> they can have flaws. Unfortunately there have been some big ones
> lately.

To see it in context:
- http://lists.netisland.net/archives/plug/plug-2020-05/msg00068.html#:~:text=You%20seem%20to%20put%20a%20lot%20of%20faith,Doh%21
- http://lists.netisland.net/archives/plug/plug-2020-05/msg00073.html#:~:text=It%20talks%20about,some%20big%20ones%0alately.

(If you're using Chrome, the relevant text will be highlighted in yellow.)
> You can take advantage of OS exploits, but you can't just bypass the OS security entirely. Their main concern is laptop theft, but user tampering is also something that it prevents.
Yeah, sort of. Would have absolutely zero effect on any exploit I've ever used. I'm almost always already logged in to a valid account, and just finding ways to bypass "security" that lets some users do things, but not others. I don't have to crack the encryption. I just do normal file access using normal techniques that conveniently encrypt and decrypt on the fly, all built into the encrypted filesystem.
> Chromeboxes use TPM-backed encryption for user data only, but they use boot verification for the OS, which also prevents tampering. Those have a slightly different security model than typical Windows desktops.
Yeah, that's nothing to do with Windows. Chromebooks run Chrome OS, which is based on Linux. Do you know anyone running Windows on a Chromebook?
> To be fair, most Linux distros do not support TPM-backed full disk encryption. They might let you set a disk encryption password, but in this case the user typically knows the password, and thus the user can bypass the encryption when booting from a rescue disk. This probably reflects that most big companies don't care about Linux on the desktop.
Exactly! Except in the case of a stolen laptop, or a person wandering around your office trying to break into desktops via live CDs, full disk encryption is useless. If you have a valid account on the computer, you can login and have the filesystem encrypt and decrypt on the fly.
> Maybe if you're talking about small companies. I can't imagine most Fortune 500 companies are deploying desktops without file permissions.
I can imagine it easily. Let's take a survey. Anyone? And as I said, even if they do, permissions get gradually stripped off silently as people move files across the network or via USB to computers and devices that aren't using permissions. It's kind of an all or nothing thing. Any 90% solution fails quickly. It doesn't take many iterations of 90% x 90% x 90% x 90% ... to get to "mostly unprotected".
> Granted, some of them just worry about security on fileservers and don't worry about client PCs so much.
True.
> Companies have been moving away from this in recent years for a couple of reasons:
> 1. They want to prevent users from storing data on local PCs where it is more vulnerable.
Not going to happen. As long as there's local storage, people will find reasons to use it. Valid reasons, or just for convenience. As a similar example, have you ever tried to tell a guy on the business side of a company that he's not allowed to suck data into a local spreadsheet to analyze it? That instead he has to wait for the DB or Reporting group to create a new report for him? That NEVER works. They either do it without telling you, or escalate the issue to their boss. In the same way, people will insist on doing their own backups of data that's critical to them. And on taking data home, if possible, to work with it there. People will ALWAYS do whatever's convenient to try to get their work done faster and better. Unless it's explicitly prevented by file permissions or something. But Windows has no real file permissions. Doh!
> 2. Ransomware/phishing/etc attacks are getting more common, and securing the local PC helps keep this stuff out.
Not at all. Phishing and other forms of social engineering are the biggest attack vector for ransomware. If someone needs and has access to the data, and can be tricked into doing something foolish and insecure, no amount of disk encryption or even file permissions will help. For that, you need active security measures like monitoring outgoing connections (including email), and logwatch, fail2ban, tripwire, etc. See:
- http://bristle.com/Tip/Linux.htm#unix_security
> A lot of what you say might have been true 20 years ago, but I think it is less true today.
OK. Windows now is better than Windows then? Maybe so. But has it reached an acceptable level yet? Has it even reached table stakes to be justified in calling itself an "operating system"? Or is it just a better toy than it used to be?
> Also, we're talking about antivirus software in this thread. Almost all corporate antivirus software phones home. If you go fiddling with it, and it doesn't phone home with the expected status, you're probably going to get a visit. I imagine that this sort of thing is not going to be tolerated for just about anybody. Maybe a star performer gets a very stern talking to and a chance to never do it again. Really though it isn't a situation you want to be in.
True. But the original poster said that the AV software was consuming his entire CPU. If so, and he can't get his work done, perhaps turn it off now and then, and let it run flat out when he goes home? It's hard to see getting fired for that. Much more likely to get fired for not making any progress on his assigned task, week after week after week. True?
> My advice is to just let the company IT manage THEIR computer the way THEY want to, and just stick to the SOP. If you can't get your work done as a result, talk to your boss about it, and make it IT's problem. There are almost always ways to escalate such things.
Good idea! Exactly what I recommend (when feasible).
> I stopped caring about how the company manages their hardware a long time ago - if I want to do something not company related I use my own PC for this. If I'm traveling or whatever I bring my own PC with me alongside the company one. I tend to pick ultralight laptops/etc as a result since they're mainly for travel. If I ever had to carry a company phone I'd just carry my own phone alongside it for the same reason - don't mix personal and employer stuff.
Good idea! And do you ALWAYS respect their likely wishes that you NEVER move data between the two, via WiFi, USB, Dropbox, or even email? No, neither do I, but I try to act responsibly and in their best interest.

--Fred
------------------------------------------------------------------------
Fred Stluka -- http://bristle.com -- Glad to be of service!
Open Source: Without walls and fences, we need no Windows or Gates.
------------------------------------------------------------------------

On 4/8/21 9:44 PM, Rich Freeman via plug wrote:
> On Thu, Apr 8, 2021 at 9:27 PM Fred Stluka via plug <plug@lists.phillylinux.org> wrote:
> > Yes, physical access does open up a lot of possibilities. But Microsoft keeps claiming that it doesn't.
>
> I think most competent companies are using TPM-backed encryption for this reason. You can take advantage of OS exploits, but you can't just bypass the OS security entirely. Their main concern is laptop theft, but user tampering is also something that it prevents.
>
> Chromeboxes use TPM-backed encryption for user data only, but they use boot verification for the OS, which also prevents tampering. Those have a slightly different security model than typical Windows desktops.
>
> To be fair, most Linux distros do not support TPM-backed full disk encryption. They might let you set a disk encryption password, but in this case the user typically knows the password, and thus the user can bypass the encryption when booting from a rescue disk. This probably reflects that most big companies don't care about Linux on the desktop.
>
> > Windows doesn't really have file permissions at all, or at least they're pretty much always not being used, or are being deleted from files all the time.
>
> Maybe if you're talking about small companies. I can't imagine most Fortune 500 companies are deploying desktops without file permissions. Granted, some of them just worry about security on fileservers and don't worry about client PCs so much.
>
> Companies have been moving away from this in recent years for a couple of reasons:
> 1. They want to prevent users from storing data on local PCs where it is more vulnerable.
> 2. Ransomware/phishing/etc attacks are getting more common, and securing the local PC helps keep this stuff out.
> 3. Targeted laptop theft for espionage/etc instead of just petty theft is becoming more common, so they want to make sure the OS security settings aren't disabled if this happens.
>
> A lot of what you say might have been true 20 years ago, but I think it is less true today.
>
> Also, we're talking about antivirus software in this thread. Almost all corporate antivirus software phones home. If you go fiddling with it, and it doesn't phone home with the expected status, you're probably going to get a visit. I imagine that this sort of thing is not going to be tolerated for just about anybody. Maybe a star performer gets a very stern talking to and a chance to never do it again. Really though it isn't a situation you want to be in.
>
> My advice is to just let the company IT manage THEIR computer the way THEY want to, and just stick to the SOP. If you can't get your work done as a result, talk to your boss about it, and make it IT's problem. There are almost always ways to escalate such things.
>
> I stopped caring about how the company manages their hardware a long time ago - if I want to do something not company related I use my own PC for this. If I'm traveling or whatever I bring my own PC with me alongside the company one. I tend to pick ultralight laptops/etc as a result since they're mainly for travel. If I ever had to carry a company phone I'd just carry my own phone alongside it for the same reason - don't mix personal and employer stuff.
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug