Thomas Delrue via plug on 9 Apr 2021 18:13:04 -0700



Re: [PLUG] that's nice


On 4/9/21 14:09, Fred Stluka wrote:
> On 4/8/21 9:44 PM, Rich Freeman via plug wrote:
>> I think most competent companies are using TPM-backed encryption 
>> for this reason.
> "Competent companies"!  I love it!  Seems like a rare critter to me. 
> We should do a survey to see how many PLUG folks work at companies 
> where all file-systems on all computers are encrypted.  Even with
> the highly competent technical folks who are the typical PLUG user,
> I'm guessing that's a pretty low percentage.
> 
> Anyone want to tell us what they see at work?

Look, we're a Linux User Group and so we have our 'preferences', likes,
and dislikes; but I don't think your accusations and derision toward
other professionals who happen to work (majority) on/with/for Windows
are accurate, or even helpful for whatever interpretation you may have
thereof - regardless of them being on this list or not. I find your
summary and blanket dismissal of their qualifications and
professionalism very unpleasant (and do with that what you want).

And I'm saying that as someone who tries as hard as I can to not have to
touch Windows. I don't like that platform and I have fundamental
differences of opinions with it, but that's where it stops.
I don't feel the need to belittle other professionals purely because of
the majority platform they happen to work with, on, for, what have you.
That's like lambasting and ridiculing a car mechanic for only working on
Hondas when they /could/ be working on Maybachs(*) or whatever. It
makes no sense.

And for what it's worth: in my organization, every device in scope has
all their storage TPM-backed, full disk encrypted. Every, single, one!
(and we're a small shop)

(*) I'm not implying Windows is a Honda and Linux a Maybach. This is
purely for illustrative purposes. No explicit value judgement is
attached to operating systems in this particular instance.

> BTW, you and I had this same discussion on this same PLUG mailing 
> list on 5/19/2020.  Remember this excerpt, where you conceded that 
> TPM has some big flaws?
> 
>>> You seem to put a lot of faith in TPM (hardware support for
>>> encrypted disks).  Does it worry you that I can so easily Google
>>> things like:
>>> - https://www.nextofwindows.com/how-to-clear-and-manage-tpm-on-windows-10
>>>
>>> It talks about how to clear the TPM.  And says you should always
>>> do so before disposing of a computer because people can steal
>>> your keys out of the TPM itself!  Even if you follow that advice,
>>> what about stolen laptops?  No one warned you it was about to
>>> be stolen, so you didn't get a chance to clear the keys from the
>>> TPM.  Doh!
>> Obviously TPMs, like everything else, are physical implementations and
>> they can have flaws.  Unfortunately there have been some big ones
>> lately.

Conceding that something has flaws is not the same as dismissing it nor
is it equivalent to arguing for its dismissal. That would be like saying
"Some people still get killed in car crashes, so clearly whatever safety
mechanisms in cars that exist, don't work and should be eliminated
whole-sale".
Instead, it's recognizing that this piece is just one layer in your
Onion of Security and shouldn't be The One, Single Thing you rely on for
all your security needs. It is one of the pieces in the broader puzzle
that is security.

> [... snip ...]
> 
>> You can take advantage of OS exploits, but you can't just bypass 
>> the OS security entirely.  Their main concern is laptop theft, but 
>> user tampering is also something that it prevents.
> Yeah, sort of.  Would have absolutely zero effect on any exploit
> I've ever used.  I'm almost always already logged in to a valid
> account, and just finding ways to bypass "security" that lets some
> users do things, but not others.  I don't have to crack the
> encryption.  I just do normal file access using normal techniques
> that conveniently encrypt and decrypt on the fly, all built into the
> encrypted filesystem.

Do tell me more about which exploits you've used and where to gain
(potentially) unauthorized access to computer systems. Pray, continue...

>> Chromeboxes use TPM-backed encryption for user data only, but they 
>> use boot verification for the OS, which also prevents tampering. 
>> Those have a slightly different security model than typical Windows
>> desktops.
> Yeah, that's nothing to do with Windows.  Chromebooks run Chrome OS, 
> which is based on Linux.  Do you know anyone running Windows on a 
> Chromebook?

Let's also not kid ourselves in the opposite direction here: sure,
Windows has issues. It's not because it's Linux that it has no issues.
I think the comment here is about TPM and its specific usage, less so
about Windows vs Linux.
There are a wide variety of Windows devices that use TPM. I don't
understand what you're getting at here.

>> To be fair, most Linux distros do not support TPM-backed full disk
>> encryption.  They might let you set a disk encryption password,
>> but in this case the user typically knows the password, and thus
>> the user can bypass the encryption when booting from a rescue
>> disk. This probably reflects that most big companies don't care
>> about Linux on the desktop.
> 
> Exactly!  Except in the case of a stolen laptop, or a person 
> wandering around your office trying to break into desktops via live 
> CDs, full disk encryption is useless.  If you have a valid account
> on the computer, you can login and have the filesystem encrypt and 
> decrypt on the fly.

FDE is specifically trying to protect against the scenarios you
acknowledge and is not attempting to protect against the scenarios where
you say it is useless. It's not part of its coverage and it makes no
claims that it would protect you from anything in those scenarios.
You'll have to explain more what you mean here.

Since we're discussing encryption of disk data, have you looked at EFS?
User folders (the equivalent of ${HOME}), or really any file or folder,
can be encrypted using EFS, which would give you some protection for "I'm
logged onto a device with FDE so everything on disk is unlocked, right?"

>> Maybe if you're talking about small companies.  I can't imagine 
>> most Fortune 500 companies are deploying desktops without file 
>> permissions.
> 
> I can imagine it easily.  Let's take a survey.  Anyone?

You'll get back to us with the results compiled from the Fortune 500, yeah?

> And as I said, even if they do, permissions get gradually stripped 
> off silently as people move files across the network or via USB to 
> computers and devices that aren't using permissions.
> 
> It's kind of an all or nothing thing.  Any 90% solution fails 
> quickly.  It doesn't take many iterations of 90% x 90% x 90% x 90% 
> ... to get to "mostly unprotected".

You are describing a flaw rooted in human nature here that any IT system
will have to deal with. I am eager to hear your solution to this problem
so that I may implement it at my place of employ.

> [ ... snip... ]
>> 
>> Companies have been moving away from this in recent years for a 
>> couple of reasons:
>> 
>> 1.  They want to prevent users from storing data on local PCs
>> where it is more vulnerable.
> Not going to happen.  As long as there's local storage, people will 
> find reasons to use it.  Valid reasons, or just for convenience.

Prevention is not the same as Prohibition nor non-occurrence. They are
totally different things.

The systems that we do have at our disposal (of which FDE is but one
example) are some of the ways to mitigate some of the risk(s) and
problems associated with this behavior, specifically because we -as
professionals- recognize that we can't eliminate all risk. So we may as
well make it as secure as we can there where we can.

Nothing is 0% risk. Anyone who tells you otherwise is angling for your
money. Heck, you could be playing tic-tac-toe with a crayon and
accidentally stab yourself in the eye with the sharp end. It's a small
probability but it's not zero...

> As a similar example, have you ever tried to tell a guy on the 
> business side of a company that he's not allowed to suck data into a 
> local spreadsheet to analyze it?  That instead he has to wait for the
> DB or Reporting group to create a new report for him?  That NEVER 
> works.  They either do it without telling you, or escalate the issue 
> to their boss.

Not really, because I've worked with that type of person. Excel is their
world. That's their standard MO. Why would I tell someone who's paid to
use Excel to analyze data, to not use Excel to analyze data? That's one
of the main functions that Excel is for.
Besides, they've got that beefy laptop they wanted, they better use all
of that computing power to do that fancy slicing and dicing of their
data on their machine without eating up my server's cycles.
After all, once he has the data, provided it is properly secured on his
device, why not?

You can connect Excel up to a DB directly as well and use it as a
'window into your database', BTW. Maybe that would satisfy your use case?

> In the same way, people will insist on doing their own backups of 
> data that's critical to them.  And on taking data home, if possible, 
> to work with it there.

Like... on company-provided laptops with FDE configured so that only
authorized users can boot up the device and gain access to the data?
That way?

Seriously though, there is truth in this: if they can't make sure that
the data they care about is backed up, then they must have a mechanism
that is easy for them to include it in backups. This seems like a different
kind of problem to me.

> People will ALWAYS do whatever's convenient to try to get their work 
> done faster and better.  Unless it's explicitly prevented by file 
> permissions or something.  But Windows has no real file permissions. 
> Doh!

This is something I've learned from Rich while on this list: security is
never 100%, it's a trade-off between security and convenience (and some
other factors) and every individual falls elsewhere on the spectrum in
between. Only a few people are on either hard-extreme of that spectrum
and that's fine, we need those people too (in fact, I'm typically one of
those or used to be one of those).

I used to be of the opinion that it was /totally/ fine to require users
to enter their username, super-complex password, 2FA code, retina-scan,
saliva sample, fingerprint, blood type, and finally also the last three
dates on which they had intercourse together with the names of their
partners and positions they used, just to be able to log into a machine.
But that was then and now I'm older and wiser. (the above is a joke,
except for me being older - that, sadly, is true)

Over time, I recognized that my tolerance for these types of things is
significantly higher than it is for other people. So cool, I'll enforce
that on myself and subject myself to it, but I gain nothing from
enforcing that level of security on others. In fact, chances are they'll
struggle even harder to get out of my fancy little 'security harness'
that I've put them in, which will put me in an even worse situation;
because now I gotta keep an eye on whether they try to escape as well.
Either that or I lose them as users, they have jobs to complete as well,
you know.

There's some basics that I'm not going to compromise on, but lack of
convenience bears a very significant opportunity cost as well. Measured
moderation combined with situational awareness to guide applicability in
everything is advised!

Launching nukes, yeah I want a lot of security measures. Same for if you
want to talk to any one of the servers on my home network... but other
things, maybe I don't need you to double-validate the codes on the
Biscuit for me... ya know?

>> 2.  Ransomware/phishing/etc attacks are getting more common, and 
>> securing the local PC helps keep this stuff out.
> 
> Not at all.  Phishing and other forms of social engineering are the 
> biggest attack vector for ransomware.  If someone needs and has 
> access to the data, and can be tricked into doing something foolish 
> and insecure, no amount of disk encryption or even file permissions 
> will help.  For that, you need active security measures like 
> monitoring outgoing connections (including email), and logwatch, 
> fail2ban, tripwire, etc.  See:
> - http://bristle.com/Tip/Linux.htm#unix_security

You should have stopped at "no amount of disk encryption or even file
permissions will help" because your statement would have been correct then.

None of the things you mention will prevent this problem from happening
either. Most of the items you list are passive security measures as well
and none of them prevent against phishing and its variants.
They /may/ tell you post-factum, but there's nothing that's going to
prevent it from happening ante-factum. And then the badness is done already.

Phishing and social engineering do not exploit technology, they exploit
humans. If you have a system that prevents someone from sending e-mail
yet still lets them get work done, I'm all ears to hear about it!

I deal with real humans with real jobs who - when they need to send an
e-mail - need to be able to count on the fact that that e-mail they send
will arrive, as opposed to having to fill out 5 forms to include the
destination's address in some allow-list... maybe... somewhere in the
future... after review, rejection, re-review and subsequent successful
appeal by the "e-mail security board", that meets once per quarter,
except on months with an 'R', 'A', or 'N' in their name.

>> A lot of what you say might have been true 20 years ago, but I 
>> think it is less true today.
> OK.  Windows now is better than Windows then?  Maybe so. But has it 
> reached an acceptable level yet?  Has it even reached table stakes
> to be justified in calling itself an "operating system"? Or is it
> just a better toy than it used to be?

Yes to all your questions, no to your last.
Although I have to admit, I don't like your phrasing as it sounds a bit
too much like "Have you stopped beating your wife yet?" (a form of
"begging the question").

>> [... snip ...]
>> I stopped caring about how the company manages their hardware a 
>> long time ago - if I want to do something not company related I
>> use my own PC for this.  If I'm traveling or whatever I bring my
>> own PC with me alongside the company one.  I tend to pick
>> ultralight laptops/etc as a result since they're mainly for travel.
>> If I ever had to carry a company phone I'd just carry my own phone
>> alongside it for the same reason - don't mix personal and employer
>> stuff.
> 
> Good idea!  And do you ALWAYS respect their likely wishes that you 
> NEVER move data between the two, via WiFi, USB, Dropbox, or even 
> email?  No, neither do I, but I try to act responsibly and in their 
> best interest.

Another important, and frequently overlooked, aspect of security
(another layer in your Onion of Security) is compartmentalization.
I am *incredibly* strict when it comes to that and I don't joke around
in that realm! Letting things bleed across is a stop on the road to badness.

So yes, I do always, ALWAYS, respect that! Not respecting that would
open me up to a whole host of liabilities that I don't _ever_ want to be
involved in. That's just me making sure I'm covering _my_ ass, and by
extension, my company, client, their customers, or whoever it may be.
Their data, their rules, their devices. Not mine!
For other things, I'll use my device. And this cuts both ways: by me not
claiming unwarranted jurisdiction over their devices, plus maintaining
that strict compartmentalization, I can avoid external parties making
any claims of jurisdiction over my devices.
I don't just compartmentalize for /them/, I do it for /me/ too...

Compartmentalization is super important, and those who break it are a
serious matter of concern to me. Experience has taught me that there is
a higher probability of, and severity in breaches & other badness when
actors who do not adhere to the requested compartmentalization are
involved. That badness tends to spread faster, and easier too in those
cases. But that's just anecdotal.

But again, pray, do tell me more about the times and places where, and
the methods of how you performed and enabled, or committed unauthorized
data access, or when, where, and how you duplicated information onto
unauthorized systems.
Please, take as much time as you need and be as open as you want to be!

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug