On Mon, 24 Apr 2017, Arnt Karlsen wrote:

> On Mon, 24 Apr 2017 13:25:09 +0100, KatolaZ wrote in message
> <20170424122509.GT14814@???>:
>
> > On Mon, Apr 24, 2017 at 03:05:42AM +0200, Arnt Karlsen wrote:
> > > On Wed, 19 Apr 2017 22:47:59 +0100, KatolaZ wrote in message
> > > <20170419214759.GC14814@???>:
> > >
> > > > On Wed, Apr 19, 2017 at 11:37:32PM +0200, Arnt Karlsen wrote:
> > > >
> > > > [cut]
> > > >
> > > > >
> > > > > ..what nasty command line tricks do I use to get online with
> > > > > devuan_jessie_RC_amd64_minimal_live_vdev.iso?
> > > > > (Ideally wifi, but eth0 will work.)
> > > > >
> > > >
> > > >
> > > > Hi Arnt,
> > > >
> > > > if it comes from a minimal-live RC, you have setnet in there. Just
> > > > run:
> > > >
> > > > # setnet.sh
> > > >
> > > > It also has a manpage, but simple comfiguration should be pretty
> > > > straightforward. Any feedback is welcome.
> > >
> > > ..setnet.sh works nicely, but it and wicd should check for unchanged
> > > default passwords and _refuse_ to go online until you do the "passwd
> > > passwd devuan ||passwd heads " dance, espescially since we're here
> > > because we don't trust systemd endpoint security in e.g. Tails-2.12.
> > >
> >
> > uh? setnet and wicd are just *tools*, which allow to facilitate the
> > interaction with *mechanisms* related to network configuration.
> >
> > What you are asking for (refuse to put a machine online if the
> > password of a given user is such and such) is a *policy*, which has
> > nothing to do with tools, since it ultimately (and rightfully) stays
> > in the hands of the system administrator.
>
> ...who in the case of Tails and heads admins, might be the clueless
> Ed Snowden types we wanna keep alive.

Snowden is far from clueless. He might be a shill, but he's far from
clueless.

> ..we don't warn them before we drop them online on wired networks with
> heads-0.2.
> The vdev iso does this right though, it stays offline until you e.g.
> run setnet.sh.
>
> ..I agree this is a policy issue, and we should set it so at least
> clueless heads-0.2 etc people stay offline until they change their
> passwords away from the default ones.

heads only connects to the Internet if there is a way for it to connect.
If your ethernet cable is out, you won't be online. And if you have your
ethernet cable plugged in, the expected behaviour is to connect to the
Internet.

> > Most of the problems we are facing nowadays with bloated software and
> > ill-defined hypercomplicated solutions to non-existing problems is the
> > lack of recognition that mechanisms and policy *must* remain separate.
> >
> > If a user does not understand that putting their machine online with a
> > devuan/devuan user might be a security risk, there is no automagic
> > tool that case save their ass.
> >
> > Knowledge is the cure. Automagic is just dust in your eyes, and
> > enormous PITAs when somethings goes wrong.
>
> ..I have the Knowledge, but still found myself Automagically Online
> with heads-0.2's Default Passwords, Because I Forgot I still had the
> network wire plugged in on boot-up. I'm just a human who err. ;o)
> In my case, this endpoint security breach was no problem.
> But that same blunder could kill any needy heads user.
>

Which is why heads offers no way of remote login by default. We also
have grsec doing its job for us.

--
~ parazyd
GPG: 0333 7671 FDE7 5BB6 A85E C91F B876 CB44 FA1B 0274