On Mon, 24 Apr 2017 13:25:09 +0100, KatolaZ wrote in message
<20170424122509.GT14814@???>:

> On Mon, Apr 24, 2017 at 03:05:42AM +0200, Arnt Karlsen wrote:
> > On Wed, 19 Apr 2017 22:47:59 +0100, KatolaZ wrote in message
> > <20170419214759.GC14814@???>:
> >
> > > On Wed, Apr 19, 2017 at 11:37:32PM +0200, Arnt Karlsen wrote:
> > >
> > > [cut]
> > >
> > > >
> > > > ..what nasty command line tricks do I use to get online with
> > > > devuan_jessie_RC_amd64_minimal_live_vdev.iso?
> > > > (Ideally wifi, but eth0 will work.)
> > > >
> > >
> > >
> > > Hi Arnt,
> > >
> > > if it comes from a minimal-live RC, you have setnet in there. Just
> > > run:
> > >
> > > # setnet.sh
> > >
> > > It also has a manpage, but simple comfiguration should be pretty
> > > straightforward. Any feedback is welcome.
> >
> > ..setnet.sh works nicely, but it and wicd should check for unchanged
> > default passwords and _refuse_ to go online until you do the "passwd
> > passwd devuan ||passwd heads " dance, espescially since we're here
> > because we don't trust systemd endpoint security in e.g. Tails-2.12.
> >
>
> uh? setnet and wicd are just *tools*, which allow to facilitate the
> interaction with *mechanisms* related to network configuration.
>
> What you are asking for (refuse to put a machine online if the
> password of a given user is such and such) is a *policy*, which has
> nothing to do with tools, since it ultimately (and rightfully) stays
> in the hands of the system administrator.

...who in the case of Tails and heads admins, might be the clueless
Ed Snowden types we wanna keep alive.

..we don't warn them before we drop them online on wired networks with
heads-0.2.
The vdev iso does this right though, it stays offline until you e.g.
run setnet.sh.

..I agree this is a policy issue, and we should set it so at least
clueless heads-0.2 etc people stay offline until they change their
passwords away from the default ones.

> Most of the problems we are facing nowadays with bloated software and
> ill-defined hypercomplicated solutions to non-existing problems is the
> lack of recognition that mechanisms and policy *must* remain separate.
>
> If a user does not understand that putting their machine online with a
> devuan/devuan user might be a security risk, there is no automagic
> tool that case save their ass.
>
> Knowledge is the cure. Automagic is just dust in your eyes, and
> enormous PITAs when somethings goes wrong.

..I have the Knowledge, but still found myself Automagically Online
with heads-0.2's Default Passwords, Because I Forgot I still had the
network wire plugged in on boot-up. I'm just a human who err. ;o)
In my case, this endpoint security breach was no problem.
But that same blunder could kill any needy heads user.


--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.