Author: Arnt Karlsen
Date:
To: parazyd
CC: dng
Subject: Re: [DNG] ..setnet.sh, wicd and heads-0.2 scorn, was:..vdev box recovery ideas?
On Mon, 24 Apr 2017 17:21:53 +0200, parazyd wrote in message
<20170424152153.GA12944@fq>:
> On Mon, 24 Apr 2017, Arnt Karlsen wrote:
>
> > On Mon, 24 Apr 2017 13:25:09 +0100, KatolaZ wrote in message
> > <20170424122509.GT14814@???>:
> >
> > > On Mon, Apr 24, 2017 at 03:05:42AM +0200, Arnt Karlsen wrote:
> > > > On Wed, 19 Apr 2017 22:47:59 +0100, KatolaZ wrote in message
> > > > <20170419214759.GC14814@???>:
> > > >
> > > > > On Wed, Apr 19, 2017 at 11:37:32PM +0200, Arnt Karlsen wrote:
> > > > >
> > > > > [cut]
> > > > >
> > > > > >
> > > > > > ..what nasty command line tricks do I use to get online with
> > > > > > devuan_jessie_RC_amd64_minimal_live_vdev.iso?
> > > > > > (Ideally wifi, but eth0 will work.)
> > > > > >
> > > > >
> > > > >
> > > > > Hi Arnt,
> > > > >
> > > > > if it comes from a minimal-live RC, you have setnet in there.
> > > > > Just run:
> > > > >
> > > > > # setnet.sh
> > > > >
> > > > > It also has a manpage, but simple configuration should be
> > > > > pretty straightforward. Any feedback is welcome.
> > > >
> > > > ..setnet.sh works nicely, but it and wicd should check for
> > > > unchanged default passwords and _refuse_ to go online until you
> > > > do the "passwd passwd devuan ||passwd heads " dance,
> > > > especially since we're here because we don't trust systemd
> > > > endpoint security in e.g. Tails-2.12.
> > > >
> > >
> > > uh? setnet and wicd are just *tools*, which facilitate
> > > the interaction with *mechanisms* related to network
> > > configuration.
> > >
> > > What you are asking for (refuse to put a machine online if the
> > > password of a given user is such and such) is a *policy*, which
> > > has nothing to do with tools, since it ultimately (and
> > > rightfully) stays in the hands of the system administrator.
> >
> > ...who in the case of Tails and heads admins, might be the clueless
> > Ed Snowden types we wanna keep alive.
>
> Snowden is far from clueless. He might be a shill, but he's far from
> clueless.
...and he promotes Tails and Qubes OS, both running systemd.
Ed came forward with the ugly truth on NSA etc espionage
on their own people, not on his own IT expertise.
..the next guys having such ugly truths to tell us humans,
will probably have less IT expertise than Ed, and will be up
against regimes that have learned from the Snowden case, so
they will need better tools to survive their attempt to tell
us the truth.
> > ..we don't warn them before we drop them online on wired networks
> > with heads-0.2.
> > The vdev iso does this right though, it stays offline until you
> > e.g. run setnet.sh.
> >
> > ..I agree this is a policy issue, and we should set it so at least
> > clueless heads-0.2 etc people stay offline until they change their
> > passwords away from the default ones.
>
> heads only connects to the Internet if there is a way for it to
> connect. If your ethernet cable is out, you won't be online. And if
> you have your ethernet cable plugged in, the expected behaviour is to
> connect to the Internet.
..for you and me, that's ok, because we know we must change the
defaults.
A whistleblower on the run from a bad regime might not know this,
and he needs to know this and much more, or he's going to breach
his own endpoint security.
> > > Most of the problems we are facing nowadays with bloated software
> > > and ill-defined hypercomplicated solutions to non-existing
> > > problems is the lack of recognition that mechanisms and policy
> > > *must* remain separate.
> > >
> > > If a user does not understand that putting their machine online
> > > with a devuan/devuan user might be a security risk, there is no
> > > automagic tool that can save their ass.
> > >
> > > Knowledge is the cure. Automagic is just dust in your eyes, and
> > > enormous PITAs when something goes wrong.
> >
> > ..I have the Knowledge, but still found myself Automagically Online
> > with heads-0.2's Default Passwords, Because I Forgot I still had the
> > network wire plugged in on boot-up. I'm just a human who errs. ;o)
> > In my case, this endpoint security breach was no problem.
> > But that same blunder could kill any needy heads user.
> >
>
> Which is why heads offers no way of remote login by default. We also
> have grsec doing its job for us.
..excellent. Now, if I find awesome and zsh awesomely clunky,
how will our next whistleblower hero find these?
He is going to try to install something he's familiar with,
that he probably doesn't know "phones home", above all because
we don't know what he's familiar with before he tells us.
..if he has what tools he needs in heads, and the guides to learn
to use them, offline, he will be able to make it safely out of
harm's way.
..the number one mission for heads is endpoint security.
Zsh may well be an awesome development tool, but it does
not work the way our next hero expects it to, if he comes
from the mainstream OS or distro worlds.
..that means we help "his" bad regime trap him, rather than help him
escape traps like Ecuadorian embassies or 35 years in jail for
e.g. reporting on W's war crimes in Iraq.
..we have work to do on heads. One way could be to mimic Tails or
QubesOS so heads becomes a viable backup OS with familiar tools
once systemd becomes known as the spying backdoor I suspect it is.
--
..med vennlig hilsen = with Kind Regards from Arnt Karlsen
...with a number of polar bear hunters in his ancestry...
Scenarios always come in sets of three:
best case, worst case, and just in case.
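The check Arnt asks setnet.sh and wicd to perform, written as an ifupdown pre-up hook. This is an added example for this thread, not code from setnet.sh, wicd, heads or the Devuan live images. It assumes a hypothetical baseline file listing the password hashes the image shipped in /etc/shadow (recorded at build time), so the test is an exact string compare against the shipped hash rather than a crypt(3) of the plaintext default; the shadow and baseline contents in the demo are constructed. ifupdown runs the scripts in /etc/network/if-pre-up.d/ and aborts bringing an interface up when one of them exits non-zero, which is how the policy KatolaZ says belongs to the administrator gets enforced without changing the tools themselves.

```shell
#!/bin/sh
# Added example for this thread (not code from setnet.sh, wicd, heads or
# the Devuan live images): an ifupdown pre-up hook that refuses to bring a
# network interface up while any account still has the password the live
# image shipped with, or no password at all.
#
# Assumed (hypothetical) inputs:
#   BASELINE - "user:hash" lines recorded at image build time, i.e. the
#              hashes the image ships in /etc/shadow
#   SHADOW   - the shadow file to audit (/etc/shadow on a real system)
# Because the shipped hashes are known, an exact string comparison is
# enough; no crypt(3) call and no plaintext default password is needed.

# stale_accounts SHADOW BASELINE
# Prints "user reason" for every account that must be fixed before going
# online.  Returns 0 if at least one such account exists, 1 if none does.
stale_accounts() {
    shadow=$1
    baseline=$2
    rc=1
    while IFS=: read -r user shipped; do
        [ -n "$user" ] || continue
        # "present:" marks that the user exists even when its hash is empty
        entry=$(awk -F: -v u="$user" '$1 == u { print "present:" $2; exit }' "$shadow")
        case $entry in
            present:*) current=${entry#present:} ;;
            *) continue ;;   # account not on this system, nothing to check
        esac
        if [ -z "$current" ]; then
            printf '%s empty-password\n' "$user"
            rc=0
        elif [ "$current" = "$shipped" ]; then
            printf '%s unchanged-default\n' "$user"
            rc=0
        fi
    done < "$baseline"
    return $rc
}

# gate_interface IFACE SHADOW BASELINE
# Hook body: returns 1 (so ifup aborts and leaves IFACE down) when
# stale_accounts finds anything, 0 otherwise.
gate_interface() {
    iface=$1
    if report=$(stale_accounts "$2" "$3"); then
        printf 'refusing to bring up %s until these accounts are fixed:\n%s\n' \
            "$iface" "$report" >&2
        return 1
    fi
    return 0
}

# demo: constructed shadow and baseline files in a temp dir; the devuan
# account still carries its shipped hash, root has been changed.
demo() {
    d=$(mktemp -d)
    cat > "$d/baseline" <<'EOF'
devuan:$6$constructedsalt$shippedHashForDevuanUser
root:$6$constructedsalt$shippedHashForRoot
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$freshsalt$hashAfterAdminRanPasswd:17275:0:99999:7:::
daemon:*:17270:0:99999:7:::
devuan:$6$constructedsalt$shippedHashForDevuanUser:17270:0:99999:7:::
EOF
    gate_interface eth0 "$d/shadow" "$d/baseline" && echo "eth0: ok to go online"
    rm -rf "$d"
}

# ifupdown exports IFACE to hook scripts.  Installed as
# /etc/network/if-pre-up.d/check-default-passwords (path assumed) this
# gates every interface except loopback; run by hand it shows the demo.
# The baseline path is an assumption for this example.
if [ -n "$IFACE" ]; then
    case $IFACE in lo) exit 0 ;; esac
    gate_interface "$IFACE" /etc/shadow /etc/default-password-baseline || exit 1
else
    demo
fi
```

This covers the wired case Arnt describes, where a cable left plugged in at boot brings eth0 up before anyone has run passwd: ifup stops at the hook and the machine stays offline with the offending accounts named on stderr. A wrapper around setnet.sh can call stale_accounts the same way before it touches any interface; the mechanism (the hook) stays separate from the policy (what counts as a stale account), which is the split KatolaZ insists on.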