On 16/10/17 01:51 PM, Carlos E. R. wrote:
> I understand that every openSUSE machine is vulnerable till every machine in the same network is patched. Once a single one is successfully attacked, they are in. In the network, that is.

That applies at the more general level as well; if the proverbial and nefarious "they" get in to a programmable device then "they" can do pretty much whatever is within their capability to any information on your network. Many of the protocols that would otherwise be encrypted to the outside world are either in the clear or are stored, temporarily or otherwise, in files. I may use TLS and IMAPS and SMTP-S to my server but the mail message I send is in cleartext in my local 'sent' folder, and I might save critical files that I read locally.

In my DatabaseOfDotSigQuotes, subsection 'security', there is:

"If you have only one layer of protection you are only as safe as the next bug-de-jour" - Brad M Powell, Snr Network Security Architect, Sun Microsystems

> Besides, any communication protocol that uses encryption is safe, even if they get entry to our WiFi: ssh, https... but not, I think, smb, nfs, most email...

If and only if "they" are limited, somehow, to only sniffing the network traffic, then source-encrypted traffic is 'safe', for varying levels and interpretations of 'safe'. In which case the argument against broadcast traffic, the use of switches, aggressive subnetting, or putting each device on its own port on a router (or sophisticated switch), that is every device on its own DMZ, and having a "deny all except" filtering policy (the wifi router doesn't need to have an SMTP connection to the SAN, in fact the SAN doesn't need anything except SMB and NFS and HTTPS from and only from the management device) should be considered the baseline.

More realistically, what seems to be a reasonable level of security in this day and age is requiring a great deal of administration & configuration management. I'm seeing products that can do all this, but I still feel they are overwhelming. Why do I need three doublewide screens to display the dashboard of this software telling me what's going on on my network? Marcus Ranum once commented that while umbrellas are only of limited use and have other problems, at least they don't annoy you by notifying you of every raindrop they stop.

In a broader sense, if we are so perverse as to call computer malware "bugs" and "viruses" and "worms", and use other biological analogies, then why do we deny what biological systems really do about attacks? My skin, my gut, my whole immune system is the end point of millennia of an evolutionary war the scale of which the computer world has never seen. I shrug off, every hour, thousands of 'attacks' by a wide variety of, also highly evolved, micro-organisms. It's not a perfect scheme; it breaks down sometimes. The old advert "kills 99% of known germs" applies. It's the unknown and the 1% that matter. But even so, for that 99% my body has no dashboard to tell me what's going on, and even for the 1% there are artificial aids ("antibiotics") when I am alerted.

I think we have a technology and approach to technology that seems more interested in feeding the inner geek of the sysadmins than in securing our technological infrastructure.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org