8:07 a.m.
If you're doing electronic filing, isn't your information
being put on the
net anyway?
--
Matthew Miller mattdm(a)mattdm.org
Actaully no. No more than using ssh is sending your
password over the net. Electronic filing uses a secure
tcp/ip protocol.
9:24 a.m.
New subject: TurboTax - Linux?
STYMA, ROBERT E (ROBERT) wrote:
Actaully no. No more than using ssh is sending your
password over the net. Electronic filing uses a secure
tcp/ip protocol.
If you do your tax filing over the web, it is done using secure network
protocol. Actually, for HTTPS, I can check what encryption scheme is
used (just click on the lock icon). If I don't like it, I can simply
disconnect and do my taxes elswhere or using some other method. For net
filing, I have no idea what they are using and how secure it is. I can
only hope that they are using same encryption algorithm (for example
3DES or AES) as the ones used for HTTPS protocol. That would mean net
filing has exactly the same security as HTTPS. If they are using some
propriatory protocol (instead of the standard ones), I'd stay clear from
net filing and use good old paper and pen. All propriatory protocols in
history of mankind have proven to be trivial to brake.
Even if you do it all on your PC, your information is going to be stored
on two networked computers. Your desktop PC running Windows will be one
of them. And we all know how secure is desktop PC. Once you transfer
it over, it is going to exist for some amount of time on another
networked computer. Your government's tax agency computer.
The only good reason against doing taxes over the web is that you trust
third party (privatly owned entity) with your private data. But on the
other hand, as soon as you hire some agency and/or accountant to do your
taxes, you are doing basically the same thing. As long as you live in
country with sufficient legal regulations that requires anybody doing
taxes (including over the web) to protect your privacy, you should be fine.
Have in mind that braking into your desktop PC is almost zero-risk
thing. There'll probably be no consequences for attacker even in
unlikely case that he is detected. You do not have sufficient funds to
do much about it. Your funds are barely enough to set up basic defenses
for that matter. On the other hand breaking into accounting company's
computers or government computers is completely different story. They
have funds to hunt down the attacker. Unlike you, they have funds to
create secure environment. If I have to keep my confidential data
anywhere, the last place I'd like to see them stored is desktop Windows
machine.
--
Aleksandar Milivojevic <amilivojevic(a)pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
7:51 p.m.
New subject: confidential data storage: home PCs v. company servers (was Re: TurboTax - Linux?)
On 2005-02-14 at 09:24-06 Aleksandar Milivojevic <amilivojevic(a)pbl.ca> wrote:
Have in mind that braking into your desktop PC is almost zero-risk
thing. There'll probably be no consequences for attacker even in
unlikely case that he is detected. You do not have sufficient funds
to do much about it. Your funds are barely enough to set up basic
defenses for that matter.
I think you underestimate the strength of the defenses that can be
prepared from some second-hand PC hardware, the Fedora Core
distribution, and the application of a little knowledge and time.
On the other hand breaking into accounting company's computers
or
government computers is completely different story. They have funds
to hunt down the attacker.
And those same funds are what make them a juicy target for attackers
in the first place.
Script kiddies will be stopped by trivial defenses. Intelligent and
determined attackers aren't going to waste their time targeting Joe
User's home PC; they're going to go after more rewarding targets.
Even when intelligent and determined attackers *do* target home PCs
(e.g., because spammers are paying for spam zombies), for every PC
with even moderate defenses, there are at least 100 that can be
successfully attacked with virtually no effort. Why climb 50 feet up
the tree to pluck a single fruit when there's plenty of fruit that's
just as juicy at ground level, just waiting to be picked?
Unlike you, they have funds to create secure environment.
Unlike me, they have to hire employees to run and maintain that secure
environment.
This is significant, because it's relatively well-established that
most security breaches originate from the inside (not from external
attackers). Here's a recent study:
http://www.itsecurity.com/tecsnews/feb2005/feb78.htm
Why do you trust more? Yourself, or some random companies' hundreds
of employees?
If I have to keep my confidential data anywhere, the last place
I'd
like to see them stored is desktop Windows machine.
In terms of network threats, I assert that a home Windows desktop
machine, competently managed (up-to-date on security updates, running
anti-virus software, running anti-spyware software, etc.) and used
(using Firefox instead of IE, all accounts set up as restricted users,
et. al.), protected by an intelligently configured Linux-based
firewall, is a more secure location for one's confidential data than
the fileservers of a big corporation.
Of course, with a home PC, physical access attacks (e.g., a burglar
breaking into your house and stealing your computer) are more
difficult to defend against, but even physical access attacks can be
mitigated to some degree...
--
James Ralston, Information Technology
Software Engineering Institute
Carnegie Mellon University, Pittsburgh, PA, USA
9:47 a.m.
New subject: confidential data storage: home PCs v. company servers (was Re: TurboTax - Linux?)
James Ralston wrote:
On 2005-02-14 at 09:24-06 Aleksandar Milivojevic
<amilivojevic(a)pbl.ca> wrote:
>Have in mind that braking into your desktop PC is almost zero-risk
>thing. There'll probably be no consequences for attacker even in
>unlikely case that he is detected. You do not have sufficient funds
>to do much about it. Your funds are barely enough to set up basic
>defenses for that matter.
I think you underestimate the strength of the defenses that can be
prepared from some second-hand PC hardware, the Fedora Core
distribution, and the application of a little knowledge and time.
>On the other hand breaking into accounting company's computers or
>government computers is completely different story. They have funds
>to hunt down the attacker.
And those same funds are what make them a juicy target for attackers
in the first place.
Script kiddies will be stopped by trivial defenses. Intelligent and
determined attackers aren't going to waste their time targeting Joe
User's home PC; they're going to go after more rewarding targets.
Even when intelligent and determined attackers *do* target home PCs
(e.g., because spammers are paying for spam zombies), for every PC
with even moderate defenses, there are at least 100 that can be
successfully attacked with virtually no effort. Why climb 50 feet up
the tree to pluck a single fruit when there's plenty of fruit that's
just as juicy at ground level, just waiting to be picked?
>Unlike you, they have funds to create secure environment.
Unlike me, they have to hire employees to run and maintain that secure
environment.
This is significant, because it's relatively well-established that
most security breaches originate from the inside (not from external
attackers). Here's a recent study:
http://www.itsecurity.com/tecsnews/feb2005/feb78.htm
Why do you trust more? Yourself, or some random companies' hundreds
of employees?
>If I have to keep my confidential data anywhere, the last place I'd
>like to see them stored is desktop Windows machine.
In terms of network threats, I assert that a home Windows desktop
machine, competently managed (up-to-date on security updates, running
anti-virus software, running anti-spyware software, etc.) and used
(using Firefox instead of IE, all accounts set up as restricted users,
et. al.), protected by an intelligently configured Linux-based
firewall, is a more secure location for one's confidential data than
the fileservers of a big corporation.
Of course, with a home PC, physical access attacks (e.g., a burglar
breaking into your house and stealing your computer) are more
difficult to defend against, but even physical access attacks can be
mitigated to some degree...
One thing that is missed is the increased usage of telecommuting. If
home machines are hacked, that can allow a backdoor into the secure
company domain. How many people that telecommute also get company
computers? Many get the pleasure of using their own, home computer.
Sure the company may use VPN and encryption between work and home but
if the home machine gets compromised, all bets are off. More
justification for higher security at home for telecommuters.
--
Robin Laing
12:25 p.m.
New subject: confidential data storage: home PCs v. company servers (was Re: TurboTax - Linux?)
James Ralston wrote:
I think you underestimate the strength of the defenses that can be
prepared from some second-hand PC hardware, the Fedora Core
distribution, and the application of a little knowledge and time.
I perfectly agree with almost everything what you wrote, and don't find
what I wrote to be really contradicting.
I was talking in general, what you can find in an average home. Not
abuot what you can do if you have a bit of salt in your head. Average
user has AV software with license that expired at least year or two ago
(so his AV isn't really working), crappy firewall with UPnP enabled (so
that any piece of spyware can dig holes through it) and nice collection
of at least dozen trojans happily running oh his/hers machine. Average
home user goes to the store, buys a box, and it simply works. He uses
it once a week, and does absolutely no configuration/maintence on it
(nor wants to be bothered with it). He thinks he has AV, because that's
what sales person told him (in reality he got 90-day license bundled
with his PC, most pepople will never extend it). You say Linux.
Average home users responds with "is it something for eating, or new
soap brand"? Hack, I even saw people connecting ADSL modems to LAN
ports of those small router/firewall boxes you can buy cheap nowdays
(because local ADSL provider gives instructions/support (and software
for connecting, which you really do not need at all) that only works
with ADSL modem connected directly to PC). Configuring broadband router
to authenticate over PPPoE (two clicks in web browser) was too complex
task for them. That same average user will turn off Windows firewall
first time something doesn't work (and some "tech support" person asks
him to try turning it off and walks him through the steps), and simply
leave it off so that his favorite MP3 sharing application works...
Should I continue or simply stop now and have my lunch?
--
Aleksandar Milivojevic <amilivojevic(a)pbl.ca> Pollard Banknote Limited
Systems Administrator 1499 Buffalo Place
Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
10:59 a.m.
New subject: TurboTax - Linux?
On Mon, Feb 14, 2005 at 08:07:15AM -0600, STYMA, ROBERT E (ROBERT) wrote:
> If you're doing electronic filing, isn't your
information
> being put on the net anyway?
Actaully no. No more than using ssh is sending your
password over the net. Electronic filing uses a secure
tcp/ip protocol.
Of course. And Turbo Tax for the Web (and all of the other companies) also
use https. I guess the question is: a secure protocol _to what_?
--
Matthew Miller mattdm(a)mattdm.org <http://www.mattdm.org/>
--> Fedora Users & Developers Conference, hosted by Boston University <--
February 18th, 2005 <http://fedoraproject.org/fudcon/>
7008
days inactive
7011
days old
5 comments
5 participants
participants (5)
-
Aleksandar Milivojevic -
James Ralston -
Matthew Miller -
Robin Laing -
Styma, Robert E (Robert)