Ran across this today:
https://gabrielsieben.tech/2022/07/25/the-power-of-microsoft-pluton-2/
I'm concerned... -- Dave Ihnat dihnat@dminet.com
Welp.
"Microsoft’s other use of DICE+RIoT, in their own words, is to enable “Zero Trust Computing.”" I mean, that's a pretty cool and appropriate name: Zero trust in that I don't trust it :).
Per the article: "Now, Microsoft might look at the above and laugh this off as fear mongering, as that is much further than what Pluton is being pitched as right now, as a firmware security device to prevent malware". I think these kinds of things do not work because at the end of the day the user will want to install whatever software they want, so whatever that thing is can't really prevent most malware a typical PC user will come across.
On 7/26/22 20:14, Dave Ihnat wrote:
Ran across this today:
https://gabrielsieben.tech/2022/07/25/the-power-of-microsoft-pluton-2/
I'm concerned...
Dave Ihnat dihnat@dminet.com _______________________________________________ users mailing list -- users@lists.fedoraproject.org To unsubscribe send an email to users-leave@lists.fedoraproject.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
On Tue, 2022-07-26 at 21:04 +0200, Alex wrote:
Pluton is being pitched as right now, as a firmware security device to prevent malware". I think these kinds of things do not work because at the end of the day the user will want to install whatever software they want, so whatever that thing is can't really prevent most malware a typical PC user will come across.
I think it's a fairly safe bet that much of the PC's woes is down to software piracy. People don't want to buy software, so they get a cracked version, or use something to crack it. And in doing so, they compromise their own system.
Why the hell would you trust a hacker not to screw up your PC when they don't give a damn about screwing the developers of the software they're cracking?
Are people completely stupid, or do they just do it part time?
It's not beyond my imagination that not only do crackers not give a damn about stuffing up your PC, they're probably doing it (letting you crack software, or letting you have cracked software) on purpose as a way of building up their bot army. They're not just "sticking it to the man" and letting you have a free Photoshop in protest against capitalism, it's you that they're actually scamming.
So, yes, I do see the value in locking down closed-source systems, to make them a reliable and safer system. The world would be a better place if Windows wasn't such an utter disaster. You might think you don't care if Windows self destructs while you never use it, but your medical data, your financial data, etc, is on other people's computers using those systems.
On the other hand, I don't want it so it's impossible to get general PC hardware so we can't run open-source systems where we can create the systems we need.
On 7/27/22 7:36 AM, Tim via users wrote:
So, yes, I do see the value in locking down closed-source systems, to make them a reliable and safer system. The world would be a better place if Windows wasn't such an utter disaster. You might think you don't care if Windows self destructs while you never use it, but your medical data, your financial data, etc, is on other people's computers using those systems.
You never know what is processing your medical/tax data, etc.
Maybe they are still using MUMPS (https://thedailywtf.com/articles/A_Case_of_the_MUMPS), maybe ancient COBOL code is still chugging along. Maybe it's a long-discontinued proprietary OS that saw its last security update a decade ago.
But you still have to use them.
Lily
The "Speculations" section sounds to me like the wet dream of every InfoSec in every company. I believe many would pay the weight of Bill Gates in gold for that ... should it work flawlessly.
Outside of networks requiring very strict content access control, it is - I believe - sentenced to the fate of any standardization effort: https://xkcd.com/927/ I mean, there are billions of Android and Apple devices from thousands of manufacturers used by people who want to access documents on which they worked on their Windows PCs. So I don't see any dystopian future regarding that coming (just) yet.
Or did I miss something?
--
Michal Schorm Software Engineer Core Services - Databases Team Red Hat
On Tue, Jul 26, 2022 at 8:14 PM Dave Ihnat dihnat@dminet.com wrote:
Ran across this today:
https://gabrielsieben.tech/2022/07/25/the-power-of-microsoft-pluton-2/
I'm concerned...
Dave Ihnat dihnat@dminet.com
On Wed, Jul 27, 2022 at 5:46 AM Michal Schorm mschorm@redhat.com wrote:
The "Speculations" section sounds to me like the wet dream of every InfoSec in every company. I believe many would pay the weight of Bill Gates in gold for that ... should it work flawlessly.
Outside of networks requiring very strict content access control, it is - I believe - sentenced to the fate of any standardization effort: https://xkcd.com/927/ I mean, there are billions of Android and Apple devices from thousands of manufacturers used by people who want to access documents on which they worked on their Windows PCs.
Most of those documents are of little interest to bad actors and could be made public without significant consequences. Those working on Windows PCs are expected to exercise good judgement, but there are cases where people accessing documents on personal devices have been called out by others motivated by personal antagonism, racism, sexism, etc.
So I don't see any dystopian future regarding that coming (just) yet.
Or did I miss something?
Corporations and governments generally have policies for who has access to which documents. In practice, documents do leak to people who were not in the intended group of readers and leakers can be punished.
Most organizations rely on individuals for proper handling of sensitive documents, but there are always those who have been taken in by sellers who promise technological controls that will prevent leaks and identify "leakers". Those same factions often engage in misclassification (making everything "top secret" and adding barriers to make it hard to change the initial classification), reducing more conventional security efforts such as training and intrusion detection, and selective enforcement.
We are in for another round of over-promising and abuse of technological controls. Unfortunately, the current political climate has enabled many who will see a new tool to push their own agendas.