Security consists of:
- Confidentiality (attackers can't read my data)
- Integrity (attackers can't modify my data)
- Availability (I can still read and write my data)

Availability is often overlooked.

I think people caring about security should also consider including things like "what if I forget to renew a cert" or "what if I forget to pay for a domain" in their threat models.

@Wolf480pl Frankly not paying for domain breaks confidentiality as well. Attacker can then buy your domain, obtain HTTPS cert, and he owns whatever people send to him ;)

@jacek and also integrity, if you `curl |bash` from that domain :P

Follow

@jacek yeah it's ridiculous.

But it's a symptom of a bigger problem:

On one hand, people make excessively complex software, which requires a complex installation procedure.

On the other hand, those who want to install that software became impatient and don't really try to understand what's going on on their machine.

IMO this is sad.

@Wolf480pl Also these scripts are sometimes needlessly complex, you know --- like page worth of PATH detection ;)

Usually it's always: "Dump some binaries to folder A, and then some text files to folder B" ;)

Sadly such instructions are often missing.

@jacek
Sometimes it's even just "assume it's an apt-based distribution, add a repo and an apt key", which is like...

Anyone who is in charge of a server, but doesn't know what package repositories that server is using, and with which pin priorities, etc., that person should IMO be fired.

@Wolf480pl Actually I'd very happily read about "securely" adding trusted-but-not-totally repositories to your system (e.g. adding google CLI without enabling it to install new libc ;)).

@jacek
Not sure if that's implemented right now, but yeah, sounds interesting.

What I meant though is making sure you dont _accidentally_ install libc from that google repository when doing `apt upgrade`.

I've seen a friend add debian testing to sources.list "just for one package", but then he fucked up /etc/apt/preferences, and some random packages got upgraded to versions from testing.

Now I can only imagine how much worse it could be if it was a vendor script adding wrong repos.

@Wolf480pl Yeah it's not perfect (right now I'm on buster/sid hybrid). Weirdly **everything** works like a charm ;)

But since most development I do is inside docker, my local laptop setup is much simpler than it was.

Sign in to participate in the conversation
niu.moe

Welcome to your niu world ! We are a cute and loving international community O(≧▽≦)O !