SELinux eh?
People still trust that?
The sexy-named Communications Electronics Security Group (CESG) – the bit of GCHQ that helps Brits protect stuff from foreign spies (never mind Blighty's) – has issued fresh advice for securing BlackBerry OS 10, Android and Chrome OS 32. It also, handily, identifies "significant risks" in the operating systems. The guidelines …
Obviously not since we've read his words here.
That said, I would counter that same argument by stating that the computer I use to post on Internet forums is not the one I use for work.
And I can actually agree with that kind of separation, to the point where I do believe that the military should not have ANY computer attached to the WWW.
But if you're using Chrome, you really shouldn't be surprised that it phones home to The Google To Which All Data Belongs.
>>> I do believe that the military should not have ANY computer attached to the WWW
By WWW, I assume you mean "the Internet" - they are different, after all.
How effective do you think the military would be if it was unable to exchange information with people outside the armed forces via e-mail, and had no access to the vast information available on the many web sites that are out there?
Imagine if you are in charge of specifying a new fighter for the RAF, or a new class of battleship for the Navy. Are you seriously suggesting that the military should type out all communications and post them using the physical mail? That's what "no computers connected to the internet" actually means.
>>> "the computer I use to post on Internet forums is not the one I use for work."
And let me guess - it doesn't send and receive e-mails from outside the organisation and you only ever use the browser to visit intranet sites, don't you?
The World Wide Web is indeed not the Internet and I think the GPP is right and you have misunderstood.
Rejecting everything with a WWW protocol from a firewall isn't impossible, and it would certainly drasrtically reduce the attack surface.
Email is not the only communications option. There's XMPP, which is much more secure. You can even remove unwanted modules from ejabberd to reduce the attack surface. And this is before we get started on VPNs. If you use email, your firewall can strip out attachments and links. You're going to be exchanging documents via FTP and a VPN, aren't you?
Back in the early years of the Internet, we didn't have kittens, doge and nude celebrities, but we certainly managed messaging and file exchange just fine.
Pascal Monet Says: And I can actually agree with that kind of separation, to the point where I do believe that the military should not have ANY computer attached to the WWW.
Well, that would make it impossible to do any work with SME type businesses. CESG Crypto isnt cheap nor can you just buy it.
Try to think before typing.
<blockquote>I prefer option 3:
3) Be like George R R Martin and do all of his work on a computer not connected to the internet.</blockquote>
Has nothing to do with trust, since a) it's open source and thus fully auditable, and b) the NSA washed their hands of it years ago (indeed they regret ever having released it, which is a very good sign), and thus no longer have any influence over it (and it's not like there's any obscure encryption code in there that could have been deliberately weakened).
No, the problem with SELinux is it's just too damned complicated for the average user to understand and maintain, which itself represents a security risk, because if you can't understand it then you can't use it effectively, in fact you're literally lulled into a false sense of security. You end up completely dependent on upstream and/or distro maintainers to provide secure SELinux policies (so in that sense I suppose it really is a question of trust), and sadly they are not only fallible but indeed sometimes appear to have a rather contemptuous attitude toward security.
See PolicyKit as another equally complex and obfuscated example.
I'm a firm believer in the KISS principle, or as da Vinci once put it; "Simplicity is the ultimate sophistication". The complexity of SELinux makes it utterly useless, IMO, and quite possibly dangerous.
Fresh guidance is also available for iOS7, Windows 7 and 8.1.
Not-so-fresh guidance is available for other platforms.
https://www.gov.uk/government/collections/end-user-devices-security-guidance
I mean they are the slimiest bunch of crooks, more than the NSA if that's possible (ie NSA at least gets most of the flak while GCHQ seem to be hiding behind them), I simply do not trust anything that comes from either of them, at this point it must be obvious to everyone that their #1 concern is to maintain their full and unlimited access to every system out there...
You're confusing things.
GCHQ grabs data from wherever it can and is not the topic here, whereas CESG (the club giving the advice) is tasked with government security. They generally do a reasonable job, and I think their advise is valuable and worth paying attention to.
Presumably people have said the same about NIST in the US.
CESG is similar, which is good in principle - one just has to hope that the same 'cooperation' found in practice between NIST and the NSA isn't replicated in the UK equivalents.
I just the got the image of GCHQ hierarchy all laughing their heads off at how NSA is getting all the flak and GCHQ is virtually ignored. They are probably rubbing their hand with gleem at getting even more money from the NSA to run their operations as well.
Indeed, it isn't a question of if, but what their motives are. It certainly isn't helping us inprove our corporate or personal security. That would be counter to their slimy bosses, and paymasters, motives.
GCHQ, NSA, CIA, MI5, MI6, SIS etc, they've proved they don't trust us by their actions.
Why should we trust them or any related of their departments?
Secure by design - I use my BB10 device for work only ... No searching interwebs to find out how to disable syncing sensitive data to a cloud (iOS, Android). I can locate/wipe/brick my device remotely without paying a yearly fee. I know it is futile to brick an Android or iPhone, not so sure about bb10, though ... No, I have not tested and will not "test" it ... ;-)
Edit: removed WP from self-syncing OS' as it is opt-in, afaik.
They recommend upgrading to KitKat, but neither of the Android devices I own have even received updates past the OS that they shipped with, save for the individual app updates....
If they, or anyone else for that matter, can advise on how to update a "Gateway Tab TP-A60" (honeycomb) or a Polaroid PTAB 8000 (IceCreamSandwich on under-spec hardware) to the latest android without rooting (not possible for Gateway, already done on PTAB, but the device was not Google Cert'd to begin with so it doesn't get updates), I would appreciate the help.