From: grarpamp
Date: Tue, 15 Mar 2022 00:01:02 -0400
Subject: Re: I am worried about security in FreeBSD
To: freebsd-questions@freebsd.org
Cc: freebsd-security@freebsd.org
List-Archive: https://lists.freebsd.org/archives/freebsd-security

> https://web.archive.org/web/20210401214138/https://lists.freebsd.org/pipermail/freebsd-arch/2018-March/018892.html

The planet's computing prioritization problem, not even 2018 but back to 1998 and before.

"Responsible Disclosure" "Embargoed Releases" etc... these are nothing more than scams, a whitewashing coverup over people's eyes, an illusion of well run security, literally security theatre, a subjugation, whose sole purpose is to keep dirty vendors from getting embarrassed, and a prayer, a race already being won by unseen competition, and nothing more than a cover shell for GCHQ CIA Mossad FSB and worse, to keep exploiting you via their Zerodium etc.

The better thing to do is "full disclosure" "0-day" FreeSpeech and vendors to own up their crappy security or get rightfully abandoned by the market, instead of continuing artificially propped up like worthless unneeded politicians with their propaganda censorship partnership buddy friends cabal bullshit.

Either way, your security is still the same today... none, every OS kernel and userland from every vendor... exploitable at will. But at least with full disclosure it is forced to be honestly admitted, and you have forces working in your favor, and status out in the open to help you evaluate choices, that all can expose and help support and fix that festering abscess.

And when did you last set up recurring significant monthly donation stream to your vendors, money specifically dedicated for and exclusively directed to security...

And when did you last demand, create, and refuse to buy anything that was not...
#OpenFabs, #OpenHW, #OpenAudit, #FormalVerification, #CryptoCrowdFunding, #OpenTrust, ...

Until you open your wallet and invest and do and prioritize all the security things... you won't be getting any improved security.

Good news is that given the pathetically sad state of computing security, even modest investment in it and new models of doing it can yield outsized results. It's greenfield early days with reward to first movers, so which will you choose...