
On Thu, Mar 16, 2017 at 05:30:36PM -0400, Barry Warsaw wrote:
> On Mar 15, 2017, at 09:47 PM, Rich Kulawiec wrote:
>> What all of this means is that once a list passes N members, where we can debate about N, the probability that at least one of those members has already been compromised even before they've joined the list starts rapidly increasing.
> That assumes an open membership policy. Wouldn't much of this be mitigated with a closed subscription policy?
It *might* be.
The problem is that the list owner and other list members have no way to know. From their point of view, there is no way to know whether the latest list member -- whether that's list member #8 or #7,221 -- is using a reasonably secure mail client on a reasonably secure operating system in a reasonably secure environment -- or whether they're reading list traffic on an iPhone that was fully compromised eight months ago. Moreover, even if that newest list member is doing the former today, nothing prevents them from doing the latter tomorrow.
(Yes, one could ask them not to, even make not doing so a condition of membership. That won't work. Somebody is going to read email on their fridge or their car or their Android phone because they can, because they're lazy, because it's convenient, because they feel like it.)
It's thus impossible to (a) estimate the risk or (b) control the risk or (c) know when a full compromise has taken place, absent outside indicators.
That's a really bad combination to have in anything that's trying to be secure.
> Yet there still may be value in encrypting the communication channels into and out of Mailman, even if that can be compromised at the end-points.
I agree.
>> I can sadly report that the problem is getting worse and will continue to get worse, because (a) all of the various factors contributing to it are also getting worse and (b) there are no reasons for anyone to significantly invest in making it better.
> (b) is not necessarily true. There is lots of work going on to provide secure base platforms on which to implement IoT devices.
I'm aware of at least some of that, and I'd like to hope for the best.
But economic incentives being what they are, there is little motivation for vendors to bother. Moreover, many vendors are deliberately compromising end-user privacy and security (e.g., Vizio) because it's profitable to do so and the penalties, if any, are a mere slap-on-the-wrist. (I know you see a lot of this because of what you do; other folks might want to browse through TechDirt's ongoing partial catalog of IoT failures.)
My view -- at the moment, ask again tomorrow ;) -- is that so many IoT devices have been rushed to market with no consideration for security and privacy issues that the present situation is untenable. The best thing would be to recall *all* of them: all the smartphones, all the watches, all the TVs, everything...and start over. That's of course ludicrous and won't happen. Which means all those devices will persist in the field, joined by new ones in large numbers every day. And the slow backfill of fixes which *might*, in a vacuum, actually suffice, aren't going to be enough because so much of the rest of the IoT ecosystem is a mess.
In a relatively short time we've taken a system built to resist
destruction by nuclear weapons and made it vulnerable to toasters.
--- Jeff Jarmoc
---rsk