* Posts by mderouss

3 publicly visible posts • joined 16 Oct 2015

GRUB2, you're getting too bug for your boots: Config file buffer overflow is a boon for malware seeking to drill deeper into a system

mderouss

Be nice if they could make it secure *and reliable*

So I installed a GRUB update today on my 20.04 Ubuntu box. I'm not certain it covered CVE-2020-10713, but it performed an effective DoS attack on my machine all by itself without any intervention by 'bad actors'. A quick look at Git showed that 28 commits had changed at least 87 files, possibly far more. It would appear that the update was made available just a few hours after this bunch of commits was applied. Over the course of the last couple of years, issues with GRUB have become common for me. Fortunately the 'Boot Repair' tool can sort them out by reinstalling a working copy of GRUB.

So I'm led to wonder two things: why does such a critical component not provide a rock-solid recovery mechanism in its own right (or better, a rock-solid installation system), rather than having to rely on a third-party tool which seems to do a better job of analysing the target system, and why, given its propensity for failure, are massive batches of changes being shipped mere hours after being pulled into mainline? Possibly the distro has more to answer for than GRUB for the latter point, but the lasting impression is that there's more wrong with GRUB than simply some buffer overflows.

Leaked: The UK's secret blueprint with telcos for mass spying on internet, phones – and backdoors

mderouss

So where is the problem here?

So are 3rd-party VPN providers going to be classified as telecommunication providers/ISPs?

That's certainly possible, but I don't see how this has much impact in practice. Many 3rd-party VPN providers are not UK based, and it's hard to see how the British government could do much except force them to shut down their UK servers if they did not comply. And of course, they would comply, for those servers. But it's utterly irrelevant, since if you are exiting from a UK server, you lose VPN encryption at that point anyway: VPNs do not provide e2e encryption unless you own both 'e's'.

Of course, if VPN connections to overseas VPN servers are going to be forbidden, period, that would be.... interesting :).

If *every* company that operates a VPN for corporate purposes is now classified as a telco/ISP, that would be a Pandora's box of grief. I just don't see that happening here.

Are end users going to be forced to install ISP root certificates (to allow HTTPS MITM attacks) before they are allowed to use an ISP's services? I can't see this. That would require touching every endpoint connected to the ISP, it would be a nightmare for the ISPs, and pinning complicates even this.

If neither of these things is true, then I'm struggling to see what the fuss is about on the encryption front. When we talk about e2e, in what sense does 'e' ever refer to the ISP/telco? What capability does this proposal give that they don't already have? All that it appears to do is to give the Government explicit power to demand that ISPs/telcos do certain things *if they can*.

So what we're left with, really, are overlay services like Skype (but who trusts that anyway?) and WhatsApp. And to be pulled in to this, they would need to be classified as telecommunication providers. That's certainly arguable. But I'm completely confident that nefarious persons with more than one brain cell will still be able to communicate securely if they wish to. So as usual, this is a Government-scale hammer that might just crack a few peanuts if they're lucky.

WIN a 6TB Western Digital Black hard drive with El Reg

mderouss

Everyday IT experiences, #666

No... no, the Oracle EULA still isn't making any sense, but.... I think there's an image forming in it... it's a man with a beard and a grin and... horns...