From: Tim Cross
Newsgroups: gmane.emacs.devel
Subject: Re: Gitlab Migration
Date: Sat, 28 Aug 2021 19:54:59 +1000
Message-ID: <87lf4lg194.fsf@gmail.com>
References: <87o89kw0hl.fsf@gnus.org> <0c369b25-aedd-1fdf-4813-503f27e42c7c@yandex.ru> <874kbbznwv.fsf@gmail.com> <8735qvwcqt.fsf@gmail.com> <877dg65j3d.fsf@gmail.com> <87pmtyezjr.fsf@gmail.com> <83eeaene73.fsf@gnu.org> <20210828091027.GF29375@tuxteam.de>
To: tomas@tuxteam.de
Cc: emacs-devel@gnu.org
User-Agent: mu4e 1.6.5; emacs 27.2.50
In-reply-to: <20210828091027.GF29375@tuxteam.de>
List-Id: "Emacs development discussions."
Xref: news.gmane.io gmane.emacs.devel:273293

writes:

> On Sat, Aug 28, 2021 at 11:52:48AM +0300, Eli Zaretskii wrote:
>> > From: Tim Cross
>> > Date: Sat, 28 Aug 2021 17:53:34 +1000
>> > Cc: Daniel Fleischer, emacs-devel@gnu.org
>> >
>> > Despite what others have claimed, the security problems with email have
>> > NOT been addressed. It is still one of the major vectors for
>> > compromising access via social engineering [...]
>
>> And other means of communications aren't? Are there _any_ means that
>> are immune to these attacks?
>
> Yes, this made me wonder a bit, too, at how diverse perceptions
> can be. A code execution platform executing random scripts off
> the internet (aka Web browser) beats mail any day, in my view.
>
> Smartphone operating systems with their app "ecosystems" are
> fashioned after the same model.
>
> I'd have to see some statistics to support Tim's "major vector"
> assertion above.
There are lots of reports, analyses and case studies released by a number of reputable security firms. Just do a basic google and you will find plenty of evidence and statistics. Talk to any reputable security firm and ask them what their experiences are. Most countries have some form of government cyber security body - check any of them and you will likely find statistics which show the percentage of major security incidents where email was the initial vector used. For example, NIST has a whole bunch of documents and frameworks dealing solely with email security. Quoting from the NIST Cybersecurity Framework and Email compliance document from August 25 2021, https://www.tessian.com/blog/nist-cybersecurity-framework-and-email-security/

"Ransomware is becoming the most severe cybersecurity threat in the current threat landscape. Because many, if not most, ransomware attacks start via email, improving your organization's email security and its ransomware defense posture go hand-in-hand."

Frameworks like the NIST framework can go a long way to improving the security of email. However, the big problem is the human factor. Companies are spending huge amounts on training and education of staff to make them less vulnerable to social engineering, but this has high costs and is difficult to maintain. Often, the business response is to reduce or minimise the exposure by adopting alternative solutions.

It isn't an argument about how good the technology is or how it can be more efficient than web based alternatives or case studies showing how a team using email was more efficient than one using product X. This is largely about risk mitigation, streamlining administration, reducing dependency on in-house technical skills and avoiding negative PR. Like it or not, email has got a sour taste for management in many corporations and this is driving the change. Focusing on the technical aspects is misguided as it fails to recognise the real drivers behind the shift.

To be honest, I'm a little surprised this seems to be 'news', but then again, I spent the last 10 years working in the security space and that has probably skewed my view on what is 'known' more broadly. Attend enough conferences, seminars and workshops and you soon forget what you know is not always general knowledge.

As to the question of other communication channels also having security vulnerabilities - yes, of course. No system is 100% secure. However, many of the alternatives being proposed in many companies allow stronger or more effective mitigation strategies. In large part this is due to greater control over who can inject information into the system, greater control over what users can do and more control over keeping core components up-to-date.

There is also the 'obscurity' aspect - things like ransomware are a numbers game - the more people you can target, the higher the chance of success. With email, it is easy because you just craft an appropriate email with the right payload. With other communication channels, you have to be more specific and target vulnerabilities within that specific product to get your payload into the system and then get it delivered to the user's browser (or app or whatever). Basically, the ROI isn't as good.

Mobile devices and apps are definitely a significant challenge and increasingly so as time passes. However, I never stated these other channels are secure or without problems. It is almost certainly the case that if a majority of companies moved away from email to other platforms, those platforms will begin to be targeted more because they will provide a higher ROI. However, they will also likely require a higher skill set level than the current situation with email. This too will change as more 'canned' exploits become available in the market, but that will take time. Look at the macOS platform. There are still lots of people who believe that platform is not vulnerable to viruses. In reality, it is probably just as vulnerable as modern MS Windows, but the ROI for development of macOS viruses is much lower than for Windows. It is a numbers game.

On a side note, I was just talking to my daughter - she is 20. I asked her about her use of email. She showed me the email 'icon' on her phone. Her current count of unread email messages is 8400! I asked her how many of her friends' email addresses she knew. She said 1.

I cannot convince anyone really. All I can do is put forward my view and experience. After leaving my last permanent position, I spent a few years consulting, mainly in the Identity and Access Management area. I know from speaking to many executives in medium and large organisations that email is one of their highest concerns and they are actively moving to reduce dependency on and incorporation of email in core business processes. I know from talking to my children (one 20, the other 25) that email doesn't even get considered in their communications, and I know from the last project I worked on at the University that younger students are not at all interested in email.

Personally, I love email. As a blind programmer, it is much more accessible than any of the alternatives. I've had an email account since the 80s. I love the power of email based workflows. However, this makes no difference. If Emacs wants to encourage contributions from younger users and wants to appear relevant, we probably need to seriously consider providing alternatives to a community centred around email. This doesn't mean we have to replace existing channels, but instead add/augment them with additional interfaces.