Comment by otabdeveloper4

1 day ago

Those same security guys also think that "just hope that no bad guy ever gets root access, lol" is a valid threat model analysis, so whatever.

7 comments

otabdeveloper4

Reply
anonymous908213  1 day ago

That is a completely valid threat model analysis, though? "Just hope no bad guy ever gets into the safe" is rather the entire point of a safe. If you have a safe, in which you use the contents of the safe daily, does it make sense to lock everything inside the safe in 100 smaller safes in some kind of nesting doll scheme? Whatever marginal increase in security you might get by doing so is invalidated by the fact that you lose all utility of being able to use the things in the safe, and we already know that overburdensome security is counterproductive because if something is so secure that it becomes impossible to use, those security measures just get bypassed completely in the name of using the thing. At some level of security you have to have the freedom to use the thing you're securing. Anything that could keep a bad guy from doing anything ever would also keep the good guy, ie. you, from doing anything ever.

  • otabdeveloper4  14 hours ago

    > That is a completely valid threat model analysis, though?

    No it isn't. Here in 2026 timesharing accounts aren't a thing anymore and literally everyone who ever logs into your server has root access.

    "Just make sure all those outsourced sysadmins working for a contractor you've never met are never bad guys" is not a valid security threat model.

    • KAMSPioneer  5 hours ago

      > literally everyone

      Perhaps figuratively? I manage several servers where the majority of (LDAP) accounts have no special privileges at all. They get their data in the directories and can launch processes as their user, that's...pretty much it.

      Though the upstream comment is gone and I am perhaps missing some important context here.

fwip  20 hours ago

When the question is "how do I communicate securely with a third party," there's nothing you can do if the third party in question gets possessed by a demon and turns evil. (Which is what happens if an attacker has root.)

  • otabdeveloper4  14 hours ago

    Incorrect.

    Random sysadmins who have access to your server have the permissions to steal whatever is communicated between third parties unrelated to this sysadmin.

    Just because some random outsourced nightshift dude has the permissions to do "sudo systemctl restart" shouldn't mean he gets to read all the secret credentials the service uses.

    As it is now, the dude has full unfettered access to all credentials of all services on that machine.

    • fwip  5 hours ago

      I guess if your org usually gives the keys to the castle to random idiots, then yeah, I can see why you'd wish the master key didn't exist.