From owner-freebsd-questions@freebsd.org Sat Aug 15 13:00:06 2020
From: Aryeh Friedman
Date: Sat, 15 Aug 2020 08:59:52 -0400
Subject: Re: OT: Dealing with a hosting company with it's head up it's rear end
To: User Questions
In-Reply-To: <20200815081600.55107873@scorpio.seibercom.net>
On Sat, Aug 15, 2020 at 8:22 AM Jerry wrote:

> On Fri, 14 Aug 2020 21:37:06 +0200, Polytropon stated:
>
> >On Fri, 14 Aug 2020 10:44:35 -0400, Aryeh Friedman wrote:
> >> On Fri, Aug 14, 2020 at 10:32 AM Jon Radel wrote:
> >>
> >> > On 8/14/20 09:48, Aryeh Friedman wrote:
> >> > > On Fri, Aug 14, 2020 at 9:20 AM Tim Daneliuk wrote:
> >> > >
> >> > >> On August 14, 2020 12:58:49 AM "Steve O'Hara-Smith" wrote
> >> > >>
> >> > >>> Again many corporate firewalls don't allow ssh out (or in
> >> > >>> directly) because tunnelling bypasses the firewalls. And
> >> > >>> again it seems odd for a hosting company.
> >> > >>>
> >> > >> ssh out is typically prohibited to lower the risk of employee
> >> > >> transfer of sensitive data to external destinations - so-called
> >> > >> Data Loss Prevention. This, along with email scanning and
> >> > >> man-in-the-middle cert management, is pretty common.
> >> > >>
> >> > > Unless it is 100% air gapped with no ability to plug in portable
> >> > > media and/or record the screen then nothing is 100% immune from
> >> > > such loss and thus not allowing it makes very little sense. If
> >> > > on the other hand the idea is to limit the damage that
> >> > > malware/spyware can do then it makes sense (even if someone does
> >> > > [accidentally] install malware/spyware it cannot send the
> >> > > results of its dirty work anywhere).
> >> > >
> >> > Untrue. As the CISO at my latest employer said to me (paraphrasing
> >> > some, as it's been a while):
> >> >
> >> > You and I know how to circumvent the restrictions, but the vast
> >> > majority of the staff hasn't a clue. This cuts down the noise I
> >> > have to wade through.
> >>
> >> Oh great, security by obfuscation! Sounds like the CISO missed the
> >> first day of security 101. A false sense of security is always a
> >> bad idea.
> >
> >But but but we are ISO-9660 certified! And we have that expensive
> >snake oil sprinkled everywhere! ;-)
> >
> >There are measures that do not "add security", but can help to
> >limit the line noise. A typical example is moving SSH to some
> >non-standard port: that doesn't prevent anyone from performing a
> >port scan and connecting to that non-standard port, but it limits
> >the fun for script kiddies that connect as "Administrator" on
> >the default SSH port.
> >
> >Those who _want_ to extract data will find a way. As has
> >been mentioned, a screen capture sent per e-mail, or a screen
> >photo taken with a private smartphone, will work. There are
> >so many possibilities of data extraction that you cannot stop
> >with a firewall rule...
> >
> >> > And back to the main topic of this thread: What does your lawyer
> >> > say about your client that is huffing and puffing threats over your
> >> > inability to perform magic to paper over their unwise contracting
> >> > actions in regard to a different vendor? Seems to me that you
> >> > left the land of technology a ways back on this one.
> >> >
> >> Actually the client has signed the one piece of paper we needed to
> >> move forward, which is a waiver of liability for stuff we said was
> >> inherently risky (in writing) before we started the work. It
> >> should also be noted that due to lack of competence by the hosting
> >> company and by the equipment supplier we have become the client's
> >> de facto IT dept., even though we were originally hired as programmers
> >> only (this means when push comes to shove the client almost always
> >> trusts us over anyone else, and for the most part "I will find
> >> someone else" is just his lack of social graces and not an actual
> >> threat).
> >
> >Tell them you're "devops" now. :-)
>
> I have a suggestion on how to rectify this supposed problem that is
> causing Aryeh Friedman all this frustration and agita.
>

Says someone who refuses to help fix a bug because some hardware vendor
refuses to give them free equipment, even though the bug affects
equipment you already have.

> The basis behind any successful capitalist society is the ability
> of an individual or consortiums to create and manage their own
> businesses. Since Aryeh obviously feels that he is the smartest man or
> woman in the room, and the ultimate authority on the operation of
> 'cable/hosting companies', why doesn't he simply assemble a group of
> supporters and other financial institutions to back his creation of a
> new "Supreme" hosting company, created in his own likeness and bound to
> his rules.
>

A small piece of advice before you suggest something that someone else
should do: you should check to see if they have already done it. Case in
point: I helped start and/or was the technical head of 5 different ISPs
in the mid-90s to late 90s, including the first commercial grade ISP in
Los Angeles and a different one that became the fifth largest ISP in
California (every single one sold at a profit when the owners got out of
the business).

I left that world because the capital requirements became too great for
anyone smaller than a small country to be in the game. Only problem is:
to have that level of capital investment you need to involve the "suits"
who are universally idiots when it comes to technical matters. Thus,
from a purely technical standpoint (vs. what was technically possible)
ISPs have gone steeply downhill from when most of the small ones were
forced to leave since they didn't have the ability (or legal right) to
lay their own fiber to every house in the known universe.

> Now that sounds like a perfect solution to me. Besides, as my old
> grandpa used to say, "You can curse the darkness or light a candle. In
> either case, shut the f*%K up."
>

How about a better idea: people who make incorrect negative assumptions
about others should bite their tongues.

P.S. A trivial amount of internet research should have told you the
above about my background.

-- 
Aryeh M. Friedman, Lead Developer, http://www.PetiteCloud.org