Jan 5, 17 / Aqu 05, 01 20:23 UTC

A suggestion about login  

lot of people are using win10 as their os in win10 you can add a user by simple using an email so why not having our local mail address and using them into login in an asgardian account in our pc?

  Last edited by:  Christos Faroupos (Asgardian, Global Mod, NCM)  on Jan 7, 17 / Aqu 07, 01 14:38 UTC, Total number of edits: 1 time
Reason: Correcting the title

Jan 5, 17 / Aqu 05, 01 21:35 UTC

Hi Chris3,

Can you clarify regarding where you are referring to "logging in?

Are you referring to logging into the forums having this automatically saved, or actually logging into your actual PC?

I believe I understand that you are referring to logging onto your PC using an Asgardian email address?

Jan 6, 17 / Aqu 06, 01 00:46 UTC

Both using an asgardia mail we can have an interface dedicated to our needs and an easier verification mode (roaming profile)

  Last edited by:  Christos Faroupos (Asgardian, Global Mod, NCM)  on Jan 6, 17 / Aqu 06, 01 00:47 UTC, Total number of edits: 1 time

Jan 6, 17 / Aqu 06, 01 00:50 UTC

And we can also any internal mails that we might sent and recieve have them in our machine and not in the server

Jan 6, 17 / Aqu 06, 01 01:12 UTC

Hi Chris3.

Thanks for the feedback. This will certainly be forwarded to the Asgardia IT team for consideration of feasibility

Jan 6, 17 / Aqu 06, 01 09:55 UTC

You are welcome Sorry for my english it's not my native language and i have a very long time to use them

Jan 6, 17 / Aqu 06, 01 10:27 UTC

But be consider the case of a virus infection in the pc of an asgardian or even a hacking of a pc (it's safer to use twin machines one of us and the other for the ministries and the leaders completed seperated )

Jan 6, 17 / Aqu 06, 01 22:42 UTC

A virus ridden PC? you mean like win10? Which will forward full access to the desktop or filingsystem on demand, even to "friends and partners of Microsoft", along with routine collection of any keyboard activity, mouse movements and gestures - or any other input device it can get near. If "hacking" was a concern then they wouldn't be using a backdoored operating system. I did postulate about using PKCS 11/X.509 embedded into passports as auth for forums, and other services, with possibility of including some read-only(to the user) storage in which to contian a secure OS - which would mitigate most concerns with most user's PC practices. Unless in the case of Win10 i'm right about it adjusting firmwares to install a set of persistent infections.

Twin machines would be sensible if you can assure the second is "clean". However, the unsafe user practices that lead to the first being compromised is incredibly likely to lead to the same unsafe practices being utilised on the second machine leading to the compromise of that. Or at least in my experience, the larger number of users conform to that statement. In most security models, the least safe component is the user.

The problem with the "Authentication method" you describe would be that it requires giving third parties access to the authentication details, then trusting their claims these will not be collected, which would raise questions within itself, or later used. You even have a clue where this "roaming profile" is stored? or even what they do with it once stored...

The way email systems tend to work is a "postmaster" running on the server recieves the mail, then sorts to applicable inboxes where the user then later picks it up. Only POP3 (optionally, not required) deletes the messages server-side after retrieval. There's possibly a reason why POP3 isn't commonly used anymore, too. The messages are still required to be server-side until the point of pickup. In a "roaming" senario you list there, you'll just be leaving lots of emails on lots of systems and never be able to get at all of them at the same time - worse, as you leave physical contact with the system you leave any hope of assuring the security of this system - and by extension, all the emails you've just put on there.

Jan 7, 17 / Aqu 07, 01 10:40 UTC

No i am talking about the case of an infection from a virus in someones pc and what the effects could be in the entire asgardia system. Can you please tell me an os that is safe?

  Last edited by:  Christos Faroupos (Asgardian, Global Mod, NCM)  on Jan 7, 17 / Aqu 07, 01 11:32 UTC, Total number of edits: 2 times

Jan 8, 17 / Aqu 08, 01 04:59 UTC

Infections of that nature are likely to effect the individual user's computer, more than "the system". Somewhat in this realm, we're currently "under the radar" and I don't imagine many to be tailoring things to explicity exploit our systems. The key word being currently, this is likely to adjust. Possibly rapidly. But to analyse "possible threats" from the user being infected model, the common condition inflicted on users of note currently is "ransomware" - this is undergoing evolutions currently to infect IoT devices too. Ransomware can be trivially mitigated by two simple principles, you have everything you need access to read-only, and only allow write access to the smallest possible areas as the needs require - massively limiting the possible damage such a thing can cause. The other goes hand in hand, and like any good strategy in case of failure in the first mitigation policy it will cover any deficits - and that's laugh, then restore from backup. If you cared enough about your data to consider paying a "ransom" to restore access, you'll of cared enough about it to have backups... If/when we have collective access to a storage pool, this being mounted when some user gets infected with such malware could potentially extend to lock those files equally. If that's a shared pool, then it can impact access to multiple users. The previously mentioned solutions - specifically backups, preferably in father/son/grandfather rotation - should serve to minimise impact. Other potential infections a user picks up could be able to leverage the stored authentication for accessing these forums - and at a later date, other services - and begin onslaughts of spam. Currently this isn't viable for most breeds responsible, but they can be trivially adjusted. Assuming this isn't covered by any existing IDS, Tools like "fail2ban" can be used to patrol logs and if you can define a set of "behavioural constraints" (say, issuing eleven posts in ten seconds - clearly not "normal user activity") along with a way to respond (Say, Pass timestamped event log to admin, and trigger a script that will get lists of associated posts, and deliver them to applicable mods for clean-up, after locking forum access to the account) it can act on your behalf with ruthless efficiencies. It should be trivial to mitigate total damages to "the system".

As to an infection getting a foothold into "the system" from an infected user... Reasonably unlikely. The OS appears to be a breed with a naturally good security model, so if regularly updated and patrolled with things like clam and rkhunter it should prove to be reasonably resilient. Assuming sensible deployment, say in a container, the HTTP server - what devlivers contents to browsers and the software specifically interfaced with the user(s) currently - should be running as it's own user. This user will have quite limited permissions, so in the event of compromise to that element, it's unlikely be able to do much to "the system" - But the permissions it needs could lead situations where it can be used to deliver hostile content. The next layer up from that would be the "software" used in the web pages itself. Deployed sensibly and regularly updated, this should equally prove to be resilient. With a sane development cycle, there will always be available copies of it in it's last "known-good" form, so should provide for trivial "restore to factory" in the event that this is somehow manipulated.

I wouldn't of said there is a "safe" OS, just differnt levels of vulnerabilty. The "safest" OS is commonly considered "open source" - The code it is built from is publicaly displayed. Anyone can poke through it and look for nasties, amongst other things. Sure not everyone reports these problems so they may be fixed, but most do. Over time, over everyone, every problem should be found. Eventually. Most open source projects take "community contributions" and as a result have large nummbers of people adding to the source, improving it, solving bugs, patching holes - This is how we should be doing things, IMHO, we can work in paralell on the same project and many hands make light work - Selecting one with active development is almost essential, as this is still undergoing the production cycle, recieving bugfixes and security updates.

Most frequently, this will be *nix - some breed evolved from unix, commonly linux. Linux appears to have some reputation as something difficult to use, but almost any "modern" distrobutions will default to a pretty clickable GUI which is just as easy to use as winhoes, and in some cases offers more features. The inherent security model makes infection without express permission of the user unlikely. Where windows has in some cases millions of varients of a single "virus", and almost as many breeds to have varients of, linux has but a handful - the larger number appearing in more recent years in response to it's increased adoption, and almost all requiring some form of permission element to do anything outside of the user's /home, limiting the range of damage possible to the user's personal files. These are commonly mitigated in the natural update cycle, meaning most available virus is denied the method it uses to leverage control in the first place - rather than attack the symptoms, neutralise the cause.

For a winhoes user's first forray into Linux I would suggest Linux Mint. Mint has a few interesting project goals, one of them being to eliminate the requirement to use the terminal(command line interface) - which they have done remarkably well, it's not eliminated entirely, but the average user can do almost anything they would need without it - and have a active support community that should be able to assist you with any issues you face. You can freely download a "live disc" which can be written to a usb stick using tools like unetbootin or pendrivelinux, or burned to optical media for booting. Hashes are provided so should you choose to download from any mirror or torrents, it's possible to check what you downloaded is what the team uploaded. It should unpack itself entirely to RAM and thusly not impact the existing system, until you select to install it. From that generated media, it should be possible to boot and use the OS. As it's running in RAM installing extra things it doesn't come with won't be too clever, to ignore possible space limitations a simple reboot will destroy changes. This "effect" is also useful for learning to play with a new OS, as if you manage to break it, and this shouldn't be easy, a reboot will fix it. For the average user it comes with a reasonable range of open source tools installed, notably libre office, but will be able to do many "common" tasks you'd expect to do. A "nice" feature is it comes with an IRC client, which when opened automatically connects you to their help room, making it really easy to get questions answered.

  Updated  on Jan 8, 17 / Aqu 08, 01 05:01 UTC, Total number of edits: 1 time
Reason: typo

Jan 8, 17 / Aqu 08, 01 21:36 UTC

To change the password is not a clear process.

Jan 8, 17 / Aqu 08, 01 21:55 UTC

Hi Antonio,

Regarding changing passwords. The only way currently is to log out and select the "Reset Password" link before logging on. As we have received numerous questions on this, therefore I have posted this in the Feedback Thread located here: https://asgardia.space/en/forum/forum/feedback-11/topic/change-password-without-using-reset-password-facility-1728/

  Last edited by:  Alan Player (Asgardian)  on Jan 8, 17 / Aqu 08, 01 23:30 UTC, Total number of edits: 1 time
Reason: gramatical correction

Jan 9, 17 / Aqu 09, 01 16:41 UTC

EyeR when i am write "virus" i mean the intire family of them (trojan,ransomware e.t.c.) the problem with the open source os and the community support is that you don't know the person who fixed the error is it realy fixed it or he just "fixed " it and put something in it , and the vanurabilities of a system os depence of how many people or companies use it (thats why the apple and linux were "safer" than windows ) personaly i prefer using an asgardia os constracted from scrach by asgardias it department

  Last edited by:  Christos Faroupos (Asgardian, Global Mod, NCM)  on Jan 9, 17 / Aqu 09, 01 19:19 UTC, Total number of edits: 1 time
Reason: correction

Jan 9, 17 / Aqu 09, 01 16:42 UTC

And some hashes are not safe anymore

Jan 10, 17 / Aqu 10, 01 02:14 UTC

Entire family or just one varient, there should be no way for the infected user's infection to travese the interwebs and infect the server, as it shouldn't have write permissions to do so. Even if it does somehow manage that, or the "IT team" have paid the previously demonstrated amount of attention to such topics and simply ignored it - then it's still just a file, containing data like any other. It needs to be executed. Lets assume the previously mentioned attention to detail holds across the board, and there's no IDS to spot this upload, or attempts to access an unexpected file, and to further assume no SEB(Security Enhanced BSD - basically an open source port of what the NSA use to secure their systems) policies to limit the httpd from acessing the unexpected file then it'd still be limited in scope to that of the user, in this case the httpd and therefore limited only to the public served space. Once noticed, the production copy gets overwritten from backup, or from straight off the last known good incriment on the develserver. Solved.

Actually, no. With closed source you just hope the problem was fixed, and not done a microsoft and just made the backdoor harder to spot. The only option then is to reverse engineer it in a debugger, which isn't as simple.

Sure, not everyone can read and understand code - but it being open means anyone can look, and there's more than enough interested geeks poking into things. Twice as many want-to-be geeks. It's just a matter of time before everything is spotted and fixed. For the "put something in it" then most are not stupid enough to think it'd never be found - so don't bother trying - and when it inevitably is found, should they not fix the issue, someone will fork the project rename it and everyone will just start using the clean version. Kind of like what happened to truecrypt when that became veracrypt(which doesn't have backdoors, but I'd still not suggest using it).

Vulnerabilities in a system are a function of it's code, not the uses/users - although that said the users are commonly the largest danger to system integrity - which is why sane companies strictly follow the laws of least priviliges and thusly no user should be able to do anything they are not explicitly allowed to do. The reason apple and linux are still safer than winhoes is due to their common heritige in unix(apple using a fork of BSD) and it's native permissions model being orientated around the laws of least privlige.

As for the "IT team" making an OS... That's quite a large undertaking. You realise they seem to of struggled with a website? Many (many, many, many) mistakes and it took them weeks to do it too. Took them nearly three weeks to deploy this forum alone(something I'd expect to take less than fifteen mins then a few days of testing to make sure). An OS is a lot more complex beast. To take an average linux kernel, that's about 125MB - 1MB is about 460 A4 pages in raw ASCII, so it'd take them months, if not years, just to write a kernel. That's nothing else you'd need, and you would need lots else. a few GB of else maybe.

From scratch really isn't the "best" option - Open source allows you to fork their project and start from there, which would make a lot more sense. Instead of wasting time solving problems already solved by someone else, you can just pick up their solutions and stack them together, much like lego. If a ½ sensible OS was picked as base, there'd be v. little required to change - as the only things to adjust would be installed software payloads and possibly some theming it'd at best qualify as a "spin" more than a fork, too.

Yes, some hashes are not safe. Luckily no-one sane uses them anymore. But in this instance we are not worried about someone reversing the hashing method and ending up with what we started before hashing, or more sensibly, just looking up the values in a rainbow table. The purpose is to take advantage of the algorythm's natural properties of yeilding a different hash if a single bit of what is being hashed has changed. Thusly by comparing the "fingerprints" this hashing function creates you can confirm that what you have downloaded is what was uploaded. This method spots both intentional interference with the product and "damaged downloads".

  Updated  on Jan 10, 17 / Aqu 10, 01 02:22 UTC, Total number of edits: 2 times
Reason: typo