delorie.com/archives/browse.cgi   search  
Mail Archives: geda-user/2021/01/11/16:38:12

X-Authentication-Warning: delorie.com: mail set sender to geda-user-bounces using -f
X-Recipient: geda-user AT delorie DOT com
X-Original-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=
messagingengine.com; h=content-type:date:from:in-reply-to
:message-id:mime-version:references:reply-to:subject:to
:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender:x-sasl-enc; s=
fm1; bh=PIHNc2ENdek5peT1ipeVXSJdpdp5M7xTyU6xnRTtQog=; b=fICay7wf
49W71aQ5ANf3nHSuFvKuxactdknk9aSo3zZsxxJc5DpfHfld4uiKUVsbbgbORowq
P3iC0+XczbslmcXvL2nF/ZU9prOckXDgcan4FEcB7wvbfCZB6YFda8bOXrI4Vjq/
xKjelD8vKx6Qa1TVOrvITaxST3nuMopNjdCu0uCG6R7uKCE4I5AHBgt/sDDOGs7X
K8bQbtvnDvIWZTLtaKxMxcqKQExnztmgZP3/AvUz959/QiGlfxmkbwWUecpBIutx
glDK4rQguKRJHcU0cNS59xlKdDyYyr6rXl/b7m26dxM2gd3JBHwCRitaOr7Uoaol
3o4v9mBvsAP/KQ==
X-ME-Sender: <xms:jsD8X3bgSPVwVYsMDGxX0lfhDxLVQ0Q_YjGRZux5kAY_OQ5ekmWIoA>
<xme:jsD8X_XvdS7xGEMBlnZXIWYMTidvkx34AUaPFVS0Xxy26rDhJ9zWY8mYmN-VOTkDM
6YGTtbnWBz1RJKDAg>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedujedrvdehuddgudegkecutefuodetggdotefrod
ftvfcurfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfgh
necuuegrihhlohhuthemuceftddtnecunecujfgurheprhfuvfhfhffkffgfgggjtgesrg
dtreertdefjeenucfhrhhomhepifhirhhvihhnucfjvghrrhcuoehghhgvrhhrlhesfhgr
shhtmhgrihhlrdgtohhmqeenucggtffrrghtthgvrhhnpeehfefgteevteeileejueetve
ekjefhjedvteevffduffegffefgeekvdefhfeuleenucffohhmrghinheplhhinhhugihj
ohhurhhnrghlrdgtohhmpdhthhgvrhgvfhhorhgvrghrvggrlhhlohhffhhlihhmihhtsh
drihhnpdhhthhtphhsthhoughofihnlhhorggurdgrshenucfkphepuddtkedrvdduhedr
udelhedrvddtheenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfh
hrohhmpehghhgvrhhrlhesfhgrshhtmhgrihhlrdgtohhm
X-ME-Proxy: <xmx:jsD8X1iR4r_m-ep2H1HmJf3EZWoOcqFJ9s_pvvEShv1kKNEdkrhw9A>
<xmx:jsD8X9sznoaqxKzpp88_4iqNXw0mB4tAYDGqWi-fzPkP_aZuadzAMA>
<xmx:jsD8X-4wmnQflijwVQWzjrNLCr_PcrCXdS5B3A7fu2BNO-4dmKO6rg>
<xmx:j8D8X-wMdd3LiOPH7b0gOQxMHB1zW3Dw_glmq2A3TDgcfViDphMBCg>
Subject: Re: [geda-user] No https for pcb-rnd
To: geda-user AT delorie DOT com
References: <xnim84jsdh DOT fsf AT envy DOT delorie DOT com>
From: "Girvin Herr (gherrl AT fastmail DOT com) [via geda-user AT delorie DOT com]" <geda-user AT delorie DOT com>
Message-ID: <197408a7-1183-7805-6f84-7794386c52dc@fastmail.com>
Date: Mon, 11 Jan 2021 13:15:37 -0800
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:68.0) Gecko/20100101
Thunderbird/68.12.0
MIME-Version: 1.0
In-Reply-To: <xnim84jsdh.fsf@envy.delorie.com>
Reply-To: geda-user AT delorie DOT com
Errors-To: nobody AT delorie DOT com
X-Mailing-List: geda-user AT delorie DOT com
X-Unsubscribes-To: listserv AT delorie DOT com

This is a multi-part message in MIME format.
--------------EF371C8E63E2E51C56270C18
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 7bit


On 1/10/21 3:15 PM, DJ Delorie wrote:
> "Girvin Herr (gherrl AT fastmail DOT com) [via geda-user AT delorie DOT com]"
> <geda-user AT delorie DOT com> writes:
>> I don't know why you are so resistant to computer security.
> Computer security takes time and effort, and it's wasted on static data
> that has no real value.  Do you really need to hide the fact that you're
> looking at EDA software?  Do you worry that terrorists are going to
> modify a wiki page you're reading?
>
>> Why did I post my concern about pcb-rnd on this forum? Good question. I
>> thought about it a while and decided that since pcb-rnd was on this
>> forum in the past, and that it may be polled by the pcb-rnd devs,
> Nope, none of them are here any more.  They left long ago.
>
>> Now that includes gEDA too.
> You didn't mention that at all in your original email ;-)
>
>> I hope the gEDA server maintainers create a https portal on the web
>> server(s) asap.
> The gEDA server is a very old arm-based device running a prototype
> operating system.  HTTPS is not an option at this point, unless someone
> (or many someones) steps up to migrate everything to a modern server.

Greetings,

My immediate concern is the software download site. I do not want to 
download corrupted software. The risk is low, but I think it is still 
there. On the other end, I am concerned that the gEDA site could get 
attacked with possible resultant data corruption. In that respect, I 
don't think computer security is "wasted". You are correct in that since 
the transactions do not involve the transmission of sensitive data, such 
as logins and passwords, the risk is low and maybe not worth the effort 
to upgrade, except for the program download site.

I didn't mention the gEDA sites in my original posting because I had not 
yet gotten to my gEDA site bookmarks, so at the time I wrote the 
original posting I did not know for sure if gEDA should be included. I 
suppose in hindsight, I should have waited until I had completed my 
year-end bookmarks purge before I posted my first posting on this 
subject. Sorry.

I had a suspicion that the problem may be with the server. I guess the 
best I can ask for is to consider upgrading to https, at least for the 
software download server part, when a need to upgrade the server is 
discussed.

Since we are trading URLs, here is an article, written by Mick Bauer, 
that I am using to harden my desktop computer at this time:

    https://www.linuxjournal.com/magazine/paranoid-penguin-brutally-practical-linux-desktop-security

Here is an applicable snippet under "Never Transmit Unencrypted 
Passwords" for consideration:

    Telnet, non-anonymous FTP, IMAP, POP3 and any browser-based login
    involving an http:// URL rather than https://, therefore, are all
    off limits. In the modern era, all these applications (remote shell,
    file transfer, e-mail and most Web applications) can and should be
    used in encrypted implementations, such as SSH, FTPS or SFTP, IMAPS,
    POP3S and https, at least for logons and other sensitive transactions.

Operative phrase: " at least ".

Note that pcb, under sourceforge, is using https to download.

As a side note, a while back I was looking to make a donation to gEDA to 
help out and partially compensate for the use I have gotten from 
gEDA/gaf. However, I could not find a place to make such a donation. I 
think a PayPal transaction could be made using an email address. I am 
not sure how to set it up. It may require a PayPal business account. 
Such donations could help purchase a new server and maybe pay the small 
fee for the certificate(s).

Thanks and take care.

Girvin



--------------EF371C8E63E2E51C56270C18
Content-Type: text/html; charset=utf-8
Content-Transfer-Encoding: 7bit

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 1/10/21 3:15 PM, DJ Delorie wrote:<br>
    </div>
    <blockquote type="cite" cite="mid:xnim84jsdh DOT fsf AT envy DOT delorie DOT com">
      <pre class="moz-quote-pre" wrap="">"Girvin Herr (<a class="moz-txt-link-abbreviated" href="mailto:gherrl AT fastmail DOT com">gherrl AT fastmail DOT com</a>) [via <a class="moz-txt-link-abbreviated" href="mailto:geda-user AT delorie DOT com">geda-user AT delorie DOT com</a>]"
<a class="moz-txt-link-rfc2396E" href="mailto:geda-user AT delorie DOT com">&lt;geda-user AT delorie DOT com&gt;</a> writes:
</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">I don't know why you are so resistant to computer security.
</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">
Computer security takes time and effort, and it's wasted on static data
that has no real value.  Do you really need to hide the fact that you're
looking at EDA software?  Do you worry that terrorists are going to
modify a wiki page you're reading?

</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">Why did I post my concern about pcb-rnd on this forum? Good question. I 
thought about it a while and decided that since pcb-rnd was on this 
forum in the past, and that it may be polled by the pcb-rnd devs,
</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">
Nope, none of them are here any more.  They left long ago.

</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">Now that includes gEDA too.
</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">
You didn't mention that at all in your original email ;-)

</pre>
      <blockquote type="cite">
        <pre class="moz-quote-pre" wrap="">I hope the gEDA server maintainers create a https portal on the web
server(s) asap.
</pre>
      </blockquote>
      <pre class="moz-quote-pre" wrap="">
The gEDA server is a very old arm-based device running a prototype
operating system.  HTTPS is not an option at this point, unless someone
(or many someones) steps up to migrate everything to a modern server.</pre>
    </blockquote>
    <br>
    <p>Greetings,</p>
    <p>My immediate concern is the software download site. I do not want
      to download corrupted software. The risk is low, but I think it is
      still there. On the other end, I am concerned that the gEDA site
      could get attacked with possible resultant data corruption. In
      that respect, I don't think computer security is "wasted". You are
      correct in that since the transactions do not involve the
      transmission of sensitive data, such as logins and passwords, the
      risk is low and maybe not worth the effort to upgrade, except for
      the program download site.</p>
    <p>I didn't mention the gEDA sites in my original posting because I
      had not yet gotten to my gEDA site bookmarks, so at the time I
      wrote the original posting I did not know for sure if gEDA should
      be included. I suppose in hindsight, I should have waited until I
      had completed my year-end bookmarks purge before I posted my first
      posting on this subject. Sorry.</p>
    <p>I had a suspicion that the problem may be with the server. I
      guess the best I can ask for is to consider upgrading to https, at
      least for the software download server part, when a need to
      upgrade the server is discussed.</p>
    <p>Since we are trading URLs, here is an article, written by Mick
      Bauer, that I am using to harden my desktop computer at this time:</p>
    <blockquote>
      <p><a class="moz-txt-link-freetext"
href="https://www.linuxjournal.com/magazine/paranoid-penguin-brutally-practical-linux-desktop-security">https://www.linuxjournal.com/magazine/paranoid-penguin-brutally-practical-linux-desktop-security</a><br>
      </p>
    </blockquote>
    <p>Here is an applicable snippet under "Never Transmit Unencrypted
      Passwords" for consideration:</p>
    <blockquote>
      <p> Telnet, non-anonymous FTP, IMAP, POP3 and any browser-based
        login involving an http:// URL rather than https://, therefore,
        are all off limits. In the modern era, all these applications
        (remote shell, file transfer, e-mail and most Web applications)
        can and should be used in encrypted implementations, such as
        SSH, FTPS or SFTP, IMAPS, POP3S and https, at least for logons
        and other sensitive transactions. </p>
    </blockquote>
    <p>Operative phrase: " at least ".</p>
    <p>Note that pcb, under sourceforge, is using https to download.</p>
    <p>As a side note, a while back I was looking to make a donation to
      gEDA to help out and partially compensate for the use I have
      gotten from gEDA/gaf. However, I could not find a place to make
      such a donation. I think a PayPal transaction could be made using
      an email address. I am not sure how to set it up. It may require a
      PayPal business account. Such donations could help purchase a new
      server and maybe pay the small fee for the certificate(s).</p>
    <p>Thanks and take care.</p>
    <p>Girvin</p>
    <p><br>
    </p>
  </body>
</html>

--------------EF371C8E63E2E51C56270C18--

- Raw text -


  webmaster     delorie software   privacy  
  Copyright © 2019   by DJ Delorie     Updated Jul 2019