emacs-devel

Re: Gitlab Migration


From: Tim Cross
Subject: Re: Gitlab Migration
Date: Sat, 28 Aug 2021 19:54:59 +1000
User-agent: mu4e 1.6.5; emacs 27.2.50

<tomas@tuxteam.de> writes:

> On Sat, Aug 28, 2021 at 11:52:48AM +0300, Eli Zaretskii wrote:
>> > From: Tim Cross <theophilusx@gmail.com>
>> > Date: Sat, 28 Aug 2021 17:53:34 +1000
>> > Cc: Daniel Fleischer <danflscr@gmail.com>, emacs-devel@gnu.org
>> > 
>> > Despite what others have claimed, the security problems with email have
>> > NOT been addressed. It is still one of the major vectors for
>> > compromising access via social engineering [...]
>
>> And other means of communications aren't?  Are there _any_ means that
>> are immune to these attacks?
>
> Yes, this made me wonder a bit, too, at how diverse perceptions
> can be. A code execution platform executing random scripts off
> the internet (aka Web browser) beats mail any day, in my view.
>
> Smartphone operating systems with their app "ecosystems" are
> fashioned after the same model.
>
> I'd have to see some statistics to support Tim's "major vector"
> assertion above.
>

There are lots of reports, analysis and case studies released by a
number of reputable security firms. Just do a basic google and you will
find plenty of evidence and statistics. Talk to any reputable security
firm and ask them what their experiences are. Most countries have some
form of government cyber security body - check any of them and you will
likely find statistics which show the percentage of major security
incidents where email was the initial vector used.

For example, NIST has a whole bunch of documents and frameworks dealing
solely with email security. Quoting from the NIST Cybersecurity
Framework and Email compliance document from August 25, 2021
https://www.tessian.com/blog/nist-cybersecurity-framework-and-email-security/

"Ransomware is becoming the most severe cybersecurity threat in the
current threat landscape. Because many, if not most, ransomware attacks
start via email, improving your organization’s email security and its
ransomware defense posture go hand-in-hand."

Frameworks like the NIST framework can go a long way to improving the
security of email. However, the big problem is the human factor.
Companies are spending huge amounts on training and education of staff
to make them less vulnerable to social engineering, but this has high
costs and is difficult to maintain. Often, the business response is to
reduce or minimise the exposure by adopting alternative solutions. It
isn't an argument about how good the technology is or how it can be more
efficient than web based alternatives or case studies showing how a team
using email was more efficient than one using product X. This is largely
about risk mitigation, streamlining administration, reducing dependency
on in-house technical skills and avoiding negative PR. Like it or not,
email has got a sour taste for management in many corporations and this
is driving the change. Focusing on the technical aspects is misguided as
it fails to recognise the real drivers behind the shift. 

To be honest, I'm a little surprised this seems to be 'news', but then
again, I spent the last 10 years working in the security space and that
has probably skewed my view on what is 'known' more broadly. Attend
enough conferences, seminars and workshops and you soon forget what you
know is not always general knowledge. 

As to the question of other communication channels also having security
vulnerabilities - yes of course. No system is 100% secure. However, many
of the alternatives being proposed in many companies allow strong or
more effective mitigation strategies. In a large part this is due to
greater control over who can inject information into the system, greater
control over what users can do and more control over keeping core
components up-to-date. There is also the 'obscurity' aspect - things
like ransomware are a numbers game - the more people you can target,
the higher the chance of success. With email, it is easy because you just
craft an appropriate email with the right payload. With other
communications channels, you have to be more specific and target
vulnerabilities within that specific product to get your payload into
the system and then get it delivered to the user's browser (or app or
whatever). Basically, the ROI isn't as good.

Mobile devices and apps are definitely a significant challenge and
increasingly so as time passes. However, I never stated these other
channels are secure or without problems. It is almost certainly the case
that if a majority of companies moved away from email to other
platforms, those platforms will begin to be targeted more because they
will provide a higher ROI. However, they will also likely require a
higher skill set level than the current situation with email. This too
will change as more 'canned' exploits become available in the market,
but that will take time. Look at the macOS platform. There are still
lots of people who believe that platform is not vulnerable to viruses.
In reality, it is probably just as vulnerable as modern MS Windows, but
the ROI for development of macOS viruses is much lower than for Windows.
It is a numbers game. 

On a side note, I was just talking to my daughter - she is 20. I asked
her about her use of email. She showed me the email 'icon' on her phone.
Her current count of unread email messages is 8400! I asked her how many
of her friends' email addresses she knew. She said 1.

I cannot convince anyone really. All I can do is put forward my view and
experience. After leaving my last permanent position, I spent a few
years consulting, mainly in the Identity and Access management area. I
know from speaking to many executives in medium and large organisations,
email is one of their highest concerns and they are actively moving to
reduce dependency and incorporation of email in core business processes.
I know from talking to my children (one 20, the other 25) that email
doesn't even get considered in their communications and I know from the
last project I worked at in the University that younger students are not
at all interested in email.

Personally, I love email. As a blind programmer, it is much more
accessible than any of the alternatives. I've had an email account since
the 80s. I love the power of email based workflows. However, this makes
no difference. If Emacs wants to encourage contributions from younger
users and wants to appear relevant, we probably need to seriously
consider providing alternatives to a community centred around email.
This doesn't mean we have to replace existing channels, but instead
add/augment them with additional interfaces.