[sane-devel] Remove user authorization support from net backend / saned frontend?

Kelly Price strredwolf at gmail.com
Fri Apr 8 13:00:15 BST 2022


On Fri, Apr 8, 2022 at 7:41 AM Johannes Meixner <jsmeix at suse.de> wrote:
> Why?
> I described why even some weak authentication
> could be useful in a trusted environment.
>

Authentication is not encryption.  Authentication is *access control*.
Encryption is *data privacy*. Don't confuse the two.

Remember, we don't know what is being scanned in.  It could be orders
with written credit card numbers.  It could be trade secrets.  It
could be some kid's fridge art.

>
> > if some rogue actor has root control over a server
>
> Such a case does not need to be considered
> for things inside a trusted environment.
>

Hacking of a server to drop a root access trojan program happens in
"trusted environments."  Have you not heard the news of it happening
to Microsoft and Okta?

In this case, a "trusted environment" is one that is fully isolated
from the Internet.  If there's any connection that lets it go out, no
matter what medium, it's not isolated. Everything else is "more
secured."

>
> > Having folks get asked for a username/password
> > will prevent the curious.
>
> Yes, that's the idea of it.
> Prevent in particular accidental use.
> Just like door plates at toilets.
>
> If you like access for everyone
> do not set up authentication.
>

Let's settle one thing:  I'm for preventing the curious.  I'm also for
preventing the rogue.  "Secure the connection" means "encrypt the
connection and authenticate while encrypted."  Are you not for
securing the connection?


Kelly "STrRedWolf" Price
http://redwolf.ws


