
memfd_secret() in 5.14

memfd_secret() in 5.14

Posted Aug 7, 2021 21:35 UTC (Sat) by Wol (subscriber, #4433)
In reply to: memfd_secret() in 5.14 by mpr22
Parent article: memfd_secret() in 5.14

No they aren't.

But if the company DEMANDS that I put company data on *my* laptop, and the company DEMANDS that company data is not put on any unsecured device, that combo will land the company in serious trouble if they insist!

They are demanding that I put company approved security software on a personal device. That falls foul of both employment law and the Computer Fraud And Abuse Act or whatever it's called.

And actually, my employer has just fallen foul of that combo this last week. No foul intent on either side, but they've supplied me with a company laptop that requires 2FA. That requires the authentication software to be installed on a secured mobile, and I refused point-blank to secure my personal mobile. Actually, the company had supplied me with a company mobile, but I was having problems setting it up, so they just had to accept that I was unable to log in to the corporate network. The equipment they'd supplied didn't work, and if I didn't want to use my equipment instead, there was nothing they could do about it. (They were happy about me using my personal phone, I wasn't!)

(If I choose not to secure my personal phone, that is down to me. I also choose to actively avoid putting anything sensitive on said phone, so I have no problem with that. And I also choose not to put any sensitive data on Google, so losing my phone won't compromise what isn't there to be compromised.)

You're making the same mistake as Khim - you're assuming everything is work, and work over-rides everything. It doesn't - what I do in my personal time with my personal kit is down to me, which is why I often find myself without electric - I go "off grid". From choice.

Cheers,
Wol



memfd_secret() in 5.14

Posted Aug 7, 2021 21:56 UTC (Sat) by mpr22 (subscriber, #60784) [Link] (9 responses)

> You're making the same mistake as Khim - you're assuming everything is work, and work over-rides everything.

Mostly, I'm assuming that if my employer wanted me to run a specific secure build of an operating system, they would provide the equipment to run it on.

Like, I have to run a 2FA app on my phone to use the company VPN, but I wasn't asked to install a special build or security profile or anything (and if they did, I would say "give me a company phone then, because you're not putting fancy nonsense on my personal device").

memfd_secret() in 5.14

Posted Aug 8, 2021 10:24 UTC (Sun) by khim (subscriber, #9252) [Link] (8 responses)

And here, again, you are not looking at the large picture but specifically at your own company in your own tiny corner of the world.

Look outside, please. What usually happens is not that companies demand you to do something to your hardware. No, absolutely not. It's always your choice. You may follow BYOD route or not. If you wouldn't lock down your hardware and wouldn't install company software — that's fine, too. You would just have no access to VPN and would only be able to read mail while physically in office.

But, of course, at the end of the year your performance would be compared to performance of people who are not this finicky and if your KPI would be not sufficient… you would get smaller bonus or may even be fired.

That is how it usually works and that is how 90% of devices end up bound to the companies policies. Yes, there are some outliers and there would always be, probably, some expensive toys for freedom-lovers who are ready to pay for the privilege. But they would just not matter much for the big picture and can be, usually, ignored.

That is what I have meant and that is what is happening today. You may not like the fact that the overwhelming majority of phones are locked devices and laptops are slowly drifting in that direction, too — but that's just what objectively happens. Independently of our wishes.

I don't like it, too. But I, unlike Wol, can see a bit farther than the end of my own nose and can see what and why happens because of that change.

memfd_secret() in 5.14

Posted Aug 8, 2021 16:03 UTC (Sun) by anselm (subscriber, #2796) [Link] (5 responses)

Personally I would not be prepared to work for an employer who is unwilling to provide me with a suitable computer and phone to use for company business. The IT job market being what it is these days, paying for decent tools is a prerequisite for companies that want to attract (and keep) top-quality talent – and compared to a software developer's compensation, the price of even very good hardware is virtually negligible, so putting off potential applicants by requiring them to supply their own work equipment at their own expense (and then insisting on controlling what software is installed on that equipment and how it is configured) doesn't even make good business sense.

memfd_secret() in 5.14

Posted Aug 8, 2021 16:55 UTC (Sun) by khim (subscriber, #9252) [Link] (4 responses)

> Personally I would not be prepared to work for an employer who is unwilling to provide me with a suitable computer and phone to use for company business.

They probably can. If you are really fussy. But it's often just easier for both user and company when you only need one phone and one laptop to travel somewhere.

> The IT job market being what it is these days, paying for decent tools is a prerequisite for companies that want to attract (and keep) top-quality talent – and compared to a software developer's compensation, the price of even very good hardware is virtually negligible, so putting off potential applicants by requiring them to supply their own work equipment at their own expense (and then insisting on controlling what software is installed on that equipment and how it is configured) doesn't even make good business sense.

Who said anything about the IT job market? It's tiny. Various estimates put the number of software developers worldwide between 20 and 30 million. But there are half a billion laptops in use and many billions of smartphones. Simple math shows that software developers are a tiny, almost negligible percentage of all users.

Yes, there is a shortage of software developers and yes, because of that they can enjoy the luxury of being treated differently. But the majority of people are not in that position. They couldn't really play “oh, I want to do whatever I want with the device I own — and you have to bend over backward to accommodate my wishes” games. If an accountant or a simple clerk would try that game — they would be fired and someone else would take their place. It's not that hard.

And the needs of these people are what drives the development of software and hardware. Most of them want to have locked down device — if that would bring more money for food and other spendure.

Just ask your friends who are not software developers.

And if that's what they want then Industry would provide that. And kernel development, today, is part of the Industry. It doesn't matter if you like that or not — it's just the fact.

memfd_secret() in 5.14

Posted Aug 8, 2021 23:54 UTC (Sun) by anselm (subscriber, #2796) [Link] (3 responses)

> Just ask your friends who are not software developers.

Guess what, my friends who are not software developers usually also have company laptops and phones – and like it that way. After all it's a lot easier to ignore or switch off the company phone outside business hours, over the weekend, or during your vacation than your own phone, especially given that with such an arrangement your boss and colleagues don't need to know your private phone number, which is none of their business.

From a company POV, apart from the recruitment issues mentioned earlier, my friends' employers' IT operations and support people presumably prefer dealing with mostly-uniform hardware from known suppliers (including on-site support contracts, and having spares on hand if a machine breaks) and a common standardised software and UI setup, and definitely don't want the security nightmare of employees maintaining VPN connections into the company from their own machines that are also independently connected to the public Internet for non-company stuff (because of course they don't want to route all their employees' Netflix traffic through the company VPN, either). Many companies tend to figure out eventually that giving people centrally-maintained company hardware to use on the job is cheaper in the long run than dealing with the ongoing hassle and expense of getting people's random privately-bought computers to work properly (and securely) on the company's network. The lucky ones do so before the first malware infestation of the company's network via an employee's BYOD computer.

memfd_secret() in 5.14

Posted Aug 9, 2021 7:51 UTC (Mon) by khim (subscriber, #9252) [Link] (2 responses)

> Guess what, my friends who are not software developers usually also have company laptops and phones – and like it that way.

Interesting. So you have certainly managed to avoid the trend. Because statistics don't support your words at all: 87% of businesses are dependent on their employee’s ability to access mobile business apps from their smartphone and 67% of employees use personal devices at work.

I would guess this percentage is smaller in US and EU and bigger in third-world countries (almost all my friends from Egypt, Iran and Russia don't know about BYOD or any such fancy acronyms because no one ever thought about providing them with company smartphone and very rarely they got a company-provided laptop), but Bitglass, the Next-Gen CASB company, is based in Silicon Valley with offices worldwide — and it observes what I observe and not what you and Wol are observing.

And while your words sound convincing — they don't explain why things you observe and things independent statistics observe don't match.

Because statistics very clearly show that use of personal devices for work purposes is growing, not shrinking and the mitigation strategy chosen by the Industry is to make them… “less personal”, I guess: make sure bootloader is locked or security enclaves are installed (things like Intel SGX are developed for that purpose) and so on.

Add to that the fact that states (not just China or Iran, but also EU and US) increasingly want to ensure that nefarious sites they want to ban remain inaccessible to the most of the population — and you can easily imagine where all that is going.

memfd_secret() in 5.14

Posted Aug 9, 2021 9:15 UTC (Mon) by anselm (subscriber, #2796) [Link]

There can also be regulatory-environment issues that work against BYOD. Here in Germany (as in the rest of the EU) there are very strict personal-data protection requirements that need to factor into companies' risk assessments. Many companies reasonably conclude that having customer or client data stored on (or even accessible from) employee-owned hardware is not a Good Idea, due to compliance issues and the increased risk of data breaches and associated fines/bad PR.

(The article you cite looks interesting but the statistics it quotes seem fishy in various respects. It is also tainted by the fact that the author himself seems to be a big fan of BYOD. I probably wouldn't want to lean on it too heavily for support.)

memfd_secret() in 5.14

Posted Aug 9, 2021 10:32 UTC (Mon) by kleptog (subscriber, #1183) [Link]

The statistics are interesting, but I wonder if they're skewed by many companies having people log in remotely via Citrix or just using an online website or some such. Then sure, users can use any computer they like, it doesn't matter. Similarly, if the phone is only used for phone calls and no actual data is stored I can imagine the "using own phone for work" is doable.

The GDPR basically makes storing company data on uncontrolled personal computers a non-starter for most businesses. But remote access gives the user a controlled system, and web-browsers promise not to cache data fetched via TLS.

They can of course say you have to bring your own device otherwise they won't hire you. On the flip side, they're not allowed to just randomly add monitoring to your personal device and if anything goes wrong (like your home laptop gets hacked) you as employee bear no liability. Which is why companies often hand out laptops anyway because as owner they have many more possibilities to secure the device.

memfd_secret() in 5.14

Posted Aug 8, 2021 16:32 UTC (Sun) by Wol (subscriber, #4433) [Link] (1 responses)

> I don't like it, too. But I, unlike Wol, can see a bit farther than the end of my own nose and can see what and why happens because of that change.

You probably don't have to look that far to find plenty of posts by me where I see what is happening, and indeed, I rail against people who are blind to the realities of life. After all, there are plenty of occasions - on LWN - where I rail *against* this blind belief in some thing called "freedom".

But thanks for making me look like RMS. Thanks for making me look like a person who actually DOES BELIEVE in personal choice. This whole thread is because you're advocating TAKING AWAY OTHER PEOPLES' CHOICE.

So on a site full of people dedicated to Freedom, and Choice, thanks for making me look good!

I believe Fascism is defined as "Rule By Corporation". If you want to actively help that, that's down to you. As soon as we lose the WILL to defend freedom, we lose the war. Personally, I don't want to be a corporate slave.

Cheers,
Wol

memfd_secret() in 5.14

Posted Aug 8, 2021 17:19 UTC (Sun) by khim (subscriber, #9252) [Link]

> This whole thread is because you're advocating TAKING AWAY OTHER PEOPLES' CHOICE.

Seriously? You think I want to see people who don't have a choice? I don't.

But if people don't care about fighting for that choice (doesn't matter if that's because of ignorance or because they don't really want to have choice in the first place) then it would be taken from it.

I'm only discussing the implications.

> As soon as we lose the WILL to defend freedom, we lose the war.

Who are these mythical “we”? 2½ geeks? They don't really matter much in the grand theme of things. The majority of people? They don't care and thus it's not even worth discussing if war would be lost or not. We can only discuss how and when that loss would happen.

> But thanks for making me look like RMS. Thanks for making me look like a person who actually DOES BELIEVE in personal choice.

He is also a person who went from someone whose voice was important to someone who is ostracized and [almost] kicked out from his own organization, don't forget that.

It's only a matter of time when both his and your opinions would become irrelevant.

Mine don't matter much, too, I freely admit that. But at least I don't pretend that I can do things which I can not, really, do.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds