On Wed, February 4, 2015 16:55, Warren Young wrote:
>> On Feb 4, 2015, at 12:16 PM, Lamar Owen <lowen at pari.edu> wrote:
>>
>> Again, the real bruteforce danger is when your /etc/shadow is
>> exfiltrated by a security vulnerability
>
> Unless you have misconfigured your system, anyone who can copy
> /etc/shadow already has root privileges. They do not need to crack
> your passwords now. You are already boned.
>
>

My thought exactly.

--
*** E-Mail is NOT a SECURE channel ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
On Thu, February 5, 2015 9:06 am, James B. Byrne wrote:
>
> On Wed, February 4, 2015 16:55, Warren Young wrote:
>>> On Feb 4, 2015, at 12:16 PM, Lamar Owen <lowen at pari.edu> wrote:
>>>
>>> Again, the real bruteforce danger is when your /etc/shadow is
>>> exfiltrated by a security vulnerability
>>
>> Unless you have misconfigured your system, anyone who can copy
>> /etc/shadow already has root privileges. They do not need to crack
>> your passwords now. You are already boned.
>>
>>
>>
>
> My thought exactly.
>

After all this discussion about "is this enough for good security or should we add something else", the latter not requiring tremendously larger effort, I'm left with the following feeling. I'm a "relic" left from a long time ago when security was considered paramount, when if something could be done it had to be done, no matter that the same was allegedly covered by something else already in place. We always considered the word "paranoia" to be in a sysadmin's job description (I still do, yet I haven't checked IT job descriptions lately; maybe I should take a look; there seem to be many "Windows"-brew people up at the top of the IT ladder these days). I feel like there is a brave new world of admins who feel it right to have "iPad-like" everything, i.e. boxes cooked up and sealed by the vendor, and you have no way even to look inside, let alone re-shape the interior to your understanding [of security or anything else]. Am I the only one?

Not that this comment of mine is meant as a contradiction to any particular post (this post I'm replying to included). It is just that the existence (and length) of this discussion (whether one should, or shouldn't, or anything) makes me think that what I was trained about security is not accepted by many these days. Or maybe I simply got tired following it instead of spending more time doing my own sysadmin job??

Good luck, everyone. Stay safe and keep your boxes secure!
Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Thu, Feb 5, 2015 at 9:27 AM, Valeri Galtsev <galtsev at kicp.uchicago.edu> wrote:
>
> ... there seem to be many
> "Windows" brew people up on the top of IT ladder these days). I feel like
> there is brave new world of admins who feel it right to have "iPad-like"
> everything, i.e. boxes cooked up and sealed by vendor, and you have no way
> even to look inside, not to say re-shape interior to your understanding
> [of security or anything else]. Am I the only one?

You are conflating two unrelated things. Being shipped with usable defaults has nothing to do with your subsequent ability to change them. Just the need and advisability of such work.

> Not that this my comment meant as contradiction to any particular post
> (this post I'm replying to included). It is just the existence (and
> length) of this discussion (whether one should, or shouldn't, or anything)
> makes me think that what I was trained about security is not accepted by
> many these days. Or maybe I simply got tired following it instead of
> spending more time doing my own sysadmin's job ??

It's not that it is wrong - just that if there are one or a few ways to do it right, the box might as well come that way, or with just those few choices, to get a working default instead of requiring individual attention to a million details.

--
Les Mikesell
lesmikesell at gmail.com
On Thu, 2015-02-05 at 09:27 -0600, Valeri Galtsev wrote:
> .......... I feel like
> there is brave new world of admins who feel it right to have
> "iPad-like" everything, i.e. boxes cooked up and sealed by vendor, and
> you have no way even to look inside, not to say re-shape interior to
> your understanding [of security or anything else]. Am I the only one?

Foolish and stupid implicit trust in a third party. Just look at the Windoze world ever since Win95 (first edition of many) materialised. Trust M$ and get a free virus every time!

I don't use my Android tablet after I discovered a default setting (semi-hidden away) was "Trust Google by automatically sharing all passwords with Google". I would like to use the tablet but only when there is a major free and entirely open source version of Linux available for it.

Then there is the BIOS (or similar) with a functioning TCP/IP stack, so I am told. How good is security when a low level backdoor exists? Keeping Uncle Sam and his associates out does not make everyone a dangerous threat to public safety and to national security.

Don't forget about the Chinese switching equipment which some believe could be controlled remotely by the Chinese.

Paper and pen (or Biro/ball-point) was massively more secure.

Are we stupid because we place so much inherent trust in the honesty and integrity of others whilst never having an opportunity to verify their offerings?

Open Source, all the way down to the motherboard, is increasingly important for the efficient and safe functioning of our global society, from traffic lights to hospital life-saving machinery.

When will Centos (RH) be able to replace Google on Android tablets?

> Good luck, everyone. Stay safe and keep your boxes secure!

It is not only the "boxes" which must be kept secure. Increasing amounts of data mean security must be increased too and become a normal 'way of life'.

In addition to my Centos Learning mailing list suggestion, I would like to see a free web based Centos security questionnaire to ask users security-related questions and then present a rating based upon their correct answers.

Red Hat people and Fedora people too lurk on here, yet there is a reluctance (probably commercially inspired) to fully respond to the challenges threatening all of us 'today'.

--
Regards,

Paul.
England, EU.

Je suis Charlie.