On Mon, 2015-02-02 at 15:17 -0700, Warren Young wrote:

> The answer is clear to me: general security principles. By the time EL8
> comes out, we'll have had ~3 years of warnings under EL7 that weak
> passwords would not be tolerated, and they're finally disallowing them.
> Good!
>
> (More like 6 years, actually, because EL6 gives a red warning bar for
> weak passwords.)
>
> Let's flip it around: what's your justification *for* weak passwords?

Wrong point. Wrong focus. Ultimately it is for the deployer (and the user if Root) to determine. To suggest otherwise is pure arrogance.

M$ users do not own their machines. M$ does. M$ determines what they can do and what data M$ secretly collects on them, stores on the machine and prevents the user viewing. Seems like another move towards emulating M$.

If testing then a one character password is very acceptable to me. Why should some arrogant nutter impose an arduous ultra secure password when a simple one character password will suffice? Who knows the machine, the deploying environment and the circumstances better? The user or some anonymous and arrogant nutter perhaps many thousands of miles (or kilometers) away?

Remember machines should be working for the convenience of Humanity - not for the convenience of anonymous nutters who know absolutely nothing about the user's work situation! Generally having strong passwords is good however generalised circumstances should never be forced down the throats of loyal users. An English (as in England, Europe) saying is:-

Rules were made for the guidance of wise men, but for the obedience of fools!

If everyone is willing to donate USD 1, then perhaps we could lend him to M$ where security is so lax he could do some enormous good.

No need to waffle Warren. You've lost this one :-)

-- 
Regards,

Paul.
England, EU. Je suis Charlie.
On 03/02/15 10:31, Always Learning wrote:

> Remember machines should be working for the convenience of Humanity -
> not for the convenience of anonymous nutters who know absolutely nothing
> about the user's work situation!

'anonymous nutters'? I guess those people on the cited mail lists are using fake names. Given you're carrying on about being English, maybe you should contemplate the slander, libel and defamation laws in that country as well as in other countries where your post may be being read.

> No need to waffle Warren. You've lost this one :-)

I don't think it's Warren who's waffling. I certainly don't think the people on the referenced mail lists are anonymous, or nutters. And just to be 100% clear, you're certainly not speaking for me.

Pete.
On Mon, February 2, 2015 5:31 pm, Always Learning wrote:

> On Mon, 2015-02-02 at 15:17 -0700, Warren Young wrote:
>
>> The answer is clear to me: general security principles. By the time EL8
>> comes out, we'll have had ~3 years of warnings under EL7 that weak
>> passwords would not be tolerated, and they're finally disallowing
>> them. Good!
>>
>> (More like 6 years, actually, because EL6 gives a red warning bar for
>> weak passwords.)
>>
>> Let's flip it around: what's your justification *for* weak
>> passwords?
>
> Wrong point. Wrong focus. Ultimately it is for the deployer (and the
> user if Root) to determine. To suggest otherwise is pure arrogance.
>
> M$ users do not own their machines. M$ does. M$ determines what they can
> do and what data M$ secretly collects on them, stores on the machine and
> prevents the user viewing. Seems like another move towards emulating M$.
>
> If testing then a one character password is very acceptable to me. Why
> should some arrogant nutter impose an arduous ultra secure password when
> a simple one character password will suffice? Who knows the machine,
> the deploying environment and the circumstances better? The user or
> some anonymous and arrogant nutter perhaps many thousands of miles (or
> kilometers) away?
>
> Remember machines should be working for the convenience of Humanity -
> not for the convenience of anonymous nutters who know absolutely nothing
> about the user's work situation! Generally having strong passwords is
> good however generalised circumstances should never be forced down the
> throats of loyal users. An English (as in England, Europe) saying is:-
>
> Rules were made for the guidance of wise men,
> but for the obedience of fools!

Yet, the "fools" are so inventive, they often find a way around rules.

Valeri

> If everyone is willing to donate USD 1, then perhaps we could lend him
> to M$ where security is so lax he could do some enormous good.
>
> No need to waffle Warren. You've lost this one :-)
>
> --
> Regards,
>
> Paul.
> England, EU. Je suis Charlie.
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On 3 February 2015 at 10:31, Always Learning <centos at u64.u22.net> wrote:

> If testing then a one character password is very acceptable to me. Why
> should some arrogant nutter impose an arduous ultra secure password when
> a simple one character password will suffice? Who knows the machine,
> the deploying environment and the circumstances better? The user or
> some anonymous and arrogant nutter perhaps many thousands of miles (or
> kilometers) away?

I know it's hard to believe, but you are not the only one using this OS. There are a broad range of users with a broad range of experience using the OS in a broad range of scenarios. One important group is new users with limited experience and knowledge about security. This is an important group to protect. More experienced users understand this and put up with, or work around, the occasional inconvenience. This is not arrogance, this is about being a responsible member of a community. It is important for all of us to encourage (and discuss) good security practices, as well as discourage (and refute) poor practices. Ultimately, this makes our community a safer place. It is my, perhaps naive, hope that members of our community are Always Learning about good security practices and emerging threats to the OS.

The root password is close to, if not actually, our last line of defense (SELinux helps us here by the way). Using a one character password is problematic if you are connected to the internet, for example, if you are _testing_ the OS and want to run updates after the install. This is problematic since, by default, new installs typically allow SSH access and root logins over SSH. Yes, firewalls help, but they need to be configured correctly, and there are subtle tricks that sophisticated attackers can exploit to subvert poorly configured firewalls. If you really want to do this, I'd suggest running your test system in some kind of DMZ to prevent any exploit cascading into the rest of your network.

It may just be easier to pick a "good" but easy to type root password that you use for all your test machines. Also, it's a good idea to make sure you always turn off your test machines when not in use, and to disable them once you are finished testing (so they can't be accidentally turned on in the future).

Hope this helps.

Kal
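The default Kal refers to (a fresh install accepting root logins over SSH) can be checked, and the fix staged, with the script below. This is an added example, not code from the thread or from the CentOS project. It assumes the two sshd behaviours documented for OpenSSH of that era: the first occurrence of a keyword in sshd_config wins, and an absent PermitRootLogin means "yes". The sample config content is constructed.

```shell
#!/bin/sh
# Added example (not from the thread or the CentOS project): audit an
# sshd_config for PermitRootLogin and produce a hardened copy.
# Assumptions: sshd honours the FIRST occurrence of a keyword, and an absent
# PermitRootLogin defaults to "yes" (the EL7-era default).

# Print the effective value of keyword $2 in config file $1, or default $3.
sshd_effective() {
    val=$(awk -v key="$2" '
        /^[[:space:]]*#/ { next }                       # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }  # first match wins
    ' "$1")
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# Exit 0 when root may log in over SSH with a password, 1 otherwise.
# Only "yes" permits a root password; without-password / prohibit-password
# still allow root with a key, forced-commands-only with a key plus command.
sshd_root_password_login_permitted() {
    case "$(sshd_effective "$1" PermitRootLogin yes)" in
        yes) return 0 ;;
        *)   return 1 ;;
    esac
}

# Write a hardened copy of $1 to $2: "PermitRootLogin no" goes first (so it
# wins) and existing PermitRootLogin lines are commented out, not deleted,
# so the change stays visible to a later audit.
sshd_harden_copy() {
    {
        printf 'PermitRootLogin no\n'
        sed 's/^[[:space:]]*\(PermitRootLogin[[:space:]].*\)$/# disabled by audit: \1/' "$1"
    } > "$2"
}

# Stand-alone demo on a constructed sample resembling a fresh install.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
# constructed sample, not a real host's file
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
EOF
if sshd_root_password_login_permitted "$demo_dir/sshd_config"; then
    echo "root password login over SSH: PERMITTED (PermitRootLogin=$(sshd_effective "$demo_dir/sshd_config" PermitRootLogin yes))"
fi
sshd_harden_copy "$demo_dir/sshd_config" "$demo_dir/sshd_config.hardened"
if sshd_root_password_login_permitted "$demo_dir/sshd_config.hardened"; then
    echo "hardened copy still permits root password login"
else
    echo "hardened copy: PermitRootLogin=$(sshd_effective "$demo_dir/sshd_config.hardened" PermitRootLogin yes)"
fi
rm -rf "$demo_dir"
```

Run it against /etc/ssh/sshd_config on a real host to see which value sshd will actually use; the commented-out line `#PermitRootLogin yes` that stock files ship with is ignored, which is exactly why the audit skips comments rather than grepping for the keyword.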
On Tue, 2015-02-03 at 10:44 +1100, Peter Lawler wrote:

> On 03/02/15 10:31, Always Learning wrote:
>
>> Remember machines should be working for the convenience of Humanity -
>> not for the convenience of anonymous nutters who know absolutely nothing
>> about the user's work situation!
>
> 'anonymous nutters'? I guess those people on the cited mail lists are
> using fake names. Given you're carrying on about being English, maybe
> you should contemplate the slander, libel and defamation laws in that
> country as well as in other countries where your post may be being read.

Didn't cite any mailing list. One can not defame an anonymous nutter/expert/genius/fool. Can't be slander because that is oral defamation.

When the changes (a.k.a. improvements) are introduced, just how many users will be aware of the identities of those who promoted and implemented those changes? Very few, if any. Hence 'anonymous' is definitely justified in that context. Nutters seems justified because a wise decision maker will always permit informed users to make their own choice.

> And just to be 100% clear, you're certainly not speaking for me.

Writing for myself is sufficient. This list does not yet circulate audio messages.

-- 
Regards,

Paul.
England, EU. Je suis Charlie.
On Tue, Feb 03, 2015 at 10:44:31AM +1100, Peter Lawler wrote:

> On 03/02/15 10:31, Always Learning wrote:
>
>> Remember machines should be working for the convenience of Humanity -
>> not for the convenience of anonymous nutters who know absolutely nothing
>> about the user's work situation!
>
> 'anonymous nutters'? I guess those people on the cited mail lists are
> using fake names.

Whether anonymous or not, they continually show that they have no idea of a work situation. Each time we work around it. As I understand it, the rationale is because RH allows ssh root login by default. I'd rather they change that, but I also want to have millions of dollars and be admired by everyone.

-- 
Scott Robbins
PGP keyID EB3467D6 ( 1B48 077D 66F6 9DB0 FDC2 A409 FA54 EB34 67D6 )
gpg --keyserver pgp.mit.edu --recv-keys EB3467D6
On Tue, 2015-02-03 at 11:57 +1100, Kahlil Hodgson wrote:

> One important group is new
> users with limited experience and knowledge about security. This is
> an important group to protect.

> It is important for all of us to encourage (and discuss)
> good security practices, as well as discourage (and refute) poor
> practices. Ultimately, this makes our community a safer place.

Perhaps a topic for the Centos Wiki entitled Basic Security on Your New Machine?

> The root password is close to, if not actually, our last line of
> defense (SELinux helps us here by the way).

Surely the whole idea is to prevent nasty things getting in. Disable FTP. Change SSH ports. Restrict access to sensitive parts from known IPs. Run Logwatch or similar (and amend the reports using /etc/logwatch ...). Read the logs. Allocate file and directory permissions to users lacking any log-on ability. There is a lot that can be done.

> Using a one character
> password is problematic if you are connected to the internet, for
> example, if you are _testing_ the OS and want to run updates after the
> install.

But if one is doing things on an isolated machine unconnected to anything why the password aggro? Best never to speculate when attempting to justify a harsh and arrogant policy of DO WHAT RHEL DEMANDS. I prefer a clear warning and then let the user make an informed choice. After their first hacking they will not make a similar mistake again.

> This is problematic since, by default, new installs typically
> allows SSH access and root logins over SSH.

Then block it as part of the installation process and let the user open what they think they need. Not sure if you are correct about SSH. Root usually (if I remember correctly) needs to be permitted.

> Yes, firewalls help, but
> they need to be configured correctly, and there are subtle tricks that
> sophisticated attackers can exploit to subvert poorly configured
> firewalls.

Again another opportunity for a good Centos Wiki article. A basic firewall setup. Then a series of examples: to achieve this, do that. Obviously good and clear explanations are needed to enable impeccable understanding of the firewall logic. Yes help the new users. Perhaps even a Centos NewUsers list devoid of all the more technical things. It could cater for single machine users.

> If you really want to do this, I'd suggest running your
> test system in some kind of DMZ to prevent any exploit cascading into
> the rest of your network.

Not really sure what a (USA military) DMZ looks like. Security has always been my highest priority. "When in doubt, lock 'em out" is my motto.

> It may just be easier to pick a "good" but
> easy to type root password that you use for all your test machines.
> Also, its a good idea to make sure you always turn off your test
> machines when not in use, and to disable them once you are finished
> testing (so they can't be accidentally turned on in the future).

Unnecessary in my working environment. I write and test virtually every day, 7 days a week. No machine, test or production, has unrestricted access to/from the Internet. Unused ports are blocked. Unused applications are removed or disabled. SSH is allowed from only 3 IPs. Instant IP blocking for suspicious activity has been a basic component for the last 3 or 4 years, or longer. It was the first security enhancement I programmed. To save electricity equipment is turned off when not in use.

-- 
Regards,

Paul.
England, EU. Je suis Charlie.
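Paul's "read the logs" and "instant IP blocking for suspicious activity", combined with SSH being allowed from a short list of known addresses, come down to a detection step that can be shown in a few lines of sh and awk. The script below is an added example, not Paul's own program and not anything from the CentOS project: it tallies failed SSH password attempts per source address from /var/log/secure-style lines, keeps those at or above a threshold, and drops addresses on an allowlist. The log lines and the three allowlisted addresses are constructed, using documentation ranges (203.0.113.0/24 and 198.51.100.0/24).

```shell
#!/bin/sh
# Added example (not Paul's code or the CentOS project's): the detection step
# behind "instant IP blocking for suspicious activity". Reads sshd lines in
# the /var/log/secure format on stdin, counts failed password attempts per
# source address, reports those at or above a threshold, then removes the
# addresses SSH is legitimately allowed from. All sample data is constructed.

# Usage: ... | ssh_failed_by_ip THRESHOLD   -> lines "IP COUNT", sorted by IP
ssh_failed_by_ip() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the source address is the field after the word "from"
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails) if (fails[ip] >= limit) printf "%s %d\n", ip, fails[ip]
        }' | sort
}

# Usage: ... | filter_allowlist "IP IP IP"  -> drops rows whose IP is listed
filter_allowlist() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($1 in ok)'
}

# Constructed sample of /var/log/secure in the format sshd writes on EL6/EL7.
sample_secure_log() {
    cat <<'EOF'
Feb  3 10:31:35 testbox sshd[2110]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb  3 10:31:37 testbox sshd[2110]: Failed password for root from 203.0.113.5 port 51234 ssh2
Feb  3 10:31:39 testbox sshd[2112]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Feb  3 10:31:40 testbox sshd[2115]: Accepted publickey for paul from 198.51.100.20 port 40011 ssh2
Feb  3 10:31:42 testbox sshd[2118]: Failed password for paul from 198.51.100.20 port 40012 ssh2
Feb  3 10:31:45 testbox sshd[2120]: Failed password for root from 203.0.113.5 port 51250 ssh2
Feb  3 10:31:50 testbox sshd[2122]: Failed password for root from 198.51.100.77 port 40100 ssh2
Feb  3 10:31:51 testbox sshd[2122]: Failed password for root from 198.51.100.77 port 40100 ssh2
Feb  3 10:31:52 testbox sshd[2122]: Failed password for root from 198.51.100.77 port 40100 ssh2
EOF
}

# Block candidates: three or more failures, minus the three permitted SSH
# sources (constructed allowlist standing in for "SSH is allowed from only 3 IPs").
block_candidates() {
    sample_secure_log | ssh_failed_by_ip 3 | filter_allowlist "198.51.100.20 198.51.100.21 198.51.100.77"
}

block_candidates
```

On a live host replace `sample_secure_log` with `tail -n 10000 /var/log/secure` (or a follow on the file) and feed the result to whatever blocks addresses on that machine; the allowlist matters because a typo at one of your own three addresses would otherwise lock you out of your own box, which is the same failure mode fail2ban's ignoreip setting exists to prevent.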
On Mon, Feb 02, 2015 at 11:31:35PM +0000, Always Learning wrote:

> If testing then a one character password is very acceptable to me. Why
> should some arrogant nutter impose an arduous ultra secure password when
> a simple one character password will suffice? Who knows the machine,
> the deploying environment and the circumstances better? The user or
> some anonymous and arrogant nutter perhaps many thousands of miles (or
> kilometers) away?

I'm curious, were you upset when Java (and various other software packages that use SSL) were updated to stop using SSLv3? Surely this would have caused problems with any testing infrastructure that wasn't open to the world that used pre-generated SSL certificates. The decision to disable it was made by the packagers of the software because of security implications. Sure, SSLv3 still works, it's just not secure. It's just some arrogant nutter who thinks that maybe we shouldn't be using it anymore.

-- 
Jonathan Billings <billings at negate.org>
On Tue, 2015-02-03 at 09:24 -0500, Jonathan Billings wrote:

> I'm curious, were you upset when Java (and various other software
> packages that use SSL) were updated to stop using SSLv3?

No. I do not use Java. Updating to prevent security breaches is *always* a good idea.

-- 
Regards,

Paul.
England, EU. Je suis Charlie.