> On Jul 28, 2015, at 11:27, Warren Young <wyml at etr-usa.com> wrote:
>
> On Jul 25, 2015, at 6:22 PM, Bob Marcan wrote:
>>
>> 1FuckingPrettyRose
>> "Sorry, you must use no fewer than 20 total characters."
>> 1FuckingPrettyRoseShovedUpYourAssIfYouDon'tGiveMeAccessRightFuckingNow!
>> "Sorry, you cannot use punctuation."
>> 1FuckingPrettyRoseShovedUpYourAssIfYouDontGiveMeAccessRightFuckingNow
>> "Sorry, that password is already in use."
>
> The new rules are nowhere near that stringent:
>
> http://manpages.ubuntu.com/manpages/trusty/man8/pam_pwquality.8.html
>
>> Who thinks the password policy in my machines is my concern.
>
> Much of the evil on the Internet today -- DDoS armies, spam spewers, phishing botnets -- is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
>
> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people's machines.
>
> In the previous thread on this topic, 6 months ago, I likened reasonable password strength minima to state-mandated vaccination. Previously-defeated diseases have started to reappear as the antivax movement has gained momentum. Polio came back in Pakistan, measles in California, and whooping cough in Australia, all within the last year or two.
>
> https://en.wikipedia.org/wiki/Vaccine_controversies
>
> So no, your local password quality policy is not purely your own concern.

Other than DDoS, which is a problem of engineering design of how the network operates (untrusted anything can talk to untrusted anything), what "risk" is created to other people's machines who have done appropriate security measures by a cracked machine owned by an idiot, that isn't easily handled in minutes, if not seconds, by fail2ban?

Equating this to "vaccination" is a huge stretch. It's more like saying the guy who left his front door unlocked all day is a threat to the neighbor's house.

Other than the perennial brokenness of a worldwide untrusted network piped straight into your home or business without an appropriate firewall and/or monitoring of said silly network, there's almost zero risk at all to the "house next door with a deadbolt and security bars". You can't "catch the insecure"... hahaha... it's not a virus.

-- 
Nate Duehr
denverpilot at me.com
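To make concrete what the pam_pwquality minima Warren links to actually reject, here is an added example (not code from the thread, and not pam_pwquality's own implementation) of a password-policy checker that mirrors its main knobs: minlen, minclass, maxrepeat, usercheck and a cracklib-style dictionary test. The thresholds, the function names, the sample passwords and the five-word "dictionary" are assumptions chosen for illustration.

```python
"""Added example (not the thread's or pam_pwquality's code): a password-policy
checker that mirrors the kind of minima pam_pwquality enforces -- minlen,
minclass, maxrepeat, usercheck and a dictionary check -- so the stringency of a
"reasonable" policy can be seen on concrete inputs. The thresholds and the
tiny word list below are assumptions for illustration."""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Policy:
    minlen: int = 8          # assumption; pam_pwquality's own default minlen is also 8
    minclass: int = 3        # assumption: need 3 of {lower, upper, digit, other}
    maxrepeat: int = 3       # reject a run of more than 3 identical characters
    usercheck: bool = True   # reject passwords that contain the username
    # constructed stand-in for the cracklib dictionary pam_pwquality consults
    dictionary: frozenset = field(default_factory=lambda: frozenset(
        {"password", "qwerty", "letmein", "welcome", "centos"}))


def char_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/other appear in pw."""
    lower = upper = digit = other = False
    for c in pw:
        if c.islower():
            lower = True
        elif c.isupper():
            upper = True
        elif c.isdigit():
            digit = True
        else:
            other = True
    return sum((lower, upper, digit, other))


def longest_run(pw: str) -> int:
    """Length of the longest run of one repeated character."""
    best = run = 0
    prev = None
    for c in pw:
        run = run + 1 if c == prev else 1
        best = max(best, run)
        prev = c
    return best


def check_password(pw: str, username: str = "", policy: Policy = Policy()) -> list:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems = []
    if len(pw) < policy.minlen:
        problems.append(f"shorter than {policy.minlen} characters")
    if char_classes(pw) < policy.minclass:
        problems.append(f"fewer than {policy.minclass} character classes")
    if longest_run(pw) > policy.maxrepeat:
        problems.append(f"same character repeated more than {policy.maxrepeat} times")
    if policy.usercheck and username and username.lower() in pw.lower():
        problems.append("contains the username")
    # cracklib-style dictionary test: exact match, or a word padded with digits/punctuation
    letters_only = "".join(c for c in pw.lower() if c.isalpha())
    if pw.lower() in policy.dictionary:
        problems.append("is a dictionary word")
    elif letters_only in policy.dictionary:
        problems.append("is a dictionary word padded with digits or punctuation")
    return problems


if __name__ == "__main__":
    # constructed sample inputs
    for pw, user in [("PrettyRose1", "bob"), ("Password1!", "alice"),
                     ("aaaaaaaa", "bob"), ("Bob2015!", "bob"), ("Ab1", "x")]:
        print(f"{pw!r}: {check_password(pw, user) or 'OK'}")
```

Note what the padded-dictionary branch does: "Password1!" satisfies length and three classes, so a minima-only policy accepts it, yet it is one of the first guesses any SSH brute-forcer tries. That check, not the length rule, is what separates a policy that annoys users from one that blocks the guess lists.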
On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote:
>
>> On Jul 28, 2015, at 11:27, Warren Young <wyml at etr-usa.com> wrote:
>>
>> So no, your local password quality policy is not purely your own concern.
>
> Other than DDoS which is a problem of engineering design of how the network operates (untrusted anything can talk to untrusted anything)

I'm not sure how you mean that comment.

If you're saying that the Internet is badly designed and that we need to rip it up and replace it before we can address DDoSes, you're trying to boil the ocean. We have real-world practical solutions available to us that do not require a complete redesign of the Internet. One of those is to tighten down CentOS boxes so they don't get coopted into botnets.

If instead you're saying that DDoSes are solvable with "just" a bit of engineering, then that's wrong, too. It takes a really big, expensive slice of a CDN or similar to choke down a large DDoS attack. I do not accept that as a necessary cost of doing business. That's like a 1665 Londoner insisting that city planning can only be done with close-packed wooden buildings.

I don't believe that the Internet must go through the equivalent of the Great Fire of 1666 before we can put our critical tech onto a more survivable foundation.

> what "risk" is created to other people's machines who have done appropriate security measures by a cracked machine owned by an idiot

Resource waste is enough by itself. How many billions of dollars goes into extra bandwidth, CDN fees, security personnel, security appliances, etc., all to solve a problem that is not necessary to the design of the Internet in the first place?

Back before the commercialization of the Internet, if your box was found to be attempting to DoS another system, you'd be cut off the Internet. No appeal, no mercy. It's all /dev/null for you.

Now we have entrenched commercial interests that get paid more when you get DDoS'd. I'll give you one guess what happens in such a world.

> easily handled in minutes, if not seconds, by fail2ban?

fail2ban isn't in the stock package repo for CentOS 7, much less installed and configured by default. Until it is, it's off-topic for this thread.

Mind, I'm all for fail2ban. If Fedora/Red Hat want to start turning it on by default, too, that's great.

> Equating this to "vaccination" is a huge stretch.

Why? If you are unvaccinated and catch some preventable communicable disease, you begin spreading it around, infecting others. This is exactly analogous to a box getting pwned, joining a botnet, and attempting to pwn other boxes.

When almost everyone is vaccinated, you get an effect called herd immunity, which means that even those few who cannot be vaccinated for some valid medical reason are highly unlikely to ever contract the disease because it cannot spread properly through the population.

> It's more like saying the guy who left his front door unlocked all day is a threat to the neighbor's house.

That's only true in a world where you have armed gangs running through the streets looking for free fortifications from which to attack neighboring houses. That is the analogous situation to the current botnet problem.

If that were our physical security situation today, then I would be advocating fortifying our physical dwellings, too.

Thankfully, that is not the case where I live.

The difference appears to be one of global society, rather than technology, but obviously we aren't going to solve any of that here.

> You can't "catch the insecure"... hahaha... it's not a virus.

Take an unvaccinated child on a long vacation to some 3rd world cesspit, then report back on how that worked out.

"Like every other creature on the face of the earth, Godfrey was, by birthright, a stupendous badass, albeit in the somewhat narrow technical sense that he could trace his ancestry back up a long line of slightly less highly evolved stupendous badasses to that first self-replicating gizmo -- which, given the number and variety of its descendants, might justifiably be described as the most stupendous badass of all time. Everyone and everything that wasn't a stupendous badass was dead." -- Neal Stephenson, Cryptonomicon

We don't have time to wait for CentOS to become autonomous and evolve its own badass immune system. We have to give it one ourselves.
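Both sides above lean on what fail2ban does or does not do for a CentOS 7 box, so here is an added example (not fail2ban's code, and not from the thread) of the decision logic of an sshd jail reduced to one pure function: count "Failed password" lines per source IP inside a sliding window and report who crosses the threshold. It runs over constructed /var/log/secure lines; the regex is a simplified stand-in for fail2ban's sshd filter, the host name, PIDs and TEST-NET addresses are made up, and maxretry=5 / findtime=600 are assumptions in the spirit of fail2ban's stock defaults.

```python
"""Added example, not fail2ban's own code: the decision logic of a fail2ban
sshd jail reduced to a pure function -- count "Failed password" lines per
source IP inside a sliding window and report who crosses the threshold --
run over constructed /var/log/secure lines. maxretry=5 and findtime=600
are assumptions in the spirit of fail2ban's stock defaults; the regex is a
simplified stand-in for fail2ban's sshd filter, not a copy of it."""

import re
from collections import defaultdict, deque
from datetime import datetime

# sshd's failed-password lines as syslog writes them (format reconstructed, not captured)
FAIL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample log: one slow brute-forcer, one fast one, one legitimate user who typos twice
SAMPLE_LOG = """\
Jul 28 14:00:00 web1 sshd[900]: Failed password for root from 192.0.2.9 port 40001 ssh2
Jul 28 14:30:00 web1 sshd[910]: Failed password for root from 192.0.2.9 port 40002 ssh2
Jul 28 15:00:00 web1 sshd[920]: Failed password for root from 192.0.2.9 port 40003 ssh2
Jul 28 15:30:00 web1 sshd[930]: Failed password for root from 192.0.2.9 port 40004 ssh2
Jul 28 16:00:00 web1 sshd[940]: Failed password for root from 192.0.2.9 port 40005 ssh2
Jul 28 16:40:01 web1 sshd[1201]: Failed password for root from 203.0.113.7 port 51022 ssh2
Jul 28 16:40:03 web1 sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Jul 28 16:40:05 web1 sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51041 ssh2
Jul 28 16:40:07 web1 sshd[1207]: Failed password for root from 203.0.113.7 port 51055 ssh2
Jul 28 16:40:09 web1 sshd[1209]: Failed password for root from 203.0.113.7 port 51060 ssh2
Jul 28 16:40:11 web1 sshd[1211]: Failed password for root from 203.0.113.7 port 51066 ssh2
Jul 28 16:41:00 web1 sshd[1220]: Failed password for nate from 198.51.100.4 port 40100 ssh2
Jul 28 16:41:06 web1 sshd[1220]: Failed password for nate from 198.51.100.4 port 40100 ssh2
Jul 28 16:41:12 web1 sshd[1220]: Accepted publickey for nate from 198.51.100.4 port 40100 ssh2: RSA SHA256:constructed
"""


def parse_ts(ts: str, year: int = 2015) -> datetime:
    """syslog timestamps carry no year, so one is assumed."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def find_bans(lines, maxretry: int = 5, findtime: int = 600) -> dict:
    """Return {ip: time_of_ban} for every IP with >= maxretry failures within findtime seconds.

    Failures older than findtime fall out of the per-IP window, so a slow attacker
    stays below the threshold; that is why maxretry/findtime are tuned, not fixed."""
    recent = defaultdict(deque)
    bans = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m:
            continue                     # successes and other daemons are not failures
        ip, t = m["ip"], parse_ts(m["ts"])
        if ip in bans:
            continue                     # in real fail2ban the firewall already drops this IP
        window = recent[ip]
        window.append(t)
        while (t - window[0]).total_seconds() > findtime:
            window.popleft()             # expire failures outside the window
        if len(window) >= maxretry:
            bans[ip] = t                 # a real jail would now insert a firewall rule
    return bans


def demo() -> dict:
    return find_bans(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for ip, when in demo().items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the assumed defaults only 203.0.113.7 is banned, eight seconds after its first attempt, which is the "seconds, not minutes" Nate describes. The same run with maxretry=2 also bans the legitimate user after two typos, and the slow attacker at 192.0.2.9 is never caught unless findtime is widened to hours: fail2ban shortens the window an attacker has, it does not make a guessable password unguessable, and on a box where you log in over SSH yourself, put your own address in the jail's ignore list before turning it on.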
On Tue, Jul 28, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
> On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote:
>> Equating this to "vaccination" is a huge stretch.
>
> Why?

It's not just an imperfect analogy; it really doesn't work on closer scrutiny. Malware itself is not a good analog to antigens. Vaccinations provide immunity to only certain kinds of antigens, and only specific ones at that. Challenge-response, which is what a login password is, is about user authentication; it is not at all meant or designed to provide immunity from malware. That we're trying to use it to prevent infections is more like putting ourselves into bubbles, and humans put into bubbles for this reason are called immune compromised. So this push to depend on stronger passwords just exposes how "immune compromised" we are in these dark ages of computer security. There are overwhelmingly worse side effects of password dependency than immunization. The very fact SSH PKA by default is even on the table in some discussions demonstrates the level of crap passwords are at.

Software patches, SELinux and AppArmor are closer analogs to certain aspects of human immunity, but even that is an imperfect comparison.

And also, a large percent of malware doesn't even depend on brute force password attacks. There are all kinds of other ways to compromise computers and create botnets that don't depend on passwords at all. So vaccinations have something like 95% efficacy, while passwords alone have nothing close to this effectiveness against malware.

-- 
Chris Murphy
> On Jul 28, 2015, at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>
> On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote:
>>
>>> On Jul 28, 2015, at 11:27, Warren Young <wyml at etr-usa.com> wrote:
>>>
>>> So no, your local password quality policy is not purely your own concern.
>>
>> Other than DDoS which is a problem of engineering design of how the network operates (untrusted anything can talk to untrusted anything)
>
> I'm not sure how you mean that comment.
>
> If you're saying that the Internet is badly designed and that we need to rip it up and replace it before we can address DDoSes, you're trying to boil the ocean. We have real-world practical solutions available to us that do not require a complete redesign of the Internet. One of those is to tighten down CentOS boxes so they don't get coopted into botnets.
>
> If instead you're saying that DDoSes are solvable with "just" a bit of engineering, then that's wrong, too. It takes a really big, expensive slice of a CDN or similar to choke down a large DDoS attack. I do not accept that as a necessary cost of doing business. That's like a 1665 Londoner insisting that city planning can only be done with close-packed wooden buildings.
>
> I don't believe that the Internet must go through the equivalent of the Great Fire of 1666 before we can put our critical tech onto a more survivable foundation.

You accepted that risk the day you put a public machine on it. He who has the most bandwidth wins, in a DDoS. It's the very nature of the network design. Anyone who can fill your pipe with garbage can take you offline until they stop. You can ask for help from the carriers and see how far you get, but the inherent risk was there from day one and you choose to play.

>> what "risk" is created to other people's machines who have done appropriate security measures by a cracked machine owned by an idiot
>
> Resource waste is enough by itself. How many billions of dollars goes into extra bandwidth, CDN fees, security personnel, security appliances, etc., all to solve a problem that is not necessary to the design of the Internet in the first place?
>
> Back before the commercialization of the Internet, if your box was found to be attempting to DoS another system, you'd be cut off the Internet. No appeal, no mercy. It's all /dev/null for you.
>
> Now we have entrenched commercial interests that get paid more when you get DDoS'd. I'll give you one guess what happens in such a world.

What happens? Folks have to think harder about connecting stuff to a worldwide untrusted, and generally unfiltered, network? One word: "Duh."

>> easily handled in minutes, if not seconds, by fail2ban?
>
> fail2ban isn't in the stock package repo for CentOS 7, much less installed and configured by default. Until it is, it's off-topic for this thread.
>
> Mind, I'm all for fail2ban. If Fedora/Red Hat want to start turning it on by default, too, that's great.

Didn't realize that. Brilliant move, removing it... (rolls eyes at RH)...

>> Equating this to "vaccination" is a huge stretch.
>
> Why? If you are unvaccinated and catch some preventable communicable disease, you begin spreading it around, infecting others. This is exactly analogous to a box getting pwned, joining a botnet, and attempting to pwn other boxes.
>
> When almost everyone is vaccinated, you get an effect called herd immunity, which means that even those few who cannot be vaccinated for some valid medical reason are highly unlikely to ever contract the disease because it cannot spread properly through the population.

It's not a disease. It's someone using their machine for them because they're too dumb to use a decent password. Nothing at all happens to the people who used decent passwords other than that aforementioned DDoS problem, which is completely unrelated. You're making it sound like the OS should be responsible for dumb people... problem with that is, the dumber you let them be, the dumber they stay. And without any harm to the "neighbor" who "pre-vaccinated", I guess, in your world, by simply typing in a decent password, what's the point? Let them lose data, and they'll learn.

>> It's more like saying the guy who left his front door unlocked all day is a threat to the neighbor's house.
>
> That's only true in a world where you have armed gangs running through the streets looking for free fortifications from which to attack neighboring houses. That is the analogous situation to the current botnet problem.
>
> If that were our physical security situation today, then I would be advocating fortifying our physical dwellings, too.
>
> Thankfully, that is not the case where I live.
>
> The difference appears to be one of global society, rather than technology, but obviously we aren't going to solve any of that here.

Global society hasn't changed, and neither has the network in decades. Why should the OS change to make people dumber?

>> You can't "catch the insecure"... hahaha... it's not a virus.
>
> Take an unvaccinated child on a long vacation to some 3rd world cesspit, then report back on how that worked out.

No one reading this list is likely to be "unvaccinated", but they'll surely be annoyed if they need to install an "unvaccinated" machine on a properly secured network. Leave security to the end-user. The Internet has always been a meritocracy and using a decent password isn't exactly a high bar to jump. It's really none of the OS's business.

Nate