> On Jul 28, 2015, at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>
> On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote:
>>
>>> On Jul 28, 2015, at 11:27, Warren Young <wyml at etr-usa.com> wrote:
>>>
>>> So no, your local password quality policy is not purely your own concern.
>>
>> Other than DDoS which is a problem of engineering design of how the network operates (untrusted anything can talk to untrusted anything)
>
> I'm not sure how you mean that comment.
>
> If you're saying that the Internet is badly designed and that we need to rip it up and replace it before we can address DDoSes, you're trying to boil the ocean. We have real-world practical solutions available to us that do not require a complete redesign of the Internet. One of those is to tighten down CentOS boxes so they don't get coopted into botnets.
>
> If instead you're saying that DDoSes are solvable with "just" a bit of engineering, then that's wrong, too. It takes a really big, expensive slice of a CDN or similar to choke down a large DDoS attack. I do not accept that as a necessary cost of doing business. That's like a 1665 Londoner insisting that city planning can only be done with close-packed wooden buildings.
>
> I don't believe that the Internet must go through the equivalent of the Great Fire of 1666 before we can put our critical tech onto a more survivable foundation.

You accepted that risk the day you put a public machine on it. He who has the most bandwidth, wins, in a DDoS. It's the very nature of the network design. Anyone who can fill your pipe with garbage can take you offline until they stop. You can ask for help from the carriers and see how far you get, but the inherent risk was there from day one and you choose to play.

>> what "risk" is created to other people's machines who have done appropriate security measures by a cracked machine owned by an idiot
>
> Resource waste is enough by itself. How many billions of dollars go into extra bandwidth, CDN fees, security personnel, security appliances, etc., all to solve a problem that is not necessary to the design of the Internet in the first place?
>
> Back before the commercialization of the Internet, if your box was found to be attempting to DoS another system, you'd be cut off the Internet. No appeal, no mercy. It's all /dev/null for you.
>
> Now we have entrenched commercial interests that get paid more when you get DDoS'd. I'll give you one guess what happens in such a world.

What happens? Folks have to think harder about connecting stuff to a worldwide untrusted, and generally unfiltered network? One word: "Duh."

>> easily handled in minutes, if not seconds, by fail2ban?
>
> fail2ban isn't in the stock package repo for CentOS 7, much less installed and configured default. Until it is, it's off-topic for this thread.
>
> Mind, I'm all for fail2ban. If Fedora/Red Hat want to start turning it on by default, too, that's great.

Didn't realize that. Brilliant move, removing it... (rolls eyes at RH)...

>> Equating this to "vaccination" is a huge stretch.
>
> Why? If you are unvaccinated and catch some preventable communicable disease, you begin spreading it around, infecting others. This is exactly analogous to a box getting pwned, joining a botnet, and attempting to pwn other boxes.
>
> When almost everyone is vaccinated, you get an effect called herd immunity, which means that even those few who cannot be vaccinated for some valid medical reason are highly unlikely to ever contract the disease because it cannot spread properly through the population.

It's not a disease. It's someone using their machine for them because they're too dumb to use a decent password. Nothing at all happens to the people who used decent passwords other than that aforementioned DDoS problem, which is completely unrelated. You're making it sound like the OS should be responsible for dumb people... problem with that is, the dumber you let them be, the dumber they stay. And without any harm to the "neighbor" who "pre-vaccinated" I guess, in your world, by simply typing in a decent password, what's the point? Let them lose data, and they'll learn.

>> It's more like saying the guy who left his front door unlocked all day is a threat to the neighbor's house.
>
> That's only true in a world where you have armed gangs running through the streets looking for free fortifications from which to attack neighboring houses. That is the analogous situation to the current botnet problem.
>
> If that were our physical security situation today, then I would be advocating fortifying our physical dwellings, too.
>
> Thankfully, that is not the case where I live.
>
> The difference appears to be one of global society, rather than technology, but obviously we aren't going to solve any of that here.

Global society hasn't changed, and neither has the network in decades. Why should the OS change to make people dumber?

>> You can't "catch the insecure"... hahaha... it's not a virus.
>
> Take an unvaccinated child on a long vacation to some 3rd world cesspit, then report back on how that worked out.

No one reading this list is likely to be "unvaccinated", but they'll surely be annoyed if they need to install an "unvaccinated" machine on a properly secured network. Leave security to the end-user. The Internet has always been a meritocracy and using a decent password isn't exactly a high bar to jump. It's really none of the OS's business.

Nate
Gordon Messmer
2015-Jul-30 15:15 UTC
[CentOS] Fedora change that will probably affect RHEL
On 07/29/2015 05:19 PM, Nathan Duehr wrote:
>> fail2ban isn't in the stock package repo for CentOS 7, much less installed and configured default. Until it is, it's off-topic for this thread.
> Didn't realize that. Brilliant move, removing it... (rolls eyes at RH)...

I don't think it was removed... I don't see it in the default repos for RHEL 5, 6, or 7. It's in EPEL for each, though.
On Jul 29, 2015, at 6:19 PM, Nathan Duehr <denverpilot at me.com> wrote:
>
>> On Jul 28, 2015, at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>>
>> Now we have entrenched commercial interests that get paid more when you get DDoS'd. I'll give you one guess what happens in such a world.
>
> What happens? Folks have to think harder about connecting stuff to a worldwide untrusted, and generally unfiltered network? One word: "Duh."

No, what happens is that you call up your ISP to ask them for help blocking off the DDoS attack, and you either get blown off or transferred to their sales department to buy a "solution" to a problem they allow to exist because it brings in extra revenue.

Your ISP could block this kind of thing at its border. Your ISP could also use their alliances with fellow ISPs to block DDoSes at their source. They do neither.

>> fail2ban isn't in the stock package repo for CentOS 7
>
> Didn't realize that. Brilliant move, removing it... (rolls eyes at RH)...

It wasn't removed. fail2ban has *never* been in the stock CentOS package repos. It's always been a third-party thing. Fedora has it, but that's not the same thing as saying "Red Hat removed it from RHEL."

>> When almost everyone is vaccinated, you get an effect called herd immunity,
>
> It's not a disease. It's someone using their machine for them because they're too dumb to use a decent password.

What do you think biological parasites are, then, if not fauna using your body to sustain themselves because your body can't destroy them fast enough? Computer worms, viruses, and trojans are computer diseases.

> You're making it sound like the OS should be responsible for dumb people...

Well, I do generally take a libertarian stance on things, but there is a limit on fobbing everything off on personal responsibility. Society should be able to impose a certain level of sensible limits on some things. CentOS is our society in this context. It is the group we choose to be a member of, which sets the ground rules and provides the resources we use. It is perfectly legitimate for us to decide it should support us better by default.

> the dumber you let them be, the dumber they stay.

How's that working out in your personal life? Is Uncle Bob a virus-fighting crusader these days, 20 years after the commercial Internet got started? Surely all of your relatives are fully trained up by now?

> Let them lose data, and they'll learn.

And yet, people continue to not do backups, and fail to test the backups they do make. So, Apple came out with Time Machine, and Microsoft cloned it in Windows 8, calling it File History. Are these bad features, because people should have known better already?

> Global society hasn't changed

Go read "The Better Angels of Our Nature", by Steven Pinker: https://en.wikipedia.org/wiki/The_Better_Angels_of_Our_Nature There's plenty to argue with in his conclusions and data, but the book does at least neatly wrap up a huge serving of "the world is a whole lot different today than it once was."

> and neither has the network in decades.

Three decades ago, network security was nonexistent. There were X Window programs that would run an animation from my computer across my screen, then across your screen, and then across all the other screens in the computer lab. All with zero need to lower any security barriers. Then we had rlogin, rcp, and completely-insecure NFS. Two decades ago, best security practice was deny-by-configuration. Turn off services you aren't using, use tcpwrappers to block known bad actors, etc. Then we moved to allow-by-default firewalls, and then to deny-by-default firewalls. Now we're moving toward encrypt-everything and 2FA apps in everyone's pocket. No change?!

> Why should the OS change to make people dumber?

Current thinking is that human intelligence hasn't increased (or decreased!) at all in many thousands of years. What *has* changed is that the scope of individual expertise has continually shrunk. I no longer have to know how to knap my own stone axes because I can buy a camp hatchet from Amazon to split the wood I buy at the convenience store on the way to the campground, which has paved roads, an enclosed privy, concrete pads for the picnic tables, and enclosed fire pits with cooking grates. And we call all of that "primitive living" today! This would be pure luxury to a Stone Age person, but Computer Age me probably couldn't reproduce any of it on my own. I spend my life acquiring expertise in other things. I should no longer have to do my own arithmetic to figure out what kind of password I should be using for my computers. The computer is perfectly capable of doing that arithmetic for me.

>>> You can't "catch the insecure"... hahaha... it's not a virus.
>>
>> Take an unvaccinated child on a long vacation to some 3rd world cesspit, then report back on how that worked out.
>
> No one reading this list is likely to be "unvaccinated"

You completely missed the Disneyland measles outbreak story, didn't you?

> The Internet has always been a meritocracy

The Internet hasn't been a meritocracy since 1993: https://en.wikipedia.org/wiki/Eternal_September
On 7/30/2015 12:17 PM, Warren Young wrote:
> No, what happens is that you call up your ISP to ask them for help blocking off the DDoS attack, and you either get blown off or transferred to their sales department to buy a "solution" to a problem they allow to exist because it brings in extra revenue.
>
> Your ISP could block this kind of thing at its border. Your ISP could also use their alliances with fellow ISPs to block DDoSes at their source. They do neither.

I got DDOS'd over a stupid email list spat (I banned an obnoxious spammer, he picked up my email address off of past messages 'received from') a few years ago, it just about totally knocked my ISP's backbone connections (a couple DS3's) offline. ISP apologized but said if it happens again we can't afford to keep you as a customer.

-- 
john r pierce, recycling bits in santa cruz