similar to: Fedora change that will probably affect RHEL

On Thu, Jul 30, 2015 at 12:20 PM, Warren Young <wyml at etr-usa.com> wrote: > On Jul 29, 2015, at 5:40 PM, Chris Murphy <lists at colorremedies.com> wrote: >> >> On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote: >> >>> Security is *always* opposed to convenience. >> >> False. OS X by default runs only signed

On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote: > Security is *always* opposed to convenience. False. OS X by default runs only signed binaries, and if they come from the App Store they run in a sandbox. User gains significant security with this, and are completely unaware of it. There is no inconvenience. What is the inconvenience of encrypting your device

On Thu, Jul 30, 2015 at 1:20 PM, Warren Young <wyml at etr-usa.com> wrote: > On Jul 29, 2015, at 5:40 PM, Chris Murphy <lists at colorremedies.com> wrote: > > > > On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote: > > > >> Security is *always* opposed to convenience. > > > > False. OS X by default runs only

On Tue, Jul 28, 2015 at 4:34 PM, Warren Young <wyml at etr-usa.com> wrote: > That?s only true if the majority of people will in fact override the default policy. The current behavior in Fedora and CentOS lets you click Done twice and bypass the weak password complaint. > But as I have repeatedly pointed out here, the stock rules really are not that onerous. They basically encode

On Jul 29, 2015, at 5:40 PM, Chris Murphy <lists at colorremedies.com> wrote: > > On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote: > >> Security is *always* opposed to convenience. > > False. OS X by default runs only signed binaries, and if they come > from the App Store they run in a sandbox. User gains significant > security

On 07/30/2015 12:35 PM, Chris Murphy wrote: > No fail2ban, no firewall rules, sshd by default, challengeresponseauth > by default, ChallengeResponseAuth is not on by default, on Red Hat derived systems. I'm pretty sure that was already clarified, much earlier in this thread. > and a 9 character (even random) passphrase, and that shit > is going to get busted into. Against a

Once upon a time, Warren Young <wyml at etr-usa.com> said: > Much of the evil on the Internet today ? DDoS armies, spam spewers, phishing botnets ? is done on pnwed hardware, much of which was compromised by previous botnets banging on weak SSH passwords. Since most of that crap comes from Windows hosts, the security of Linux SSH passwords seems hardly relevant. > Your freedom to use

On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com> wrote: > Just because one particular method of prophylaxis fails to protect against all threats doesn?t mean we should stop using it, or increase its strength. Actually it does.There is no more obvious head butting than with strong passwords vs usability. Strong login passwords and usability are diametrically opposed.

On Jul 29, 2015, at 3:16 PM, Chris Murphy <lists at colorremedies.com> wrote: > > On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com> wrote: >> Just because one particular method of prophylaxis fails to protect against all threats doesn?t mean we should stop using it, or increase its strength. > > Actually it does.There is no more obvious head

On Jul 29, 2015, at 6:19 PM, Nathan Duehr <denverpilot at me.com> wrote: > >> On Jul 28, 2015, at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote: >> >> Now we have entrenched commercial interests that get paid more when you get DDoS?d. I?ll give you one guess what happens in such a world. > > What happens? Folks have to think harder about connecting

On Sat, Jul 25, 2015 at 9:40 AM, Scott Robbins <scottro at nyc.rr.com> wrote: > This might show up twice, I think I sent it from a bad address previously. > If so, please accept my apologies. > > > In Fedora 22, one developer (and only one) decided that if the password > chosen during installation wasn't of sufficient strength, the install > wouldn't continue.

On 25/07/15 18:24, Scott Robbins wrote: > On Sat, Jul 25, 2015 at 11:16:18AM -0600, Chris Murphy wrote: >> On Sat, Jul 25, 2015 at 9:40 AM, Scott Robbins <scottro at nyc.rr.com> wrote: >>> This might show up twice, I think I sent it from a bad address previously. >>> If so, please accept my apologies. >>> >>> >>> In Fedora 22, one

On 07/25/2015 05:00 PM, Gordon Messmer wrote: > On 07/25/2015 11:45 AM, Jake Shipton wrote: >> I think a better solution to suite both worlds would be to simply have a >> boot flag on the installation media such as maybe >> "passwordcheck=true/false" > > https://xkcd.com/1172/ > > It's practically a law that every time someone's workflow is

On Jul 25, 2015, at 6:22 PM, Bob Marcan wrote: > > 1FuckingPrettyRose > "Sorry, you must use no fewer than 20 total characters." > 1FuckingPrettyRoseShovedUpYourAssIfYouDon'tGiveMeAccessRightFuckingNow! > "Sorry, you cannot use punctuation." > 1FuckingPrettyRoseShovedUpYourAssIfYouDontGiveMeAccessRightFuckingNow > "Sorry, that password is

On 07/28/2015 02:06 PM, Chris Adams wrote: > Once upon a time, Warren Young <wyml at etr-usa.com> said: >> Much of the evil on the Internet today ? DDoS armies, spam spewers, phishing botnets ? is done on pnwed hardware, much of which was compromised by previous botnets banging on weak SSH passwords. > > Since most of that crap comes from Windows hosts, the security of Linux

On 07/28/2015 01:46 PM, Chris Murphy wrote: > Future concern is IPv6 stuff, now that Xfinity has forcibly changed > their hardware to include full IPv6 support. I have no idea if this is > NAT'd or rolling IPs or what. All of the routers I've seen merely firewall inbound traffic, allowing none. There's no need for NAT or rolling IPs.

On 7/28/2015 1:46 PM, Chris Murphy wrote: > Windows Server has power shell disabled by default. The functional > equivalent, sshd, is typically enabled on Linux servers. to be pedantic about it, the equivalent of PowerShell is NOT sshd, its bash/ksh/csh/zsh/sh ... PowerShell does not by itself allow external connections, you'd need to configure a telnetd or sshd server to allow

On Tue, Jul 28, 2015 at 3:04 PM, Gordon Messmer <gordon.messmer at gmail.com> wrote: > On 07/28/2015 01:46 PM, Chris Murphy wrote: >> >> Future concern is IPv6 stuff, now that Xfinity has forcibly changed >> their hardware to include full IPv6 support. I have no idea if this is >> NAT'd or rolling IPs or what. > > > All of the routers I've seen

On Tue, Jul 28, 2015 at 6:17 PM, Timothy Murphy <gayleard at eircom.net> wrote: > Warren Young wrote: > > >> No, I am making the assumption that the vast majority of CentOS installs >> are racked up in datacenters, VPS hosts, etc. > > Is that true, I wonder? > For some reason Fedora and CentOS seem reluctant to find out anything > about their users (or what

On 07/28/2015 04:29 PM, Warren Young wrote: > They turned off "PermitRootLogin yes" and "Protocol 1" in EL6 or EL7, the previous low-hanging fruit. Do you think those were bad decisions, too? As far as I know, PermitRootLogin has not been set to "no" by default. At least, I've never seen that on a system I've installed. Am I missing something?