On Mon, Jul 15, 2024 at 9:57 PM Tim via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Tim:
>> I wonder if anyone vets that information?
>
> Jonathan Billings:
>> Just check the references:
>>
>> https://static.open-scap.org/ssg-guides/ssg-fedora-guide-standard.html#xccdf_org.ssgproject.content_rule_accounts_maximum_age_login_defs
>
> Although I picked a specific portion (about passwords), I meant overall
> if anyone vets all the advice.
>
> Just clicking on some of the reference links, I see many of them lead
> to pages which pop up a PR page for the organisation, and one which
> actually displays a "withdrawn NIST technical series publication" (in
> other words, the reference is invalid). I wasn't going to try them all,
> because (a) I don't have the time to put up with that crap, and (b)
> burying anything that might actually be useful in a mound of crap
> doesn't engender any faith in following their operating procedures. It
> looks like it's designed to make you just give up and do what they say.
>
> The "rationale" rather lamely explains the idea behind the practice.
> Neither it, nor any of the links I tried, offer any proof that it was a
> good idea. It doesn't give anything to back up the theory. It doesn't
> address counterarguments. It doesn't withstand my own scrutiny.
>
> It reminds me of something I looked up regarding some medical quackery
> device. They proudly proclaimed its use in some hospital (singular) as
> proof that it had sound medical backing. But if you followed up the
> recommendation, the hospital's paper said absolutely nothing about the
> medical benefits of the device, nor its ilk; it just mentioned that
> when staff handled those kinds of device, that particular brand didn't
> break as easily as alternatives. It was a false endorsement.
>
> I have a strong distrust of security advice like this, particularly
> when explanations are so obscure, and the advice doesn't even stand up
> to your own scrutiny.
>
> I'm reminded of things like: "9 out of 10 doctors support our product."
> They actually asked 100 doctors a question about it, most of them were
> negative or refused, but 9 gave a positive response. So they just used
> 10 samples out of the 100 for their PR bullcrap. It's not a lie,
> technically, but it's also a complete misrepresentation of the truth.

That's called an Appeal to Authority. On the password expiration item, the authority was the DoD. It is a fallacious argument.

They should have appealed to a god, like Yahweh, Jesus or Allah. They would get more blind followers.

Jeff