Re: an actual hacked machine, in a preserved state


On Wed, Jan 4, 2012 at 8:12 PM, Bennett Haselton <bennett@xxxxxxxxxxxxx> wrote:
>>
>>> Yes, the totality of SELinux restrictions sounds like it could make a
>>> system more secure if it helps to guard against exploits in the services
>>> and the OS.  My point was that some individual restrictions may not make
>>> sense.
>> There is a wrong premise here as well. The idea of SELinux is "if it is not
>> known to be safe/necessary, restrict it", regardless of whether that
>> restriction "makes sense" or not.
>>
> Even if my random password generator has nonrandomness which
> takes away 20 bits of randomness from the result, your odds of guessing
> it are still only 1 in 10^15 -- not so worrisome anymore.
>
> Look, people are perfectly free to believe that 12-char passwords are
> insecure if they want.  Nobody's stopping you, and it certainly won't
> make you *less* secure, if it motivates you to use ssh keys.  Again,
> my problem was that the "passwords" mantra virtually shut down the
> discussion, and I had to keep pressing the point for over 100 messages
> in the thread before someone offered a suggestion that addressed the
> real problem, which is exploits in the web server and the operating system.

The real point, which you don't seem to have absorbed yet, is that it
doesn't work to count on some specific difficulty in the path of an
expected attack.  The attacker will use a method you didn't expect.
You are right that there is a low probability of a single attacker
succeeding starting from scratch with brute force network password
guessing on a single target.  But that doesn't matter, does it?

-- 
  Les Mikesell
    lesmikesell@xxxxxxxxx
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos