Re: Another Fedora decision

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]



On Tue, February 3, 2015 14:01, Valeri Galtsev wrote:
>
> On Tue, February 3, 2015 12:39 pm, Les Mikesell wrote:
>> On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev
>> <galtsev@xxxxxxxxxxxxxxxxx> wrote:
>>>
>>> Sounds so I almost have to feel shame for securing my boxes no
>>> matter what job vendor did ;-)
>>
>> Yes, computers and the way people access them are pretty much a
>> commodity now.  If you are spending time building something exotic
>> for a common purpose, isn't that a waste?
>
> Do I have to take that people who are not sysadmins themselves just
> hate an existence of sysadmins?
>

I had a friend, now deceased, who worked as an RCA colour TV
technician when he was very young.  In the 1950s he would be sent to
the homes of people having trouble adjusting the colour settings on
their new RCA's.  That was system administration then.  Who needs them
now?

We are dinosaurs.  People do not hate us. They just do not understand
why we are still around.

Other than lifting the display into a comfortable position for viewing
the latest MacBooks cannot even be physically opened for servicing (by
a user) as far as I can discover.  An iPhone is a sealed unit.  Both
devices are orders of magnitude more powerful computers than the i486
I first installed RH on.  The point Les makes is entirely correct. 
The systems we install should not require the degree of slavish
attention to arcane details that is necessary to make them both useful
and safe to use.

That said, the original issue remains, making manual configuration
slightly more cumbersome than it already is. That this is done solely
in order to make a claim that it somehow improves security is, in my
opinion, self-defeating. It is certainly a deceit. Whether it is
self-delusion or overt pretence I have no idea.

One might question why *nix distributions insist on providing a known
point of attack to begin with.  Why does user 0 have to be called
root?  Why not beatlebailey, cinnamon or pasdecharge?  If brute
forcing passwords is the problem then why not make it ever more
difficult by forcing crackers to guess what the superuser name is to
begin with?

Oh, I know. Too much software exists that presumes that the superuser
name is root.  Evidently adherence to that convention is valued more
highly than providing security.  God forbid that one simply check for
user 0.

I seldom use root other than for peer-to-peer rsync via password-less
login. Consequently I do not really care whether Anaconda forces me to
use 32 character Base64 encoded passwords for root or none at all.  I
just cannot bear to stand by and read the BS about how anything of
that nature improves security.  It is just self-deception.  Twenty
years ago it might have had some validity, although I doubt it. 
Things that are hard to remember tend to get written down.  Things
that are written down tend to be read by eyes other than those that
were intended.

The whole matter of attending to the risk of brute force password
discovery rather misses the point.  Amateurs hack systems,
professionals hack people.  No matter how resistant your password is
to brute force discovery, it only takes one careless mistake to have
it revealed by an incautious or suitably deceived sysadmin.  Look up
'Robin Sage' and the follow on study 'Emily Williams' and then ask
yourself: How does a strong password on the root account deal with
that?

I really wonder sometimes if the software development people that
write so much about security 'best-practice' have much of a clue about
how penetrations are actually carried out.  For example, how many of
you have ever plugged a USB key into one of your hosts?  If you have
then you have permanently compromised the security of that system and
nothing, short of pulling the entire USB controller, can ever undo it;
and not even then I suspect.  You may not, probably have not (yet),
have been infected, but then you will never know for sure whether you
have or not.

There are so many computer control systems that are embedded in the
devices we call computers that the attack surface is incomprehensibly
large.  And most of these embedded systems are completely open to
exploitation; at the fabrication level.  The Internet is not even the
preferred vector.  Have you ever used a USB charging station in an
airport for your laptop, tablet or phone?  Too bad.  Have you ever
plugged a personal device into one of your hosts at work via USB or
Thunderbolt (not likely for the latter I admit)? Oh well.  At least
you can increase the strength of your root password.

Is your home or business network device provided to you by your
provider?  Has it been changed (upgraded) recently without your
request (or even with it)?  I have to SSH tunnel all of my traffic on
my home network now because traffic through my (recently upgraded)
xxxxxx provided yyyyy router phones home to yyyyy; and I cannot stop
it short of jail-breaking, which is in violation of my terms of
service (AND I have to pay rent for this device). This is not
paranoia, this is observed activity. (Sorry about the xxxxx yyyyy
stuff, but on consideration I would rather not run the risk of being
harassed by either or both of the two major corporations involved.)

Sometimes I just cannot bear to think about this stuff anymore.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB@xxxxxxxxxxxxx
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos




[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux