Re: Fedora change that will probably affect RHEL




On Tue, Jul 28, 2015 at 6:32 PM, Warren Young <wyml@xxxxxxxxxxx> wrote:
> On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot@xxxxxx> wrote:

>> Equating this to “vaccination” is a huge stretch.
>
> Why?

It's not just an imperfect analogy; it really doesn't work on closer scrutiny.

Malware itself is not a good analog to antigens. Vaccinations provide
immunity to only certain kinds of antigens, and only specific ones at
that. Challenge-Response, which is what a login password is, is about
user authentication; it is not at all meant or designed to provide
immunity from malware. That we're trying to use it to prevent
infections is more like putting ourselves into bubbles; and humans put
into bubbles for this reason are called immune compromised.

So this push to depend on stronger passwords just exposes how "immune
compromised" we are in these dark ages of computer security. There are
overwhelmingly worse side effects of password dependency than
immunization. The very fact SSH PKA by default is even on the table in
some discussions demonstrates the level of crap passwords are at.

Software patches, SELinux and AppArmor are closer analogs to certain
aspects of human immunity, but even that is an imperfect comparison.

And also, a large percent of malware doesn't even depend on brute
force password attacks. There are all kinds of other ways to
compromise computers, create botnets, that don't depend on passwords
at all. So vaccinations have something like 95% efficacy, while
passwords alone have nothing close to this effectiveness against
malware.



-- 
Chris Murphy
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos



