On Wed, February 4, 2015 16:55, Warren Young wrote:
On Feb 4, 2015, at 12:16 PM, Lamar Owen lowen@pari.edu wrote:
Again, the real bruteforce danger is when your /etc/shadow is exfiltrated by a security vulnerability
Unless you have misconfigured your system, anyone who can copy /etc/shadow already has root privileges. They do not need to crack your passwords now. You are already boned.
My thought exactly.
On Thu, February 5, 2015 9:06 am, James B. Byrne wrote:
On Wed, February 4, 2015 16:55, Warren Young wrote:
On Feb 4, 2015, at 12:16 PM, Lamar Owen lowen@pari.edu wrote:
Again, the real bruteforce danger is when your /etc/shadow is exfiltrated by a security vulnerability
Unless you have misconfigured your system, anyone who can copy /etc/shadow already has root privileges. They do not need to crack your passwords now. You are already boned.
My thought exactly.
After all this discussion about "is this enough for good security or should we add something else", the last not requiring tremendously larger effort, I'm left with the following feeling. I'm a "relict" left from a long time ago when security was considered paramount, when if something can be done it had to be done, no matter that the same is allegedly covered by something else already in place. We always considered the word "paranoia" to be in a sysadmin's job description (I still do, yet I didn't check IT job descriptions lately, - maybe I should take a look; there seem to be many "Windows" brew people up on the top of the IT ladder these days). I feel like there is a brave new world of admins who feel it right to have "iPad-like" everything, i.e. boxes cooked up and sealed by the vendor, and you have no way even to look inside, not to say re-shape the interior to your understanding [of security or anything else]. Am I the only one?
Not that this comment of mine is meant as a contradiction to any particular post (the post I'm replying to included). It is just that the existence (and length) of this discussion (whether one should, or shouldn't, or anything) makes me think that what I was trained about security is not accepted by many these days. Or maybe I simply got tired of following it instead of spending more time doing my own sysadmin's job ??
Good luck, everyone. Stay safe and keep your boxes secure!
Valeri
++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Thu, Feb 5, 2015 at 9:27 AM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
... there seem to be many "Windows" brew people up on the top of the IT ladder these days). I feel like there is a brave new world of admins who feel it right to have "iPad-like" everything, i.e. boxes cooked up and sealed by the vendor, and you have no way even to look inside, not to say re-shape the interior to your understanding [of security or anything else]. Am I the only one?
You are conflating two unrelated things. Being shipped with usable defaults has nothing to do with your subsequent ability to change them. Just the need and advisability of such work.
Not that this comment of mine is meant as a contradiction to any particular post (the post I'm replying to included). It is just that the existence (and length) of this discussion (whether one should, or shouldn't, or anything) makes me think that what I was trained about security is not accepted by many these days. Or maybe I simply got tired of following it instead of spending more time doing my own sysadmin's job ??
It's not that it is wrong - just that if there is one or a few ways to do it right, the box might as well come that way or with just those few choices to get a working default instead of requiring individual attention to a million details.
On Thu, 2015-02-05 at 09:27 -0600, Valeri Galtsev wrote:
... I feel like there is a brave new world of admins who feel it right to have "iPad-like" everything, i.e. boxes cooked up and sealed by the vendor, and you have no way even to look inside, not to say re-shape the interior to your understanding [of security or anything else]. Am I the only one?
Foolish and stupid implicit trust in a third party. Just look at the Windoze world ever since Win95 (first edition of many) materialised. Trust M$ and get a free virus every time !
I don't use my Android tablet after I discovered a default setting (semi-hidden away) was "Trust Google by automatically sharing all passwords with Google". I would like to use the tablet but only when there is a major free and entirely open source version of Linux available for it.
Then there is the BIOS (or similar) with a functioning TCP/IP stack, so I am told. How good is security when a low level backdoor exists ? Keeping Uncle Sam and his associates out does not make everyone a dangerous threat to public safety and to national security. Don't forget about the Chinese switching equipment which some believe could be controlled remotely by the Chinese.
Paper and pen (or Biro/ball-point) was massively more secure. Are we stupid because we place so much inherent trust in the honesty and integrity of others whilst never having an opportunity to verify their offerings ? Open Source, all the way down to the motherboard, is increasingly important for the efficient and safe functioning of our global society, from traffic lights to hospital life-saving machinery.
When will Centos (RH) be able to replace Google on Android tablets ?
Good luck, everyone. Stay safe and keep your boxes secure!
It is not only the "boxes" which must be kept secure. Increasing amounts of data mean security must be increased too and become a normal 'way of life'.
In addition to my Centos Learning mailing list suggestion, I would like to see a free web based Centos security questionnaire to ask users security related questions and then present a rating based upon their correct answers. Red Hat people and Fedora people too lurk on here, yet there is a reluctance (probably commercially inspired) to fully respond to the challenges threatening all of us 'today'.
On Thu, Feb 5, 2015 at 9:59 AM, Always Learning centos@u64.u22.net wrote:
Foolish and stupid implicit trust in a third party. Just look at the Windoze world ever since Win95 (first edition of many) materialised. Trust M$ and get a free virus every time !
I wouldn't go there unless you want to compare against, say Red Hat 4 (original, not RHEL) of the same era where virtually every service had remote exploits - and we are still finding them. Or unless you have some sort of proof that a current Windows 2012 server is less secure or stable than a Linux distro.
In addition to my Centos Learning mailing list suggestion, I would like to see a free web based Centos security questionnaire to ask users security related questions and then present a rating based upon their correct answers. Red Hat people and Fedora people too lurk on here, yet there is a reluctance (probably commercially inspired) to fully respond to the challenges threatening all of us 'today'.
Let's start with why your /etc/shadow has read access. That's one of the things that was right out of the box. What changed it and why?
On Thu, 2015-02-05 at 10:10 -0600, Les Mikesell wrote:
On Thu, Feb 5, 2015 at 9:59 AM, Always Learning centos@u64.u22.net wrote:
Or unless you have some sort of proof that a current Windows 2012 server is less secure or stable than a Linux distro.
Not every 'home' or business user uses, or can afford to purchase, Windoze 2012 Server. Besides, that is far too large for end-users. Conversely everyone can use and afford (because it is free) to install Linux as a server, as an end-user (non-server) system or as a mixture of the two. The Linux flexibility is one of its many strong points.
Let's start with why your /etc/shadow has read access. That's one of the things that was right out of the box. What changed it and why?
Yes, that is what I would like to know. Can't tell. That disk was wiped, partitioned differently and reformatted. But it remains a puzzle I am unlikely to forget for a long time. I carried out a check on every machine and was happy to see ----------.
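As an added example, not code from anyone in this thread: a small POSIX shell audit that encodes the CentOS/RHEL default the last message describes (root:root, mode 0000, shown by ls as ----------) and flags drift such as a group- or world-readable /etc/shadow. The function names check_shadow_perms and audit_shadow are chosen here; stat -c is the GNU coreutils form found on CentOS.

```shell
#!/bin/sh
# Added example: audit /etc/shadow ownership and mode against the
# CentOS/RHEL default (root:root, mode 0000). Not from the thread.

# check_shadow_perms OWNER GROUP MODE
# Takes owner, group and octal mode as `stat -c '%U %G %a'` prints them
# and returns 0 when they match the default, 1 when anything has drifted.
check_shadow_perms() {
    owner=$1; group=$2; mode=$3
    status=0
    [ "$owner" = "root" ] || { echo "unexpected owner: $owner"; status=1; }
    [ "$group" = "root" ] || { echo "unexpected group: $group"; status=1; }
    case "$mode" in
        0|00|000|0000) ;;   # stat prints mode 0000 as "0": no read bits at all
        *) echo "unexpected mode: $mode (group/world readable shadow?)"; status=1 ;;
    esac
    return $status
}

# audit_shadow [FILE]
# Stats the real file (default /etc/shadow) and runs the check.
# Exit 0 = matches default, 1 = drifted, 2 = could not stat the file.
audit_shadow() {
    f=${1:-/etc/shadow}
    info=$(stat -c '%U %G %a' "$f") || return 2
    set -- $info
    check_shadow_perms "$1" "$2" "$3"
}
```

Run audit_shadow on each host (for example from a central ssh loop) and treat any non-zero exit as the puzzle the poster ran into.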