On Tue, February 3, 2015 14:01, Valeri Galtsev wrote:
On Tue, February 3, 2015 12:39 pm, Les Mikesell wrote:
On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
Sounds so I almost have to feel shame for securing my boxes no matter what job vendor did ;-)
Yes, computers and the way people access them are pretty much a commodity now. If you are spending time building something exotic for a common purpose, isn't that a waste?
Do I have to take that people who are not sysadmins themselves just hate an existence of sysadmins?
I had a friend, now deceased, who worked as an RCA colour TV technician when he was very young. In the 1950s he would be sent to the homes of people having trouble adjusting the colour settings on their new RCA's. That was system administration then. Who needs them now?
We are dinosaurs. People do not hate us. They just do not understand why we are still around.
Other than lifting the display into a comfortable position for viewing, the latest MacBooks cannot even be physically opened for servicing (by a user) as far as I can discover. An iPhone is a sealed unit. Both devices are orders of magnitude more powerful computers than the i486 I first installed RH on. The point Les makes is entirely correct. The systems we install should not require the degree of slavish attention to arcane details that is necessary to make them both useful and safe to use.
That said, the original issue remains, making manual configuration slightly more cumbersome than it already is. That this is done solely in order to make a claim that it somehow improves security is, in my opinion, self-defeating. It is certainly a deceit. Whether it is self-delusion or overt pretence I have no idea.
One might question why *nix distributions insist on providing a known point of attack to begin with. Why does user 0 have to be called root? Why not beatlebailey, cinnamon or pasdecharge? If brute forcing passwords is the problem then why not make it ever more difficult by forcing crackers to guess what the superuser name is to begin with?
Oh, I know. Too much software exists that presumes that the superuser name is root. Evidently adherence to that convention is valued more highly than providing security. God forbid that one simply check for user 0.
I seldom use root other than for peer-to-peer rsync via password-less login. Consequently I do not really care whether Anaconda forces me to use 32 character Base64 encoded passwords for root or none at all. I just cannot bear to stand by and read the BS about how anything of that nature improves security. It is just self-deception. Twenty years ago it might have had some validity, although I doubt it. Things that are hard to remember tend to get written down. Things that are written down tend to be read by eyes other than those that were intended.
The whole matter of attending to the risk of brute force password discovery rather misses the point. Amateurs hack systems, professionals hack people. No matter how resistant your password is to brute force discovery, it only takes one careless mistake to have it revealed by an incautious or suitably deceived sysadmin. Look up 'Robin Sage' and the follow on study 'Emily Williams' and then ask yourself: How does a strong password on the root account deal with that?
I really wonder sometimes if the software development people that write so much about security 'best-practice' have much of a clue about how penetrations are actually carried out. For example, how many of you have ever plugged a USB key into one of your hosts? If you have then you have permanently compromised the security of that system and nothing, short of pulling the entire USB controller, can ever undo it; and not even then I suspect. You may not, probably have not (yet), been infected, but then you will never know for sure whether you have or not.
There are so many computer control systems that are embedded in the devices we call computers that the attack surface is incomprehensibly large. And most of these embedded systems are completely open to exploitation; at the fabrication level. The Internet is not even the preferred vector. Have you ever used a USB charging station in an airport for your laptop, tablet or phone? Too bad. Have you ever plugged a personal device into one of your hosts at work via USB or Thunderbolt (not likely for the latter I admit)? Oh well. At least you can increase the strength of your root password.
Is your home or business network device provided to you by your provider? Has it been changed (upgraded) recently without your request (or even with it)? I have to SSH tunnel all of my traffic on my home network now because traffic through my (recently upgraded) xxxxxx provided yyyyy router phones home to yyyyy; and I cannot stop it short of jail-breaking, which is in violation of my terms of service (AND I have to pay rent for this device). This is not paranoia, this is observed activity. (Sorry about the xxxxx yyyyy stuff, but on consideration I would rather not run the risk of being harassed by either or both of the two major corporations involved.)
Sometimes I just cannot bear to think about this stuff anymore.
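Added example, not part of any message in this thread: James's point that software should check for UID 0 rather than the name "root" cuts both ways for the defender, because the kernel only knows the number. The script below lists every account whose UID field is 0 in a passwd(5)-format file (a renamed superuser, or an attacker's extra UID-0 account, shows up either way) and tests privilege with id -u instead of comparing $USER against the string "root". The passwd data and the account names in it are constructed for the demo.

```bash
#!/bin/sh
# Added example (not from the thread): audit superuser status by UID, not by the name "root".
# Works on any passwd(5)-format file; the sample data below is constructed for the demo.

# List every account whose UID field is 0. On a healthy system this prints
# exactly one name ("root"); any second line is something to investigate.
uid0_accounts() {
    # $1: path to a passwd-format file (default /etc/passwd)
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# One-number health check: how many UID-0 accounts exist.
uid0_count() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# Correct privilege test: compare the effective UID with 0. $USER and
# $LOGNAME are plain environment variables, and a UID-0 account can
# carry any name, so comparing them against "root" proves nothing.
running_as_superuser() {
    [ "$(id -u)" -eq 0 ]
}

# Constructed demo data: a normal root entry plus a renamed UID-0 account
# of the kind James's message proposes. Not copied from any real host.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
pasdecharge:x:0:0:renamed superuser:/root:/bin/bash
valeri:x:1000:1000:Valeri:/home/valeri:/bin/bash
EOF
}

demo() {
    tmp=$(mktemp)
    write_sample_passwd "$tmp"
    echo "UID-0 accounts in the sample file:"
    uid0_accounts "$tmp"
    echo "count: $(uid0_count "$tmp")"
    if running_as_superuser; then echo "this shell is UID 0"; else echo "this shell is not UID 0"; fi
    rm -f "$tmp"
}

demo
```

On a real host call uid0_accounts with no argument so it reads /etc/passwd; anything other than a single line deserves an explanation, whether it came from a deliberate rename or from someone else.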
On 2015-02-04, James B. Byrne byrnejb@harte-lyne.ca wrote:
One might question why *nix distributions insist on providing a known point of attack to begin with. Why does user 0 have to be called root? Why not beatlebailey, cinnamon or pasdecharge?
That is more or less what OS X does. User 0 still exists, and it's labelled as "root", but there is no way (unless the owner goes way out of his way) to actually log in as root. The first account created is given full sudo access, and can choose to grant sudo to subsequently created users. (Users with sudo can still get a root shell, but that's not the same as logging in as root.)
I thought Ubuntu did this as well, but I haven't installed Ubuntu for quite a while. Anyone know?
--keith
On Wed, Feb 04, 2015 at 08:18:23AM -0800, Keith Keller wrote:
On 2015-02-04, James B. Byrne byrnejb@harte-lyne.ca wrote:
One might question why *nix distributions insist on providing a known point of attack to begin with. Why does user 0 have to be called root? Why not beatlebailey, cinnamon or pasdecharge?
That is more or less what OS X does. User 0 still exists, and it's labelled as "root", but there is no way (unless the owner goes way out of his way) to actually log in as root. The first account created is given full sudo access, and can choose to grant sudo to subsequently created users. (Users with sudo can still get a root shell, but that's not the same as logging in as root.)
I thought Ubuntu did this as well, but I haven't installed Ubuntu for quite a while. Anyone know?
Yes, I think they were one of the first ones to do it. I remember thinking at the time, ah, copying Apple.
On Wed, February 4, 2015 10:35 am, Scott Robbins wrote:
On Wed, Feb 04, 2015 at 08:18:23AM -0800, Keith Keller wrote:
On 2015-02-04, James B. Byrne byrnejb@harte-lyne.ca wrote:
One might question why *nix distributions insist on providing a known point of attack to begin with. Why does user 0 have to be called root? Why not beatlebailey, cinnamon or pasdecharge?
That is more or less what OS X does. User 0 still exists, and it's labelled as "root", but there is no way (unless the owner goes way out of his way) to actually log in as root. The first account created is given full sudo access, and can choose to grant sudo to subsequently created users. (Users with sudo can still get a root shell, but that's not the same as logging in as root.)
I thought Ubuntu did this as well, but I haven't installed Ubuntu for quite a while. Anyone know?
Yes, I think they were one of the first ones to do it. I remember thinking at the time, ah, copying Apple.
Note: Ubuntu was first released in 2004. As a matter of fact Ubuntu is one of the clones of Debian, which was first released in 1993. Apple OS 10 (based on opendarwin) - the only one of the Mac OSes the "root - sudo" talk can be relevant to - was first shipped on their machines later than 2002 as I recall (Wikipedia is really vague on the date MacOS 10 was first shipped, I have to rely on my memory). So, I would say, Ubuntu wasn't copying Apple, they are just a clone of Debian. And Debian is an older system than MacOS 10.
I'm not a historian, so someone will probably correct me if I'm wrong here.
Just my $0.02
Valeri
++++++++++++++++++++++++++++++++++++++++ Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247 ++++++++++++++++++++++++++++++++++++++++
On Feb 4, 2015, at 10:04 AM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
Wikipedia is really vague on the date MacOS 10 was first shipped
It depends on what you mean by “shipped.”
The first OS X product released into the market was OS X Server 1.0, in March 1999:
http://en.wikipedia.org/wiki/Mac_OS_X_Server_1.0
It was basically OPENSTEP with a Mac OS 8-like skin on top. It didn’t even include Finder, because the first usable version of the Carbon API wouldn’t be completed for another two years.
About a year and a half later, in September 2000, Apple shipped the OS X Public Beta. This was the public’s first look at the new Quartz/Aqua interface.
This wasn’t a “beta” in the sense of “This isn’t released yet.” You paid for the disc and Apple shipped it to you. It was more like “We know this is still pretty broken, but we’ve been promising a new OS since 1997, so if you want to see what we’ve been spending the last 4 years working on, we’ll sell you a copy cheap.”
Apple shipped Mac OS X 1.0 in March 2001:
http://en.wikipedia.org/wiki/Mac_OS_X_10.0
So, there you have it, a 2-year span during which OS X could be said to be commercially available.
OS X 1.0 did include sudo. I don’t know if root was actually disabled by default at that point, though.
I haven’t been able to find out if prior versions of the OS — including OPENSTEP and NeXTSTEP — also included it. I couldn’t even find old manual PDFs or even a man page archive.
So, I would say, Ubuntu wasn't copying Apple, they are just a clone of Debian. And Debian is older system than MacOS 10.
Nope.
Though sudo has been in the Debian package repo since at least Debian 3 (2002), the base install has never included sudo. Debian’s sudo package didn’t install with a useful default configuration until Debian 7; you had to manually configure it in Debian 6 and earlier before you could actually use it.
Needless to say, the root account is never disabled by default on Debian, as it is on OS X and Ubuntu.
I’ve written up the full details of the non-universality of sudo here:
http://unix.stackexchange.com/questions/48522/
Bottom line, Ubuntu *did* copy Apple in this respect, as they have so many times before. (Upstart, Unity, etc.)
On Wed, February 4, 2015 10:18 am, Keith Keller wrote:
On 2015-02-04, James B. Byrne byrnejb@harte-lyne.ca wrote:
One might question why *nix distributions insist on providing a known point of attack to begin with. Why does user 0 have to be called root? Why not beatlebailey, cinnamon or pasdecharge?
That is more or less what OS X does. User 0 still exists, and it's labelled as "root", but there is no way (unless the owner goes way out of his way) to actually log in as root. The first account created is given full sudo access, and can choose to grant sudo to subsequently created users.
Which I consider almost as "security through obscurity" (I said "almost"!)
I'm neutral to sudo (even though I was taught "the smaller number of SUID/SGID files you have, the better"). Yet, I'm considering it less safe to have a regular user who can log in with a GUI interface, and is likely to be doing regular user stuff, have almighty abilities. Yes, I know, I know he has to prepend "sudo"... OK, this seems to be kind of a question of taste in the majority opinion.
(Users with sudo can still get a root shell, but that's not the same as logging in as root.)
I thought Ubuntu did this as well, but I haven't installed Ubuntu for quite a while. Anyone know?
Yes, Debian and its clones have a full-fledged root account, only with an empty password hash (thus making it an account for which no password will match). You can enable it by grabbing a root shell using sudo, then using the command passwd to set a password. Voilà.
And they are more or less neutral; they do not insist that having a disabled root account adds to the security of the machine (which it doesn't), as far as I recollect reading their docs.
Valeri
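Added example, not from any message in the thread: the "empty password hash" Valeri describes is worth pinning down in shadow(5) terms, because two different states look alike from the shell. Ubuntu's installer leaves root's password field as "!", a value no typed password can ever hash to; a genuinely empty field means no password is required at all where PAM permits it (nullok). The script below classifies root's state from a shadow-format file. The shadow entries and the hash strings in them are constructed placeholders; the lock and unlock commands mentioned in the comments (passwd -l, passwd -u) are the standard shadow-utils ones.

```bash
#!/bin/sh
# Added example (not from the thread): tell a locked root account from one
# with no password, by reading the password field of a shadow(5) file.
# The sample entries below are constructed; the hashes are placeholders.

# Print one of LOCKED, PASSWORD_SET, NO_PASSWORD or NO_ROOT_ENTRY.
root_shadow_state() {
    # $1: path to a shadow-format file (default /etc/shadow, root-readable only)
    awk -F: '
    $1 == "root" {
        found = 1
        if ($2 == "")          print "NO_PASSWORD"   # empty field: no password at all
        else if ($2 ~ /^[!*]/) print "LOCKED"        # "!" or "*" prefix: nothing can match
        else                   print "PASSWORD_SET"  # a real hash; brute force is possible
        exit
    }
    END { if (!found) print "NO_ROOT_ENTRY" }' "${1:-/etc/shadow}"
}

# Constructed sample files for each state. In real life:
#   passwd -l root   prefixes the stored hash with "!" (locked, hash kept)
#   passwd -u root   removes that prefix again
#   a bare "!" is what Ubuntu leaves behind when no root password is set
write_sample_shadow() {
    # $1: output file; $2: locked | hashed | locked_hash | empty
    case $2 in
        locked)      pw='!' ;;
        hashed)      pw='$6$constructedsalt$constructedhash' ;;
        locked_hash) pw='!$6$constructedsalt$constructedhash' ;;
        empty)       pw='' ;;
        *) echo "unknown variant: $2" >&2; return 1 ;;
    esac
    printf 'root:%s:16470:0:99999:7:::\nvaleri:$6$othersalt$otherhash:16470:0:99999:7:::\n' "$pw" > "$1"
}

demo() {
    tmp=$(mktemp)
    for variant in locked hashed locked_hash empty; do
        write_sample_shadow "$tmp" "$variant"
        printf '%-12s -> %s\n' "$variant" "$(root_shadow_state "$tmp")"
    done
    rm -f "$tmp"
}

demo
```

Run root_shadow_state with no argument (as root) to see which of the four states a real box is in; NO_PASSWORD on a host that still accepts password logins is the one to fix first.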
On 2015-02-04, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
On Wed, February 4, 2015 10:18 am, Keith Keller wrote:
On 2015-02-04, James B. Byrne byrnejb@harte-lyne.ca wrote:
[SNIP]
(Users with sudo can still get a root shell, but that's not the same as logging in as root.)
I thought Ubuntu did this as well, but I haven't installed Ubuntu for quite a while. Anyone know?
Yes, Debian and its clones have a full-fledged root account, only with an empty password hash (thus making it an account for which no password will match). You can enable it by grabbing a root shell using sudo, then using the command passwd to set a password. Voilà.
The behaviour you describe is to be found on Ubuntu, but not Debian. The Debian installer prompts for a root password, whereas the Ubuntu installer does not. The 'sudo' package is optional (in APT terminology) in the case of Debian.
On 2015-02-04, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
I'm neutral to sudo (even though I was taught "the smaller number of SUID/SGID files you have, the better"). Yet, I'm considering it less safe to have a regular user who can log in with a GUI interface, and is likely to be doing regular user stuff, have almighty abilities. Yes, I know, I know he has to prepend "sudo"... OK, this seems to be kind of a question of taste in the majority opinion.
I think it's basically six of one, half-dozen of the other. Is a user any more or less likely to screw up his box if he has to log in as root or has to use sudo? I really don't know. OTOH, forcing sudo does have one advantage, in that every sudo command is logged. (If you do sudo su you lose that.)
Yes, Debian and its clones have a full-fledged root account, only with an empty password hash (thus making it an account for which no password will match). You can enable it by grabbing a root shell using sudo, then using the command passwd to set a password. Voilà.
I believe that on recent OS Xs this method no longer works (it used to).
As to the original topic (heh), isn't it a bit counterproductive to complain about changes in Fedora or RHEL on this list? Those distributions are separate entities with their own decision making processes. If you want to complain about Fedora, go to their list (which IIRC the OP pointed people to). If you want to complain about RHEL, buy a RedHat support contract. It seems to me that the only legitimate complaints one could make about CentOS would be if they went out of their way to make CentOS different from RHEL in a very suboptimal way. Do you really have any justification for complaining if CentOS enforces the same password requirements on install as RHEL?
--keith
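Added example, not from any message in the thread: Keith's observation that sudo logs every command but that "sudo su" defeats it is something an auditor can actually check for. The awk below runs over constructed sudo syslog lines (the real record layout is "user : TTY=... ; PWD=... ; USER=... ; COMMAND=...") and flags the entries that hand out an interactive root shell, either su or a shell binary, which is what sudo -i and sudo -s record. Hostnames, user names and timestamps are made up.

```bash
#!/bin/sh
# Added example (not from the thread): find the points where a sudo log goes
# dark because the command run was itself a shell. Sample lines are constructed.

# Read sudo syslog records on stdin; print "user command" for every record
# whose COMMAND is su or a shell (sudo -i / sudo -s show up as the shell binary).
flag_shell_escapes() {
    awk '
    /sudo:/ && /COMMAND=/ {
        user = $0; sub(/^.*sudo: +/, "", user); sub(/ :.*$/, "", user)   # text between "sudo:" and " :"
        cmd = $0;  sub(/^.*COMMAND=/, "", cmd)                            # everything after COMMAND=
        split(cmd, parts, " "); n = split(parts[1], p, "/"); base = p[n]  # basename of the binary
        if (base ~ /^(su|bash|sh|dash|zsh|ksh|csh|tcsh)$/) print user, cmd
    }'
}

# Same thing as a single number, handy for a daily report.
count_shell_escapes() {
    flag_shell_escapes | wc -l | tr -d ' '
}

# Constructed sample: two admins, a mix of ordinary commands, three shell
# escapes, and one unrelated sshd line that must be ignored.
sample_sudo_log() {
    cat <<'EOF'
Feb  4 10:18:23 box1 sudo:    keith : TTY=pts/0 ; PWD=/home/keith ; USER=root ; COMMAND=/usr/bin/yum update
Feb  4 10:19:02 box1 sudo:    keith : TTY=pts/0 ; PWD=/home/keith ; USER=root ; COMMAND=/bin/su
Feb  4 10:25:41 box1 sudo:   valeri : TTY=pts/1 ; PWD=/home/valeri ; USER=root ; COMMAND=/bin/bash
Feb  4 10:30:00 box1 sudo:   valeri : TTY=pts/1 ; PWD=/home/valeri ; USER=root ; COMMAND=/usr/bin/systemctl restart httpd
Feb  4 10:31:12 box1 sudo:    keith : TTY=pts/0 ; PWD=/home/keith ; USER=root ; COMMAND=/bin/sh -c id
Feb  4 10:32:40 box1 sshd[2210]: Accepted publickey for keith from 10.0.0.5 port 51022 ssh2
EOF
}

echo "shell escapes in the sample log:"
sample_sudo_log | flag_shell_escapes
echo "total: $(sample_sudo_log | count_shell_escapes)"
```

On a CentOS box the same records live in /var/log/secure, so "flag_shell_escapes < /var/log/secure" is the real-world call. The list of shells is only a heuristic: an editor or pager with a shell escape, or "sudo awk 'BEGIN{system(\"sh\")}'", never appears here. To keep a record past the escape, sudoers has "Defaults log_output" (session recording, replayed with sudoreplay), and shipping the log to a remote syslog host keeps it out of reach of the root shell it documents.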
On Thu, February 5, 2015 12:49 am, Keith Keller wrote:
On 2015-02-04, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
I'm neutral to sudo (even though I was taught "the smaller number of SUID/SGID files you have, the better"). Yet, I'm considering it less safe to have a regular user who can log in with a GUI interface, and is likely to be doing regular user stuff, have almighty abilities. Yes, I know, I know he has to prepend "sudo"... OK, this seems to be kind of a question of taste in the majority opinion.
I think it's basically six of one, half-dozen of the other. Is a user any more or less likely to screw up his box if he has to log in as root or has to use sudo? I really don't know. OTOH, forcing sudo does have one advantage, in that every sudo command is logged. (If you do sudo su you lose that.)
Yes, Debian and its clones have a full-fledged root account, only with an empty password hash (thus making it an account for which no password will match). You can enable it by grabbing a root shell using sudo, then using the command passwd to set a password. Voilà.
I believe that on recent OS Xs this method no longer works (it used to).
As to the original topic (heh), isn't it a bit counterproductive to complain about changes in Fedora or RHEL on this list? Those distributions are separate entities with their own decision making processes. If you want to complain about Fedora, go to their list (which IIRC the OP pointed people to). If you want to complain about RHEL, buy a RedHat support contract. It seems to me that the only legitimate complaints one could make about CentOS would be if they went out of their way to make CentOS different from RHEL in a very suboptimal way. Do you really have any justification for complaining if CentOS enforces the same password requirements on install as RHEL?
I second that.
Valeri
--keith
-- kkeller@wombat.san-francisco.ca.us
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Wed, February 4, 2015 9:17 am, James B. Byrne wrote:
On Tue, February 3, 2015 14:01, Valeri Galtsev wrote:
On Tue, February 3, 2015 12:39 pm, Les Mikesell wrote:
On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev galtsev@kicp.uchicago.edu wrote:
Sounds so I almost have to feel shame for securing my boxes no matter what job vendor did ;-)
Yes, computers and the way people access them are pretty much a commodity now. If you are spending time building something exotic for a common purpose, isn't that a waste?
Do I have to take that people who are not sysadmins themselves just hate an existence of sysadmins?
I had a friend, now deceased, who worked as an RCA colour TV technician when he was very young. In the 1950s he would be sent to the homes of people having trouble adjusting the colour settings on their new RCA's. That was system administration then. Who needs them now?
Not an exact analogy. But I know what you are leading to. Once my department decides they will not need me, as they will get what is necessary done by a faceless big corporation shipping unified services, then I'm out of my job, and will go slaving for that corporation to do what I'm told to do, how I'm told to do it (which has to yield a unified standard product, allegedly good). We are not going to break machines and conveyors resisting progress as individual craftsmen of the past did. Even more, a few of the best craftsmen stayed as such even after conveyors were there. But I'm not considering myself such.
We are dinosaurs. People do not hate us. They just do not understand why we are still around.
I didn't say sysadmins. My language was deliberate: I said the existence of sysadmins.
Other than lifting the display into a comfortable position for viewing, the latest MacBooks cannot even be physically opened for servicing (by a user) as far as I can discover. An iPhone is a sealed unit. Both devices are orders of magnitude more powerful computers than the i486 I first installed RH on. The point Les makes is entirely correct. The systems we install should not require the degree of slavish attention to arcane details that is necessary to make them both useful and safe to use.
That said, the original issue remains, making manual configuration slightly more cumbersome than it already is. That this is done solely in order to make a claim that it somehow improves security is, in my opinion, self-defeating. It is certainly a deceit. Whether it is self-delusion or overt pretence I have no idea.
Yes, these are decisions of incompetent bosses who cover their backsides, and if something bad has happened, they are covered by saying "We did the appropriate thing but still end users defeated our good effort". And they will get away with it (as they always do) as they will be judged by another bunch of equally incompetent people.
One might question why *nix distributions insist on providing a known point of attack to begin with. Why does user 0 have to be called root? Why not beatlebailey, cinnamon or pasdecharge? If brute forcing passwords is the problem then why not make it ever more difficult by forcing crackers to guess what the superuser name is to begin with?
Oh, I know. Too much software exists that presumes that the superuser name is root. Evidently adherence to that convention is valued more highly than providing security. God forbid that one simply check for user 0.
I'm a creature of habit. Unix is in agreement with me on that (as I like to flatter myself ;-) So, I endorse "do not change anything unless it is absolutely necessary". Another way of stressing it is: if you change things, people are less likely to do the right things until they accommodate to your newly changed environment, so in my judgement, no change here promotes higher average security of the computer community.
[ Of course I mean meaningful things, i.e. do not change root to another name, UID=0 to another number. Staying abreast of password requirements (i.e. a password should be better than three lowercase letters, which might have been sufficient at some point in time, but not anymore) is not a fundamental change. It's a tiny increment. Not the fundamental changes I meant above ]
I seldom use root other than for peer-to-peer rsync via password-less login. Consequently I do not really care whether Anaconda forces me to use 32 character Base64 encoded passwords for root or none at all. I just cannot bear to stand by and read the BS about how anything of that nature improves security. It is just self-deception. Twenty years ago it might have had some validity, although I doubt it. Things that are hard to remember tend to get written down. Things that are written down tend to be read by eyes other than those that were intended.
Well, I build Linux boxes with kickstart (after I have built this kind of box manually with this release of the OS). My root passwords in kickstart are really strong ones. They are changed, however, as soon as the newly built system is booted (as kickstart content has to be remotely accessible; I don't care if it is only on a "secure" private network. No network medium can be considered secure if more than one machine - yours - is connected to it. Those who disagree... please consider taking yet another computer security course).
That said, I still agree with your feelings about the nonsense we are forced to follow. You can not do good to the person who does not wish to do good for himself. And yes, some may follow their own security practice (still, I for one will take all of the A, B and C security measures even if only A meets the goal).
The whole matter of attending to the risk of brute force password discovery rather misses the point. Amateurs hack systems, professionals hack people. No matter how resistant your password is to brute force discovery, it only takes one careless mistake to have it revealed by an incautious or suitably deceived sysadmin. Look up 'Robin Sage' and the follow on study 'Emily Williams' and then ask yourself: How does a strong password on the root account deal with that?
Yep. I've seen a sysadmin typing the root password in one of his users' shells (and getting owned) - I mentioned that in this thread. That, BTW, was a nice justification to always do excessive typing and type the whole path to the command beginning from the leading slash - when you do a sysadmin task at least. There also can be a blunder like changing the root password instead of changing a user password to a trivial temporary password. I've seen that done by someone (and mentioned it at some point). I myself was once pressed by a very powerful (and knowledgeable!) department member to give him the root password for the server. Up to the threat to take it up to the highest boss. I didn't, but were it the highest boss himself, I can't make my judgement about the outcome even now, after over a decade... So, holes vary, yet bad passwords do have their teeny-tiny share IMHO.
I really wonder sometimes if the software development people that write so much about security 'best-practice' have much of a clue about how penetrations are actually carried out. For example, how many of you have ever plugged a USB key into one of your hosts? If you have then you have permanently compromised the security of that system and nothing, short of pulling the entire USB controller, can ever undo it; and not even then I suspect. You may not, probably have not (yet), been infected, but then you will never know for sure whether you have or not.
Indeed, you need to think about what you are plugging into what. The same as you initiate all connections only in the direction from the more trusted machine to the less trusted. Never the other way around. (Does everybody always follow this rule? No, do not confess ;-)
There are so many computer control systems that are embedded in the devices we call computers that the attack surface is incomprehensibly large. And most of these embedded systems are completely open to exploitation; at the fabrication level. The Internet is not even the preferred vector. Have you ever used a USB charging station in an airport for your laptop, tablet or phone? Too bad. Have you ever plugged a personal device into one of your hosts at work via USB or Thunderbolt (not likely for the latter I admit)? Oh well. At least you can increase the strength of your root password.
Is your home or business network device provided to you by your provider? Has it been changed (upgraded) recently without your request (or even with it)? I have to SSH tunnel all of my traffic on my home network now because traffic through my (recently upgraded) xxxxxx provided yyyyy router phones home to yyyyy; and I cannot stop it short of jail-breaking, which is in violation of my terms of service (AND I have to pay rent for this device). This is not paranoia, this is observed activity. (Sorry about the xxxxx yyyyy stuff, but on consideration I would rather not run the risk of being harassed by either or both of the two major corporations involved.)
Yes, so true. The list goes on. Android devices that have proprietary Google code in the kernel. You just reverse engineer it and tell what it does, and even if it is evil, it is you who will go to jail for the crimes you just admitted above. Or binary proprietary drivers, that are in a variety of places - who ever audited these? How about "firmware" - the programs that more sophisticated computer boards run (RAID controllers are the simplest example)?
Well, luckily I trust most of the board manufacturers (I hate the BIOSes or EFIs of some of them, but that is a different story). So life is not as bad as we have depicted above (hopefully), but at least we realize what we are dealing with...
Valeri
Sometimes I just cannot bear to think about this stuff anymore.
-- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB@Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3
On 02/04/2015 10:17 AM, James B. Byrne wrote:
I had a friend, now deceased, who worked as an RCA colour TV technician when he was very young. In the 1950s he would be sent to the homes of people having trouble adjusting the colour settings on their new RCA's. That was system administration then. Who needs them now?
Broadcasters. You still need color balance chops in the TV station or other video production facility; you still need sysadmins in the content delivery facilities, even if they are a bit redundant in the content consumer area.
We are dinosaurs. People do not hate us. They just do not understand why we are still around. ... Sometimes I just cannot bear to think about this stuff anymore.
Hey, James, go get a cookie, a cup of hot tea, and relax a spell....maybe fire up the old Altix box for a space heater and get nice and toasty warm or something....
Sysadmins are still around; the areas in which sysadmins are needed and the skills sysadmins need to have are just changing, that's all. TV repairmen still exist; their skillset just is very different today than what it was a few years back. High-end LED/LCD and plasma TV's are still expensive enough to merit servicing, which most of the time involves module changing, service-remote-driven diagnostic menus, and similar. I still remember needing diddlesticks to do a full convergence job; the equivalent job today involves service menus and diagnostic single-board-computers that talk to the service port.
On Feb 4, 2015, at 8:17 AM, James B. Byrne byrnejb@harte-lyne.ca wrote:
I had a friend, now deceased, who worked as an RCA colour TV technician when he was very young. In the 1950s he would be sent to the homes of people having trouble adjusting the colour settings on their new RCA's. That was system administration then. Who needs them now?
This is what I was getting at with my half-joking definition of “technology” in the prior “please stop changing things on us, Red Hat” thread. TVs aren’t technology any more, by that definition: they’re appliances.
(This Smart TV movement is turning them *back* into “technology,” though. Sigh.)
We are dinosaurs. People do not hate us. They just do not understand why we are still around.
Yes.
I do not believe general purpose computers will ever become anything other than “technology.”
What will happen instead is that pieces of the current computing world will continue to be sliced off and turned into appliances and tools. My toaster has a microcontroller in it, but it’s still an appliance, not a funnily-shaped computer.
Too much software exists that presumes that the superuser name is root.
I think Ubuntu and OS X have beaten that nonsense out of the majority of software by now.
On Internet-facing CentOS systems I personally manage, I follow Ubuntu and OS X in this regard: disable root logins via SSH, and set up sudo. I usually don’t go so far as to disable the root account, but I do give it a stupidly-long purely random password.
Things that are hard to remember tend to get written down.
You’re really going to have a hard time remembering an 8-character password that doesn’t violate the pwquality rules?
This change is merely enforcing security minima we established about 20 years ago.
Amateurs hack systems, professionals hack people.
Yes. This is why Bruce Schneier wrote only one book on cryptography, then instead of updating it, he wrote a whole bunch of books on what we might call the peopleware problems.
Look up 'Robin Sage' and the follow on study 'Emily Williams' and then ask yourself: How does a strong password on the root account deal with that?
While these are good things to keep in mind, none of this is a good argument for allowing truly weak passwords.
Just because people are the weak point in most security systems doesn’t mean we should give up and allow passwords that can be guessed in a few months at a throttled rate of 5 guesses per minute.
We need to fix *both* problems.
how many of you have ever plugged a USB key into one of your hosts? If you have then you have permanently compromised the security of that system and nothing, short of pulling the entire USB controller, can ever undo it;
If you are referring to BadUSB, you’re overblowing the problem. All BadUSB was is a proof of concept showing that *some* USB devices are reprogrammable in a way that allows them to mimic other types of devices.
In that sense, a USB memory stick is no more dangerous than a USB keyboard. Both could contain a keylogger, or other things.
So, buy from trusted suppliers, and don’t stick USB keys you find in the parking lot into any system you care about:
https://www.schneier.com/blog/archives/2012/07/dropped_usb_sti.html
Sometimes I just cannot bear to think about this stuff anymore.
Fine, don’t. :)
Let those of us who *do* want to think about it work out how to deal with all of it, and trust that we’re not ignorant of the wider scope of things.
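Added example, not from any message in the thread: Warren's practice of disabling root logins over SSH comes down to one sshd_config keyword, but sshd takes the first value it sees for a keyword, and a setting placed after a Match block belongs to that block, so appending "PermitRootLogin no" to the end of the file can silently do nothing. The functions below insert the setting at the top of a constructed sshd_config, comment out earlier global occurrences, leave Match blocks alone, and read back the effective value the way sshd resolves it. The file contents are constructed; on a real host validate with "sshd -t" before reloading the daemon.

```bash
#!/bin/sh
# Added example (not from the thread): set an sshd_config keyword so that it
# actually takes effect. sshd uses the first value it reads for a keyword, and
# anything after a "Match" line is conditional, so the safe place is the top.
# The sample sshd_config written below is constructed for the demo.

# set_sshd_option FILE KEYWORD VALUE
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
    BEGIN { lk = tolower(key); print key " " value }     # first occurrence wins
    {
        line = $0; sub(/^[ \t]+/, "", line)
        split(line, f, /[ \t=]+/)
        k = tolower(f[1])                                 # keywords are case-insensitive
        if (k == "match") in_match = 1                    # leave Match blocks untouched
        if (!in_match && k == lk) {                       # comment out older global value
            print "#" $0 "   # superseded by the line at the top of this file"; next
        }
        print
    }' "$file" > "$tmp" && cat "$tmp" > "$file"          # cat keeps the file mode/owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# effective_sshd_option FILE KEYWORD: the global value sshd would use
# (first active occurrence before any Match block; empty if unset).
effective_sshd_option() {
    awk -v key="$2" '
    BEGIN { lk = tolower(key) }
    {
        line = $0; sub(/^[ \t]+/, "", line)
        if (line == "" || line ~ /^#/) next
        split(line, f, /[ \t=]+/)
        if (tolower(f[1]) == "match") exit                # global section ends here
        if (tolower(f[1]) == lk) { print f[2]; exit }
    }' "$1"
}

# Constructed sample: root login still allowed, plus a Match block that
# must not be disturbed.
write_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sample sshd_config, not taken from any real host
Port 22
#PermitRootLogin yes
PermitRootLogin yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
}

demo() {
    tmp=$(mktemp)
    write_sample_sshd_config "$tmp"
    echo "before: PermitRootLogin=$(effective_sshd_option "$tmp" PermitRootLogin)"
    set_sshd_option "$tmp" PermitRootLogin no
    echo "after:  PermitRootLogin=$(effective_sshd_option "$tmp" PermitRootLogin)"
    echo "--- resulting file ---"; cat "$tmp"
    rm -f "$tmp"
}

demo
```

For James's passwordless root rsync the value would be "without-password" (OpenSSH 6.x, as shipped with RHEL 7) or "prohibit-password" (OpenSSH 7.0 and later): key-based root logins still work, password guessing against root does not. Either way, run "sshd -t -f FILE" on the edited copy and keep an existing session open while you reload.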