[CentOS] what percent of time are there unpatched exploits against default config?

Thu Dec 29 14:53:54 UTC 2011
夜神 岩男 <supergiantpotato at yahoo.co.jp>

On 12/29/2011 10:21 PM, Marko Vojinovic wrote:
> On Thursday 29 December 2011 13:07:56 Reindl Harald wrote:
>> Am 29.12.2011 12:56, schrieb Leonard den Ottolander:
>>> Hello Reindl,
>>> On Thu, 2011-12-29 at 12:29 +0100, Reindl Harald wrote:
>>>> Am 29.12.2011 09:17, schrieb Bennett Haselton:
>>>>> Even though the ssh key is more
>>>>> random, they're both sufficiently random that it would take at least
>>>>> hundreds of years to get in by trial and error.
>>>> if you really think your 12-chars password is as secure
>>>> as a ssh-key protcected with this password you should
>>>> consider to take some education in security
>>> Bennett clearly states that he understands the ssh key is more random,
>>> but wonders why a 12 char password (of roughly 6 bits entropy per byte
>>> assuming upper&  lower case characters and numbers) wouldn't be
>>> sufficient.
>> so explain me why discuss to use or not to use the best
>> currently availbale method in context of security?
> Using the ssh key can be problematic because it is too long and too random to
> be memorized --- you have to carry it on a usb stick (or whereever). This
> provides an additional point of failure should your stick get lost or stolen.
> Human brain is still by far the most secure information-storage device. :-)
> It is very inconvenient for people who need to login to their servers from
> random remote locations (ie. people who travel a lot or work in hardware-
> controlled environment).
> Besides, it is essentially a question of overkill. If password is not good
> enough, you could argue that the key is also not good enough --- two keys (or
> a larger one) would be more secure. Where do you draw the line?
> Best, :-)
> Marko

Hi Marko!
What about IC cards? I use that a lot, and its reduced my need for a 
password to something tiny (6 numbers) and requires a physical key (my 
card). I have the root certificates, private keys, etc. stored offline 
just in case my card goes nuts, which has happened before, but I've 
never had a problem with this.

When traveling I log in to my home server and work servers with my 
laptop. Its really a *lot* easier than using a bunch of pasword schemes. 
I was initially worried that I'd run into a situation where I'd either 
lose my card traveling, or it would get crushed, or whatever -- but that 
hasn't happened in 5 years. What has happened in 5 years of doing this 
is intermittent network outages, work server crashing, web applications 
failing, database corruption, etc.

So from experience (mine and coworkers, at least), it is a lot more 
likely that problems will arise from totally different vectors than 
having ssh keys and ic cards making life complicated -- because from 
this user's perspective its made things a LOT simpler.

But it requires a bit of study. Which most people don't do. More to the 
point most people don't even read popups on the screens, even the big 
red scary ones, so...