[CentOS] an actual hacked machine, in a preserved state

Les Mikesell lesmikesell at gmail.com
Thu Jan 5 17:24:44 UTC 2012


On Wed, Jan 4, 2012 at 8:12 PM, Bennett Haselton <bennett at peacefire.org> wrote:
>>
>>> Yes, the totality of SELinux restrictions sounds like it could make a
>>> system more secure if it helps to guard against exploits in the services
>>> and the OS.  My point was that some individual restrictions may not make
>>> sense.
>> There is a wrong premise here as well. The idea of SELinux is "if it is not
>> known to be safe/necessary, restrict it", regardless of whether that
>> restriction "makes sense" or not.
>>
> Even if my random password generator has nonrandomness which
> takes away 20 bits of randomness from the result, your odds of guessing
> it are still only 1 in 10^15 -- not so worrisome anymore.
>
> Look, people are perfectly free to believe that 12-char passwords are
> insecure if they want.  Nobody's stopping you, and it certainly won't
> make you *less* secure, if it motivates you to use to ssh keys.  Again,
> my problem was that the "passwords" mantra virtually shut down the
> discussion, and I had to keep pressing the point for over 100 messages
> in the thread before someone offered a suggestion that addressed the
> real problem, which is exploits in the web server and the operating system.

The real point which you don't seem to have absorbed yet, is that it
doesn't work to count on some specific difficulty in the path of an
expected attack.   The attacker will use a method you didn't expect.
You are right that there is a low probability of a single attacker
succeeding starting from scratch with brute force network password
guessing on a single target.  But that doesn't matter, does it?

-- 
  Les Mikesell
    lesmikesell at gmail.com



More information about the CentOS mailing list