On Tue, February 3, 2015 14:01, Valeri Galtsev wrote: > > On Tue, February 3, 2015 12:39 pm, Les Mikesell wrote: >> On Tue, Feb 3, 2015 at 12:24 PM, Valeri Galtsev >> <galtsev at kicp.uchicago.edu> wrote: >>> >>> Sounds so I almost have to feel shame for securing my boxes no >>> matter what job vendor did ;-) >> >> Yes, computers and the way people access them are pretty much a >> commodity now. If you are spending time building something exotic >> for a common purpose, isn't that a waste? > > Do I have to take that people who are not sysadmins themselves just > hate an existence of sysadmins? > I had a friend, now deceased, who worked as an RCA colour TV technician when he was very young. In the 1950s he would be sent to the homes of people having trouble adjusting the colour settings on their new RCA's. That was system administration then. Who needs them now? We are dinosaurs. People do not hate us. They just do not understand why we are still around. Other than lifting the display into a comfortable position for viewing the latest MacBooks cannot even be physically opened for servicing (by a user) as far as I can discover. An iPhone is a sealed unit. Both devices are orders of magnitude more powerful computers than the i486 I first installed RH on. The point Les makes is entirely correct. The systems we install should not require the degree of slavish attention to arcane details that is necessary to make them both useful and safe to use. That said, the original issue remains, making manual configuration slightly more cumbersome than it already is. That this is done solely in order to make a claim that it somehow improves security is, in my opinion, self-defeating. It is certainly a deceit. Whether it is self-delusion or overt pretence I have no idea. One might question why *nix distributions insist on providing a known point of attack to begin with. Why does user 0 have to be called root? Why not beatlebailey, cinnamon or pasdecharge? If brute forcing passwords is the problem then why not make it ever more difficult by forcing crackers to guess what the superuser name is to begin with? Oh, I know. Too much software exists that presumes that the superuser name is root. Evidently adherence to that convention is valued more highly than providing security. God forbid that one simply check for user 0. I seldom use root other than for peer-to-peer rsync via password-less login. Consequently I do not really care whether Anaconda forces me to use 32 character Base64 encoded passwords for root or none at all. I just cannot bear to stand by and read the BS about how anything of that nature improves security. It is just self-deception. Twenty years ago it might have had some validity, although I doubt it. Things that are hard to remember tend to get written down. Things that are written down tend to be read by eyes other than those that were intended. The whole matter of attending to the risk of brute force password discovery rather misses the point. Amateurs hack systems, professionals hack people. No matter how resistant your password is to brute force discovery, it only takes one careless mistake to have it revealed by an incautious or suitably deceived sysadmin. Look up 'Robin Sage' and the follow on study 'Emily Williams' and then ask yourself: How does a strong password on the root account deal with that? I really wonder sometimes if the software development people that write so much about security 'best-practice' have much of a clue about how penetrations are actually carried out. For example, how many of you have ever plugged a USB key into one of your hosts? If you have then you have permanently compromised the security of that system and nothing, short of pulling the entire USB controller, can ever undo it; and not even then I suspect. You may not, probably have not (yet), have been infected, but then you will never know for sure whether you have or not. There are so many computer control systems that are embedded in the devices we call computers that the attack surface is incomprehensibly large. And most of these embedded systems are completely open to exploitation; at the fabrication level. The Internet is not even the preferred vector. Have you ever used a USB charging station in an airport for your laptop, tablet or phone? Too bad. Have you ever plugged a personal device into one of your hosts at work via USB or Thunderbolt (not likely for the latter I admit)? Oh well. At least you can increase the strength of your root password. Is your home or business network device provided to you by your provider? Has it been changed (upgraded) recently without your request (or even with it)? I have to SSH tunnel all of my traffic on my home network now because traffic through my (recently upgraded) xxxxxx provided yyyyy router phones home to yyyyy; and I cannot stop it short of jail-breaking, which is in violation of my terms of service (AND I have to pay rent for this device). This is not paranoia, this is observed activity. (Sorry about the xxxxx yyyyy stuff, but on consideration I would rather not run the risk of being harassed by either or both of the two major corporations involved.) Sometimes I just cannot bear to think about this stuff anymore. -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB at Harte-Lyne.ca Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3