[CentOS] Another Fedora decision

Wed Feb 4 21:53:10 UTC 2015
Warren Young <wyml at etr-usa.com>

> On Feb 4, 2015, at 8:17 AM, James B. Byrne <byrnejb at harte-lyne.ca> wrote:
> 
> I had a friend, now deceased, who worked as an RCA colour TV
> technician when he was very young.  In the 1950s he would be sent to
> the homes of people having trouble adjusting the colour settings on
> their new RCAs.  That was system administration then.  Who needs them
> now?

This is what I was getting at with my half-joking definition of “technology” in the prior “please stop changing things on us, Red Hat” thread.  TVs aren’t technology any more, by that definition: they’re appliances.

(This Smart TV movement is turning them *back* into “technology,” though.  Sigh.)

> We are dinosaurs.  People do not hate us. They just do not understand
> why we are still around.

Yes.

I do not believe general purpose computers will ever become anything other than “technology.”

What will happen instead is that pieces of the current computing world will continue to be sliced off and turned into appliances and tools.  My toaster has a microcontroller in it, but it’s still an appliance, not a funnily-shaped computer.

> Too much software exists that presumes that the superuser
> name is root.

I think Ubuntu and OS X have beaten that nonsense out of the majority of software by now.

On Internet-facing CentOS systems I personally manage, I follow Ubuntu and OS X in this regard: disable root logins via SSH, and set up sudo.  I usually don’t go so far as to disable the root account, but I do give it a stupidly-long purely random password.

> Things that are hard to remember tend to get written down.

You’re really going to have a hard time remembering an 8-character password that doesn’t violate the pwquality rules?

This change is merely enforcing security minima we established about 20 years ago.

> Amateurs hack systems,
> professionals hack people.

Yes.  This is why Bruce Schneier wrote only one book on cryptography, then instead of updating it, he wrote a whole bunch of books on what we might call the peopleware problems.

> Look up
> 'Robin Sage' and the follow-on study 'Emily Williams' and then ask
> yourself: How does a strong password on the root account deal with
> that?

While these are good things to keep in mind, none of this is a good argument for allowing truly weak passwords.

Just because people are the weak point in most security systems doesn’t mean we should give up and allow passwords that can be guessed in a few months at a throttled rate of 5 guesses per minute.

We need to fix *both* problems.

> how many of
> you have ever plugged a USB key into one of your hosts?  If you have
> then you have permanently compromised the security of that system and
> nothing, short of pulling the entire USB controller, can ever undo it;

If you are referring to BadUSB, you’re overblowing the problem.  All BadUSB was is a proof of concept showing that *some* USB devices are reprogrammable in a way that allows them to mimic other types of devices.

In that sense, a USB memory stick is no more dangerous than a USB keyboard.  Both could contain a keylogger, or other things.

So, buy from trusted suppliers, and don’t stick USB keys you find in the parking lot into any system you care about:

  https://www.schneier.com/blog/archives/2012/07/dropped_usb_sti.html

> Sometimes I just cannot bear to think about this stuff anymore.

Fine, don’t.  :)

Let those of us who *do* want to think about it work out how to deal with all of it, and trust that we’re not ignorant of the wider scope of things.
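An added example, not part of Warren's post or of any CentOS tooling: a POSIX shell audit for the "disable root logins via SSH" step mentioned above, honouring sshd's rule that the first occurrence of a keyword outside any Match block is the effective one, plus a helper that mints the long random root password. The function names and both sample configs are constructed for illustration.

```shell
# Added example (not from the original post): check an sshd_config for the
# "disable root logins via SSH" setting, and mint a long random root password.
# Assumption: keyword/value lines separated by whitespace, and sshd's rule that
# the FIRST value of a keyword outside any Match block is the effective one.

# effective_value FILE KEYWORD -> prints the first global value of KEYWORD
effective_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        $1 == "" || substr($1, 1, 1) == "#" { next }   # blank or comment line
        tolower($1) == "match" { inmatch = 1; next }    # global section is over
        inmatch { next }                                # skip Match-block lines
        tolower($1) == key { print $2; exit }           # first occurrence wins
    ' "$1"
}

# audit_sshd FILE -> returns 0 only if root SSH logins are explicitly disabled
audit_sshd() {
    val=$(effective_value "$1" PermitRootLogin)
    case "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" in
        no) echo "ok: PermitRootLogin no"; return 0 ;;
        "") echo "FAIL: PermitRootLogin not set, daemon default applies"; return 1 ;;
        *)  echo "FAIL: PermitRootLogin is '$val'"; return 1 ;;
    esac
}

# random_password [LENGTH] -> alphanumeric password (default 40 chars) for root
random_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-40}"
    echo
}

# Constructed sample configs (hypothetical, not real hosts)
GOOD_CFG=$(mktemp) ; BAD_CFG=$(mktemp)
cat >"$GOOD_CFG" <<'EOF'
# constructed sample: hardened
PermitRootLogin no
EOF
cat >"$BAD_CFG" <<'EOF'
# constructed sample: the later "no" and the Match-block "no" do not help
permitrootlogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin no
EOF
audit_sshd "$GOOD_CFG"
audit_sshd "$BAD_CFG" || true
printf 'new root password: %s\n' "$(random_password)"
```

On a live host, point `audit_sshd` at /etc/ssh/sshd_config (or better, at the output of `sshd -T`, which already resolves the effective values).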