> On Jul 28, 2015, at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote: > > On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote: >> >>> On Jul 28, 2015, at 11:27, Warren Young <wyml at etr-usa.com> wrote: >>> >>> So no, your local password quality policy is not purely your own concern. >> >> Other than DDoS which is a problem of engineering design of how the network operates (untrusted anything can talk to untrusted anything) > > I’m not sure how you mean that comment. > > If you’re saying that the Internet is badly designed and that we need to rip it up and replace it before we can address DDoSes, you’re trying to boil the ocean. We have real-world practical solutions available to us that do not require a complete redesign of the Internet. One of those is to tighten down CentOS boxes so they don’t get coopted into botnets. > > If instead you’re saying that DDoSes are solvable with “just” a bit of engineering, then that’s wrong, too. It takes a really big, expensive slice of a CDN or similar to choke down a large DDoS attack. I do not accept that as a necessary cost of doing business. That’s like a 1665 Londoner insisting that city planning can only be done with close-packed wooden buildings. > > I don’t believe that the Internet must go through the equivalent of the Great Fire of 1666 before we can put our critical tech onto a more survivable foundation. You accepted that risk the day you put a public machine on it. He who has the most bandwidth, wins, in a DDoS. It’s the very nature of the network design. Anyone who can fill your pipe with garbage can take you offline until they stop. You can ask for help from the carriers and see how far you get, but the inherent risk was there from day one and you choose to play. >> what “risk” is created to other people’s machines who have done appropriate security measures by a cracked machine owned by an idiot > > Resource waste is enough by itself. How many billions of dollars goes into extra bandwidth, CDN fees, security personnel, security appliances, etc., all to solve a problem that is not necessary to the design of the Internet in the first place? > > Back before the commercialization of the Internet, if your box was found to be attempting to DoS another system, you’d be cut off the Internet. No appeal, no mercy. It’s all /dev/null for you. > > Now we have entrenched commercial interests that get paid more when you get DDoS’d. I’ll give you one guess what happens in such a world. What happens? Folks have to think harder about connecting stuff to a worldwide untrusted, and generally unfiltered network? One word: “Duh." > >> easily handled in minutes, if not seconds, by fail2ban? > > fail2ban isn’t in the stock package repo for CentOS 7, much less installed and configured default. Until it is, it’s off-topic for this thread. > > Mind, I’m all for fail2ban. If Fedora/Red Hat want to start turning it on by default, too, that’s great. Didn’t realize that. Brilliant move, removing it… (rolls eyes at RH)… > >> Equating this to “vaccination” is a huge stretch. > > Why? If you are unvaccinated and catch some preventable communicable disease, you begin spreading it around, infecting others. This is exactly analogous to a box getting pwned, joining a botnet, and attempting to pwn other boxes. > > When almost everyone is vaccinated, you get an effect called herd immunity, which means that even those few who cannot be vaccinated for some valid medical reason are highly unlikely to ever contract the disease because it cannot spread properly through the population. It’s not a disease. It’s someone using their machine for them because they’re too dumb to use a decent password. Nothing at all happens to the people who used decent passwords other than that aforementioned DDoS problem, which is completely unrelated. You’re making it sound like the OS should be responsible for dumb people… problem with that is, the dumber you let them be, the dumber they stay. And without any harm to the “neighbor” who “pre-vaccinated” I guess, in your world, but simply typing in a decent password, what’s the point? Let them lose data, and they’ll learn. >> It’s more like saying the guy who left his front door unlocked all day is a threat to the neighbor’s house. > > That’s only true in a world where you have armed gangs running through the streets looking for free fortifications from which to attack neighboring houses. That is the analogous situation to the current botnet problem. > > If that were our physical security situation today, then I would be advocating fortifying our physical dwellings, too. > > Thankfully, that is not the case where I live. > > The difference appears to be one of global society, rather than technology, but obviously we aren’t going to solve any of that here. Global society hasn’t changed, and neither has the network in decades. Why should the OS change to make people dumber? > >> You can’t “catch the insecure”… hahaha… it’s not a virus. > > Take an unvaccinated child on a long vacation to some 3rd world cesspit, then report back on how that worked out. No one reading this list is likely to be “unvaccinated”, but they’ll surely be annoyed if they need to install an “unvaccinated” machine on a properly secured network. Leave security to the end-user. The Internet has always been a meritocracy and using a decent password isn’t exactly a high bar to jump. It’s really none of the OS’s business. Nate