[CentOS] Fedora change that will probably affect RHEL

Thu Jul 30 19:35:39 UTC 2015
Chris Murphy <lists at colorremedies.com>

On Thu, Jul 30, 2015 at 12:20 PM, Warren Young <wyml at etr-usa.com> wrote:
> On Jul 29, 2015, at 5:40 PM, Chris Murphy <lists at colorremedies.com> wrote:
>>
>> On Wed, Jul 29, 2015 at 4:37 PM, Warren Young <wyml at etr-usa.com> wrote:
>>
>>> Security is *always* opposed to convenience.
>>
>> False.  OS X by default runs only signed binaries, and if they come
>> from the App Store they run in a sandbox. User gains significant
>> security with this, and are completely unaware of it. There is no
>> inconvenience.
>
> You must not use OS X regularly, else you’d know there is plenty of inconvenience in this policy.

Really, I must not, even though it's roughly 80/20 OS X to Fedora...


>  There’s a whole lot of good software that is both unsigned and not in the App Store.  Examples:

Spare me. The fact it is imperfect is meaningless to the discussion.
The original argument was that security increases always cause user
inconvenience. That is not true. Millions of users using tens of
thousands of applications in an ecosystem they see no problem with,
unaware that those applications are code signed, and no concern at all
about the alternatives. Good for them, they're safer than without code
signing and their life has not been made inconvenient as a result.

That this needs to be expanded, made easier, made more open, so that
it's not just customers using proprietary software who benefit from
stronger security measures with minimal usability impact.


>
>> What is the inconvenience of encrypting your device compared to the
>> security?
>
> I can’t hook my iPad up to my PC and browse it as just another filesystem, as I can with any other digital camera or MP3 player.  Apple must do this in order to prevent sideloading malicious apps.

OK one of us must have the self control to stop, because your
arguments are terrible and I'm losing patience.

What you just claimed has nothing to do with encryption. It has
everything to do with Apple simply not treating their devices as mass
storage devices, which they haven't done since forever - even without
encryption.

And Android is the same. Whether encrypted or not, it's not a mass
storage device, you can't mount the file system. It supports MTP,
whether encrypted or not. JFC....


>> I will not participate in security theatre
>
> Really?  You’re going to lay *that* card in this game?
>
> When you stretch words and phrases beyond their original meaning, they lose shape and utility.
>
> 6-9 character password limits are *not* "security theatre”.

Ok well I consider passwords that keep the dog out and probably most
family members to be security theater.

No fail2ban, no firewall rules, sshd by default, ChallengeResponseAuthentication
by default, and a 9 character (even random) passphrase, and that shit
is going to get busted into. Against a targeted attack by a botnet,
you need something stronger than a 9 character password, today. Let
alone 6 years from now.

Those other measures need to get better (PKA only, put it behind a
VPN). Not the password getting slightly longer.

ATMs and credit cards in the U.S. The weak link is the magnetic
stripe, not the 4 digit PIN. The enhancement for credit cards due this
year is not 5 or 6 digit PINs. It's EMV chips. And the end user will
be minimally affected in terms of usability, the security will be
vastly better than even if 5 or 6 digit PINs were employed and besides
no one would accept that anyway.

And that's where we are with computers and passwords.


> Meanwhile over here in CentOS land, you still see SSH password guessers banging on every public IP that responds to port 22.  Why?  Because it still occasionally works.  Increase the password strength minima, and this class of worm, too, will quickly die out.

No they just get better, like they have been, at an exponential rate
compared to our ability to recall login passwords.



>
>> Computers with strong passphrases still sometimes get pwned
>
> The occasional failure of a prophylactic measure does not tell you that you should discontinue its use.
>
>> and at a much higher rate than vaccines not working.
>
> I thought you threw out a 95% number for vaccine effectiveness above.  You are saying that more than 5% of all computers with strong passphrases are currently infected with something?  Prove it.


Define strong. Diceware puts the minimum for large botnet protection
at 5 word passphrases. 6 word passphrases for protection against a
government entity. Your idea of strong thus far is 9 characters which
seems to be b.s. today and certainly laughable in 6 years when we do
the autopsy on today's policy successes and failures.


> So your solution is to wait for unspecified innovations to come?  All these problems will go away in the indefinite future, so we should do nothing now?

I did say disable sshd by default, and several other suggestions many
of which could be done right now. That you gloss over this and turn it
into this pile of crap leading questions is fairly disqualifying in
debate. Each suggestion has greater security efficacy than a 2-3
character increase in password length.


-- 
Chris Murphy
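The thread argues about two things that are easy to put numbers on: how much a 9 character password, a "2-3 character increase", and a 5 or 6 word Diceware passphrase each buy an attacker guessing at sshd, and what the sshd_config changes the post keeps pointing at (public-key only, ChallengeResponseAuthentication off) actually look like. The block below is an added worked example, not code from the thread or from any of its participants. The alphabet sizes and the 7776-word Diceware list are standard; the online and offline guess rates are assumptions chosen for illustration, and the two sshd_config samples are constructed, not taken from any real host. The audit applies the OpenSSH defaults for directives that are absent, which is the caveat that matters: a stock sshd_config that never mentions PasswordAuthentication still accepts passwords.

```python
"""Added example for the CentOS thread: password-guessing budgets versus a
public-key-only sshd_config. Not code from the thread or its participants."""
import math

# --- Part 1: how big is the guessing space the attacker faces? -----------------
PRINTABLE_ASCII = 94      # all printable ASCII characters, drawn uniformly
LOWERCASE = 26
DICEWARE_LIST = 7776      # 6**5 entries in the standard Diceware word list


def entropy_bits(symbols, length):
    """Entropy of `length` symbols chosen uniformly from an alphabet of `symbols`."""
    return length * math.log2(symbols)


def years_to_exhaust(bits, guesses_per_second):
    """Expected years to hit a uniformly random secret of `bits` bits at a
    sustained guess rate; on average the attacker covers half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


def password_comparison(online_rate=1_000, offline_rate=10 ** 10):
    """Bits and expected years to crack for the sizes argued about in the thread.
    online_rate: ASSUMED aggregate guesses/s a botnet sustains against sshd.
    offline_rate: ASSUMED guesses/s against a leaked hash. Both are illustrative."""
    candidates = {
        "9 lowercase": entropy_bits(LOWERCASE, 9),
        "9 printable": entropy_bits(PRINTABLE_ASCII, 9),
        "12 printable": entropy_bits(PRINTABLE_ASCII, 12),   # the "2-3 char increase"
        "5 Diceware words": entropy_bits(DICEWARE_LIST, 5),
        "6 Diceware words": entropy_bits(DICEWARE_LIST, 6),
    }
    return {name: (round(bits, 1),
                   years_to_exhaust(bits, online_rate),
                   years_to_exhaust(bits, offline_rate))
            for name, bits in candidates.items()}


# --- Part 2: the weak sshd_config beside the hardened one ----------------------
WEAK_SSHD_CONFIG = """\
# Constructed sample resembling a stock sshd_config (not a real host's file)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
"""

HARDENED_SSHD_CONFIG = """\
# Constructed sample: public-key authentication only
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
"""

# Values that close off online password guessing, and the OpenSSH defaults that
# apply when the directive is absent (absent == password guessing still possible).
REQUIRED = {"passwordauthentication": "no",
            "challengeresponseauthentication": "no",
            "pubkeyauthentication": "yes"}
DEFAULTS = {"passwordauthentication": "yes",
            "challengeresponseauthentication": "yes",
            "pubkeyauthentication": "yes"}
# OpenSSH 8.7+ renamed ChallengeResponseAuthentication; treat both spellings alike.
ALIASES = {"kbdinteractiveauthentication": "challengeresponseauthentication"}


def parse_sshd_config(text):
    """First occurrence of a directive wins, as in sshd itself. Parsing stops at the
    first Match block, since its conditional overrides are out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)   # "Key value" or "Key=value"
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(ALIASES.get(key, key), value)
    return settings


def audit_sshd_config(text):
    """Return findings that leave the host open to online password guessing."""
    settings = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        actual = settings.get(key, DEFAULTS[key])
        if actual.lower() != wanted:
            findings.append(f"{key} is {actual} (want {wanted})")
    # Older OpenSSH defaulted PermitRootLogin to yes, so set it explicitly.
    if settings.get("permitrootlogin", "").lower() == "yes":
        findings.append("permitrootlogin is yes (want no or prohibit-password)")
    return findings


if __name__ == "__main__":
    for name, (bits, online, offline) in password_comparison().items():
        print(f"{name:18s} {bits:5.1f} bits  online {online:.3g} y  offline {offline:.3g} y")
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

The entropy figures are the ones the thread trades on: 9 random printable characters is about 59 bits, 5 Diceware words about 65, 6 words about 78, and the "2-3 character increase" to 12 printable characters lands near 79 bits. The audit's third sample case, a config that sets only PubkeyAuthentication, is the one to try on a real box: it reports two findings purely from defaults, which is why "PKA only" means adding explicit `no` lines rather than merely leaving password directives out.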