[CentOS] Fedora change that will probably affect RHEL

Tue Jul 28 22:37:05 UTC 2015
Nathan Duehr <denverpilot at me.com>


> On Jul 28, 2015, at 11:27, Warren Young <wyml at etr-usa.com> wrote:
> 
> On Jul 25, 2015, at 6:22 PM, Bob Marcan wrote:
>> 
>>   1FuckingPrettyRose
>> "Sorry, you must use no fewer than 20 total characters."
>> 1FuckingPrettyRoseShovedUpYourAssIfYouDon'tGiveMeAccessRightFuckingNow!
>> "Sorry, you cannot use punctuation."
>>   1FuckingPrettyRoseShovedUpYourAssIfYouDontGiveMeAccessRightFuckingNow
>> "Sorry, that password is already in use."
> 
> The new rules are nowhere near that stringent:
> 
>  http://manpages.ubuntu.com/manpages/trusty/man8/pam_pwquality.8.html
> 
>> Who thinks the password policy in my machines is my concern.
> 
> Much of the evil on the Internet today — DDoS armies, spam spewers, phishing botnets — is done on pwned hardware, much of which was compromised by previous botnets banging on weak SSH passwords.
> 
> Your freedom to use any password you like stops at the point where exercising that freedom creates a risk to other people’s machines.
> 
> In the previous thread on this topic, 6 months ago, I likened reasonable password strength minima to state-mandated vaccination.  Previously-defeated diseases have started to reappear as the antivax movement has gained momentum.  Polio came back in Pakistan, measles in California, and whooping cough in Australia, all within the last year or two.
> 
>  https://en.wikipedia.org/wiki/Vaccine_controversies
> 
> So no, your local password quality policy is not purely your own concern.


Other than DDoS, which is a problem of engineering design of how the network operates (untrusted anything can talk to untrusted anything), what “risk” is created to other people’s machines who have done appropriate security measures by a cracked machine owned by an idiot, that isn’t easily handled in minutes, if not seconds, by fail2ban?

Equating this to “vaccination” is a huge stretch.  It’s more like saying the guy who left his front door unlocked all day is a threat to the neighbor’s house.  Other than the perennial brokenness of a worldwide untrusted network piped straight into your home or business without an appropriate firewall and/or monitoring of said silly network, there’s almost zero risk at all to the “house next door with a deadbolt and security bars”.

You can’t “catch the insecure”… hahaha… it’s not a virus.  

--
Nate Duehr
denverpilot at me.com