[CentOS] Fedora change that will probably affect RHEL

Wed Jul 29 00:32:08 UTC 2015
Warren Young <wyml at etr-usa.com>

On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote:
>> On Jul 28, 2015, at 11:27, Warren Young <wyml at etr-usa.com> wrote:
>> So no, your local password quality policy is not purely your own concern.
> Other than DDoS which is a problem of engineering design of how the network operates (untrusted anything can talk to untrusted anything)

I’m not sure how you mean that comment.

If you’re saying that the Internet is badly designed and that we need to rip it up and replace it before we can address DDoSes, you’re trying to boil the ocean.  We have real-world practical solutions available to us that do not require a complete redesign of the Internet.  One of those is to tighten down CentOS boxes so they don’t get co-opted into botnets.

If instead you’re saying that DDoSes are solvable with “just” a bit of engineering, then that’s wrong, too.  It takes a really big, expensive slice of a CDN or similar to choke down a large DDoS attack.  I do not accept that as a necessary cost of doing business.  That’s like a 1665 Londoner insisting that city planning can only be done with close-packed wooden buildings.

I don’t believe that the Internet must go through the equivalent of the Great Fire of 1666 before we can put our critical tech onto a more survivable foundation.

> what “risk” is created to other people’s machines who have done appropriate security measures by a cracked machine owned by an idiot

Resource waste is enough by itself.  How many billions of dollars go into extra bandwidth, CDN fees, security personnel, security appliances, etc., all to solve a problem that is not necessary to the design of the Internet in the first place?

Back before the commercialization of the Internet, if your box was found to be attempting to DoS another system, you’d be cut off the Internet.  No appeal, no mercy.  It’s all /dev/null for you.

Now we have entrenched commercial interests that get paid more when you get DDoS’d.  I’ll give you one guess what happens in such a world.

> easily handled in minutes, if not seconds, by fail2ban?

fail2ban isn’t in the stock package repo for CentOS 7, much less installed and configured by default.  Until it is, it’s off-topic for this thread.

Mind, I’m all for fail2ban.  If Fedora/Red Hat want to start turning it on by default, too, that’s great.

> Equating this to “vaccination” is a huge stretch.

Why?  If you are unvaccinated and catch some preventable communicable disease, you begin spreading it around, infecting others.  This is exactly analogous to a box getting pwned, joining a botnet, and attempting to pwn other boxes.

When almost everyone is vaccinated, you get an effect called herd immunity, which means that even those few who cannot be vaccinated for some valid medical reason are highly unlikely to ever contract the disease because it cannot spread properly through the population.

> It’s more like saying the guy who left his front door unlocked all day is a threat to the neighbor’s house.

That’s only true in a world where you have armed gangs running through the streets looking for free fortifications from which to attack neighboring houses.  That is the analogous situation to the current botnet problem.

If that were our physical security situation today, then I would be advocating fortifying our physical dwellings, too.

Thankfully, that is not the case where I live.

The difference appears to be one of global society, rather than technology, but obviously we aren’t going to solve any of that here.

> You can’t “catch the insecure”… hahaha… it’s not a virus.

Take an unvaccinated child on a long vacation to some 3rd world cesspit, then report back on how that worked out.

    “Like every other creature on the face of the earth,
     Godfrey was, by birthright, a stupendous badass, albeit
     in the somewhat narrow technical sense that he could
     trace his ancestry back up a long line of slightly less
     highly evolved stupendous badasses to that first self-
     replicating gizmo — which, given the number and variety
     of its descendants, might justifiably be described as
     the most stupendous badass of all time. Everyone and
     everything that wasn't a stupendous badass was dead.” 

     ― Neal Stephenson, Cryptonomicon

We don’t have time to wait for CentOS to become autonomous and evolve its own badass immune system.  We have to give it one ourselves.