[CentOS] Fedora change that will probably affect RHEL

Wed Jul 29 20:15:25 UTC 2015
Warren Young <wyml at etr-usa.com>

On Jul 28, 2015, at 8:50 PM, Chris Murphy <lists at colorremedies.com> wrote:
> On Tue, Jul 28, 2015 at 6:32 PM, Warren Young <wyml at etr-usa.com> wrote:
>> On Jul 28, 2015, at 4:37 PM, Nathan Duehr <denverpilot at me.com> wrote:
>>> Equating this to “vaccination” is a huge stretch.
>> Why?
> It's not just an imperfect analogy it really doesn't work on closer scrutiny.

Every analogy will break down if you look too closely.  The question is, is it a *useful* analogy?

> ...a login password is...about
> user authentication...not...meant or designed to provide
> immunity from malware.

Fine.  If you want to be picky, a better analogy to a good password and reasonable limits on SSH logins is a healthy integument and healthy cell walls.

Has that changed any of the conclusions about bad passwords?  No.  Therefore we have succeeded in clarifying nothing except our application of biology, which is interesting, but not on topic here.

> That we're trying to use it to prevent
> infections is more like putting ourselves into bubbles; and humans put
> into bubbles for this reason are called immune compromised.

Now it is you who are off the rails.  The hygiene hypothesis explains a great deal about human disease because we have an active immune system to deal with an evolving set of biological challenges.

CentOS’s immune system doesn’t get stronger purely by subjecting it to more attacks.  It improves only through human intervention.

> So this push to depend on stronger passwords just exposes how "immune
> compromised" we are in these dark ages of computer security.

While true, that doesn’t tell us that it is a good idea to allow weak passwords.

If you will allow me to return to biology, it’s like saying that prophylaxis is a bad idea because it points out how imperfect our immune systems are.  Stop covering your face when you sneeze, stop using condoms, stop going to the dentist: we need stronger humans, so let’s evolve some!

> There are
> overwhelmingly worse side effects of password dependency than
> immunization.

That seems like a falsifiable statement, so I expect you will be able to point to a scientific paper that supports that assertion.

> And also, a large percent of malware doesn't even depend on brute
> force password attacks.

So let’s dial back my previous proposal.  We’ll just stop using dental prophylaxis, then, because it doesn’t prevent the contraction of oral STIs.

Just because one particular method of prophylaxis fails to protect against all threats doesn’t mean we should stop using it, or increase its strength.