On Jul 28, 2015, at 4:37 PM, Nathan Duehr <[email protected]> wrote:
>
>> On Jul 28, 2015, at 11:27, Warren Young <[email protected]> wrote:
>>
>> So no, your local password quality policy is not purely your own concern.
>
> Other than DDoS, which is a problem of engineering design of how the network
> operates (untrusted anything can talk to untrusted anything)
I’m not sure how you mean that comment.
If you’re saying that the Internet is badly designed and that we need to rip it
up and replace it before we can address DDoSes, you’re trying to boil the
ocean. We have real-world practical solutions available to us that do not
require a complete redesign of the Internet. One of those is to tighten down
CentOS boxes so they don’t get co-opted into botnets.
If instead you’re saying that DDoSes are solvable with “just” a bit of
engineering, then that’s wrong, too. It takes a really big, expensive slice of
a CDN or similar to choke down a large DDoS attack. I do not accept that as a
necessary cost of doing business. That’s like a 1665 Londoner insisting that
city planning can only be done with close-packed wooden buildings.
I don’t believe that the Internet must go through the equivalent of the Great
Fire of 1666 before we can put our critical tech onto a more survivable
foundation.
> what “risk” is created to other people’s machines who have done appropriate
> security measures by a cracked machine owned by an idiot
Resource waste is enough by itself. How many billions of dollars go into
extra bandwidth, CDN fees, security personnel, security appliances, etc., all
to solve a problem that is not necessary to the design of the Internet in the
first place?
Back before the commercialization of the Internet, if your box was found to be
attempting to DoS another system, you’d be cut off the Internet. No appeal, no
mercy. It’s all /dev/null for you.
Now we have entrenched commercial interests that get paid more when you get
DDoS’d. I’ll give you one guess what happens in such a world.
> easily handled in minutes, if not seconds, by fail2ban?
fail2ban isn’t in the stock package repo for CentOS 7, much less installed and
configured by default. Until it is, it’s off-topic for this thread.
Mind, I’m all for fail2ban. If Fedora/Red Hat want to start turning it on by
default, too, that’s great.
> Equating this to “vaccination” is a huge stretch.
Why? If you are unvaccinated and catch some preventable communicable disease,
you begin spreading it around, infecting others. This is exactly analogous to
a box getting pwned, joining a botnet, and attempting to pwn other boxes.
When almost everyone is vaccinated, you get an effect called herd immunity,
which means that even those few who cannot be vaccinated for some valid medical
reason are highly unlikely to ever contract the disease because it cannot
spread properly through the population.
> It’s more like saying the guy who left his front door unlocked all day is a
> threat to the neighbor’s house.
That’s only true in a world where you have armed gangs running through the
streets looking for free fortifications from which to attack neighboring
houses. That is the analogous situation to the current botnet problem.
If that were our physical security situation today, then I would be advocating
fortifying our physical dwellings, too.
Thankfully, that is not the case where I live.
The difference appears to be one of global society, rather than technology, but
obviously we aren’t going to solve any of that here.
> You can’t “catch the insecure”… hahaha… it’s not a virus.
Take an unvaccinated child on a long vacation to some 3rd world cesspit, then
report back on how that worked out.
“Like every other creature on the face of the earth,
Godfrey was, by birthright, a stupendous badass, albeit
in the somewhat narrow technical sense that he could
trace his ancestry back up a long line of slightly less
highly evolved stupendous badasses to that first self-replicating
gizmo — which, given the number and variety
of its descendants, might justifiably be described as
the most stupendous badass of all time. Everyone and
everything that wasn't a stupendous badass was dead.”
― Neal Stephenson, Cryptonomicon
We don’t have time to wait for CentOS to become autonomous and evolve its own
badass immune system. We have to give it one ourselves.
_______________________________________________
CentOS mailing list
[email protected]
http://lists.centos.org/mailman/listinfo/centos