
Schneier On Un-Authentication

CmdrTaco posted more than 4 years ago | from the gimme-back-my-keys dept.


Trailrunner7 writes "Bruce Schneier writes on Threatpost.com: 'In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.'"


336 comments

Effective way to keep screens locked (4, Funny)

stefanb (21140) | more than 4 years ago | (#29566669)

A bank I did some consulting work for had a very effective cultural rule to force people to lock their machines when they left their desks: if you find an unlocked machine, pull up the email client and send a message to everyone: "today's my birthday, drinks on me after work!" (other NSFW messages left to the reader's imagination.)

Apparently, very few people left their machines unlocked more than once...

Re:Effective way to keep screens locked (1, Insightful)

Opportunist (166417) | more than 4 years ago | (#29566785)

This is brilliant!

Or it would be if I, as the sysadmin, couldn't easily send email in anyone's name...

Re:Effective way to keep screens locked (1)

suso (153703) | more than 4 years ago | (#29567691)

Who says you need to be the sysadmin? Since email is insecure and most people can't read headers anyways, anyone could do that from their own system.

Re:Effective way to keep screens locked (0)

Anonymous Coward | more than 4 years ago | (#29566849)

A bank I did some consulting work for had a very effective cultural rule to force people to lock their machines when they left their desks: if you find an unlocked machine, pull up the email client and send a message to everyone: "today's my birthday, drinks on me after work!" (other NSFW messages left to the reader's imagination.)

$ (sleep 600 ; cat sally.au > /dev/audio) &
$ clear

Ah, undergrad computer labs with Sun workstations...

Re:Effective way to keep screens locked (0, Offtopic)

suso (153703) | more than 4 years ago | (#29567809)

Just curious what sally.au is? Can't find it online.

Re:Effective way to keep screens locked (0)

Anonymous Coward | more than 4 years ago | (#29566881)

Screen Saver - On Resume Password Protect

Then no one needs to think!

Re:Effective way to keep screens locked (2, Insightful)

clone53421 (1310749) | more than 4 years ago | (#29567071)

All that means is I have to watch for you leaving and get there before the screen saver kicks in.

Re:Effective way to keep screens locked (2, Insightful)

DevStar (943486) | more than 4 years ago | (#29566909)

We used to do the same thing at my job, until someone quoted the employee guide to point out that using someone else's computer without permission was against company policy and potentially a firing offense. That ended that.

Re:Effective way to keep screens locked (2, Interesting)

Ephemeriis (315124) | more than 4 years ago | (#29566931)

The bank in one of our local grocery stores has frighteningly lax security...

There's a computer running Windows XP there, against the back wall, with the screen in plain view of anyone walking by. It is pretty much always on and always logged in, sitting at the Windows XP desktop. Usually with a couple programs minimized in the taskbar. It's also got a desktop wallpaper set with BGINFO, so it's displaying the computer name and IP address and whatever else.

The grocery store itself stays open long after the bank closes, and that computer is sitting there logged in and vulnerable. I don't know how many people (dozens? a hundred?) walk past it in a night. There's no security gate or anything, so somebody could probably just vault over the countertop and do something malicious if they wanted to... The security cameras would probably pick that up, but it might be too late. Of course there's a distinct possibility you wouldn't even need to do that... You might be able to get something useful just by standing at one of the checkout lines and snapping pictures with a decent digital camera.

And there's a couple more computers set up with their backs towards the customer... I assume these are for tellers to sit down and consult with people. They're set up kind of like a private consultation booth or something - maybe for folks looking to discuss a loan or whatever.

These two computers are literally sitting on the counter top with their backs towards the customer. Sure, you can't see the screen, which is an improvement... But I bet you could slip on a hardware keylogger without looking too suspicious. People are constantly walking through or idling there, waiting for someone to finish up in the store.

Re:Effective way to keep screens locked (1, Insightful)

Anonymous Coward | more than 4 years ago | (#29567275)

There's one of those at my local Kroger store, a Regions, I think. They've got the exact same setup.

I asked about it once, they said they weren't worried: If the grocery employees didn't notice or care, walking behind the counter would trigger the alarm, plus that XP machine just had regular internet access anyway: Bankers logged into a https site to enter loan applications. I could imagine getting in and out quickly enough to install a keylogger maybe, but that's it.

I suppose if you want to go to jail for browsing myspace though, that's your prerogative.

Re:Effective way to keep screens locked (0, Flamebait)

commodore64_love (1445365) | more than 4 years ago | (#29566951)

>>>if you find an unlocked machine, pull up the email client and send a message to everyone: "today's my birthday, drinks on me after work!"

When I was in college, I used to get free printouts from people who left their computers turned-on and logged-in. For example I was part of a club that ran off ~1000 flyers each month to advertise various events. I would create the flyers in advance and then simply carry a disk around until I saw a turned-on computer. I would surf the net for a half hour, waiting to see if the delinquent student, and if not then I'd start printing.

I bet after mommy/daddy received the $100 bill, that student learned not to walk away until the computer was OFF.

Re:Effective way to keep screens locked (5, Insightful)

MyLongNickName (822545) | more than 4 years ago | (#29566971)

So, you are a thief?

Re:Effective way to keep screens locked (-1, Troll)

commodore64_love (1445365) | more than 4 years ago | (#29567295)

No. What I did was no more stealing than when you (and lots of other people) download movies, songs, or tv shows. It's not real property - it's just internet data.

Think about it. If I'm right - it's not stealing. If you're right, then it is stealing and so too is downloading/bittorrenting and you too are a thief. (ponder) Ooops.

Re:Effective way to keep screens locked (3, Insightful)

MyLongNickName (822545) | more than 4 years ago | (#29567417)

No, moron, you are basically having a charge appear on someone else's account for services you got.

And the services are not purely electronic. You got a service that really cost someone else money.

And on top of that, you assume I download music/other files illegally. I don't.

So, not only are you a thief, but you are not very bright. And you jump to conclusions that are not supported by the facts.

Re:Effective way to keep screens locked (-1, Troll)

commodore64_love (1445365) | more than 4 years ago | (#29567539)

>>>having a charge appear on someone else's account for services you got.

Sooooo just like when you block ads on various websites, and you make a charge appear on that webowner's account for services you took.

>>>you assume I download music/other files illegally. I don't.

I don't believe you. At some point whether now or over the last two decades, I bet you took a song, movie, or tv show without paying the original owner. Not that I really care because I do it myself. My point is this: If you believe you are without sin, then you are mistaken, so maybe you ought to put down that stone.

Re:Effective way to keep screens locked (5, Insightful)

MyLongNickName (822545) | more than 4 years ago | (#29567657)

Hi Commodore,

You again make assumptions about my behavior. I can quite honestly tell you I have not done any of the above except ad blocking, which is neither illegal nor amoral.

You again fail to see the very obvious. You charged your services to someone else's account. This isn't complicated.

As far as my "sinning", yes I have done things I wish I hadn't. However, you come here bragging about what you have done, and then continue to justify your actions using absolutely moronic logic. If you want to follow your "sin" analogy, then you have not "repented". While you are unrepentant, you are to be treated as though you are an outsider, shunned and ignored.

The bottom line is that you stole from the people you did this to.

Re:Effective way to keep screens locked (1)

xalorous (883991) | more than 4 years ago | (#29567785)

Actually ad-blocking is amoral, but not immoral. Try a dictionary. Hell, use google if you have to.

Re:Effective way to keep screens locked (0, Troll)

commodore64_love (1445365) | more than 4 years ago | (#29567865)

Yes well... I was 17 and stupid. I wasn't really thinking about the consequences of my actions - I just thought "free paper!" and went to work causing about two hundred in damages. I obviously wouldn't do the same thing today. ...

Unless it was Bank of America. I wouldn't have any qualms sticking-it to that corrupt organization, especially after they stole 20 billion in bailout money from taxpayer wallets*...... stupid thieves. Plus they charged me a $30 "underlimit fee" on my account that I had emptied last month and asked them to close that same day. Grrrr. If they had closed it when I asked them to close it, there wouldn't be a fine.

* legalized theft is still theft

Re:Effective way to keep screens locked (3, Insightful)

Velorium (1068080) | more than 4 years ago | (#29567423)

Well see here, you actually created a charge for somebody else to pay. The first thing of know-how to piracy is that stealing is removing an item (what you did). Piracy is making a copy of an item (downloading). If you're trying to justify actually stealing something, do so in a way that's at least somewhat logical.

Re:Effective way to keep screens locked (-1, Troll)

commodore64_love (1445365) | more than 4 years ago | (#29567627)

>>>you actually created a charge for somebody else to pay.

That's true. Likewise the production of a song or movie "creates a charge" on somebody's account which they have to pay. And you've taken that item without compensating them for that charge, so really it's no different than what I did back in 1990.

Re:Effective way to keep screens locked (2)

bsharp8256 (1372285) | more than 4 years ago | (#29567425)

No. What I did was no more stealing than when you (and lots of other people) download movies, songs, or tv shows. It's not real property - it's just internet data.

Think about it. If I'm right - it's not stealing. If you're right, then it is stealing and so too is downloading/bittorrenting and you too are a thief. (ponder) Ooops.

You can't make that comparison. Internet data may or may not be real property, but paper, ink, and parents' money IS real property. If you didn't have permission to use it, it is stealing.

Re:Effective way to keep screens locked (0)

Anonymous Coward | more than 4 years ago | (#29567467)

Except that you took physical property -- large amounts of ink and paper -- that cost someone actual money. Nice troll though.

Re:Effective way to keep screens locked (5, Insightful)

cbiltcliffe (186293) | more than 4 years ago | (#29567487)

How is using physical paper and toner paid for by someone else with their money the same as downloading a digital version of a movie that you already have the VHS for, but it got chewed up when your VCR died?

There's a very good reason why the laws of virtually every country in the world DO NOT consider downloading data to be theft.

Because it's not.

It's copyright infringement.

I'm not saying it's right, or justified, or anything to do with the moral right or wrong of it. If you come out with a comment about how I'm a scofflaw just because I don't think it's stealing, you've just shown your own immaturity, and complete lack of awareness of the situation, as well as sheer arrogance in putting words in my mouth.

The simple legal fact is, the two are not connected in any way, regardless of entertainment industry propaganda.

Re:Effective way to keep screens locked (0)

Anonymous Coward | more than 4 years ago | (#29567677)

I can't work out whether you're an idiot or a troll. Keep posting, though, because you give me a hearty laugh either way.

Re:Effective way to keep screens locked (1)

nacturation (646836) | more than 4 years ago | (#29567755)

And that several reams of paper and new toner that someone had to physically replace? Your analogy would be correct if you received 1000 PDFs, but you received a physical product that costs real money to produce.

On top of that, if the club reimbursed you for the printing costs then that's fraud as well. Or were they complicit in this scheme to rip others students off?

Re:Effective way to keep screens locked (1)

aardwolf64 (160070) | more than 4 years ago | (#29566979)

I did that, but I usually IM'd the boss with something wacky... like "Man, I'm soooo drunk right now. :-)"

Re:Effective way to keep screens locked (5, Funny)

aardwolf64 (160070) | more than 4 years ago | (#29566997)

Of course, the fun rose exponentially when two people had their machines unlocked. I would frequently carry on a whole phantom conversation.

"Hey, let's go to lunch tomorrow"
"I can't, I have to wax my hamster"
"I didn't know you had a hamster"
"..."

Re:Effective way to keep screens locked (1, Funny)

Anonymous Coward | more than 4 years ago | (#29567389)

I make a screenshot of the desktop and use that as new wallpaper.

Re:Effective way to keep screens locked (3, Funny)

HAKdragon (193605) | more than 4 years ago | (#29567529)

The real fun is to create a new folder before doing the screenshot and then deleting it right after.

Re:Effective way to keep screens locked (0)

Anonymous Coward | more than 4 years ago | (#29567751)

Or taking the shot, then moving the icons into a folder, so everything becomes unmoveable.

I used to find computers on my campus network that had their whole C drive shared without passwords (ah, good ol' Win98). If I did find something like that, I'd leave a txt file in the startup folder to let the idiot know they could be crashed without warning because they left everything open, and gave them instructions on how to close the door.

Though, sometimes it was just fun to put shortcuts to goatse.cx in their startup folder instead.

Enterprise level security policies (0)

Anonymous Coward | more than 4 years ago | (#29567569)

Just force all machines to have password-protected screen savers. You can enforce that at an enterprise level so users can't disable it.

Much kinder than public humiliation, and safer too since it doesn't rely on someone else noticing.

How do you un-authenticate? (1, Informative)

Anonymous Coward | more than 4 years ago | (#29566675)

By disconnecting. Problem solved. Next story, please.

Re:How do you un-authenticate? (4, Insightful)

spydabyte (1032538) | more than 4 years ago | (#29567291)

You're the first person to address the real issue he's talking about and not the simple example of leaving a computer unlocked.

Think of a remote connection to Remote Desktop for Windows. When does the server know when to sever the connection? Is it after some time delay of minimal activity? If it's left authenticated for time X, and the ability for the traffic to be hijacked is Y, are X and Y proportional?

It's not as simple as I walk away from a physical machine anymore. My favorite is when an application doesn't close when you press the X in Windows (upper right) or OS X (upper left). Its connections are still left open, leaving authentication on opening the application worthless.

Re:How do you un-authenticate? (2, Insightful)

Stormwatch (703920) | more than 4 years ago | (#29567665)

My favorite is when an application doesn't close when you press the X in windows (upper right) or OS X (upper left).

On a Mac, that closes the window, but the application is still running.

I lock my computer when I walk away (2, Informative)

yincrash (854885) | more than 4 years ago | (#29566685)

ctl + alt + del -> k on windows, and ctrl + alt + l on ubuntu. that's all. a lot of offices also have windows security policies set to lock the screen after 5 minutes idle.

Re:I lock my computer when I walk away (4, Informative)

Deag (250823) | more than 4 years ago | (#29566721)

I'll save you a keystroke, windows-L works too.

Re:I lock my computer when I walk away (1, Informative)

Anonymous Coward | more than 4 years ago | (#29566731)

Yup. And/or hopefully your competent sysadmins have configured (and locked down the ability to change) the screensaver timeout to a reasonable threshold of 15 minutes or so.

Re:I lock my computer when I walk away (1)

Geoffrey.landis (926948) | more than 4 years ago | (#29566901)

Actually, I find this extremely annoying, since they have also mandated complicated and impossible-to-remember passwords that take a long time to type and have to be changed to different complicated and un-rememberable passwords on a frequent basis.

Re:I lock my computer when I walk away (1)

Ohrion (814105) | more than 4 years ago | (#29567363)

You find this annoying? Why? Do you commonly sit next to your computer at work while doing absolutely nothing on it for extended periods of time?

Re:I lock my computer when I walk away (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#29567609)

That isn't at all an uncommon use case. There are certainly jobs where you are solidly on the computer all day; but getting up for 20 minutes to poke at the whiteboard, or have an extended conversation about something, or rearrange a recalcitrant piece of hardware, or work something out on paper, or take a phone call without background typing noises, isn't exactly a freakish event.

Re:I lock my computer when I walk away (1)

canajin56 (660655) | more than 4 years ago | (#29567765)

Just write it on a sticky note and stick it to your monitor. Problem solved!

Re:I lock my computer when I walk away (1)

Ephemeriis (315124) | more than 4 years ago | (#29566747)

ctl + alt + del -> k on windows

For XP and newer there's an even easier way...

WinKey + L

Instantly locks your computer.

Re:I lock my computer when I walk away (0, Flamebait)

MozeeToby (1163751) | more than 4 years ago | (#29566753)

Windows-L is even easier in Windows.

I would think this is the easiest security problem in the world to solve. If no activity for X minutes, lock the PC and send an email reminder to the user that says "Hey Dumbass, lock your PC when you leave".

Re:I lock my computer when I walk away (2, Informative)

MyLongNickName (822545) | more than 4 years ago | (#29566887)

If no activity for X minutes, lock the PC and send an email reminder to the user that says "Hey Dumbass, lock your PC when you leave".

Yeah, because I never sit at my desk for ten minutes on a phone call or reviewing paper notes.

Re:I lock my computer when I walk away (1)

Gi0 (773404) | more than 4 years ago | (#29567215)

Then make the lock at 11 minutes or u can give your mouse a click while u re talking.Doesnt sound that hard.U just have to adopt.

Re:I lock my computer when I walk away (2, Insightful)

MyLongNickName (822545) | more than 4 years ago | (#29567257)

I am more referring to the email part, not the lock part. Locking is fine. The automated email isn't.

And for god's sake, this is not AOL. Please don't type like you are.

Re:I lock my computer when I walk away (4, Funny)

Ephemeriis (315124) | more than 4 years ago | (#29567587)

Then make the lock at 11 minutes or u can give your mouse a click while u re talking.Doesnt sound that hard.U just have to adopt.

But... I don't want any more children.

Re:I lock my computer when I walk away (1)

TooMuchToDo (882796) | more than 4 years ago | (#29567705)

Ok. Use a webcam and memory resident software. See the big blob that is a person who is usually there walk away? Lock right away!

Re:I lock my computer when I walk away (1)

MyLongNickName (822545) | more than 4 years ago | (#29567805)

I believe similar technology is used in some high security installations. I believe it was someone from Diebold (new company name escapes me) that talked about this.

Re:I lock my computer when I walk away (1)

rwv (1636355) | more than 4 years ago | (#29566757)

Windows Button + L also locks your desktop on Windows (assuming you have a keyboard with the Windows button).

Re:I lock my computer when I walk away (1)

tlhIngan (30335) | more than 4 years ago | (#29566809)

ctl + alt + del -> k on windows

Other than Win-L, you can save yourself a hunt for the 'K' key and realize that "Lock Computer" is the first button in the "security dialog" that pops up. Ctrl-Alt-Del-Enter works far faster since Enter on the numpad works and is a convenient location to hit it whilst standing up.

Doesn't work for everyone (especially those where group policy disables lock) - but hitting enter to "Log Off" doesn't do anything disastrous until you hit it again (it pops up a dialog asking for confirmation).

Re:I lock my computer when I walk away (1)

pla (258480) | more than 4 years ago | (#29567343)

Doesn't work for everyone (especially those where group policy disables lock)

Okay, I realize you can disable locking via GP, but why would you? Most IT staffs fight with their users to lock their machines, or try to negotiate a reasonable timeout (I keep my own workstation at a timeout of one minute, with a lock-grace period of 15 seconds, so if it accidentally comes on while reading something, I can just bump the mouse without needing to reenter my password).

Not like the admins can't get into your machine when they need to anyway, which seems like the only possible reason for such a policy...

Then again, in fairness, the admins may well not know how to get into your account. I used to work for a multinational as an engineer, and once got into an argument with IT staff over an email asking for passwords so they could do maintenance at night. I responded that they should feel free to change my password to whatever they liked, but no, they could not have my normal password (I also explained that their request looked exactly like a classic phishing expedition, but can't claim to have actually managed to convince them of the error of their ways in that regard). This did not go over well, but I did "win" the battle (which went up a good three or four layers of management before someone sane noticed that it would take considerably more effort to maintain an up-to-date list of passwords than to simply reset them as (rarely) needed).

Re:I lock my computer when I walk away (1)

xalorous (883991) | more than 4 years ago | (#29567685)

The only reaction I can put into words is, "They're doing it wrong!"

If you're on my network I can see your stuff and the only person who knows your password had better be you.

Re:I lock my computer when I walk away (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#29567709)

Disabling locking makes more sense in multi-user lab environments than in one user/one desk setups.

Admins can always log users out; but having a few putzes lock their machines and wander away can substantially reduce the throughput of a public drop-in lab. For schools and the like, this is the primary motivation.

Now, a better solution would be to allow any user to log out a locked user, or have locked accounts automatically become eligible for one-click logout after x minutes, or a combination of the two; but checking the "disable lock" box is faster and easier (I'm not even sure if the nicer alternatives are supported).

Re:I lock my computer when I walk away (1)

cbiltcliffe (186293) | more than 4 years ago | (#29567543)

Other than Win-L, you can save yourself a hunt for the 'K' key and realize that "Lock Computer" is the first button in the "security dialog" that pops up.

Errm....
How crappy a typist do you have to be to have to "hunt" for the K key? It's not like it moves around on a frequent basis.....

Re:I lock my computer when I walk away (1)

vinson (147794) | more than 4 years ago | (#29567861)

What finger do you use to hit the del key in ctrl-alt-del? I use the middle finger and I bet a lot of people do. Guess where your index finger is as a side effect. Efficiency rules.

Re:I lock my computer when I walk away (1)

Patch86 (1465427) | more than 4 years ago | (#29567503)

Indeed. And the company I work for has an effective way of ensuring employees complete the above steps, too: if you don't, you get fired. Or a formal disciplinary, at any rate.

You'd be amazed how effective a method that is for ensuring "un-authentication". There's a 5 minute screensaver for good measure, and most network services on the intranet have a very short time-out.

What more do you need?

User education. (1)

millia (35740) | more than 4 years ago | (#29566729)

User education. It won't go away, you always need to do it, and for most users, you have to do it multiple times. Proximity systems may help, but...

For the record, on a winders machine, window-L. Two keystrokes, you're done. Well, mostly, but that'll keep most people out.

Incentives, too. (1)

SanityInAnarchy (655584) | more than 4 years ago | (#29567623)

Catch a coworker with their screen unlocked, get a small bonus.

Get caught that way more than x number of times, get fired. The pink slip is the most effective LART, when it's feasible to use it.

Oh, and make it easy. On KDE, ctrl+alt+l locks my screen. Logging out isn't much harder (win+backspace, then alt+l), but it's not significantly more secure, and it is less convenient (I have to close everything, and I have to watch the logout process to make sure it completes -- lock screen is instantaneous).

Easy fix already available (0)

Anonymous Coward | more than 4 years ago | (#29566773)

Just set it to have password protected screen saver.

Bad company policies then (1)

mcgrew (92797) | more than 4 years ago | (#29566805)

This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.

Sounds like lazy IT PHBs. At my company you're required to have a password-protected screen saver that kicks in after fifteen minutes, with policies set up so that you're automatically logged off an hour after your quitting time.

Re:Bad company policies then (1)

Ephemeriis (315124) | more than 4 years ago | (#29567069)

This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.

Sounds like lazy IT PHBs. At my company you're required to have a password-protected screen saver that kicks in after fifteen minutes, with policies set up so that you're automatically logged off an hour after your quitting time.

Yeah... I did that once...

It's easy enough to do, a couple clicks of the mouse. Group Policy lets you do all sorts of stuff. Set it up to lock the computers after about 15 minutes of inactivity, and log everyone off about an hour after closing time. Seemed like a great idea to me, especially since it was a medical office and they had expressed numerous concerns about security and confidentiality.

Then the screaming started. Folks would walk away from their computers and come back to a locked screen... But they wouldn't know how to log in. They didn't know what username and password to put in there because it looked ever so slightly different from what they saw when they first showed up in the morning. Or someone would walk away for an hour or two without logging off, and someone else would have to use their computer while they were gone. Or someone would want to quickly glance at some information, but the computer would be locked and they'd either have to unlock it themselves or find someone else to unlock it.

I sent around some emails explaining things. Detailed how long you could leave a machine idle before it locked. Explained which username and password to use. Made sure people had the ability to unlock other computers if they had to.

After about two days they made me disable those policies. They didn't even want the account to automatically log off after work, because it was easier to leave everything up and running overnight and come back to it in the morning...
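The lock-on-idle policy that the "Enterprise level security policies" poster, pla (timeout plus grace period) and Ephemeriis (Group Policy lock after 15 minutes, log off after hours) describe, and the Remote Desktop session limits spydabyte asks about, are all backed by registry values that Group Policy writes. The script below is an added example, not code from the thread or from Schneier's piece: it audits those values on the local machine against a baseline and, with -Fix, writes the baseline. The registry paths are the documented policy locations; the baseline figures (15 minutes idle, 15 seconds grace, 60 minutes for a disconnected RDP session) are taken from the posters' own numbers and are parameters, not recommendations from the page.

```powershell
# Added example (not from the thread): audit the Group Policy-backed registry
# values behind "Enable screen saver", "Password protect the screen saver",
# "Screen saver timeout", Winlogon's grace period and the Remote Desktop
# session limits, and optionally bring them to a baseline.
# HKCU values describe the current user; the HKLM writes need an elevated prompt.
[CmdletBinding()]
param(
    [int]$MaxIdleSeconds         = 900,  # 15 minutes, the figure several posters use
    [int]$GraceSeconds           = 15,   # "bump the mouse" window before the lock bites
    [int]$RdpIdleMinutes         = 15,   # idle RDP session is disconnected after this
    [int]$RdpDisconnectedMinutes = 60,   # disconnected session is logged off after this
    [switch]$Fix
)

$desktopPolicy = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$winlogon      = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$rdpPolicy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent instead of throwing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Set-RegValue([string]$Path, [string]$Name, $Value, [string]$Type) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type $Type
}

$findings = @()

# Screen saver policy: enforced, password protected, timeout within the baseline.
if ((Get-RegValue $desktopPolicy 'ScreenSaveActive') -ne '1')    { $findings += 'screen saver not enforced' }
if ((Get-RegValue $desktopPolicy 'ScreenSaverIsSecure') -ne '1') { $findings += 'screen saver not password protected' }
$timeout = Get-RegValue $desktopPolicy 'ScreenSaveTimeOut'
if (-not $timeout -or [int]$timeout -lt 1 -or [int]$timeout -gt $MaxIdleSeconds) {
    $findings += "screen saver timeout is '$timeout', baseline is 1..$MaxIdleSeconds s"
}

# Winlogon grace period: seconds after the saver starts during which dismissing
# it needs no password. 0 locks immediately; pla's 15 s is the "bump the mouse" window.
$grace = Get-RegValue $winlogon 'ScreenSaverGracePeriod'
if ($grace -and [int]$grace -gt $GraceSeconds) {
    $findings += "screen saver grace period is $grace s, baseline is <= $GraceSeconds s"
}

# Remote Desktop limits (milliseconds; 0 or absent means no limit): how long an
# idle session stays authenticated before the server disconnects it, and how
# long a disconnected session lingers, still logged in, before it is logged off.
$rdpIdle = Get-RegValue $rdpPolicy 'MaxIdleTime'
if (-not $rdpIdle -or [int64]$rdpIdle -gt $RdpIdleMinutes * 60000) {
    $findings += "RDP idle limit is '$rdpIdle' ms, baseline is <= $RdpIdleMinutes min"
}
$rdpDisc = Get-RegValue $rdpPolicy 'MaxDisconnectionTime'
if (-not $rdpDisc -or [int64]$rdpDisc -gt $RdpDisconnectedMinutes * 60000) {
    $findings += "RDP disconnected-session limit is '$rdpDisc' ms, baseline is <= $RdpDisconnectedMinutes min"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: lock and session-limit policy meets baseline'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}

if ($Fix -and $findings.Count -gt 0) {
    # The desktop policy values are REG_SZ strings, as gpedit / GPO writes them.
    Set-RegValue $desktopPolicy 'ScreenSaveActive'       '1'               'String'
    Set-RegValue $desktopPolicy 'ScreenSaverIsSecure'    '1'               'String'
    Set-RegValue $desktopPolicy 'ScreenSaveTimeOut'      "$MaxIdleSeconds" 'String'
    Set-RegValue $winlogon      'ScreenSaverGracePeriod' "$GraceSeconds"   'String'
    Set-RegValue $rdpPolicy 'MaxIdleTime'          ($RdpIdleMinutes * 60000)         'DWord'
    Set-RegValue $rdpPolicy 'MaxDisconnectionTime' ($RdpDisconnectedMinutes * 60000) 'DWord'
    Write-Output 'Applied baseline; a fresh logon or gpupdate /force makes it take effect'
}
```

Two caveats a practitioner would check alongside this. A domain GPO overwrites these values at the next refresh, so on a domain-joined machine the audit is the useful part and the fix belongs in the GPO, not in the local registry. And the screen saver timeout only locks anything when a saver is actually selected; newer Windows versions also offer the machine inactivity limit under Security Options, which locks without a screen saver and is worth auditing in the same pass.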

Re:Bad company policies then (1)

zippthorne (748122) | more than 4 years ago | (#29567413)

You got that in writing, right? So you have some lawsuit insurance when someone figures out how easy it would be to steal some identifying information and they blame the IT guy?

Re:Bad company policies then (1)

SanityInAnarchy (655584) | more than 4 years ago | (#29567675)

Or someone would walk away for an hour or two without logging off, and someone else would have to use their computer while they were gone.

Doesn't windows support multiple sessions, these days? Leave their session alone and log in to yours. "Switch user", I think it's called.

They didn't even want the account to automatically log off after work, because it was easier to leave everything up and running overnight and come back to it in the morning...

What about automatically locking, at least?

But yes, I agree with zippthorne -- get it in writing, especially if you can get them to sign something along the lines of "I understand that this will significantly decrease security, below what many professionals consider to be acceptable."

Electronic Noses ... (1)

foobsr (693224) | more than 4 years ago | (#29566819)

... that would detect if the logged in user is around would probably solve the problem. Automatic locking of the screen is a nightmare if you have other things to do (phone etc.) but in case you need the computer immediately.

CC.

Re:Electronic Noses ... (1)

j_sp_r (656354) | more than 4 years ago | (#29567285)

I set my screensaver to appear after 5 minutes, and then lock after 10 seconds. If I see the screensaver starting I just touch the mouse and I can snooze another 5 minutes. Don't know if it works with Windows, but I like the (KDE) option very much.

Re:Electronic Noses ... (2, Interesting)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#29567779)

If you are running KDE, and want proximity detection, you can set it up to listen for your phone's bluetooth radio and lock/unlock in response to the absence/presence of that signal.

Kbluelock.

Smartcards (1)

gilesjuk (604902) | more than 4 years ago | (#29566845)

In organisations where data is sensitive they use smartcards.

If you make the same smartcard open the doors to the building then you ensure that nobody will leave it in their PC while they go out for a break.

Re:Smartcards (0)

Anonymous Coward | more than 4 years ago | (#29566921)

Unless they go with Jim and he brings his...

applies the burninator (1)

Tim4444 (1122173) | more than 4 years ago | (#29566919)

When people at the office leave their systems unlocked we see a teachable moment. Choose from any number of good techniques and have some fun. Some good ones include changing the keyboard layout, installing keyloggers, switching their homepage to something horribly inappropriate, impersonating them on IM. Interestingly enough, most people learn fast after that.

Article states the obvious (2, Insightful)

jbezorg (1263978) | more than 4 years ago | (#29566925)

Designing systems for usability is hard, especially when security is involved.

Meh.. I was hoping for some deeper insights than that.

Solutions that work, but are too bulky. (5, Informative)

Animats (122034) | more than 4 years ago | (#29567049)

Back before ease of use eclipsed security, I once encountered a military system where the access terminal was surrounded by a small fence. Opening the gate in the fence forced an immediate logout.

Nobody would tolerate that today. Except, maybe, for an ATM.

Re:Solutions that work, but are too bulky. (1)

greed (112493) | more than 4 years ago | (#29567747)

There's a local catalogue store that has a neat system. They've got paper catalogues and merchandise on display, like most such stores, and you fill out a paper form and bring it to an order taker to get the stuff you want.

But you can also use an in-store computer terminal and use your member ID to get a ready-to-scan completed order form, plus it's already done the inventory verification step.

To protect your personal info, you must stand on a rubber pressure mat like they used to have for opening grocery store doors. When you step off the mat, it wipes the session and brings the machine back to the "Please stand on mat to start a session" logo screen.

You still have to trust that they actually work, but you're handing your membership info over to the store if you want to buy something anyway....

I could see something similar triggering a screen locker instead. Get up off your desk chair for more than 5 seconds and the screen locks.

Re:Solutions that work, but are too bulky. (3, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#29567817)

Trouble is, anywhere except a building full of guys with guns, you would also have encountered an ingenious arrangement of paper clips and/or packing tape holding the door sensor permanently in the closed position...

Reauthenticate when suspicious (3, Interesting)

Geoffrey.landis (926948) | more than 4 years ago | (#29567075)

Requiring re-authentication whenever a logged-in user does something suspicious -- i.e., transferring large amounts of money, installing a keylogger, sending out ten thousand e-mail messages, scanning networks for open ports, etc. -- might be useful.

If you really do need to do this kind of thing (I suppose people sometimes do have legitimate requirements to wire large amounts of money to offshore accounts), it's not a big hassle to log in again.

Re:Reauthenticate when suspicious (1)

SanityInAnarchy (655584) | more than 4 years ago | (#29567737)

That always annoys me. No one should be able to steal my session, if it's encrypted (replace with "session cookie" and "https" if we're talking about the Internet) -- if they could, they could probably steal my password, too. If they've got my password, that's a trivial annoyance. And if you're worried about leaving people logged in, add an inactivity timeout.

MS solved this problem, but removed it with W2K+ (4, Funny)

Tumbleweed (3706) | more than 4 years ago | (#29567141)

Windows 95/98/ME had a built-in solution to this problem, but MS removed it in Win 2K and newer. They simply had the machine crash every 2 hours. Heavy handed, sure, but it worked.

This is more a policy issue than a technical one (2, Insightful)

bleh-of-the-huns (17740) | more than 4 years ago | (#29567195)

While yes, there are technical measures that you can put in place to automatically lock screens and accounts and such after a predetermined time period, the best solution is a policy, and actual enforcement of that policy. Therein lies the problem in many organizations: enforcement is not being done consistently.

With technical controls, there is always that time frame. For example, with idle accounts, the usual rule is 30 days from last login and then the account is automatically locked; well, a malicious user has 30 days in which to attempt access to that account. Same goes for screen locks: 15 min is a common default; well, you walk away and I have 15 min to make my way over and have fun with the account. You can reduce the amount of time, but that has other issues: users get annoyed at the screen locking while they are on the phone, or whatever, while they are at their desk, which results in crappy passwords.

With a policy, and enforcement behind it, accounts can be removed, users will lock their screens (hopefully) within a timely manner.

xlock (1)

gweihir (88907) | more than 4 years ago | (#29567239)

Or rather the locking option of xscreensaver has worked very well for years for me. You just need to make it a habit.

Otherwise logging out has been solved for half a century now, just use a reasonably security aware OS.

kerberos AFS token flush (0)

Anonymous Coward | more than 4 years ago | (#29567301)

As early as the mid-90s the command-line Unix clients for AFS had a command to flush your credentials.

Students where I went to school were encouraged to flush unnecessary credentials or log off.

These were network credentials, not local ones.

Pwning (2, Interesting)

al3 (1285708) | more than 4 years ago | (#29567399)

In my office an unlocked computer is fair game for harmless pranks that have become known simply as pwning.

Nothing too nasty happens as the shame is in having been pwnd, not in the severity of damage inflicted.

There, my computer just announced "it's one thirty" in a robot voice. Nice. Thanks a lot, guys.

Put the onus on the client (2, Informative)

SuperBanana (662181) | more than 4 years ago | (#29567471)

You make the client system re-authenticate after a configurable amount of time, and that authentication comes via central storage of authentication passwords/tokens. For example, Keychain.

My laptop is set up with SSHKeychain, and it has options for locking my Keychain. If I activate the screensaver and don't come back within 3 minutes or so, it locks the keychain, and any program that wants to use a stored password triggers a password authentication dialog box for the system keychain password.

This puts the power of security in the hands of the user or organization. Computer at home, no roommates? Probably not an issue to lock your keychain any time except when you shut down your computer. Work in a cube? After 5-10 minutes of inactivity or whenever you lock your screensaver.

bluetooth? (1)

jagee (520284) | more than 4 years ago | (#29567661)

So I can remember to log out or lock the screen as much as the next person, but I keep my phone in my pocket at work, so using Bluetooth is quite handy for me. I lowered the sensitivity so a few steps from my desk means an instant screen lock. Keeps other employees from abusing my IRC client when I'm close but not paying attention. http://blueproximity.sourceforge.net/ Have not seen this for Windows, but who cares, we use Linux at work.

Location based devices.. (2, Informative)

Bert64 (520050) | more than 4 years ago | (#29567735)

Some places use smartcards, the card must be in the slot or it locks your screen... The same card is also used to open the doors so if you leave the room without taking the card then you can't get back in. Most people had the card attached to their belt or similar.

Another idea is to track the location of your phone using bluetooth (10 meters range), if you walk too far away it loses signal and locks the screen.
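The Bluetooth-proximity locking that fuzzyfuzzyfungus (Kbluelock), jagee (BlueProximity) and Bert64 describe comes down to one decision loop: poll the phone's signal and lock when it goes away. Below is an added example of that loop, written for this thread rather than taken from any of those tools or posters. The RSSI samples are constructed, the dBm thresholds and sample counts are hypothetical, and `lock()`/`unlock()` are stand-ins for whatever a real tool would run (a screen-locker command). The two things worth seeing are the hysteresis (a dead band between the "away" and "present" thresholds plus a run of consecutive samples before acting, so the screen does not flap when the phone sits at the edge of range) and the fail-closed handling of a probe that gets no answer.

```python
"""Proximity screen-lock decision driven by Bluetooth RSSI, with hysteresis.
Added example for this thread, not code from kbluelock, BlueProximity or any
poster. SAMPLES is constructed; thresholds and the lock/unlock hooks are
hypothetical stand-ins for a real screen-locker command."""
from typing import List, Optional, Tuple

AWAY_RSSI = -75      # dBm: weaker than this (or no reply) counts as "away"
PRESENT_RSSI = -60   # dBm: stronger than this counts as "present"
LOCK_AFTER = 3       # consecutive "away" samples before locking
UNLOCK_AFTER = 2     # consecutive "present" samples before unlocking


class ProximityLocker:
    def __init__(self, auto_unlock: bool = False) -> None:
        # Presence is evidence the owner is nearby, not that they are at the
        # keyboard, so unlocking on presence alone is off unless asked for.
        self.auto_unlock = auto_unlock
        self.locked = False
        self.away = 0
        self.present = 0
        self.events: List[Tuple[str, int]] = []

    def lock(self, i: int) -> None:
        self.locked = True          # a real tool would run the locker here
        self.events.append(("lock", i))

    def unlock(self, i: int) -> None:
        self.locked = False
        self.events.append(("unlock", i))

    def feed(self, i: int, rssi: Optional[int]) -> None:
        # None = the phone did not answer the probe (out of range, off, or
        # jammed). Fail closed and count it as "away".
        if rssi is None or rssi < AWAY_RSSI:
            self.away += 1
            self.present = 0
        elif rssi > PRESENT_RSSI:
            self.present += 1
            self.away = 0
        # Readings between the two thresholds are the dead band: they change
        # nothing, so the screen does not flap when the phone is at the edge.
        if not self.locked and self.away >= LOCK_AFTER:
            self.lock(i)
        elif self.locked and self.auto_unlock and self.present >= UNLOCK_AFTER:
            self.unlock(i)


# Constructed walk: at the desk, drift to the edge, walk away, phone silent,
# then come back.
SAMPLES: List[Optional[int]] = [-55, -58, -62, -70, -80, -85, None, None,
                                -80, -58, -55, -50]


def run(samples: List[Optional[int]],
        auto_unlock: bool = False) -> List[Tuple[str, int]]:
    """Feed every sample in order and return the (event, sample index) log."""
    locker = ProximityLocker(auto_unlock=auto_unlock)
    for i, rssi in enumerate(samples):
        locker.feed(i, rssi)
    return locker.events


if __name__ == "__main__":
    print(run(SAMPLES))                    # [('lock', 6)]
    print(run(SAMPLES, auto_unlock=True))  # [('lock', 6), ('unlock', 10)]
```

Two caveats a practitioner would want stated: a Bluetooth address and signal strength are not authentication (the address can be cloned and the signal can be relayed), so presence should only ever be allowed to lock, never to grant access on its own; and with `auto_unlock` off, coming back still means typing the screen-lock password, which is exactly the case jagee describes of being close to the desk but not watching it.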

Un-Authenticating Teachers (0)

Anonymous Coward | more than 4 years ago | (#29567753)

I spent three years as the sysadmin for a high school with about 150 faculty. Thanks to teachers' unions going too far, it's practically illegal to fire [or even evaluate the performance of] a tenured public school teacher, even if they flat out refuse to do their job. Needless to say, I was dealing with a pretty big group of spoiled brats who cared nothing about security or confidentiality, which includes blabbing students' online grade retrieval passwords over the phone to any caller claiming to be a parent.

I set the screen lockout timer to 60 minutes, which was enough for a teacher to display an exam on a video projector and have it show through an entire 50-minute class. This sounds like a long time, but before I started working there, teachers would stay logged on and unlocked all summer.

Needless to say, there was one teacher who was _furious_ about the 60-minute lockout. She was furious at the fact that, every morning, she had to press Ctrl+Alt+Del and type her password; a whole 10 or so keystrokes. She went to an assistant principal and threatened to go to the district's IS chief.

When the assistant principal asked me if there was a way to make the group policy apply to everyone except her, I lied and said no. Anyone who knows Group Policy knows that you can scope a GPO to not apply to one user, but if I had admitted that I could do that, I'd be forced to, district security policy be damned.

This is De-Authorizing, not De-Authenticating (4, Interesting)

zentechno (800941) | more than 4 years ago | (#29567811)

One other system used more prevalently is the simple locking screen saver. The idea is that only the user and the sysadmin have the password to unlock the screen, and access through the system is prohibited until the screen saver password is entered. I'm not a fan of this, as screen-saver passwords are generally more often assigned by the users themselves, and so are easier to guess than the back-end passwords, which on occasion are set by the site, or by the sysadmin in the case of accessing corporate systems under corporate policy. Now a minor, but important, distinction. This isn't "un-authentication"; this is de-authorizing the computer from which you're logged in from accessing the place you're logged in to. You want to "authenticate a de-authorization", that is, verify that you are the person removing access privileges. If the system doesn't require authentication to de-authorize access, then a denial of service attack is made (somewhat) trivial, and if more thought went into understanding the difference I think more places would realize how serious the solution needs to be.
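Three comments in this thread describe what the server side of "un-authentication" should do: Geoffrey.landis wants re-authentication before suspicious actions, SanityInAnarchy wants an inactivity timeout on the session, and zentechno points out that de-authorizing must itself be authenticated or it becomes a denial-of-service lever. The added example below puts all three into one session store. It is written for this thread and is not any poster's code; the action names, thresholds, `SessionStore` API and the hand-advanced fake clock in `demo()` are all hypothetical. The clock is injectable so the timeouts can be exercised without waiting.

```python
"""Server-side sessions with an idle timeout, an absolute timeout, step-up
re-authentication for sensitive actions and an authenticated logout. Added
example for this thread, not any poster's code; names and thresholds are
hypothetical."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

IDLE_TIMEOUT = 15 * 60       # forget the session after 15 min without a request
ABSOLUTE_TIMEOUT = 8 * 3600  # ...and after 8 h regardless of activity
STEP_UP_WINDOW = 5 * 60      # sensitive actions need a password typed < 5 min ago
SENSITIVE_ACTIONS = {"wire_transfer", "change_password", "export_contacts"}


class NotAuthenticated(Exception):
    pass


class StepUpRequired(Exception):
    pass


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    last_auth: float  # when the user last proved possession of the password


class SessionStore:
    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._sessions: Dict[str, Session] = {}

    def login(self, user: str, password_ok: bool) -> str:
        if not password_ok:
            raise NotAuthenticated("bad credentials")
        token = secrets.token_urlsafe(32)  # 256 random bits, unguessable
        now = self._clock()
        self._sessions[token] = Session(user, now, now, now)
        return token

    def _lookup(self, token: str) -> Tuple[Optional[str], Optional[Session]]:
        # Constant-time compare: a wrong token must not leak bytes via timing.
        for stored, sess in self._sessions.items():
            if hmac.compare_digest(stored, token):
                return stored, sess
        return None, None

    def _validate(self, token: str) -> Session:
        key, sess = self._lookup(token)
        if key is None or sess is None:
            raise NotAuthenticated("unknown session")
        now = self._clock()
        if now - sess.created > ABSOLUTE_TIMEOUT or now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[key]  # the server forgets it, not just the client
            raise NotAuthenticated("session expired")
        sess.last_seen = now
        return sess

    def act(self, token: str, action: str) -> str:
        sess = self._validate(token)
        if action in SENSITIVE_ACTIONS and self._clock() - sess.last_auth > STEP_UP_WINDOW:
            raise StepUpRequired(action)  # ask for the password again; keep the session
        return f"{sess.user}:{action}"

    def step_up(self, token: str, password_ok: bool) -> None:
        sess = self._validate(token)
        if not password_ok:
            raise NotAuthenticated("bad credentials")
        sess.last_auth = self._clock()

    def logout(self, token: str) -> bool:
        # De-authorization is itself authenticated: only the token holder can
        # end the session, so a third party cannot log you out as a DoS.
        key, _ = self._lookup(token)
        if key is None:
            return False
        del self._sessions[key]
        return True


def demo() -> Dict[str, object]:
    clock = [1_700_000_000.0]              # hand-advanced fake clock (constructed)
    store = SessionStore(lambda: clock[0])
    out: Dict[str, object] = {}
    tok = store.login("alice", password_ok=True)
    out["view"] = store.act(tok, "view_balance")
    clock[0] += 6 * 60                     # 6 min later the password is stale
    try:
        store.act(tok, "wire_transfer")
        out["step_up_required"] = False
    except StepUpRequired:
        out["step_up_required"] = True
    store.step_up(tok, password_ok=True)   # re-enter password; session survives
    out["transfer"] = store.act(tok, "wire_transfer")
    clock[0] += 16 * 60                    # idle past the 15 min limit
    try:
        store.act(tok, "view_balance")
        out["expired_after_idle"] = False
    except NotAuthenticated:
        out["expired_after_idle"] = True
    tok2 = store.login("alice", password_ok=True)
    out["logout_wrong_token"] = store.logout("not-the-token")
    out["logout_right_token"] = store.logout(tok2)
    return out
```

The design choice to notice is that step-up does not end the session: a stale password only blocks the sensitive action, which is what keeps the check cheap enough that users tolerate it. Expiry, on the other hand, deletes the server-side record, so a stolen cookie is worthless once the idle limit passes even if the client never cleared it. Logout takes the token and nothing else, so an unauthenticated request cannot kill someone else's session.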

RFID (1)

Demonantis (1340557) | more than 4 years ago | (#29567833)

I like the RFID cards for cars that detect when the user is nearby and unlock. The car starts with a button when the RFID is nearby to make things even easier. Of course it has to be a secure challenge-answer style system like SIM cards or it is just as bad as those enhanced ID things.

Enforced Group Policies (1)

lymond01 (314120) | more than 4 years ago | (#29567855)

Our Group Policy is set to auto-lock the system after 15 minutes of non-use. Everyone gets it, almost no exceptions.

Bring the hammer!
