
Real Security?

michael posted more than 10 years ago | from the lockdown dept.

Security 557

An anonymous reader writes "A recent article at Ask Tog raised the common argument about how much security is good. Tog says: 'I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.' Is this the case? Are we increasing security too much, so that the users circumvent it? Should we be allowing simple passwords?"


FP (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7613183)

I am woman
Hear me first post!

First Post Troll by a real female on slashdot EVER!!

Boys Fail It!

Join LSD Trolls (Lesbian SlashDot Trolls) NOW!

GNAA SUCKS! LSD Trolls FOREVER!

Re:FP (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7613226)

Cool. So can I hit it?

LSD - Lesbian SlashDot Trolls (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7613344)

Are you female? Do the boytrolls on here make you sick? Do you love the touch of another woman? Well then, join LSD trolls. We're here to show stupid boys how it's really done. This was my first attempt ever to try and get a first post, and guess what, I beat everyone. Stupid guys couldn't get it, I am woman, hear me post. Trolls are annoying yes...trolling is typically a male activity yes...but I wanted to prove a woman (especially a lesbian) could do it better and faster than any stupid boy living in his parents' basement.. and guess what... I did.

I understand there may be some males out there interested in joining LSD... Well guess what, we will accept you, if you submit your entire being to becoming a woman. Contact an LSD Representative, and we will begin the process immediately. You will first be broken, under a strict Mistress, who will teach you how to be a slave bitch. After months of hormones, plastic surgery, and the final SNIP, you too can be a LSD troll.

Re:FP (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7613433)

hello anonymous coward... what's happening?

uhhhhh... we got sort of a problem here... yeaah... you apparently didn't put one of the new GNAA advertisements on your first post.

mmmh... yeahh.. you see, we're putting the GNAA advertisements on all first posts now before they go out. did you see the memo about this?

so if you could just go ahead and make sure you do that from now on, that would be great.

and i'll go ahead and make sure you get another copy of that text. mmmmkay?

First biometric post: (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7613185)

And that no one could buy or sell, save that he had the mark.

~~~

First post? (-1, Troll)

NetNinja (469346) | more than 10 years ago | (#7613186)

Security is only as good as how well you enforce it and follow up on it.

Definitely (4, Interesting)

sosume (680416) | more than 10 years ago | (#7613188)

Come on, who uses passwords like '%33#Gt(;' nowadays.. especially with multiple logins.

THANKS FOR TELLING EVERYONE MY PASSWORD, ASSHOLE (3, Funny)

Anonymous Coward | more than 10 years ago | (#7613219)

Re:thanks for telling everyone my password, asshol (0, Offtopic)

Kelz (611260) | more than 10 years ago | (#7613285)

Don't use capslock. It's like yelling.

Re:thanks for telling everyone my password, asshol (2, Informative)

Darthnice (591865) | more than 10 years ago | (#7613305)

HE WAS YELLING!

Re:Definitely (5, Informative)

Prof. Pi (199260) | more than 10 years ago | (#7613355)

A pretty easy way to generate passwords that pass most picky password approval checkers is to take a phrase that you can easily remember, and then take the first letter of each word. Include punctuation to get the requisite non-alphanumeric characters. Make at least one numeric substitution if you're required to have a number. For instance:

N4N.Stm.

("News for Nerds. Stuff that matters.")

Re:Definitely (2, Funny)

glenebob (414078) | more than 10 years ago | (#7613381)

So... what's your IP address... Just curious :-)

Re:Definitely (0)

Anonymous Coward | more than 10 years ago | (#7613356)

And that's why my password is '12345'!

(did ya miss the reference [imdb.com] ?)

Re:Definitely (5, Funny)

G-funk (22712) | more than 10 years ago | (#7613370)

Oh my god.... I have the exact same password on my luggage!

Re:Definitely (1)

cmstremi (206046) | more than 10 years ago | (#7613404)

That's what Post-It Notes and that plastic frame around the monitor glass are for. Er - em...

Re:Definitely (5, Interesting)

Anonymous Coward | more than 10 years ago | (#7613431)

Me. But I probably do it in a very unique way.

I have a three tier password system, with passwords "expiring" every 30 days.

Tier 1 passwords are things like root passwords for systems. These are 100% unique to the server they belong to, and are changed without fail.

Tier 2 passwords are passphrases for my ssh keys for non-privileged accounts. These are the same for 2 or 3 boxes, and again change every 30 days. When I expire tier 1 passwords, they are sometimes moved down to tier 2 for ease of remembrance, though never for the same servers.

Tier 3 passwords are for websites, like this one. Usually most of my website accounts share the same login details, as I'm not really bothered if someone logged onto slashdot and stated that I'm a gay faggot or whatever. Tier 2 passwords are usually passed on when they expire.

I tend to treat passwords as something like special email addresses. You rarely forget an email address because it's in a known format: something @ something . something. So therefore I base my passwords on a similar format, one that I can remember or work out, eg AAAA!AA.AA@A# gives me a more memorable password than #@##23$ssDx_ which would be an excellent password except for the fact that it sucks :/ Saying that, I change the format as often as I change the passwords, every 30 days.

Re:Definitely (1)

jonadab (583620) | more than 10 years ago | (#7613481)

> Come on, who uses passwords like '%33#Gt(;' nowadays

Are you kidding? That's too short by half.

Re:Definitely (5, Interesting)

xmath (90486) | more than 10 years ago | (#7613482)

Come on, who uses passwords like '%33#Gt(;' nowadays..

I do. :-)

The funny thing is, I don't actually remember the character sequence. Maybe it's because I play the piano, but I remember the hand motions of typing the password. So to pick a password I just generate a few random ones until I find one that "feels" okay.

I wonder how many people do this too

I use good passwords, and here's how (5, Insightful)

kaan (88626) | more than 10 years ago | (#7613518)

And I have to spend nearly zero brainpower remembering a password. Here's what I do...

Take a phrase (song lyric, phrase, personal mantra, etc.) and grab the first letter of each word. Then replace various letters with numeric digits.

So an example phrase might be: "i love to post on slashdot"

which would become: "iltpos", but then you could replace the "o" with the digit zero (0), and the "s" with the digit five (5), so now you've got:

"iltp05"

That's basically an unintelligible password, yet totally easy to remember because all you need to remember is your password generation scheme and a tip for what your phrase is.
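The two mnemonic schemes described above (Prof. Pi's "N4N.Stm." and kaan's "iltp05"), as an added example that is not code from either poster: it derives the initialism with trailing punctuation kept, applies the character substitutions, runs the result through an assumed "picky" composition policy, and estimates the naive brute-force keyspace. The policy thresholds, the function names and the keyspace model are assumptions made for this example.

```python
import math
import string

# Added example, not code from the thread. Derives a mnemonic password from a
# phrase (first letter of each word, trailing punctuation kept, optional
# character substitutions), checks it against an assumed composition policy,
# and estimates the naive brute-force keyspace of the result.

PUNCT = set(string.punctuation)


def mnemonic(phrase, substitutions=None):
    """First letter of each word, keeping a word's trailing punctuation,
    then apply substitutions such as {"o": "0", "s": "5"}."""
    substitutions = substitutions or {}
    chars = []
    for word in phrase.split():
        letters = [c for c in word if c.isalnum()]
        if not letters:
            continue  # a bare punctuation token contributes nothing
        chars.append(letters[0])
        if word[-1] in PUNCT:
            chars.append(word[-1])
    return "".join(substitutions.get(c, c) for c in chars)


def policy_check(password, min_len=8, min_classes=3):
    """Assumed 'picky' checker: minimum length plus three of four classes."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in PUNCT for c in password),
    )
    return len(password) >= min_len and sum(classes) >= min_classes


def naive_keyspace_bits(password):
    """log2(charset ** length) over the classes that actually appear: the
    work an attacker faces if they know nothing about the mnemonic scheme.
    An attacker who models the scheme (common phrases, a few common
    substitutions) searches a far smaller space, so treat this as an
    upper bound, not as the password's strength."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in PUNCT for c in password):
        size += len(PUNCT)
    return len(password) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    for phrase, subs in (("i love to post on slashdot", {"o": "0", "s": "5"}),
                         ("News for Nerds. Stuff that matters.", {"f": "4"})):
        pw = mnemonic(phrase, subs)
        print("%-40r -> %-10s policy=%-5s ~%.0f bits"
              % (phrase, pw, policy_check(pw), naive_keyspace_bits(pw)))
```

Running it shows the practical point: "iltp05" fails an 8-character minimum and is only about 31 bits even to an attacker who brute-forces it blindly, while "N4N.Stm." passes the checker because the punctuation and digit come for free from the phrase. Neither number says anything about an attacker who guesses phrases rather than characters.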

Yes (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7613195)

Or maybe not. Beats me.

Common Sense (4, Insightful)

The Snowman (116231) | more than 10 years ago | (#7613196)

Are we increasing security too much, so that the users circumvent it?

Simply increasing security is not the problem: the real problem is knee-jerk reactions that miss the mark and annoy users rather than provide actual security. People (politicians, corporate America, etc) try to look good by implementing new security measures, but fail to put any thought into what is needed to be effective.

I'm not circumcised. Will I ever get laid? (-1, Offtopic)

Anonymous Coward | more than 10 years ago | (#7613265)

How do you broach the subject with a woman? Will she allow me to have sex with her once she finds out I'm uncircumcised? Has any uncircumcised man in America ever succeeded in laying a woman?

I need your help in answering these questions! I'm ashamed and humiliated because at 30, I've never had sexual relations.

Thanks, and please answer because I'm desperate! This is an honest question on a forum that I know will give me a straight up answer.

Re:I'm not circumcised. Will I ever get laid? (1)

addaon (41825) | more than 10 years ago | (#7613362)

Dude, just buy some scissors.

Re:I'm not circumcised. Will I ever get laid? (-1, Troll)

Anonymous Coward | more than 10 years ago | (#7613446)

" Dude, just buy some scissors."

Will it hurt? Do you have instructions on how to accomplish this safely? My insurance won't cover snipping, so I'll have to do as you suggested and do it myself.

If you have a how-to on this, I would like the link to it. Thank you in advance. Hopefully a successful scissor operation will lead to my getting sexual relations...but I know nothing about medicine so I need a how-to (I learned linux that way so medicine shouldn't be too hard to learn).

Re:Common Sense (5, Interesting)

arnie_apesacrappin (200185) | more than 10 years ago | (#7613426)

fail to put any thought into what is needed to be effective

I recently got into an argument with the head of the security program at the university I'm attending over a similar situation.

When resetting my password, which was not expired, I was required to go through a 20 minute online "security training" seminar. It was only 10 questions, but the site was so incredibly slow that clicking through the 10 questions (about 3 pages per question) took 20 minutes. The questions covered the basics of security (don't give out your password, etc.). Two of the "correct" answers were technically wrong.

After expressing my displeasure with the questionnaire and pointing out the technical problems, the administrator chastised me for "not thinking that security education was a good idea." I pointed out that I thought it was necessary, only he did a poor job of it. He missed the same thing that several security programs miss when educating the users:

Security training is useless if the user ignores it.

I was going to add "or is annoyed by it", but I can think of one security awareness activity that pissed off several people, but was highly effective.

After weeks of notifications about laptops needing to be secured when not attended (i.e. overnight), we went on a laptop finding mission. Any person that left a laptop not physically secured to his/her desk came in the next morning to find a slip of paper telling them where they could claim their laptop. Several people were very upset, but also remembered to lock up their laptops before leaving.

Ya.. (-1, Flamebait)

Anonymous Coward | more than 10 years ago | (#7613199)

Me says Tog not know what he talk about

Wait a second (2, Interesting)

bossesjoe (675859) | more than 10 years ago | (#7613200)

My idea of the security world was that it was more Darwinistic than that. The good ideas survive because they work, the bad ones never get put into a final patch.

Re:Wait a second (1)

The Snowman (116231) | more than 10 years ago | (#7613245)

My idea of the security world was that it was more Darwinistic than that. The good ideas survive because they work, the bad ones never get put into a final patch.

If all software were open-source, this would be true. But who knows how Windows security is handled on the inside, for example? Yes, we know the security sucks, but we do not know why. The bad ideas keep propagating and there are no sanity checks.

Re:Wait a second (4, Insightful)

ePhil_One (634771) | more than 10 years ago | (#7613385)

My idea of the security world was that it was more Darwinistic than that. The good ideas survive because they work, the bad ones never get put into a final patch.

But unfortunately, security people are like PHBs: when they see the reaction to their security measures is circumvention (taping passwords to monitors, etc) they think they need more enforcement, not better ideas. It's far easier to blame the user than to admit your idea was a bust.

The greatest threat... (4, Insightful)

Da Fokka (94074) | more than 10 years ago | (#7613210)

to security in all fields always has been and always will be the human factor. At a certain point security measures will be so advanced that human nature is the most likely bottleneck.

Social engineering can get you a lot further than being a l33t h4x0r.

Re:The greatest threat... (0)

Anonymous Coward | more than 10 years ago | (#7613413)

shutup kevin!

Re:The greatest threat... (5, Interesting)

Total_Wimp (564548) | more than 10 years ago | (#7613416)

The human factor can screw you in more than just the social engineering scenario. One of my favorites is personal firewalls. Since normal humans have no idea what *that* program file is or why it might want to talk on *that* port, they just hit 'yes', and let the attack right in, or they hit 'no', and disallow a perfectly useful application.

My company now wants to deploy these magical devices to all employee computers and can't figure out what I mean when I say they'll make things less secure. I think this article was dead-on.

TW

Re:The greatest threat... (2, Interesting)

great_flaming_foo (561939) | more than 10 years ago | (#7613457)

The greatest threat to security in all fields always has been and always will be the human factor.

The wetware is always the weakest link because it is the hardest to patch.

Re:The greatest threat... (0)

Anonymous Coward | more than 10 years ago | (#7613536)

At a certain point security measures will be so advanced that human nature is the most likely bottleneck.

It's too bad that the threshold is so low.

Sliding Scale (2, Insightful)

the_argent (28326) | more than 10 years ago | (#7613211)

I've always tried to balance system security against how much of a pain in the ass it will be to the end user. If the PIA threshold is too high, the more likely the end user will try to navigate around it.

The nonobvious solution (0)

Anonymous Coward | more than 10 years ago | (#7613216)

login: login
password: ********

(hint: it begins with a p and ends with a d)
So simple even the most consummate hacker could absotively posilutely never guess it!

Re:The nonobvious solution (1)

Rosco P. Coltrane (209368) | more than 10 years ago | (#7613328)

password: ********

(hint: it begins with a p and ends with a d)

Hmmm ...

"powdered" ?
"predated" ?

No, dunno, I give up ...

Re:The nonobvious solution (0)

Anonymous Coward | more than 10 years ago | (#7613367)

It's "password".

Re:The nonobvious solution (0)

Anonymous Coward | more than 10 years ago | (#7613424)

Are you sure? It could be "poopooed" too, no ?

i know i know!!! *hand in air* (0)

Anonymous Coward | more than 10 years ago | (#7613379)

*waiting for permission to speak*

Enforcing passwords != Increasing security (4, Insightful)

Tony Hoyle (11698) | more than 10 years ago | (#7613221)

You can do all sorts of 'security' things and not increase security one little bit. You can also take a secure system, do more 'security' things and utterly destroy the existing security.

Anyone with a working knowledge of security knows how far to take it, where the critical points are, etc... if you let a bunch of amateurs do it then they're not 'increasing security', they're just 'increasing the bloody mess that someone will have to sort out when the company gets a clue and hires someone with some experience'.

Two minds about it (5, Interesting)

Carnildo (712617) | more than 10 years ago | (#7613222)

Speaking as a cracker, I say "Yes! Short passwords! The shorter the better!"

As a sysadmin, though, I feel longer passwords are better. If systems supported it, I'd require medium-long sentences for passwords. A full sentence is fairly easy to remember, but not very vulnerable to a dictionary attack.

Re:Two minds about it (1)

Kelz (611260) | more than 10 years ago | (#7613309)

Or why not just use voice recognition?
It seems that something that is unique to you (the user) would be the most simple and effective way to secure a system.

Re:Two minds about it (5, Informative)

Carnildo (712617) | more than 10 years ago | (#7613376)

Voice recognition can be bypassed by a $10 piece of technology known as a "tape recorder".

And it can fail to recognize a valid user if they happen to have a sore throat.

Re:Two minds about it (4, Informative)

treat (84622) | more than 10 years ago | (#7613423)

Thanks for providing a classic example of a bad security idea. Your voice is not unique to you. Anyone can record it and play it back.

Also, biometrics are worthless as the sole factor because if copied they can not be changed.

If you care this much about security, use s/key (or OPIE) or any similar algorithm. Let the user carry around a device that calculates the next password. RSA securid is nice if you don't trust your users not to share their passwords, though not as secure as s/key.

All the hard problems are solved. Everything that's left is human factors.
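The one-time password scheme treat refers to (S/Key and its OPIE descendant) is a Lamport hash chain: the server stores H^n(secret), the user presents H^(n-1)(secret), and the server accepts it if hashing it once reproduces what it holds, then keeps the presented value as the new top. The following is an added example of that mechanism, not S/Key or OPIE code; it substitutes SHA-256 for the MD4/MD5 folding and six-word encoding of RFC 2289 and omits the seed/sequence-number challenge, so the client simply counts down. Class and function names are assumptions.

```python
import hashlib
import secrets

# Added example, not S/Key or OPIE code: a Lamport hash-chain one-time password
# scheme of the kind those systems implement. Simplifications (assumptions):
# SHA-256 instead of the MD4/MD5 folding and six-word encoding of RFC 2289,
# and no seed/sequence-number challenge; the client just counts down.


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def hash_chain(secret: bytes, n: int) -> bytes:
    """H^n(secret): apply h n times (n == 0 returns the secret itself)."""
    out = secret
    for _ in range(n):
        out = h(out)
    return out


class OtpServer:
    """Holds only the last accepted value (initially H^n(secret)), never the
    secret. A stolen copy yields no usable password, because each password
    is a preimage of what the server stores."""

    def __init__(self, chain_top: bytes, n: int):
        self.current = chain_top
        self.remaining = n

    def verify(self, candidate: bytes) -> bool:
        if self.remaining == 0:
            return False  # chain exhausted: user must re-enrol with a new secret
        if not secrets.compare_digest(h(candidate), self.current):
            return False  # wrong password, or a replay of an already-used one
        self.current = candidate  # step one link down the chain
        self.remaining -= 1
        return True


class OtpClient:
    """Knows the secret; emits H^(n-1), H^(n-2), ... H^0 in turn."""

    def __init__(self, secret: bytes, n: int):
        self.secret = secret
        self.next_index = n - 1

    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; enrol a new secret")
        pw = hash_chain(self.secret, self.next_index)
        self.next_index -= 1
        return pw


def enrol(n: int):
    """Client generates a fresh secret; the server receives only H^n(secret)."""
    secret = secrets.token_bytes(32)
    return OtpClient(secret, n), OtpServer(hash_chain(secret, n), n)


def demo(n: int = 5) -> dict:
    client, server = enrol(n)
    first = client.next_password()
    return {
        "login": server.verify(first),                     # accepted
        "replay": server.verify(first),                    # rejected: consumed
        "second": server.verify(client.next_password()),   # accepted
    }


if __name__ == "__main__":
    print(demo())
```

Two properties worth checking in the code: a captured password is useless after it has been accepted once (the replay case), and a copy of the server's state does not let anyone log in, since the next valid password is a preimage of it. What the scheme does not cover is an active attacker who intercepts the password in transit and uses it before the legitimate login completes, and the chain is finite, so enrolment has to be repeated once `remaining` reaches zero.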

Re:Two minds about it (1)

rsadelle (719824) | more than 10 years ago | (#7613449)

I don't actually know anything about voice recognition software, so maybe this has been thought of/dealt with, but what if people are sick? I have a cold, and I'm sure it's changed the way my voice sounds.

Re:Two minds about it (2, Informative)

treat (84622) | more than 10 years ago | (#7613330)

Most people are not able to type a full sentence without making an error. Now you have to either echo the password, or accept similar passwords as correct, both of which are horribly dangerous.

Those that are, probably also type the password too many times a day to make this practical.

The fact of the matter is that guessed passwords make up far less than a tenth of a percent of all intrusions.

By the way, all reasonable systems support long passwords. There's really no excuse. I don't know what "if systems supported it" is supposed to mean. I can't think of a modern system that doesn't support long passwords.

Re:Two minds about it (1)

WoTG (610710) | more than 10 years ago | (#7613438)

Yep. A full sentence is probably harder to attack with a dictionary, but it's also harder to remember (precisely). It took me a solid 10 minutes to guess the password to an encrypted file I had made about a year ago. PGP requested a sentence for a password, so I went with it. I actually keep parts of the sentence-password as a hint in a little password file of mine. Yet it still took me way too many guesses to finally open the file. Capitalization, abbreviations, typing mistakes, punctuation... all bad memories. I've now written down most of the bloody password in case I forget again (it's not a file I access too often, but I want it secure).

Re:Two minds about it (2, Insightful)

segment (695309) | more than 10 years ago | (#7613397)

As a sysadmin, though, I feel longer passwords are better. Why would this be better? (longer passwords). Consider the following...
  • thisismylongasspassword
  • thi!$1smyp4$s
Make your password as long as you want, and an experienced cracker could splice words together from a dictionary file easily. Regardless of even that, if your network isn't using the proper mediums (VPNs, SSH, SSL), a simple sniffer will grab anything you choose to use, evenifyoumadethisyoursocalledlongpasswordwhichyouthinkisgoingtosaveyou.

Shoddy concept of security. Password cracking as we all (hopefully all) know is based on someone's inability to do something different with themselves. People tend to stick with familiarity, and there's nothing wrong with using say your dog's name bowser as a pass, but how about mixing it up !30w$eR ... it's still familiar and most crackers aren't going to spend their time regexp'ing 100mb password files when time isn't on their side.

I would go on, but work calls...
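The splicing attack segment describes above, and the dictionary attack Carnildo's post expects a full sentence to resist, as an added example that is not code from either poster: a combinator attack that concatenates words from a small list and compares each guess against unsalted SHA-1 hashes, plus the arithmetic that shows why a 23-letter password built from dictionary words costs the attacker a few hundred thousand guesses rather than 26^23. The wordlist, the target passwords and the hash choice are constructed for the demo; it does not implement mangling rules (the "thi!$1smyp4$s" style), which real tools add on top of the same loop.

```python
import hashlib
import itertools

# Added example, not from the thread: a combinator attack over a small wordlist
# against unsalted SHA-1 hashes. The wordlist and the target passwords are
# constructed for the demo; real wordlists are far larger and real attacks add
# mangling rules (leetspeak, capitalisation), which this code does not.

WORDLIST = ["this", "is", "my", "long", "ass", "password", "love", "slashdot"]


def sha1_hex(text: str) -> str:
    return hashlib.sha1(text.encode("utf-8")).hexdigest()


def combinator_attack(target_hashes, wordlist=WORDLIST, max_words=6):
    """Try every concatenation of 1..max_words words from the list.
    Returns ({hash: plaintext} for what was recovered, guesses made)."""
    targets = set(target_hashes)
    cracked = {}
    guesses = 0
    for k in range(1, max_words + 1):
        for combo in itertools.product(wordlist, repeat=k):
            guesses += 1
            plaintext = "".join(combo)
            digest = sha1_hex(plaintext)
            if digest in targets:
                cracked[digest] = plaintext
                if len(cracked) == len(targets):
                    return cracked, guesses  # stop early once all are found
    return cracked, guesses


def combinator_space(dict_size: int, max_words: int) -> int:
    """Guesses needed to exhaust every 1..max_words concatenation."""
    return sum(dict_size ** k for k in range(1, max_words + 1))


def brute_force_space(charset_size: int, length: int) -> int:
    """What the same password costs an attacker who treats it as random."""
    return charset_size ** length


if __name__ == "__main__":
    targets = [sha1_hex(p) for p in ("thisismylongasspassword", "mylongpassword")]
    cracked, guesses = combinator_attack(targets)
    print("recovered:", sorted(cracked.values()), "after", guesses, "guesses")
    print("combinator space (8 words, up to 6):", combinator_space(len(WORDLIST), 6))
    print("brute force, a-z, 23 chars:", brute_force_space(26, 23))
```

With an eight-word list the whole six-word space is 299,592 guesses, against about 3.5 x 10^32 for a blind search over 23 lowercase letters; the gap is the whole argument for choosing words an attacker's list does not contain (or a random passphrase from a large list), rather than for length by itself.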

Re:Two minds about it (2, Insightful)

RealProgrammer (723725) | more than 10 years ago | (#7613505)

If systems supported it, I'd require medium-long sentences for passwords

That was the point of the article, I thought.

What would happen if you did require medium long sentences? Users would find a way to avoid typing them. They would leave their sessions open all the time. Time them out? OK, they'll find a fancy keyboard driver insertion utility that makes the system think they're typing. And so on.

There is a balance between security and usability. You ignore it at your peril.

There is no substitute for training users. Until we see them as our allies and not our enemies or our chattel, we're condemned to these tail-chasing security games.

mirror (2, Informative)

Anonymous Coward | more than 10 years ago | (#7613224)

My personal solution to this problem has been to create a database with each site a record listing the user name and password chosen. I have a shorthand for my usual password, but all others I'm forced to create are "in the clear," typed in right there for anyone with access to my machine to see.

D'oh!

I've been watching security people for years as they've slowly increased the security of everything they can get their hands on until any idiot can wander in.

That sounds a bit contradictory, but I will soon prove my point. Before getting into the proof, however, I would like to explain that it is not solely the security people's fault. They have all attended one D'ohLT University or another, where their professors have carefully groomed them for their current state of profound D'ohLTism. That's the problem with being D'ohLTed; you are very likely to turn around and D'ohLT someone else.

My wife, the Doctor, was working over the summer at a local hospital. They are fiercely into security, requiring no fewer than four sets of passwords to navigate their system. And why not? There are confidential patient records on those systems! By golly, they ought to have eight sets of passwords, and really make things secure!

So works the mind of a D'ohLTish security engineer, working feverishly away in his cubicle in the basement next to the steam plant.

Take him out for a walk. Let him see the sunshine for the first time in years. Introduce him to some normal human beings. Be gentle at first; these are creatures with whom he has had no contact since being sucked into the depths of the university system.

Then, when his pallor begins to fade and he begins to take on signs of socialization, take him into the offices in the hospital and let him see the four sets of user names and passwords clinging to the monitors on yellow stickies (e. g., Post-It Notes) or, for the more security-minded, slid into the top drawer where no one would think to look.

D'oh!

Only a D'ohLT would come up with a security scheme that is so overly complex that it's guaranteed people will write down their passwords. And yet, this kind of D'ohLTishness is par for the course with these guys. They are the most clueless profession I know, and they are showing no signs of getting any better.

Of course, there's always room for more retardation of productivity, and, if it can be found, these guys will do it. After the first six weeks, my wife had received only two of the four sets of usernames/passwords, and she'd had to speak to no fewer than seven people to get them. Two weeks of further extreme effort finally produced the last two sets.

What was she doing in the meantime? Instead of spending full-time repairing people, which is nominally her job, she wasted hours camping out in another doc's offices, using his computer (and passwords--they were right there on the sticky note) to do her work.

Meanwhile, the other doc, bumped from his office, would go and get an extra cup of coffee. The security D'ohLTs had thus not only opened up your medical records to anyone schooled in the use of sticky notes, they were pouring money down the drain in the form of lost productivity and company-supplied coffee.

D'oh!

Fortunately, of course, this problem is self-limiting. Yes, she only worked at full throttle for the final two weeks of her ten-week stint, but when she returns in December to work for another three weeks, her user names and passwords will all be waiting for her.

Except unused user names and passwords expire after 90 days.

D'oh!

Even constant users have to make up (and post on their computer monitors) new passwords every 90 days, even if they keep their user names. Expiring stuff is the only way these guys can prevent the unthinkable: memorization. Once people memorize the little devils, they don't need their cheatsheets anymore, and then, suddenly, there's real security. They can't let that happen!

Hospitals all over the country now are freaking out at this moment because of the new security law that suddenly hit them by surprise, with no more than about six year's notice. My wife called down to Emergency a couple days after the law struck to ask them to fax a few pages from the record of a patient they had just sent up and they refused. Someone could steal the fax off the machine that sits right out in the hall, with easy patient access.

D'oh!

While these worthies spent years thinking up ways to require four sets of auto-expiring user names and passwords for all the doctors, they failed to set up physical security for either computers or fax machines.

Actual Security is the Goal

The goal of security is not to build a system that is theoretically securable, but to actually make it secure!

The universities, at least as evidenced by their graduates, are only interested in theory. That needs to change, and change now. The yellow sticky phenomenon has become so pandemic that it has received attention in both newspapers and business journals. I realize that many of these professors don't get out a lot, but they are at least supposed to read. Turning out graduates at this late date who are making security worse, instead of better, is just simply irresponsible.

These Primary D'ohLTs shouldn't shoulder all the responsibility. The Secondary D'ohLTs, in the form of practitioners, are not stupid people. In fact, they are, in my experience, uniformly bright. The evidence of the error of their ways is all around them, gracing the edges of monitors everywhere. They need to take some initiative. They must look outward, to the way things "really work," once people are in the mix.

Death by security

Excessive security can not only turn your financial and medical information into an open book, it can actually kill you.

Fifteen years ago, the approved method for gaining possession of a vehicle other than your own was to wait for the owner to wander off, then jimmy the door and hammer a screwdriver into the ignition. Bowing to auto-insurance industry pressure, auto makers have removed that option in many high-end cars, which are no longer practical to steal.

This has made the insurance companies very happy, but, unfortunately, it is getting a lot of their clients killed, since high-end cars are no longer being taken when the owners are away, but when the owners are there, car keys in hand.

D'oh!

Car theft only costs the insurance company money. Car jacking could cost you your life.

Even when the auto security D'ohLTs aren't killing us outright, they are raising our blood pressure to dangerous heights. We had a VW Rabbit several years ago which featured a theft-proof radio, rendered useless once it was removed from the vehicle. It could only be made to function again by performing an elaborate and secret ritual, involving pressing a whole bunch of buttons in sequence while holding your right foot with your left hand and crowing to the moon.

Of course, the radio didn't really know it had been stolen. It only knew that it had lost its connection to the car battery. So the first time the battery went dead, we no longer had a radio.

VW had given us a sheet with the magical incantations, but it had clearly warned us not to leave the sheet in the car, the equivalent to leaving passwords on a yellow sticky. Ever compliant, we put the sheet in "a safe place," where it probably rests today. (I can't know for sure, since we've never remembered where the safe place is.)

D'oh!

After waiting several weeks for VW to confirm our identity through DNA analysis, we received a copy of the magic sheet. This second copy remained in plain sight in the glove box as long as we owned the car.

Lately, the auto makers have been kowtowing to the insurance companies once again, by adding special lug nuts to each wheel, keyed to a special socket that must be used to remove the wheel.

Unfortunately, the special lug nut has only about 2% or 3% of the surface in contact with the tool, compared to a standard lug nut. If the wheel was overtightened at the factory, as happened with our Lexus RX-300, the custom part of the lug nut will crack right off the car when you attempt to change a spare tire on a dark road late at night, as happened to us, rendering removal of the wheel impossible.

D'oh!

Both our Lexus and new VW now have standard lug nuts on all wheels and to heck with the auto insurance company. We want to keep our life insurance company happy!

Holistic Security

A security design must be comprehensive, covering every aspect, every detail of the user experience. However, even the most perfect design can't cover every eventuality. You must also test thoroughly and actively solicit user feedback to catch holes in the security net of which you are not even aware.

A fellow wrote me not too long ago about his experience with an encryption application. He'd been doing a little work for the gummint (that's "politician-talk" for "government") and had to keep all his output encrypted, so he was using Tresor, a high-security encryption program for the Mac.

He noticed that every so often Tresor would "eat" a document, instead of encrypting it, removing every trace of the document from his system. After his initial shock, he quickly developed a work-around: He'd just drag a copy onto the Tresor icon, instead of the original. If it were eaten, he'd try it again until it worked. Once encryption was successful, he'd drag the unencrypted original and copy onto his software shredder.

This worked like a charm until one day when he attempted to launch Tresor by clicking on it. To his surprise, instead of launching the application, the document "opened up" into a window. That's because what he thought was a document, wasn't. Instead, it was an Apple "package," a clever object that looks like a folder to the developer, yet looks and acts like an application to the user.

A package allows the developer to have what appears to be a single application that might contain, for example, a System 9 application, along with its System X counterpart, and any supporting files associated with the applications.

This is an idea I first proposed back at Apple in 1987 for, I think System 6. The version I conceived, however, was intended to be bug-free. The released version is not, because, while the package acts like an application most of the time, once in a while, with no apparent pattern or visible feedback, it acts like a folder.

When my correspondent looked inside the suddenly-revealed folder, guess what he saw? All the missing, unencrypted, secret gummint documents, ripe for the taking.

D'oh!

Before Tresor, he would lock his hard disk up. With Tresor, he felt it was OK to leave the hard disk around. His security was actually reduced.

Unless you take a comprehensive approach to security, both at the human level and at the system level, you are likely to not only fail to increase the user's security, you may actually succeed in decreasing the user's security. In this case, the bug was Apple's, not Tresor's, but the Tresor folk had failed to "close the loop" by actively soliciting feedback. That one error seriously compromised their otherwise excellent product.

And speaking of security, don't you just love those websites that continue to ask you to enter your requested password, all done in 128-bit encryption mode, with the characters blanked out so you can't see what you're writing, only to parrot it back to you in an email that can be read by any 12-year-old with a Radio Shack computer? Of course, it's the same password you use for every single site short of your bank, so now everyone has full access to your computer and your life.

D'oh!

Final Thoughts

If you are a security expert, unless you are addressing, testing for, and actively soliciting feedback about every eventuality, you are not doing your job.

If you teach security, unless you are teaching a holistic, comprehensive, and practical approach to this vital effort, you are doing your students and your country a disservice.

If you are a security expert who is competent, you need to work to change your profession. It is in deep trouble, and your colleagues are dragging you down.

If you are a designer who must work with a D'ohLT, don't despair. Treat him or her as mildly retarded, in need of help, not criticism, and you will get along fine. Take responsibility on yourself to form a comprehensive security plan. Ensure that user, field, and quality assurance testing, along with user-feedback will thoroughly and comprehensively prove out the security design.

If you are a linux user who gets to work with a big sweaty cock, thank your lucky stars. I've had the pleasure of working with more than a few, and it is a sheer joy.

Re:mirror (0)

Anonymous Coward | more than 10 years ago | (#7613338)

If you are a linux user who gets to work with a big sweaty cock, thank your lucky stars. I've had the pleasure of working with more than a few, and it is a sheer joy.

Now that's a good troll, save it until the very end.

Re:mirror (0)

Anonymous Coward | more than 10 years ago | (#7613511)

Is this trolling a sport? I just don't get it, why anyone would bother. Seems a lot of investment in time and energy --- for what?

Re:mirror (0)

Anonymous Coward | more than 10 years ago | (#7613484)

Unfortunately, the special lug nut has only about 2% or 3% of the surface in contact with the tool, compared to a standard lug nut. If the wheel was overtightened at the factory, as happened with our Lexus RX-300, the custom part of the lug nut will crack right off the car when you attempt to change a spare tire on a dark road late at night, as happened to us, rendering removal of the wheel impossible.

To remove stripped lugs or broken security lugs, do the following. Force a piece of iron pipe over the lug nut (this should be a tight fit) with a 5-pound mallet. If the pipe doesn't fit snugly, hammer it out of round with the mallet and try again. Use a pipe wrench to turn the pipe.

If the end of the iron pipe deforms and will no longer grip the lug nut, hammer it back into conformance. If the pipe splits, saw off the split part with a hacksaw and try again.

If you can't get enough torque on the wrench by arm strength alone, or you just don't want to use lots of muscle, slip a 3' section of iron pipe over the end of the pipe wrench and lean on that. Be careful doing this, as the lug nut, wrench or either pipe might suddenly fail, spitting shrapnel anywhere.

I recommend eye protection when doing this. 8)

Re:mirror (0)

Anonymous Coward | more than 10 years ago | (#7613516)

I also recommend using a torque wrench when replacing the lugs to torque them to factory spec, which is probably 80 ft-lbs.

Passwords? (2, Funny)

R33MSpec (631206) | more than 10 years ago | (#7613227)

I haven't changed my password here on Slashdot since I joined^H^H^H^H^H^H^NO CARRIER

Re:Passwords? (0)

Anonymous Coward | more than 10 years ago | (#7613262)

can't seem to pray the gay away?

Re:Passwords? (0)

Anonymous Coward | more than 10 years ago | (#7613283)

I think you have a problem with your keyboard, dude.

Re:Passwords? (0)

Anonymous Coward | more than 10 years ago | (#7613349)

Hey cool, your modem tries to delete your posts before hanging up. Probably a good idea for your modem. Also, what's cool about your modem is that it sends "NO CARRIER" not only to your side but to the other modem's side.

Re:Passwords? (0)

Anonymous Coward | more than 10 years ago | (#7613389)

Aaww Jesus H. Christ on a skewer, another NO CARRIER joke, from another Slashdot poster with a strong herd instinct and the intellect of a potty ...

Re:Passwords? OT (2, Informative)

SlashdotLemming (640272) | more than 10 years ago | (#7613468)

"NO CARRIER" still getting a funny?
Interesting... that has to be one of the longest lived funny mod triggers.

Current funny triggers: SCO jokes, Golum speak.
Declining funny triggers: I, for one, welcome our new ... overlords
Recently deceased funny triggers: Yoda speak
Deceased, but still occasionally funny: All your base..., In Soviet Russia...

Re:Passwords? (1)

Have Blue (616) | more than 10 years ago | (#7613533)

This guy didn't change his password either. Idiot. And such a low account number, too!

I disagree with the article (3, Interesting)

HermesHuang (606596) | more than 10 years ago | (#7613235)

Too much security isn't the issue here at all. It's improperly implemented security. Yes, more passwords can be more secure. But only if the passwords themselves are secure. Which is why it's usually good at some level to let users set their own passwords, so that they might actually remember them. Of course, some will set simple passwords. It's up to you how to filter that. But simply assigning strange passwords to people is not the answer. And not having the secure passwords at all is definitely not the answer.

I would If I could ;] (3, Insightful)

Anonymous Coward | more than 10 years ago | (#7613249)

Too bad many sites are disallowing special characters for fear of SQL injection attacks. As for too much security? That depends on how important what you are securing is. Is your credit card information worth a little bother to protect? How about the information that the credit card companies use to issue you (or supposedly you) a credit card? Social Security number, mother's maiden name, date of birth. You can get all that from a DMV database. A system is only secure until it's been compromised; then it wasn't secure enough. Security should be built in, from day one, against a verifiable standards-based framework. Thems my two cents, please keep the change.

Re:I would If I could ;] (2, Informative)

The Snowman (116231) | more than 10 years ago | (#7613339)

Too bad many sites are disallowing special characters for fear of SQL injection attacks.

This is a shame, since it is a *very* easy fix (store MD5 hashes, not plaintext, or escape the string before storing it) and it only inconveniences users. Oh well. A simple text file on my hard drive fixes that problem :-)

Re:I would If I could ;] (1)

treat (84622) | more than 10 years ago | (#7613476)

Too bad many sites are disallowing special characters for fear of SQL injection attacks.

Ah, that's why they do it. They don't know how to use their database library properly.

I've seen seriously limited password space because of this. For example, a requirement that three characters be non-alphanumeric, but the only non-alphanumeric character supported be _, but it can't be the first or last character. Insane things like that.
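The two replies above both say the special-character bans are a substitute for using the database library properly. As an added example (written for this thread, not posted by anyone in it), here is what "properly" looks like: the password is hashed before it reaches the database and every query uses bound parameters, so quotes and semicolons in the password are never SQL. The comment mentions MD5; this example assumes a salted PBKDF2-HMAC-SHA256 instead, and the user records are constructed.

```python
"""Accept any characters in a password without SQL-injection risk.

The characters become irrelevant to the SQL layer for two reasons:
the password is hashed before it is stored, and every statement uses
bound parameters, so the driver never splices user text into SQL.
"""
import hashlib
import hmac
import os
import sqlite3

# Assumptions for this example: PBKDF2-HMAC-SHA256 with a per-user random salt
# (the comment mentions MD5; a salted, iterated hash is the modern equivalent).
HASH_NAME = "sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def open_db():
    """Create an in-memory users table (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    return conn


def hash_password(password, salt):
    # The password is encoded to bytes and hashed; quotes, semicolons and
    # dashes in it are just bytes here, never SQL syntax.
    return hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)


def create_user(conn, username, password):
    salt = os.urandom(SALT_BYTES)
    # "?" placeholders: sqlite3 binds the values instead of interpolating
    # them into the statement text, so the username is safe as well.
    conn.execute(
        "INSERT INTO users (username, salt, pw_hash) VALUES (?, ?, ?)",
        (username, salt, hash_password(password, salt)),
    )
    conn.commit()


def verify_login(conn, username, password):
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison so a mismatch does not leak via timing.
    return hmac.compare_digest(stored, hash_password(password, salt))


def stored_plaintext(conn, password):
    """True if the raw password text appears in the table (it must not)."""
    for salt, pw_hash in conn.execute("SELECT salt, pw_hash FROM users"):
        if password.encode("utf-8") in bytes(salt) + bytes(pw_hash):
            return True
    return False


def demo():
    """Constructed users whose passwords are full of SQL metacharacters."""
    conn = open_db()
    hostile = "'; DROP TABLE users; -- pa$$w0rd"
    create_user(conn, "alice", hostile)
    create_user(conn, "bob", 'qu"ote;--and;more')
    return {
        "alice_ok": verify_login(conn, "alice", hostile),
        "alice_wrong": verify_login(conn, "alice", "'; DROP TABLE users; --"),
        "bob_ok": verify_login(conn, "bob", 'qu"ote;--and;more'),
        "unknown": verify_login(conn, "carol", "anything"),
        "table_intact": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 2,
        "plaintext_stored": stored_plaintext(conn, hostile),
    }


if __name__ == "__main__":
    print(demo())
```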

password quandary (1)

jeeeeem (592106) | more than 10 years ago | (#7613252)

I've never seen a solution to the conflicting attributes of a good password. It should be hard to guess, involving a mix of upper and lower case letters and numbers, and involving no personal data. It should be different for each site or system. You should change it often. You shouldn't write it down or put it in a text file. Does anyone really follow these rules? How do you remember all your passwords if you do?

Re:password quandary (5, Insightful)

thecampbeln (457432) | more than 10 years ago | (#7613458)

No shit! At some places I've worked, passwords are required to contain X capital letters, Y numbers, and changed once a month. So what ends up happening? After forgetting the damned thing two or three times, most users (including myself, bad form I know but hey) come up with a pattern to their passwords. So, something like this begins to appear:

Pa55J4n
Pa55F3b
Pa55M4r
Pa55Apr

Sure, now you have 'secure passwords', but once someone recognizes the pattern... This, IMHO, is counterproductive security-wise. Have the ultra-secure passwords, but don't make your users change them too often or this shit begins to appear.

Re:password quandary (0)

Anonymous Coward | more than 10 years ago | (#7613462)

One way to do this is to have a phrase that you are familiar with and take the acronym. Like "my uncle is named david williams" turns into muindw. You can capitalize proper names or whatever and turn letters into numbers where you can, so you end up with something like mun1DW. To deal with different logins, you can just append the name of the organization/machine to the password. Example:

mun1DWamazon
mun1DWlocalhost

That's one way I've found to get security (or at least sufficient obscurity), ease of recall and portability.

Annoying security leads to circumvention (5, Interesting)

Karcaw (28053) | more than 10 years ago | (#7613261)

In my case my employer added a recurring RSA security key to read the Outlook webmail. As I have been using Evolution for this, externally on my laptop, for some time, this rendered Evolution useless, because it did not understand the prompts for RSA keys. Then even if I use a web browser I have to re-login every hour. Really annoying.

So a simple ssh tunnel into a work machine, and a modified transparent proxy setup (I had the GPL'ed source), and an iptables rule, and wow, the webmail server always thinks I'm inside the firewall.

So while I'm doing the forward securely with ssh, they just annoyed me and I worked around it.

Forced password changes (5, Insightful)

Rex Code (712912) | more than 10 years ago | (#7613274)

Forcing users to change passwords is one example of something that doesn't help security. If there's anything that's going to make the common user write their password on a post-it note and stick it to their monitor, it's being forced to change it at random intervals.

If you've done a dictionary search when the password was originally set, or at least ensured that the password contained a couple numbers and symbols, then it's a good password and you have no reason to assume the user can't keep it secret. Plus, people might not be able to keep coming up with unique passwords once a month.

Re:Forced password changes (3, Insightful)

lewko (195646) | more than 10 years ago | (#7613350)

This fails however if the time between password changes is greater than the probable time to brute-force (or other wordlist) crack the password file. Don't assume that crackers all use the same 'dictionary' i.e. wordlist.

Did you know that many 31337 hax0r cracking tools will straight away defeat the more lame methods for using complex passwords?

This includes swapping every known integer/alpha replacement (e=3 0=o l=7), e.g. if someone used h3110 as their password (i.e. 'hello' in hax0r spelling) it wouldn't take any longer than a standard dictionary attack.

Having a single password changed every 30-60 days is not that difficult. It becomes a problem where users have to maintain multiple passwords for multiple systems. This is even more dangerous for admins who have to maintain even more, and they are used to protect sensitive systems.
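The defender-side counterpart to the two points made in this thread (that cracking tools fold leet substitutions like h3110 back to hello, and that monthly rotation produces the Pa55J4n / Pa55F3b series): a password-set-time check that applies the same folding before consulting a wordlist. This is an added example written for this discussion, not code from any poster; the substitution table and the mini-wordlist are constructed and would be far longer in practice.

```python
"""Reject complex-looking passwords that a leet-aware wordlist attack covers.

The check folds digit/symbol substitutions and case the way cracking rules
do, trims leading/trailing padding, and then looks the result up in a
wordlist, also catching the "word + month abbreviation" rotation pattern.
"""
import re

# Substitutions crackers undo; a real deployment would use a longer table.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

# Constructed mini-wordlist standing in for a cracking dictionary.
WORDLIST = {"hello", "password", "pass", "secret", "letmein", "welcome", "summer"}

MONTHS = {"jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec"}


def fold_leet(text):
    """Undo leet substitutions and case: 'h3110' -> 'hello'."""
    return text.translate(LEET_MAP).lower()


def candidates(password):
    """Forms a wordlist rule engine would try for this password."""
    low = password.lower()
    # Drop leading/trailing non-letters first ('P@ssw0rd!' -> 'p@ssw0rd'),
    # so trailing punctuation is not mistaken for a substituted letter.
    trimmed = re.sub(r"^[^a-z]+|[^a-z]+$", "", low)
    forms = {low, trimmed, fold_leet(low), fold_leet(trimmed)}
    return {f for f in forms if f}


def check_password(password, wordlist=WORDLIST):
    """Return the reasons a password is weak; an empty list means it passed."""
    reasons = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    forms = sorted(candidates(password))
    for form in forms:
        if form in wordlist:
            reasons.append("folds to dictionary word '%s'" % form)
            break
    # Rotation pattern: dictionary word followed by a month abbreviation,
    # e.g. Pa55J4n -> 'passjan'.
    for form in forms:
        month, stem = form[-3:], form[:-3]
        if month in MONTHS and stem in wordlist:
            reasons.append("dictionary word '%s' plus month '%s'" % (stem, month))
            break
    return reasons


def weak_in_series(passwords):
    """True for each password in a rotation series that the check rejects."""
    return [bool(check_password(p)) for p in passwords]


if __name__ == "__main__":
    for pw in ["h3110", "Pa55J4n", "P@ssw0rd!", "k7#Qmz!wv2Rp"]:
        print(pw, "->", check_password(pw) or "ok")
```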

Re:Forced password changes (5, Informative)

mo26101 (518770) | more than 10 years ago | (#7613409)

About a decade ago, I was a software developer working in a building with 2000 users. Back then we wrote apps for Win 3.1. Most users 10 years ago were even more clueless than users today, so we often had to install software for them. We would show up and tell them that we needed to install something; they would then usually say fine and go take a coffee break. Being Win 3.1, we almost always had to reboot for one reason or another in the install. This would then leave us needing to log back on to the user's computer with the user not there. At this company passwords had to be changed every 30 days and include both letters and numbers. Nobody could remember their password, so when we needed to log in and the user was not there, we would just open their top desk drawer. 9 times out of 10 the password was written on a sheet of paper in the drawer. It was amazing how many people did this.

Re:Forced password changes (1)

fmlug.org (695374) | more than 10 years ago | (#7613529)

As a sysadmin I have to admit that forcing users to change their passwords at short intervals, say 30 days, seems to make a system very insecure, just for the fact that I know users who pick just as bad a password as it was before, or they just tape the sucker to their monitor. Can we really blame them? I have somewhere around 15 different root passwords to remember, not including all of my own user accounts. It took me years to learn to memorize them all. My mom works for a hospital; she is always complaining about all the passwords she has to remember. One of the systems she logs into kicks her out if she is idle for more than 1 min, so she spends most of her time logging in. I think that a lot of systems are getting over-secure. Is their paranoia justified? I don't really have a clue; the current system seems to work and users seem not to mind it all that much, at least they don't complain. We are currently looking into a way of combining many systems with a single-sign-on type system so users only have one password and have to change it more often. OK, back on track: people are just not used to picking unique and complicated passwords every month. Hopefully biometric scanners can fix this for us. It would be really nice to not have to remember all those passwords and just have to put my thumb or eye up to a little scanner. OK, so maybe this was just a long rant; I'll let you be the judge.

Common sense (1)

Telastyn (206146) | more than 10 years ago | (#7613282)

The goal of all security measures is to make it inconvenient enough to enemies that it's not worth their time and effort to try and break in, while making it *not* inconvenient enough to users that it's not worth their time and effort to actually use the system.

Maybe no security at all (4, Interesting)

Rosco P. Coltrane (209368) | more than 10 years ago | (#7613284)

For example, back when I was going to the University and was living in a slummy student complex where everything that could be stolen was, I used to have a shitty car, and I used to leave my car doors unlocked at night. My car wasn't a good candidate for theft, but when it *was* stolen (it happened twice), it was for joyrides and at least the robbers didn't burst the locks.

So I guess the software equivalent of that would be to not leave expensive data that could interest people on a networked box, and make as much of your sensitive data as possible less sensitive, by simply publishing it. GPL code, for example, doesn't have to be protected.

I'm not saying everything should be released, far from it, but there's a lot of "hidden" data that could just be left readable by everybody, by changing some company policies and being a tad more open about everything, thus removing the desire/need to hack the box it's hosted on.

Re:Maybe no security at all (0)

Anonymous Coward | more than 10 years ago | (#7613475)

>>GPL code, for example, doesn't have to be protected.

Didn't someone recently try to plant a backdoor into the linux kernel?

Didn't Debian's source tree just get broken into?

passwords (4, Interesting)

Pompatus (642396) | more than 10 years ago | (#7613294)

The biggest problem I have with strong passwords for logins is that everyone seems to have a different idea of what a strong password is. Some people require the first 2 characters to be letters, some require length to be greater than 6 chars while others are a max of 6 chars, and so on.

I have developed a password that I use on systems I can control that consists of 13 characters, both letters and numbers, and an & sign in for good measure. It makes perfect sense to me, I will NEVER forget this password, and you would literally have to be able to read my mind in order to guess it. But most systems won't accept it for whatever reason or another, so I vary it slightly to conform to whatever rules are in effect. This creates a problem of about 5 variations of what I want my password to be.

I think people need to be educated on how to make a strong password. It should be up to the user to provide a strong enough password, because if the user can't remember it, then the entire process is pointless. We're supposed to show photo ID at school to have our password retrieved for us, but it happens so often that the people behind the counter just do it. How many other places do this same thing, because EVERYONE forgets their password?

Sorry for the long rant, but I felt the need to get all this off my chest :)

Re:passwords (1)

addaon (41825) | more than 10 years ago | (#7613401)

But if someone manages to somehow sniff the password for one system, you're hosed. One of the most basic rules of good passwords (in addition to having reasonable length and avoiding dictionary attacks) is to use different passwords for different things.

Increasing versus Improving security (2, Insightful)

GillBates0 (664202) | more than 10 years ago | (#7613306)

Are we increasing security too much, so that the users circumvent it?

By "increased security", do you mean increased security measures, or the increased security of the resulting system?

If the resulting system is secure because of good security measures, then not every idiot can wander in.

On the other hand, if you mean just increased security measures, which, apparently aren't resulting in a more secure system, then the "security people" are idiots for using weak security mechanisms over and over again, in a hope of increasing the overall security of the system.

Improved security measures may not be large in number, but result in a secure system. You're better off using 1 strong encryption scheme rather than 4 weak ones.

Passwords in linux (3, Interesting)

3Suns (250606) | more than 10 years ago | (#7613313)

There was a time when I was upset by the fact that Linux accepts very strange characters in the passwords (the arrow keys for instance) that couldn't be typed into most GUI password fields. Now I realize that that's not a bug, it's an accidental feature. Effectively, root can't log in on a GUI (including gksu), on a machine so configured, which adds to the security of the system. Fake login screens are foiled by that trick.

(UP UP DOWN DOWN LEFT RIGHT LEFT RIGHT A B A B) anyone?

Re:Passwords in linux (0)

Anonymous Coward | more than 10 years ago | (#7613479)

YEAH!! KONAMI CODE!

Too many passwords - so I write 'em down! (4, Insightful)

gilgongo (57446) | more than 10 years ago | (#7613323)

I have to remember not one, not two, but SIX different passwords, PIN numbers and security questions simply to access my frikin' bank account online. And I currently have about 12 online accounts of various kinds, most of which impose their own rules to what they want for access (some systems allow numbers in passwords, others don't, some have a minimum of 8 characters, others 10, etc. etc.)

So what do I (and presumably everyone else) do? I write them down somewhere. How much LESS secure is that than having one (or maybe three at most) username/password combinations that I never write down or tell anyone?

So I called my bank a few weeks ago and told them that if I signed a disclaimer, would they allow me to go from six pass/PIN/IDs to just a username and password of my choosing? No no no! Far too insecure.

So would they indemnify me if my notebook was stolen and my account was accessed without my permission? No no no! I'm responsible for my passwords and should not divulge them to anyone!

But nobody can reliably remember SIX things to log in to one account, as well as having to remember all the other usernames/passwords, etc. they might have.

So, I've closed my account with them. Because I think they're too damn insecure.

Re:Too many passwords - so I write 'em down! (1)

rsadelle (719824) | more than 10 years ago | (#7613523)

There's an odd psychological element to password remembering. I sometimes forget the passwords I've used for websites I almost never log in to. However, I'm the entire IS Department for a small agency, and I can remember nearly all the passwords that our staff has to use to log on to our network and in to our database (two different passwords).

People can make them whatever they like. (1)

MC_Cancer_Pants (728724) | more than 10 years ago | (#7613326)

6 years ago I memorized a 16-character string of random characters; I use it for everything, the first 8 for less important things, just in case. People can choose passwords as necessary as they see fit. Requiring passwords to be so odd isn't really protecting anything, as users will voluntarily do so if it is anything they care about. All that setting these standards does is make people use "master password" apps (which I for one don't trust for a minute) and cause the "coat-hanger" e-mails to tech support. ;)

observe security processes in action (1)

jptwo (551230) | more than 10 years ago | (#7613329)

Security plans should be beta-tested with non-geek testers over several weeks. After my favorite users forgot their PGP passphrases once or twice, I learned to accept that highly intelligent folks could not remember passwords that they didn't use every day. So, I compromised: I encouraged users who wanted a reminder to put mnemonics in their wallets... and to give me revocation privileges!

Myth... (3, Interesting)

Chagatai (524580) | more than 10 years ago | (#7613334)

Having a truly secure environment is impossible. The thing that is critical to remember is that security is about mitigating risk. As I always tell my customers, "It's not a matter of if you have a security issue, but a matter of when." Just like the article says, when too much security is applied to any area people will develop loopholes around them to avoid the "inconvenience." But by the same token without any inkling of security people will give out passwords over the phone. It's trying to find the happy middle that is the problem.

Does enforcement matter? I'd be lying if I said it didn't. However, the means in which it is dispensed is the issue. No one enforces a security policy? Don't be surprised when a stranger walks in the door. People enforce security like a police state? Don't be surprised when people in power abuse their abilities and allow their friends to skate around issues. Then, of course, there is the typical knee-jerk reaction when an event happens and everything is locked down to only be forgotten about two months later.

Use common sense, as it isn't common to most people. Tailor the security to the individual company; a meat processor protects their beef, Lockheed Martin protects missile technology--each is deadly in different ways.

geheim01 (0)

Anonymous Coward | more than 10 years ago | (#7613336)

there you have it, my passwd (not to /. though)

1. The article focuses mainly on passwords, which is only a small part of security.
2. It gets almost philosophical when you argue about rules for passwords. As soon as you define a system or a set of criteria for passwords, you limit the search space for a hacker.
3. Changing passwords every now and then is a good idea, and so is educating people on the creation of passwords. Guessing the password of people you know is usually trivial.

My password is (0)

n6kuy (172098) | more than 10 years ago | (#7613382)

"joshua".

And, yes, I WOULD like to play a game.

Security is a process (3, Informative)

Space cowboy (13680) | more than 10 years ago | (#7613387)

There's little point in having a security-review once per year and then assuming that you're then ok for the next year. If you don't have an ongoing approach to security, you don't have a secure system.

Every day I get reports from logwatch and tripwire on all the systems I look after. I look them over and query anything that catches my eye as unusual, or that doesn't correlate with the system-updates downloaded overnight. It takes about 10 minutes, and I do it over the first coffee in the office. It's just part of the routine. I insist on good passwords, and the machines are firewalled as much as possible. Got to leave that damn port 80 open though :-)

I don't have the most-secure servers in the world, but I'll notice pretty quickly if there's something wrong with one of them, and I get an SMS if the chkrootkit program discovers anything...

I have a client who had an annual security-review process, and was hacked into, about 3 months after the review. The attraction was the bandwidth they have, I guess, and the first thing they knew about it was when that 200mbit pipe went crazy spamming people left right and centre... Their attitude changed when they suddenly got charged a lot of money for doing something they didn't even know about!

Simon.

Trade-off (1)

Black Parrot (19622) | more than 10 years ago | (#7613400)


As best I can tell, there's a direct trade-off between security and ease-of-use. So set the level of security you need, no more and no less.

And if your stuff needs high security, hire people that will understand that and not write down their passwords. Sorry; there aren't any magic-bullet solutions that will allow an end run around that requirement. If you need stuff that requires special handling (computer security or otherwise), and you don't think it's worth paying experts to handle it, you need to rethink your business model.

Not the source, really (4, Interesting)

sphealey (2855) | more than 10 years ago | (#7613419)

So works the mind of a D'ohLTish security engineer, working feverishly away in his cubicle in the basement next to the steam plant.

Take him out for a walk. Let him see the sunshine for the first time in years. Introduce him to some normal human beings. Be gentle at first; these are creatures with whom he has had no contact since being sucked into the depths of the university system.

Then, when his pallor begins to fade and he begins to take on signs of socialization, take him into the offices in the hospital and let him see the four sets of user names and passwords clinging to the monitors on yellow stickies (e.g., Post-It Notes) or, for the more security-minded, slid into the top drawer where no one would think to look.

Besides being offensive, this scenario is, 99.5% of the time, blatantly untrue. The security professionals are very much aware that the password systems don't work, and that the userids and passwords are sticky-noted to the monitor. But they have no choice: (1) no better system than passwords has yet been devised; (2) they are responding to the demands of UPPER MANAGEMENT for "security NOW, dammit!"; (3) upper management in turn is responding to the demands of auditors, regulatory agencies, and ultimately Congress.

The guy in the basement office has about as much control over this process as Pvt. Beetle Bailey does over the war in Iraq.

And really - would those same people who tape the password to the monitor tape their garage door key to the doorframe because "it is too much trouble to carry 3 keys around"? I have 15 keys on my keyring, personally, yet no one makes offensive statements about architects and locksmiths re: "door design".

sPh

And the answer is: (1)

djbrums (633961) | more than 10 years ago | (#7613420)

And the answer is:
No, we shouldn't.

Any other questions I can help you out with :)

A Simple Exercise In Self-Auditing (4, Funny)

Bowie J. Poag (16898) | more than 10 years ago | (#7613429)



Exercise: Make a drawing on paper of what your system looks like from the point of view of people on the outside. Draw it in a similar fashion to how one might draw a house, or a favorite car.

A) If your picture looks like or includes any of the following objects, proceed to step C:

. A block of swiss cheese
. A large question mark
. A fat mall-cop with powdered sugar around his mouth
. A small child in a corner, crying, holding a security blanket
. A Diebold voting terminal

B) If your picture looks like or includes any of the following objects, proceed to step C:

. Fort Knox
. A medieval castle under siege with the invaders having boiling tar poured on them.
. A resettable Viet-Cong boobytrap with dozens of pigs already skewered on it
. The business end of a .357 Magnum
. An illuminated Jesus standing atop an Sun E10K
. A solid, faceless slab of hyperdense radioactive metal extracted from the heart of a neutron star

C) You need to increase your system's security.

Business Practices and Security (1, Troll)

randall_burns (108052) | more than 10 years ago | (#7613437)

My experience is that many companies have business practices that stress their security procedures to the extreme. For example, look at Enron. Virtually their entire IT staff were H-1b/L-1 [outlander.com] workers from places where they weren't able to do background checks. They had a practice of hiring closeted gay accountants (so they could be blackmailed into doing what management wanted). Then this bunch of managers with degrees from West Point and Annapolis (yes, many of their upper managers were from those schools with their honor traditions) wonder why things went sour (and at least $3 billion of the 12 billion in losses wound up in India).


The first key to decent security is building a community in which people have at least a degree of trust and respect for their leadership. If you have that, good security practices can go a long way. If management is playing a negative sum game with their staff and the larger community, sooner or later someone more devious and less honest is going to show up and take over that game. Those that live by the sword die by the arrow.

Schneier's Take (1)

jazman_777 (44742) | more than 10 years ago | (#7613451)

His take is that we are required to remember a lot of hard-to-remember passwords. Which we can't really do well. So the best compromise is, instead of just picking easy passwords, to write the passwords down, and protect the paper fanatically.

Simple Passwords are fine (1)

crow (16139) | more than 10 years ago | (#7613503)

Back when people were using Unix systems without shadow password files (or using NIS, which does the same thing), people could get access to the encrypted passwords and do an offline dictionary attack. Simple passwords were bad.

Now with most systems, you can't get at the encrypted passwords unless you've already compromised the system. Hence, any brute-force attack should be detected by the number of failed login attempts, and a full-fledged dictionary attack can be defeated by simply adding a second or two to the response from the authentication server.

So all you should need is a password that won't be guessed on the first few tries.
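The two controls this comment relies on, counting failed attempts per account and slowing the response, as an added example written for this discussion (not code from the poster). It processes constructed authentication-log lines; the 10-minute window, the alert at 5 failures and the doubling delay capped at 30 s are assumptions chosen for the example.

```python
"""Online-guessing defence: count failures per account, delay, alert.

When hashes are not exposed for offline cracking, an attacker is limited to
online guesses, which the authentication server can count and slow down.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 600      # failures older than this no longer count
ALERT_THRESHOLD = 5       # failures in the window that trigger an alert
BASE_DELAY = 1.0          # seconds added after the first failure
MAX_DELAY = 30.0          # cap on the added delay


class LoginThrottle:
    def __init__(self):
        # account -> timestamps of failures inside the sliding window
        self._failures = defaultdict(deque)

    def _recent(self, account, now):
        q = self._failures[account]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return q

    def record_failure(self, account, now):
        self._recent(account, now).append(now)

    def record_success(self, account):
        # A successful login clears the counter for that account.
        self._failures.pop(account, None)

    def delay_for(self, account, now):
        """Seconds to wait before answering the next attempt for this account."""
        n = len(self._recent(account, now))
        if n == 0:
            return 0.0
        return min(MAX_DELAY, BASE_DELAY * 2 ** (n - 1))

    def should_alert(self, account, now):
        return len(self._recent(account, now)) >= ALERT_THRESHOLD


def parse_line(line):
    """Constructed log format: '<epoch_seconds> LOGIN_OK|LOGIN_FAIL <account>'."""
    ts, outcome, account = line.split()
    return int(ts), outcome == "LOGIN_OK", account


def run(lines):
    """Return, per log line, (delay the server should have applied, alert state)."""
    throttle = LoginThrottle()
    results = []
    for line in lines:
        now, ok, account = parse_line(line)
        delay = throttle.delay_for(account, now)   # based on earlier failures
        if ok:
            throttle.record_success(account)
        else:
            throttle.record_failure(account, now)
        results.append((delay, throttle.should_alert(account, now)))
    return results


# Constructed sample: a guessing run against alice, one slip by bob,
# and two stale failures for carol that age out of the window.
SAMPLE_LOG = [
    "0 LOGIN_FAIL alice", "1 LOGIN_FAIL alice", "2 LOGIN_FAIL alice",
    "3 LOGIN_FAIL alice", "4 LOGIN_FAIL alice", "5 LOGIN_FAIL alice",
    "6 LOGIN_OK alice",
    "100 LOGIN_FAIL bob",
    "0 LOGIN_FAIL carol", "1 LOGIN_FAIL carol", "1000 LOGIN_FAIL carol",
]

if __name__ == "__main__":
    for line, (delay, alert) in zip(SAMPLE_LOG, run(SAMPLE_LOG)):
        print("%-20s delay=%5.1fs alert=%s" % (line, delay, alert))
```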

Real security! (1)

Dark Lord Seth (584963) | more than 10 years ago | (#7613510)

Set up Tripwire to send 10k volts down the appropriate network port in case something goes wonky!

Security's Theory of Relativity (2, Insightful)

Anonymous Coward | more than 10 years ago | (#7613517)

The obvious answer: It depends on the value of what you are protecting and what it would cost to replace it. The problem is, after spending years of learning and loads of money on books, what security analyst is going to say "well, if the web server goes down, it would only take 15 minutes to restore from backup and cannot affect other systems, so there is no need for a $5000 firewall and the administration that goes with it." It is like asking a car dealer if we should replace our reliable sedan.

That said, the only effective way to maintain security when it is required is to keep it usable for lUsers. We all have our keychains for PGP, but how do you make an easy-to-use yet secure keychain for the end user? An encrypted program on a USB key? A login on a secured central server? We still protect our own dwellings, the places we keep our most valuable items, with a 50-cent shaped piece of metal. How much more valuable is that forwarded joke sitting on your hard drive at work?

Too much security backfires (1)

0WaitState (231806) | more than 10 years ago | (#7613524)

As you layer on more and more security, the organization will start working around the security measures in order to get their jobs done in a timely manner. Any organization that is crippling itself with overly cumbersome security measures becomes very vulnerable to social engineering.

As an example, take forced password rotation. If you make your users change passwords once a month, I guarantee you about a third of them will include the current month in their password, and another third will have a yellow sticky with the password written down either in their wallet or in their desk.