Eric J in MN
(1000+ posts)
Send PM |
Profile |
Ignore
|
Mon Jun-21-04 06:35 PM
Original message |
| A website devoted to Stupid Security |
|
There is a website devoted to Stupid Security,
security measures which don't really make us safer, at:
www.stupidsecurity.com
|
| lapfog_1
(1000+ posts)
Send PM |
Profile |
Ignore
|
Mon Jun-21-04 06:58 PM
Response to Original message |
| 1. Or, as I used to call this kind of mentality... |
|
back when I was doing IT security as NASA, they had some real
boneheaded security measures... and I used to call it The EBS
system. As in "Everything BUT Security".
They would do things like randomly assign computer passwords
and change them every month or so... usually the more critical
the password, the more frequent the changes (and the more people
that knew it). So, of course, people would never remember these
passwords so they wrote them down (numerous passwords were issued
to every member of the IT operations staff). So I would constantly
find little slips of paper with things like "X1S: xff84T2" and so
on (as an example). normally the ID badge that they would wear
around their necks would have the entire list lamented on the back!
Great security.
And, of course, in a Unix environment, one COULD create a list of
"privileged users" and also a list of commands that each user
is authorized to run.. all with complete safety, ONE password (their
own), good across the entire complex of machines, with an audit
trail of what user XXX did. Did we USE that feature. Of course not!
I was a big proponent of ONLY having encrypted traffic, even on
the internal LAN networks... no clear text passwords traveling
back and forth... did they USE that? Of course not. And some
idiot eventually install a non secure machine which STRADDLED the
fire wall (have connections to internal LANs) and some one outside
installed a packet sniffer and compromised 1000s of passwords and
used them to install 100s of virus and Trojan horse programs and
all kinds of nasty stuff. Think that CHANGED anything? Of course
not.
Everything BUT Security.
We have to do the investment in a proper security model, make
sure the security model actually stops people attempting to
circumvent it (hire the tiger teams, let them run white ops,
PUBLISH the results AFTER you fix it), and, most importantly,
do the police work to track down the real culprits and stop them
before they get past planning stage (the military is NOT the most
appropriate tool for doing this...).
Sigh.
|
| Eric J in MN
(1000+ posts)
Send PM |
Profile |
Ignore
|
Mon Jun-21-04 07:02 PM
Response to Reply #1 |
| 2. You can submit stories to the website, if |
|
You can submit stories to the website, if you want to relate part of your experience to a news item.
|
DU
AdBot (1000+ posts)     |
Fri Apr 19th 2024, 02:03 AM
Response to Original message |
Printer-friendly format
Email this thread to a friend
Bookmark this thread
