Eric J in MN
(1000+ posts)
Mon Jun-21-04 06:35 PM
Original message
A website devoted to Stupid Security
There is a website devoted to Stupid Security, security measures which don't really make us safer, at:
www.stupidsecurity.com

lapfog_1
(1000+ posts)
Mon Jun-21-04 06:58 PM
Response to Original message
1. Or, as I used to call this kind of mentality...
Back when I was doing IT security at NASA, they had some real boneheaded security measures... and I used to call it The EBS system. As in "Everything BUT Security".
They would do things like randomly assign computer passwords and change them every month or so... usually the more critical the password, the more frequent the changes (and the more people that knew it). So, of course, people would never remember these passwords so they wrote them down (numerous passwords were issued to every member of the IT operations staff). So I would constantly find little slips of paper with things like "X1S: xff84T2" and so on (as an example). Normally the ID badge that they would wear around their necks would have the entire list laminated on the back! Great security.
And, of course, in a Unix environment, one COULD create a list of "privileged users" and also a list of commands that each user is authorized to run... all with complete safety, ONE password (their own), good across the entire complex of machines, with an audit trail of what user XXX did. Did we USE that feature? Of course not!
I was a big proponent of ONLY having encrypted traffic, even on the internal LAN networks... no clear text passwords traveling back and forth... did they USE that? Of course not. And some idiot eventually installed a non-secure machine which STRADDLED the firewall (it had connections to internal LANs), and someone outside installed a packet sniffer, compromised 1000s of passwords, and used them to install 100s of viruses and Trojan horse programs and all kinds of nasty stuff. Think that CHANGED anything? Of course not.
Everything BUT Security.
We have to make the investment in a proper security model, make sure the security model actually stops people attempting to circumvent it (hire the tiger teams, let them run white ops, PUBLISH the results AFTER you fix it), and, most importantly, do the police work to track down the real culprits and stop them before they get past the planning stage (the military is NOT the most appropriate tool for doing this...).
Sigh.
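The Unix facility the post alludes to (a list of privileged users, a list of commands each may run, authenticated with the user's own password, with an audit trail) is what sudo's `/etc/sudoers` policy provides. The policy below is an added example written for this thread, not something from the post or from NASA; sudo itself is an assumption, and the user names, aliases, host field and command paths are placeholders.

```sudoers
# Added example: an /etc/sudoers policy of the kind the post describes.
# User names, command paths and log locations are placeholders.

# Named groups of people and of commands keep the policy readable and reviewable.
User_Alias  OPERATORS = alice, bob
User_Alias  DBADMINS  = carol
Cmnd_Alias  SERVICES  = /usr/sbin/service, /bin/systemctl
Cmnd_Alias  DBTOOLS   = /usr/bin/pg_ctl, /usr/bin/pg_dump

# Each person authenticates with their OWN password: no shared root password
# to write on a slip of paper or laminate onto a badge.
Defaults    !rootpw, !targetpw
# Re-prompt after 5 minutes so an unattended terminal is not a free root shell.
Defaults    timestamp_timeout=5
# Audit trail: every invocation is logged with user, host and full command line,
# and the session's terminal input/output is recorded for later review.
Defaults    logfile="/var/log/sudo.log"
Defaults    log_input, log_output, iolog_dir="/var/log/sudo-io"

# Who may run what, as whom, and where. ALL in the host field lets one policy
# file serve the whole complex of machines; a Host_Alias can narrow it.
OPERATORS   ALL = (root) SERVICES
DBADMINS    ALL = (postgres) DBTOOLS

# The anti-pattern the post complains about, for contrast: a blanket grant with
# no password and no command restriction hands out root with no accountability.
# Do not write this:
# %staff ALL = (ALL) NOPASSWD: ALL
```

Edit the file only through `visudo`, which syntax-checks it before saving; a single typo in a hand-edited sudoers can lock every administrator out of privileged commands at once.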

Eric J in MN
(1000+ posts)
Mon Jun-21-04 07:02 PM
Response to Reply #1
2. You can submit stories to the website, if
You can submit stories to the website, if you want to relate part of your experience to a news item.