Monday, June 18, 2012

How Security actually works

Well, "works" is maybe not the right term.

Sadly, that's often just the way it works.  The moral is that if you can still see, you're not secure.


Broken Andy said...

Yeah, that pretty much sums up my experience with security wonks.

Dave H said...

I just had a conversation with Mordac today. I -almost- talked him into letting me install some software on one of his servers, but then he chickened out and told me to send him the instructions and he'd install it himself.

45er said...

I have a disc with a PDF for a manual on a device that is very important where I work. Thanks to the security settings, I can't view the manual to operate the very important device. Mordac strikes again.

Tyler said...

Well thats like how a lot of security matters have become in this day and age. The law abiding citizens are punished for the acts of the few who choose not to obey laws and standards.

Anonymous said...

I am a Mordac and the stupidity or the low IQ's of the user population never ceases to amaze me. Actually some of our users are in fact illiterate but damn can they operate a widget making machine better than anyone else.
It's a tough job explaining to our users, no you can't have internet access to look at pron on a process control machine or why clicking on the email of make it bigger cream was a bad idea and thank you for the 1/2 million dollars in lost productivity cleaning up your mess.

Old NFO said...

Yep, true dat... sigh...

Jake (formerly Riposte3) said...

Yup. And don't even get me started on the stupidity of the password dance. The system I have to use for my EMS reports has all the requirements you should never use and that everybody does anyway: it requires a new password every 3 months, 6-10 characters with one capital letter and one number or symbol, and it can't be any of your last TEN passwords.

Nearly every time I run I see someone who has forgotten their password and has to get someone else to log on so they can write their report using that person's account (it still gets tied to the right person, but still...). I've seen people write their current password down on a piece of tape on their name badge, so they don't forget it. Essentially, if you can imagine a way someone can compromise their password, it happens.

And, of course, now you have at least 10 different passwords linked in your mind to that one system, some of which are probably in your pool of "common" passwords that are used for other systems (because most people will use the same password for multiple systems so it's easier to remember which password goes with which system), so you have to remember which one you're using currently.

Sorry, I'll stop ranting now. It's just one of the more frustrating systems I've run into.

Broken Andy said...

Jake, that all sounds very familiar.

I once worked with a guy that found some ldap or samba script that would change the password on the AD server for him. So every time his password expired, he ran the script which consisted of a 10 password changes, the last being the password that just expired and the one he could remember. That way he got around the security policy that disallowed reusing the same password for the last 3 iterations or so.

Goober said...

Jake - the worst part about the whole thing is that you get a much more secure password by having them use more characters and just get rid of the alpha numeric BS all together. XKCD talked about it a while back, using the example of the word TROUBADOR only randomly substituting the number 4 for the A, random capitalization and even putting a symbol in there, and it was relatively easy to crack.

Then, he used the idea of randomly grabbing four random, well known words and entering them. in his example, he used "correcthorsebatterystapler"

That password is nearly impossible to crack because of how many characters there are, and instead of having to remember to substitute a 4 for the A and which letters to randomly capitalize, you've already memorized it.

I've also used nmonics for common phrases. For example, take the Birds song's first verse first line and take the first letter off each word, save capitalization and punctuation. So for "To everything, turn, turn, turn, there is a season, turn, turn, turn" you end up with "Tet,t,t,tias,t,t,t". Again, stupid easy to remember, much more difficult to crack.

AnarchAngel said...

Thus why I tell people (I am an information security professional), that our job is NOT technical, it's a business function, that of LOSS PREVENTION.

If you are preventing people from getting their job done, you are not preventing loss, you are causing it.

David said...

I was helping a friend wire up a small parochial school several years ago. The priest and principal were very worried about network security with computers in the class room all connected to the internet. We were in a meeting when he declared that we needed to: "Absolutely guarantee that no one would be able to access any objectionable websites, or do anything illegial with our network."

My friend started to explain that there was no way to guarantee those things he was interupted and told there was no negotiation - we had to guarantee it.

I stepped in and told him no problem I would take care of that. I walked over to the corner of the room where our modem and router were set up - unplugged both of them, disconnected the power cables, rolled them up, put them in my pocket and walked back over, sat back down and told him "there, you are absolutely secure. No one will use your network for porn or any thing else you don't want them to."

While everyone was staring at me the door opened and the school secretary stuck her head in and said "I just lost my internet connection. I was logged into the grade tracking program and everything just froze."

I told her "don't worry about it - you are secure., just go back and do your job."

The next half hour, and three more interuptions by teachers who had lost their network connection, we had an interesting discusion of network security with administrators who could barely use e-mail. It all ended in a rather shocking manner when the priest told me to "stop being a smartass and turn their damned network back on." I'd never had a man of the cloth talk to me that way - I think I touched a nerve somewhere. But we ended up working together for several years and got along just fine. Except that my first recommendation to solve every problem they had was to suggest that they just unplug it.