
Interesting article on the problems with passwords

And in the process it has now been shown how weak the security of most controllers is. Like I said, to me that's more scary than regular computers being insecure, only because a lot of companies don't even think about securing them even though they have tough IT security policies.

Right, all the Iranians had to do was follow MS's recommendations for USB ports on sensitive machines. Good thing they didn't. :rofl:
 

Yea, that too!


Actually no one does. I'll have to look for it, but a year or so ago there was a study done by the GAO on USB drives. They took a bunch of them and dropped them in the parking lots of several different government office buildings, including Homeland Security. They had, IIRC, something like 90% of their USB drives taken into the buildings and plugged into a computer.

Users can be lazy and stupid. The only people surprised by this are people not in IT... :)
 


My friend used to be the CIO of DHS and Congress wouldn't give him statutory authority to issue orders that were IT-related for any network in the entire Department.
 

I get people who tell me all the time that our government systems MUST be more secure than most civilian non-government networks and I just laugh... :)
 
http://www.wired.com/gadgetlab/2012/11/ff-mat-honan-password-hacker/all/

The implications for this are scary... even more so in Traveller... Ramifications of higher TL security?

For Traveller I would think a body scan would be more common for higher-tech worlds. I still think PWs are okay for most things. It's like having a lock on your front door. It'll deter the casual would-be burglar, but not the professional who already has the tools, or the will, with a method he knows works, to get into your home.

For really important stuff, I think verification with witnesses would be the safest way to go.
 
I get people who tell me all the time that our government systems MUST be more secure than most civilian non-government networks and I just laugh... :)

That one always gives me a chuckle too.

Given that most civilian networks are totally insecure except by accident, it's true.

The best civilian ones generally beat the best military ones, but the SCL5 systems have levels of security that are hard to beat in the civilian world. An SCL5 system has to be in a guarded secure facility on a secure installation with no connections to outside systems other than by secure courier-carried media.

Pretty hard to beat in the civil world. It can be met, but most civil uses now involve network access.
 
Hi,

As a completely pointless aside, I'm reminded a bit of an incident from several years ago at one office that I worked at. To get into the office before or after regular office hours, or to enter through the side doors, each employee was issued a passcard that you were supposed to wave in front of a scanner. Most of us would either keep this on a lanyard around our necks or in our wallet.

Over time, however, the scanner began to fail and you often had to try a couple of times to get it to click. One day while showing a new employee around I saw a friend of mine standing in front of one of the scanners shaking his "backside" back and forth in front of it (presumably since he had his card in his wallet in his back pocket). In response to the confused look on the "new" employee's face, I joked that the company had originally spec'd out a "retina" scanner for the door but the subcontractor misread the contract so that we ended up with a "rectal" scanner instead.

I'm pretty sure he didn't fall for that, but it did take him a while to realize that he probably should only trust about 1/2 of what I said most of the time.
 
Pretty hard to beat in the civil world. It can be met, but most civil uses now involve network access.

Funny story from years ago when I was working in D.C. Remember when IR wireless keyboards came out? Well, Foggy Bottom purchased them for all their PCs. You could stand on the sidewalk outside and pick up the keyboard transmissions from about 1/2 the users. :rofl:

But yes, there are certain gov sites that are more secure than pretty much anything in the civvie world.
 
I was surprised to learn that biometric scanners (like palm readers) were popular at schools where students could scan for a lunch without remembering a student ID number or fumbling for a student ID card.

Seems it would be easier to just tattoo a number on their forehead..... :rolleyes: (Yes, that's a joke.)

Preventing stupid human mistakes is still the biggest obstacle.

Definitely! It's a never-ending fight.

My friend used to be the CIO of DHS and Congress wouldn't give him statutory authority to issue orders that were IT-related for any network in the entire Department.

Sadly, that doesn't surprise me too awful much. :(

They had, IIRC, something like 90% of their USB drives taken into the buildings and plugged into a computer.

*facepalm* Fortunately, certain government facilities have *finally* taken some action to monitor and restrict that sort of thing nowadays.

Given that most civilian networks are totally insecure except by accident, it's true.

That was my thought. But, no, most government networks aren't nearly as secure as they ought to be. Neither are a lot of the important corporate ones.

I joked that the company had originally spec'd out a "retina" scanner for the door but the subcontractor misread the contract....

ROFLMAO! :rofl: Given how high most of our scanners are (because you're supposed to wear the badge above the waist), that would have been some serious bending and waving!
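The "monitor and restrict" point above is where a practitioner would start with logs rather than policy memos. As an added example, not code from this thread or any of its posters, the script below walks kernel log lines and flags every removable USB mass-storage attachment, pairing it with the vendor/product IDs and the block device the kernel assigned, and checks the pair against an allowlist of sanctioned drives. The log lines are constructed for the example, not captured from a real host, and the message formats, hostname `ws07`, and the allowlist entries are assumptions for illustration.

```python
"""Flag removable USB mass-storage attachments in Linux kernel log output.

Added example, not from the forum thread. The sample lines are
constructed to resemble Linux kernel messages; real values vary by host.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample log (assumed syslog layout: "Mon DD HH:MM:SS host kernel: ...").
# Port 1-1 is a flash drive; port 1-2 is a wireless mouse receiver, which
# must not be flagged as storage.
SAMPLE_LOG = """\
Nov 14 09:12:01 ws07 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd
Nov 14 09:12:01 ws07 kernel: usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
Nov 14 09:12:01 ws07 kernel: usb 1-1: Product: Cruzer Blade
Nov 14 09:12:01 ws07 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected
Nov 14 09:12:02 ws07 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk
Nov 14 09:15:33 ws07 kernel: usb 1-2: new low-speed USB device number 5 using xhci_hcd
Nov 14 09:15:33 ws07 kernel: usb 1-2: New USB device found, idVendor=046d, idProduct=c52b, bcdDevice=12.03
Nov 14 09:15:33 ws07 kernel: usb 1-2: Product: USB Receiver
Nov 14 09:15:33 ws07 kernel: input: Logitech USB Receiver as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.0/input/input12
"""

# Patterns for the kernel messages that matter for this detection.
NEW_DEVICE = re.compile(
    r"kernel: usb (?P<port>[\d.-]+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
PRODUCT = re.compile(r"kernel: usb (?P<port>[\d.-]+): Product: (?P<name>.+)$")
MASS_STORAGE = re.compile(
    r"kernel: usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
SCSI_DISK = re.compile(
    r"kernel: sd [\d:]+: \[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk")


@dataclass
class StorageEvent:
    host: str
    port: str
    vendor_id: str
    product_id: str
    product: str
    device: Optional[str]   # block device node, e.g. "sdb", once the kernel reports it
    allowed: bool           # True if (vendor_id, product_id) is on the allowlist


def parse_usb_storage_events(log_text: str,
                             allowlist: FrozenSet[Tuple[str, str]] = frozenset()
                             ) -> List[StorageEvent]:
    """Correlate per-port USB enumeration lines into one event per storage attach."""
    seen: Dict[str, Dict[str, str]] = {}      # port -> vendor/product details
    events: List[StorageEvent] = []
    pending: Optional[int] = None             # index of the event awaiting its sd* node

    for line in log_text.splitlines():
        fields = line.split()
        host = fields[3] if len(fields) > 3 else "?"

        m = NEW_DEVICE.search(line)
        if m:
            seen[m["port"]] = {"vid": m["vid"], "pid": m["pid"], "name": ""}
            continue
        m = PRODUCT.search(line)
        if m and m["port"] in seen:
            seen[m["port"]]["name"] = m["name"].strip()
            continue
        m = MASS_STORAGE.search(line)
        if m:
            info = seen.get(m["port"], {"vid": "????", "pid": "????", "name": ""})
            events.append(StorageEvent(
                host=host, port=m["port"], vendor_id=info["vid"],
                product_id=info["pid"], product=info["name"], device=None,
                allowed=(info["vid"], info["pid"]) in allowlist))
            pending = len(events) - 1
            continue
        m = SCSI_DISK.search(line)
        if m and pending is not None:
            # The sd* line follows the usb-storage line for the same device.
            events[pending].device = m["dev"]
            pending = None

    return events


def unsanctioned(events: List[StorageEvent]) -> List[StorageEvent]:
    """Events whose vendor/product pair is not on the allowlist."""
    return [e for e in events if not e.allowed]


def format_alert(e: StorageEvent) -> str:
    dev = e.device or "no block device yet"
    return (f"{e.host}: removable storage on usb {e.port} "
            f"({e.vendor_id}:{e.product_id} {e.product!r}, {dev})")


if __name__ == "__main__":
    # Assumed allowlist: the organisation's issued encrypted drive (hypothetical IDs).
    sanctioned = frozenset({("0951", "1666")})
    for ev in unsanctioned(parse_usb_storage_events(SAMPLE_LOG, sanctioned)):
        print("ALERT", format_alert(ev))
```

Feeding the script the output of `journalctl -k` or `/var/log/kern.log` on a Linux workstation gives one alert per unsanctioned drive rather than one per kernel line; the keyboard/mouse receiver on port 1-2 is enumerated but never reported, because only the `usb-storage` binding is treated as an attachment. Blocking, as opposed to monitoring, is a separate step (for example, not loading the `usb-storage` module at all on machines that have no business reading removable media).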
 
Funny story from years ago when I was working in D.C. Remember when IR wireless keyboards came out? Well, Foggy Bottom purchased them for all their PCs. You could stand on the sidewalk outside and pick up the keyboard transmissions from about 1/2 the users.

That's why I stay away from wireless keyboards. I will use a wireless trackball. As a matter of fact, I had to fight with the rulesmakers to get a wireless trackball on my system at work (since they no longer make the shape/style of trackball that works for me in a wired configuration). They were concerned about the wireless aspect. Since it wasn't a secure facility, however, and people could have cell phones and such, it shouldn't have been a problem. But there's that blanket wireless ban....

The reasoning I used that evidently worked was "Do you really think anything useful can be gathered by bad guys by knowing that I scrolled down... down... down... down... click! Over, over... up, down a little... right click! up a little and click!?"
 
It doesn't take a wireless keyboard to be tapped into. Any keyboard that isn't secured by something like the military/government TEMPEST program can be tapped from a distance.

IME, what breaks network security is usually executives who insist on being able to do things that are against network security policies. Sometimes the only thing you can do is to inform them of the potential problems and perhaps get a signature from them acknowledging it. One of the things that I hear almost weekly: "I took my laptop home and now it doesn't work right since my kid did homework on it. But he wouldn't have gone to any bad websites..." When they say that, I just run them through multiple anti-spyware programs and show them what they got infected with.

Or the other thing is someone taking a "secure" laptop home and then leaving it visible in a car and being surprised when their car window gets broken and the computer stolen. We track lost/stolen PDAs and phones with GPS all the time also. "I just left it in the truck for a few minutes..." :rofl:
 
It doesn't take a wireless keyboard to be tapped into. Any keyboard that isn't secured by something like the military/government TEMPEST program can be tapped from a distance.

A lot of sec gov installations tackle this via shielding the walls and windows (if any). That way if some brain dead exec swaps out his approved keyboard...
 

Yea, I know. The USN used to have a program for that called TEMPEST; I don't know if they still call it that, but I worked on those systems 20 years ago.
 
I won't get into what is and isn't current procedure or technique. But, there are some things still done to protect information systems that are based on the insecurities found in old technology.

One of the things that I hear almost weekly: "I took my laptop home and now it doesn't work right since my kid did homework on it. But he wouldn't have gone to any bad websites..." When they say that, I just run them through multiple anti-spyware programs and show them what they got infected with.

Or, they simply take home classified information and put it on their home computer... then surf the internet... or let their daughter surf the internet...... :nonono:
 
Passwords, like locks, are for honest people.

One of the most prevalent ways of social engineering is going through the trash and getting people's names, then working that angle. From what I have read, various groups, notably east euros, can be persuasive at getting what they want, which has facilitated the rise of the "private security contractor".
 
Passwords, like locks, are for honest people.

One of the most prevalent ways of social engineering is going through the trash and getting people's names, then working that angle. From what I have read, various groups, notably east euros, can be persuasive at getting what they want, which has facilitated the rise of the "private security contractor".

Yes, that works against the not quite bright...
 
You know, should Traveller have a tech that only allows intelligent people to actually operate computers as anything more than a totally locked down dumb terminal?
 