Cutting Security To Cut Costs?
just currious asks: "I work for a large company (10,000+ PCs) who recently outsourced the help desk. After looking at about a year's worth of data we find that 30% to 50% of the calls to the helpdesk are password related (password resets, password changes, etc.). This is a lot of calls (at 20+ dollars a pop). Now they want to reduce cost by cutting security, since if you don't have a password, you can't forget it. So here's what upper management wants to do: remove the security from all of our Windows 2000 machines. Has anybody else seen security cut just to save money?"
We need to first know where you work. Actually, just the IPs will be fine.
It depends on whether or not there's anything worth keeping secret on the machines; though someone who wanted in could probably get in anyhow. If I were an employee I'd actually be more immediately concerned about other employees logging in as me and f***ing with my stuff.
On the plus side: if you know or can find out management's usernames you can see what they've been working on ;)
I thought you said they were cutting security?
:-)
Sounds to me like your Windows boxes will be about as secure as ever
Fire the morons who forget their password or set it to "QWERTY" so they won't forget. :)
Repeal the DMCA!
I've been through exactly the same. Problems with passwords vanished within weeks as everything was swapped over. Then piece by piece, random pain in the fucking ARSE problems with other users fucking with fileserver files grew into a major problem. Users saved files anywhere they could with no restrictions. Other users who 'claimed' parts of the server space as their own threw out files that appeared there from other users. Management however, are still happy with their decision to cut security like this, despite nobody having a clue where anything is.
Am I bitter about it? To the point of quitting the instant I can. Thank god I'm not running the servers.
Now they want to reduce cost by cutting security, since if you don't have a password, you can't forget it.
You're obviously not a BOIH (Bastard Operator In Hell):
"I lost my password."
"You've no password."
"What do you mean by no password? What's that big f%#*ing word on the screen saying 'Password'?"
"Just press Enter."
"small cap or all cap?"
"...."
So here's what upper management wants to do: remove the security from all of our Windows 2000 machines.
No sweat! *pause 3 sec.* It's being done!
*thank God not being asked to remove security holes*
You should hock your building's alarm system, and the lock cylinders in the doors; that'll bring you a few quick bucks.
Nothing like running lean and mean!
Where I work the security is pretty tight (computer locks after 5 minutes of inactivity, many things turned off, and so on). It's sometimes a pain in the ass, but at least they really take security into account...
Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
Once they do it, you should post the name of your company here and at FuckedCompany.com so we can all avoid giving this company any of our personal information.
Keep the passwords and charge anyone who forgets theirs twenty dollars.
Unfortunately this is a fact of IT - there are those who don't understand the need for IT security, which means that you are reduced to working at their level.
How many times have you heard this one?
(Regarding a server that is connected to the net for FTP / SSH) "But who would want to hack our server?"
I've often found that lusers actually do understand security concepts, however as soon as a computer is concerned they are thrown out of the window. For example:
Me: "Tell me - do you drive a car?"
Luser: "Yes"
Me: "And does anyone have a specific grudge against you? Would they specifically want to steal your car?"
Luser: "No!"
Me: "So do you lock your car after you park it somewhere?"
Luser: "Of course I do!"
Me: "So if no one wants to steal your car, why do you lock it?"
I've found they can't answer that one.
The real issue is that people just can't use computers. What would solve the problem would be some form of transparent biometric authentication. Think about how we as human beings authenticate people - we do it all the time, from speaking to friends on the phone to making a transaction at the bank. If speaking to someone you know, you don't use a password - you know what your friend looks, sounds and behaves like, and this is used for "authentication". With a bank, you may not know the person you are about to hand over all your cash to; however, because the bank is a big building in the location it's in, you know that it can be "trusted" due to its physical location.
Regarding passwords with Windows 2000 there are alternatives to this. The simple one is let them have no password, but make it so that their account can only log on from their computer. That will seriously limit the abuse that can happen. Alternatively just quietly delete all your CEO's MP3's and mail abusive messages and pr0n using his account - he'll soon wake up.
If they think it's expensive to run now, just wait until they get the repair bill after it's been run with no security for a while.
Here in Europe, some countries have laws saying that the management is liable if they get broken into (cracked) and the IT security was too loose! That's the only language managers understand, so I think it's a good idea, no?
n-e
ONE PASSWORD!
Yes, that's right, retain some security while still making it super easy on everyone. Perhaps you could even change the password monthly... to the name of the month! (Although that might confuse some people and create more problems.)
Anyway, one password for every user is the compromise that will make everyone happy.
Since the lusers can't remember, then switch to a system that relies on a physical item for the security. Do the employees have ID cards? If so, chances are those could be used for a login system (RFID tags?).
As for explaining to management why passwords are a good idea, ask them if they would like to see their salaries/bonuses/private email show up on F--CKED Company.com (not as a threat, just to point out what can happen when accounts aren't secured with a password or equivalent.)
You don't get it. Whether you are BOFH or BOIH depends on whether you make people suffer or people make you suffer. :)
Whether you are BOFH or BOIH depends on whether you make people suffer or people make you suffer. :)
;)
Heh - quite
Yeah, but the hackers don't want your DATA, fool. They want a place to put their kiddy porn and TCP reflectors for hacking NSA computers and sending death threats to the president...
... especially now that all your machines have been confiscated as evidence. :)
No, you don't have anything on your network worth stealing
"Your superior intellect is no match for our puny weapons!"
But doesn't the directory design in 2000 let you organize things into nice little containers where you could then delegate responsibilities? And doesn't Windows 2000 have a "taskpad" or something, that you could use with the delegation infrastructure to give someone close to the convenient units, embodied in the little containers, the very limited ability of modifying passwords?
I get the distinct impression your employers aren't using the features that come with the very expensive software that they're buying the very expensive service for. I can't really say whether it's a security, or even a software, issue. The problem seems obfuscated by significant human resource difficulties.
As an aside, I can't say I'd be opposed to learning what company we're speaking of. I've taken enough of a bath in the market, and this would certainly seem like a good indicator to sell.
--Jimmy has fancy plans; and pants to match.
Yes, I have.
Moronically, the high school I was attending at the time. I was the "Assistant Admin" (I WAS the admin, don't let the name fool you).
My principal started getting sick and tired of her front desk people having all of their time wasted by students asking their student numbers (also their password).
She came to me saying to take all passwords off, period. The only exception, mine.
It took 400 flunking students getting straight A report cards magically to set her straight.
Of all the Universal Constants, here's one I know: Nice guys finish last
Forced password changes => lots of help desk calls.
What is less obvious is that they don't lead to any significant increase in security. Most people, if forced to change their password every month, will use something easy to remember (and easily guessable), like qwerty1, qwerty2, qwerty3, etc. But they still can't remember which version they are currently on, hence the help desk calls.
If you force users to choose strong passwords but not to keep changing them, you'll get both an increase in security and a decrease in help desk calls.
Surely the most sensible way of sorting this out would be to have a trusted member of staff in each building/department/whatever with the authority to reset passwords. Note, I said *reset* passwords - not the ability to read them.
seany
Having no password is just asking for trouble.
Instead, just make every password the same, and make sure it's printed on posters all around you workplace!
I was reading a few posts in this thread and started thinking "Hmmm, so he works for a BIG company. There might be some chance such a person would be googleable." So I looked at the email of the poster, griffis@mailexcite.com, and googled away at griffis.
The first few pages showed nothing, but then BINGO!!
http://www.nab.org/conventions/includes/participantbio.asp?id=10985
;)
Finally MS is implementing the security policy they always wanted.
"I'm tired of all this 'Aren't humanity great' bullshit. We're a virus with shoes" - Bill Hicks
OK, so point out what no passwd will give you.
Complete and utter ability to impersonate your upper management, send out emails supposedly from them and read all their files (assuming you're running AD for NT domains and the email uses the AD etc. for authentication)....
What other risks to the business can you think of -
the cleaner can get in as anyone...
people can update documents they aren't supposed to..
the list goes on.
an Ask Slashdot?
or better yet... an entry on F*ckedCompany.com ?
Note that doing this is not smart, but here is how it can be done in Windows NT. The registry in Windows 2000 is not much different so it should work. MS's KnowledgeBase has an article on how to set this up if you need more details.
In the following registry key: HKEY_LOCAL_MACHINE -> Software -> Microsoft -> WinNT -> CurrentVersion -> WinLogon
Set the following registry values:
AutoAdminLogon -> 1
DefaultUser -> luzer
DefaultPassword -> password
DefaultDomain -> somedomain
Then reboot the system and log on as luzer. Now every time the system is turned on, the system will automatically log on as luzer.
The above information was from memory, so you should verify its accuracy before using it. Since Windows 2000 likes to use Active Directory for everything, the DefaultDomain entry may have changed.
Go not unto /. for advice, for you will be told both yea and nay (but have nothing to do with the question)
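An added audit check, not from the post above (whose key and value names are, as its author says, from memory): this PowerShell script reads the documented Winlogon values (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword), reports the auto-logon configuration the post describes, and with -Remediate reverts it.

```powershell
# Added example, not from the post: audit a workstation for the Winlogon
# auto-logon settings described above and optionally revert them.
# Assumes the documented key and value names (AutoAdminLogon, DefaultUserName,
# DefaultDomainName, DefaultPassword). Run from an elevated PowerShell prompt.
param([switch]$Remediate)

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-AutoLogonFindings {
    $p = Get-ItemProperty -Path $WinlogonKey -ErrorAction Stop
    $findings = @()

    if ([string]$p.AutoAdminLogon -eq '1') {
        $findings += "AutoAdminLogon=1: the machine boots straight into " +
                     "$($p.DefaultDomainName)\$($p.DefaultUserName); " +
                     "anyone who can power it on gets that account's session."
    }
    if (-not [string]::IsNullOrEmpty($p.DefaultPassword)) {
        # Winlogon reads this value in clear text, and so can any account
        # with read access to HKLM\SOFTWARE (interactive users by default).
        $findings += "DefaultPassword is set: the account password is stored " +
                     "unencrypted in the registry."
    }
    # The Sysinternals Autologon tool stores the password as an LSA secret
    # instead, so an empty DefaultPassword does not rule out a stored credential.
    return $findings
}

function Disable-AutoLogon {
    # Turn automatic logon off and drop the clear-text credential.
    Set-ItemProperty -Path $WinlogonKey -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $WinlogonKey -Name DefaultPassword -ErrorAction SilentlyContinue
}

$findings = @(Get-AutoLogonFindings)
if ($findings.Count -eq 0) {
    Write-Output 'OK: no automatic logon configured.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    if ($Remediate) {
        Disable-AutoLogon
        Write-Output 'Remediated: AutoAdminLogon cleared and DefaultPassword removed.'
    }
}
```

The same two values are worth watching in a configuration baseline or GPO audit, since re-enabling them is a one-line change on any host.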
First, if you are behind properly-maintained firewalls, and the Win2K boxes are properly configured (running no externally-accessible services unless they are a server, etc), then it's likely that you could get away with this without getting hacked externally. However, disgruntled employees are going to be a problem.
A better response is to force the user to use a password including a capital letter, a lower case letter, a digit and a non-letter character; to be at least 8 characters long; to never expire and have no history. Then the user is forced to pick a (relatively) good password, and won't forget it.
My company forces a password reset every 90 days, and won't let you reuse the last 8 passwords. I have my normal 2 strong passwords, then I go into a cycle of fairly weak (but easy to remember) passwords. At least it's not like when I was at IBM, where everyone had their RETAIN passwords written on the whiteboards (5 characters, randomly assigned by the computer every 30 days!).
-- Two men say they're Jesus. One of them must be wrong. - Dire Straits
You can get by with only one dialer 'cause you can just batch up the requests and do them sequentially. I'm sure there are a jillion ways to get the telephony/voice synth part working. There's Bayonne, etc. Since you're only talking about letters, numbers, and punctuation, you could just have someone read the letters into WAV/MP3 files and stream them into a voicemodem. Just a thought!
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
And do they offer public stock?
If so, I'm going to buy a few shares so I can sue them for mismanagement.
Hire an intern that does nothing but reset passwords. You can set up a script in NT/Linux/Solaris, whatever, that only has this ability.
Pay him nothing if it is an intern, or pay him the minimum. Force him to sign a security agreement first, of course.
Now what you have is someone that is getting paid next to nothing that has taken 50% of your work load out of the picture costing less than anything upper management could ever dream.
My suggestion is that you find someone in your family, friends, or something like that. Someone just out of high school that you have a personal contact with, i.e. you can trust him more than the average Joe. Then lay it out for them: "Look man, I have a job where all you have to do is change passwords all day and you can study, play games, etc., etc., and get paid like you were flipping burgers." Dream job for the average noob computer guy.
good luck,
Neck_of_the_Woods
#/usr/local/surf/glassy/overhead
I am not an IT security professional, but from my limited experience, this is 100% on the mark. It's much easier to remember a single 10+ letter/number/symbol password than it is to be forced to change a password once every month with only a six-letter minimum requirement. Some people have devised calendar schemes of changing their secure password, but these people are few and far between.
As an IT security administrator, the smart thing to do would be to require a password that is 10 characters minimum (with numbers or symbols required). Then give plenty of suggestions to users for how they can devise a rather random password (e.g., think of a favorite song, then use the first letters of lyrics from a verse of that song, with numbers or symbols separating sentences). Then force them to change it once a year or so.
"I may be quite wrong." - Socrates
Before I get into WHY I say that, allow me to comment that I cannot envision ANY company the size of yours being run by people who are so goddamned bone-headed.
Ask your General Counsel if he would be happy to have each and every one of your company's business records rendered inadmissible in court if the company gets sued or sues someone else.
Security features like (DUH!) forgettable passwords allow you to PROVE who has accessed the documents and databases on your network. This is why MOST companies make it a termination offense to reveal your username and password to anyone else, employee or not.
Without secure logins, documents and business records can be tracelessly forged or falsified. The ONLY reason business records are admissible in evidence over a hearsay objection is because normal record-keeping practices TEND to cause them to be more reliable than other hearsay evidence. As soon as these records can be accessed by multiple persons without being able to prove WHO actually accessed them, they become worthless.
If this is a publicly-owned company, PLEASE let us know which one it is so we can divest ourselves of its stock BEFORE they do something this outrageously STUPID!
utter rubbish
Making systems boot up and login non-interactively is hardly "removing security". How do you see that doing so would materially change the practical security of your organization's data? Systems are almost always logged in anyhow. That's why nobody can remember their password. (You might get the same sort of savings with a material increase in "security" by enforcing password-protected screensavers everywhere, because then the passwords would always be in mind.)
"Security" is mostly a waste of time and money, and only has value when it defends against an actual breach. It is wise economic planning to marshal your resources to address the cases with favorable cost/benefit. Surely you don't mean to argue that the decision is erroneous if it results in a net savings? If you do, then "security" is a religion for you, not a tool.
All too often, security means you can't do your job. The $20 for the support call is just the tip of the iceberg. It's the 2 hours that a meeting to close a $500,000 deal gets delayed, or the hour that two $300/hr consultants cool their heels while Mr. PHB deals with support that are the real costs here.
-I like my women like I like my tea: green-
fantastic... probably the best idea I've ever heard... . ..say... where do you work? :)
Oh god, that woman is John Romero!
Author unknown, but it's a classic! (and for once, RELEVANT!)
"Lawyers are for sucks."
- Doug McKenzie
Are you saying that there is nothing at all that is illegal in your country that can be done on your computer? If your machine were being used to host a terrorist information network, a conspiracy to kill leaders in your government, commit credit card fraud, hack into banks, etc., you could escape all accountability just by saying "Hey, my machine was hacked, it wasn't me, I swear!"?
"Your superior intellect is no match for our puny weapons!"
Yeah too bad natural selection doesn't really apply to human social networks. An observation Darwin himself first made if I'm not mistaken.
Humans protect one another and share resources in innovative ways. The upper management would float away on a cloud of money while the people who weren't at fault find themselves in court tearing at what's left of the looted corporate carcass to get their pensions, 401k's or even just their last paycheck.
Look at Enron. The officers of that company left a swath of destruction so wide it's counted only to the nearest billion. You think Kenny Lay isn't going to be living in a mansion while he sees his kids off to ivy league schools and pulls down huge consulting fees after all is said and done? Christ, Bush is trying to appoint a friendly family friend who's being sued for fraud so he can "bring integrity back to the SEC!"
Apparently, the meaning of integrity has changed a lot over the years.
A funny aside. When I was a frisky metallurgical engineering student back in the day, we were told we had to take an ethics class. And unlike lawyers, we as engineers couldn't afford to pay it lip service. If we cheat, people might well die. In scores. Fair enough, I'd always thought of myself as a pretty ethical person; a trait I can't say has served me well, incidentally. If you ever doubt the world is cast in shades of grey, subtle variations of hue, your ethics professor telling you it's OK to lie on your resume will swiftly disabuse you of that notion.
--Jimmy has fancy plans; and pants to match.
Well, not exactly.
I work as a security auditor for an accounting firm. I go in ahead of the auditors and sign off on the systems in use in the company and basically give the OK for the auditors to come in and do their job.
If I discovered that a company hadn't taken as simple and easily implementable a security precaution as passworded access to systems, I would simply say in my report that the auditors could not rely on the evidence provided to them from the company.
This is VERY VERY VERY bad. CIOs can, have and do get fired over less than this.
Auditing standards for security are (frustratingly) low, and yet if you don't pass them and you're a publicly traded company - you're fucked. If you're a private firm, a partnership or anything where someone else doesn't actually own the company - do what you want. If you're public, you're assuming an ENORMOUS risk. (Here I mean risk in the business-audit sense of the word.)
Basically, if you implement this, it will last up until the next audit at which time the people responsible for this decision will be forced to recant and if they don't have the word "chief" in their title, they'll probably be fired.
What you're doing is making it far easier for someone to access information that they shouldn't on the spur of the moment. I would hope that part of the reason they're getting all those calls about passwords is because users' workstations lock by default when they're idle. If not, every file on every machine is potentially available to the cleaning staff, visiting A/C or phone technicians, clients waiting in an empty office...if you have data on those machines (email? memos? unreleased product information?) that you don't want the outside world to have access to, you're incredibly foolish to make no effort to secure them.
"Security" is mostly a waste of time and money, and only has value when it defends against an actual breach. It is wise economic planning to marshal your resources to address the cases with favorable cost/benefit. Surely you don't mean to argue that the decision is erroneous if it results in a net savings?
Here I really disagree. If you're "defending against an actual breach," which is to say dealing with a situation where you've already been compromised, that's not security. Yes, you do a cost/benefit analysis, but that analysis isn't "it costs us $x per year to reset people's passwords, and $0 to simply do away with the passwords."
Maybe some of those workstations don't need to be locked, and you can cut down on calls by leaving them open...but you have to consider the potential costs associated with lowering security: what if the data from that computer is made public? Could someone install malicious software on that machine, and what would the potential damage to the network be? What other machines could someone access from that workstation? The potential costs in system damage, lost business, etc. may end up making the costs of those password calls look like a good investment.
If you don't evaluate the potential costs of a security breach, you're in no position to decide whether or not there's a net savings.
* * *
It is a dada story -- it has no moral.
Can you implement a SecurID-type solution? Person carries a token that identifies themselves to the system. This isn't perfect security, but it is a step above no passwords, and for high security needs is a part of the solution. These can be lost too, but that is a slightly different problem, so you might find it happens less often.
Have you looked at bio-type IDs? (Fingerprint or eye scan?) These are not very good yet, but might be good enough.
Last, ask why users are forgetting their passwords. I find that when I log onto a system every day I don't forget the password, even if it changes fairly often. Perhaps you need to implement a system where all passwords are always in sync so that users only have one password to remember.
Maybe you need to keep statistics that better reflect what is happening. It doesn't sound like your problem, but a small number of password resets is normal, and a small rate, when you have a lot of people around, can still be a large number out of context.
There have already been some great posts about questions to ask ("You don't need a password? Do you lock your car?") and policy to set ("have to fill out a form and walk it to IT to have the password changed"), but I have two additional suggestions:
Have you considered billing back use of the outsourced helpdesk to the other departments? Hit them in the wallet, and in doing so they need to fill out paperwork every time they want a password changed. No writing them down either - that should be grounds for termination.
If not, maybe you need to consider either biometrics or access cards. You could replace password auth with smart card auth, and if they lose it they need to report it immediately or they really will get fired.
"All I ever wanted was to see Larry Wall give Bill Gates a Perl necklace."
http://www.eisenschmidt.org/jweisen