Slashdot Mirror


Cutting Security To Cut Costs?

just currious asks: "I work for a large company (10,000+ PCs) who recently outsourced the help desk. After looking at about a year's worth of data we find that 30% to 50% of the calls to the help desk are password related (password resets, password changes, etc.). This is a lot of calls (at 20+ dollars a pop). Now they want to reduce cost by cutting security, since if you don't have a password, you can't forget it. So here's what upper management wants to do: remove the security from all of our Windows 2000 machines. Has anybody else seen security cut just to save money?"

12 of 124 comments

  1. In order to assist you... by drfrank · · Score: 5, Funny

    We need to first know where you work. Actually, just the IPs will be fine.

  2. I've been through exactly the same. by Anonymous Coward · · Score: 4, Interesting

    I've been through exactly the same. Problems with passwords vanished within weeks as everything was swapped over. Then piece by piece, random pain in the fucking ARSE problems with other users fucking with fileserver files grew into a major problem. Users saved files anywhere they could with no restrictions. Other users who 'claimed' parts of the server space as their own threw out files that appeared there from other users. Management, however, are still happy with their decision to cut security like this, despite nobody having a clue where anything is.

    Am I bitter about it? To the point of quitting the instant I can. Thank god I'm not running the servers.

  3. BOIH by jsse · · Score: 5, Funny

    Now they want to reduce cost by cutting security, since if you don't have a password, you can't forget it.

    You're obviously not a BOIH (Bastard Operator In Hell):

    "I lost my password."
    "You've no password."
    "What do you mean by no password? What's that big f%#*ing word on the screen saying 'Password'?"
    "Just press Enter."
    "small cap or all cap?"
    "...."

  4. My 2 cents by RyoSaeba · · Score: 5, Insightful
    I guess it depends on many different factors. You have to ask yourself (or make the managers ask themselves ^_-) at least those questions:
    • are there sensitive documents on the network, which shouldn't be readable by some users? If yes, you'd better leave those passwords, since if you remove them, anyone can log in as a manager & read that data. And forget those nifty Word / Access / whatever password protections, people need 10 seconds to find the password... The only way is to prevent users from reading files using group access control & such, something easily defeated if there is no password...
    • do you trust all your users? Again, removing passwords will enable anyone to log in as anyone & create havoc w/o being able to find who did it, since the login won't help (maybe a combination of which computer that was from & the time, but that may not be enough)
    • are your users sufficiently educated to know how to use computers ? Meaning, are they responsible enough to understand what no passwords will mean, and act smartly accordingly ?
    • study with your manager the security risk involved with having much data erased by someone who used a high-level account to trash many important files. Are your backups done often enough ? How long to recover everything ? Is it worth the spending of removing passwords ? (ok, that's a question you probably ask yourself often enough, but removing passwords will increase the risk of random file deletions IF users want to create havoc)


    Where i work the security is pretty tight (comp locks after 5mins of inactivity, many things turned off, and so on). It's sometimes a pain in the ass, but at least they really take security into account...
    --
    Tsuyoikoto ha taisetsu da ne, dakedo namida mo hitsuyousa (Strength is an important thing, but tears too are necessary)
  5. *sigh* by skinfitz · · Score: 5, Interesting

    Unfortunately this is a fact of IT - there are those who don't understand the need for IT security, which means that you are reduced to working at their level.

    How many times have you heard this one?

    (Regarding a server that is connected to the net for FTP / SSH) "But who would want to hack our server?"

    I've often found that lusers actually do understand security concepts, however as soon as a computer is concerned they are thrown out of the window. For example:

    Me: "Tell me - do you drive a car?"
    Luser: "Yes"
    Me: "And does anyone have a specific grudge against you? Would they specifically want to steal your car?"
    Luser: "No!"
    Me: "So do you lock your car after you park it somewhere?"
    Luser: "Of course I do!"
    Me: "So if no one wants to steal your car, why do you lock it?"

    I've found they can't answer that one.

    The real issue is that people just can't use computers. What would solve the problem would be some form of transparent biometric authentication. Think about how we as human beings authenticate people - we do it all the time, from speaking to friends on the phone to making a transaction at the bank. If speaking to someone you know, you don't use a password - you know what your friend looks, sounds and behaves like, and this is used for "authentication". With a bank, you may not know the person you are about to hand over all your cash to, however because the bank is a big building in the location it's in, you know that it can be "trusted" due to its physical location.

    Regarding passwords with Windows 2000 there are alternatives to this. The simple one is let them have no password, but make it so that their account can only log on from their computer. That will seriously limit the abuse that can happen. Alternatively just quietly delete all your CEO's MP3's and mail abusive messages and pr0n using his account - he'll soon wake up.

    1. Re:*sigh* by gnovos · · Score: 5, Insightful

      2)What would I lose if someone hacked into my pc?

      The question you MEANT to ask is: What would I lose if someone hacked into my pc and placed child porn in my personal directories and then called the FBI on me?

      A) 5-10 years of your life... You only need to possess it, not even have knowledge that it is there.

      --
      "Your superior intellect is no match for our puny weapons!"
  6. There is nothing on our network worth stealing! by gnovos · · Score: 5, Insightful

    Yeah, but the hackers don't want your DATA, fool. They want a place to put their kiddy porn and tcp reflectors for hacking NSA computers and sending death threats to the president...

    No, you don't have anything on your network worth stealing ... especially now that all your machines have been confiscated as evidence. :)

    --
    "Your superior intellect is no match for our puny weapons!"
  7. Sadly enough... by iq+in+binary · · Score: 4, Funny

    Yes, I have.

    Moronically, the high school I was attending. I was the "Assistant Admin" (I WAS the admin, don't let the name fool you).

    My principal started getting sick and tired of her front desk people having all of their time wasted by students asking their student numbers (also their password).

    She came to me saying to take all passwords off, period. The only exception, mine.

    It took 400 flunking students getting straight A report cards magically to set her straight.

    --
    Of all the Universal Constants, here's one I know: Nice guys finish last ;)
  8. Re:give and take by gnovos · · Score: 5, Informative

    it depends on whether or not there's anything worth keeping secret on the machines;

    NO! This is a fallacy. It doesn't matter if you have the last remaining digital copy of the secret FBI UFO cover-up or just your grandmother's recipes, your computer itself is still a resource that a hacker would love to use.

    Your machine could be hijacked and used for all sorts of nefarious purposes, from DDoSing script kiddies to breaking into banks to being a staging point for a credit card fraud scheme or a terrorist network...

    --
    "Your superior intellect is no match for our puny weapons!"
  9. How often do you force password changes? by iangoldby · · Score: 5, Insightful

    Forced password changes => lots of help desk calls.

    What is less obvious is that they don't lead to any significant increase in security. Most people, if forced to change their password every month, will use something easy to remember (and easily guessable), like qwerty1, qwerty2, qwerty3, etc. But they still can't remember which version they are currently on, hence the help desk calls.

    If you force users to choose strong passwords but not to keep changing them, you'll get both an increase in security and a decrease in help desk calls.
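The trade-off iangoldby describes can be turned into a concrete password-change rule: require length, refuse a handful of well-known passwords, and refuse a "new" password that is just the old one with the counter bumped. The Python below is an added example, not code from the original thread; the length and similarity thresholds and the short common-password list are assumptions. It compares the new password against the old one the user just typed to authorise the change, which is the only moment the old plaintext is legitimately available, so nothing has to be stored in the clear.

```python
"""Password-change gate: reject weak passwords and trivial rotations.

Added example (not from the original thread). The policy numbers and
the tiny common-password list below are constructed assumptions.
"""
from difflib import SequenceMatcher

MIN_LENGTH = 12            # assumed policy: length matters more than rotation
MAX_SIMILARITY = 0.75      # assumed: reject if the new one reuses >= 75% of the old
COMMON = {"password", "qwerty", "letmein", "welcome", "123456"}  # constructed list


def _core(pw: str) -> str:
    """Strip the tricks used to satisfy a rotation policy: case, and
    leading/trailing digits or symbols (Qwerty1 -> qwerty, Qwerty2 -> qwerty)."""
    return pw.lower().strip("0123456789!@#$%^&*()-_=+.,;:")


def similarity(old: str, new: str) -> float:
    """Ratio in [0, 1] of how much `new` reuses `old` (difflib gestalt match)."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio()


def check_change(old: str, new: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    `old` is the plaintext the user typed to authenticate this change;
    it is compared in memory and never written anywhere.
    """
    if len(new) < MIN_LENGTH:
        return False, f"too short (min {MIN_LENGTH})"
    if _core(new) in COMMON:
        return False, "common password"
    if _core(new) == _core(old):
        return False, "only the counter changed"
    if similarity(old, new) >= MAX_SIMILARITY:
        return False, "too similar to previous password"
    return True, "ok"


if __name__ == "__main__":
    for old, new in [("Tr0ub4dor&31", "Tr0ub4dor&32"),
                     ("qwerty1", "qwerty2"),
                     ("Tr0ub4dor&31", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new)}")
```

The similarity check catches variants the counter rule misses (a symbol swapped, a letter appended), while the length rule is what actually raises the bar: with no forced expiry, a user who picks one long passphrase keeps it, and the help desk never hears from them.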

  10. security policies by doofusclam · · Score: 5, Insightful

    Surely the most sensible way of sorting this out would be to have a trusted member of staff in each building/department/whatever with the authority to reset passwords. Note, I said *reset* passwords - not the ability to read them.

    seany

    1. Re:security policies by Clover_Kicker · · Score: 4, Interesting

      >Surely the most sensible way of sorting this out
      >would be to have a trusted member of staff in each
      >building/department/whatever with the authority to
      >reset passwords. Note, I said *reset* passwords -
      >not the ability to read them.

      I once worked at a place where getting your mainframe password reset required getting your manager to sign a form. You took this form down to the data center, where a smirking operator would reset the password.

      This is excellent psychology -the user has to interrupt their manager to explain that he/she/it is a bonehead, please sign this form.

      So now you've embarrassed the user, and better yet, the boss is annoyed at the user! If the user is a repeat offender, the boss doesn't get mad at those evil IT guys and their password policies, he gets mad at the bonehead who can't remember their password and keeps bothering them. Ah, sweet justice.
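The distinction doofusclam draws (a delegated helper may reset a password but must not be able to read it) and the paper trail in Clover_Kicker's reply can both be made concrete in a credential store that only ever holds salted PBKDF2 digests. The Python below is an added example, not code from the original thread; the user names, the helper name and the PBKDF2 parameters are assumptions. A reset overwrites the digest with one for a random one-time password, flags the account for a forced change at next logon, and records who did it, so the helper learns the temporary password (which they hand over) and nothing about the old one.

```python
"""Delegated password reset: a helper can *reset* but never *read*.

Added example (not from the original thread). Users, helper names and
the PBKDF2 work factor are constructed assumptions.
"""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

ITERATIONS = 100_000   # assumed PBKDF2-HMAC-SHA256 work factor
SALT_LEN = 16


@dataclass
class Record:
    salt: bytes
    digest: bytes
    must_change: bool = False   # set by a delegated reset, cleared by the user


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class CredentialStore:
    def __init__(self, helpers: set[str]):
        self._users: dict[str, Record] = {}
        self._helpers = set(helpers)                 # who may perform resets
        self.audit: list[tuple[str, str, str]] = []  # (actor, action, target)

    def enroll(self, user: str, password: str) -> None:
        salt = os.urandom(SALT_LEN)
        self._users[user] = Record(salt, _derive(password, salt))

    def verify(self, user: str, password: str) -> tuple[bool, bool]:
        """Return (authenticated, must_change) with a constant-time compare."""
        rec = self._users.get(user)
        if rec is None:
            _derive(password, b"\x00" * SALT_LEN)    # same cost for unknown users
            return False, False
        ok = hmac.compare_digest(_derive(password, rec.salt), rec.digest)
        return ok, (ok and rec.must_change)

    def reset(self, actor: str, user: str) -> str:
        """Delegated reset: replace the digest with one for a fresh random
        one-time password and force a change at next logon. Only digests are
        stored, so `actor` cannot recover the old password from here."""
        if actor not in self._helpers:
            raise PermissionError(f"{actor} may not reset passwords")
        if user not in self._users:
            raise KeyError(user)
        alphabet = string.ascii_letters + string.digits
        temp = "".join(secrets.choice(alphabet) for _ in range(16))
        salt = os.urandom(SALT_LEN)
        self._users[user] = Record(salt, _derive(temp, salt), must_change=True)
        self.audit.append((actor, "reset", user))
        return temp

    def change(self, user: str, old: str, new: str) -> bool:
        """User-driven change: requires the current (or temporary) password."""
        ok, _ = self.verify(user, old)
        if not ok:
            return False
        salt = os.urandom(SALT_LEN)
        self._users[user] = Record(salt, _derive(new, salt))
        self.audit.append((user, "change", user))
        return True


if __name__ == "__main__":
    store = CredentialStore(helpers={"seany"})
    store.enroll("alice", "correct horse battery staple")
    temp = store.reset("seany", "alice")          # help desk hands `temp` to alice
    print("old password still works:", store.verify("alice", "correct horse battery staple"))
    print("temp password works, must change:", store.verify("alice", temp))
    print("audit:", store.audit)
```

The audit list is the equivalent of the signed form: every reset names the helper and the target, so repeat offenders and over-eager helpers are equally visible, and the must_change flag ensures the temporary password the helper saw is dead after one logon.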