Social Engineering Still Best Way to Crack Security
binaryDigit writes "The Register has an amusing article about a study done in the UK where office workers were asked tricky questions like 'What is your password', and 75% of the respondents answered... They were also asked ethical questions, 'If you found a file with your coworkers salaries, would you look', 75% would, and 38% would pass the information around! Read on to be both amused (esp. the CEO) and scared."
Aren't salaries in most UK businesses public?
Free Pilot rolling ball gel pen to the first person who gives me their Slashdot password!
"We are all in the gutter, but some of us are looking at the stars." - Oscar Wilde
According to the article 90% of them gave their password away, not 75%. 95% of the men and 85% of the women did.
It's sad because no matter how much I know this, people are still able to shock me. 90% of them gave their passwords away! I would've thought maybe 10% or 20%, but 90%?!?
As a corollary to this article, Kevin Mitnick's book "The Art of Deception" is fantastic. I tend to think of myself as fairly security conscious, but this book opened my eyes.
Social Engineering is a very real threat, something that IMO will take decades to be addressed. At a certain level I think Social Engineering can never be totally defeated or even necessarily defeated to any large degree. The problem lies with efficiency. Any large organization that works with a large number of external organizations is *extremely* vulnerable to this type of attack, even with incredibly strong security measures in place.
The company that I work for has very, very stringent control policies for security. They are by far the most security conscious company that I have ever worked for, yet I am supremely confident that even a poorly executed Social Engineering attack would be highly successful. There is no doubt about it, when it comes to security humans are definitely the weakest link.
I wonder if the reason the numbers were a little low last year was due to the September 11th attacks. After the attacks people were highly conscious of security, but as time passes people relax more and begin to trust other people more. They just don't realize how small pieces of information can incur such a large cost.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
As long as people are A) retarded or B) don't listen to corporate policies against this, social engineering will always be an effective tool.
People.
Are.
Stupid.
it's a1k5n2
wow, that was compelling social engineering at work... maybe mitnick will hire you into his ruse
Naughty.
I love the way the register slipped that in on its own between paragraphs.
Sure, most people might not be smart enough. But I'd have fun with it.
Guy: "What's your password."
Me: "My favorite tool. Dickfore."
Guy: "What's a dick-"
Me: "Nahahaha!" *scamper off*
What is music when you despise all sound?
Many people in my office will proudly announce what their password is. In fact sometimes they like to have a good laugh about who has the most simple password. A lot of times they'll spit out their password in a room full of clients. I tell ya it is a regular laugh riot
I turned on strong password authentication when I was promoted.
Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else. Lately during the monthly meetings I've been stressing the importance of security.
-Eod
in a related study, engineering isn't necessarily the best way to be social.
that jerk on the tour that told you chicks dig engineers was a lying bastard.
There are some odd things afoot now, in the Villa Straylight.
It's the combination of my luggage!
Never trust a bald barber; he has no respect for your hair
They were also asked ethical questions, 'If you found a file with your coworkers salaries, would you look', 75% would, and 38% would pass the information around!
Who defines this is being an ethical question? It's not in my book.
If someone came up to me in a train station and said "I'll give you this free pen if you tell me your password", I'd just make something up and collect the pen.
... free pen.
'Cause, you know
Until the people who ran this survey actually *test* their findings, their data isn't very valid.
Tuus crepidae innexilis sunt.
I was neither amused nor scared... can I have my money back now?
A potential security flaw has been discovered in Human Employee. Please update all of your employees to Microsoft Android 2.0.
Honestly, does this sort of thing really come as a surprise to anyone?
People are generally the weakest link as far as almost any sort of security is concerned.
"What do you think of Western Civilization, Mr. Gandhi?"
"It would be a good idea."
Unless the interviewer also asked where they worked, or what their name was, or was going to secretly stalk everyone afterwards, what does it matter? Also, who's to say everyone wasn't lying to get a free pen?
This survey was taken at one of my local train stations. It's completely stupid, some guy walks up to you and says 'I'll give you this pen if you tell me your computer password', person says anything to get free pen. wow 9 out of 10 people pretended to give out their passwords and in return they got a free pen, were any of these passwords tested to see if they worked? Were they asked where they worked, the type of computer they logged on to, the location, any other network questions? NO If it was done in a serious way, such as inside an office building it'd be far lower, it's ridiculous to draw any conclusion from this, hell I'd say "my password is donkey" (i bet ppl will try that as my slashdot password now haha) in order to get a free crappy pen, who wouldn't?
WTF is a sig?
Most of them probably lied. After all they are getting a free pen. The passwords weren't tested. This survey was worthless.
Seriously... If they did this survey by only asking the sysadmin's out there, how many would give out the root password?
Don't mistake me as a troll, I'm still a Linux newbie. But if all the systems were some form of *nix, how much danger would there really be if the person was unable to get root access?
Who says the people gave their real passwords?
If someone says, here I'll give you this shiny object in return for your password, I'd just make up a random password, get my bobble, and be done with it.
As far as they know they have my password, what are they going to do come up to me later and say that they tried to use my password even though they promised not to and it didn't work?
Never underestimate the power of human stupidity -RAH
As far as I know, all of my passwords are ********
Easier to remember that way.
actually, for a lot of my passwords I use bad math - like "16x12=42" - the biggest problem I've seen from it is it screws up my ability to do math.
The worst password system I've seen is in the online banking system that BankOne uses (which also applies to the credit cards that they run).
It won't allow you to use certain characters on the keyboard - it forces them to be 6 (!!!) alphanumeric characters.
They might have changed their system since I last saw it - I cancelled my account and wrote them a letter telling them they were retarded when they implemented that.
Nothing like severely limiting the keyspace for making good security.
There are some odd things afoot now, in the Villa Straylight.
The organization needs security to protect its data, but the inconvenience of security precautions falls on the employees. That disconnect means that security procedures have to be mandatory. Where I work I established a policy that passwords expire after 120 days. Furthermore, old passwords cannot be re-used and passwords cannot be changed more than once every two days. I know every employee personally, so when somebody forgets his password I know I am dealing with the actual owner of the account. I still get occasional complaints about having to change passwords, but after 6 years people are pretty well accustomed to it.
John Sauter (J_Sauter@Empire.Net)
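The three rules in the post above (expiry after 120 days, no re-use of old passwords, no more than one change every two days) are worth seeing together, because the minimum-age rule is what stops a user from cycling through the history in one sitting to get back to a favourite password. The block below is an added example, not code from the poster or from any product; the record layout, the PBKDF2 work factor and the account names are assumptions.

```python
"""Password lifecycle policy: max age, no re-use, minimum time between changes.

Added example (not from the original thread). Assumes a small custom account
store; every password ever set is kept as a salted PBKDF2 hash so that a new
password can be compared against the whole history without storing plaintext.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_AGE = timedelta(days=120)   # password must be changed after this (from the post)
MIN_AGE = timedelta(days=2)     # and may not be changed again sooner than this
ITERATIONS = 100_000            # assumed PBKDF2 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class PasswordRecord:
    account: str
    # history entries: (salt, hash, time the password was set); newest last
    history: list = field(default_factory=list)

    @property
    def last_set(self) -> datetime:
        return self.history[-1][2]


def new_record(account: str, password: str, now: datetime) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(account, [(salt, hash_password(password, salt), now)])


def is_expired(record: PasswordRecord, now: datetime) -> bool:
    """True once the current password is older than MAX_AGE."""
    return now - record.last_set > MAX_AGE


def change_password(record: PasswordRecord, new_password: str, now: datetime) -> str:
    """Apply the policy; return "ok", "too_soon" or "reused"."""
    if now - record.last_set < MIN_AGE:
        return "too_soon"
    # Re-hash the candidate under each historical salt; any match means re-use.
    for salt, old_hash, _ in record.history:
        if hmac.compare_digest(hash_password(new_password, salt), old_hash):
            return "reused"
    salt = os.urandom(16)
    record.history.append((salt, hash_password(new_password, salt), now))
    return "ok"


def run_demo() -> list:
    """Walk one constructed account through the policy; returns the outcomes."""
    t0 = datetime(2003, 1, 1)
    rec = new_record("alice", "first-secret", t0)  # constructed sample account
    return [
        is_expired(rec, t0 + timedelta(days=119)),                     # False
        is_expired(rec, t0 + timedelta(days=121)),                     # True
        change_password(rec, "second-secret", t0 + timedelta(days=1)), # too_soon
        change_password(rec, "second-secret", t0 + timedelta(days=3)), # ok
        change_password(rec, "first-secret", t0 + timedelta(days=6)),  # reused (old one)
        change_password(rec, "second-secret", t0 + timedelta(days=6)), # reused (current)
        change_password(rec, "third-secret", t0 + timedelta(days=6)),  # ok
    ]


if __name__ == "__main__":
    print(run_demo())
```

Keeping the whole history rather than the last N hashes is what makes "old passwords cannot be re-used" hold literally; the cost is one PBKDF2 evaluation per historical entry at change time, which is acceptable for an event that happens at most every two days.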
Sometimes the easiest way to obtain information is just to ask for it. It doesnt matter how many locks you have on your door and bars on your windows if you open up for anyone that knocks...
maybe they were giving their passwords away because they knew the interviewer was writing for the register.
but then again i could probably pretend i'm from the register and grab a bunch of passwords too.
from the treatment the employees get from the employer and the government. They hand around your info freely. If perhaps we were treated with a modicum of dignity and respect, it just maybe it might get returned, NOT. Treat your employees as idiots and crooks, and you will get morons and thieves :)
Why is salary and compensation secret ? I can remember getting bonuses in front of people to HIGHLIGHT your work and effort and to illuminate to the rest of the staff that such things happened and extra effort was rewarded. Now we are told this is confidential information not to be discussed with anyone, SCREW YOU, we get together and compare notes all the time. If the company wants to play games and not pay based on solid criteria and reviews and performance, vs private negotiations then they had better be prepared to deal with the kind of environment that generates...
errr....umm...*whooosh* *whoosh* Is this thing on ?
Fingerprint password protection would solve the password problem...
Actually, that'll be something I'd do. Give them a no good password (such as "t3st") to collect the pen and during audit logs, keep an eye out for usage of that password.
Of course, a password alone isn't much good. I could give them one of my many real passwords, yet without knowing the user name associated with the password and which system it's for - the password is as good as useless (If they said "Oh - what's the password to the admin account for server X", you'll know it wasn't a "random survey")
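The idea in the post above, hand out a throwaway password and then watch for anyone trying it, is a decoy-credential detection. Real login services do not log submitted passwords, so the practical way to "keep an eye out" is to store the decoy's hash next to the real one and alert when a login attempt matches it. The block below is an added example, not code from the poster or from any product; the account store, the alert format and the sample login attempts are constructed for illustration.

```python
"""Decoy ("canary") password detection at login time.

Added example (not from the original thread). Assumes a custom login service
where each account holds its real password hash plus the hashes of decoy
passwords the user deliberately gave away. A match on a decoy is denied like
any wrong password, but also raises an alert: only someone who was told the
decoy could be submitting it. All names, IPs and passwords are constructed.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000  # assumed PBKDF2 work factor


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


@dataclass
class Account:
    name: str
    salt: bytes
    real_hash: bytes
    decoy_hashes: list = field(default_factory=list)


def make_account(name: str, real_password: str, decoys=(), salt: bytes = None) -> Account:
    salt = salt or os.urandom(16)
    return Account(name, salt, hash_password(real_password, salt),
                   [hash_password(d, salt) for d in decoys])


def authenticate(account: Account, attempt: str, source_ip: str, alerts: list) -> str:
    """Return "allow" or "deny"; append an alert record when a decoy is used."""
    candidate = hash_password(attempt, account.salt)
    if hmac.compare_digest(candidate, account.real_hash):
        return "allow"
    # Compare against every decoy even after a hit, so response time does not
    # reveal which (if any) decoy matched.
    decoy_hit = False
    for decoy in account.decoy_hashes:
        if hmac.compare_digest(candidate, decoy):
            decoy_hit = True
    if decoy_hit:
        alerts.append({
            "event": "decoy_password_used",
            "account": account.name,
            "source_ip": source_ip,
        })
    return "deny"  # a decoy is still a wrong password as far as the user sees


def run_demo() -> tuple:
    """Replay constructed login attempts; returns (decisions, alerts)."""
    alerts = []
    acct = make_account("jsmith", "correct horse battery", decoys=["t3st"])
    attempts = [
        ("correct horse battery", "10.0.0.5"),   # legitimate login
        ("wrongpass", "10.0.0.5"),               # ordinary typo
        ("t3st", "203.0.113.9"),                 # someone trying the decoy
    ]
    decisions = [authenticate(acct, pw, ip, alerts) for pw, ip in attempts]
    return decisions, alerts


if __name__ == "__main__":
    print(run_demo())
```

The alert carries only the account and source address, never the submitted password, so the detection can feed an ordinary log pipeline without creating a new place where credentials are written down.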
I have a great idea for the next Slashdot poll. Here we go ...
My computer password is:
- 12345
- jennajameson
- password
- Other, type here: _____________
- cowboyneal
Cyde Weys Musings - Scrutinizing the inscrutable
When I was in college, Sears was giving away cups if you applied for a credit card. My friends and I must have applied for 50 of them. Yes, my name is Hugh Ugly. And I live at 314 Pi Street.
ok, here's my passwd: Q9xst.&fM
without context of which host and which account, that's useless. Were these face-to-face interviews? an email survey? Were there any expectations of anonymity?
Putting aside the fact that many people just gave out their password when asked directly, they probably didn't go on and say "You didn't tell me your password right away, but here's this shiny new pen - will you tell me now?"
Instead it was probably something rather simple like a website that they were directed at which had an "appreciation award" or something, and they had to supply their password in order to "confirm" that they were the right person collecting the "award".
That is similar to tons of fake porn sites which "accept" your credit card for age verification and/or a minimal charge. They don't actually verify your credit card or charge you $3.99 for unlimited porn, but instead use the card numbers to buy other stuff.
When I was at college, I was asked to do some work on the Principal's PC. Whilst fitting a new hard drive or something, I couldn't resist a snoop round his files, and included were the salaries of all my teachers. That was good fun, and I didn't feel at all that it was 'wrong', so I'm glad to hear most people would do the same.
okay - I really laughed when I read this article ... but ...
The number of things that I have to remember a fscking account name and password for in my life is insane.
To make it worse, at work the sysadmins decided that we have to change network passwords every two months!!
So, I have in my head a 'password pool' of my eight favourites, and continuously cycle through them. At worst, when I am trying to login to something I haven't used in awhile, I have to try at most eight times (usually four times). I admit this is bad.
Social engineering attacks work because the rate these systems are introduced (all with their own unique authentication scheme) vastly exceeds the rate of the human and society's ability to organize information.
I worked at Sea World San Diego for a little over 2 years total. There are some people (heck, MOST people) who shouldn't be allowed to bathe themselves because they're so freaking stupid. If you were to compare the demographic of the people who gave out their passwords to the demographic of people who tried to fasten their safety belts SIDEWAYS on the Shipwreck Rapids ride, the numbers would probably be the same.
I have no tag line
I had an account with them too (long since canceled) and used the following password for it:
E6l7rs
Which, naturally, stands for "Exactly 6 le7ters".
Even with crappy restrictions, you can usually come up with something that's not going to be easily crackable.
Nine in ten (90 per cent) of office workers at London's Waterloo Station gave away their computer password for a cheap pen, compared with 65 per cent last year.
The free pen index is not a security index, but correlates inversely with security of the supply closet which is proportional to the current economic condition.
Probably well over 50% of users use a common password within the top 10 category. (source silicon.com and Egg (UK bank))
Top 10 list:
1. Blank
2. password.
3. Cartoon(s).
4. Football team or player.
5. Pets.
6. Date of birth.
7. Girlfriend name.
8. Something nasty; words like sex, fu** or prOn.
9. Sci-fi or fantasy (Gandalf, Yoda, etc.).
10. Company name.
Other common alternatives:
-Names of children
-qwerty and asdf
-Same password and login (root and root)
It's sad; but Joe-users are (generally) very ignorant about this problem.
Better to die in liberty than to live in slavery.
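The top-10 list above is essentially a specification for a password blocklist: blank, "password", the company name, the login itself, keyboard rows and dates of birth can all be rejected at set-password time with a few rules. The block below is an added example that implements those categories as a checker, not code from the poster or from any product; the sample word list, the leetspeak normalisation and the test accounts are assumptions, and it goes a little beyond the post by also catching trivial variants such as "P@ssw0rd1".

```python
"""Weak-password checker built from the categories in the thread's top-10 list.

Added example (not from the original thread). The word list below is a
constructed sample seeded with words the thread itself mentions; a real
deployment would load a large breached-password list instead.
"""
import re
from datetime import date

# Constructed sample list; categories 2, 8 and 9 of the post.
COMMON_WORDS = {"password", "sex", "pr0n", "gandalf", "yoda", "qwerty", "asdf",
                "love", "secret", "god", "homer"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_LENGTH = 8  # assumed minimum; not part of the post's list


def normalise(password: str) -> str:
    """Lowercase, drop a trailing run of digits/punctuation, undo simple leetspeak."""
    core = re.sub(r"[\d\W_]+$", "", password.lower())
    return core.translate(LEET)


def date_forms(birthdate: date) -> set:
    """Digit strings a person is likely to type for their date of birth."""
    return {birthdate.strftime(f) for f in ("%d%m%Y", "%d%m%y", "%Y%m%d", "%m%d%Y", "%m%d%y")}


def check_password(password: str, username: str, company: str, birthdate: date = None) -> list:
    """Return the list of reasons the password is weak; empty means it passed."""
    reasons = []
    if not password:
        return ["blank"]                                  # category 1
    low, core = password.lower(), normalise(password)
    if low == username.lower() or core == username.lower():
        reasons.append("same as login")                   # "root and root"
    if company and company.lower() in low:
        reasons.append("contains company name")           # category 10
    if core in COMMON_WORDS:
        reasons.append("common word")                     # categories 2, 8, 9
    if len(core) >= 4 and any(core in row or core in row[::-1] for row in KEYBOARD_ROWS):
        reasons.append("keyboard row")                    # qwerty, asdf
    digits = re.sub(r"\D", "", password)
    if birthdate and any(form in digits for form in date_forms(birthdate)):
        reasons.append("date of birth")                   # category 6
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    return reasons


if __name__ == "__main__":
    # Constructed sample account: user jdoe at "Acme", born 12 April 1978.
    for pw in ["", "jdoe", "P@ssw0rd1", "acme2003", "qwerty", "19780412", "Tr0ub4dor&3-horse"]:
        print(repr(pw), check_password(pw, "jdoe", "Acme", date(1978, 4, 12)))
```

Normalising before the dictionary lookup is what makes the check useful against users who satisfy a "one letter and one number" rule by appending a digit; "password1" and "P@ssw0rd" both reduce to the blocked word.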
Thinking: "Don't say Homer, don't say Homer."
Saying: "Homer!"
You are right. Everyone believes when they are told "don't let anyone else know, but you are getting paid above average" When word gets around who is paid what it only causes problems for PHB's. I absolutely would (and actually have done exactly) pass around salary info that my boss accidentally left on the copier,
Free cell phone tracking
was "none", which even after telling people, they still would have have problems getting into the account, not thinking literally.
The most common password was "password" (12 per cent) and the most popular category was their own name (16 per cent) followed by their football team (11 per cent) and date of birth (8 per cent).
Ok, so that's 47% of the company had a password that anyone could guess in 10 seconds! WHAT?? OK, I believe people are stupid, even REALLY stupid. But this I'm not sure I can believe. This study has to be tainted or something-- did they test all these passwords to make sure people weren't making them up? Seems to me that 90% of the people I know would lie about their password for a free pen.
This is of course assuming that nobody's name was password, or their birthdate was 4/9/ers or anything.
"Probably the toughest time in anyone's life is when you have to murder a loved one because they're the devil." -Philips
Users have to actually *do* something with their machines. This is often things like database access, web content access, etc. If you got the user password of someone in, say, payroll, you could really cause some havoc. Or if you got the password of a user with the permissions to post content to your high-profile public website. And so on.
If you have a user whose account cannot screw up your organization in any way, why the hell does that person even have a computer/account?
Sounds like they need to have a "Hey, Asshole!" note e-mailed to the boss from their account. Then let them try to figure out which of their trusted co-workers sent it.
A little paranoia would work wonders here.
You were 80% angel, 10% demon. The rest was hard to explain. - Over The Rhine
"Math in a song is good."-Linford
No you can't... But if you tell me your password you will get this nice shiny pen :)
The best weapon of a dictatorship is secrecy, but the best weapon of a democracy should be the weapon of openness.
That's because most employees are wage slaves with no meaningful stake in the data.
The GIs in WWII used to have a saying when they abused a jeep by running it over a pothole or something: "Oh well, it's not my jeep."
Same thing with passwords: "Oh well, it's not my data."
Sure, I'll bite. My slashdot password is "vIcNRc++j2". Now you only have ~640,000 slashdot user id's to try and see who I am, since I'm posting AC. Hope you have some programming skills. I'll change my password tonight at 8pm CST, you have until then.
So your passwords are mostly digits, with maybe 3 other characters mixed in. Can be brute forced in no time. Better change your slashdot and wso.williams.edu passwords before anyone here gets an idea.
At my company we use RSA SecurID cards for the passwords for everything. (for those that don't know, a securID card has a 6-8 digit number that dynamically changes every 2 minutes or so. everyone has their own unique card, making even simple password sharing not effective for more than 2 minutes.) Pretty secure, IMO.
Except for that fact that everyone leaves their securID taped to their keyboard...
I turned on strong password authentication when I was promoted.
Did you ever consider going biometric?
A bunch of U.are.U (or similar) fingerprint readers would probably be a fair bit safer than any system that forces difficult-to-remember passwords, and many users would like the instant-login possibility.
Ooh, a sarcasm detector. Oh, that's a real useful invention.
I don't get it. My only job working for someone else was at a state university where our salaries were public information. Everybody knew everybody else's salaries. It was incredibly handy when it came time to negotiate raises.
Do you have ESP?
The best passwords from a technical standpoint are the worst from a social standpoint - the average net user probably has to remember a dozen or so passwords, and obscure combinations of characters are just not going to be remembered by people in this information-overloaded environment.
I don't have a solution - but calling the users stupid certainly isn't one. Indeed, perhaps we're the ones not paying attention.
At this point don't you think the "You are an idiot, I'm going to educate you," "awareness raising" security efforts by IT (and HR) people have basically failed? An irritatingly intrusive security approach combined with condescension to the users -- that should work, right? So let's force them to change passwords every month, but then chide them about writing down their passwords anywhere. Good idea. Makes things less secure, but as long as they're more secure in theory...
(I have a big plastic "pill" on my cabinet here; on the side is printed "A security breach is a tough pill to swallow. Your password is yours alone." This came from a major corporate IT department. Did they think an expensive internal advertising campaign was the way to prevent people writing down passwords on post-its? These same people were behind dot-com advertising, probably. Pretty lame.)
"Fundamentalism" isn't about divine morality. It's about human authority.
My PIN number is the same as a large cheese pizza and soft drink in 1999. 17.86. ::fast forward to a mock up of pizzaria where Fry is at the register::
Here is your large cheese pizza and soft drink, thats 17.86, the same as my PIN!
god I love that show (and yes, the number is probably off, I've only seen that one once!)
This is my sig. Its pathetic.
http://geodsoft.com/cgi-bin/pwcheck.pl
This seems to be a good password evaluator. Only problem, your password is displayed on the screen... so you have to make sure no one is watching you as you type (and to clear your history once you're done using it...)
'Please enter a new password'
Penis
'Password too short'
"Two thirds of workers have given their password to a colleague... and three quarters knew their co-workers passwords."
With this statistical anomaly, I can only surmise that there are people out there posing as people's co-workers in order to harvest passwords, before disappearing into the night!
People, I implore you, please double-check that the "colleague" you give your password to, is in fact a co-worker, and not a... who knows... terrorist... or something.
The security of your account, even your company, could depend on it!
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
One user is proud of the fact that her password ended up being
ifuk92
to break it up
I FU K9 2
now everybody knows her email password!
they didn't tell me their "n" -- the number of people in the study. They could have asked 20 men and 20 women, making the statistical power quite low, or many more.
Apparently in California, your employer can no longer tell you that you cannot discuss salary information.
Our CEO is a gadget freak so I might actually be able to implement something along the lines of biometric authentication. We have a good amount of sales folks who check in from remote also though. So no way of economically getting around passwords.
-Eod
The real problem is the proliferation of passwords combined with increased complexity requirements. To access the systems I use on a daily basis at work, I have six separate passwords. To access systems I use a few times a month I have seven or eight more. Then there's five or six more for the systems I access a few times a year. Toss in complexity requirements and the need to change them every thirty days to a password I haven't used in the last year. I'm left with the option of using the same password for everything or writing them down somewhere.
Both options are bad practice from a security standpoint but the reality is that most people do not have a good enough memory to keep all those passwords straight. There are a few efforts in the corporation to migrate to a single sign-on but that's really just the same as using the same password for everything. Just don't have to keep them in sync.
What's the solution? The best bet is probably biometrics. Many of the problems encountered with biometric authentication can be mitigated through a trusted hardware platform. Regardless of your feelings on Microsoft's TCPA initiative, there is a real need for a trusted computing architecture in the business world. It doesn't have to be perfect. It just has to be better than what we have now.
But isn't this article tied in with the 'raising awareness abilities" of Kevin D.? Like the previous article, and the ad for his book on top of this page? Mmm.
I have been asked for my password on a street interview like the one described so I responded
P one five, s zero double f...
This wasn't questioned (my password not _really_ being p15s0ff ) but the interviewer just noted it down.
I currently have eight or nine passwords to remember - each for different systems/subsystems, emails, slashdot, bank accounts etc..
Sometimes it's embarrassing to phone up your bank (credit card, mobile phone operator, etc.) and when you fail to remember your password ask for a clue for it
Worrying is the number of "hints" I get when I ask for said clue - try it the next time you call up your bank!
I still remember one guy's password, because when he left the company he told me what it was in case I needed any of the information locked up in his account. It was CIrpotb,
It was the first letter of every word in a line from Jeremy, by Pearl Jam. "Clearly I remember picking on the boy," I am sure the comma was thrown in for variety. The other rule of the algorithm is to have one thing that violates the algorithm.
My beliefs do not require that you agree with them.
no mention of the "n" in the study. so we have no idea the statistical power of the %s they throw out. How many people did they interview? 20, 200, 2000? this leads to a big difference in the importance of the results.
True, in this case just the password does nothing. But if they have cased a specific business and tracked a person to a subway, there's a decent shot it will work.
An example is the movie Sneakers. Now ignoring the technical aspects of the movie for this discussion, it did show a complicated but valid social method of obtaining a password. If they hadn't known the phrase beforehand, it's not unlikely that she could have seduced him to the point of telling her.
A less obvious example is Ocean's Eleven, where they used the dancer to get the ID card from a guard.
R: That voice. Where have I heard that voice before? B: In about 365 other episodes. But I don't know who it is either.
That's not true! The most commonly used passwords are love, secret and sex. Everybody knows that! Oh and don't forget God. It's that whole sysadmin male ego thing. ;)
You know it makes sense, a little reminder from jointm1k.
I'm constantly amused by the couples I know who give each other passwords. It seems mandatory sometimes, that when online friends break up, one of them (or both) will access the other's email/bank account/isp/whatever and snoop about.
As much as couples, too, often it's just people who're sort-of-friends who'll give each other passwords freely. I don't understand that at all. Perhaps I just don't trust my friends enough?
Naaaah
At the school I go to, in 7th grade (on a Novell network), we were assigned joe passwords (password=username). I hated this, but there was no way to change the password. It was all done through Novell's application explorer. The Upper School students (I'm in 9th grade now) got to use a change password icon, while we were stuck with our joe passwords. But I found a SETPASS.EXE in one of the shared folders and changed mine. I got in a lot of trouble and was *banned* from using the computers for a few months.
The point is here: both sysadmin and users need to know about good security. How can I as a user protect my account if the sysadmin is assigning unchangable joe passwords?
...there is an underlying reason why people are predisposed to trust other people. I wonder if anyone's done any studies on whether such a predisposition is somehow an evolutionary strategy? Perhaps overall it's good for society to be cooperating instead of distrustful and angst-ridden?
Maybe *gasp* Stallman was right after all?
Protection from cheaters (con men) is fine and dandy, but perhaps the structures that require that level of protection are the problem, and not the people who are unnaturally forced to conform to security standards they don't want to?
I get such a kick out of all these Slashdot geeks sitting back, smug that their anti-social, paranoid behaviour makes them less of a target for con-men trying to "score big," while completely ignoring the corollary: A lack of cooperation or trust in general means you don't get to reap the benefits of normal socialization.
I'm not sure which person is more sad: The one who trustingly gives away meaningless "passwords" to systems that are flawed and poorly designed anyway, or the ones who think they are somehow superior for being paranoid nutjobs about things that Don't Really Matter.
Many of you seem to think your systems are the target of every smooth-talking "social engineer" out there--get over yourselves. Nobody is interested in getting access to your porn-ridden home directories.
Kevin Mitnick's book was an interesting read, but he wasn't describing social engineering, he was describing a con artist whose prize wasn't money, but the thrill of lying convincingly to otherwise normal people. This is an asset? What the hell man? Here's an analogy that pops into mind: I can walk up to someone and sucker-punch them in the gut. Even the most seasoned martial-artists can be taken in by a sucker-punch. So what?! Should we all wander around in an extreme state of combat readiness? Should I be crowing about my own superiority just because I can sucker-punch a Ninjitsu nth-degree blackbelt god?
I call bullshit. Bull-effin-shit.
A good way to avoid that would be to FORCE people to have naughty words combinations for passwords, say like FUCK+ASS, PISS+BALLS, SHIT+TITS and whatnot... That way, no one would DARE reveal their passwords...
Retinal Scan
Would somebody please put this in Linux?
Are the ones you can't remember until you have to use them. For example, I can't purposely remember any of my passwords, yet when I have to use them, they just pop into my mind, then I can't remember them anymore. They are all +20 alpha-numeric, so I think that that makes me more important than you all because I can remember that! HAH! ;)
Sig
Ooops! Here are all of my employer's salaries for 2003 http://www.press-citizen.com/salaries2003/uihome.htm
Seriously, why not just make salary figures public? In Iowa, all state employee salaries are public information, and most newspapers publish them at least once each year. It just keeps everybody honest.
The subject says it all!
Password (must be at least 1 letter and 1 number, e.g. "boston1") ____________
Want to guess what percentage of the passwords were "boston1"??
During integration of this system to a legacy database I had to write a password cracker. So of course I used it for white hat purposes only and played with the existing database. The vast majority of passwords were actually the company name. Followed by things like "yacht" or "porsche". Since this was a financial company, a friend pointed out to me that for a site that manages your money, you pick a password that represents what you want to do with that money. Interesting.
Easy.
Take a pro (should not be too good to be true, geeks aint that stupid) and give her unlimited allowance for drinks on top of her regular fee.
In my personal life, I have about half that. So yeah, I do use the same password in different places. But I usually have a "low" "medium" and "high" security password algorithm that I use. My more secure ones are up to 15 characters, my least secure are blank. (for dumb apps at work)
Managing passwords can get pretty cumbersome, but I do it because I know it needs to be done. Most people don't realize that.
I still remember working in the computer lab in college, and having to reset people's passwords daily because they would forget them. In true suave-geek fashion, every hot chick got her password changed to my name. (that never did work out the way I had hoped) :-)
My beliefs do not require that you agree with them.
I used to have a friend who did work for bank ATMs. He told me a significant number of people pick 1234 or 6969 as their security code. This is their money we're talking about; can you imagine how careless the average wage slave must be with data that doesn't directly affect them?
My experiences with lesser security situations like professional BBSs & such is that people use their family members or pets names.
My current girlfriend of 5 years doesn't know any of my higher level security passwords. She complains when I won't tell her, but really there is no need for her to know.
:)
We have certain shared passwords but looking at an overall security perspective it'll only get her so far.
I think it comes down to people's perspective on passwords. A lot of slashdotters have been dealing with password authentication for a while before it has become a large part of mainstream life. Now that it is really starting to come in to play in people's lifestyles there are a lot of people who really don't understand password security in the overall picture. Heh.. These people still write checks in the express lanes at the market also.
-Eod
why is it so bad to know other people's salaries? why should that be confidential? the only reason I can think of is that company x is embarrassed to be paying most of its employees so little and a few employees so much. reminds me of ben franklin's saying: "a countryman between two lawyers (or employers in this case) is like a fish between sharks."
Many years ago when I was a mere IS lackey at a credit union an audit came up which FINALLY recognized that credit unions had IS departments. The CU software we used stored all of the user passwords in a file on the system which could be retrieved and seen (mainly by us IS folks - but then again, we had access to the HW). One of the auditors asked for a printout of all the passwords to make sure people were following the password procedure (ie no "password", names, birthdays, etc). I told him no. He called his boss, the BIG Auditor. HE told me to give it. I again said NO. HE called the CIO/CFO of the CU to make me give it to them. I did - then I sent out a company wide e-mail announcing what I did and told people to IMMEDIATELY change their password. That lit a fire under the auditors' butts. I was called into a meeting with the auditors and the top execs at the CU. We had a nice chat about security. In the end, the Auditors didn't get another printout. Oh, and when the auditors left for the day I took the password printout off of the desk of the one who requested it and put it through the shredder.
"If you are on fire you can just stop, drop, and roll. If you fall into Lava you are just dead." - my 5yr old daughter
If I found a file with salary records, I'd pass 'em around too. I still have not heard a single good reason to keep that information for only the accountant and CEO to see.
Not only would open accounting force a company to be honest about what it does financially, but it would also be a potential morale boost to the staff (and that's even when the company is down in the hole...openness means understanding and makes people work together). Plus it would put an end to the stupidity of male-female salary inequities...like work would mean like payment and any extra pay would have to be defended on the basis of what that person brings extra to the company, as it should be.
-- Waht? Tehr's a preveiw buottn?
No problem, get the SecurID card merged with the door access cards, then wander around the office and take them all. Anyone that gets locked outside the next day no longer needs their job.
Give a man a fish, he'll eat for a day, but teach a man to phish...
I turned on strong password authentication when I was promoted.
Now they just leave the passwords on a post-it-note on their monitor and still share it with everyone else.
Don't solve human problems with technical measures. Solve them with human measures. Would you expect the HR department to set up the company network? Then you shouldn't try to control employees. Quick solution to your problem is to:
Problem solved. There is one caveat- you MUST make it easy for them to change their passwords. CLEARLY document how to do it, and even go so far as to set up a time when people can drop by your office/cube and get help changing their password, and you MUST give them proper time for
Please help metamoderate.
iris scan. it's actually more secure and easier to get people to do.
for some reason people don't like having a laser read across the back of their eyeball. weirdos
If I give out my password do I get Karma points on /.?
Fat, drunk, and stupid is no way to go through life, son.
CowboyNeal, Taco? Got a daughter?
-- It's 5:30 am - do you know where your stack pointer is?
Pollster: If you tell me your password, I'll give you this free pen.
Pollee: (distracted) Huh? Password?
Pollster: Here you go (gives free pen, ticks off "gave password for pen", writes down password as "password".)
--Rob
"Mother says there are rats in the rockery." --Ratman's Notebooks (1968)
Towards the Singularity.
By browbeating her password out of her this way, you reduced her resistance to future social engineering attempts. You should be teaching your users that they don't ever need to give out their passwords, regardless of who asks or in what circumstances. That's an easy rule to remember. Any complication you add to it just introduces confusion that an attacker can use.
Honest and open accounting is probably a good thing, but only if the company itself is entirely on the up and up. And I am not talking about various strictly illegal activities either.
Do you think that there would be a morale increase when it becomes common knowledge that the owner's unqualified son in a junior position is paid more than people with greater amounts of skill?
Or when the 2 highest paid employees are the owner and his secretary (who is also his girlfriend).
How about when the executives get a raise that is roughly equal to the amount of payroll reduction in the last round of lay offs?
Odds are that if office morale is in the crapper already, that there is a good reason for it.
END COMMUNICATION
Since the HGP has just released the complete source code, I think we should use the open-source model of development:
Let the user community build, test, and report bugs. Every couple weeks, developers can release a new test version to thousands of users.
Distribution of the code should not be a problem:
everything.com
"Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick
An acquaintance of mine got fired from EDS for being overheard mentioning a salary in the dining area (I'm not sure if it was his or someone else's). Some of them take it pretty seriously...
Thanks to Michael Moore's Bowling for Columbine, everyone now knows that up here in Canada, we don't even bother to lock our doors (unless we live in a border town).
I might as well also mention that we don't use passwords either. We don't really worry too much about crackers - most of them are just bored kids with nothing better to do.
"I have never let my schooling interfere with my education." - Mark Twain
In my engineering school there was this story about a guy in the CS department who had been "living" in front of one of the workstations for years.
On one occasion, he was helping some newbie with something; and he allowed the guy to log into his account. Naively, the newbie asked for the password across the room; everyone else in the computer center listened up expecting a refusal.
But instead, this CS guy just started to tell his password "j3Y9_fg..." loudly; the newbie started to type. But the password just kept coming; it was up towards 50 completely random characters long!
It turned out that the system insisted on a changed password every month; but the default selection was the old password. Rather than coming up with something new every month, this guy had just added one more character every time. Of course, it is not too hard to memorize one more character per month either.
Tor
I always go into their accounts and mess stuff up. Like adding random slides with their animated password to the powerpoint presentation they're going to give in half an hour.
A Government Is a Body of People, Usually Notably Ungoverned
Then I'd have fun :-)
Maybe it is more than having nothing, but it could be just obsolete (as in I gave you the PW to a dead acct).
Despite the sloppiness, the outcome of the study is clear, and I'd like to see a more rigorous study...
Other good ones are 'obscure' and 'secret', always fun if someone asks you for the password.
-What's your password?
-It's obscure.
-Good, but what is it?
-I told you, it's obscure.
-OK, let's start at the top, what's your login?
-It's secret. No, really! No, not the comfy chair!
Money for nothing, pix for free
The more often I have to change my password, the more likely I am to write it down. Oddly, the frequent changes are usually required on machines with trivial stuff on it, like my PC or my voicemail. I don't keep any documents on my PC, it's just for mail and /., and the only mail that goes to it is the corporate stuff which everyone gets (like "Easter party this Friday" - really important stuff) - oh, and the spam.
(As for social engineering - I asked my mom to try to guess my password and she couldn't. If she can't, nobody can)
i have three passwords to remember at work. maybe four, i can't remember. but i have to change at least 3 of them every month. man, my memory just ain't that good. sometimes i can't even remember the fact that i have changed a password, let alone remember what the word is. and the door to my office has a digital lock, nevertheless anytime anybody knocks they are let in with no questions asked.
I've had British co-workers who were astonished at the secrecy level US workers attach to their salaries (and frankly I agree with them - what's the big deal?)
They also didn't see salary size as something to brag about - there was still a bit of the "it's your social class, not your salary that counts" attitude.
Just breathing on some scanners is enough to "reactivate" the previous user's print (from the oil they left behind). Or, when the scanner also checks for temperature, press a baggy filled with warm water against the sensor.
Iris scanners were defeated by pasting a picture of the user's iris on your glasses, or in some cases just holding a picture of the person up to the camera. A video of the person, played back on a laptop held in front of the camera, also worked.
Remember - the more complicated the technology, the more points of failure/compromise are possible.
I've been in companies that do periodic unannounced audits, looking for this stuff. They will fire on the spot someone who fails in order to scare others into adhering to policy. If the indications (not that I trust the actual statistics presented) are correct and there are still more than half of workers who would fail at any given time, perhaps positive reinforcement would improve those numbers. Negative doesn't appear to be doing the trick. People face the prospect of losing their jobs on a moment's notice for myriad other reasons - giving out their password probably just doesn't rate high on a "Things to do to keep your job" list.
I AM, therefore I THINK!
Magnetic stripe cards? Like the bank cards that are cloned by the gas-station attendant/convenience store clerk when you're not looking? Hardware cost for a card reader: $250 - $500, + $200 for a decent used laptop.
All this does is make it harder to prove that you are actually the victim of identity theft, because, after all, it was YOUR smart card/mag card (try to prove otherwise).
In his book "Security Engineering"
"In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid 1980s was to worry about criminals being clever; we should rather have worried about our customers - the bank's system designers, implementers, and testers - being stupid."
Let's be realistic - it's not hard getting/guessing other people's passwords - but someone keeps walking off w. my damn pen!
Ah, you don't need a password to do that.. But to make all the headers perfect, do it from their workstation, or at least don't do it from yours. :)
:)
------------------
> telnet smtp.yourcorp.com 25
helo yourcorp.com
mail from: victim@yourcorp.com
rcpt to: ceo@yourcorp.com
data
Cc: supervisor@yourcorp.com
Bcc: victim@yourcorp.com
Subject: Asshole!
Hey asshole,
I'd just like to remind you that you really suck donkey dong! I'd tell you to go screw yourself, but it seems the VP is already in "the position".
P.S., don't go home early tonight, I'll be there banging your wife and daughter.
Love,
victim
.
quit
------------------
Sometimes they call me a troublemaker. I don't know why.
Back in the day, I used to do this for personal entertainment, but it wasn't anything rude like this. I'd do messages from Bill Gates offering jobs and crap like that. One guy almost quit and went to Microsoft, til he saw me laughing my ass off when he was showing everyone in the office the printed Email.
Serious? Seriousness is well above my pay grade.
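The telnet session quoted above never proves who the sender is: the envelope (MAIL FROM) and the headers are whatever the client types, and the only trail left is the address the connection came from. As an added example, not code from the thread, here is a small Python parser for that kind of hand-typed session together with the checks a submission gateway can run on it. The hosts, addresses, networks and the "which workstation does this user normally send from" table are constructed for the example.

```python
"""Added example (not code from the thread): parse the kind of hand-typed
SMTP session quoted above and list what a submission gateway can hold
against it. Hosts, addresses and networks are constructed."""
import ipaddress
import re

# Constructed client side of a session modelled on the one in the thread
# (server replies omitted). Note: no From:/To: header, and a Bcc: in DATA.
CLIENT_LINES = [
    "helo yourcorp.com",
    "mail from: victim@yourcorp.com",
    "rcpt to: ceo@yourcorp.com",
    "data",
    "Cc: supervisor@yourcorp.com",
    "Bcc: victim@yourcorp.com",
    "Subject: Re: budget",
    "",
    "Please see me before you leave tonight.",
    ".",
    "quit",
]

ADDR_RE = re.compile(r"<?([^<>\s]+@[^<>\s]+)>?")


def parse_session(lines):
    """Return envelope (HELO, MAIL FROM, RCPT TO) and the DATA headers/body."""
    s = {"helo": None, "mail_from": None, "rcpt_to": [], "headers": {}, "body": []}
    in_data = in_headers = False
    for raw in lines:
        line = raw.rstrip("\r\n")
        if in_data:
            if line == ".":                       # lone dot ends DATA
                in_data = False
            elif in_headers and line == "":       # blank line ends the header block
                in_headers = False
            elif in_headers:
                name, _, value = line.partition(":")
                s["headers"][name.strip().lower()] = value.strip()
            else:
                s["body"].append(line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.lower()
        if verb in ("helo", "ehlo"):
            s["helo"] = arg.strip().lower()
        elif verb == "mail":
            m = ADDR_RE.search(arg)
            s["mail_from"] = m.group(1).lower() if m else None
        elif verb == "rcpt":
            m = ADDR_RE.search(arg)
            if m:
                s["rcpt_to"].append(m.group(1).lower())
        elif verb == "data":
            in_data = in_headers = True
    return s


def audit_submission(session, client_ip, internal_domain, internal_nets, workstations):
    """Findings a gateway can log or bounce on. `workstations` maps a sender
    address to the IP it normally submits from (constructed lookup)."""
    findings = []
    ip = ipaddress.ip_address(client_ip)
    inside = any(ip in ipaddress.ip_network(net) for net in internal_nets)
    sender = session["mail_from"] or ""
    sender_domain = sender.rsplit("@", 1)[-1]
    if sender_domain == internal_domain and not inside:
        findings.append("internal envelope sender submitted from outside the network")
    if session["helo"] == internal_domain and not inside:
        findings.append("HELO claims the internal domain from an external address")
    expected = workstations.get(sender)
    if expected and expected != client_ip:
        findings.append(f"{sender} normally submits from {expected}, not {client_ip}")
    hdr_from = session["headers"].get("from")
    if hdr_from is None:
        findings.append("no From: header in DATA; the MTA will synthesize one from MAIL FROM")
    else:
        m = ADDR_RE.search(hdr_from)
        if m and m.group(1).lower() != sender:
            findings.append("From: header does not match the envelope sender")
    if "bcc" in session["headers"]:
        findings.append("Bcc: header inside DATA is delivered visibly to every recipient")
    return findings
```

The workstation check is the one that matters for the "do it from their workstation" advice: the forged envelope is free, but the source address of the TCP connection is not under the sender's control, and a gateway that records it alongside MAIL FROM turns the prank into an audit trail.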
Here are the details.
And, btw, U.S. labor law protects concerted activity even if you aren't actively organizing a union.
You don't let consumers design keys to their house do you? How many people would pick a key with a really simple to determine scheme? The fact is the end-user is too gullible to be allowed to have keys which they think they understand to any kingdom. For this reason, I think real hardware keys are a better bet for computer security. End user security needs to be redesigned from the ground up to take away the user's power.
Remember, with great power comes great responsibility. The sad fact is most end users are not ready for such responsibility.
Some time back, everyone connected to the US Air Force (military, civil service, contractors, you name it) had to go through basic "here's how to not fuck up your password security" training. Everyone from generals to secretaries.
Few weeks later, an AF-wide email was sent out from the internal security people. It was very short (I forget the exact text), and it pointed people at a .mil website.
The website had a simple "type in your username and password" form.
Ungodly numbers of people blindly typed it in. Everyone from generals to secretaries. Clicking on the "submit" button logged your username in a database of Incredibly Stupid Gullible People who immediately had their accounts locked. :-)
(Some of the smart people in my branch just killed the web browser without entering anything. I think my coworker and I entered name/pass pairs like "verycutetrick/nicetry".)
A few days later, another AF-wide email from the security people, scolding everyone. Those who had fucked up were required to write a half-page essay justifying why they should have their account re-enabled even though they just handed access to an unknown group of people. I was pleased.
A few days after that, the essay requirement was revoked. Seems some N-star general with more stars than functioning neurons felt he shouldn't have to justify himself to anyone. I was disappointed.
Now we have card readers in addition to passwords. Pull out the card, the terminal locks. And the "if you mess up, your account is revoked" rule is (finally!) enforced by official AF directive.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
I used to have a friend who did work for bank ATMs. He told me a significant number of people pick 1234 or 6969 as their security code.
It's not comforting to know bank workers can see our pin numbers. I guess I should have known this from last time I called my former bank's customer service line and the recording asked me to type in my pin number (I didn't). Stupid banks aren't helping.
"Probably the toughest time in anyone's life is when you have to murder a loved one because they're the devil." -Philips
One problem with that kind of poll is you don't know the quality of the responses.
If someone walked up to me on the street and said "I'll give you this pen for your password" I'd say "fluffy" or something like that, take the pen and be on my way. "fluffy" Isn't my password anywhere, but they wouldn't know that.
How many people did they ask that just wanted the pen? (This wouldn't count for the people like the CEO who they actually tricked into giving the password, just the ones who answered right away).
"Hi, my name is Kevin Mitnick. I'm a convicted hacker, but your company has hired me to test your security. What's your password please? Mmm-hmmm...mm-hmmm...great!"
Let me guess. You own stock in Post-It Notes, right?
Erm, that's a pretty nasty 'test' to try. Heck, that might even fool *me*. Not only are they giving their password to a system rather than a person (vastly more secure to start with), but it was a .mil website? How exactly are they meant to determine when a website is to be trusted then? You have to give your password out to some machine *sometime*.
== Jez ==
Do you miss Firefox? Try Pale Moon.
This all assumes, of course, that people are telling the truth. Leaving aside the fact that people tend to lie when answering anonymous surveys (like all too often off the mark pre-election polls show, or like those surveys that conclude that the average number of sex partners men have in one year is like a couple of scores - what many would of course like,) just try and put yourself in the position of one of those guys.
The deal is, I give you my password, you give me a pen. Sure! My password is girl&friend. Give me the pen. How difficult is it to come up with a bogus password?
This survey is worse than useless.
I have no account, you insensitive clod!
I don't tell my co-workers what I earn for one very good reason - I know for a fact that I'm on more money than most of them, even people who are technically doing the same job. They already have enough reasons to dislike me without me handing ammunition to them! :p
You must think in Russian.
FWIW, he wasn't the hoi polloi. He was a programmer type working for corporate. I doubt they have pin numbers pasted up in the break room or anything like that.
The place I work for used to have no passwords, meaning that any time an employee was asked to login, they just had to type their login name and hit enter. Not only that, but they were all running windows 2000 with administrative shares enabled, and every user was a member of the "domain admins" group. Anyone sitting at any computer in the company had full read/write access to every computer in the office, with no need to break any logins. In addition, none of them ever installed patches on their systems. Any time they opened an infected email attachment, which happened really quite often, especially at the CEO level, the virus would often spread to all the computers, and the network admin, who was actually just a shipping manager who had some computer experience, would have to clean all the computers again and sometimes restore them from previous backups.
They're doing much better now, but they still have a long way to go. Many of them still don't use passwords, and the rest use very predictable ones, but enforcing sound security practices is not in my job description.
At least there's the double firewalls, one in the office and one at the isp. There's also the frequent backups. They keep tape backups for the last 5 days and 1 tape goes to offsite storage every week. In addition, I took the liberty of writing a program to backup all the changes to the databases 3 times a day, so that they can be restored to any point in the last 8 months. If I can't force them to be secure, at least I can protect their data and patch any really major holes, like disabling the administrative shares.
Social Engineering still works. It will continue to work and it's unlikely that this will ever change.
I'd like to say something like "the Chinese have been doing this for centuries"; while that's true, Social Engineering is rarely at that level of deceptive prowess. I mean, come on, "what's your password?" The fact that that alone works is amazing.
I know the feeling, I do on-site tech work too, and I'm amazed at how frequently they'll just tell me their password (without even being prompted) and then babble about how her friend uses it too because it's so easy to remember. *sigh*
This is my digital signature. 10011011001
Call up Me and Eds or Pizza Hut and tell them you want to order a pizza for delivery. Give them your phone number and name, and they will happily read you back their address. Then hang up.
-Pat
The statistics are not that shocking.
Now, of the people out there who do real sysadmin for real businesses... how many of you have ever asked a user for their password? Maybe to log into an application to test something, or to see if their account is working right, or whatever.
It's very, very common. This desensitizes people.
Furthermore, if people perceive the person who is asking them for their password to be in any position of authority over them, they will give it up. This is NORMAL human behavior.. if the boss or hr manager, or anyone else who you perceive to have more authority over you and/or who is helping you asks for your keys, or your password, or any other piece of information maybe they shouldn't know, but which won't hurt in that instance, they give it up.
Of all those who are going to pipe up and say "no way I'd never give out my password", how many of you have actually been in that position and refused to give it out? That's the number that really matters.
Without strict, enforced policies that everyone adheres to religiously, this will always happen. Unless people are regularly tested by cold calls, and other things, and then disciplined harshly for divulging their passwords, these kind of statistics are to be expected.
I fed it "p@$$|/\|or|)", which is of course leet speak for "password", and it came back with a strength rating of 10. Admittedly, it did take me several tries to get one that worked, substituting @ for a, and replacing w with all the lines, but it still gave me a high rating for a fairly obvious leet speak variant.
Of course, I guess it's better than nothing, and would weed out a lot of clueless passwords.
ehintz
IIRC, the fact that it was actually a
What I do remember clearly was that the training emphasizes that username/password should only be given out when you expect in advance to give it out (e.g., logging into your desktop) or are told by confirmed authority well in advance (e.g., "next week you will need to do blah blah blah, this will require your password. yours truly, signed by SSL/PKI, Brigadier General God"). Unexpected requests for passwords should be treated as suspicious.
It's supposed to be a paranoia-inducing test. We get network breakin attempts (and I mean this literally) constantly.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
We regularly have to log in as our users to their systems. They HATE changing their passwords, and have enough trouble remembering them. I usually give them the option of,
A: gimme your password,
b: I'll change your password, but you'll have to make it something different
c: Get called every half hour to come to my office and log into your laptop.
It's bad security, but good customer relations.
All Troll + "offtopic" mods are meta moderated as "Unfair", because you abused the system.
1 - it's against US federal law.
2 - do you really want your neighbors, your inlaws, your poor relatives, your children (allowance), etc. knowing how much you make? (think www.whatcompanynameemployeesmake.com).
3 -
nope. morale would almost immediately go down the toilet. "mary makes more than me??? she's out with her sick kids at least half a day every week. Who do they think is doing her work then?" "that new hotshot negotiated a higher starting salary than I did." etc. ad nauseam, ad infinitum.
4 - I take it that you're not one of the pro privacy /.ers? Your salary is one of the most important pieces of information about you. Everyone wants to know it - the IRS, The state IRS, the county, telemarketeers, spammers, your poor relatives,......
Disagree with me? Prove it: post a scan of your paystub on the internet.
If I was that sysadmin, and I asked you for a password, and you refused, I would walk away, and tell your boss you refused to cooperate.
It's not your choice.
Unless, of course, it was against some company policy or contract you had signed....
Otherwise, you are just being a smartass.
I agree, biometrics are not very useful right now. It's getting better. You can't fake an iris scan with a gummy bear. The hardware is pretty good, it's the software matching algorithms that need the most work.
And it depends on the device. Not every fingerprint device is susceptible to the things you mention. For one thing, not all fingerprint readers are optical based and can't be fooled by simple tricks.
Smartcards on the other hand are useful right now. Especially with the cards that require no card reader (they plug into the USB port directly).
The ratio of people to cake is too big
The usb devices are actually a nasty security hole, susceptible to man-in-the-middle, sniffing, copying, etc.
The only real security is trained and diligent users. Which is why the good ole password still works if used as intended.
Anyway, I'm leaving the office, so have a nice weekend :-)
BTW I quote this under the terms of the GNU Free Documentation License.
To be honest, if you consider the intellects of any grown adults who would volunarily BE on Shipwreck Rapids, you probably have your answer.
Whoa, wait a minute.
Which fingerprint scanners failed exactly? You tested every fingerprint reader there is? I'm just curious more than anything.
Your smartcard comment doesn't make any sense. How exactly can you query a private, protected key on something like a Cryptoflex? That data can not be read, cloned, or queried. ???
Most devices are susceptible to man in the middle attacks but you can't get the private key. You could get the PIN though... but you'd still need the card to use it.
Trained users with passwords is no better than a smartcard. They're just as susceptible to man in the middle attacks. However, they can't remember a 1024+ bit private key nor an 8k certificate.
Portable certs are a good thing. And most of that data is public.
The ratio of people to cake is too big
Smart cards? You mean like the ones for DSS, that are so easily hacked? Hardware cost for a reprogrammer: $50 - $150
Uh, riiight. DSS "smartcards" aren't that great. From a security standpoint their implementation is stupid. It's as plain as that. There are plenty better smartcards out there that can't just be "reprogrammed" or emulated.
The ratio of people to cake is too big
Perhaps the best way to avoid salary spying is to make them open. Check out what Whole Foods Market does: http://www.fastcompany.com/online/02/team1.html "The open-salary policy is undeniably radical. But its trust-building payoff is substantial. CEO Mackey initiated the policy in 1986: "I kept hearing from people who thought I was making so much money. Finally, I just said, 'Here's what I'm making; here's what [cofounder] Craig Weller is making -- heck, here's what everybody's making.'" At the risk of an "interesting" vs "off topic" mod choice, I wanted to point out this open alternative.
And everyone else is soo stupid.
90% quickly give up their passwords to strangers.
all Slashdotters have secure hard to guess passwords that they guard with their life.
all Slashdotters are highly intelligent and know that everyone else is highly stupid.
either all Slashdotters come from the 10% anal password freaks or all Slashdotters are liars
We get network breakin attempts (and I mean this literally) constantly.
Really? I thought the "street knowledge" among "blackhats" was "Don't fuck with the government, they have limitless resources to track you down and make your life hell".
I guess with the advent of the script kiddie, all bets are off.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
I have a very good security trick when it comes to credit card numbers. I use a number for some time... then forget it. Happens mostly when I run out of money. Then I go down to the bank and ask for a new one. I get another one within a few days.
That works, and I don't even have to remember anything - actually, NOT remembering is essential.
Get a Ximian monkey to replace them. And they come with four hands and a tail enabling multiparallel work!
__
Men with no respect for life must never be allowed to control the ultimate instruments of death.
GW Bu
See subject
1 - it's against US federal law.
Which federal law is this? Thanks.
Just because I doubt myself does not mean I find your position compelling.
Greatings good friend,
My name is Mkimbo Mbuto, and I am from the glorius republic of Nigeria. I am writing you to inform you of a most urgent situation of financial interest.
Three years ago, my family was killed in a horrific coup. I have US$20,000,000 that I need to launder into a bank account in the US. Please provide your slashdot username/password so I can contact.
Love, peace, and god Bless,
M.M.
Before I say anything, I would like to point out I am in no way associated with the Sysadmins of this company. Thank God. It would be a huge embarrassment.
Where I work, there's around 25 users, none of whom are able to use a computer for more than typing up a shopping list. Yet they all know the Administrator password (we use Win2k) which is BLANK!. In addition to this, the payroll system's password is blank, and the system which holds customer's names, addresses and bank details doesn't even ask for a password.
Who needs to crack security when there's none in place?!?!?!
Two thirds of workers have given their password to a colleague (the same as last year) and three quarters knew their co-workers passwords. :-/
Which means that 1/12th of the workers know their co-workers passwords via other co-workers or by another way like watching some one type.
In need of reliable and affordable server monitoring?
Smart cards? You mean like the ones for DSS, that are so easily hacked?
Totally different technology. DSS cards sacrificed security for convenience and cost. They weren't intended to be truly secure. Also note that (for the most part) DSS is a strictly one-way transmission, thus a public/private key pair wouldn't work, unless it dialed up every time you changed channels.
True "Smart Cards" keep a private key internally, that cannot be read or accessed in any way from the outside. The better ones will, for all practical purposes, self-destruct if physically tampered with.
If the Smart Card simply decrypts data with the private key, then authentication becomes:
Server encrypts some random data using Public key
Card decrypts data, gives it back to the server
Server compares decrypted data with original
Unless you can somehow pull the private key from the card itself, which is *extremely* difficult (if not impossible), you won't compromise it.
Combine it with a PIN, and now you have two obstacles. Once the user notices the card missing, in most cases they'll report it, and that card will be denied any access, PIN or no PIN.
Much more secure than password authentication...
NGWave - Fast Sound Editor for Windows
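The three-step exchange in the post above (server encrypts a random value to the card's public key, card decrypts it, server compares), together with the PIN and the "report it and the card is denied" step, as an added example that is not from the thread and not any vendor's card. Textbook RSA over two fixed Mersenne primes stands in for the card's key so the block runs stand-alone; a real card generates its own key and never lets it out, and most deployments have the card sign a server nonce rather than decrypt one. Serials, PINs and the lockout threshold are constructed sample values.

```python
"""Added example (not from the thread, and not any vendor's card): the
challenge-response the post describes, plus PIN and revocation, as a toy so
the message flow is visible. Textbook RSA with fixed Mersenne primes stands
in for the card's key; no real card ever exposes its private key like this."""
import secrets

P = 2**127 - 1          # Mersenne primes, fixed only to keep the example self-contained
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+ modular inverse)


class SmartCard:
    """Private key lives only here; decryption works only while the PIN has unlocked it."""
    MAX_PIN_TRIES = 3   # constructed policy: card blocks itself after three bad PINs

    def __init__(self, serial, private_exponent, pin):
        self.serial = serial
        self._d = private_exponent
        self._pin = pin
        self._unlocked = False
        self._failed = 0

    def present_pin(self, pin):
        if self._failed >= self.MAX_PIN_TRIES:
            return False                         # blocked: even the right PIN is refused
        if secrets.compare_digest(pin, self._pin):
            self._unlocked, self._failed = True, 0
            return True
        self._failed += 1
        return False

    def decrypt(self, ciphertext):
        if not self._unlocked:
            raise PermissionError("PIN not presented")
        return pow(ciphertext, self._d, N)


class AuthServer:
    """Knows only public keys and which serials have been reported and revoked."""

    def __init__(self, public_keys):
        self.public_keys = dict(public_keys)     # serial -> (n, e)
        self.revoked = set()

    def revoke(self, serial):
        self.revoked.add(serial)

    def challenge(self, serial):
        """Encrypt a fresh random value to the card; None if the card is unknown or revoked."""
        if serial in self.revoked or serial not in self.public_keys:
            return None
        n, e = self.public_keys[serial]
        m = secrets.randbelow(n - 2) + 2         # fresh per attempt, never 0 or 1
        return m, pow(m, e, n)

    @staticmethod
    def verify(expected, response):
        return expected == response


def login(server, card, pin):
    """Reader-side flow. The PIN goes to the card, never to the server; the
    server sees only the serial, its own challenge and the card's response."""
    if not card.present_pin(pin):
        return False
    chal = server.challenge(card.serial)
    if chal is None:                             # revoked or unknown card
        return False
    expected, ciphertext = chal
    try:
        response = card.decrypt(ciphertext)
    except PermissionError:
        return False
    return server.verify(expected, response)
```

Two things the toy makes visible that the prose leaves implicit: the PIN never crosses the wire (it only unlocks the card), so a sniffer on the reader sees a challenge and a response that are useless without the card; and revocation is a server-side decision keyed on the serial, so a stolen card stops working the moment it is reported, PIN or no PIN.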
New-->Text Document
File-->Save As message.bat or how about net send
You are going to Heaven ;) I'll be personally lobbying with Saint Peter for a nice cloud for you up there.
Buy a Nintendo DS Lite
I was speaking with some colleagues about password security awhile ago and we were talking about how some passwords are more secure than others. One of my less-computer-adept friends was curious about the concept and I explained that some passwords are easier to crack than others because of patterns, length, etc. My password is composed of a variation on an English word with some letters replaced by similar looking symbols, and it is very long. It's an OK password, would take a while to crack, but it isn't like one of those ones that is 25 random characters. Now, my friend's name is Tom.. and somehow he decided that TOM would also make a great password. Upon telling him that longer passwords are better, he went and changed it to something 9 letters long. Of course, he forgot his new password right away and needed my help to crack his password. It took about 30 seconds of running a brute force attack to find his new password. TOMTOMTOM. I guess he didn't listen to my rant about patterns.
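Both the leet-speak meter failure above ("p@$$|/\|or|)" rated 10) and TOMTOMTOM falling in thirty seconds come from a meter that only counts length and character classes. As an added example, not the meter either poster used, here is a Python checker that normalizes leet substitutions, detects a repeated unit, and looks the result up before estimating strength. The substitution table, the seven-entry word list and the 40-bit threshold are constructed stand-ins for a real cracking dictionary and policy.

```python
"""Added example (not the strength meter the posters used): the checks a
meter needs before it rates "p@$$|/\|or|)" or "TOMTOMTOM" as strong. The
substitution table, word list and threshold are constructed stand-ins."""
import math

# Longest substitutions first so "|/\|" is consumed before a bare "|" could be.
LEET = [
    ("|/\\|", "w"), ("\\/\\/", "w"), ("|)", "d"), ("|<", "k"), ("|-|", "h"), ("()", "o"),
    ("@", "a"), ("$", "s"), ("5", "s"), ("0", "o"), ("1", "i"), ("!", "i"),
    ("3", "e"), ("4", "a"), ("7", "t"), ("+", "t"), ("8", "b"), ("|", "l"),
]
COMMON_WORDS = {"password", "secret", "obscure", "letmein", "welcome", "qwerty", "tom"}
WEAK_BELOW_BITS = 40


def normalize(pw):
    """Undo leet substitutions so the dictionary lookup sees the base word."""
    s = pw.lower()
    for src, dst in LEET:
        s = s.replace(src, dst)
    return s


def repeated_unit(s):
    """Return (unit, count) when s is one unit repeated, e.g. ('TOM', 3); else None."""
    n = len(s)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and s[:size] * (n // size) == s:
            return s[:size], n // size
    return None


def charset_size(pw):
    classes = [
        (any(c.islower() for c in pw), 26),
        (any(c.isupper() for c in pw), 26),
        (any(c.isdigit() for c in pw), 10),
        (any(not c.isalnum() for c in pw), 33),
    ]
    return sum(size for present, size in classes if present)


def naive_bits(pw):
    """What a length-times-charset meter reports: the number that misled the posters."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def assess(pw):
    """Return (effective_bits, verdict, reason) after dictionary and repetition checks."""
    base = normalize(pw)
    rep = repeated_unit(base)
    unit, count = rep if rep else (base, 1)
    if unit in COMMON_WORDS:
        # A dictionary word costs log2(dictionary) to guess; each substituted
        # character and each repetition adds only a bit or so of choice.
        subs = sum(1 for c in pw if not c.isalpha())
        bits = math.log2(len(COMMON_WORDS)) + subs + math.log2(count)
        reason = f"dictionary word {unit!r} with {subs} substituted characters, repeated {count}x"
    else:
        unit_len = len(pw) // count
        bits = naive_bits(pw[:unit_len]) + math.log2(count)
        reason = f"no dictionary hit; {unit_len}-character unit repeated {count}x"
    verdict = "weak" if bits < WEAK_BELOW_BITS else "ok"
    return round(bits, 1), verdict, reason
```

With a real dictionary the log2 term grows to twenty-odd bits, but the shape of the result is the same: a substituted or repeated dictionary word is worth a few guesses per variant, and no amount of length rescues it.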
I don't know what's scarier; that your auditors were able to demand a list of all passwords or that you were able to give it to them.
Passwords should not be stored in plaintext format. Only the results of a reasonable one-way hash of the password should be stored.
Then again, you did say this was many years ago.
Of course you also said it was for a bank.
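The auditor in the credit-union story had a legitimate goal (nobody using "password", a name or a birthday) and a terrible method (a printout). As an added example, not the credit union's software, here is how the same store and the same audit look when only a salted, iterated hash is kept: the rule check re-derives each banned candidate under each user's own salt, so the auditor learns which accounts fail and nothing else. Users, passwords, profile fields and the iteration count are constructed sample values.

```python
"""Added example (not the credit union's software): store only a salted,
iterated hash, and let an auditor check the password rules against the
hashes instead of a printout. Users, passwords and the iteration count are
constructed sample values."""
import hashlib
import hmac
import os

ITERATIONS = 50_000   # sample value; tune upward to what your hardware tolerates


def make_record(password, salt=None):
    """Per-user random salt plus PBKDF2-HMAC-SHA256; the password itself is never stored."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "hash": digest}


def verify(record, candidate):
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def banned_for(username, profile):
    """The rule set the auditor wanted: no 'password', no names, no birthdays.
    Returns the concrete candidates to test for this one user."""
    name = profile.get("name", "").lower()
    year = profile.get("birth_year", "")
    base = {w for w in ("password", "letmein", username.lower(), name) if w}
    candidates = set()
    for w in base:
        candidates.update({w, w.capitalize(), w + year, w.capitalize() + year})
    return candidates


def audit(records, profiles):
    """Names of users whose password matches a banned candidate.
    Every candidate is re-derived under each user's distinct salt, so the
    auditor learns only which accounts fail, never anyone else's password."""
    failing = []
    for user, rec in records.items():
        if any(verify(rec, cand) for cand in banned_for(user, profiles.get(user, {}))):
            failing.append(user)
    return sorted(failing)


# Constructed sample accounts.
PROFILES = {
    "alice": {"name": "Alice", "birth_year": "1971"},
    "bob": {"name": "Bob", "birth_year": "1965"},
    "carol": {"name": "Carol", "birth_year": "1980"},
}
PASSWORDS = {"alice": "correct horse battery", "bob": "password", "carol": "Carol1980"}
RECORDS = {user: make_record(pw) for user, pw in PASSWORDS.items()}
```

Because every user has a separate salt, the audit costs one key derivation per candidate per user rather than one table lookup, which is the point: the same property that makes the auditor's job slower makes an attacker's printout useless.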
"their Slashdot password!"
There ya go -- now, where's my pen!?
Peuk?
Who is Tom Lehrer and why is he a genius?
I'm pro privacy, but not the extreme some here are.
:)
As for your points, well first of all I'm not up on that US law...I read the Patriot act and I stopped afterwards
Point 2: so? It's a rather dumb taboo anyway, not talking 'bout what you make.
3. It is exactly for those reasons why salaries should be made public.
4. Well, the first three are basically taxes...these pay for education, mail, healthcare and whatnot...you're talking tax fraud, while I say it's your moral obligation to pay for the (potential) benefits you'll receive (like clean water and mental patients not having to roam the streets).
Then there's the telemarketers...they have your address anyway, what do you think giving them the height of your salary is going to do which they aren't already? At least you'll get to say no to offers you can afford. Spammers; same difference.
And posting my paystub on the internet is something different from having open accounting.
-- Waht? Tehr's a preveiw buottn?
wtf
At least, it is for any account where the powers that be give me root.
/might/ be really expressing, how little they care.
Otherwise, it depends how much I care. I always hated voice-mail so I left my password 12345. A hacker tried to take over my voicemail.... I still left it 12345.
Voicemail was just consistently garbage: either the message was gibberish, or the specifics would be completely changed by the next day.... Why would I feel at all threatened if someone were to delete that for me????
People who are telling you how simple their passwords are,
I cared about my unix accounts --- that's why I'm working there. So, I used decent passwords. I'd look at the access someone has before I raised a stink about simple passwords... If their password is just for office mail and browsing, no access to DBs or fileservers, shares, etc. then why care? Most office workers don't get remote login....
When I have root, I use passwords that are pretty much "unpronounceable line noise", and that I could type fast while looking at the guy hovering 'round my keyboard "chatting", right in the eye.
Diceware looks like a nice way to generate random yet fairly memorable passphrases, for people whose typing is better than their memory. All you need is a list of 6^5 memorable words or almost-words, like the two English lists provided on that website (they've included almost-words like aaaa and 123 as well as real words, to keep the average word length down). Roll 5 dice (5D6 for roleplayers/Warhammer players :-) and pick a word from the list. Repeat until you have a strong passphrase.
Assuming an attacker knows you used Diceware and has a copy of the word list you used, a 5-word passphrase chosen like this is about as hard to brute-force as 64-bit encryption, and a 10-word passphrase is about as strong as the 128-bit symmetric encryption component of PGP.
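The two comments above describe the Diceware procedure (five dice per word, a list of 6^5 = 7776 words) and the resulting strength (5 words about 64 bits, 10 words about 128 bits). As an added example, not code from the thread or from the Diceware project, here is a small Python implementation: a parser for the "dice-key word" list format, a roller that uses a cryptographic RNG, and the entropy arithmetic behind the comment's numbers. The word list excerpt is constructed for the demo; a real list must cover every key from 11111 to 66666.

```python
import math
import secrets

DICE_SIDES = 6
DICE_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** DICE_PER_WORD   # 7776 entries in a complete list
BITS_PER_WORD = math.log2(LIST_SIZE)      # about 12.9 bits per word

# Constructed excerpt in the Diceware list layout: "<five dice digits> <word>".
# A real list has all 7776 keys; this sample only has a few so the demo is self-contained.
SAMPLE_LIST = """\
11111 a
11112 a&p
11113 a's
11114 aa
11115 aaa
11116 aaaa
11121 aaron
66666 ~
"""


def parse_wordlist(text: str) -> dict:
    """Parse list lines into {dice_key: word}, rejecting malformed keys."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split(None, 1)
        if len(key) != DICE_PER_WORD or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word
    return table


def is_complete(table: dict) -> bool:
    """A list is only usable when every possible roll maps to a word."""
    return len(table) == LIST_SIZE


def roll_key(rng=secrets.randbelow) -> str:
    """Roll five dice (cryptographic RNG by default) and return a key like '31462'."""
    return "".join(str(rng(DICE_SIDES) + 1) for _ in range(DICE_PER_WORD))


def passphrase(table: dict, n_words: int, rng=secrets.randbelow) -> str:
    """Pick n_words words by independent rolls; a missing key means the list is incomplete."""
    return " ".join(table[roll_key(rng)] for _ in range(n_words))


def entropy_bits(n_words: int) -> float:
    """Strength against an attacker who knows the list and the word count."""
    return n_words * BITS_PER_WORD


def words_for_bits(target_bits: float) -> int:
    """Smallest word count that reaches a target strength."""
    return math.ceil(target_bits / BITS_PER_WORD)


if __name__ == "__main__":
    table = parse_wordlist(SAMPLE_LIST)
    print("complete list:", is_complete(table))        # False: sample is an excerpt
    for n in (5, 10):
        print(f"{n} words: {entropy_bits(n):.1f} bits")  # 64.6 and 129.2
    print("words for 128 bits:", words_for_bits(128))   # 10
```

Physical dice and a printed list give the same result with no software in the loop; the code version is useful for checking the arithmetic, and `secrets.randbelow` is used rather than `random` because the latter is not designed for unpredictable output.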
I work tech support for my school's Housing Department. Most of our computers have Deep Freeze on them so people can't screw up Windows too badly. One particular computer was at the front desk of a residence hall.. Bored kids playing on the computer all day made Deep Freeze a necessity. The hall director wanted the workers to save Excel files on the hard drive instead of a floppy or zip disk. So he emails my boss and asks her to remove Deep Freeze. Instead of sending a tech over, she just emails him the password. This password is used on every system that has Deep Freeze, and is also her personal password for everything she uses (admin account on Novell and Win2k machines, school email, etc). She just emailed it right off without thinking.
When she hires a new tech, one of the first things she tells em is her password so they can get in to systems and do admin type things. Luckily, most of them are clueless and couldn't figure out how to do any damage if they wanted to.
Last summer when we were upgrading computers for staff I would ask folks to login to the computer so I could go setup Outlook and put some icons on their desktop. I'd say a good 50% would just tell me their password.. Passwords that they use for every system they need to get in to. Imagine what kinds of info Housing Dept employees have access to -- student records, payroll type stuff, etc. They just hand over their passwords, without even being asked, to some college kid they really don't know.
Back when I was in college, a guy I knew visited his girl at her school for the weekend. While there, he FTP'ed into his dormroom machine to get a paper he was working on. Her graphical FTP client had a "remember password" checkbox he didn't see... When he got home and checked his logs, he realized that she had logged back in after he left and found his secret porno stash. I still remember him running through the hall, his eyes bugging out. "Oh shit, guys! She's gonna break up with me for sure: she downloaded dripping.mpeg!"
--All your stolen base are belong to Rickey Henderson
Sounds like you're trying to undermine security everywhere.
The only place I've ever asked for a password from a user is their screensaver or bios password on a laptop that wasn't assigned by myself. If they've decided to put personal passwords on company materials without using corporate security systems that are in place for such things, they will be told to change it.
If its a network or login password of some form, I don't need it; I've got root.
- Michael T. Babcock (Yes, I blog)
Sending mail does not require authentication. So nobody believes that mail was really sent from their account.
Go watch the movie 'Takedown' where Skeet Ulrich plays Kevin Mitnick and Russell Wong plays Tsutomu Shimomura. It's based on the book 'Takedown' written by John Markoff and Tsutomu Shimomura. Although the book seems to be a real 'takedown' of Kevin, the movie is IMHO a fair representation of what happened. Oh yeah, don't forget to watch the documentary Freedom Downtime (2001) directed by Emmanuel Goldstein. It's available at 2600.com.
Robert
We moved one of our departments to another building during renovation, and we took bets on the number of people who would forget their password because they were in a new environment. Out of 50 users, 10 obviously situationally unaware people said "What is this? ctrl-alt-what? I have never had to do this before. Password? What password?" I am not afraid of social engineering at my company..what I am afraid of is that these same people drive on the same roads as I do at the same time..I changed my schedule, now I work late :) On a somewhat related note, we had a remote branch user who complained he could not access the network. After a little investigation, it turned out he had a laptop that had not been powered off for 2 years. The branch had a power outage and when the power was restored, his computer booted up but prompted him for a logon. He thought the power outage destroyed his computer. User un-awareness on this level is the ultimate defense against social engineering ;)
A bunch of us IT people would go out at least once a week to eat and share corporate dirt, and one of the sysadmin gals did data entry on the HR system for a few hours a week. She knew what everyone made, and wasn't shy about telling us (tsk, tsk). I actually was surprised how *low* executive and director salaries were....and yes, there were a few goof-offs who were friends with the owners who made alot more than they should have. But it was a private company, so we weren't made disgruntled or shocked.
People seem to think that passwords are always one person one password. In the case of high security that is true. For most non-military applications giving someone else your password is easier than creating a new account, and should be just as safe.
Case one: college job as fast food manager. 2am while doing closing books I discovered a problem that I didn't have access to fix. Call my boss (he had done some upgrades and forgot a step, tech support couldn't have helped as they don't get root equivalent, the boss should take care of anything that needs that access), and he gave me his password instead of driving in to fix it himself. Sure I shouldn't have gotten that technically, but I'm trusted not to abuse it.
Case two: same job, this time a manager in a different store got married, and everyone wanted to attend. I fill in for the night. They could create me an account on the computer, but why go through that effort for one night, I got the password of someone else there, and was left to do things.
In both of the above situations I was also trusted with the safe combination, so if I did want to do something evil I had much better means of it than some computer access.
Note, there were some enforced security policies in place that make the above violations not quite as bad as they sound. I won't discuss them though. Security through obscurity is no security, but in many situations actual mathematical (provable) security is not possible.
Interestingly, your sig seems quite appropriate for this discussion...
Our hell(p)desk still sends out quarterly e-mails with a subject of "Virus - Do Not Open". The mail has a read-receipt rule applied. We usually get about 90% of the targeted list opening the mail.
Then some poor hell(p)desk soul has to call every person on the list and politely tell them not to open strange e-mails. The funny thing is that the schmuck who does the calling is usually the first person in our Network Control Center who opened the e-mail.
We also do an annual "Hi, I work in the NCC, can I have your password" type program. About 20% of the people we call will give it to us easily. About 1% follow the proper procedure of calling the cops to report an attempted break-in.
I'd rather you do it wrong, than for me to have to do it at all.
The only good security is trained, alert users and trained, alert, paranoid sysadmins who put their foot down regarding stupid practices.
Yes, the DSS smartcard implementation was stupid. But so was their business model, too. Much better to give everyone free access to the signal, and snip out the commercials in real-time and substitute ads paid for by others.
I have worked in a few different security fields and believe that it is impossible to explain to management that security is inversely proportionate to usability. You want to keep data 100% secure? Lock it in a fireproof safe.
You want that data useable that is another matter.
But until you make security non intrusive people will do things like post it notes. So where exactly is the problem coming from?
1024-bit encryption cards made by IBM and used by ATMs world-wide were cracked several years ago (see 2600 for details).
... an average of 15 attempts led to the cracking of the users' pin by insiders.
I couldn't find anything about that IBM card on 2600. Can you be more specific about where it is? What type of encryption was it?
That is absolute nonsense. For short 4-char numeric-only PINs maybe. However, nearly every smartcard supports long binary data PINs and this is what is typically used when security matters. If someone can guess an 8-character alphanumeric, upper/lower case password in 15 tries then you could break into just about ANY system, smartcard or not if that were true. Besides, 15 attempts won't do you any good if your card locks after 3 attempts at the PIN. ???
Give more hard evidence, otherwise I have a hard time believing anything you say. You seem to be just bashing smartcards by picking specific examples of weak systems. I've been working as a programmer with some of the top firms in the crypto and smartcard arena for many years.
The ratio of people to cake is too big
Tools for a distributed cracker are here
Slashdot's reference is here
The card was about 5 years ago, and may not be on-line, turned out there was a bug that returned the same limited set of codes.
As for cards locking after 3 attempts, you can always unlock them (done all the time with looped PPV cards) or stop after 2 attempts. Besides, many systems actually store the PIN (or a portion of it) on the card.
Keep in mind that you don't have to crack every 1024-bit message, just a few of them, to give you access to enough information to go after the rest.
Yeah, I knew about the 1024-bit RSA thing. This is not smartcard specific though and affects anything using 1024-bit RSA keys.
I would guess that IBM bug doesn't affect all smartcards.
You seem to be stuck on satellite/cable smartcards which is just a tiny minority of cards out there (I assume you mean PPV as in Pay Per View? Or something else?).
Unless you know something I don't, most smartcards can not be unlocked once they are locked. Some have an admin PIN that can unlock the user's PIN, but it's not any easier to crack and on most cards that functionality can be disabled completely if desired.
Storing the PIN on the card? What PIN? Again, are you talking sat/cable type cards with their crappy implementation? Are you talking about storing a PIN in an open EF that an application would read and then use? That would be stupid as there would be no point in having a PIN in the first place. Please explain.
Many bank cards used to store the user's PIN. Many, if not most, still do. Didn't say it was smart. Want proof? Do a withdrawal when the network is down. You're still authorized for $50 per shot. That's why so many people were able to commit ATM fraud in the days after 9/11. It's also the basis of the suit against the banks out in California, where the banks want an injunction against revealing this. They can go fuck themselves, 'cause I'm in Canada, and not affected by any such injunction :-)
Unless there's a fusible link that burns out (like write-once EEPROMs) most cards can be reactivated. Heck, some of the first cash cards were reactivated by nuking them for 3 seconds (talk about "recharging" a card).
Smart cards aren't the solution. Educating users and programmers is. And in the long run, it's also cheaper.