Slashdot Mirror


IT and Security Professionals Think Normal People Are Just the Worst (zdnet.com)

Two new studies reaffirm every computer dunce's worst fears: IT professionals blame the employees they're bound to help for their computer problems -- at least when it comes to security. From a report: One, courtesy of SaaS operations management platform BetterCloud, offers grim reading. 91 percent of the 500 IT and security professionals surveyed admitted they feel vulnerable to insider threats. Which only makes one wonder about the supreme (over-)confidence of the other 9 percent.

[...] Yet now I've been confronted with another survey. This one was performed by the Ponemon Institute at the behest of security-for-your-security company nCipher. Its sampling was depressingly large. 5,856 IT and security professionals from around the world were asked for their views of corporate IT security. They seemed to wail in unison at the lesser and more unwashed. Oh, an objective 30 percent insisted that external hackers were the biggest cause for concern. A teeth-gritting 54 percent, however, said the most extreme threat to corporate IT security came from employee mistakes.


  1. User have been the problem forever by DarkRookie2 · · Score: 5, Insightful

    This is not new news. Users have forever been a problem.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
    1. Re:User have been the problem forever by Anonymous Coward · · Score: 2, Insightful

      I am pretty sure that electricians in the 19th century blamed electrocutions mostly on user error. A lot fewer of those happen these days and users have not become smarter. Instead, appliance and building engineering standards and certification requirements have evolved.

    2. Re:User have been the problem forever by ewibble · · Score: 5, Insightful

      Yes, a computer system without users would be very safe but not that useful. But the real problem is that systems themselves allow users to do stupid things in the first place or provide no easy alternative. Here is an example:

      I want to download and run an application from the internet; seems like a reasonably common thing to do. However, how do I know it is safe? Search the internet? OK, but there may be fake sites saying it is safe, or it may be piggybacking on a valid program. Run a virus checker? Well, OK, but it could be a virus that isn't picked up by that checker, and the virus checker should run automatically anyway. But you need to run the program, so you do.

      What would be nice is an option like "run untrusted", which starts a VM automatically and runs it there, and checks that nothing bad has happened to your computer as well.

      I believe the responsibility lies mainly with IT; we should make it easy for the user to do what they need to do. We are the experts, we need to take responsibility for it. Yes, it is hard and you cannot always fix it, but we should always be trying and not just blame it on the user.

    3. Re:User have been the problem forever by Major_Disorder · · Score: 5, Funny

      A few years back I worked for a company that produced a network security device (not saying who, NDAs are still in place). Sticky notes on monitors with passwords on them were everywhere. We sent out multiple requests for them to be removed, and you can guess the result. We eventually got management buy-in, and after more warnings, one Saturday we went around the office and removed every sticky note that even remotely resembled a password. After photographing the placement, and placing each note into an envelope, all were removed. I can still hear the echoes of the screaming on Monday morning. :)
      The best part is two weeks later we did it again. Several people were found with new sticky notes. (One under the keyboard.) These people were given written notice that they would be terminated if it happened again. One person did not believe them; he was terminated for cause about a month later.
      I really enjoyed removing his accounts. :)

      --
      First law of people: People are generally stupid.
    4. Re:User have been the problem forever by Anonymous Coward · · Score: 3, Interesting

      What I hate as a sysadmin is when I do wander from my dark, trance-music-filled office, I get ambushed by people wanting everything. I'm sorry, I cannot and will not teach you how to format a Word document. It's your tool, learn how to use it. Ditto Excel formulas, wanting me to troubleshoot your email on your phone (I will not touch personal devices), and it goes on and on and on. I hate dealing with end users. Just let me write my code on my servers and leave me be. It's not my job to educate you on how to use the tools you were hired to use. Watch a YouTube video on Excel formulas; you'll get further along with that than with me.

    5. Re: User have been the problem forever by Spazmania · · Score: 3, Insightful

      I'm in the 9%. I'm not overconfident... I just realize that treating staff like potential enemies is a losing proposition.

      I have lawyers to deal with employees who violate my trust. Until it's time to get the lawyers involved, it's better for everyone if I assume they're trustworthy.

      I focus my efforts on the authentication and accounting side of the problem and handle authorization with a very light touch. Make sure you are who you claim to be and make sure I know what you did. Then get out of the way and let you do your job.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    6. Re: User have been the problem forever by Wulf2k · · Score: 2

      But staff are potential enemies.

      Having a record showing that Jane Doe in accounting downloaded every document in the office and sent it to China does you no good when she explains that she was just trying to run some Excel macro she found online.

      So you can't just get out of their way. How much you get in their way is the balance that must be found.

    7. Re:User have been the problem forever by skids · · Score: 5, Insightful

      It ain't the users. It's the products.

      They market themselves as easy to use and then ship with innumerable security holes and deficiencies. Half of them think they are in a living room with everyone in the same broadcast domain and spew exploitable multicast everywhere, or want you to punch holes in your network to accommodate them. Cloud services tell users "just put your data up here", no mention that they keep getting p0wned by leaving it up in unprotected mongodbs/repos accidentally. CDN-based apps with their thousands of IP addresses all shared by other services make L4 security filters impossible to define. Wifi supplicants and VPN clients which don't have any sane way to install, much less find, a corporate configuration profile that actually locks down the protocol sanely. Unmerited complete trust in DNS results. Self-help support operations that take opaque data dumps including PII, IP, and crypto keys over email to some outsourced support center who knows where.

      So it's nearly 2020 and the bright side is you almost never see telnet servers in products anymore. That took decades. In the meantime we are inundated with new attack surface daily.

      90+% of all my problems, many of them security related, are because people want to use product X and product X is a dumpster fire. I don't blame the people for wanting to use it. It's what they were shown in an advertisement, and everyone they know is using it. I blame the manufacturers of product X for shipping crap.

    8. Re:User have been the problem forever by omfglearntoplay · · Score: 2

      Yeah this is a tricky area. Oftentimes, you see lazy employees who want you to train them... if you do, you just make your life worse and potentially help a subpar employee stay employed. I think the idea of pointing them to learning videos is the way to go... if they are willing to learn they will, if they aren't, tough.

    9. Re:User have been the problem forever by jeff4747 · · Score: 2

      Did you advise the client that their password policy may be too onerous?

      I've worked at places that required unique passwords for many different systems, all expiring on different schedules, no reuse, ever. Which means the passwords get written down because remembering all that is not all that feasible.

      For those who would respond with "Just use a password manager!!!!" you've just violated the policy since all those systems now have one password. Also, little hard to use a password manager for initial login in areas that forbid any outside electronics.

    10. Re:User have been the problem forever by Major_Disorder · · Score: 3, Interesting

      Did you advise the client that their password policy may be too onerous?

      For those who would respond with "Just use a password manager!!!!" you've just violated the policy since all those systems now have one password. Also, little hard to use a password manager for initial login in areas that forbid any outside electronics.

      Nope, because their password policy was fairly lenient for a company with a security focus.
      We allowed and encouraged people to use password managers. I personally offered training sessions on a number of different password managers. (Almost no takers.)
      If they had written down their login password and stuck it in their wallet we would have had no problem with that. We were really going after the lowest of the low hanging fruit.

      --
      First law of people: People are generally stupid.
    11. Re:User have been the problem forever by rtb61 · · Score: 2

      OK, it is not them, it is us. The average IQ is 100; 50% of people are below that. I've used computers for quite some time and, well, they are tricky to use and to get the most or even a reasonable amount out of; they just are. I reckon that below an IQ of 115 they are a struggle to use and you have to go over IQ 125 to be really good at them, and even then you have to keep up.

      In the IT field, the IQs are pretty high and they tend to define usability based upon their experience, which compared to the normies is hugely different, because yeah, higher IQ to figure out stuff. When I used to write instructions for the less skilled employees, one thing I would always do is follow the letter of the instructions and see if I could carry out the task, because relying on missing skills for missing instructions don't fucking work.

      Yeah, they are much worse at using computers than the IT team because, on the whole, their IQs are much lower, often quite a lot, and computers are not their speciality, making it even worse. When you run the IT department and your users are not using the computer system properly, accept the fact that it is your fault and not theirs: you have failed to establish a system, establish training and computer use policies, and update them to continue to reduce problems and system use failures.

      Yes, the IT department, has to do the computer thinking for the rest of the company because basically, they can not. They pretend they do not want to but the reality is, they simply can not figure it all out. You basically dumb down the system so the, cough, cough, dummies can use it (hey, I understood the problem and learnt to deal with it, does not mean I enjoyed it, oh so painfully frustratingly slow, just take a deep breath zone out and ponder solutions for other problems and wait for them to catch up and tell them how great they are doing, build their confidence).

      --
      Chaos - everything, everywhere, everywhen
    12. Re:User have been the problem forever by AmiMoJo · · Score: 2

      Isn't this what browsers are now? A VM that web apps run in, safely isolated from the rest of the system?

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    13. Re: User have been the problem forever by c6gunner · · Score: 3, Insightful

      The problem with this advice is people cracking passwords don't just go through the alphabet, they use dictionaries. Since you're using words, you made their attack far more likely to succeed because the space of possible solutions is much, much smaller than "every character, number and symbol"

      Using dictionaries makes it easier, but that doesn't mean the passwords aren't any good.

      Pick 4 words at random from a very simple 2,000 word dictionary and it's roughly the equivalent of a 7 character password using alphanumeric and basic symbols. If you pick them from a 6,000 word dictionary then it's the same as 9 character password. That's assuming a dictionary attack.

      You can also repeat words without much penalty. "purpletablepurpletablepurpletable" is 6 words; even using a 2,000 word dictionary that's equivalent to a 10 character password. With a 6,000 word dictionary it's 12 characters. And it's insanely easy to remember no matter which words you pick.

      You can also do fun things like combine languages. This is easier for people who are multilingual, but anyone can do it. Pick 3 words from 3 different languages. Random example; "I like cheese" in Albanian, Japanese, and Danish: "une suki ost". There's a 10 character password (12 if you use spaces) which is very memorable and which makes dictionary lists useless. Want it longer? Add the word "green" in English, now you're up to 15-18 characters. That's only slightly weaker than the password "!e?@D71?kkvA", but infinitely easier to memorize.

      I use random passwords too, but those get stored in a password manager. For the password manager itself, or for any passwords which I have to type frequently, using actual words is the only way to go.

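The arithmetic in the post above, worked out as an added example (this is not code from the original thread or from any of the commenters). The alphabet sizes are my assumptions about what "alphanumeric and basic symbols" means (62 letters and digits plus 12 symbols); the dictionary sizes and word counts are the commenter's. The `effective_bits` function is my addition: it assumes an attacker who also tries repeated-word patterns, so only the distinct words count, which is the caveat the "purpletable x3" trick deserves.

```python
import math
from typing import Iterable

# Alphabet sizes for the "random character" comparison. These counts are my
# assumptions about what the commenter meant, not figures from the thread.
ALNUM = 26 + 26 + 10                          # a-z, A-Z, 0-9
ALNUM_SYMBOLS = ALNUM + len("!@#$%^&*?.-_")   # plus 12 common symbols = 74


def passphrase_bits(dict_size: int, n_words: int) -> float:
    """Entropy in bits of n_words drawn uniformly, with replacement, from a
    dictionary of dict_size entries.  An attacker who knows the dictionary
    pays one guess per word combination, not per character."""
    return n_words * math.log2(dict_size)


def random_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters chosen uniformly from an alphabet."""
    return length * math.log2(alphabet_size)


def equivalent_length(bits: float, alphabet_size: int) -> float:
    """Length of a uniformly random password over `alphabet_size` symbols
    that carries the same number of bits."""
    return bits / math.log2(alphabet_size)


def effective_bits(words: Iterable[str], dict_size: int) -> float:
    """Entropy a dictionary attacker actually has to search when repeated
    words are allowed and the attacker tries repetition patterns too.  Only
    the distinct words contribute; the choice of pattern adds a few bits at
    most and is ignored here (my simplification, giving a lower bound).
    So 'purpletable' repeated three times is two words of entropy, not six."""
    return passphrase_bits(dict_size, len(set(words)))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at a given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for dict_size in (2000, 6000):
        bits = passphrase_bits(dict_size, 4)
        print(f"4 words from {dict_size}: {bits:.1f} bits ~= "
              f"{equivalent_length(bits, ALNUM_SYMBOLS):.1f} random chars")
    naive = passphrase_bits(2000, 6)
    honest = effective_bits(["purple", "table"] * 3, 2000)
    print(f"purpletable x3: naive {naive:.1f} bits, distinct-word {honest:.1f} bits")
    # 1e10 guesses/s is an assumed offline rate against a fast, unsalted hash.
    print(f"12 random chars: {years_to_exhaust(random_bits(ALNUM_SYMBOLS, 12), 1e10):.0f} years")
```

Four words from a 2,000-word list come out at about 44 bits, which is indeed roughly a 7-character random password over 74 symbols; the 6,000-word case lands nearer 8 characters than 9. The repeated-word case is where the post oversells: a cracking rule set that tries each dictionary word doubled and tripled finds "purpletablepurpletablepurpletable" in the 2-word keyspace.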
  2. Wish I could mod this entire "story" as Flamebait by schitso · · Score: 2

    n/t

  3. Technophobes by grasshoppa · · Score: 2

    We all know it's true; when it comes to technology, most employees are idiots. Management too.

    I want to blame the technology companies a bit here; UX design is the root cause of a lot of these problems. It's bad enough on its own, but companies like MS continually make radical UX changes between versions, making it even worse.

    Back to employees, however; a lot of them don't see the need to increase their skillset. They grudgingly use the technology, but refuse to become proficient with it. They adamantly refuse to accept that were they more knowledgeable with the tech they were using they'd do their jobs better.

    So these results don't surprise me at all.

    --
    Mod me down with all of your hatred and your journey towards the dark side will be complete!
    1. Re:Technophobes by mjwx · · Score: 2

      I want to blame the technology companies a bit here; UX design is the root cause of a lot of these problems. It's bad enough on its own, but companies like MS continually make radical UX changes between versions, making it even worse.

      The whole field of "UX" is the problem. It's a bollocks discipline made up by companies trying to disguise how their interfaces do not conform with HCI (Human-Computer Interaction) standards.

      I was being demo'd a new product yesterday and their web interface was a "clean UX" design of white and very pale blues with very few harsh (read black) lines. I had trouble seeing this against the London skyline in the background which was as is so uncommon for London... completely fecking white. When I asked if they had a dark theme because the contrast made it difficult to read, you could hear the hipster UX designer grinding his teeth over the presenter. The seething rage that I'd dare question his "clean" design was so hot we could have turned off the building's heaters.

      Microsoft, up until quite recently, had managed to do quite good, readable UIs. One of the few things they did get right.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    2. Re:Technophobes by Ol+Olsoc · · Score: 2

      A lot of assumptions going on there. I don't treat any of my employees poorly. My private opinions are just that; private.

      Well there ya go. Pretending to be a nice guy while holding the people responsible for your employment in contempt. Now we're coming to an understanding.

      I'm the IT guy everyone goes to because I'm the only one who gets shit done ( suits or no ).

      The problem is a large swath of minimum wage employees suck up an inordinate amount of time for stupid shit; constantly forgetting passwords, forgetting how to use the same software they've used for over a decade, complaining their computer is broken when the monitors are powered off, etc... and every one of them blames me by proxy because I'm the computer guy.

      I'll bet your contemptuous attitude comes right out. So is it unbearable when you fix something simple? Just terrible that a person such as yourself has to stoop to working with these idiots who in no way are your equal?

      Now seriously, your attitude comes across loud and clear even in these posts.

      Look, I'm happy for you; you get the sweet job of only supporting a small subset of competent people. Try working a real IT job, where you have to support folks top to bottom.

      Here we go. By the way, they actually were not competent in matters of computing. What they were was tired of the problems associated with the IT people, who all displayed the very attitude expressed in the subject line and story, that "IT and security people think that normal people are the worst." And my experience is that is exactly the case, and your postings merely reinforce that.

      The very existence of what I was doing was because I wasn't a real IT person. I was polite, never condescending, talked with them as a peer (which I was anyhow), completely socialized, and was very knowledgeable about keeping computers in line.

      If the "IT Professionals" could do their job without being a pain in the ass, I could have just been a normal participant in the meetings.

      Where you have to worry about things like PCI, HIPAA,

      All of those things, as well as national security. A mistake could have landed me in jail.

      Any IT admin who has a positive opinion of their user base simply isn't doing their job.

      You poor, sad man. Something somewhere has gotten your wires crossed. People aren't supposed to hold their customers in contempt. You are the very example of what I am talking about. You are the epitome of this story on Slashdot.

      I'm perfectly capable of holding individuals in great contempt and acting on that contempt. But was never able to hold a non-positive opinion of an entire user base. I deal with individuals - some people need to have a simpler outlook where they can brand an entire group as idiots. Good luck with that.

      I do feel rather sorry for you, because that is a toxic attitude you bring, and toxic attitudes poison the workplace and end up being harmful to the person who brings that attitude. Good luck! Considering a different career where your customers aren't held in contempt might be a good move.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    3. Re:Technophobes by Ol+Olsoc · · Score: 2

      Yea, you're not actual IT. You're a computer concierge.

      Okay, apparently I lack the deep seated insecurity and bitterness to be an actual real IT person.

      Which is fine, if that's the job you want, and the people actually want to pay for it. Some do, and get that. Some don't.

      That wasn't actually the job I wanted. It wasn't even my actual career.

      Even the janitors are not called to operate the toilet for users.

      Don't ever let anyone tell you you don't have an amusing attitude. It is pretty obvious you don't take telling. Unfortunate that people can get some good advice and be held in contempt for it. I'm just another person for you to dislike, just like the people you support.

      As I noted, my support wasn't my "job" as it were. I didn't actually want to do the support for these guys and gals. But since I was in many of the meetings, it was expedient and actually saved money. Rooms full of 6 figure people have an impressive burn rate.

      But aside from expediency, the attitude that is so often displayed by IT people is so obvious to the so called "idiots" they fix computers for. You might think they are idiots , but they are orders of magnitude more perceptive than you.

      As perhaps not an "Actual IT" person, I lacked that attitude. I liked these guys and gals, and they all liked me. Some were complete computer illiterates. I didn't care. I was happy to help.

      But really, don't be too surprised that IT departments are held in the low esteem they have worked so hard to achieve. That attitude is not the path to success. Being a cost center is just telling you that they wouldn't employ you if they could figure out a good way to get rid of you. But then I'm wasting my time telling something to someone who doesn't take telling.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  4. And conversely... by herve_masson · · Score: 5, Insightful

    ...normal people think IT guys are just the worst, and they're both right from their point of view.
    What a scoop...

  5. We've forced our workforce to use advanced... by MindPrison · · Score: 2, Insightful

    ...passwords and two factor authentication simply because they'd choose such simple passwords to remember.

    People hate having to learn something complex to remember, even if it just takes the effort of putting a small note in your wallet for 4 days to help you remember. You'd be SHOCKED if you just knew what passwords even professionals choose; it's hopeless.

    So what we did at our big corporate was to implement a Password A.I. guide engine that helps people avoid bad passwords. It picks stuff from a HUGE database of simpleton passwords (you know, guitar1234567, etc.) and it will simply explain to people why their passwords are not very good (we're polite, so we don't tell them that they're simple and... essentially not very IT savvy; they're good at something else, right?).

    People just want an easy life. Most people working with computers, as just a tool to get the job done, don't want a huge advanced routine to do their job, and when the password becomes a chore and hard to remember, it will stop them from doing their job. And since we're nagging people to change their password 4 times a year, with reminders that pop up every day for 14 days before it expires, people simply get seriously annoyed. And they will go through hellfire to find an easy to memorize password before they even try to train for a complex one (here's a complex one for you, for those who simply don't get what that would be:

      J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use, even with a secondary two factor authentication device, and it's not hard to learn to remember it, sure - it's not as easy as guitar1234567, and it takes effort to learn it - but most people (if they just kept that note for a few days in the wallet, had to enter it 10 times a day) they WILL remember it, even the average Joe - and their personal security on the net would sky rocket in comparison.

    But...people are ...simple.

    --
    What this world is coming to - is for you and me to decide.
    1. Re:We've forced our workforce to use advanced... by hublan · · Score: 3, Interesting

      This needs to be voted up to the heavens, where it can shine above the insular heels that come up with corporate password policies.

      Has it ever occurred to them that all those cracked-out, contradictory password requirements actually reduce entropy rather than the other way around? You can't come up with policies based on how you'd like people to act, you have to come up with policies based on how they do act.

      --
      My spoon is too big.
    2. Re:We've forced our workforce to use advanced... by sjames · · Score: 4, Insightful

      Remember way back in public school where each teacher individually assigned "just" 45 minutes of homework and proclaimed that 45 minutes is no big deal? And how by the end of the day you had accumulated 4.5 hours of homework?

      Same here. Everyone thinks their password requirements are not that big of deal forgetting that their little assignment is far from the only one people are dealing with.

      Don't tell them not to write it down, tell them where to write it down. And don't make them keep entering it every time something times out.

    3. Re:We've forced our workforce to use advanced... by Jason+Levine · · Score: 2

      Relevant XKCD: https://xkcd.com/936/

      Don't force your users to use passwords like "J4Al4&/rO1.P9DeErxL )" because then they'll simply write them down on sticky notes and your enhanced security will collapse to zero. There's a third option between "12345" and "J4Al4&/rO1.P9DeErxL )". Encourage them to use password phrases ("correct horse battery staple" or "We're Off To See The Wizard"). You'll have increased security AND they'll be able to remember their passwords without resorting to sticky notes.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  6. Re: where's the lie? by Anonymous Coward · · Score: 3, Insightful

    I don't think long passwords are an issue, more like not being able to use the last 4 previously used passwords and having to change every 2 months. Yeah no, that's going on a post-it. My job isn't my life.

  7. What you have actually done by SuperKendall · · Score: 2, Insightful

    We've forced our workforce to use advanced passwords and two factor authentication

    What you've actually done: Doubled the workplace's sticky note budget.

    If you are doing two factor why torture everyone with bullshit complexity requirements? For the LOLs?

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  8. A few things... by roc97007 · · Score: 4, Informative

    A few points:

    - Users are "unwashed" compared to IT personnel? Have you *worked* in IT?

    - The first thing IT professionals forget (speaking as one) is that computer management isn't the user's job. It may be *your* expertise, but it isn't *theirs*. They have a different job to do which you would probably suck at. Expecting them to be IT professionals on top of their regular job is an unreasonable expectation. So stop fussing about it.

    - That said, often security issues really are kinda the user's fault. We told 'em and TOLD 'em, don't do that, you'll infect your.. ok, too late.

    --
    Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
    1. Re:A few things... by Anonymous Coward · · Score: 3, Funny

      Sure, you've told us. Then some genius at JP Morgan decides that the only way I can get the tax documents I need from their secure portal is by clicking a link in an email that they send me. Which, by the way, gmail offers to translate from Slovak, for some reason--extra-special comforting.

      When I write them and say, just send me the url so I can log in with my credentials, and not have to click some phish-bait link, they only offer to fax me the document instead.

      Oh yeah, sure, users are the problem....

    2. Re:A few things... by Dragonslicer · · Score: 2

      Is clicking on the wrong email, which opens up a browser, which launches a 0-day drive-by vulnerability really the user's fault, or is it the developer who screwed up and created the 0-day drive-by vulnerability? Or is it the project manager's fault who insisted on that shiny new feature over doing code review? Or is it the corporation's fault for pushing the PM for features over security? Or is it everyone's fault for not insisting on security over features? I could go on, but I hope you get the point.

      The thing you have to keep in mind is that users need to be able to do their jobs. Even without any security vulnerabilities in any software, a malicious script can always perform any action that the user can do themselves. If a user needs write permission to the files on some network share, then a malicious script could delete all of those files. Determining that some script is malicious, as opposed to what the user wants to do, is not always a trivial task.

    3. Re:A few things... by roc97007 · · Score: 2

      There is some correlation to how well an IT professional knows his [1] job and his attitude towards users, I think. I may be wrong about this. In my first few years as an admin, I used to tease mercilessly the users who couldn't figure out where their document went, when they'd accidentally suspended their edit session. (Yeah, I started in the days of VT100s.). It took me some years, a lot more experience, and more time spent outside the machine room to lose the hubris. You can always tell when an admin hasn't been through that process yet. Maybe some never get past it.

      On the other hand, there are software developers whom I'd call "aggressively naive" about the resources they use to get their job done. I still remember the guy who called me at 3 AM because his code wouldn't compile. He'd visually checked his code and was sure it was correct, and he wanted me to drive in and fix the compiler. (I did no such thing, had a meeting with his boss the following day to discuss service levels. Turns out, the problem was in his code.)

      [1]. Not meaning to disparage female admins. Please assume I meant his-or-her so I don't have to type that in a bunch of times.

      --
      Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
  9. Computers are Insecure by bill_mcgonigle · · Score: 2

    Here's the thing - every computer out there is insecure. We basically don't have the knowledge on how to build a secure computer that most of the population can use while remaining connected to the Internet.

    There are really only two choices now: 1) disconnect from the Internet and don't face these risks 2) expect risks and pay to avoid incidents and/or clean up after them.

    IT people are the worker bees of 2). Blaming the users for using faulty equipment is a waste of time.

    Nobody seems to want to do 1) because overall there are profits to be made by being Internet connected. If your place of business wants to do 1) but not 2), then just run for the exits before it's too late.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  10. The network is great, but... by marquis111 · · Score: 4, Funny

    A developer for one of my past organizations, a true rocket scientist, posited it the best: "The network would be great, if it wasn't for all of those users!" Cheers, Ron.

  11. Ponemon Institute? by 93+Escort+Wagon · · Score: 2

    Professor Oak, director of the Ponemon Institute, had this to say about security bugs: "Gotta catch 'em all!"

    --
    #DeleteChrome
  12. Re:where's the lie? by darkwing_bmf · · Score: 2

    A password on a post-it at least requires physical access. More troubling are short, easy to remember passwords that don't need to be written down, like "password" (or if you need a capital, number and special character, "Passw0rd.").

    I apologize to everyone whose password I've just exposed.

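Two posts in this thread describe the same check from opposite ends: MindPrison's "guide engine" that rejects passwords found in a big database of common ones, and darkwing_bmf's point that "Passw0rd." is just "password" with the policy boxes ticked. Below is an added example of that blocklist check with the normalization a real cracker's rule set would apply (lowercase, strip the digits and punctuation bolted onto the ends, undo leet). It is my code, not anything from the thread or from the corporate engine the commenter describes; the blocklist entries and the 12-character minimum are constructed for the example.

```python
import re

# Constructed sample blocklist.  A real deployment loads millions of entries
# from a breach corpus; these few are only so the example runs offline.
BLOCKLIST = {
    "password", "guitar", "qwerty", "letmein", "welcome", "admin", "iloveyou",
    "correcthorsebatterystaple",   # the famous XKCD phrase is in every wordlist now
}

# Leet substitutions that cracking rule sets undo; applied after lowercasing.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

MIN_LENGTH = 12   # assumed policy threshold, not a figure from the thread


def normalize(password: str) -> str:
    """Canonical form for the blocklist lookup: lowercase, drop spaces, strip
    the non-letter prefix/suffix people add to satisfy complexity rules, then
    undo leet.  'Passw0rd.' and 'guitar1234567' collapse to their base word."""
    s = password.lower().replace(" ", "")
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)
    return s.translate(_LEET)


def check_password(password: str, blocklist=BLOCKLIST) -> list:
    """Return the list of policy problems; an empty list means acceptable.
    The message names the base word so the user learns *why*, which is the
    polite explanation MindPrison's engine is meant to give."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = normalize(password)
    if base in blocklist:
        problems.append(f"based on the common password '{base}'")
    elif not base:
        problems.append("no letters at all")
    return problems


if __name__ == "__main__":
    for candidate in ("guitar1234567", "Passw0rd.", "correct horse battery staple",
                      "We're Off To See The Wizard", "J4Al4&/rO1.P9DeErxL"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

Note what the normalization buys: "Passw0rd." satisfies every classic complexity rule and still fails, while "We're Off To See The Wizard" passes because no wordlist entry matches it as a whole. The phrase "correct horse battery staple" fails for the opposite reason: being the canonical example made it a wordlist entry, which is the one caveat to the XKCD advice.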
  13. Hardware solution by Tablizer · · Score: 2

    J4Al4&/rO1.P9DeErxL ) Yes, that's the kind of passwords you should use

    You're kidding, right? Otherwise, it sounds like a narcissistic case of "I'm capable of remembering long random gobbledygook, so you should be also."

    And, I don't understand why the password file cannot be implemented in a dedicated-hardware "lock-box" such that it cannot be file-copied, preventing say 500,000,000,000,000 attempts at it. Using regular-file-based password repositories is just a speed-race to the bottom.

    Typically you'd have 2 of these lock-boxes, 1 as a mirror spare*. The only way to get file access would be to break it open, or find the physical key. Otherwise, all access is through a throttled API. The per account throttling would be tighter than the per lock-box throttling. I'm not saying such is completely unhackable, but far less so than a regular server file because it's designed to do one and only one job. (Crap, I sound like Al Gore.)

    * If one breaks, the other is physically unlocked and a new spare hooked up directly for re-mirroring, cable to cable.

  14. This confirms ... by PPH · · Score: 3, Funny

    ... the research done by Simon BOFH

    --
    Have gnu, will travel.
  15. Re: where's the lie? by lactose99 · · Score: 2

    A thousand times this. Having to change your password every X months to something you're never going to remember anyway is the polar opposite of good security policy.

    --
    Fully licensed blockchain psychiatrist
  16. Users don't realize how bad they look by Revek · · Score: 2

    Users will constantly say things like "I just don't understand technology." or "I don't care what's wrong, I just want it to work". This used to put me in a bad frame of mind. I find it hard these days not to laugh at them. I wonder how long it took them to learn that fire will burn or not to walk down the middle of the freeway. They live in the same world as us but refuse to put a minimum amount of effort into learning how it works.

  17. Look in the mirror, what do you see? by az-saguaro · · Score: 3, Interesting

    No matter what profession each of us is in, I am certain that we all have stories about "stupid users". They surely do exist. But there is a flip side to this story.

    Many "stupid users" are not stupid at their jobs or life in general. They just do not cooperate well with the paradigms of computing and technology that are handed to them by "the industry". The makers of the technology are quite savvy about such things. But, they might forget that not everyone is so, or be dismissive of ordinary smart (or dumb) people who are not as learned about those things as the manufacturers and technical folk are. Those people decrying the IT "stupid user" are likely to be the butt of jokes about how dumbass they are when it comes to accounting their taxes or fixing their car or managing their own diabetes.

    If there are too many stupid users, perhaps it is not the users. Perhaps the technologists who make techno products ought to produce better devices and software and computing paradigms that place greater emphasis on user interface, usability, human factors engineering, ergonomics, and just plain wtf common sense. It seems to me that too many IT people are so wrapped up in the technology and their own familiarity with it that they are suffocating from a lack of reality and some sympathy to how their mom or grandma might use the technologies they are making or managing. Turn your propeller head beanies upside down and air out some of the supercilious cobwebs in your IT skulls.

  18. Re: where's the lie? by Anonymous Coward · · Score: 2, Interesting

    Just print out and laminate individual password cards. 12 columns and 6 rows fits easily on a CC sized card. Users can stick them in their wallet. Make a bunch of different ones and let the users pick a card, any card, so you don't even know it.

    Need a password? Pick a starting point and go right/left/up/down, or Fibonacci it if you want to make your life difficult. If you force password changes, have them go down a row and follow the same pattern if they want.

    It's a really cheap, effective and simple solution. Even physical access isn't a complete failure like with a post-it, because the actual password has 72 starting points, 8 bits of directionality times ten plus characters.
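Added example (not from the commenter above): a small Python model of the card scheme described in this comment. It generates a 6x12 card from a CSPRNG, reads a password off it from a chosen start cell and straight-line direction with wrap-around, and counts how many distinct passwords one card can produce for that reading pattern, so the residual secrecy of a lost card can be compared with that of a random string of the same length. The sample card, alphabet and direction names are constructed for illustration.

```python
"""Password-card model: generate a card, read a password off it, and
count the passwords one card yields for a straight-line reading pattern."""
import math
import secrets
import string

ROWS, COLS = 6, 12                      # card geometry from the comment
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@"  # constructed

# (row step, col step) for the eight straight-line reading directions
DIRECTIONS = {
    "right": (0, 1), "left": (0, -1), "down": (1, 0), "up": (-1, 0),
    "down-right": (1, 1), "down-left": (1, -1),
    "up-right": (-1, 1), "up-left": (-1, -1),
}

# Constructed sample card (6 rows x 12 columns) so the functions can be
# exercised deterministically; a real card comes from make_card().
SAMPLE_CARD = [
    "Ab3#Kq9!Zx2%",
    "m7&Lp0?Rt4+W",
    "s5-Nv8@Yh1=C",
    "e6*Gj2!Qd9%B",
    "u3#Fk7&Xn0?M",
    "i4+Hz5-Tc8@P",
]


def make_card(rows=ROWS, cols=COLS):
    """Fill a rows x cols grid with characters drawn from a CSPRNG."""
    return ["".join(secrets.choice(ALPHABET) for _ in range(cols))
            for _ in range(rows)]


def derive(card, row, col, direction, length):
    """Read `length` characters starting at (row, col), stepping in
    `direction` and wrapping around at the card edges."""
    dr, dc = DIRECTIONS[direction]
    rows, cols = len(card), len(card[0])
    out = []
    for _ in range(length):
        out.append(card[row][col])
        row, col = (row + dr) % rows, (col + dc) % cols
    return "".join(out)


def pattern_keyspace(rows=ROWS, cols=COLS, directions=len(DIRECTIONS)):
    """Distinct passwords of a fixed length one card yields when only the
    start cell and direction vary: the secrecy left if the card is lost."""
    return rows * cols * directions


def bits(n):
    """Keyspace size expressed in bits of entropy."""
    return math.log2(n)


def random_string_bits(length, alphabet=ALPHABET):
    """For comparison: entropy of a uniformly random string of `length`."""
    return length * math.log2(len(alphabet))
```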

  19. Re: where's the lie? by alvinrod · · Score: 2

    It's pointless. If it doesn't get written down, then it just gets incremented. I had a former co-worker who was up to $password43. Not exactly difficult to guess either.

    If you can't trust the average user not to do something stupid like this or can't impress upon them the importance of security, then set up two-factor authentication of some sort or a security system that takes user apathy into account. Otherwise you're just asking for trouble.

  20. Obligatory XKCD by sfcat · · Score: 2, Insightful

    I'm burning mod points to post this but I just can't let this go by. A huge part of the problem with security is IT itself. We have learned that long passwords are good and use of weird characters (numbers, capital letters, punct, etc) are bad. Plus most users shouldn't be required to know more than 2 passwords (normal and maybe an elevated one). But many IT personnel keep with the same broken password policies from the past that we now know are bad. If you still use these outdated and problematic password policies, you can't blame the users, IT is still at fault...

    --
    "Those that start by burning books, will end by burning men."
  21. Victim blaming is NOT a solution by shanen · · Score: 3, Insightful

    That comment does NOT deserve "insightful" moderation.

    It's just cheap-shot victim blaming. The people who are supposed to make things better blaming the victims they failed to help and protect.

    Actually I blame Microsoft. One of the main keys to Microsoft's "success" and perhaps the main source of their YUGE profits was their leadership in escaping responsibility for mistakes. Read your EULA. Whatever happens to you, whatever damage you, your company, or your customers suffer, no matter how egregious the phuckup, you will find that Microsoft's "legal" liability is quite precisely limited, and in most cases limited to nothing at all. It didn't have to be that way, and if Microsoft (and other corporate cancers) had been held liable for their mistakes, you can be certain they would have been more careful. There's a reason they call it moral hazard.

    (Microsoft's other key tactic was minimizing direct sales to the suckers... Er victims... Er, I mean end users. The very honorable end users, and it doesn't matter how much they wind up cursing Microsoft after the fact. Just recently I provided some technical advice on some new machines, but I could not persuade them to even consider skimping on one of the Microsoft taxes. They insisted on paying the OS tax and the MS Office tax to boot.)

    Not the saddest part. That's the lack of a solution approach. The solution is obvious, but it will never happen.

    Imagine cutting Microsoft into competing companies. NOT vertically, but horizontally. Each baby Microsoft would start with a copy of the source code and an equal share of all the corporate resources. Windows and Office would be standards, and the people would actually have the freedom to buy from the baby company that gets most serious about improving the security of the software.

    (My delusional implementation strategy would involve a progressive profits tax linked to market share. It is not a penalty for success. Rather the higher tax rate is a penalty for reducing freedom and the lower tax rate (after dividing the company as needed) is a reward for reproducing the good ideas into separate companies.)

    As usual, time's up, but I bid you ADSAuPR, atAJG.

    --
    Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
    1. Re:Victim blaming is NOT a solution by shanen · · Score: 2

      And ignoring the customers is even worse than victim blaming. However you go even farther down when you start attacking the customers, especially when you are attacking them for having problems that gave you the opportunities to solve those problems.

      Must be some kind of troll response.

      I think it is a waste of time to attempt to be more clear, but I'll invest a few keystrokes.

      If the customer wants to do something that is too dangerous, then you have to explain why it can't be done. Or, even better, you have to figure out a safe way to do it. Legitimate alternatives include finding alternative solutions or finding bypasses to avoid the problem space.

      Here is NOT a legitimate solution: Handing the victim a noose in a shrink-wrap package with a EULA that absolves you of all blame or responsibility for anything that happens after the package is opened.

      --
      Freedom = (Meaningful - Coerced) Choice != (Speech | Beer^2), and sad sock puppets' bad mods avail them naught.
  22. In Soviet Russia, Trojan Exploits YOU! by Deathlizard · · Score: 2

    These rules have been in my sig (and are better explained there) going on for a decade now. For how old these rules are, they still apply. Every virus in the last 10 years exploits 1 or more of these rules. The more you are aware of them as an IT professional, the better your system design will be to mitigate risk.

    Laws of computer stupidity
    1) 99% of computer users do not know what they are doing.
    2) Computer users do not read.
    3) If a computer user can click on it, they will. Conversely, if a computer user needs to click on it, they won't.
    4) You can patch software, but you can't (legally) patch stupid.
    5) The premise of monkey rule: If you can't train a monkey to use it, you can't train a human to use it.