That you're too stupid to find a better job is no one's fault but your own. The company is fucking you up the ass like a cheap whore and all you're doing is asking them to shove it in deeper. They know you'll put up with anything they do to you without even a peep and they're wringing you for all you're worth. Then when you finally snap and hang yourself they'll find another moron to fill your space.
So stop blaming everyone else and instead actually get rid of what's making you miserable. Stop being a rug for every single person who wants to step on you. Grow a damn spine already.
First of all, I *like* my job. I've spent most of my career as an IT consultant, both on my own and working for small and large consulting organizations. As such, I've worked at many different organizations and the job I currently have, while it does have certain downsides, provides me with a number of advantages and perquisites.
I have extensive experience in a variety of areas within IT, and am gaining experience in others at this job. I am not help desk or desktop support; rather I am an engineer, architect, analyst and 3rd level support. I choose to be here. If I liked, I could move to many other jobs which might not include as many hours, or as much responsibility. For the moment, however, I'm getting experience that I couldn't get elsewhere due to the structure of the organization. Also, and very importantly, I have a wonderful boss who works even harder than I do. My compensation is considerable, which is a consideration, of course, but I also like to be challenged to improve myself. All that said, why don't you make me that latte I ordered and shut the fuck up?
My point, for jerkboy, was that not all IT folks, as he put it, are "...spending their 8-5 lamenting the ignorance of the office staff (mixed in with an inordinate amount of smoke breaks)." In fact, smart, resourceful and competent folks work very hard to make IT work because IT (as has been pointed out over and over on this thread) is generally understaffed, underfunded and requires a lot of hard work. You've heard of hard work, I assume? I also point out (since reading comprehension doesn't seem to be your strong suit) that rather than complaining, I asked how many hours a day your fellow jackass works, as a comparison.
A couple of questions for you, and I'll use small words so you'll be sure to understand: Who is this "everyone" I'm blaming, and where exactly in my post do I attempt to lay this blame? And where did I say I was miserable either? Since you clearly didn't understand the implications of what I wrote, I'll dumb it down for you -- I contrasted my own current experience with the mindless garbage spewed by Mr. Dumbass. Get it now, brainless one?
In any case, rather than ignore your half-witted attempt to critique my employment choices, I'll say again, this time to you: Fuck you jerk!
Primarily dealing with end users, they are ignorant (not stupid most of the time)
And what's the problem again? Nearly all people who bring their cars in for service can't service it themselves. They are ignorant. No harm in that...that's why we have IT departments. It's the IT department spending their 8-5 lamenting the ignorance of the office staff (mixed in with an inordinate amount of smoke breaks) instead of, you know, helping them that makes everyone hate IT.
You know, I work at least ten hours a day every weekday and often 12-14 hours a day. I haven't had a weekend completely off in *months*. Why is that? Because we have ten people running a global IT infrastructure. People think it's fine to call me at 10PM because it's only 7PM on the West coast. If our folks in Asia are having a problem at 2PM, it's 1AM for me and I'm expected to resolve the issue post haste.
I'm on salary and do not receive overtime. Why do I do this? Because it's my job. Because if a job is worth doing, it's worth doing properly. How many hours a day do you work, scumbag?
No, in my experience it is IT's insistence on security practices with zero thought on how this will impact the end user. A few examples:
I was looking after a Jenkins server for a project we were running. Jenkins was running on the latest version of Tomcat with a Java 6 runtime. However, due to customer requirements there was also a Java 5 runtime which was being used to generate the build. IT felt the need to un-install the JDK 5 and upgrade the machine's Java 6 (to the version with Oracle in its name). The removal didn't update the JAVA_HOME directory, causing Tomcat not to work. They decided to do this just as we were starting an Integration & Test phase for a major release. The Jenkins server was linked to me on their records but at no point did they think to mention it to me.
Same Jenkins server: this was running fine and suddenly the builds started failing. 3 hours of investigation later I find out it's because the Jenkins server password had been changed. Never mind the server username was the name of the project (e.g. projectXYZ). IT came up with a new policy which stated all server accounts needed to be > 48 characters and they had changed them all without notifying a single person on the project.
How about when IT decided that in a software house no one needed Admin access, which would be fine except they tried to forbid admin access on projects which were developing software which required Admin access (for a number of reasons). Those projects had to go up to the business director and have him shout at the IT head to fix it.
Or the fact they decided no one should have USB. A great idea except I was working on an embedded project (along with a dozen other projects) which required an unencrypted USB stick to load the software on to the test rig. Once they realised how many people had a problem they tried to limit it. But when you're working on a 5 man team, only allowing 1 person to transfer files causes you to lose a lot of man hours.
I can think of dozens of other examples, none of them were dictated by upper management. People hate IT because IT doesn't look at how to better help people work.
These issues are not an indictment of the IT staff, rather they very clearly show a lack of Change Control processes. That may well be IT's fault, but they may just be implementing edicts (or their understanding of same) from upper management. Either way, it does suck. However, instead of just bitching about how IT is fucking you over repeatedly, why not do something productive like reviewing IT policies and making sure that your team is in compliance. If exceptions are required to do the business of the organization, then make the case for the exceptions.
You might even do something breathtakingly rational (a pipe dream, I'm sure) like cultivating relationships with IT staff and management and work *with* them to create change control policies that don't put the business at risk.
four extensive experiences with IT.
three were very, very bad.
i've eliminated the everyday he-said she-said stuff.
one to the good: IT explained, click-by-click ("push button down and hold down") how to make it work.
1 bad: never returned calls. calls...voice to voice...live. never happened.
2.bad: the one IT in-person meeting was full of 13-year-old 'dismissive' body language by the IT people. (rolling of eyes, etc....if you're a parent, you know it when you see it.)
everyone noticed and still refers to it as a Career-Shortening-Gesture.
3.bad: Christmas Party of 2007.
I hope you don't need to write anything as a key part of your job. I read your post three times and I'm *still* not exactly sure what the hell you're talking about. If English is not your native language, I apologize. If it is, I pity you.
However, as I've seen in many places, your time costs money to the company, but it's not money from MY budget! Going "out of the way" for a single person or even just a few is not "cost effective" to IT because it __increases__ IT's budget (which is already considered over inflated). Never made sense to me, but if IT can save 10% (say $100,000 just for a number) of its budget by causing other departments to increase their budgets (say by a total of $200,000), then "so be it" because separate budgets are approved separately and increasing the users' budgets doesn't get IT yelled at by corporate management. Stupid and short-sighted. Blame it on the bean counters who put the various departments into conflict to reduce budgets for their individual department without any concern about collateral damage.
I wish I'd read this before I posted a response to an earlier (more thoughtful) comment (cf my comments) about this. It's a *good* thing to force business units to pony up for one-off technologies because you can compare their costs against the revenue they generate. With IT, it's just a cost center and, as far as many (certainly not all) C-Level types are concerned, needs to be cut to the bone.
That said, it is stupid to put departments in competition with each other. In the end, all the budgets come from the same pool of money. At the job I mentioned above (see link), this was so rampant that when IT had *millions* of dollars worth of surplus equipment (from a failed IT project), other departments would purchase new equipment rather than just assume the depreciation costs associated with equipment *we already owned*. It made no economic sense from a company perspective, but each manager with a budget was only concerned with *their* budget and not with the overall profitability of the company. Now *that's* short-sighted and stupid -- with nary an IT person in sight. sigh!
Your comments are fine; I agree. We'll meet you half way once you help us get the budget to do it.
This reminds me of my first big company (70,000 employees) job back in the mid 90s. I was a Unix Admin/evangelist in a primarily mainframe shop. We had a pretty clear standard for implementing new technologies -- The first guy over the bridge pays to build the bridge.
This cut way back on the jackasses who wanted the "latest and greatest" just because some sales moron who needed to make his quota that month told him/her that they just "had to have" whatever crap they happened to be selling. When you have to justify the expense well enough that you will spend part of your own budget, there is a much greater likelihood that it will actually be something that will enhance the business, not just the latest crap that the 36DD sales lady with the short skirt and no gag reflex wants to sell you.
I said:
You can take a published string and make it a reasonably secure passphrase by adding enough entropy to it, but you still have to remember the entropy that you've added. Why not just start with a diceware passphrase and memorize the entropy directly?
I think that's still a valid point. How well can you misremember a quote? What is the maximum Hamming distance between the original quote and a passphrase that you can remember? If you can remember 64 or more bits of entropy to add to an existing quote, you might as well remember a shorter diceware passphrase with the same entropy.
Additionally; how secret is your choice of source material? You can only have a finite number of books in your house, and a larger but finite number within driving distance. The likelihood of you traveling far and wide to generate a passphrase is pretty low. Can you be sure that Echelon didn't record the text (or at least the URLs) it's seen you fetch over your Internet connection? Reducing the search space to only a few thousand sources makes the problem almost embarrassingly simple. Build a probabilistic model of your writing/typing and then use it to find the nearest likely passphrases generated by altering the substrings of sources to better fit your writing style. Most likely you don't choose truly randomly from a set of altered quotes; you look for things in the text that seem easy to remember if they are changed, or that trigger some other memory that makes it easier to remember the other changes. Humans are bad at generating truly random text.
Not being a cryptographer by trade, I'll take your word for it. However, I suspect that my suggestion would keep most folks out of PMITA prison, assuming they're not forced to divulge the key.
Unless, of course, the US Government wants to get you badly enough to initiate surveillance complete enough to identify *all* the IP addresses that you specifically have used and when, grab the data collected via Echelon, search your house and identify every book you have, every book you've ever had, every book you borrowed from libraries, friends, enemies, etc., identify every song, poem, doggerel, Spoonerism ('one swell foop' comes to mind), etc., etc., etc. you've ever heard, read or sung and analyze all of it to figure out what you *might* be using for an encryption key. In that case I'm thinking they're going to get you no matter what.
As is pointed out here, we all break the law pretty much every day. So, assuming I'm not considered the next Osama bin Laden, I think my TV, Furry, axle-grease fetish porn is safe.
I don't mean to sound derisive, I sincerely admire your level of paranoia. I like to think of myself as pretty paranoid when it comes to InfoSec matters, but I guess I'm out of my class here. Thank you for your interesting, if (IMHO) rather extreme point of view. It's definitely food for thought.
Then don't put stuff that would require such measures on your phone. Why would you do so anyway?
My phone accesses many of the same resources my desktop does. Virtually all the online services I use, VPNs, and wireless access points I use,... hell I even remote to my own desktop from my phone.
To be honest, other than a BIOS boot password on my desktop PC, I'm hard pressed to think of a password I'd never have to enter on my phone...
The discussion is about law enforcement whining about cracking encryption, not how to compromise your own security. I guess law enforcement in your area will have no problem discovering whatever it is that will put you in PMITA prison.
Good luck using your phone to log into your desktop from jail. I guess we'll be hearing from you again when you get out.
It takes a pretty exceptional human to actually remember a useful crypto key
Not really. How hard is it to remember a paragraph from your favorite novel or lyrics from a popular song?
That is not a key, that is a pass-phrase.
A key is a "random" file with 16k-bytes of numbers. It is only not random when compared to another 16k-byte file that is its key-pair.
The pass-phrase protects the key file, but things are encrypted with the key, not the pass-phrase.
If you destroy the key, which is the only thing protected with the pass-phrase, then none of the files can ever be recovered.
This is what the GP is speaking of.
The GP is correct that keys are damn near impossible to commit to memory. It's so difficult, I don't see why anyone would try -- rather just create an extremely long passphrase to encrypt the key. That said, one *could* use song lyrics and such directly as an encryption key, making my point valid, as long as the software you use allows it.
A minor point -- Crypto keys are, "In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa during decryption." I'm not sure where in the definition that a key is either "random" or "16k-bytes of numbers." Perhaps you could show me the part I missed.
It's obviously foolish to use public text verbatim as a key. Common Crawl has a 40 TB dataset that costs approximately $150 to MapReduce on EC2. Any key that happens to be a (reasonably short, say under 1KB) substring of that data costs $150 to break. Any key within a short Hamming distance of a substring in that database costs roughly 2^hamming_distance more to break; two changed bytes is only worth $600. I imagine that large organizations who care have much larger databases including the text of most published books. It's such an obvious idea, and until you realize that attackers have access to all the public source data that you do, it sounds like a good idea to just pick a random string from a book to use as a passphrase. Don't kid yourself; no matter how obscure or unpopular a song is, there will be lyrics for it somewhere on the Internet, not to mention in published books.
You can take a published string and make it a reasonably secure passphrase by adding enough entropy to it, but you still have to remember the entropy that you've added. Why not just start with a diceware passphrase and memorize the entropy directly?
I guess reading comprehension isn't your strong suit. I'll assume that you are an ESL person rather than a moron. I said:
...It's even better if you *mis-remember* the quote/lyrics so that you're the only one who would come up with the result even if someone tried to brute force the key by scanning all your books and listening to all your music.
It's even better if you *mis-remember* the quote/lyrics
Who knew that kissthisguy.com would become the #1 password dictionary.
That's exactly the kind of stuff I was talking about. You know what you *think* the lyrics are and once you add punctuation and some deliberate mistakes, even plain language crackers will have an awful time of it.
The only disadvantage is that such a long passphrase is quite annoying
Or you have to enter it in on a phone. And I don't want to ever have to do that on a phone.
Then don't put stuff that would require such measures on your phone. Why would you do so anyway? If someone gains physical control over your mobile device, even incredibly long passphrases become crackable. Especially if the government or police have physical control of said device. They will (presumably) exist for the centuries it would take to crack long passphrases.
I was going to comment that this doesn't make a good key because human languages have so much redundancy and therefore rather little entropy per word, but then I actually checked and came to the opposite conclusion: While an n-bit paragraph wouldn't make a good n-bit key, a much longer paragraph actually does. If we assume 7-8 bits of entropy per word (a number a quick Google search turned up), then your examples would all make for very good 256-bit keys.
The only disadvantage is that such a long passphrase is quite annoying if you have to type it often, and it's hard to type correctly at speed if you can't see what you've written on the screen.
Agreed. It's a pain in the ass to type such a long passphrase. *However* If you want to keep your cocaine sales records or your child porn safe, I expect that it would be worth it.
My point was in relation to the OP who made the incredibly stupid claim that long passphrases are hard to remember.
It takes a pretty exceptional human to actually remember a useful crypto key
Not really. How hard is it to remember a paragraph from your favorite novel or lyrics from a popular song? It's even better if you *mis-remember* the quote/lyrics so that you're the only one who would come up with the result even if someone tried to brute force the key by scanning all your books and listening to all your music.
Perhaps something like:
While the music played you worked by candle light, those San Francisco nights - you were the best in town, Just by chance you crossed the diamond with the pearl, you turned it on the world, that's when you turned the world around
Or maybe:
I was alone I took a ride, I didn't know what I would find there. Another road where maybe I could see another kind of mind there. ooh and I suddenly see you, ooh did I tell you I need you? Every single day of my life.
Try and brute force those keys. Using punctuation makes it even harder. And these are the first verses to well known songs. Use the third verse of an obscure song (one you don't like would be even better). The music makes it much easier to remember and just about anyone can remember songs/lyrics.
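The thread argues both sides of this with numbers: lyric passphrases at 7-8 bits per word (the figure quoted above), diceware at log2(7776) bits per word, and the Common Crawl cost model ($150 for a verbatim substring, times 2^d for d changed bytes). The script below is an added illustration, not code from any poster; it applies those figures to the two lyric examples quoted above so the comparison can be checked rather than eyeballed. The bits-per-word figures and the $150 base cost are taken from the thread as stated, not independently verified.

```python
import math
import re

# The two lyric passphrases quoted in the thread, embedded here as sample input.
LYRIC_A = ("While the music played you worked by candle light, those San Francisco "
           "nights - you were the best in town, Just by chance you crossed the diamond "
           "with the pearl, you turned it on the world, that's when you turned the "
           "world around")
LYRIC_B = ("I was alone I took a ride, I didn't know what I would find there. Another "
           "road where maybe I could see another kind of mind there. ooh and I "
           "suddenly see you, ooh did I tell you I need you? Every single day of my life.")

DICEWARE_BITS_PER_WORD = math.log2(7776)   # 5 dice, 6**5 equiprobable words (~12.92 bits)
PROSE_BITS_PER_WORD = (7.0, 8.0)           # the thread's estimate for free-form English
PUBLISHED_BASE_COST_USD = 150.0            # the thread's figure for one Common Crawl pass

# Words are runs of letters/digits/apostrophes; bare punctuation like "-" is not a word.
_WORD_RE = re.compile(r"[A-Za-z0-9']+")


def word_count(text: str) -> int:
    """Number of words in a passphrase, ignoring stand-alone punctuation."""
    return len(_WORD_RE.findall(text))


def prose_entropy_bits(text: str, per_word=PROSE_BITS_PER_WORD) -> tuple:
    """(low, high) entropy estimate for text the attacker does NOT already hold,
    using the thread's 7-8 bits/word. This is the optimistic case: it assumes the
    phrase is not a substring of any corpus the attacker can scan."""
    n = word_count(text)
    return (n * per_word[0], n * per_word[1])


def diceware_words_needed(target_bits: float) -> int:
    """How many diceware words give at least target_bits of entropy."""
    return math.ceil(target_bits / DICEWARE_BITS_PER_WORD)


def crack_cost_published(hamming_distance: int,
                         base_cost=PUBLISHED_BASE_COST_USD) -> float:
    """Cost model from the thread for a passphrase that is a published substring
    altered in hamming_distance byte positions: base cost times 2**d."""
    return base_cost * (2 ** hamming_distance)


def assess(text: str, target_bits: float = 256.0) -> dict:
    """Compare a lyric passphrase against a target key size under both models:
    as unpublished prose (bits/word) and as a verbatim published quote (cost)."""
    low, high = prose_entropy_bits(text)
    return {
        "words": word_count(text),
        "prose_bits_low": low,
        "prose_bits_high": high,
        "meets_target_if_unpublished": low >= target_bits,
        "diceware_equivalent_words": diceware_words_needed(low),
        "cost_if_verbatim_quote_usd": crack_cost_published(0),
    }


if __name__ == "__main__":
    for label, lyric in (("A", LYRIC_A), ("B", LYRIC_B)):
        print(label, assess(lyric))
    print("diceware words for 256 bits:", diceware_words_needed(256))
    print("diceware words for 64 bits:", diceware_words_needed(64))
    print("cost, two bytes changed:", crack_cost_published(2))
```

The two models disagree by design: the same 42-word lyric is worth roughly 300 bits if nobody has ever published it and about $150 if they have, which is the whole disagreement in the thread.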
I have tried a myriad of different things. Under the pillow, strapped to my leg, it just doesn't work for me. On the nights I am on call, I sleep on the couch. I would be interested to see different approaches.
This seems like a really foolish thing for a convicted monopoly to do. I could see a clear case being made that Microsoft is leveraging their position in the PC market to dominate in the mobile phone market.
As opposed to leveraging a monopoly position in web search to dominate the mobile phone market by giving away a free product that competitors can't afford to compete with on price? This situation seems familiar...
I'd just point out that Microsoft (or Nokia or Apple, for that matter) can license Android for free and compete with the other Android phone makers. How is that leveraging a monopoly position? "Hey, let's dominate the market by giving away GPL'd software and licensing the non GPL'd code for free!" Please.
Or, even better, if you can get their fax number how about full-color Goatse in the mail or by fax? By email too, but Goatse coming out of a fax machine seems like it would be a nice gift to send them.
iPhone encryption is the issue. Anyone who gains physical access to your iPhone can quite easily access whatever data is on that device, emails included. Just google for "iphone encryption" and you'll find more articles and even videos about how easy it is to bypass this encryption than there are about the encryption itself. Just to clarify here -- the biggest risk is the iphone itself.
Actually, ActiveSync isn't the issue. iPhone encryption is the issue. If you can bypass the screen lock, IOS will transparently decrypt any encrypted data on your iPhone, including your ActiveSync/Exchange email.
Say'n what? That you buy into marketing hype that cannot possibly be true? First I've heard of them, but reading their claims for what they can do for iPad/iPhone devices.... hhahhaha bullshit:)
I don't buy into the marketing hype. I did something which may be alien to you. I *implemented* it. And not by my choice either.
I'll also point out that I mentioned, in another post in this thread that GFE is crappy software. The only advantage it has over every other competing product is that it provides strong encryption on-board the iphone/ipad/android. That's critical for my organization and the *only* way we would allow those devices to store company emails. I don't really like it. It has many quirks and doesn't always work. However, it does, substantially, what my organization needs it to do.
So stop talking out of your ass. You're stinking up the place. Have a nice day!
This has been the IT Challenge since VisiCalc sold Apple ][s.
If you want to have a bitch session about it, I'm not entirely without sympathy. Just don't let it blind you from forming real strategies to meet the challenge.
Maybe I got lucky. I got to watch our Burroughs mainframe high priests do nothing but bitch while the workers gave up on them and bought and tended their own DOS boxes. In a very few years those priests were gone. It was a sharp lesson. You've got to deliver what your internal clients want, or you're history.
You're 126.4% correct. However, it's insecure and foolish to attempt supporting products that you do not have the skill sets to succeed. As I (and others) mentioned in earlier posts on this thread, the way it goes is that if you allow something into your environment, 95% of the time that's tantamount to sending a broadcast to the entire organization that whatever it is is now fully supported (and supportable) by IT.
I have no problem implementing new or existing technologies which can improve performance and, most importantly, the bottom line of my organization. Introducing technologies which cannot be effectively supported (and effectively supporting something means having the skills, processes and resources to do so) is only going to be detrimental to the entire organization. Please note that I'm talking about *large* organizations.
Identifying and implementing technologies that can enhance the ability of users to *do their jobs* is a core function of IT. If your IT organization isn't doing that, they're doing it wrong. That said, implementation is more than just installing the software or hardware and tweaking the configuration. Processes need to be developed, redundancy and fail-over needs to be designed and implemented, IT resources need to learn how to use and support the technology, users need to learn how to effectively use the technology, infrastructure may need to be upgraded, enhanced or even completely replaced. I could go on, but hopefully you get the point.
And that's just the technology aspect. How do you pay for the new technology? How do you deal with senior management that's afraid of change? How do you realign your human resources to support the new technology? Do you need more people? How are you going to pay for them? Again, I could go on and on.
My point is not that IT shouldn't innovate or support new technologies. It's that if you just deliver a pallet full of iPads to the loading dock and start handing them out (or open the doors to unknown, untrustworthy personal devices) without the appropriate planning, engineering and implementation, you're setting yourself up to fail.
This was pretty much the argument used by IBM 25 years ago to keep cheap commodity PCs out of the enterprise. MS used it to keep Macs out of the office even though Macs were more solidly built than the crap many offices used to run MS software. Yet commodity PCs took over the office, and Macs were integrated by the IT staff of the time.
Now, I will entertain the idea that modern IT people are not nearly as clever as 20 years ago. I mean, what do you need to know nowadays, how to plug in a cable, randomly check GUI boxes, and say "Have you turned the computer off and on"? But then given the level of standards and integration between all equipment that exists, I can't really imagine that such support should be beyond the budgets and ability of even the most unqualified IT department.
You're a moron. I tell you what. You come and do my job for one week...no, you couldn't handle an hour unless it was lunch hour! I don't know you, but based on two paragraphs I can tell that you couldn't engineer your way out of a paper bag in an enterprise IT environment.
That you're too stupid to find a better job is no one's fault but your own. The company is fucking you up the ass like a cheap whore and all you're doing is asking them to shove it in deeper. They know you'll put up with anything they do to you without even a peep and they've wringing you for all you're worth. Then when you finally snap and hang yourself they'll find another moron to fill your space.
So stop blaming everyone else and instead actually get rid of what's making you miserable. Stop being a rug for every single person who wants to step on you. Grow a damn spine already.
First of all, I *like* my job. I've spent most of my career as an IT consultant, both on my own and working for small and large consulting organizations. As such, I've worked at many different organizations and the job I currently have, while it does have certain downsides, provides me with a number of advantages and perquisites.
I have extensive experience in a variety of areas within IT, and am gaining experience in others at this job. I am not help desk or desktop support, rather I am an engineer, architect, analyst and 3rd level support. I choose to be here. If I like I could move to many other jobs which might not include as many hours, or as much responsibility. For the moment, however, I'm getting experience that I couldn't get elsewhere due to the structure of the organization. Also, and very importantly, I have a wonderful boss who works even harder than I do. My compensation is considerable, which is a consideration, of course, but I also like to be challenged to improve myself. All that said, why don't you make me that latte I ordered and shut the fuck up?
My point, for jerkboy was that not all IT folks, as he put it, are "...spending their 8-5 lamenting the ignorance of the office staff (mixed in with an inordinate amount of smoke breaks)." In fact, smart, resourceful and competent folks work very hard to make IT work because IT (as has been pointed out over and over on this thread) is generally understaffed, underfunded and requires a lot of hard work. You've heard of hard work, I assume? I also point out (since reading comprehension doesn't seem to be your strong suit) that rather than complaining, I asked, how many hours a day your fellow jackass works as a comparison.
A couple of questions for you, and I'll use small words so you'll be sure to understand: Who is this "everyone" I'm blaming, and where exactly in my post do I attempt to lay this blame? And where did I say I was miserable either? Since you clearly didn't understand the implications of what I wrote, I'll dumb it down for you -- I contrasted my own current experience with the mindless garbage spewed by Mr. Dumbass. Get it now, brainless one?
In any case, rather than ignore your half-witted attempt to critique my employment choices, I'll say again, this time to you: Fuck you jerk!
Have a nice day!
Primarily dealing with end users, they are ignorant (not stupid most of the time)
And what's the problem again? Nearly all people who bring their cars in for service can't service it themselves. They are ignorant. No harm in that...that's why we have IT departments. It's the IT department spending their 8-5 lamenting the ignorance of the office staff (mixed in with an inordinate amount of smoke breaks) instead of, you know, helping them that makes everyone hate IT.
You know, I work at least ten hours a day every weekday and often 12-14 hours a day. I haven't had a weekend completely off in *months*. Why is that? Because we have ten people running a global IT infrastructure. People think it's fine to call me at 10PM because it's only 7PM on the West coast. If our folks in Asia are having a problem at 2PM, it's 1AM for me and I'm expected to resolve the issue post haste.
I'm on salary and do not receive overtime. Why do I do this? Because it's my job. Because if a job is worth doing, it's worth doing properly. How many hours a day do you work, scumbag?
And so, to sum up, fuck you, jerk!
No, in my experience it is IT's insistence on security practices with zero thought about how this will impact the end user. A few examples: I was looking after a Jenkins server for a project we were running. Jenkins was running on the latest version of Tomcat with a Java 6 runtime. However, due to customer requirements there was also a Java 5 runtime which was being used to generate the build. IT felt the need to uninstall the JDK 5 and upgrade the machine's Java 6 (to the version with Oracle in its name). The removal didn't update the JAVA_HOME directory, causing Tomcat not to work. They decided to do this just as we were starting an Integration & Test phase for a major release. The Jenkins server was linked to me on their records, but at no point did they think to mention it to me. Same Jenkins server: this was running fine and suddenly the builds started failing. 3 hours of investigation later I found out it's because the Jenkins server password had been changed. Never mind that the server username was the name of the project (e.g. projectXYZ). IT came up with a new policy which stated all server accounts needed to be > 48 characters, and they had changed them all without notifying a single person on the project. How about when IT decided that in a software house no one needed Admin access, which would be fine except they tried to forbid admin access on projects which were developing software that required Admin access (for a number of reasons)? Those projects had to go up to the business director and have him shout at the IT head to fix it. Or the fact that they decided no one should have USB. A great idea, except I was working on an embedded project (along with a dozen other projects) which required an unencrypted USB stick to load the software onto the test rig. Once they realised how many people had a problem they tried to limit it. But when you're working on a 5 man team, only allowing 1 person to transfer files causes you to lose a lot of man hours.
I can think of dozens of other examples, none of which were dictated by upper management. People hate IT because IT doesn't look at how to better help people work.
These issues are not an indictment of the IT staff; rather, they very clearly show a lack of Change Control processes. That may well be IT's fault, but they may just be implementing edicts (or their understanding of same) from upper management. Either way, it does suck. However, instead of just bitching about how IT is fucking you over repeatedly, why not do something productive like reviewing IT policies and making sure that your team is in compliance? If exceptions are required to do the business of the organization, then make the case for the exceptions.
You might even do something breathtakingly rational (a pipe dream, I'm sure) like cultivating relationships with IT staff and management and work *with* them to create change control policies that don't put the business at risk.
Four extensive experiences with IT. Three were very, very bad. I've eliminated the everyday he-said she-said stuff. One to the good: IT explained, click-by-click ("push button down and hold down"), how to make it work. 1 bad: never returned calls. Calls... voice to voice... live. Never happened. 2 bad: the one IT in-person meeting was full of 13-year-old 'dismissive' body language by the IT people (rolling of eyes, etc.... if you're a parent, you know it when you see it). Everyone noticed and still refers to it as a Career-Shortening Gesture. 3 bad: Christmas Party of 2007.
I hope you don't need to write anything as a key part of your job. I read your post three times and I'm *still* not exactly sure what the hell you're talking about. If English is not your native language, I apologize. If it is, I pity you.
However, as I've seen in many places, your time costs money to the company, but it's not money from MY budget! Going "out of the way" for a single person or even just a few is not "cost effective" to IT because it __increases__ IT's budget (which is already considered over-inflated). Never made sense to me, but if IT can save 10% (say $100,000, just for a number) of its budget by causing other departments to increase their budgets (say by a total of $200,000), then "so be it", because separate budgets are approved separately and increasing the users' budgets doesn't get IT yelled at by corporate management. Stupid and short-sighted. Blame it on the bean counters who put the various departments into conflict to reduce budgets for their individual departments without any concern about collateral damage.
I wish I'd read this before I posted a response to an earlier (more thoughtful) comment (cf. my comments) about this. It's a *good* thing to force business units to pony up for one-off technologies because you can compare their costs against the revenue they generate. With IT, it's just a cost center and, as far as many (certainly not all) C-Level types are concerned, needs to be cut to the bone.
That said, it is stupid to put departments in competition with each other. In the end, all the budgets come from the same pool of money. At the job I mentioned above (see link), this was so rampant that when IT had *millions* of dollars worth of surplus equipment (from a failed IT project), other departments would purchase new equipment rather than just assume the depreciation costs associated with equipment *we already owned*. It made no economic sense from a company perspective, but each manager with a budget was only concerned with *their* budget and not with the overall profitability of the company. Now *that's* short-sighted and stupid -- with nary an IT person in sight. Sigh!
Your comments are fine; I agree. We'll meet you half way once you help us get the budget to do it.
This reminds me of my first big company (70,000 employees) job back in the mid 90s. I was a Unix Admin/evangelist in a primarily mainframe shop. We had a pretty clear standard for implementing new technologies -- The first guy over the bridge pays to build the bridge.
This cut way back on the jackasses who wanted the "latest and greatest" just because some sales moron who needed to make his quota that month told him/her that they just "had to have" whatever crap they happened to be selling. When you have to justify the expense well enough that you will spend part of your own budget, there is a much greater likelihood that it will actually be something that will enhance the business, not just the latest crap that the 36DD sales lady with the short skirt and no gag reflex wants to sell you.
I said: You can take a published string and make it a reasonably secure passphrase by adding enough entropy to it, but you still have to remember the entropy that you've added. Why not just start with a diceware passphrase and memorize the entropy directly? I think that's still a valid point. How well can you misremember a quote? What is the maximum Hamming distance between the original quote and a passphrase that you can remember? If you can remember 64 or more bits of entropy to add to an existing quote, you might as well remember a shorter diceware passphrase with the same entropy. Additionally, how secret is your choice of source material? You can only have a finite number of books in your house, and a larger but finite number within driving distance. The likelihood of you traveling far and wide to generate a passphrase is pretty low. Can you be sure that Echelon didn't record the text (or at least the URLs) it's seen you fetch over your Internet connection? Reducing the search space to only a few thousand sources makes the problem almost embarrassingly simple. Build a probabilistic model of your writing/typing and then use it to find the nearest likely passphrases generated by altering the substrings of sources to better fit your writing style. Most likely you don't choose truly randomly from a set of altered quotes; you look for things in the text that seem easy to remember if they are changed, or that trigger some other memory that makes it easier to remember the other changes. Humans are bad at generating truly random text.
Not being a cryptographer by trade, I'll take your word for it. However, I suspect that my suggestion would keep most folks out of PMITA prison, assuming they're not forced to divulge the key.
Unless, of course, the US Government wants to get you badly enough to initiate surveillance complete enough to identify *all* the IP addresses that you specifically have used and when, grab the data collected via Echelon, search your house and identify every book you have, every book you've ever had, every book you borrowed from libraries, friends, enemies, etc., identify every song, poem, doggerel, Spoonerism ('one swell foop' comes to mind), etc., etc., etc. you've ever heard, read or sung and analyze all of it to figure out what you *might* be using for an encryption key; then I'm thinking they're going to get you no matter what.
As is pointed out here, we all break the law pretty much every day. So, assuming I'm not considered the next Osama bin Laden, I think my TV, Furry, axle-grease fetish porn is safe.
I don't mean to sound derisive, I sincerely admire your level of paranoia. I like to think of myself as pretty paranoid when it comes to InfoSec matters, but I guess I'm out of my class here. Thank you for your interesting, if (IMHO) rather extreme point of view. It's definitely food for thought.
Then don't put stuff that would require such measures on your phone. Why would you do so anyway?
My phone accesses many of the same resources my desktop does. Virtually all the online services I use, VPNs, and wireless access points I use... hell, I even remote to my own desktop from my phone.
To be honest, other than a BIOS boot password on my desktop PC, I'm hard pressed to think of a password I'd never have to enter on my phone...
The discussion is about law enforcement whining about cracking encryption, not how to compromise your own security. I guess law enforcement in your area will have no problem discovering whatever it is that will put you in PMITA prison.
Good luck using your phone to log into your desktop from jail. I guess we'll be hearing from you again when you get out.
It takes a pretty exceptional human to actually remember a useful crypto key
Not really. How hard is it to remember a paragraph from your favorite novel or lyrics from a popular song?
That is not a key, that is a pass-phrase.
A key is a "random" file with 16k-bytes of numbers. It is only not random when compared to another 16k-byte file that is its key pair.
The pass-phrase protects the key file, but things are encrypted with the key, not the pass-phrase.
If you destroy the key, which is the only thing protected with the pass-phrase, then none of the files can ever be recovered. This is what the GP is speaking of.
The GP is correct that keys are damn near impossible to commit to memory. It's so difficult, I don't see why anyone would try -- rather just create an extremely long passphrase to encrypt the key. That said, one *could* use song lyrics and such directly as an encryption key, making my point valid, as long as the software you use allows it.
A minor point -- Crypto keys are, "In encryption, a key specifies the particular transformation of plaintext into ciphertext, or vice versa during decryption." I'm not sure where in the definition that a key is either "random" or "16k-bytes of numbers." Perhaps you could show me the part I missed.
It's obviously foolish to use public text verbatim as a key. Common Crawl has a 40 TB dataset that costs approximately $150 to MapReduce on EC2. Any key that happens to be a (reasonably short, say under 1KB) substring of that data costs $150 to break. Any key within a short Hamming distance of a substring in that database costs roughly 2^hamming_distance more to break; two changed bytes is only worth $600. I imagine that large organizations who care have much larger databases including the text of most published books. It's such an obvious idea, and until you realize that attackers have access to all the public source data that you do, it sounds like a good idea to just pick a random string from a book to use as a passphrase. Don't kid yourself; no matter how obscure or unpopular a song is, there will be lyrics for it somewhere on the Internet, not to mention in published books. You can take a published string and make it a reasonably secure passphrase by adding enough entropy to it, but you still have to remember the entropy that you've added. Why not just start with a diceware passphrase and memorize the entropy directly?
I guess reading comprehension isn't your strong suit. I'll assume that you are an ESL person rather than a moron. I said:
...It's even better if you *mis-remember* the quote/lyrics so that you're the only one who would come up with the result even if someone tried to brute force the key by scanning all your books and listening to all your music.
Get it now?
It's even better if you *mis-remember* the quote/lyrics
Who knew that kissthisguy.com would become the #1 password dictionary.
That's exactly the kind of stuff I was talking about. You know what you *think* the lyrics are, and once you add punctuation and some deliberate mistakes, even plain language crackers will have an awful time of it.
The only disadvantage is that such a long passphrase is quite annoying
Or you have to enter it in on a phone. And I don't want to ever have to do that on a phone.
Then don't put stuff that would require such measures on your phone. Why would you do so anyway? If someone gains physical control over your mobile device, even incredibly long passphrases become crackable. Especially if the government or police have physical control of said device. They will (presumably) exist for the centuries it would take to crack long passphrases.
I was going to comment that this doesn't make a good key because human languages have so much redundancy and therefore rather little entropy per word, but then I actually checked and came to the opposite conclusion: While an n-bit paragraph wouldn't make a good n-bit key, a much longer paragraph actually does. If we assume 7-8 bits of entropy per word (a number a quick Google search turned up), then your examples would all make for very good 256-bit keys.
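The arithmetic behind the Common Crawl cost model a few posts up and the bits-per-word estimate in this post, as an added Python example that is not from any poster. The $150 corpus scan, the doubling per changed byte, the 7-8 bits per English word and the 7776-word diceware list are the figures quoted in the thread; the function names and the secure dice roller are assumptions of this example.

```python
"""Passphrase entropy and cracking-cost arithmetic from the thread above.

Added example, not from any poster. Figures taken from the posts: $150 to
scan the 40 TB Common Crawl corpus, cost doubling once per changed byte,
7-8 bits of entropy per English word, and a 7776-word (five-dice) diceware list.
"""
import math
import secrets

CORPUS_SCAN_COST_USD = 150          # one pass over the public corpus (from the post)
DICEWARE_LIST_SIZE = 6 ** 5         # 7776 words; each word is five dice rolls
BITS_PER_DICEWARE_WORD = math.log2(DICEWARE_LIST_SIZE)   # ~12.92 bits
ENGLISH_BITS_PER_WORD = (7.0, 8.0)  # the range quoted in the post


def quote_crack_cost(changed_bytes: int) -> float:
    """Cost to break a passphrase that is a public substring with a few bytes changed.

    Uses the post's rule of thumb: one corpus scan, doubled once per changed byte.
    """
    return CORPUS_SCAN_COST_USD * 2 ** changed_bytes


def diceware_bits(n_words: int) -> float:
    """Entropy of n words drawn uniformly (by dice) from the public diceware list."""
    return n_words * BITS_PER_DICEWARE_WORD


def english_bits(n_words: int) -> tuple:
    """Low/high entropy estimate for n words of natural English prose."""
    lo, hi = ENGLISH_BITS_PER_WORD
    return (n_words * lo, n_words * hi)


def words_needed(target_bits: float, bits_per_word: float) -> int:
    """Smallest word count whose estimated entropy reaches target_bits."""
    return math.ceil(target_bits / bits_per_word)


def diceware_equivalent(memorized_bits: float) -> int:
    """Diceware words carrying the same entropy as the edits you must memorize on a quote."""
    return math.ceil(memorized_bits / BITS_PER_DICEWARE_WORD)


def roll_diceware_indices(n_words: int) -> list:
    """Five secure dice rolls per word, the standard diceware lookup key (e.g. "36125").

    The word list is as public as any book; the secrecy comes entirely from the rolls,
    which is why secrets (not random) is used.
    """
    return ["".join(str(secrets.randbelow(6) + 1) for _ in range(5)) for _ in range(n_words)]


if __name__ == "__main__":
    print(f"two changed bytes in a public quote: ${quote_crack_cost(2):,.0f}")
    lo, hi = english_bits(40)
    print(f"40 words of English: {lo:.0f}-{hi:.0f} bits")
    print(f"words for 256 bits: English {words_needed(256, 7)}-{words_needed(256, 8)}, "
          f"diceware {words_needed(256, BITS_PER_DICEWARE_WORD)}")
    print(f"64 memorized bits of edits = {diceware_equivalent(64)} diceware words")
    print("example diceware rolls:", roll_diceware_indices(3))
```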
The only disadvantage is that such a long passphrase is quite annoying if you have to type it often, and it's hard to type correctly at speed if you can't see what you've written on the screen.
Agreed. It's a pain in the ass to type such a long passphrase. *However*, if you want to keep your cocaine sales records or your child porn safe, I expect that it would be worth it.
My point was in relation to the OP who made the incredibly stupid claim that long passphrases are hard to remember.
It takes a pretty exceptional human to actually remember a useful crypto key
Not really. How hard is to remember a paragraph from your favorite novel or lyrics from a popular song. It's even better if you *mis-remember* the quote/lyrics so that you're the only one who would come up with the result even if someone tried to brute force the key by scanning all your books and listening to all your music.
Perhaps something like:
While the music played you worked by candle light, those San Francisco nights - you were the best in town, Just by chance you crossed the diamond with the pearl, you turned it on the world, that's when you turned the world around
Or maybe:
I was alone I took a ride, I didn't know what I would find there. Another road where maybe I could see another kind of mind there. ooh and I suddenly see you, ooh did I tell you I need you? Every single day of my life.
Try and brute force those keys. Using punctuation makes it even harder. And these are the first verses to well known songs. Use the third verse of an obscure song (one you don't like would be even better). The music makes it much easier to remember and just about anyone can remember songs/lyrics.
Some people just have zero imagination. Sigh!
A subatomic particle, like its companion, the fermione
Somehow related to the hermione I'm guessing? Ouch! That really hurt. I'm giving myself a time out for that one!
I have tried a myriad of different things. Under the pillow, strapped to my leg, it just doesn't work for me. On the nights I am on call, I sleep on the couch. I would be interested to see different approaches.
Crystal Meth?
As opposed to leveraging a monopoly position in web search to dominate the mobile phone market by giving away a free product that competitors can't afford to compete with on price? This situation seems familiar...
I'd just point out that Microsoft (or Nokia or Apple, for that matter) can license Android for free and compete with the other Android phone makers. How is that leveraging a monopoly position? "Hey, let's dominate the market by giving away GPL'd software and licensing the non-GPL'd code for free!" Please.
Or, even better, if you can get their fax number how about full-color Goatse in the mail or by fax? By email too, but Goatse coming out of a fax machine seems like it would be a nice gift to send them.
Doesn't KDE run on Windows these days? You could probably just run KMail directly...
It sure does. cf. The Cygwin Project
iPhone encryption is the issue. Anyone who gains physical access to your iPhone can quite easily access whatever data is on that device, emails included. Just google for "iphone encryption" and you'll find more articles and even videos about how easy it is to bypass this encryption than there are about the encryption itself. Just to clarify here -- the biggest risk is the iPhone itself.
Are you reading from an old data sheet?
http://developer.apple.com/library/ios/#featuredarticles/FA_Exchange_ActiveSync_and_iOS4_Devices/Introduction/Introduction.html
Actually, ActiveSync isn't the issue. iPhone encryption is the issue. If you can bypass the screen lock, iOS will transparently decrypt any encrypted data on your iPhone, including your ActiveSync/Exchange email.
I see your link and raise you this one
6. You know it's encrypted because you googled iPhones and know that any iPhone 3GS or above has encrypted memory that can be hacked quite easily
FTFY
Really.
Really.
Easily.
Say'n what? That you buy into marketing hype that cannot possibly be true? First I've heard of them, but reading their claims for what they can do for iPad/iPhone devices... hahaha, bullshit :)
I don't buy into the marketing hype. I did something which may be alien to you. I *implemented* it. And not by my choice either.
I'll also point out that I mentioned, in another post in this thread, that GFE is crappy software. The only advantage it has over every other competing product is that it provides strong encryption on-board the iPhone/iPad/Android. That's critical for my organization and the *only* way we would allow those devices to store company emails. I don't really like it. It has many quirks and doesn't always work. However, it does, substantially, what my organization needs it to do.
So stop talking out of your ass. You're stinking up the place. Have a nice day!
This has been the IT Challenge since VisiCalc sold Apple ][s.
If you want to have a bitch session about it, I'm not entirely without sympathy. Just don't let it blind you from forming real strategies to meet the challenge.
Maybe I got lucky. I got to watch our Burroughs mainframe high priests do nothing but bitch while the workers gave up on them and bought and tended their own DOS boxes. In a very few years those priests were gone. It was a sharp lesson. You've got to deliver what your internal clients want, or you're history.
You're 126.4% correct. However, it's insecure and foolish to attempt supporting products that you do not have the skill sets to succeed with. As I (and others) mentioned in earlier posts on this thread, the way it goes is that if you allow something into your environment, 95% of the time that's tantamount to sending a broadcast to the entire organization that whatever it is is now fully supported (and supportable) by IT.
I have no problem implementing new or existing technologies which can improve performance and, most importantly, the bottom line of my organization. Introducing technologies which cannot be effectively supported (and effectively supporting something means having the skills, processes and resources to do so) is only going to be detrimental to the entire organization. Please note that I'm talking about *large* organizations.
Identifying and implementing technologies that can enhance the ability of users to *do their jobs* is a core function of IT. If your IT organization isn't doing that, they're doing it wrong. That said, implementation is more than just installing the software or hardware and tweaking the configuration. Processes need to be developed, redundancy and fail-over needs to be designed and implemented, IT resources need to learn how to use and support the technology, users need to learn how to effectively use the technology, infrastructure may need to be upgraded, enhanced or even completely replaced. I could go on, but hopefully you get the point.
And that's just the technology aspect. How do you pay for the new technology? How do you deal with senior management that's afraid of change? How do you realign your human resources to support the new technology? Do you need more people? How are you going to pay for them? Again, I could go on and on.
My point is not that IT shouldn't innovate or support new technologies. It's that if you just deliver a pallet full of iPads to the loading dock and start handing them out (or open the doors to unknown, untrustworthy personal devices) without the appropriate planning, engineering and implementation, you're setting yourself up to fail.
This was pretty much the argument used by IBM 25 years ago to keep cheap commodity PCs out of the enterprise. MS used it to keep Macs out of the office even though Macs were more solidly built than the crap many offices used to run MS software. Yet commodity PCs took over the office, and Macs were integrated by the IT staff of the time.
Now, I will entertain the idea that modern IT people are not nearly as clever as 20 years ago. I mean, what do you need to know nowadays: how to plug in a cable, randomly check GUI boxes, and say "Have you turned the computer off and on"? But then, given the level of standards and integration between all equipment that exists, I can't really imagine that such support should be beyond the budgets and ability of even the most unqualified IT department.
You're a moron. I tell you what. You come and do my job for one week...no, you couldn't handle an hour unless it was lunch hour! I don't know you, but based on two paragraphs I can tell that you couldn't engineer your way out of a paper bag in an enterprise IT environment.