Slashdot Mirror


User: Dudio

Dudio's activity in the archive.

Stories
0
Comments
157

Comments · 157

  1. Re:Social Engineering is all but unstoppable on Social Engineering Still Best Way to Crack Security · · Score: 1

    Telling users never to write down a password is a bad approach, IMO. Far better is to tell them "if you have to write down your password to remember it, treat the piece of paper on which you write it as you would a credit card." In other words, put it in your wallet, don't let others borrow it, and if it is lost, make sure to change it immediately. If you prohibit them from writing them down at all, your chances of getting them to choose relatively secure passwords are close to slim and none.

  2. Re:Read the link til the end. It's hilarious! on Are Rebates Scandalous? · · Score: 1

    The older (pre-1990s) Straight Dope columns tend to be pretty amusing in general. Cecil's wit was more raw back then, and he never hesitated to sling insults around like Mardi Gras beads on Fat Tuesday. It's a shame his style has moderated in the last 10 years or so, as that was at least half the attraction of the column for me.

  3. Re:rebates are a total waste of time on Are Rebates Scandalous? · · Score: 5, Interesting

    You're forgetting another key advantage to the seller - rebates generate float. Put simply, they hold your money in interest-bearing investments until the point, 6-8 weeks after the purchase, at which you receive and cash the rebate check. This is why, unlike mail/internet orders that also say to allow 6-8 weeks for delivery yet typically are delivered within 10 days, rebate checks invariably take the full 6-8 week period to actually arrive in your mailbox. Also notice how the checks are always drawn on obscure banks in places like Lake Lillian, MN; this gives them an extra day or two of interest while the check waits to be cleared after you deposit it. The Straight Dope goes into this in more detail.

  4. Re:But how did he get _that much_ inside informati on "Time-Traveler" Busted For Insider Trading · · Score: 1

    You also can accelerate the process greatly by making use of leverage (i.e. buying on margin). Of course, a true time traveller might have trouble providing the necessary credit history to set up a margin account...

  5. Re:Darn label! on Senator Calls For Copy-Protection Tags · · Score: 1

    Sweet! Thanks, man.

  6. Re:Darn label! on Senator Calls For Copy-Protection Tags · · Score: 1

    I would love to get a copy of that. Is it online somewhere?

  7. Re:Darn label! on Senator Calls For Copy-Protection Tags · · Score: 1

    I have a (legitimate) copy of Empire Deluxe from sometime in the early 90s that I still play occasionally, so I invariably install it whenever I get a new personal machine. It uses a copy protection scheme that blocks installation or configuration unless you can provide a specified word from the manual (e.g. "What is the 4th word on the 2nd line of page 37?"). Unfortunately, I lost the manual years ago. However, since the copy protection prompt helpfully provides the first letter of the desired word, I spend a few minutes cursing at the thing while making educated guesses at the word ([t]errain, [i]nfantry, [a]ttack, etc.) Great example of useless copy protection - it only takes a couple minutes' persistence to defeat, but annoys the hell out of anybody who tries to reinstall it (even if you keep your manuals, you have to root through all your years-old computer crap to find the right one).

  8. Re:Weather on Amazon Sells IPAQs for $10 · · Score: 1

    They are the same. For those too lazy to click through the link, the 100-degree thermometer (freezing point of water - boiling point of water) was called Centigrade until 1948, when it was renamed in honor of its inventor, Anders Celsius. Presumably you can figure out on your own why they called the 100-grade thermometer "Centigrade".

  9. Re:Ugh on WebDAV Buffer Overflow Attack Compromises IIS 5.0 · · Score: 1

    Basically, there could be another bug in another dll of windows that WebDAV may someday call, and the same security hole is open again. Especially worrisome since a single software install/update could place a new DLL in place that contains the bug...

    Good point. This is why anybody who doesn't need WebDAV should disable it immediately, even if they already applied the patch. Patching specific vulnerabilities while leaving the attack vectors in place is just asking for trouble. I'm still amazed at the number of IIS admins who continue to leave the default script mappings and virtual directories in place while insisting that they're secure because they patched that .ida thing and the MSADC thing and that other thing.

  10. Re:Ugh on WebDAV Buffer Overflow Attack Compromises IIS 5.0 · · Score: 2, Informative

    My guess is that the root of the problem is in ntdll.dll, but it could be mitigated by filtering WebDAV requests using the URLScan utility.

    Yup. According to the ISS advisory, the overflow is "in a path conversion function within NtDLL, which is called from a common API exported from the Kernel32 library." WebDAV is just the attack vector. Filtering WebDAV requests removes the known remote attack vector, but you really need to patch the underlying problem (ntdll) in order to be sure.
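The two comments above make one point between them: filtering the WebDAV verbs at the front door closes the known remote vector, and the default IIS script mappings are further vectors that a plain web server never needed. The filter below is an added example in the spirit of URLScan, not URLScan's code or configuration and not anything from the page; the verb allow-list, extension deny-list, path prefixes and URL cap are assumptions chosen for the demonstration, and the sample request lines are constructed, not captured traffic.

```python
"""
Front-door request filter in the spirit of URLScan (added example; not
URLScan's code or configuration).  Refuses non-web verbs so WebDAV requests
never reach the server's path-conversion code, caps URL length, and refuses
the default IIS 5 script mappings.  All lists and limits are assumptions.
"""
import re
from urllib.parse import unquote

ALLOWED_VERBS = {"GET", "HEAD", "POST"}   # allow-list: PROPFIND, SEARCH, LOCK... are out
DENIED_EXTENSIONS = {".ida", ".idq", ".htr", ".htw", ".idc", ".printer",
                     ".stm", ".shtm", ".shtml"}          # default ISAPI mappings
DENIED_PREFIXES = ("/msadc/", "/scripts/", "/_vti_bin/", "/iisadmpwd/")
MAX_URL = 16000                           # assumed cap, far below the ~64 KB WebDAV requests

_REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/1\.[01]\r?$")


def check_request_line(line: str):
    """Return (allowed, reason) for one raw request line such as
    'GET /index.htm HTTP/1.1'.  Cheap checks (verb, length) run before
    any decoding so oversized input is rejected without being parsed."""
    m = _REQUEST_LINE.match(line)
    if not m:
        return False, "malformed request line"
    verb, url = m.group(1), m.group(2)
    if verb not in ALLOWED_VERBS:
        return False, f"verb {verb} not allowed"
    if len(url) > MAX_URL:
        return False, f"URL length {len(url)} > {MAX_URL}"
    # decode once before matching so '%2e'-style encodings cannot dodge the lists
    path = unquote(url.split("?", 1)[0]).lower()
    if path.startswith(DENIED_PREFIXES):
        return False, "path under denied prefix"
    name = path.rsplit("/", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    if ext in DENIED_EXTENSIONS:
        return False, f"extension {ext} denied"
    return True, "ok"


SAMPLE_REQUESTS = [  # constructed for the example, not captured traffic
    "GET /default.htm HTTP/1.1",
    "PROPFIND / HTTP/1.1",
    "GET /" + "A" * 65000 + " HTTP/1.1",
    "GET /default.ida?XXXX HTTP/1.0",
    "GET /msadc/msadcs.dll HTTP/1.0",
    "GET /scripts/..%2e/winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "POST /app/submit.asp HTTP/1.1",
]


def audit(lines=SAMPLE_REQUESTS):
    """Run the filter over request lines; returns (line prefix, allowed, reason)."""
    return [(line[:40], *check_request_line(line)) for line in lines]


if __name__ == "__main__":
    for prefix, allowed, reason in audit():
        print("ALLOW" if allowed else "DENY ", reason, "::", prefix)
```

As the second comment says, this only removes the vector: a request that reaches the vulnerable path-conversion routine some other way still hits the unpatched ntdll, so the filter is a complement to the patch, not a substitute.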

  11. Re:conspiracy theorist on Flash Security Hole · · Score: 2, Interesting

    I didn't see anything posted to the lists (Bugtraq, Vulnwatch, Full Disclosure, etc.) about this either, until the Gentoo announcement yesterday. For an issue Macromedia calls critical, they sure are being quiet about it.

  12. Re:MOD UP on Citibank Tries to Hush ATM Crypto Vulnerability · · Score: 1

    Of course security professionals didn't think this up. The marketing guys convinced them that nobody would stand for a PIN like {44EC053A-400F-11D0-9DCD-00A0C90391D3}. Remember that PINs have to be simple enough that even PHBs can remember them. This rules out pretty much everything more complicated than the 4-digit numeric we're all used to.

  13. Re:This was covered at k5 also on Citibank Tries to Hush ATM Crypto Vulnerability · · Score: 5, Informative

    Mostly it affects where banks choose your PIN for you (which happens in the UK among other places) based upon a hash of your account number.

    While technically true, the catch is that this applies to a lot of PINs, even those chosen by the cardholder. When you set your own PIN, the bank just stores an offset that is used in conjunction with the autogenerated PIN. The vulnerability paper goes into this in section 3.
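The offset arithmetic the comment describes, as an added example (not code from the page or from the paper it refers to, which the page does not name). The scheme simulated is the IBM 3624 offset method, which I assume is the one under discussion: the bank derives a "natural" PIN from the account number and, when the cardholder picks a different PIN, stores only the digit-wise difference. Real issuers do the derivation by encrypting the account number under a DES PIN-derivation key inside an HSM and decimalising the result; an HMAC stands in for that step here, which is an assumption that changes nothing about the offset logic. Going beyond the comment, `recover_digit_set()` shows one reason the offset buys nothing: a verification oracle that accepts a caller-supplied decimalisation table leaks which digits the natural PIN contains, and the stored offset then maps that straight onto the chosen PIN. The account number, key and PIN values are constructed.

```python
"""
IBM 3624-style PIN offset scheme, simulated (added example).  HMAC stands in
for the HSM's DES PIN-derivation step; PAN, key and PINs are constructed.
"""
import hashlib
import hmac

PIN_LEN = 4
DEFAULT_DECTAB = "0123456789012345"   # hex digit 0..f -> decimal digit
PDK = b"demo pin derivation key"      # stand-in for the key held inside the HSM


def natural_pin(pan: str, dectab: str = DEFAULT_DECTAB) -> str:
    """Bank-derived PIN: first PIN_LEN hex digits of the keyed transform of
    the account number, each mapped through the decimalisation table."""
    hexdigest = hmac.new(PDK, pan.encode(), hashlib.sha256).hexdigest()
    return "".join(dectab[int(h, 16)] for h in hexdigest[:PIN_LEN])


def add_digits(a: str, b: str) -> str:
    """Digit-wise addition mod 10 with no carries: how the offset is applied."""
    return "".join(str((int(x) + int(y)) % 10) for x, y in zip(a, b))


def make_offset(pan: str, chosen_pin: str) -> str:
    """What the bank stores when a cardholder picks a PIN: chosen - natural."""
    nat = natural_pin(pan)
    return "".join(str((int(c) - int(n)) % 10) for c, n in zip(chosen_pin, nat))


def hsm_verify(pan: str, dectab: str, offset: str, trial_pin: str) -> bool:
    """Verification as an HSM exposes it: the caller passes the decimalisation
    table and the offset along with the trial PIN."""
    return add_digits(natural_pin(pan, dectab), offset) == trial_pin


def recover_digit_set(pan: str) -> set:
    """First phase of a decimalisation-table attack using only hsm_verify().
    For each decimal digit d, build a table mapping to 1 exactly the hex values
    the real table maps to d, and to 0 everywhere else.  The natural PIN under
    that table is 0000 iff d does not occur in the real natural PIN, so ten
    oracle calls with trial PIN 0000 and offset 0000 reveal which digits occur."""
    present = set()
    for d in "0123456789":
        probe = "".join("1" if t == d else "0" for t in DEFAULT_DECTAB)
        if not hsm_verify(pan, probe, "0000", "0000"):
            present.add(d)
    return present


def demo(pan: str = "4000123412341234", chosen: str = "7391"):
    """Issue a card with a chosen PIN, then show the offset adds nothing
    against an attacker who learns or narrows down the natural PIN."""
    offset = make_offset(pan, chosen)
    assert hsm_verify(pan, DEFAULT_DECTAB, offset, chosen)
    nat = natural_pin(pan)
    assert add_digits(nat, offset) == chosen   # natural PIN + stored offset = chosen PIN
    return nat, offset, recover_digit_set(pan)


if __name__ == "__main__":
    nat, offset, digits = demo()
    print("natural PIN:", nat, "stored offset:", offset, "digits leaked:", sorted(digits))
```

The offset is not a secret in this scheme (it is commonly kept on the card or in the issuer database), so anything that recovers or narrows the natural PIN applies equally to a cardholder-chosen one. The usual hardening is for the HSM to refuse caller-supplied decimalisation tables, or to accept only one fixed table, so the probe in `recover_digit_set()` is rejected.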

  14. Re:Take days off? on Negative Effects of Workplace Net Monitoring · · Score: 1

    I've been arguing this very point around here for a couple of years now. If your people are inclined to fuck off around the office, they are going to find a way to do it, whether it's surfing the web, talking on the phone, reading the paper, hanging around the water cooler or simply staring off into space. Trying to restrict any or all of these things does nothing to motivate the unmotivated, while at the same time reducing the motivation of the productive people by sending the message that management doesn't trust them.

    In the case of IT workers, filtering web access can significantly reduce their ability to do their jobs by making it prohibitively difficult to perform routine research. Typical blocked categories include such things as eCommerce, personal website portals, usenet archives and hacker sites. To the suits, there is no reason anybody would need these to do their jobs. But what if I need to buy a book to get up to speed on a new technology? What if Google points me to a Geocities page that appears to answer fully the question I have on some obscure technical topic? What if I want to search usenet archives for some inscrutable Windows error that I can't find on MSDN? What if I'm trying to figure out if some new IE vulnerability affects me, and the discoverer's site is classified as a hacker site?

    The answer around here is "if you can demonstrate that you need access to this site and your manager will sign off on it, we will either let you access this specific site or print off a hardcopy of the document for you." Unfortunately, this does nothing to help me research similar things in the future. What it does do very effectively is instill in the employees resentment against the corporate bureaucracy, and rob them of any inclination to do more than the absolute minimum required to get a paycheck.

    Managers need to identify which employees are pulling their weight and which are not, and focus their efforts on the laggards while staying out of the way of the performers. Micromanaging the whole team is not the way to get people to work harder.

  15. Re:Admit it! on Negative Effects of Workplace Net Monitoring · · Score: 3, Funny

    I thought it was the other way around...

  16. Re:Shorter than average life on IBM 600 Series Laptops and Flaky Batteries? · · Score: 1

    Nah; marketing droids can pique interest in anything. It'd more likely go something like this:

    Is one of the largest global technology companies ripping YOU off? If you use a laptop computer, you won't want to miss this revealing exposé! Channel 5 investigates at 10.

  17. Re:As I said in a previous post... on MS SQL Server Worm Wreaking Havoc · · Score: 5, Interesting

    I wouldn't say firewalls make people lazy; it's more a problem of people not understanding security.

    These people are just as likely to say things like "I'm 3DES encrypting my data, so there's no way anybody can read it", because they fail to understand the meaning of statements like "cracking 3DES is computationally infeasible". When you try to explain to them that their webserver and applications are much more likely to be their weakness than their encryption algorithm, they give you blank looks and mutter about the Computerworld article that said 3DES is "unbreakable encryption". It's not a problem with 3DES (or any strong algorithm); it's a problem with people not understanding that any security measure can be negated by poor design in other parts of their architecture.

    It's the same thing with firewalls. Only the unknowledgeable would drop in a firewall and then go off to the bar to celebrate their newly "secure" network. That doesn't mean that the firewall is useless; it is still a crucial tool for securing one's network. The problem is the people who have no idea how to use the tool properly, and no concept of what a real-world attack actually looks like.

  18. Re:32K games? on Phantom Game Console · · Score: 5, Insightful

    I wonder if they count variations as separate games like Sears used to do with their versions of Atari 2600 cartridges. I remember the Space Invaders label boasted something like "120 Games!", which meant standard, moving bunkers, no bunkers, invisible invaders, fast missiles, zigzagging missiles, moving bunkers + fast missiles, moving bunkers + zigzagging missiles, moving bunkers + fast missiles + zigzagging missiles, etc.

  19. Re:The new Piers Anthony? on Top 10 New Sci-Fi/SF Authors? · · Score: 1

    Ummmm ... the laws and cultural taboos against paedophilia? He makes it pretty clear that he believes that the wishes of a 13-year-old trump any societal desire to protect her from her own innocence.

    That's not what I had in mind though; I'd conveniently forgotten about that aspect, disturbing as it is. I was thinking about the rest of his not-so-subtle commentary on treatment of refugees and migrant workers, mindless bureaucracy and corruption in government, a political system that strongly favors incumbents and those beholden to special interests, and violent opposition to those seeking to change the status quo.

  20. Re:The new Piers Anthony? on Top 10 New Sci-Fi/SF Authors? · · Score: 1

    I kinda dug the Bio of a Space Tyrant series too. Yeah, it was a thinly veiled commentary on US politics, but it was still pretty entertaining reading.

  21. Re:Edison was a jerk on Slashback: :CueCat, Exercise, Wormage · · Score: 1

    Don't forget the electric hammer. Everybody knows Edison only got credit for that because Homer left it behind in the museum.

  22. Re:Flavor- Who gives a F-ck. This is sick on Lab-Grown Steak · · Score: 1

    Nah. We still need them for leather. This way we can go back to the noble tradition of killing animals solely for their hides.

  23. Re:Making this really useful on Redesigning The "Back" Button · · Score: 1

    You could whip up a series of pages that drop a cookie and then navigate to the next script in the series. The pages would return different content depending on the cookie's value (which would indicate which pages had already been accessed), and the last one in the series would use window.history.go() to return to the original page, at which point the Forward list will have been populated. If/when the user visits one of the pages on the Forward list, the page(server-side script) would see from the cookie that he had already been there and return some sort of content (presumably something useful like pr0n, x10 ads or goatse traps).
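The server side of the chain the comment sketches, as an added example (not code from the page). Each `/hop/<i>` page marks itself in a `seen` cookie bitmask and sends the browser on to the next hop; the last hop sends the browser back past all of them to the starting page, which leaves the hops sitting on the Forward list, and a hop that is requested again (a Forward click) returns different content. The paths, cookie name, hop count and the onload-plus-timer navigation are assumptions; whether a given browser records a navigation issued during page load as a new history entry is browser-dependent, which is why the navigation is deferred until after load here. `simulate()` is a constructed client so the chain can be exercised offline.

```python
"""
Forward-history priming chain (added example).  handle() is the server-side
script for GET /hop/<i>; simulate() is a constructed client that walks it.
Paths, cookie name and hop count are assumptions.
"""
HOPS = 3
COOKIE = "seen"


def _page(body: str, title: str) -> str:
    return f"<html><head><title>{title}</title></head><body>{body}</body></html>"


def handle(path: str, cookies: dict) -> dict:
    """Serve one hop.  Returns {'status', 'set_cookie', 'body'} the way a
    minimal WSGI app would; cookies maps cookie name -> value."""
    if not path.startswith("/hop/"):
        return {"status": 404, "set_cookie": None, "body": "not found"}
    i = int(path[len("/hop/"):])
    seen = int(cookies.get(COOKIE, "0"))
    if seen & (1 << i):
        # second visit: the user came forward into the primed list
        return {"status": 200, "set_cookie": None,
                "body": _page(f"you came back to hop {i}", "surprise")}
    seen |= 1 << i
    if i + 1 < HOPS:
        # defer the navigation until after load so it is recorded in history
        nav = (f'<script>window.onload=function(){{setTimeout(function(){{'
               f'location.href="/hop/{i + 1}"}},0)}}</script>')
    else:
        # HOPS entries were pushed; go back past all of them to the origin page
        nav = f"<script>window.onload=function(){{history.go(-{HOPS})}}</script>"
    return {"status": 200, "set_cookie": f"{COOKIE}={seen}", "body": _page(nav, f"hop {i}")}


def simulate(start: str = "/hop/0"):
    """Constructed client: follow the chain from `start`, then request hop 1
    again as a Forward click would.  Returns (chain bodies, revisit body, cookies)."""
    cookies, path, chain = {}, start, []
    for _ in range(HOPS):
        resp = handle(path, cookies)
        if resp["set_cookie"]:
            name, value = resp["set_cookie"].split("=", 1)
            cookies[name] = value
        chain.append(resp["body"])
        path = f"/hop/{len(chain)}"
    revisit = handle("/hop/1", cookies)["body"]
    return chain, revisit, cookies


if __name__ == "__main__":
    chain, revisit, cookies = simulate()
    print("cookie after chain:", cookies)
    print("last hop page:", chain[-1])
    print("forward click on hop 1:", revisit)
```

The bitmask cookie is what lets a stateless script tell a first visit from a Forward click; nothing about the trick needs server-side session storage.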

  24. Re:no.. it is "Back" on Redesigning The "Back" Button · · Score: 1

    He didn't say anything about going home; he said he was backtracking towards home. So, if point C is a dead-end at a river, you might go back to point B (towards home) and from there take the left fork towards point D instead of the right fork to point C that you took initially.

  25. Re:WHY? on Redesigning The "Back" Button · · Score: 1

    Hmmph. I was going to post something similar to the parent (Undo == Back), but this is interesting. I guess it's a matter of how one conceptualizes Back/Undo then. I always looked at it as analogous to going back to a prior point in a sequence of events, from which point one chooses a new sequence going forward. I guess some (e.g. emacs users) look at it as forward progress through a sequence of events that happens to reverse the effects of prior events in the sequence. Maybe this would make for a good user configurable option ([X] Back/Undo erases events from history)?