I had to CRACK my way out...
on
Disconnecting
·
· Score: 1
Some years ago I had a hardware problem, my modem burnt out, and in the hope that it would soon be solved I didn't cancelled my ISP subscription right away.
But as it happened, I went without a modem for some months and decided to cancel my ISP. Called them and cancelled it. At least I thought it was cancelled.
Some months latter I received another invoice from it. I called the ISP and was patched through to the OWNER himself. Great, this guy should be able to solve my problem.
He said, "look, you've terminated the service, but our system registered a login from you last month and AUTOMATICALLY re-opened your account." I said that I didn't logged-in and that even if I did the ISP had NO AUTHORITY to automatically sign me in. Then I went on saying that I didn't have any modem available and that he must be mistaken.
This was, it seems, the last drop for him. "We don't make mistakes," he said. "Someone clearly logged-in using your password... if it wasn't you, then you gave it to somebody else."
Since no one had my password, I told him that if that was the case, if someone CLEARLY logged-in with my password, that his system got a security flaw.
He said some ramblings, curses, bad words and all and that his "system is 100% secure. You don't believe it? Take your best shot. If you get in, it's free internet for you for the rest of your life."
Of course I got in, but not before getting what he said in a clear written and signed statement. While I walked into his office after his secretary announced me, I could hear him cursing. I went in and said "Here is your password list, shove it, don't want your crapy service!"
I've used BSCW to do shared workspace on a relatively large project. You have to consider, though, that my job was managing BSCW, not actually using it, but the people that used said it was great.
All the people involved were at the same state, but some of them were a city away.
BSCW is based on Python and the server can run on Windblows NT/2000 and most U*NIX. The instalation and configuration are really straightforward and the user interface is quite easy to understand.
Well, you could use ssh inside your shell scripts, just use DSA or RSA for authentication. You could say that it would be a pain to install OpenSSH (or any other SSH, FTM) on every system inside your net, and I agree with that. *BUT* I don't recommend using non-encrypted protocols even inside a secure network, just because it's never really as secure as we'd like it to be, there's always someone with DSniff and such.
In a large unix shop I consulted for, the directors said "we want security", to which I replied "ok, but there are implications...". Long story short, they changed every script they had to comply with the new security policy: no unencrypted sensitive data. And that means, no telnet, no r* tools, no ftp, et al.
I don't know how high-profile your father's clients are, but don't forget that cracking WEP is a days (hours?) matter.
If the clients are high-profile, it's more likely that someone would want to have (or alter) data that are so confidential as these, but even if their are not, there's always someone wanting to disrupt and make a mess.
Medical records are very sensitive information. Don't leave it unencrypted (or badly encrypted). Can you imagine the damage that an altered blood type could cause? Or some information about a disease a person has?
Slashdot Mirror
Some years ago I had a hardware problem, my modem burnt out, and in the hope that it would soon be solved I didn't cancelled my ISP subscription right away.
But as it happened, I went without a modem for some months and decided to cancel my ISP. Called them and cancelled it. At least I thought it was cancelled.
Some months latter I received another invoice from it. I called the ISP and was patched through to the OWNER himself. Great, this guy should be able to solve my problem.
He said, "look, you've terminated the service, but our system registered a login from you last month and AUTOMATICALLY re-opened your account." I said that I didn't logged-in and that even if I did the ISP had NO AUTHORITY to automatically sign me in. Then I went on saying that I didn't have any modem available and that he must be mistaken.
This was, it seems, the last drop for him. "We don't make mistakes," he said. "Someone clearly logged-in using your password... if it wasn't you, then you gave it to somebody else."
Since no one had my password, I told him that if that was the case, if someone CLEARLY logged-in with my password, that his system got a security flaw.
He said some ramblings, curses, bad words and all and that his "system is 100% secure. You don't believe it? Take your best shot. If you get in, it's free internet for you for the rest of your life."
Of course I got in, but not before getting what he said in a clear written and signed statement. While I walked into his office after his secretary announced me, I could hear him cursing. I went in and said "Here is your password list, shove it, don't want your crapy service!"
Aaahh, the satisfaction of being disconnected!
I've used BSCW to do shared workspace on a relatively large project. You have to consider, though, that my job was managing BSCW, not actually using it, but the people that used said it was great.
All the people involved were at the same state, but some of them were a city away.
BSCW is based on Python and the server can run on Windblows NT/2000 and most U*NIX. The instalation and configuration are really straightforward and the user interface is quite easy to understand.
Well, you could use ssh inside your shell scripts, just use DSA or RSA for authentication. You could say that it would be a pain to install OpenSSH (or any other SSH, FTM) on every system inside your net, and I agree with that. *BUT* I don't recommend using non-encrypted protocols even inside a secure network, just because it's never really as secure as we'd like it to be, there's always someone with DSniff and such.
In a large unix shop I consulted for, the directors said "we want security", to which I replied "ok, but there are implications...". Long story short, they changed every script they had to comply with the new security policy: no unencrypted sensitive data. And that means, no telnet, no r* tools, no ftp, et al.
I don't know how high-profile your father's clients are, but don't forget that cracking WEP is a days (hours?) matter.
If the clients are high-profile, it's more likely that someone would want to have (or alter) data that are so confidential as these, but even if their are not, there's always someone wanting to disrupt and make a mess.
Medical records are very sensitive information. Don't leave it unencrypted (or badly encrypted). Can you imagine the damage that an altered blood type could cause? Or some information about a disease a person has?
Be careful here, ok?!