Policies that require frequent password changes lead me to:
- pick easy to remember (and therefore easy to guess) passwords
- restrict the character space I use in passwords, e.g. when special characters are required I pick from only 2 special chars.
- Reuse passwords. I have about 20 different password-protected accounts for work, all are changed every 90 days, except the one system where the requirement is 60 days. That's over 80 passwords per year. As a result I use 1 password for internal systems and 1 for external, so at any time there are only 2 passwords I need to remember.
- Write down passwords. Sometimes it seems as if just as I'm getting to the point where a password is really ingrained, where I can get it on the first try even before caffeine, it's time to replace it with a new password. So you better believe I write them down.
Frequently changing passwords excludes adherence to most other security good practices.
This is all true but password changes do reveal password compromises.
the most unreliable.
That is why you buy in the sweet spot for best value and let someone else prove new technologies and HD densities for you..
I would want one for?
trying to navigate all of Microsoft's many convoluted username/password schemes.
For the love of all that is holy.. consolidate some of these logins, Microsoft!
Funny how "cheap" never seems to apply to their salaries and bonuses though.
Of course not! They are adding value and if they weren't sufficiently compensated they would take their talent elsewhere!
In this day and age, companies need to realize that they run on IT. If your IT infrastructure fails, your company comes to a halt and you lose money!
It is amazing to me how many companies do not realize this until they suffer a major outage.
I like to think that it is because many senior managers are still of the generation that did not grow up with computers being a central part of their lives/businesses.
However, the generation coming up now that has had that is almost as bad but in the other direction -- they want to use computers / tablets / phones / the cloud etc. for everything and are very quick to adopt new devices / apps / services... with very little thought to the long term viability, reliability, or maintainability of those products.
It is really time for IT to get a seat at the grownups' table. Many companies don't have senior IT management and, at many of the ones that do, they report to the CFO.. not directly to the top. And when is the last time a CIO was a candidate for a CEO transition outside a pure tech company? Probably never.
IT is a dead end in most places.
What do we do when buildings and bridges fail, or when an aircraft falls out of the sky? We should do something like that. In a more enlightened age, we'd have the NTSB-equivalent for massive IT failures.
Having some minimum standards that are required for both the systems themselves and the people working on them would be great.
IT needs to get much more professional but that would mean doing battle with all the companies/lobbyists who like IT being cheap, easily outsourced (in the short term), and with a bunch of cowboys who don't want to unionize or group themselves under a true professional group in any way.
That embarrassment will make sure they hire more staff and put more money in IT funding.
You haven't worked in enterprise IT for long, have you? An embarrassment like this will make them flog their existing staff harder, insist on more metrics to measure performance, more boxes on the audit form to tick, more mandatory unpaid overtime. But little chance they'll actually spend more money on the IT cost center.
Sadly true in most cases.
In most organizations whose businesses are not IT related, the only time anyone powerful enough to do anything about it cares about IT is when it breaks.
When things are working, what do we need more IT expenditures for?
When things are not working, why did we spend what we did?
I wish I had never gotten into this "career".
I hope they maintain their aircraft better than their computer systems and terminals. It sure doesn't inspire confidence.
These people are just incompetent and should be fired immediately. Uptime is a solved problem if you engineer well.
You can be relatively sure they do the absolute bare minimum like every company does with their "cost centers".
People have been convinced they want cheap everything so the MBAs turn the screws down really good..
some people have way too much money.
I say this as a Star Trek fan too.
Maybe you've heard of Hyperloop?
I've heard of it but I haven't seen it yet..
one of BlackBerry's selling points was that they were secure end to end and even they could not see messages being transferred through their NOC by enterprise customers who had their own keys installed on BES?
Apple's stand on encryption is the correct one. You can't backdoor encryption and have only the "good guys" have access.
Anyone who believes that is a realistic possibility is idiotic.
SHOCKED!!
Not really. We all knew she'd get away with it, right?
Take advantage of the suckers buying a new car every three years and pick up a really nice used car and save your money.
For cyber security to be any worse in general?
Er, considering that we seem to have not been operating on an ideal version of any system, anyone could argue "well if things were done right, they would be good."
The first step towards doing things right is realizing that what we're doing now isn't working and trying to find a solution.
Corruption in general and regulatory capture specifically are completely out of control.
Pulling up the ladder behind you is a STAPLE of the current tech company leadership.
Not just tech company leadership.
A *lot* of people have had a good long drink of the greed is good/Reaganomics/Greenspan business philosophy Kool-Aid.
No amount of failure seems to convince them of the problems with it.
Good luck regulating math, morons.
They need to hijack all network and file operations, so they do need hooks in the kernel. But these should be minimal, passing the data down to a sandbox without even peeking inside. The fact that data which is *expected to be malicious* is allowed to interact directly with kernel level code is definitely FUBAR.
That is a good point.
Obviously they do need to be in the kernel to check the operations, but the way you have broken it down makes a lot more sense than actually parsing items that are suspected of being malicious in kernel mode.
Pretty sad when convenience trumps security even in a security product.
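The design point in the exchange above (keep the privileged hook minimal, parse the suspect bytes somewhere a crash cannot hurt), shown as an added example in C. It is not code from any of the commenters or from any AV product. Everything in it is an assumption for illustration: the toy record format, the handler table, the "EVIL" signature, the sample inputs, and the use of an ordinary process plus rlimit/prctl as a stand-in for the kernel side and a real sandbox. The parser keeps a deliberate bug (an unchecked, attacker-controlled table index) so the difference between parsing in the privileged component and parsing in a child is visible: in-process the bug kills the whole scanner, in the child it yields a contained failure and a -1 verdict.

```c
#define _GNU_SOURCE            /* POSIX/Linux declarations under strict -std modes */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <sys/resource.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Constructed toy record format (an assumption for this example only):
 *   byte 0     : record type, selects a handler
 *   bytes 1..n : payload
 * Verdict is 1 ("malicious") if a text record contains the constructed
 * signature "EVIL", otherwise 0.
 */
typedef int (*record_handler)(const unsigned char *payload, size_t len);

static int handle_empty(const unsigned char *payload, size_t len)
{
    (void)payload; (void)len;
    return 0;
}

static int handle_text(const unsigned char *payload, size_t len)
{
    static const unsigned char sig[4] = { 'E', 'V', 'I', 'L' };
    for (size_t i = 0; i + sizeof sig <= len; i++)
        if (memcmp(payload + i, sig, sizeof sig) == 0)
            return 1;
    return 0;
}

/* Only types 0 and 1 have handlers; every other slot is NULL. */
static const record_handler handlers[256] = { handle_empty, handle_text };

/* Bug kept on purpose: the attacker-controlled type byte indexes the table
 * with no check that a handler exists, so an unknown type calls a NULL
 * function pointer and the calling process dies with SIGSEGV. Inside a
 * kernel driver that is a system crash (or a foothold); inside a sandboxed
 * child it is a dead child and nothing more.
 */
int parse_verdict(const unsigned char *data, size_t len)
{
    if (len == 0)
        return 0;
    return handlers[data[0]](data + 1, len - 1);
}

/* Privileged side: hands the bytes to a separate, de-privileged process and
 * never interprets them itself. Returns 0 (clean), 1 (malicious) or -1
 * (parser crashed, was killed, or produced no verdict).
 */
int scan_sandboxed(const unsigned char *data, size_t len)
{
    int fd[2];
    if (pipe(fd) != 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(fd[0]); close(fd[1]);
        return -1;
    }

    if (pid == 0) {                       /* child: the sandbox */
        close(fd[0]);
        struct rlimit zero = { 0, 0 }, cpu = { 1, 1 };
        setrlimit(RLIMIT_FSIZE, &zero);   /* cannot write files */
        setrlimit(RLIMIT_NPROC, &zero);   /* cannot spawn (non-root) */
        setrlimit(RLIMIT_CPU, &cpu);      /* runaway parsing gets killed */
#ifdef __linux__
        prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0); /* no setuid escalation */
#endif
        unsigned char verdict = (unsigned char)parse_verdict(data, len);
        ssize_t w = write(fd[1], &verdict, 1);
        _exit(w == 1 ? 0 : 1);
    }

    close(fd[1]);                         /* parent: the privileged side */
    unsigned char verdict = 0;
    ssize_t n = read(fd[0], &verdict, 1); /* EOF (n == 0) if the child died */
    close(fd[0]);
    int status = 0;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (n != 1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0)
        return -1;                        /* crash contained; report failure */
    return verdict;
}

/* Constructed sample inputs: not real malware, not a real signature. */
const unsigned char SAMPLE_CLEAN[]     = { 0x01, 'h', 'e', 'l', 'l', 'o' };
const unsigned char SAMPLE_EVIL[]      = { 0x01, 'x', 'E', 'V', 'I', 'L', 'x' };
const unsigned char SAMPLE_MALFORMED[] = { 0x7f, 'a', 'b' }; /* type with no handler */

int main(void)
{
    printf("clean     -> %d\n", scan_sandboxed(SAMPLE_CLEAN, sizeof SAMPLE_CLEAN));
    printf("evil      -> %d\n", scan_sandboxed(SAMPLE_EVIL, sizeof SAMPLE_EVIL));
    printf("malformed -> %d (parser died in the sandbox; scanner survived)\n",
           scan_sandboxed(SAMPLE_MALFORMED, sizeof SAMPLE_MALFORMED));
    /* Calling parse_verdict(SAMPLE_MALFORMED, ...) directly here would take
     * this whole process down; that is the in-kernel situation. */
    return 0;
}
```

The rlimit and no_new_privs calls only narrow what a compromised child can do; a production sandbox would add a seccomp filter, namespaces or a dedicated low-privilege account, and the privileged side would also bound the size of what it forwards. The part that carries over unchanged is the shape: the hook copies bytes out and reads back one small verdict, and a parser bug costs a child process rather than the kernel.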
of someone else making everything Elon Musk blows hot air about.
Sure Facebook, we believe you.
LeBron should have used an Elon Musk speech.
Get with the times LeBron!
Really. I mean it.
Let me know when he has *done* something. I mean other than take the attention and credit.
In the meantime maybe we could hear something of substance from the people actually doing the work?
The system for taking down content is obviously set up to be abused because no content owner could possibly keep up with all the postings.
This ship has sailed and Google gets to keep the lion's share of the $.
Teslas have been floating on government subsidies for years.
Impossible. Elon is a visionary business genius. Everyone in the media tells me so.