• doc0tis (unregistered) in reply to noehch
    noehch:

    Okay...so, what you're implying is that a PostIt, with user/pass, isn't a WTF 'cause it only can allow physical security to be compromised? I doubt many will agree with you.

    Now...you may not have meant to imply that...but, the relationship (through comparison) was made at the end of the initial post...

    Alex Papadimoulis:
    It was the perfect addition to the name and passwords that many laptop users had taped to the top of their screen. And just as secure.

    It may not be a shocker...but, simply pointing out that the director of security didn't learn from the mistakes of idiots in business--and even improved on the stupidity--still makes it a WTF. Especially, after considering the cost comparison between a simple account management system to making [possibly] pointless the security measures done by an [assuming] external agency that had to be paid.

    Ok, my initial reaction may have been too strong. It *is* a bad policy, but still secures the computer system, unless there is physical access. I do believe that sticky notes with user/pass is a terrible idea.

    But... the point I didn't make well in my initial post was, this is probably not their least secure issue.

    I've worked for my Federal gov't and they've got these SecureID's and this is probably one of the more secure policies (at least they've got VPN). Try the good ole social engineering: phone in, say you're from the IT dept and ask for their user/pass; it'll work 90+% of the time. This is a far larger security concern than having the SecureID's attached to the laptop.

    --doc0tis

  • (cs) in reply to some schlepp
    Anonymous:

    I'm disappointed that nobody mentioned the obvious solution:

    Place the postit (with login and password), and rsa key face down on a wooden table, next to a sign saying "turn over for access", take a picture, print, and tape to top of monitor!

    You, sir, are the kind of person that makes me disappointed that The Daily WTF forums do not allow me to mark a "5, Funny" on posts :)

  • Anonymouse (unregistered) in reply to JamesKilton
    JamesKilton:

    Anonymous:
    "Oblivity"?

    Aye, good word.

    No quack.

  • Olddog (unregistered) in reply to doc0tis

    Security and Convenience should never be used in the same context. It's either one or the other - never both.

  • (cs) in reply to KattMan
    KattMan:
    The constantly changing passcode is what is on the keyfob, fully displayed, no need to remember it.  It changes once every 60 seconds.  If you are a slow typer, most of these have a countdown bar to show how long before the next change happens so you can wait for it to change and have a full 60 seconds to type it in and submit.
    I'm pretty certain that's not necessary because the server will accept not only a single code but those before and after it (maybe even a bigger window) in the sequence as well to allow for clock drift on the token and synchronize the server to it. A typical quartz clock has a drift of about a second per month. You don't want the token to become useless after a year.
  • (cs) in reply to Lionstone
    Anonymous:

    Ouch.

     And this guy is DIRECTOR of security? *sigh*

    Usually such positions are more of a Director of Risk Management (aka CYA). They make sure that the company can't get sued, or at least won't lose, when something inevitably goes wrong, even if it's actually their fault. Total cluelessness in technical matters never seems to stop them from exerting their authority though.

    Anonymous:

    The weak (or stupid) get electrocuted and are subsequently found slumping over their laptops, twitching, enduring a (hopefully) long and excruciatingly painful death.

    Sadly, 19V/5A is only enough to give you a nice buzz, if your skin is already moist.

    Anonymous:
    Anonymous:

    Perhaps winning a Darwin Award in the process?

    As long as it's postha.... posthum... $*#&%@ ... after they die!

    Er, there's no such thing as a Darwin Award given while alive. Posthumus, btw. (Even that bright young lad from the interview story, who drove off a cliff for want of a squeegeeing, would warrant only an honorable mention.)

    Anonymous:

    Anonymous:
    Somehow carrying a laptop, a securID, and a power brick is less convenient than carrying a laptop and a securID?

    Perchance, did you mean "less convenient than carrying a laptop and power brick"?

    Uh, no dude. Half the point of having a laptop is not having to cart the damn brick around with you everywhere. Unless it's some kind of P4HT beast with a battery life measured in minutes. Or maybe I'm misreading the intention of the post, it only seems to make sense if "less" is replaced by "more".

  • Krenn (unregistered)

    Sheesh.

    Do these people not have lanyards with their photo ID on them?  Just hang the bloody thing off the lanyard as well.  Need a token?  Just flip the card upwards with the left hand while keying with the right.  After a while it becomes reflexive, and I should know, I have to punch in a token code about 30 times a day as I bounce between servers.

    Attaching a SecurID token to a real key chain is a BAD idea, too - the impact of the keys tends to break them quickly.

  • (cs) in reply to foxyshadis
    foxyshadis:
    Anonymous:
    Anonymous:

    Perhaps winning a Darwin Award in the process?

    As long as it's postha.... posthum... $*#&%@ ... after they die!

    Er, there's no such thing as a Darwin Award given while alive. Posthumus, btw. (Even that bright young lad from the interview story, who drove off a cliff for want of a squeegeeing, would warrant only an honorable mention.)

    The Darwin Awards are for people who remove themselves from the gene pool, not necessarily die. They do occasionally give them out to people who sterilise or castrate themselves, too.
  • Tom Dibble (unregistered) in reply to brazzy
    brazzy:
    KattMan:
    The constantly changing passcode is what is on the keyfob, fully displayed, no need to remember it.  It changes once every 60 seconds.  If you are a slow typer, most of these have a countdown bar to show how long before the next change happens so you can wait for it to change and have a full 60 seconds to type it in and submit.
    I'm pretty certain that's not necessary because the server will accept not only a single code but those before and after it (maybe even a bigger window) in the sequence as well to allow for clock drift on the token and synchronize the server to it. A typical quartz clock has a drift of about a second per month. You don't want the token to become useless after a year.

    Hmm.

    Well, in my experience it is fairly common for the server to not accept the code immediately after it changes and/or right before it is about to change.  This happened to me twice in five years of using the buggers (once not accepting a just-changed code, the other time not accepting an about-to-expire code), and each time required a call in to IT to re-sync my fob with what the server expected ("Okay, now let me know right when it changes ...").  The third time it happened I decided to just live with it and "smell the roses" until one bar of the display was gone.

    So, no, I don't think it'll accept old and/or nascent codes, just the one which is currently being displayed.  Of course, that might be a configurable option on the IT dept's side, or it might be a vendor-specific detail (ours were RSA, just like what you see in the picture, although they've changed since).
  • woohoo (unregistered) in reply to JamesKilton
    JamesKilton:
    Well a customer I'm working for has a per-user prefix along with the RSA dongle, so that's a bit more secure than this.

    a per-user prefix, which will be - without doubt - taped to the screen on 90% of the notebooks... *g*

    and don't all be so harsh with the security guy - after all, the picture is blurry, which will throw all the bad guys off the scent ;o))

    captcha: mustache - ok, ok, if I've got to grow one to post here, so be it...

  • (cs) in reply to foxyshadis
    foxyshadis:
    Er, there's no such thing as a Darwin Award given while alive. Posthumus, btw. (Even that bright young lad from the interview story, who drove off a cliff for want of a squeegeeing, would warrant only an honorable mention.)

    It's not common, but once every year or two someone gets a Darwin for losing their reproductive organs in a particularly stupid manner.
  • Walter (unregistered) in reply to OneFactor
    OneFactor:

    Reminds me of my university days before I knew anything about encryption. We were told by the unix admins to use SSH rather than RSH to connect from one machine to another because SSH was "more secure" and that RSH would no longer be supported in about a month. So we switched but it bothered me that SSH worked "just like" RSH. I didn't know much but I did know that the SSH scheme ought to involve generating keys and using passPHRASES which do NOT get sent over the network.  But we just logged in, entered our username and passWORD after connecting just like we did before.

    So I read the man pages and learned how to generate public-private keys and get SSH to use these keys (that was a fun learning experience). What puzzled me was why I could remote log in with SSH before setting up my keys. But then I learned that SSH could be configured by admins to default to RSH protocol in the absence of any keys though the man pages warned that in this case all the security benefits of SSH would be lost. I asked the admins if they were planning to eventually disable the "default to RSH in the absence of keys" thus forcing users to generate keys and benefit from the extra security. After all, if they are going to disable the RSH command due to security reasons, what sense is there in having SSH default to the insecure RSH protocol in the absence of keys? They told me that it would be too much trouble to get everyone to generate keys and train people out of using passwords. They also said that they didn't generate keys or anything. They just used SSH instead of RSH and typed passwords in just like usual.

    So the net result was that people experienced a slight inconvenience (typing ssh instead of rsh), received no actual benefit or protection, but believed themselves to be secure. And to think that the wikipedians suggest that the http://en.wikipedia.org/wiki/Security_theater is a recent phenomenon.

    Um, afaik SSH never uses the RSH protocol, even if you use passwords. You still have end-to-end encryption even when using password login over SSH, it doesn't require you to generate public and private keys.

  • woohoo (unregistered) in reply to Olddog
    Anonymous:
    Security and Convenience should never be used in the same context. It's either one or the other - never both.

    I think that unfortunately the infamous security history of windows is to blame, especially the fact that up to and including win98 there was nothing like user account management and no user was forced to log in. I know quite some people who find the login process of their win2000 or win xp "inconvenient" ("I never had to do this in win 3.11/95/98") and are therefore using admin accounts without passwords and the like.... it's really terrifying how illiterate most of the end users are when it comes to security, and windows is partly to blame for that. security directors are seemingly to be blamed for the rest ;o))

  • Franz Kafka (unregistered) in reply to woohoo
    Anonymous:
    Anonymous:
    Security and Convenience should never be used in the same context. It's either one or the other - never both.

    I think that unfortunately the infamous security history of windows is to blame, especially the fact that up to and including win98 there was nothing like user account management and no user was forced to log in. I know quite some people who find the login process of their win2000 or win xp "inconvenient" ("I never had to do this in win 3.11/95/98") and are therefore using admin accounts without passwords and the like.... it's really terrifying how illiterate most of the end users are when it comes to security, and windows is partly to blame for that. security directors are seemingly to be blamed for the rest ;o))

    Simple solution for most people: no password. This won't work in corporate land, but it'll help you if you're one of those people running xp at home. If you have no password, you can't authenticate over the network, so it's better than a crappy password.

  • (cs) in reply to Calli Arcale
    Anonymous:

    That said, it frustrates me whenever I see somebody do things like this.  We all like to moan about IT, but IT deserves a chance to moan at us users too, because of things like this.  There is no system so secure that some impatient user can't compromise it.

    While true, there's something to be said for physical smart cards (such that removing the card from the slot terminates your session immediately), combined with a regular sweep through random parts of the building at lunchtime every day, confiscating every unattended smart card you find. The hassle of having to go and get a new smart card from security tends to rapidly teach people not to leave the damn things lying around. Doesn't solve the laptop problem though...

    What I'm waiting for is somebody to invent a smart card that can be chained to an iron collar around the user's neck. 

  • (cs) in reply to Reed
    Anonymous:

    At least with SSH passwords aren't sent over the network in pure plain text, which prevents casual network sniffing etc.

    No it doesn't. See sshmitm, from dsniff (which also contains tools for busting the switch barrier, or even crossing several ISPs). Only an intelligent user who understands how ssh works and validates their host keys can prevent casual network sniffing. Nothing will help an ignorant user, except possibly a cluestick.

  • SuzieQ (unregistered) in reply to Krenn
    Anonymous:

    Sheesh.

    Do these people not have lanyards with their photo ID on them?  Just hang the bloody thing off the lanyard as well.  Need a token?  Just flip the card upwards with the left hand while keying with the right.  After a while it becomes reflexive, and I should know, I have to punch in a token code about 30 times a day as I bounce between servers.

    Attaching a SecurID token to a real key chain is a BAD idea, too - the impact of the keys tends to break them quickly.

    I worked for a company once that expressly forbade us from attaching any access key or RSA device to our ID badges, lanyards etc. on the basis that, if we lost our ID, then someone could find our building (based on the company name) and get access.

    The security guy was driven crazy trying to enforce this rule.

  • Michael Snyder (unregistered) in reply to webzter

    <shameless plug>

    At my company, we write a VPN that can pull your credentials from winlogon so the user isn't inconvenienced more and tempted to write down their passwords.  We can also use RSA fobs or force users to enter a second set of credentials for the VPN if you like.

    www.nmwco.com

    </shameless plug>

    I have heard of worse.  One financial institution deployed active directory with null DACLs on everything because "windows is not secure, why pretend". 

  • CraigB (unregistered) in reply to Olddog

    I disagree slightly.

    Secure - Convenient - Cheap ---- pick any two.

    You can make a secure and convenient system but it will cost a lot.

    B

  • (cs)

    I am not quite certain that I see the WTF in this posting.

    If users had taped their password to the top of their screen, that is a HUGE WTF. It is so huge, that it does not really matter what they do with their RSA tokens.

    But if we assume that they did not write down their passwords, then I do not see any security risk. They have a two part authentication: something they know (the password) and something they have (the RSA token). Unless the laptop is a third part to the authentication, e.g. because it contains a certificate, the security is not really reduced if the RSA token is attached to the laptop. That is, if they could connect from any computer (if the correct client is installed, etc.), then attaching the RSA token to the laptop is no more than a convenience to the hacker. The danger is when you attach the two parts that they need to authenticate together (e.g. writing the password on the back of the RSA token or indeed attaching password and RSA token to the laptop); there is no danger in attaching only one part to the laptop.

    In fact one could argue that it has the positive effect of making it more likely that users notice if their RSA token has been stolen (because they miss their laptop).

  • Erk (unregistered) in reply to KattMan

    As a matter of fact, I've used that kind of dongle and the system I used it on required username, password, 4 number secret pin and the changing number from the dongle.  But then again, this was remote access via a web browser via... I think Citrix... (not sure about that name though).

    /E

  • the HairOfMy ChinnyChinChin (unregistered) in reply to OneFactor

    OneFactor wrote:

    But then I learned that SSH could be configured by admins to default to RSH protocol in the absence of any keys though the man pages warned that in this case all the security benefits of SSH would be lost.

    I'm not an expert on ssh but I think there's a little confusion here.

    First, I think that by default ssh won't fall back to RSH. I think it will only do so if it's configured to do so.

    Second, I think that even if configured to fall back to rsh, I don't think it will unless the server doesn't have ssh at all, in which case you weren't going to be able to do better than rsh anyway.

    Third I think there are two different sets of keys being referred to here. The server has a public key. When you connect to the server the first thing ssh does is request the public key from the server. If this is the first time you've connected to this server then ssh will show you the fingerprint of the key supposedly sent by the server. If you have the fingerprint written down you can check it to see if it's right and thereby confirm that someone isn't playing a man in the middle attack on you. If you verify the fingerprint then ssh records that fingerprint in a file so that when you connect in the future your ssh can verify that there is no man in the middle without you having to bother checking the fingerprint manually. All further communication is now encrypted so you can enter your username and password securely. The server's public key can also be installed on all the workstations by the administrators before the first connection so you would never see the fingerprint verification process (but you still have to enter your username and password so the server knows it's you).

    However since usernames and passwords are a little slow and not always too secure, you can use a different option instead. You can have a keypair generated and installed on the client(or your usb flash drive) and server so that instead of using username and password the server can authenticate you using your keypair. This is a different keypair than the server uses for the initial connection and is unique to each user like a username and password are.

    I personally don't use a keypair for login because I think it's a minor vulnerability to leave my keypair lying around in the clear on my workstation where it could be compromised at any time. I don't log in to my remote server too often so there's a significant chance that if my workstation was compromised I would discover it before a keylogger got the chance to get my username and password. If I was logging in to my remote systems a lot though, I might go ahead and set up a keypair and accept the minor extra risk for the faster login process.

    Another advantage of a keypair is that it's longer and more random than a password. I just use nice long random passwords. ssh can't accept login attempts all that fast so a 10 or 15 digit random password should be plenty. Beware about making your passwords too short though because ssh servers are routinely hit with attempts to simply go through huge numbers of passwords. They take advantage of the fact that many login attempts can be made simultaneously and thus many more passwords can be checked than you might imagine. I think current ssh servers have taken measures to mitigate this risk.

    The thought of using rsh instead of ssh gives me shivers. Brrrrrrrr.
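
The host-key check described in the post above (first-contact fingerprint, then a known_hosts record that catches a changed key) as an added example; this is not code from the thread or from OpenSSH, and the 32-byte Ed25519 key bytes, host name and fingerprint values are constructed for the demo:

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_line(raw_key: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH 'ssh-ed25519 <base64 blob> <comment>' line from a raw
    32-byte public key. The key bytes are constructed here; a real one comes
    from ssh-keygen on the server."""
    if len(raw_key) != 32:
        raise ValueError("ed25519 public keys are 32 bytes")
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(pubkey_line: str) -> str:
    """OpenSSH-style fingerprint: 'SHA256:' plus the unpadded base64 of the
    SHA-256 digest over the decoded key blob. This is the string a user
    compares against a copy obtained out of band on first contact."""
    _keytype, b64, *_ = pubkey_line.split()
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


class KnownHosts:
    """Minimal trust-on-first-use store, the role ~/.ssh/known_hosts plays."""

    def __init__(self):
        self.entries = {}   # host -> (key type, base64 blob)

    def check(self, host: str, pubkey_line: str, expected_fp=None) -> str:
        """Decide whether the key a host just presented may be trusted.
        Returns a verdict string so the caller can explain the outcome."""
        keytype, b64, *_ = pubkey_line.split()
        stored = self.entries.get(host)
        if stored is None:
            # First contact: the only thing that can rule out a man in the
            # middle is a fingerprint the user got out of band (e.g. from
            # the admins). Without one we cannot call the host trusted.
            if expected_fp is None:
                return "unknown"
            if fingerprint(pubkey_line) != expected_fp:
                return "fingerprint-mismatch"
            self.entries[host] = (keytype, b64)
            return "added"
        if stored == (keytype, b64):
            return "trusted"            # safe to proceed and type the password
        # Same host, different key: either the admins rotated it or someone
        # is relaying the session. Refuse, and do not send credentials.
        return "host-key-changed"


if __name__ == "__main__":
    # Constructed keys: a "real" server key and an impostor's key.
    server_key = ed25519_pubkey_line(bytes(range(32)))
    impostor_key = ed25519_pubkey_line(bytes(range(32, 64)))
    fp = fingerprint(server_key)          # what the admins would publish
    kh = KnownHosts()
    print(kh.check("server.example", server_key))        # unknown
    print(kh.check("server.example", server_key, fp))    # added
    print(kh.check("server.example", server_key))        # trusted
    print(kh.check("server.example", impostor_key))      # host-key-changed
```
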

  • (cs) in reply to the HairOfMy ChinnyChinChin

    Sorry about that mess.

    Where did all my line breaks go?

    I didn't think I would need to insert html tags for line breaks.

    I didn't see any preview option and because I didn't have javascript turned on there was no little editing menu. I'm giving this apology in part so I can do a little <i>experimenting</i> with the <b>formatting</b>.

  • Keng (unregistered)

    and worst of all....that's not a half hitch....and, if it were, you'd be endangering the electrical integrity of the cord...can anyone say, "Meltdown at Madame Tussaud's"?

  • C Gomez (unregistered) in reply to Keng

    I think we can safely assume this setup required the prefix pin.  Let's say it did.  Hooking the SecurID up to your laptop defeats the point of two-factor authentication.  If they are going to do this, they might as well just use semi-strong passwords and change them regularly.  If the "what I have" can't be taken with me, then I no longer have it, and all the attacker has to do is get the pin (which is like getting a password... same amount of social engineering required).

    Is it that simple?  Well, yes and no... it's only as simple as the users (or systems) are able to be tricked into revealing the PINs.  That's the same level of security as a password.

  • Hugh Brown (unregistered) in reply to foxyshadis

    Posthumous, actually. Humus is "the dark organic material in soils, produced by the decomposition of vegetable or animal matter and essential to the fertility of the earth." Arguably, we are all pre-humus.

  • Braechnov (unregistered) in reply to brazzy
    brazzy:
    KattMan:
    The constantly changing passcode is what is on the keyfob, fully displayed, no need to remember it.  It changes once every 60 seconds.  If you are a slow typer, most of these have a countdown bar to show how long before the next change happens so you can wait for it to change and have a full 60 seconds to type it in and submit.
    I'm pretty certain that's not necessary because the server will accept not only a single code but those before and after it (maybe even a bigger window) in the sequence as well to allow for clock drift on the token and synchronize the server to it. A typical quartz clock has a drift of about a second per month. You don't want the token to become useless after a year.
    Umm, did you read the post?  He's suggesting waiting until the new code ticks over, so the person has a full 60 seconds to type it 'if [they] are a slow typer'.  Whether the server accepts a previous code or not is irrelevant to the poor sap trying to hunt-and-peck the code in a digit at a time.
  • skillet-thief (unregistered)

    It is secure thanks to the half-hitch.

  • woohoo (unregistered) in reply to Hugh Brown
    Anonymous:

    Posthumous, actually. Humus is "the dark organic material in soils, produced by the decomposition of vegetable or animal matter and essential to the fertility of the earth." Arguably, we are all pre-humus.

    In fact there *is* a wrong etymology which derives "posthumous" from Latin "post humus" ("post"=after being put in the "humus"=soil).

    In German there are two spellings: "postum", correctly derived from Latin "postumus"="the last", and - from the 18th century - the second variant, "posthum" (see above). We just drop the Latin endings in German, as you see ;o). This spelling is also used in English and French ("posthume"). It doesn't seem that there is a form like "postumous" in English AFAIK, is there?

    captcha: craptastic ;o)

  • Homer (unregistered)

    ...and people wonder why IT gets such a bad name.  We have too many morons in our industry and we don't do any self-policing...

  • Clueless by Design (unregistered)

    I have both a username and password taped to the monitor of my Unix workstation.

    Mind you, all that happens if you use it is that the webcam takes a picture of you and then you get logged out.  Sadly, nobody has fallen for it yet.

  • codewolf (unregistered) in reply to Clueless by Design

    We used to have one guy who was our only Tech. (we now have a help desk department)  This guy got so frustrated at a certain user forgetting how to login that he wrote his username and password on his monitor in permanent ink.  He is no longer with us. We use an RSA dongle but have a secret code that is keyed in with the RSA number. Without that the person can not login to the network.

  • he sed awk (unregistered) in reply to Stephen

    They will not be shorted at all ...

    Generally ...


    The ground is on the outer ring ... the power is on the inner connector.  One would REALLY have to work at it to get this ring to short the power connections ... and then you are only talking about 12 VDC ... hardly life threatening at all to healthy human beings ...

    so no Darwin deaths here - unless they maybe put the ring on the other end of the cord ...

  • Pat (unregistered) in reply to Jeff Bell
    Anonymous:

    This is far more secure than password alone systems since it stops any man-in-the-middle or keylogger attacks.

    You don't understand what a "man in the middle" attack is.

  • bretticus (unregistered) in reply to John Smallberries
    John Smallberries:
    JamesKilton:

    Anonymous:
    "Oblivity"?

    Aye, good word.


    Perfectly cromulent.
    Oblivity

     I like how this is apparently a verb. I'm going to go oblivity something. :)

     captcha: error

  • Master TMO (unregistered) in reply to bretticus

    Semi-off topic post, but similar enough to warrant posting:

    Back in '03 they rolled out a new time tracking system for the department.  I went up to the site, clicked on the New User link to register myself, selected my name from a drop-down, and there on the screen was my SSN.  O_O  I was just a teensy bit worried about this, as I hadn't entered a password at all to get there.  So to test it I selected my bosses name from the list... and lo!  There was HIS SSN too!

     I reported it to my boss, but he didn't seem too concerned about it, and didn't take any action about it, even after I provided him with his SSN on a post-it note.  I'm guessing he just wasn't as paranoid as I am. ;)

     So I found the 'get help on this page' link, clicked it and submitted a ticket to the web developers.  To clinch it I pulled down the SSN for the person receiving tickets and included it in the email.  It's AMAZING how quickly the problem was fixed after that.  :D 

  • Me (unregistered) in reply to Pat
    Anonymous:
    Anonymous:

    This is far more secure than password alone systems since it stops any man-in-the-middle or keylogger attacks.

    You don't understand what a "man in the middle" attack is.

    Agreed. I've never felt these token devices to be as secure as everyone seems to believe.

  • (cs)

    I ran into two companies that used this idiotic system. One truism seems to be that security people have no concept of risk assessment. If your network stores blue prints to nuclear weapons then having this level of security is reasonable. However, most businesses do not have data that requires this level of VPN sophistication. A standard VPN will provide more than enough security to keep out most hackers. If a hacker really wants to get into your system, social engineering is by far the most effective solution.

    In both cases I solved the evil dongle problem using a secure web cam hosted on my home machines. The web cam was pointing at the dongles 24-7. When I need to connect via VPN, I connected to my web cam, read the next number from the appropriate dongle and logged in. Problem solved and I never have to carry that damnable thing around again.

  • cyberguy (unregistered) in reply to El Quberto

    They already have - they're called USB slots. You can get SecurID in other form factors than fobs, including USB "connected" tokens. And then there are "software-based" tokens that run on PDA's and cell phones.

  • Thomas (unregistered) in reply to Lionstone

    Well, do you think such ideas come from security specialists? No, they only can come from DIRECTORS

    But it really looks like a hoax ;)

  • (cs)

    Ahh, this obviously isn't the large financial institution that we provide some contract work for. That place requires the SecurID to be mounted on your lanyard with your photo ID and the tongue depressor that lets you use the elevator (which is programmed to only let you out on certain floors).

    And the secret password that goes with the VPN software? That password has a very special name (one of those IBM mainframe programs from the late 60s/early 70s) and is the first ever password you ever had with that institution. It cannot be changed. Ever. Everything else has to change every 90 days.

  • MJ (unregistered) in reply to Olddog

    I hope you're joking by this.  Or maybe you work for the TSA.  If you knew anything about security, you'd know that if a security measure isn't easy to use (aka, not inconvenient) then the user will not accept it and find ways around it.  That's actually why this whole fob attached to computer started, people tried to get around the inconvenience of having to use it. If it were simple to use, more people would have accepted it and not found ways around the policies.

  • William (unregistered) in reply to JamesKilton

    ... but then, all you'll end up with is (at best) the prefix written on another piece of paper (or the prefix might be written on the same piece of paper as the password!)

    Never underestimate the ability of users to do the opposite of what YOU want ... and still stay within the rules

    William

  • cshardie (unregistered) in reply to SheridanCat

    But if you're going to have it attached to the computer where anyone who might decide to use the computer can see it why use it at all? It may not be less secure than username/password alone, but it's certainly not any more secure? Just makes it a waste of time and money.

  • mnature (unregistered) in reply to Jeff Bell
    Anonymous:

    We have the same thing at my company.  To connect by VPN I have to enter a VPN specific password, as well as the 6 digit number from the gizmo.

    This is far more secure than password alone systems since it stops any man-in-the-middle or keylogger attacks.  I would tend to notice if my laptop were stolen and report it to IT.

    -Jeff

    We had a highly paid staff member who absolutely needed a laptop so he could do work at home.  During the first week he went out to his car, carefully placing the laptop on the ground so he could open the car door, and then drove away without the laptop.  Someone went into the parking lot and saw a computer on the ground, and turned it in to security, who finally tracked down the owner, who had not even noticed that he didn't have the laptop with him.  The next week, he walks out to his car, putting the laptop on the ground again, gets into the car and drives away, again leaving the laptop on the ground.  This time, however, he drove over the laptop.  His management decided that he really didn't need a company computer at home anymore.

    Not everyone is smart enough to notice things.

  • mnature (unregistered) in reply to Thomas
    Thomas:

    I ran into two companies that used this idiotic system. One truism seems to be that security people have no concept of risk assessment. If your network stores blue prints to nuclear weapons then having this level of security is reasonable. However, most businesses do not have data that requires this level of VPN sophistication. A standard VPN will provide more than enough security to keep out most hackers. If a hacker really wants to get into your system, social engineering is by far the most effective solution.

    I work at a place that does have a network containing the blueprints to nuclear weapons, and it cannot even be accessed from off-site.  I tend to be appalled at what little some businesses do for security.  Risk assessment should be based upon worst-case scenarios.  Many businesses have failed because someone was able to steal vital information.  A release of confidential information can lead to identity theft and other predatory behavior. 

  • Fizzl (unregistered)

    It's not a problem. It is perfectly safe to duct-tape your RSA SecureID to your laptop. It doesn't really decrease your security. It seems you are not very familiar with SecureID. I used it for a while in one multinational corporation though. To enlighten everyone, here's how it works:

    You select 'Connect' from your VPN. The VPN asks you for a key. Look at your SecureID. It has a countdown indicator, of how long the current challenge is valid. (Yes, they are quite accurate clocks which are re-synchronized on demand). You type in your password into the SecureID and it will give you a key. Now you type it into the VPN and you are connected. The connection will fail if:

    1. It takes over 60 seconds for you to enter your pass and enter the key.
    2. Key is incorrect
    3. Correct, but old key is used (you generated the key in timeframe but failed to type it in in time)

    At least our SecureID's demanded an 8-digit code, returning an 8-12 digit code. (can't remember anymore, but I can still remember my old passphrase code)

    The hard part of this key-exchange scheme is timing. Interestingly enough, I never had a problem with the system. I had the same SecureID card for 3 years and I never had to resynchronize it with the keyserver. My card saw temperatures from -40 to +90 and never malfunctioned. Seriously it works.

    And I'm not astroturfing here. I'm kinda crypto-geek and I have to say this scheme is the best practical, real world application I have seen.
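
The server-side behaviour argued over in the thread (brazzy's drift window and resync, and the "correct, but old key" rejection in the post above) as an added example; this is not code from the thread or from RSA, it uses an RFC 6238-style HMAC truncation as a stand-in for the fob's proprietary algorithm, and the seed, PIN and timestamps are constructed for the demo:

```python
import hashlib
import hmac
import struct
import time

STEP_SECONDS = 60     # the fobs in the thread tick over once a minute
CODE_DIGITS = 6
DRIFT_WINDOW = 1      # accept one step either side of "now" (a minute of drift)


def token_code(seed: bytes, counter: int) -> str:
    """Code a fob would show for one time step: HMAC-SHA1 truncated in the
    style of RFC 6238 (stand-in for the real SecurID algorithm)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class TokenServer:
    """Server-side record for one user's fob: the shared seed, the per-user
    PIN prefix, the clock offset learned so far, and a replay guard."""

    def __init__(self, seed: bytes, pin: str):
        self.seed = seed
        self.pin = pin
        self.drift_steps = 0        # fob clock ahead (+) or behind (-), in steps
        self.last_counter = None    # newest step already accepted; older = replay

    def verify(self, passcode: str, now: int) -> str:
        """Check PIN + tokencode against the window around the server clock.
        Returns a verdict string so the caller can log why a login failed."""
        if not passcode.startswith(self.pin):
            return "reject:pin"
        code = passcode[len(self.pin):]
        if len(code) != CODE_DIGITS or not code.isascii():
            return "reject:code"
        base = now // STEP_SECONDS + self.drift_steps
        for delta in range(-DRIFT_WINDOW, DRIFT_WINDOW + 1):
            counter = base + delta
            if hmac.compare_digest(token_code(self.seed, counter), code):
                if self.last_counter is not None and counter <= self.last_counter:
                    return "reject:replay"   # correct but already-used (old) code
                self.last_counter = counter
                self.drift_steps += delta    # resync: remember where the fob's clock is
                return "accept"
        return "reject:code"


if __name__ == "__main__":
    seed = b"constructed-seed-for-demo"    # constructed; real seeds are per-token secrets
    server = TokenServer(seed, pin="1234")
    now = int(time.time())
    fob_counter = now // STEP_SECONDS + 1  # this fob's clock runs a minute fast
    code = token_code(seed, fob_counter)
    print(server.verify("1234" + code, now))      # accept (inside the drift window)
    print(server.verify("1234" + code, now))      # reject:replay
    print("learned drift (steps):", server.drift_steps)   # 1
```
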

  • Herohtar (unregistered)
    ...it's a bit of an inconvenience to carry your laptop AND an RSA token on your key ring.

    It sure is! Do you have any idea how hard it is to get the key ring into your pocket with even just a laptop on it? Man, talk about inconvenience...

Leave a comment on “Security by Oblivity”
