  • (disco)

    It's as if a seven-year-old was describing how secure the safe was. Jesus.

  • (disco)

    Well, at least it is an 8-digit code. That means it must inevitably be automatically more secure than my luggage!

    Why do people not require a password to resume from the screensaver? That's like having an expensive lock on a door that's always propped open with a rubbish bin…

  • (disco)

    I'm a little surprised he didn't try the default password off the bat. Mispronouncing common names is a pretty good hint you don't know what you're talking about. Half expected him to talk about "Upgrading to the fox fire!" soon.

  • (disco) in reply to Tsaukpaetra
    Tsaukpaetra:
    I'm a little surprised he didn't try the default password off the bat.

    Apparently he was IT... erm, IP blocked. And when he went to the boss's quarters, the post-it was already there, so...

  • (disco) in reply to Maciejasjmj
    Maciejasjmj:
    And when he went to the boss's quarters, the post-it was already there, so...

    And the authorized machine wasn't locked… :rolleyes:

  • (disco)

    Des Moines - now that's TRWTF!

  • (disco)

    TRWTF is of course the fact that there is no automatic shutdown of screen entry after a short period of time unattended. Everybody always forgets to do the usual ctrl-alt-delete Lock This Computer when getting up to go to the pizza shop, so any professional concern will ensure that there is a timer to do just that. Subsequent attempts to access that terminal will result in "Please enter your password".

    And, get this, what you can do is change that password to something only you will know or can guess, like qwerty123 or hunter2 or something equally obscure and unhackable.

    And TR,RWTF is that the management team of GrocerSoft have not had the gumption to get their own concern professionally audited.

  • (disco)

    ... oh yeah, and in this line:

    "Toby didn’t care though. His employer got paid, he got paid, ..."

    ... presumably you mean "Connor didn't care though." Toby, from what I understand, cared very much, because he would have lost his job and subsequently every possibility of getting another one within the IT industry.

  • (disco)

    According to what safety versus security means, the data were safe. The only mention of anything security-related is teh Inter-Explorer Netword as opposed to chromed goggles. So, actually nobody demanded security. So, the problem is non-existent.

    What does NDA stand for? Notorious Dork Attendance?

  • (disco) in reply to PWolff
    PWolff:
    What does NDA stand for? Notorious Dork Attendance?

    Non Disclosure Agreement.

    basically "we're going to tell you things and you've got to keep the secret until certain conditions are met" (usually a period of time needs to elapse or the company holding the NDA needs to make a press release or something)

  • (disco) in reply to Quite
    Quite:
    ctrl-alt-delete Lock This Computer

    Ever since my university days, I do a quick :fa_windows:+L whenever I get up from any computer.

  • (disco) in reply to dkf

    Hey, it's not like the combination "00000000" has never been used to lock something important, like, say, nuclear missiles.

  • (disco)

    The real WTF is there was apparently not a single locked door, security guard, or person that cared about strangers wandering the halls and rummaging through the CTO's office in the entire building. It has nothing to do with browsers, passwords, or unlocked Windows sessions.

  • (disco) in reply to hungrier
    hungrier:
    Ever since my university days, I do a quick :fa_windows:+L whenever I get up from any computer.

    And I don't know about you, but my classmates and I were ruthless in teaching each other (and at least one of our profs) the importance of that lesson.

  • (disco) in reply to EatenByAGrue
    EatenByAGrue:
    And I don't know about you, but my classmates and I were ruthless in teaching each other (and at least one of our profs) the importance of that lesson.

    One of my roommates loved to leave Meatspin up on my gaming system since I didn't password-protect it. I fixed that, and was finally able to remove the password after I got him with the Blue Waffle and he declared a truce.


    Filed Under: If you have to ask, don't Google it, it's all NSFL.

  • (disco)

    Des Moines, yeah... This reminds me of this quote from Bill Bryson:

    I come from Des Moines. Somebody had to.
  • (disco)

    Continuing the discussion from Safe-ty First:

    mott555:
    Filed Under: If you have to ask, don't Google it, it's all NSFL.

    NSFL? I know NSFW, but what's "NSFL"? "Not safe for ladies"? I don't dare google ...

  • (disco) in reply to Quite
    Quite:
    NSFL?

    usually "Not safe for life"

  • (disco)
    “our new client needs to know our backups of their data are safe.”

    That's not much of a security audit.

  • (disco) in reply to accalia
    accalia:
    PWolff:
    What does NDA stand for? Notorious Dork Attendance?

    Non Disclosure Agreement.

    Thank for learneding me englisch. Me not opportunity have ask Goggle or VikingPædia.

    Jistuce:
    The real WTF is there was apparently not a single locked door, security guard, or person that cared about strangers wandering the halls and rummaging through the CTO's office in the entire building. It has nothing to do with browsers, passwords, or unlocked Windows sessions.

    Neizer of zem is a prublem. @Evrybuddy noes that hackers always get in via the Intarnets and are unable to use they're feets (if them have any)

  • (disco) in reply to dkf
    dkf:
    Why do people not require a password to resume from the screensaver? That's like having an expensive lock on a door that's always propped open with a rubbish bin…

    Heck, why doesn't the web application force a password reset after the first login?

  • (disco)

    On the subject of "data being safe," if the only copy is on location, regardless of the security protection, the data's not safely backed up. Gotta have an offsite copy as well.

    But you all know that, right? RIGHT??!!!???

  • (disco)

    I used to work in the grocery and tech space. It was not uncommon for supermarkets to build their first data centers in old converted bank vaults, for security. Remember, though, these might have dated back to the 80s where security best practices may have looked different. And everyone who shared these stories had the good sense to know how ridiculous it seemed today.

  • (disco) in reply to FrostCat
    FrostCat:
    force a password reset after the first login?
    Like this? [image]
  • (disco) in reply to Tsaukpaetra

    Yeah. I use a tool that does it, but I'd have had to reset it to have been able to post my own screenshot and that seemed too much like work, whereas just describing the problem was likely to get someone else to find a screenshot for me.

    Oh! You're like a worker thread!

  • (disco) in reply to FrostCat
    FrostCat:
    You're like a worker thread!

    One is glad to be a GIS Endpoint Interface.

    Edit: Also, it's not hard, I have almost ten empty routers I keep around that are ready configuration. didn't even really need to GIS, now that I think on it...

  • (disco) in reply to Jistuce
    Jistuce:
    The real WTF is there was apparently not a single locked door, security guard, or person that cared about strangers wandering the halls and rummaging through the CTO's office in the entire building.

    So the guy had a Visitor Pass from reception.

  • (disco) in reply to cellocgw
    The_Dark_Lord:
    That's not much of a security audit.

    Some process audit companies do that: look around until they find a problem and go home and fill out the bill.

    In this case, I think a full and proper security audit would have filled a shelf.

    cellocgw:
    On the subject of "data being safe," if the only copy is on location, regardless of the security protection, the data's not safely backed up. Gotta have an offsite copy as well.

    But you all know that, right? RIGHT??!!!???

    Backups aren't needed if the only criterion is, "Keep it secret." After all, if the master tapes get destroyed...the list is secret forever.

  • (disco) in reply to Quite
    Quite:
    ctrl-alt-delete Lock This Computer

    :wtf: :fa_windows:+L

    FTA:
    He saw private email passwords, shopping lists from 2011, phone numbers for women with names like Candy and Bunny, and a reminder to buy tickets for Attack of the Clones ahead of time.

    Those are some really sticky notes, I guess.

    dkf:
    So the guy had a Visitor Pass from reception.
    FTA:
    The doors were unlocked and no one was there to greet him. Being a security auditor, he decided to wander around for a bit. After a half hour, someone finally asked him if he was lost, and directed him to his contact’s office.

    What reception? I don't see no reception.

  • (disco) in reply to Dreikin
    Dreikin:
    :wtf: :fa_windows:+L

    Apparently this key combo can be hooked, while Ctrl+Alt+Del cannot.

    Dreikin:
    no reception.
    Agreed. How rude!
  • (disco) in reply to Tsaukpaetra
    Tsaukpaetra:
    Apparently this key combo can be hooked, while Ctrl+Alt+Del cannot.

    Oh. Hm. I'll have to remember that.

  • (disco) in reply to Dreikin
    Tsaukpaetra:
    Apparently this key combo can be hooked, while Ctrl+Alt+Del cannot.
    Dreikin:
    Oh. Hm. I'll have to remember that.

    Actually, it appears that it's special-cased like Ctrl+Alt+Del. I haven't found an MSDN doc for it yet, but I've seen several things saying you can't hook those two (e.g., this and this).

  • (disco) in reply to FrostCat
    FrostCat:
    Heck, why doesn't the web application force a password reset after the first login?
    Because there's little point in making someone *manually* reset their password to 00000000?
  • (disco) in reply to Scarlet_Manuka

    The web app I mentioned above would not let you use the same password as the default. You'd have to use 00000001 or something.

  • (disco) in reply to Tsaukpaetra
    Tsaukpaetra:
    Apparently this key combo can be hooked, while Ctrl+Alt+Del cannot.

    You're worried about someone running something malicious on your computer before you lock it, after you are already logged in? How is a program that is able to hook keys going to be any less dangerous if you lock yourself out of your computer first?

  • (disco) in reply to ben_lubar
    ben_lubar:
    You're worried

    Apparently it's not "me" that's worried. I didn't make that rule after all. :stuck_out_tongue:

  • (disco) in reply to Quite
    Quite:
    NSFL?

    I always thought it was Not Safe For Lunch, as in you won't be able to finish yours because you'll be feeling ill. Either way, meatspin isn't so bad unless you're scared of or sickened by a penis. Certainly Not Safe For Work but shouldn't bring anybody's lunch back up. Blue waffles is quite bad though, I'm quite sure many people would feel distressed from viewing it.

  • (disco) in reply to cellocgw
    cellocgw:
    On the subject of "data being safe," if the only copy is on location, regardless of the security protection, the data's not safely backed up. Gotta have an offsite copy as well.

    Also, a fire safe may protect paper for 4 hours, but data storage devices will probably be fucked in 15-30 minutes depending on intensity of the fire.

  • (disco) in reply to Polygeekery

    This is a !!data storage device!!.

  • (disco) in reply to ben_lubar

    And I hope it burns...

  • (disco) in reply to Polygeekery

    Once the !! appear, you don't have to waste energy hoping anymore.

  • (disco) in reply to Dreikin
    Dreikin:
    What reception? I don't see no reception.

    Oh, forgot that. Even less competent then, though places where they just hand out visitor passes and then ignore them aren't really that much better. It's still only security theatre…

  • (disco) in reply to Tsaukpaetra
    Tsaukpaetra:
    I'm a little surprised he didn't try the default password off the bat. Mispronouncing common names is a pretty good hint you don't know what you're talking about. Half expected himRemy to talk about "Upgrading to the fox fire!" soon.

    Half the story has the signature flair of a cartoonish Remy villain.

  • (disco) in reply to dkf

    Years ago, I worked for an electric power company. Just the admin offices, mind you. Every external door required a chipped badge to get through, except between 8-9 am. Then there were turnstiles that required a badge, with multiple armed security guards at each set (front/rear entrance), then each office area had a door that required the badge chip again. And if you forgot your badge, one of the security guards would hold you at the turnstile and call your supervisor who would have to come "get" you and sign for you to have a temporary badge for the day. And, while you were wearing the temporary badge, you were not allowed to walk anywhere without an "escort" by someone who had a "real" badge or you would get stopped by security.

    They took physical security of the premises very seriously.

    It's a shame that their software was a horrible mess of VB5 upgraded to VB.NET that failed in some way at least once per day.

  • (disco) in reply to FrostCat
    FrostCat:
    You'd have to use 00000001 or something.
    12345678 would be quite popular, I'm sure.

    That's why there's no point. The users are going to, in many cases, go for the least secure password you allow them to have. So either you don't have a lot of rules and large swathes of your userbase all pick the same thing, or you have lots of rules and people give your product bad reviews because it's difficult to set up.

    A better approach would be to randomise them all at the factory and ship each user a bit of paper with their password. Of course, this has other costs, like when they inevitably lose it. If you don't keep a master list, then your customers are in trouble when this happens (you probably want to have some expensive bring-it-to-the-factory solution). If you do, then you've just made yourself a massive target.

    There's no perfect approach, and the manufacturers will presumably make whatever decision they feel is in their best commercial interest. Which may well be giving everybody a password of 00000000 by default.

    Security: It's hard because you have to try to get people to use it. (Among other reasons.)

  • (disco) in reply to tenshino
    tenshino:
    Then there were turnstiles that required a badge

    Some fifteen years ago I auditioned (sic, as in vendor-presented-to-me) a security system where the ID photo of the badgeholder (obtained, of course, from the central database and not from the photo printed on the badge) flashed up on the screen of the guard monitoring the turnstile or man-lock. I do hope that's standard now on all such systems.

    It's a shame that their software was a horrible mess of VB5 upgraded to VB.NET that failed in some way at least once per day.

    That's because their security wouldn't let real competent developers (hackers!!) enter the building.

  • (disco) in reply to Lawrence
    Lawrence:
    I do hope that's standard now on all such systems.

    It would seem sensible, now that we've got pretty solid networking all over the place. So no, it's probably virtually unheard of.

  • (disco)
    Google Crohns
    Quite a fitting term actually. If I didn't have to explain it to the 9 in 10 people who don't know Crohn's Disease, I'd appropriate that on the spot.
  • (disco) in reply to Scarlet_Manuka
    Scarlet_Manuka:
    A better approach would be to randomise them all at the factory and ship each user a bit of paper with their password. Of course, this has other costs, like when they inevitably lose it. If you don't keep a master list, then your customers are in trouble when this happens (you probably want to have some expensive bring-it-to-the-factory solution). If you do, then you've just made yourself a massive target.

    Verizon's FiOS routers use the serial number (printed on a label on the bottom of the router) for the factory-default password. It's not random, but it's not easily guessable either. And it's easy to look up if you forget it.
