Admin
It's as if a seven-year-old was describing how secure the safe was. Jesus.
Admin
Well, at least it is an 8-digit code. That means it must inevitably be automatically more secure than my luggage!
Why do people not require a password to resume from the screensaver? That's like having an expensive lock on a door that's always propped open with a rubbish bin…
Admin
I'm a little surprised he didn't try the default password off the bat. Mispronouncing common names is a pretty good hint you don't know what you're talking about. Half expected him to talk about "Upgrading to the fox fire!" soon.
Admin
Apparently he was IT... erm, IP blocked. And when he went to the boss's quarters, the post-it was already there, so...
Admin
And the authorized machine wasn't locked… :rolleyes:
Admin
Des Moines - now that's TRWTF!
Admin
TRWTF is of course the fact that there is no automatic shutdown of screen entry after a short period of time unattended. Everybody always forgets to do the usual ctrl-alt-delete Lock This Computer when getting up to go to the pizza shop, so any professional concern will ensure that there is a timer to do just that. Subsequent attempts to access that terminal will result in "Please enter your password".
And, get this, what you can do is change that password to something only you will know or can guess, like qwerty123 or hunter2 or something equally obscure and unhackable.
And TR,RWTF is that the management team of GrocerSoft have not had the gumption to get their own concern professionally audited.
Admin
... oh yeah, and in this line:
"Toby didn’t care though. His employer got paid, he got paid, ..."
... presumably you mean "Connor didn't care though." Toby, from what I understand, cared very much, because he would have lost his job and subsequently every possibility of getting another one within the IT industry.
Admin
According to what safety versus security means, the data were safe. The only mention of anything security-related is teh Inter-Explorer Netword as opposed to chromed goggles. So, actually nobody demanded security. So, the problem is non-existent.
What does NDA stand for? Notorious Dork Attendance?
Admin
Non Disclosure Agreement.
Basically, "we're going to tell you things and you've got to keep the secret until certain conditions are met" (usually a period of time needs to elapse, or the company holding the NDA needs to make a press release or something).
Admin
Ever since my university days, I do a quick :fa_windows:+L whenever I get up from any computer.
Admin
Hey, it's not like the combination "00000000" has never been used to lock something important, like, say, nuclear missiles.
Admin
The real WTF is there was apparently not a single locked door, security guard, or person that cared about strangers wandering the halls and rummaging through the CTO's office in the entire building. It has nothing to do with browsers, passwords, or unlocked Windows sessions.
Admin
And I don't know about you, but my classmates and I were ruthless in teaching each other (and at least one of our profs) the importance of that lesson.
Admin
One of my roommates loved to leave Meatspin up on my gaming system since I didn't password-protect it. I fixed that, and was finally able to remove the password after I got him with the Blue Waffle and he declared a truce.
Filed Under: If you have to ask, don't Google it, it's all NSFL.
Admin
Des Moines, yeah... This reminds me of this quote from Bill Bryson:
Admin
Continuing the discussion from Safe-ty First:
NSFL? I know NSFW, but what's "NSFL"? "Not safe for ladies"? I don't dare google ...
Admin
usually "Not safe for life"
Admin
That's not much of a security audit.
Admin
Thank for learneding me englisch. Me not opportunity have ask Goggle or VikingPædia.
Neizer of zem is a prublem. @Evrybuddy noes that hackers always get in via the Intarnets and are unable to use they're feets (if them have any)
Admin
Heck, why doesn't the web application force a password reset after the first login?
Admin
On the subject of "data being safe," if the only copy is on location, regardless of the security protection, the data's not safely backed up. Gotta have an offsite copy as well.
But you all know that, right? RIGHT??!!!???
Admin
I used to work in the grocery and tech space. It was not uncommon for supermarkets to build their first data centers in old converted bank vaults, for security. Remember, though, these might have dated back to the 80s where security best practices may have looked different. And everyone who shared these stories had the good sense to know how ridiculous it seemed today.
Admin
Yeah. I use a tool that does it, but I'd have had to reset it to have been able to post my own screenshot and that seemed too much like work, whereas just describing the problem was likely to get someone else to find a screenshot for me.
Oh! You're like a worker thread!
Admin
One is glad to be a GIS Endpoint Interface.
Edit: Also, it's not hard, I have almost ten empty routers I keep around that are ready configuration. didn't even really need to GIS, now that I think on it...
Admin
So the guy had a Visitor Pass from reception.
Admin
Some process audit companies do that: look around until they find a problem and go home and fill out the bill.
In this case, I think a full and proper security audit would have filled a shelf.
Backups aren't needed if the only criterion is "Keep it secret." After all, if the master tapes get destroyed... the list is secret forever.
Admin
:wtf: :fa_windows:+L
Those are some really sticky notes, I guess.
What reception? I don't see no reception.
Admin
Apparently this key combo can be hooked, while Ctrl+Alt+Del cannot.
Agreed. How rude!
Admin
Oh. Hm. I'll have to remember that.
Admin
Actually, it appears that it's special-cased like Ctrl+Alt+Del. I haven't found an MSDN doc for it yet, but I've seen several things saying you can't hook those two (e.g., this and this).
Admin
The web app I mentioned above would not let you use the same password as the default. You'd have to use 00000001 or something.
Admin
You're worried about someone running something malicious on your computer before you lock it, after you are already logged in? How is a program that is able to hook keys going to be any less dangerous if you lock yourself out of your computer first?
Admin
Apparently it's not "me" that's worried. I didn't make that rule after all. :stuck_out_tongue:
Admin
I always thought it was Not Safe For Lunch, as in you won't be able to finish yours because you'll be feeling ill. Either way, meatspin isn't so bad unless you're scared of or sickened by a penis. Certainly Not Safe For Work but shouldn't bring anybody's lunch back up. Blue waffles is quite bad though, I'm quite sure many people would feel distressed from viewing it.
Admin
Also, a fire safe may protect paper for 4 hours, but data storage devices will probably be fucked in 15-30 minutes depending on intensity of the fire.
Admin
This is a !!data storage device!!.
Admin
And I hope it burns...
Admin
Once the !! appear, you don't have to waste energy hoping anymore.
Admin
Oh, forgot that. Even less competent then, though places where they just hand out visitor passes and then ignore them aren't really that much better. It's still only security theatre…
Admin
Half the story has the signature flair of a cartoonish Remy villain.
Admin
Years ago, I worked for an electric power company. Just the admin offices, mind you. Every external door required a chipped badge to get through, except between 8-9 am. Then there were turnstiles that required a badge, with multiple armed security guards at each set (front/rear entrance), then each office area had a door that required the badge chip again. And if you forgot your badge, one of the security guards would hold you at the turnstile and call your supervisor, who would have to come "get" you and sign for you to have a temporary badge for the day. And, while you were wearing the temporary badge, you were not allowed to walk anywhere without an "escort" by someone who had a "real" badge or you would get stopped by security.
They took physical security of the premises very seriously.
It's a shame that their software was a horrible mess of VB5 upgraded to VB.NET that failed in some way at least once per day.
Admin
That's why there's no point. The users are going to, in many cases, go for the least secure password you allow them to have. So either you don't have a lot of rules and large swathes of your userbase all pick the same thing, or you have lots of rules and people give your product bad reviews because it's difficult to set up.
A better approach would be to randomise them all at the factory and ship each user a bit of paper with their password. Of course, this has other costs, like when they inevitably lose it. If you don't keep a master list, then your customers are in trouble when this happens (you probably want to have some expensive bring-it-to-the-factory solution). If you do, then you've just made yourself a massive target.
There's no perfect approach, and the manufacturers will presumably make whatever decision they feel is in their best commercial interest. Which may well be giving everybody a password of 00000000 by default.
Security: It's hard because you have to try to get people to use it. (Among other reasons.)
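The thread keeps circling back to the same failure mode: a shared factory default of 00000000, users who swap it for 00000001 or hunter2, and no forced change on first login. As an added illustration (not code from GrocerSoft or any product in the story), here is a first-login password policy that rejects the default, one-character tweaks of it, repeated or sequential digit strings, and a constructed common-password list:

```python
"""Constructed example of a first-login password policy for a device shipped
with a fixed factory default. The default, the sample common-password list and
the rule set are assumptions for illustration, not taken from any real product."""

FACTORY_DEFAULT = "00000000"  # the shared default the thread complains about
# Constructed sample list; a real deployment would load a much larger breach-derived list.
COMMON_PASSWORDS = {"qwerty123", "hunter2", "password", "12345678", "letmein"}


def is_trivial_digit_string(pw: str) -> bool:
    """True for all-same digits (00000000) or a strict ascending/descending run (01234567)."""
    if not pw.isdigit():
        return False
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def too_close_to_default(pw: str, default: str = FACTORY_DEFAULT) -> bool:
    """Reject the factory default itself and any one-character edit of it (e.g. 00000001)."""
    if pw == default:
        return True
    if len(pw) != len(default):
        return False
    differing = sum(a != b for a, b in zip(pw, default))
    return differing <= 1


def validate_new_password(pw: str, default: str = FACTORY_DEFAULT) -> list[str]:
    """Return the list of policy violations for a proposed password.

    An empty list means the password is accepted. A device's first-login flow
    should call this and refuse to proceed until it returns [] , so the user
    cannot simply keep the shipped default.
    """
    problems = []
    if too_close_to_default(pw, default):
        problems.append("factory default or a trivial variant of it")
    if is_trivial_digit_string(pw):
        problems.append("repeated or sequential digit string")
    if pw.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    return problems
```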
Admin
Some fifteen years ago I auditioned (sic, as in vendor-presented-to-me) a security system where the ID photo of the badgeholder (obtained, of course, from the central database and not from the photo printed on the badge) flashed up on the screen of the guard monitoring the turnstile or man-lock. I do hope that's standard now on all such systems.
That's because their security wouldn't let real competent developers (hackers!!) enter the building.
Admin
It would seem sensible, now that we've got pretty solid networking all over the place. So no, it's probably virtually unheard of.
Admin
Verizon's FiOS routers use the serial number (printed on a label on the bottom of the router) for the factory-default password. It's not random, but it's not easily guessable either. And it's easy to look up if you forget it.