
The other security problem

People who deal with systems security spend a lot of time worrying about buffer overflows, format string vulnerabilities, file creation races, and so on. These problems can all lead to the compromise of an important system, with the usual array of unpleasant consequences. So conscientious administrators track new vulnerabilities, apply their patches promptly, and generally keep their systems in order.

This Register article, however, serves as a good reminder that there are other aspects to the security problem:

Nine in ten (90 per cent) of office workers at London's Waterloo Station gave away their computer password for a cheap pen, compared with 65 per cent last year.

What a pain; all that patching and careful administration, then the users hand their passwords over to a stranger when asked. Unfortunately, patches for loose-lipped users are hard to come by. The security advantages of free software also fail to offer much help in the way of blabbermouth mitigation.

Lack of security consciousness is a real problem. Careless users will not increase your exposure to the next Internet worm. But an attacker who has set his sights on a specific target may well want to have a little discussion with your users. Pens are cheap, after all.



The other security problem

Posted Apr 24, 2003 1:56 UTC (Thu) by mark (guest, #1921)

The problem IMO is not that people are stupid, as the article seems to suggest. All this demonstrates is that *passwords* are stupid. They are a throwback to the same days that brought us SMTP and telnet.

There are at least two important reasons why passwords are stupid.

Firstly, people share passwords to solve problems caused by software and business processes that don't adequately support their needs. Sharing passwords is orders of magnitude easier than fixing software or business problems.

Second, we store passwords in cleartext in people's heads when we would never consider doing so in our computer. But it's much easier to get access to someone's head than to someone's hard drive. Why do we keep blaming the people for being "stupid" when it's the way that we store the password that's at fault?

Cheers
Mark

The other security problem

Posted Apr 24, 2003 2:19 UTC (Thu) by Ross (subscriber, #4065)

So you only store encrypted passwords in your brain? :) Do you use symmetric or public key encryption? Where do you store your encryption password?

The other security problem

Posted Apr 24, 2003 6:31 UTC (Thu) by amikins (guest, #451)

I just use rot13; I don't have enough wetware cycles for anything more advanced.

The other security problem

Posted Apr 24, 2003 19:45 UTC (Thu) by iabervon (subscriber, #722)

I store my passwords as motor programs. They're much harder to blurt out accidentally than character sequences...

The other security problem

Posted Apr 24, 2003 8:26 UTC (Thu) by Robin.Hill (subscriber, #4385)

The question is: how many gave their real password?

You could say anything as your password and still get the free pen!

The other security problem

Posted Apr 25, 2003 13:17 UTC (Fri) by beejaybee (guest, #1581)

The other side to this is, my credit card company sent with my last statement a leaflet stating that, in future, I might have to give away the "security information" associated with my account in order to identify myself at a retail outlet - as a _safeguard_ against fraud. The fact that most fraud occurs through retail outlet staff and it is presumably to them I will be making the disclosure does not seem to have occurred to the idiots in charge of "security" at a major UK bank.

Pass me a couple of aspirins, please.

Copyright © 2003, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds