Cutting Security To Cut Costs?
just currious asks: "I work for a large company (10,000+ PCs) who recently outsourced the help desk. After looking at about a year's worth of data we find that 30% to 50% of the calls to the help desk are password related (password resets, password changes, etc.). This is a lot of calls (at 20+ dollars a pop). Now they want to reduce cost by cutting security, since if you don't have a password, you can't forget it. So here's what upper management wants to do: remove the security from all of our Windows 2000 machines. Has anybody else seen security cut just to save money?"
In order to assist you... (Score:5, Funny)
My dog could hack them (Score:1)
Here's a solution: Fire all the morons who set their password to "qwerty" so they won't forget and then forget it anyway.
Re:In order to assist you... (Score:2)
All his IP addresses start with 127. 127.0.0.1 is the master server.
give and take (Score:2)
just another thought (Score:2)
Re:give and take (Score:5, Informative)
NO! This is a fallacy. It doesn't matter if you have the last remaining digital copy of the secret FBI UFO cover-up or just your grandmother's recipes, your computer itself is still a resource that a hacker would love to use.
Your machine could be hijacked and used for all sorts of nefarious purposes from DDoSing script kiddies to breaking into banks to being a staging point for a credit card fraud scheme or a terrorist network...
But... (Score:3, Funny)
Sounds to me like your Windows boxes will be about as secure as ever
A Better Solution (Score:3, Funny)
Re:A Better Solution (Score:2)
Better yet:
Re:A Better Solution (Score:2)
*Someone* sent me an email asking why their password wasn't working. What was it? Q-W-E-R-T-I
I thought they had to be kidding. "You mean to tell me that after pressing 5 keys in a fscking row you didn't think about pressing the next one?" I had to cry. How long can someone stare at a keyboard for and not even notice when a mysterious voice tells them to use qwerty?
On second thought, they may be like my dad:
me: "Type 'cat'. c-a-t"
him: "uhh.... A.. hrmm... B uhhh.. C! *click*C*click*
me: !
him: "uhh.... A! *click*A*click*
me: !
him: "uhh.... A.. hrmm... B uhhh.. C uhh.... D.. hrmm... E uhhh.. F............
me: ZZzzzzz...
Poor soul. I hear he's gotten better. Instead of spending 45 seconds trying to go through the alphabet and locate the first character of 'ZOO', he found a shortcut - He cheats. he now notices 'z' next to the 'a' and saves a sh*tload of time. Now THAT'S what I call productivity.
I've been through exactly the same. (Score:4, Interesting)
Am I bitter about it? To the point of quitting the instant I can. Thank god I'm not running the servers.
Re:I've been through exactly the same. (Score:2)
This is an excellent point. Many users have no concept of a directory structure and save files in almost random locations. When I was a network administrator we spent time locking down the users' NT boxes; not for any security reason, but to prevent the users from saving files anywhere but on the server.
Now instead of before where a user would call and the support person would change their password (a fairly easy problem to diagnose and correct), your support people are going to spend the first few minutes of any conversation trying to determine who the user is even logged in as. Account swapping is going to be a whole new fun area of technical support as users just use each other's accounts to accomplish tasks rather than deal with problems with their own accounts.
If your management isn't impressed with security concerns, maybe this line of reasoning will help. I guarantee you that your employees are already trading passwords and accounts in a limited fashion to get work done, removing passwords will cause an explosion of support issues. Good luck to you.
Re:I've been through exactly the same. (Score:2)
BOIH (Score:5, Funny)
You're obviously not a BOIH (Bastard Operator In Hell):
"I lost my password."
"You've no password."
"What do you mean by no password? What's that big f%#*ing word on the screen saying 'Password'?"
"Just press Enter."
"small cap or all cap?"
"...."
Re:BOIH - BO*F*H (Score:1, Redundant)
I should know - I am one. I even have a PFY.
Re:BOIH - BO*F*H (Score:1, Funny)
Re:BOIH - BO*F*H (Score:2, Funny)
Re:BOIH - BO*F*H (Score:2)
Heh - quite
Yes Sir right away! (Score:2, Funny)
No sweat! *pause 3 sec.* It's being done!
*thank God not being asked to remove security holes*
While you're at it... (Score:2)
Nothing like running lean and mean!
My 2 cents (Score:5, Insightful)
Where I work the security is pretty tight (comp locks after 5 mins of inactivity, many things turned off, and so on). It's sometimes a pain in the ass, but at least they really take security into account...
F^cked Company (Score:3, Insightful)
Re:F^cked Company (Score:3, Insightful)
How about this? (Score:2, Interesting)
*sigh* (Score:5, Interesting)
How many times have you heard this one?
(Regarding a server that is connected to the net for FTP / SSH) "But who would want to hack our server?"
I've often found that lusers actually do understand security concepts, however as soon as a computer is concerned they are thrown out of the window. For example:
Me: "Tell me - do you drive a car?"
Luser: "Yes"
Me: "And does anyone have a specific grudge against you? Would they specifically want to steal your car?"
Luser: "No!"
Me: "So do you lock your car after you park it somewhere?"
Luser: "Of course I do!"
Me: "So if no one wants to steal your car, why do you lock it?"
I've found they can't answer that one.
The real issue is that people just can't use computers. What would solve the problem would be some form of transparent biometric authentication. Think about how we as human beings authenticate people - we do it all the time from speaking to friends on the phone, to making a transaction at the bank. If speaking to someone you know, you don't use a password - you know what your friend looks, sounds and behaves like, and this is used for "authentication". With a bank, you may not know the person you are about to hand over all your cash to, however because the bank is a big building in the location it's in, you know that it can be "trusted" due to its physical location.
Regarding passwords with Windows 2000 there are alternatives to this. The simple one is let them have no password, but make it so that their account can only log on from their computer. That will seriously limit the abuse that can happen. Alternatively just quietly delete all your CEO's MP3's and mail abusive messages and pr0n using his account - he'll soon wake up.
Re:*sigh* (Score:2)
1)What would I lose if someone stole my car?
2)What would I lose if someone hacked into my pc?
I'll answer that for you.
1)I don't have a car, but if I did, I would lose valuable property that cost me lots of cash and hard work.
2)NOTHING! There is nothing of value in my pc! Zero!
If someone came and deleted all my files, why should I care? I can restore everything to working order in 3 minutes by getting my disk image CD.
So I might lose some porn or mp3s. It's not like I don't delete everything on a regular basis myself!
Most people don't worry about security because they don't need it! A bigass company with mission critical data should definitely worry about security but you can't criticize someone for not locking their electronic toybox.
Speaking of which, have you locked your fridge recently? How about your oven? Your closet? Do you have locks on everything you own? You don't, do you? Well I don't either, and I don't use a firewall or anti virus or anything... and guess what, no computer problems whatsoever...
Re:*sigh* (Score:5, Insightful)
The question you MEANT to ask is: What would I lose if someone hacked into my pc and placed child porn in my personal directories and then called the FBI on me?
A) 5-10 years of your life... You only need to possess it, not even have knowledge that it is there.
Re:*sigh* (Score:2)
No FBI for me. Or DMCA. Or any other kind of insane law enforcement. Or hardly any law enforcement, lol.
Maybe I should put my nationality in my sig or something. I am from Portugal
Why don't you all move here, there's also hardly any unemployment and a great lack of qualified people since half the ppl around here don't go beyond the mandatory 9th grade in their schooling.
And the weather's great too!
Re:*sigh* (Score:1)
Re:*sigh* (Score:2)
Don't worry, we're working hard on that.
Extrapolate people! (Score:2)
Re:*sigh* (Score:3, Insightful)
Jon Johansen is not only not an American, but has likely never been to America, and lives in a country where reverse engineering is supposedly still legal.
I'm going to take a wild guess and say that kiddie porn, sedition, and terrorism are still illegal in Portugal, despite the relative scarcity of law enforcement. Even if they aren't illegal, or are but aren't enforced, there's still this little thing called "extradition". There aren't that many countries in the world that don't have extradition treaties with the US, and I don't recall Portugal being on that list.
If you think the US can't put enough pressure on your government to get you if it's important to them, I'm going to guess that you haven't gone much past the government mandated education yourself.
Remember, the program Sklyarov wrote is not only explicitly legal in Russia, but Russian law makes Adobe the criminals for limiting access to purchased works. That didn't stop the FBI from nabbing him though, did it?
Re:*sigh* (Score:2)
Re:*sigh* (Score:2)
Re:*sigh* (Score:2)
If my fridge were exposed to the outside world, then I would lock it. I don't need to lock it because it is within my house, and my house is locked. My house is acting as a security provider in this scenario.
Well I don't either, and I don't use a firewall or anti virus or anything... and guess what, no computer problems whatsoever...
You're not trusted with anything important are you?
Re:*sigh* (Score:2)
Your computer has no CPU? No Hard Drive? No internet access?
Those are the only things of value on the vast majority of computers that get hacked, but they are of value.
What if a hacker is using your machine to hack into something important, like the NSA or a Defense Contractor? Or, of course, there's the kiddie porn example already presented. Or maybe you'd like your computer to be a zombie for a DDOS attack or a spammer?
Most of those could get you any combination of: Computer confiscated as evidence (the computer itself is of value to you, right?), hefty fines, or jail time. In the kiddie porn example it doesn't stop there, either. You'll be in a sex offender database for the rest of your life, which means every time a child disappears you're a possible suspect, and as an added bonus every time you move you'll likely have to go around your new neighborhood and introduce yourself and your crimes. "Hi, I'm your new neighbor, eggstacy. I just moved in down the street, and I'm required by law to inform you that I'm a convicted sex offender." Fun for the whole family!
Oh, and they did mention that it doesn't matter whether you knew the kiddie porn was on your HDD or not, right?
Re:*sigh* (Score:2)
1) Send spam in your name
2) DOS machines in your name
3) Wreak general mayhem about the 'net in your name
And ultimately, cause you to lose your precious internet access.
So what if they wanted to break into your computer? Then like other users suggested here, they could stick kiddie porn on your machine and call the FBI. Not my idea of a good time.
Moral of this message: you need security like you need to wear clothes. An inconvenience, but it keeps you from getting into trouble.
Re:*sigh* (Score:1)
Tell them to fuck off because they woke me up, then politely tell them that you are going back to sleep.
Re:*sigh* (Score:2)
Locking a car is often a pointless task. It's much better at preventing casual entry by children than at actually deterring thieves. In a corporate environment, the task should be to secure access to the hardware.
If you can keep the building secure, the only people who can penetrate the security system are the people who penetrated building security. Since anyone within the building usually has free rein to wander around until they find a PC that's still logged in, the final security measure of a log-in is relatively worthless.
Of course, the real test to keep in mind is the courts. If someone else's data is stored on the machine and that machine is not password protected, expect to lose the lawsuit. In the modern world, it's still important to do something after the horses have left the barn.
Re:*sigh* (Score:2)
Handwriting recognition?
(not on a computer)
Logs of physical location?
(not when all the data is accessible from one desk)
When a client gives me an account to their system, I specifically ask for no production system access. I don't want the liability. I would be concerned working in an environment where trouble couldn't be tracked to someone else.
Joe
Re:*sigh* (Score:2)
You would be much better off using keycards or similar devices for tracking purposes as the changing of the user in that respect is a per-application change and the user is much more likely to take the card with them when they leave the workstation. (It's relatively painless and therefore a trainable behavior, where logging off and logging on is often painful and therefore avoided.)
Re:*sigh* (Score:2)
How is a key card different than logging off? Does the key card not change the effective user id? If it does, then how is it faster than logging off and back on? If not, what good is it for tracking users?
Joe
Re:*sigh* (Score:1)
Insurance Company = "Was the car locked?"
Car Thief = "Uh no"
Insurance Company = "You're free to go"
I do *know* that insurance companies sometimes/often make decisions for the "customers" without asking their customers, like paying out to people even though their customer wasn't at fault.
Re:*sigh* (Score:2)
The real issue is that people just cant use computers. What would solve the problem would be some form of transparent biometric authentication.
I'm sorry, but this isn't a solution. Your first sentence says, 'this is a training (i.e., non-technical) problem'. Your second says, 'let's solve it with technology'.
Since I'm a broken record, I will repeat:
What you really need to do is train your employees. Anything short of that won't solve your problems.
Re:*sigh* (Score:2)
Just how wrong can one person be?
Cutting costs - false economy (Score:3, Insightful)
Wouldn't work in Europe (Score:3, Informative)
Re:Well it's about time. (Score:1)
What's better than no password? (Score:2, Interesting)
Yes, that's right, retain some security while still making it super easy on everyone. Perhaps you could even change the password monthly... to the name of the month! (Although that might confuse some people and create more problems.)
Anyway, one password for every user is the compromise that will make everyone happy.
Biometric or Java-ring or... (Score:2)
As for explaining to management why passwords are a good idea, ask them if they would like to see their salaries/bonuses/private email show up on F--CKED Company.com (not as a threat, just to point out what can happen when accounts aren't secured without a password or equivalent.)
Re:Biometric or Java-ring or... (Score:1)
Or show them how with no passwords someone can get to _their_ personal files.
You need to have authentication of users. If you have to allow no passwords, then make one user login with no password. Then by default uses that account. Those competent employees that can remember (not writing it down) a "decent" password should be allowed to acquire a personal passworded account. Then make it cost to reset a password.
The non-passworded account could then be controlled from running rampant. While the more competent users would be allowed the security of operating in a secured environment.
There is nothing on our network worth stealing! (Score:5, Insightful)
No, you don't have anything on your network worth stealing
Not that I'm an expert, by any stretch..... (Score:2)
I get the distinct impression your employers aren't using the features that come with the very expensive software, that they're buying the very expensive service for. I can't really say whether it's a security, or even a software issue. The problem seems obfuscated by significant human resource difficulties.
As an aside, I can't say I'd be opposed to learning what company we're speaking of. I've taken enough of a bath in the market, and this would certainly seem like a good indicator to sell.
Re:Not that I'm an expert, by any stretch..... (Score:1)
Yes it does. They're called OUs. They're a BASIC and fundamental part of Active Directory
And doesn't windows 2000 have a "taskpad" or something, that you could say use the delegation infrastructure to give someone close to the convenient units, embodied in the little containers, the very limited ability of modifying passwords.
Yes it does. In fact it can all be done with a wizard called interestingly enough the delegation of authority wizard
Most companies would do just what you've proposed have one person designated for each area/department/site or whatever to just do password resets. Total cost = 0
Sadly enough... (Score:4, Funny)
Moronically, the high school I was currently attending. I was the "Assistant Admin" (I WAS the admin, don't let the name fool you).
My principal started getting sick and tired of her front desk people having all of their time wasted by students asking their student numbers (also their password).
She came to me saying to take all passwords off, period. The only exception, mine.
It took 400 flunking students getting straight A report cards magically to set her straight.
How often do you force password changes? (Score:5, Insightful)
What is less obvious is that they don't lead to any significant increase in security. Most people, if forced to change their password every month, will use something easy to remember (and easily guessable), like qwerty1, qwerty2, qwerty3, etc. But they still can't remember which version they are currently on, hence the help desk calls.
If you force users to choose strong passwords but not to keep changing them, you'll get both an increase in security and a decrease in help desk calls.
Re:How often do you force password changes? (Score:2)
As an IT security administrator, the smart thing to do would be to require a password that is 10 characters minimum (with numbers or symbols required). Then give plenty of suggestions to users for how they can devise a rather random password (e.g., think of a favorite song, then use the first letters of lyrics from a verse of that song, with numbers or symbols separating sentences). Then force them to change it once a year or so.
Re:How often do you force password changes? (Score:1)
We've got a centralized password thingy, where you have one central password and all sorts of web applications, desktops, etc. all validate against this central server. But there are still problems with some applications that don't work off of this centralized lookup, etc. And centralized password control means that if one account is cracked, the others are wide open.
A good setup IMHO would be to give each user two or more graduated levels of passwords. One password is for their own personal info on HR's page, access to management evaluations of them, etc. - they can decide how secure to make it. Another password is for all business-critical information and apps; you rotate this one every month or two. Another password is for general non-confidential business info; you rotate it once a year or something like that. All applications at a particular "security level" use centralized validation and share the password per user per level. The user account for each is the same, so you maintain accountability even for non-important stuff.
So you have relatively few centralized passwords, but they still are changed based on the risk of what would happen if they became known.
Re:How often do you force password changes? (Score:2)
There's a decision to be made, obviously, as to how great a risk that is versus the cost of having someone deal with lost or forgotten passwords, but if 'qwerty1' is secure from a cracker (yes, I know, it's just an example) then 'qwerty2' is no less so--I've not seen a brute force cracker bright enough to extrapolate even simple tweaks like that, even though a human might do so.
Guessing is a different matter, but sufficiently enforced rules cut down on guessability as well.
Re:How often do you force password changes? (Score:2)
You don't force users to choose strong passwords. They probably have different opinions about what makes strong mustard, you think they're gonna understand your obscure criteria? You give them strong passwords and tell them to memorize. If they don't like '1mA1uZ@r', you can always give them '$m3L1Y@$5'.
security policies (Score:5, Insightful)
seany
Re:security policies (Score:2)
Re:security policies (Score:3, Interesting)
Re:security policies (Score:4, Interesting)
>would be to have a trusted member of staff in each
>building/department/whatever with the authority to
>reset passwords. Note, I said *reset* passwords -
>not the ability to read them.
I once worked at a place where getting your mainframe password reset required getting your manager to sign a form. You took this form down to the data center, where a smirking operator would reset the password.
This is excellent psychology -the user has to interrupt their manager to explain that he/she/it is a bonehead, please sign this form.
So now you've embarrassed the user, and better yet, the boss is annoyed at the user! If the user is a repeat offender, the boss doesn't get mad at those evil IT guys and their password policies, he gets mad at the bonehead who can't remember their password and keeps bothering them. Ah, sweet justice.
Re:security policies (Score:2)
You gotta get people to buy into the idea of security. If they don't, they'll only try to get around your security measures every chance they get.
Re:security policies (Score:2)
>write their password down and tape it to the bottom
>of their keyboard so they don't have to be
>humiliated by their boss.
One former job (not the same one) had a policy that "having a password written down is grounds for termination".
That policy worked well IMHO, I push for a similar password policy wherever I go.
They always shoot me down
However, subsequent events generally provide me a chance to do my "I told you so, but you wouldn't listen" song and interpretive dance.
Re:security policies (Score:2)
What a moron I am. Apparently trying to do your job by carrying your password around (required: at least 8 characters, with one uppercase, one lowercase, one nonalpha, and at least one ancient Hebrew or Easter Island character) should be grounds for planting your foot in their ass Mr Dithers style (well come to think of it he rarely fired Dagwood).
You are a system administrator. Let HR do their damn job, you do yours.
Re:security policies (Score:2)
>gross misbehavior or not doing your job
>effectively that would justify firing someone
OK, here's a true story for you.
A particular HR person *always* had their password written on a sticky on their monitor. This person's account would have access to payroll info, employee records, and other confidential information. Is that employee doing their job effectively? Does this qualify as gross misbehaviour that deserves firing?
>You are a system administrator. Let HR do their
>damn job, you do yours.
The guys at purchasing don't sit around scheming to fire people. Regardless, if I break the rules about how equipment is bought, I will be fired.
This is ridiculous (Score:2)
Instead, just make every password the same, and make sure it's printed on posters all around your workplace!
I must be bored... (Score:3, Funny)
The first few pages showed nothing, but then BINGO!!
http://www.nab.org/conventions/includes/
Finally MS is implementing the security policy they always wanted.
Re:I must be bored... (Score:2)
http://members.tripod.com/~MerlM/
http:
Or a national guardsman who lived through a tornado?
http://enquirer.com/editions/2000/09/23
A boozer?
http://www.stater.kent.edu/stories_old/0
Or maybe he's just not quite so googleable -- on the other hand, based on Microsoft's security track record this isn't entirely unbelievable... Close, but not entirely...
Message from the CEO (Score:3, Interesting)
Complete and utter ability to impersonate your upper management, send out emails supposedly from them and read all their files (assuming you're running AD for NT domains and the email uses the AD etc for authentication)....
What other risks to the business can you think of -
the cleaner can get as anyone...
people can update documents they aren't supposed to..
the list goes on.
What do you mean? (Score:1)
Set up a web page interface to a database that maps people's names, zip codes, mothers' maiden names, credit card nos and passwords. Better yet add a phone interface, this will be cheaper and better than a full-fledged helpdesk.
At the least you could put up a webpage that allows users to reset their passwords to their credit card numbers or SS no. Simple effective and stable web/phone interfaces will do a better job than helpdesk staff.
All this is assuming you have LDAP or other central authentication service. If you do not, hire me
shouldnt this be... (Score:2)
or better yet... an entry on F*ckedCompany.com [fuckedcompany.com] ?
How did you get a job at idiots incorporated? (Score:1)
Howto AutoLogon (Score:2)
In the following registry key: HKEY_LOCAL_MACHINE -> Software -> Microsoft -> WinNT -> CurrentVersion -> WinLogon
Set the following registry values:
AutoAdminLogon -> 1
DefaultUser -> luzer
DefaultPassword -> password
DefaultDomain -> somedomain
Then reboot the system and logon as luzer. Now every time the system is turned on, the system will automatically logon as luzer.
The above information was from memory, so you should verify its accuracy before using it. Since Windows2000 likes to use Active Directory for everything, the DefaultDomain entry may have changed.
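The configuration described in this comment is worth being able to find from the defending side, since a machine set up this way hands a session to whoever powers it on and keeps the account's password readable in the registry. The Python below is an added example, not code from the poster or from Microsoft: it parses the text of a `reg export` of the Winlogon key and reports the two findings. The documented value names under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` are `AutoAdminLogon`, `DefaultUserName`, `DefaultDomainName` and `DefaultPassword` (slightly different from the names given from memory above); the export text embedded in the script is constructed, and the user, domain and password in it are the placeholders used in the comment.

```python
"""Audit a `reg export` of the Winlogon key for automatic logon.

Added example (not from the thread).  The export text below is constructed
to match the setup described in the comment; real exports are produced by
    reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
"""
import re
from typing import Dict, List

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export.  "luzer", "somedomain" and "password" are the
# placeholder values from the comment above, not real credentials.
SAMPLE_EXPORT = '''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="luzer"
"DefaultDomainName"="somedomain"
"DefaultPassword"="password"
"AutoLogonCount"=dword:00000005
'''

# A .reg value line looks like  "Name"="string"  or  "Name"=dword:HEX
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<raw>.+)$')


def _decode(raw: str) -> str:
    """Turn the right-hand side of a .reg value line into a plain string."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return str(int(raw[len("dword:"):], 16))
    return raw  # other types (hex:, expand strings) are kept verbatim


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Map each [key path] in the export to its {value name: value} pairs."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            match = _VALUE_RE.match(line)
            if match:
                keys[current][match.group("name")] = _decode(match.group("raw"))
    return keys


def audit_winlogon(keys: Dict[str, Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    winlogon = next((v for k, v in keys.items()
                     if k.lower() == WINLOGON_KEY.lower()), {})
    findings: List[str] = []
    if winlogon.get("AutoAdminLogon") == "1":
        account = winlogon.get("DefaultDomainName", ".") + "\\" + \
            winlogon.get("DefaultUserName", "<unset>")
        findings.append("AutoAdminLogon is enabled for " + account +
                        ": anyone who powers on the machine gets that session")
        if "DefaultPassword" in winlogon:
            findings.append("DefaultPassword is stored in clear text in the registry")
    return findings


if __name__ == "__main__":
    for finding in audit_winlogon(parse_reg_export(SAMPLE_EXPORT)) or ["no autologon found"]:
        print(finding)
```

Exports written by `reg export` are UTF-16 encoded, so read a real file with `encoding="utf-16"` before handing its text to `parse_reg_export`. Where automatic logon is genuinely required on a kiosk-style machine, the clear-text `DefaultPassword` value is the part to remove; the Sysinternals Autologon tool stores the password as an LSA secret instead of a readable registry string.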
two issues of interest (Score:2)
A better response is to force the user to use a password including a capital letter, a lower case letter, a digit and a non-letter character; to be at least 8 characters long; to never expire and have no history. Then the user is forced to pick a (relatively) good password, and won't forget it.
My company forces a password reset every 90 days, and won't let you reuse the last 8 passwords. I have my normal 2 strong passwords, then I go into a cycle of fairly weak (but easy to remember) passwords. At least it's not like when I was at IBM, where everyone had their RETAIN passwords written on the whiteboards (5 characters, randomly assigned by the computer every 30 days!).
Re:two issues of interest (Score:1)
The users are having problems forgetting passwords, eg:
qwerty
qwerty1
qwerty2
"shit..I forget if my password's qwerty1 or qwerty2.. I could try and figure out which one, but I'll just call the help desk."
Read the Fricken Ppppppppppppost.
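The complexity rule given in the "two issues of interest" comment and the qwerty1/qwerty2 rotation problem that this reply (and the "How often do you force password changes?" thread) keep coming back to can both be checked at the moment a user changes a password. The Python below is an added example, not code from any commenter: `complexity_errors` applies the stated rule (at least 8 characters, upper case, lower case, a digit and a non-letter character; reading "non-letter" as non-alphanumeric is an assumption), and `is_rotation_of` refuses a new password that merely bumps a trailing counter or differs from the old one by a couple of edits, so the policy does not rely on crackers being too dim to try the obvious tweak.

```python
"""Password-change policy check (added example, not from the thread).

Rule enforced: at least 8 characters, an upper-case letter, a lower-case
letter, a digit and a non-alphanumeric character.  A change is also
rejected when the new password is a trivial tweak of the old one
(qwerty1 -> qwerty2), which is exactly what expiry-driven rotation produces.
"""
import re
from typing import List, Optional

MIN_LENGTH = 8
_TRAILING_COUNTER = re.compile(r"^(.*?)(\d+)$")  # stem + trailing digits


def complexity_errors(password: str) -> List[str]:
    """Return the rules the password fails, in a fixed order (empty = passes)."""
    errors: List[str] = []
    if len(password) < MIN_LENGTH:
        errors.append(f"too short (minimum {MIN_LENGTH} characters)")
    if not re.search(r"[A-Z]", password):
        errors.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        errors.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        errors.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        errors.append("no non-alphanumeric character")
    return errors


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch 'change one character' rotations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete
                           cur[j - 1] + 1,             # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_rotation_of(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is the old password with its counter bumped or a
    couple of characters changed, i.e. a rotation anyone would guess."""
    o, n = old.lower(), new.lower()
    if o == n:
        return True
    old_stem = _TRAILING_COUNTER.match(o)
    new_stem = _TRAILING_COUNTER.match(n)
    if new_stem and new_stem.group(1) == (old_stem.group(1) if old_stem else o):
        return True  # same stem, only the trailing digits were added or changed
    return levenshtein(o, n) <= max_distance


def evaluate(new: str, old: Optional[str] = None) -> List[str]:
    """All reasons a proposed change should be refused (empty list = accept)."""
    problems = complexity_errors(new)
    if old is not None and is_rotation_of(old, new):
        problems.append("too similar to the previous password")
    return problems


if __name__ == "__main__":
    # Constructed history showing the pattern behind the help-desk calls.
    history = [("qwerty", "qwerty1"), ("qwerty1", "qwerty2"),
               ("Qwerty1!", "Qwerty2!"), ("Qwerty2!", "Zx9!kLmq")]
    for previous, proposed in history:
        print(f"{previous!r} -> {proposed!r}: {evaluate(proposed, previous) or 'accepted'}")
```

The similarity check deliberately compares case-insensitively and keeps the edit-distance threshold small; raising `max_distance` makes the policy stricter, but past two or three edits it starts rejecting genuinely new passwords that happen to share a few characters. The `old` argument should be the previous password as supplied by the user during the change, not a stored clear-text copy.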
Re:two issues of interest (Score:2)
Re:two issues of interest (Score:2)
Re:two issues of interest (Score:2)
Here's a cheap and semi-secure solution (Score:3, Interesting)
You can get by with only one dialer 'cause you can just batch up the requests and do them sequentially. I'm sure there are a jillion ways to get the telephony/voice synth part working. There's Bayonne, etc. Since you're only talking about letters, numbers, and punctuation, you could just have someone read the letters into WAV/MP3 files and stream them into a voicemodem. Just a thought!
Re:Here's a cheap and semi-secure solution (Score:2)
Re:Here's a cheap and semi-secure solution (Score:2)
if the phones aren't on a lock, then an automated touch tone system would work.
Company Name (Score:2)
If so, I'm going to buy a few shares so I can sue them for mismanagement.
Password Management Program (Score:1)
This is a very simple solution. (Score:2)
Hire an intern that does nothing but reset passwords. You can set up a script in NT/linux/solaris what ever that only has this ability.
Pay him nothing if it is an intern, or pay him the minimums. Force him to sign a security agreement first of course.
Now what you have is someone that is getting paid next to nothing that has taken 50% of your work load out of the picture costing less than anything upper management could ever dream.
My suggestion is that you find someone in your family, friends, or something like that. Someone just out of high school that you have a personal contact with. IE you can trust him more than the average joe. Then lay it out for them "look man, I have a job where all you have to do is change passwords all day and you can study, play games, etc..etc.. and get paid like you were flipping burgers.". Dream job for the average noob computer guy.
good luck,
Simple solution (Score:1)
You'll probably need to make it a secretary or similar, but ideally it would be the managers so they can actually appreciate which users are on the ball and which are completely inept.
You get to maintain reasonable security, you save the cost of all of those unnecessary help desk calls, and your management gets a little more perspective on who they have working for them. Problem solved
Other than Microsoft, you mean? (Score:1)
Tell Management to talk to Legal FIRST! (Score:2)
Ask your General Counsel if he would be happy to have each and every one of your company's business records rendered inadmissible in court if the company gets sued or sues someone else.
Security features like (DUH!) forgettable passwords allow you to PROVE who has accessed the documents and databases on your network. This is why MOST companies make it a termination offense to reveal your username and password to anyone else, employee or not.
Without secure logins, documents and business records can be tracelessly forged or falsified. The ONLY reason business records are admissible in evidence over a hearsay objection is because normal record-keeping practices TEND to cause them to be more reliable than other hearsay evidence. As soon as these records can be accessed by multiple persons without being able to prove WHO actually accessed them they become worthless.
If this is a publicly-owned company, PLEASE let us know which one it is so we can divest ourselves of its stock BEFORE they do something this outrageously STUPID!
Full steam ahead (Score:1)
Folks around here are downright extreme about security (OK State Univ was mentioned on Slashdot a couple of times for it), so anyone who seriously tried to suggest such a silly idea would be out on the street in a heartbeat.
Re:Full steam ahead (Score:2)
Humans protect one another and share resources in innovative ways. The upper management would float away on a cloud of money while the people who weren't at fault find themselves in court tearing at what's left of the looted corporate carcass to get their pensions, 401k's or even just their last paycheck.
Look at Enron. The officers of that company left a swath of destruction so wide it's counted only to the nearest billion. You think Kenny Lay isn't going to be living in a mansion while he sees his kids off to ivy league schools and pulls down huge consulting fees after all is said and done? Christ, Bush is trying to appoint a friendly family friend who's being sued for fraud so he can "bring integrity back to the SEC!"
Apparently, the meaning of integrity has changed a lot over the years.
A funny aside. When I was a frisky metallurgical engineering student back in the day, we were told we had to take an ethics class. And unlike lawyers, we as engineers couldn't afford to pay it lip service. If we cheat, people might well die. In scores. Fair enough, I'd always thought of myself as a pretty ethical person; a trait I can't say has served me well, incidentally. If you ever doubt the world is cast in shades of grey, subtle variations of hue, your ethics professor telling you it's ok to lie on your resume will swiftly disabuse you of that notion.
"Remove the security" ? Hardly. (Score:2)
is hardly "removing security". How do you see that doing so would materially change the practical security of your organization's data? Systems are almost always logged in anyhow. That's why nobody can remember their password. (You might get the same sort of savings with a material increase in "security" by enforcing password-protected screensavers everywhere, because then the passwords would always be in mind.)
"Security" is mostly a waste of time and money, and only has value when it defends against an actual breach. It is wise economic planning to marshal your resources to address the cases with favorable cost/benefit. Surely you don't mean to argue that the decision is erroneous if it results in a net savings? If you do, then "security" is a religion for you, not a tool.
All too often, security means you can't do your job. The $20 for the support call is just the tip of the iceberg. It's the 2 hours that a meeting to close a $500,000 deal gets delayed, or the hour that two $300/hr consultants cool their heels while Mr. PHB deals with support that are the real costs here.
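The password-protected screensaver enforcement suggested in this comment, as an added example that is not part of the original thread: a PowerShell script that audits whether lock-on-idle is actually enforced by policy (rather than left as a user preference the user can switch off) and, when run with -Enforce, writes the policy values. The policy registry path, the value names, the 600-second default timeout and the use of scrnsave.scr as the lock-screen saver are the editor's assumptions about standard Windows behaviour, not anything stated in the thread.

```powershell
# Added example (not from the original post): audit, and optionally enforce, a
# password-protected screen saver through the per-user policy registry values
# that the Group Policy settings "Password protect the screen saver" and
# "Screen saver timeout" write. Run as the user being audited; in a domain,
# push the same values through a GPO rather than per-machine scripts.
#
# Assumptions: the policy path below is honoured by the Windows build in use,
# and the blank screen saver scrnsave.scr exists under System32.

param(
    [switch]$Enforce,                 # write the policy values instead of only reporting
    [int]$TimeoutSeconds = 600        # idle time before the lock engages (assumed default)
)

$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
$UserKey   = 'HKCU:\Control Panel\Desktop'

# Policy values override the user's own Control Panel settings, so the
# effective value is the first hit in policy-then-user order.
function Get-EffectiveSetting {
    param([string]$Name)
    foreach ($key in @($PolicyKey, $UserKey)) {
        $item = Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            return [pscustomobject]@{ Name = $Name; Value = $item.$Name; Source = $key }
        }
    }
    return [pscustomobject]@{ Name = $Name; Value = $null; Source = '(unset)' }
}

# Returns a list of findings; an empty list means the lock is enforced by policy.
function Test-SecureScreenSaver {
    $active  = Get-EffectiveSetting 'ScreenSaveActive'
    $secure  = Get-EffectiveSetting 'ScreenSaverIsSecure'
    $timeout = Get-EffectiveSetting 'ScreenSaveTimeOut'
    $exe     = Get-EffectiveSetting 'SCRNSAVE.EXE'

    $problems = @()
    if ($active.Value -ne '1') { $problems += 'screen saver is not enabled' }
    if ($secure.Value -ne '1') { $problems += 'screen saver does not require a password' }
    if (-not $exe.Value)       { $problems += 'no screen saver executable configured' }
    if (-not $timeout.Value -or [int]$timeout.Value -gt $TimeoutSeconds) {
        $problems += "timeout is '$($timeout.Value)' seconds, want <= $TimeoutSeconds"
    }
    # A setting that lives only under the user key is a preference, not a control.
    foreach ($s in @($active, $secure, $timeout, $exe)) {
        if ($s.Source -eq $UserKey) {
            $problems += "$($s.Name) is a user preference, not policy (user can turn it off)"
        }
    }
    return ,$problems
}

function Set-SecureScreenSaverPolicy {
    New-Item -Path $PolicyKey -Force | Out-Null
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1' -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds" -Type String
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE' `
        -Value (Join-Path $env:SystemRoot 'System32\scrnsave.scr') -Type String
}

if ($Enforce) { Set-SecureScreenSaverPolicy }

$findings = Test-SecureScreenSaver
if ($findings.Count -eq 0) {
    Write-Output "OK: password-protected screen saver enforced by policy (timeout <= $TimeoutSeconds s)"
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
    exit 1
}
```

The non-zero exit code lets a fleet audit collect failing machines. Note the caveat the reply below raises: a locked screen only blocks walk-up access to a running session; it does nothing for data on the disk if the machine is booted from other media or the drive is removed.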
Re:"Remove the security" ? Hardly. (Score:2)
What you're doing is making it far easier for someone to access information that they shouldn't on the spur of the moment. I would hope that part of the reason they're getting all those calls about passwords is because users' workstations lock by default when they're idle. If not, every file on every machine is potentially available to the cleaning staff, visiting A/C or phone technicians, clients waiting in an empty office...if you have data on those machines (email? memos? unreleased product information?) that you don't want the outside world to have access to, you're incredibly foolish to make no effort to secure them.
"Security" is mostly a waste of time and money, and only has value when it defends against an actual breach. It is wise economic planning to marshall your resources to address the cases with favorable cost/benefit. Surely you don't mean to argue that the decision is erroneous if it results in a net savings?
Here I really disagree. If you're "defending against an actual breach," which is to say dealing with a situation where you've already been compromised, that's not security. Yes, you do a cost/benefit analysis, but that analysis isn't "it costs us $x per year to reset people's passwords, and $0 to simply do away with the passwords."
Maybe some of those workstations don't need to be locked, and you can cut down on calls by leaving them open...but you have to consider the potential costs associated with lowering security: what if the data from that computer is made public? Could someone install malicious software on that machine, and what would the potential damage to the network be? What other machines could someone access from that workstation? The potential costs in system damage, lost business, etc. may end up making the costs of those password calls look like a good investment.
If you don't evaluate the potential costs of a security breach, you're in no position to decide whether or not there's a net savings.
that's absolutely... (Score:2, Funny)
fantastic... probably the best idea I've ever heard... say... where do you work? :)
You know, you could try this: (Score:2)
Author unknown, but it's a classic! (and for once, RELEVANT!)
Removing security from Win2K? (Score:1)
So here's what upper management wants to do: remove the security from all of our Windows 2000 machines. Has anybody else seen security cut just to save money?
I've got some Windows 98 CDs you can have for free around here somewhere....
My Job is Busting Morons Like This (Score:2)
I work as a security auditor for an accounting firm. I go in ahead of the auditors and sign off on the systems in use in the company and basically give the OK for the auditors to come in and do their job.
If I discovered that a company hadn't taken as simple and easily implementable a security precaution as passworded access to systems, I would simply say in my report that the auditors could not rely on the evidence provided to them from the company.
This is VERY VERY VERY bad. CIOs can, have and do get fired over less than this.
Auditing standards for security are (frustratingly) low, and yet if you don't pass them and you're a publicly traded company - you're fucked. If you're a private firm, a partnership or anything where someone else doesn't actually own the company - do what you want. If you're public, you're assuming an ENORMOUS risk. (Here I mean risk in the business-audit sense of the word.)
Basically, if you implement this, it will last up until the next audit at which time the people responsible for this decision will be forced to recant and if they don't have the word "chief" in their title, they'll probably be fired.
Some ideas (Score:2)
Can you implement a SecurID-type solution? The person carries a token that identifies them to the system. This isn't perfect security, but it is a step above no passwords, and for high-security needs it is a part of the solution. These can be lost too, but that is a slightly different problem, so you might find it happens less often.
Have you looked at bio-type IDs (fingerprint or eye scan)? These are not very good yet, but might be good enough.
Last, ask why users are forgetting their passwords. I find that when I log onto a system every day I don't forget the password. That holds even if it changes fairly often. Perhaps you need to implement a system where all passwords are always in sync so that users only have one password to remember.
Maybe you need to keep statistics that better reflect what is happening. It doesn't sound like your problem, but a small number of password resets per person is normal, and a small number, when you have a lot of people around, can still be a large number out of context.
Bill-back + Biometrics/Smart Card auth? (Score:2)
Have you considered billing back use of the outsourced helpdesk to the other departments? Hit them in the wallet, and in doing so they need to fill out paperwork every time they want a password changed. No writing them down either - that should be grounds for termination.
If not, maybe you need to consider either biometrics or access cards. You could replace password auth with smart card auth, and if they lose it they need to report it immediately or they really will get fired.