#51
11-18-2019, 07:40 PM
alphaboi867
Member
 
Join Date: Feb 2005
Location: the Keystone State
Posts: 14,436
Quote:
Originally Posted by Shodan View Post
...On a related note, my phone wasn't working, and nobody could call me because it didn't ring, but went straight to voice mail. I IM'ed the helpless desk. Their first question was "what is your call back number?" And they couldn't accept my cell number because it had to be a company-owned device...
A few months ago I got locked out of all systems at work including my email. The IT "Help" Desk kept insisting they had to send me a password reset email and that it was the only way to reset my password. They were very insistent that it was impossible to reset it any other way. To be fair, he did offer to send it to my personal email, which is blocked on company computers; we have no wifi for ordinary employees, and data service in our building sucks. Eventually I had to escalate 2 management levels to get it resolved. And our parent company is a global technology company to boot.
__________________
No Gods, No Masters

Last edited by alphaboi867; 11-18-2019 at 07:44 PM.
#52
11-20-2019, 04:18 PM
gotpasswords
Charter Member
 
Join Date: Mar 1999
Location: San Francisco area
Posts: 16,436
Quote:
Originally Posted by Die Capacitrix
And we also had a system with an interesting feature. People would set their password to password12 and the system would accept it. But when they input the password, it got truncated to password before being sent to the system. They could never log in again.
Sounds like there may have been an old mainframe in there somewhere. Until just a couple of years ago, our mainframes running CA Top Secret would cheerfully ignore the ninth and any further characters typed into the password field at login. You couldn't create a password longer than eight characters, but if your password was password you could enter passwordsarethetoolofthedevilandadda#anda7forthehellofit and you'd get in. That's been fixed and users can use anything from 6 to 128 characters.
#53
11-21-2019, 02:46 PM
Llama Llogophile
Guest
 
Join Date: Apr 2002
Location: 50% chord point
Posts: 4,096
Hey, I've got another one.

Got assigned an online course for company training. I've used this system before but can't find my credentials. I get on the site and the only way to recover a password is if you already know your user name. I call them up, they readily acknowledge that I am, in fact, me, because I can spell my complex last name, and I know the email and phone number associated with the account.

But... no. They won't give me my user name, which would enable me to reset my password. Because "security". I have to contact some damn administrator at my company. We are truly living in Terry Gilliam's Brazil.

What's really laughable about this is the training and tests I'm supposed to do are very industry specific and esoteric information. They even give you the answers as part of the course! What am I going to do, hire a 15-year-old Asian kid to take it for me like it's the SAT? This is absurd.

Last edited by Llama Llogophile; 11-21-2019 at 02:47 PM.
#54
11-21-2019, 02:57 PM
manson1972
Member
 
Join Date: Jan 2004
Posts: 12,586
I don't understand this one. They shouldn't just give you your username over the phone. And you have to call someone to get it? So what? It's for your own protection.

Security is not there for your convenience. It's for your protection. Read some of Mitnick's books about what he could accomplish simply because people told him stuff over the phone.
#55
11-21-2019, 03:10 PM
Llama Llogophile
Guest
 
Join Date: Apr 2002
Location: 50% chord point
Posts: 4,096
Quote:
Originally Posted by manson1972 View Post
I don't understand this one. They shouldn't just give you your username over the phone. And you have to call someone to get it? So what? It's for your own protection.

Security is not there for your convenience. It's for your protection. Read some of Mitnick's books about what he could accomplish simply because people told him stuff over the phone.
As I said in the last paragraph of my post, it's more because the stakes are so low that I find this ridiculous.

But even so, the information I gave them (on the phone because there was no other method provided) should pretty well establish my identity. Counting the email address, I gave them about 5 factors of authentication. My own protection? Maybe in theory. But in actuality here's what was accomplished today - they prevented an authentic user from accessing the system legitimately.
#56
11-21-2019, 03:14 PM
manson1972
Member
 
Join Date: Jan 2004
Posts: 12,586
Quote:
Originally Posted by Llama Llogophile View Post
As I said in the last paragraph of my post, it's more because the stakes are so low that I find this ridiculous.

But even so, the information I gave them (on the phone because there was no other method provided) should pretty well establish my identity. Counting the email address, I gave them about 5 factors of authentication. My own protection? Maybe in theory. But in actuality here's what was accomplished today - they prevented an authentic user from accessing the system legitimately.
Sometimes that happens. Perhaps the system also prevented 25 malicious users from accessing the system illegitimately?

I'm curious though, did you give them all your 5 factors of authentication before or after they told you that you had to call someone else to get your username?
#57
11-21-2019, 03:25 PM
Llama Llogophile
Guest
 
Join Date: Apr 2002
Location: 50% chord point
Posts: 4,096
Quote:
Originally Posted by manson1972 View Post
Sometimes that happens. Perhaps the system also prevented 25 malicious users from accessing the system illegitimately?
I seriously doubt that, again because this is a very esoteric undertaking with not very much at stake. There would be no reason to hack it. The only thing I can imagine their precautions would guard against would be someone else logging in as me to take the tests for me. But if I were going to do that, I'd just give my credentials to that person. Or, if physically present, log in and let them have at it.

More to the overall point though, when we design security systems that are meant to thwart the .0000whatever percentage of people with nefarious intentions and inconvenience the vast majority of people who aren't up to no good... well, that's bad. I grant you, sometimes it's necessary when the stakes are high. But even then, we see things go awry (hello TSA!) and have good reason to question how we do things.

I see a lot of creep on this, both online and in the physical world and I'm getting a bit fed up. Hence the title of this thread. I'm not up to no good, never have been, never will be and I'm tired of being thwarted from doing what I need to do by security that is poorly designed, overly aggressive and sometimes of questionable necessity in the first place.

Quote:
Originally Posted by manson1972 View Post
I'm curious though, did you give them all your 5 factors of authentication before or after they told you that you had to call someone else to get your username?
I spoke with two people and gave them both some information to identify myself. They seemed about to help, then put me on hold, came back and said no.
#58
11-21-2019, 03:47 PM
manson1972
Member
 
Join Date: Jan 2004
Posts: 12,586
Quote:
Originally Posted by Llama Llogophile View Post
More to the overall point though, when we design security systems that are meant to thwart the .0000whatever percentage of people with nefarious intentions and inconvenience the vast majority of people who aren't up to no good... well, that's bad.
Seems to me to only inconvenience those who forget their username, and don't know the policy on who to call to get it. Clear instructions on what to do to get your username should be on the web site. If they are not, that's not security's fault.

Quote:
I spoke with two people and gave them both some information to identify myself. They seemed about to help, then put me on hold, came back and said no.
Those two people wasted your time because they didn't know the policy. Again, not security's fault.
#59
11-21-2019, 04:16 PM
squidfood
Guest
 
Join Date: Nov 2006
Posts: 470
I did science for a Federal agency. I worked on a campus with several federal buildings. The building next to mine was a different branch of our agency, but we collaborated a lot. Also, this campus was a loong way from Washington DC.

We had a project that required the regular transfer of many many GB back and forth (but a high-speed network was still faster than carrying a hard drive back and forth). Unfortunately, the two agency branches had their own separate IT security divisions headquartered in DC. So the setup meant every byte had to go from our campus to DC, be inspected by one branch's security outbound, go to the other branch in DC, be inspected inbound, then sent back to the other building on our campus. This was incredibly slow AND kept breaking/timing out. After many many tickets and lots of head-scratching, and many many refusals from national IT to bypass, someone in DC (and I got this in writing) said: there's no policy we can find against just running a stealth cable between buildings and treating one computer in building A as if it was located in building B. So that's what we did.
#60
11-21-2019, 04:19 PM
manson1972
Member
 
Join Date: Jan 2004
Posts: 12,586
Quote:
Originally Posted by squidfood View Post
I did science for a Federal agency. I worked on a campus with several federal buildings. The building next to mine was a different branch of our agency, but we collaborated a lot. Also, this campus was a loong way from Washington DC.

We had a project that required the regular transfer of many many GB back and forth (but a high-speed network was still faster than carrying a hard drive back and forth). Unfortunately, the two agency branches had their own separate IT security divisions headquartered in DC. So the setup meant every byte had to go from our campus to DC, be inspected by one branch's security outbound, go to the other branch in DC, be inspected inbound, then sent back to the other building on our campus. This was incredibly slow AND kept breaking/timing out. After many many tickets and lots of head-scratching, and many many refusals from national IT to bypass, someone in DC (and I got this in writing) said: there's no policy we can find against just running a stealth cable between buildings and treating one computer in building A as if it was located in building B. So that's what we did.
When was this?
#61
11-21-2019, 04:26 PM
squidfood
Guest
 
Join Date: Nov 2006
Posts: 470
Quote:
Originally Posted by manson1972 View Post
When was this?
8-10 years ago - a couple years back the agency actually listened to scientists and greenlighted/contracted some cloud services (shocker I know)
#62
11-21-2019, 04:39 PM
manson1972
Member
 
Join Date: Jan 2004
Posts: 12,586
Quote:
Originally Posted by squidfood View Post
8-10 years ago - a couple years back the agency actually listened to scientists and greenlighted/contracted some cloud services (shocker I know)
That's good. Because now, I can think of several Federally mandated policies and security controls that make running a rogue cable between buildings a very bad idea.

As an aside, the good security folks should work with the people involved to determine a safe and secure method to do what they want to do.

The bad ones just say "Nope!"

I hate the bad ones too. US Army, I'm looking at you!

Last edited by manson1972; 11-21-2019 at 04:40 PM.
#63
11-21-2019, 04:46 PM
Llama Llogophile
Guest
 
Join Date: Apr 2002
Location: 50% chord point
Posts: 4,096
Quote:
Originally Posted by manson1972 View Post
Seems to me to only inconvenience those who forget their username, and don't know the policy on who to call to get it. Clear instructions on what to do to get your username should be on the web site. If they are not, that's not security's fault.

Those two people wasted your time because they didn't know the policy. Again, not security's fault.
So it's everyone's fault except the people who do security. Got it.

My best friend (now deceased) was a computer security expert, a specialist in cryptography. He used to complain about "users" too. He and I had an ongoing argument about users vs. systems, and my point was that if the system continually induces the same kinds of problems for multiple people, then there's something wrong with the system.
#64
11-21-2019, 04:50 PM
manson1972
Member
 
Join Date: Jan 2004
Posts: 12,586
Quote:
Originally Posted by Llama Llogophile View Post
So it's everyone's fault except the people who do security. Got it
Yeah. There's a policy that everyone is supposed to follow but nobody knew it. How's that security's fault?

Quote:
My best friend (now deceased) was a computer security expert, a specialist in cryptography. He used to complain about "users" too. He and I had an ongoing argument about users vs. systems, and my point was that if the system continually induces the same kinds of problems for multiple people, then there's something wrong with the system.
Of course I agree that if a system is hampering a significant amount of people, then yes, it needs to be looked at.

But every user thinks they are "significant"
#65
11-21-2019, 04:53 PM
squidfood
Guest
 
Join Date: Nov 2006
Posts: 470
Quote:
Originally Posted by manson1972 View Post
That's good. Because now, I can think of several Federally mandated policies and security controls that make running a rogue cable between buildings a very bad idea

As an aside, the good security folks should work with the people involved to determine a safe and secure method to do what they want to do.
I sure as hell wouldn't have done it without that CYA email from headquarters, that's for damn sure! I thought at the time "are you suuure it doesn't violate something" but it was their call. (also, there were existing telephony conduits so it wasn't like we were stringing cables in trees).

They (DC IT) actually worked earnestly to try to get the "through HQ" routing working and we were never sure where in the chain it was timing out. I got the impression that someone above them was preventing them from setting up a direct pipe and there were HQ politics involved - the cable solution may have been a bit of malicious compliance towards their own bosses.
#66
11-21-2019, 05:29 PM
Dr. Strangelove
Guest
 
Join Date: Dec 2010
Posts: 8,165
Quote:
Originally Posted by Llama Llogophile View Post
I seriously doubt that, again because this a very esoteric undertaking with not very much at stake.
You might be surprised. Automated hacking systems are always running, scanning the internet for exposed services and exploiting bad passwords, known backdoors, etc.

I have a web server that's run a few no-stakes services over the years: a webforum that was never used, a WordPress blog site, a simple photo album. All of them were hacked. They were filled with spam, probably the password DBs harvested, and the scripts were changed to themselves send out spam.

Fortunately, these sites were never very important, so it was no loss just to delete them and move on. The automated systems that hack them don't care about that, though.

If your work services have any public-facing aspect at all, then there will be hack attempts. That's not to say that IT is doing the right thing here, but assuming that you'll never be hacked because you're unimportant is false.
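What that automated scanning looks like from the receiving end is worth seeing. The following is an added example, not code from the post or from any product it mentions: a small detector over constructed OpenSSH-style authentication log lines (the hostname, usernames and addresses are made up, with addresses drawn from documentation ranges). It flags a source address with many failed logins inside a short sliding window and, more importantly, a successful login from such an address, which is the signature of a guessed weak password rather than a real user who mistyped once.

```python
"""Brute-force and guessed-credential detection over sshd auth log lines.

Added example. SAMPLE_LOG is constructed for the demonstration; it is not a
real log, and the detector is not part of OpenSSH or any vendor product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample in sshd's syslog format (addresses from RFC 5737 ranges).
SAMPLE_LOG = """\
Nov 21 17:02:11 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Nov 21 17:02:14 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51024 ssh2
Nov 21 17:02:20 web1 sshd[2105]: Failed password for invalid user oracle from 203.0.113.7 port 51030 ssh2
Nov 21 17:02:27 web1 sshd[2107]: Failed password for invalid user test from 203.0.113.7 port 51034 ssh2
Nov 21 17:02:31 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51040 ssh2
Nov 21 17:02:44 web1 sshd[2111]: Failed password for backup from 203.0.113.7 port 51046 ssh2
Nov 21 17:03:40 web1 sshd[2120]: Accepted password for backup from 203.0.113.7 port 51052 ssh2
Nov 21 17:04:02 web1 sshd[2131]: Failed password for deploy from 198.51.100.20 port 40010 ssh2
Nov 21 17:04:09 web1 sshd[2133]: Accepted password for deploy from 198.51.100.20 port 40012 ssh2
Nov 21 17:04:30 web1 sshd[2137]: Failed password for invalid user pi from 192.0.2.9 port 33001 ssh2
Nov 21 17:04:55 web1 sshd[2139]: Failed password for invalid user pi from 192.0.2.9 port 33003 ssh2
Nov 21 17:05:10 web1 sshd[2140]: pam_unix(sshd:session): session opened for user deploy by (uid=0)
"""

# Matches only the Failed/Accepted lines; everything else (pam, disconnects) is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


class AuthEvent(NamedTuple):
    ts: datetime
    result: str  # "Failed" or "Accepted"
    method: str  # "password", "publickey", ...
    user: str
    ip: str


def parse_line(line: str) -> Optional[AuthEvent]:
    """Return an AuthEvent for a Failed/Accepted sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for the relative windows used below.
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    return AuthEvent(ts, m["result"], m["method"], m["user"], m["ip"])


def analyze(log_text: str, threshold: int = 5,
            window: timedelta = timedelta(minutes=2)
            ) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Return (brute-forcing IPs -> peak failures in one window,
    successful logins from those IPs as (ip, user) pairs)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    failures: Dict[str, List[datetime]] = defaultdict(list)
    for e in events:
        if e.result == "Failed":
            failures[e.ip].append(e.ts)
    bruteforce: Dict[str, int] = {}
    for ip, times in failures.items():
        times.sort()
        lo, best = 0, 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # slide the window's left edge
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            bruteforce[ip] = best
    # A success from an address that was guessing is the alert that matters:
    # the weak password was found, not merely tried.
    suspicious_logins = [(e.ip, e.user) for e in events
                         if e.result == "Accepted" and e.ip in bruteforce]
    return bruteforce, suspicious_logins


if __name__ == "__main__":
    guessing, compromised = analyze(SAMPLE_LOG)
    print("brute-force sources:", guessing)
    print("logins from those sources:", compromised)
```

On the sample, 203.0.113.7 is flagged with six failures in well under two minutes and its later success as "backup" is reported; 198.51.100.20 (one typo, then success) and 192.0.2.9 (two guesses) stay below the default threshold. Lowering the threshold or widening the window trades false positives against slower, distributed guessing.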
#67
11-21-2019, 05:30 PM
squidfood
Guest
 
Join Date: Nov 2006
Posts: 470
Quote:
Originally Posted by gotpasswords View Post
Sounds like there may have been an old mainframe in there somewhere. Until just a couple of years ago, our mainframes running CA Top Secret would cheerfully ignore the ninth and any further characters typed into the password field at login. You couldn't create a password longer than eight characters, but if your password was password you could enter passwordsarethetoolofthedevilandadda#anda7forthehellofit and you'd get in. That's been fixed and users can use anything from 6 to 128 characters.
There was one app I used where it sent username and password as a combined (hopefully encrypted but I dunno) string to the server like this: username@domain/password.

When you set the password, you were allowed to use the @ in the password (and of course you were encouraged to include at least one special character). Unfortunately when the system then parsed the combined string, the @ would read as the domain separator and you could never log on.
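The three stories quoted and told in this post and in gotpasswords' post above (the Top Secret login that ignored everything after the eighth character, the client that cut password12 down to password before sending it, and the @ that a combined username@domain/password string read as a domain separator) are one defect: the path that enrolls a credential and the path that verifies it apply different rules. The Python below is an added example, not code from the mainframe, the application or any poster. The 8-character limit, where the truncation happens and the last-@ parsing are assumptions standing in for behaviour the posts describe only in outline, and the usernames, domain and passwords are made up.

```python
"""Enrollment and login paths that disagree, modelled in plain Python.

Added example; illustrative only, not Top Secret's or the application's code.
"""
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import quote, unquote


def _digest(secret: str) -> bytes:
    # Unsalted SHA-256 keeps the example self-contained. Real password storage
    # uses a slow, salted KDF (scrypt, bcrypt, Argon2); the bugs shown here do
    # not depend on the hash.
    return hashlib.sha256(secret.encode("utf-8")).digest()


def enroll(password: str, max_len: Optional[int] = None) -> bytes:
    """Store a password. A backend that cannot hold more than max_len
    characters rejects longer ones outright (assumed 8 for the mainframe)."""
    if max_len is not None and len(password) > max_len:
        raise ValueError(f"password longer than {max_len} characters")
    return _digest(password)


def login(stored: bytes, typed: str, truncate_to: Optional[int] = None) -> bool:
    """Verify a typed password. truncate_to models a login path (terminal,
    client or backend) that silently drops everything after N characters."""
    candidate = typed[:truncate_to] if truncate_to is not None else typed
    return hmac.compare_digest(stored, _digest(candidate))


# --- Delimited credential blob, username@domain/password --------------------

def join_naive(user: str, domain: str, password: str) -> str:
    """Concatenate with bare delimiters; nothing stops a field containing one."""
    return f"{user}@{domain}/{password}"


def parse_naive(blob: str) -> Tuple[str, str, str]:
    """Take the last '@' as the domain separator. This is an assumption about
    how the app read the string; the post only says an '@' broke it."""
    user, _, rest = blob.rpartition("@")
    domain, _, password = rest.partition("/")
    return user, domain, password


def join_safe(user: str, domain: str, password: str) -> str:
    """Percent-encode every field so a delimiter can never appear inside one."""
    return f"{quote(user, safe='')}@{quote(domain, safe='')}/{quote(password, safe='')}"


def parse_safe(blob: str) -> Tuple[str, str, str]:
    """Inverse of join_safe: split on the first '@' and '/', then decode."""
    user, _, rest = blob.partition("@")
    domain, _, password = rest.partition("/")
    return unquote(user), unquote(domain), unquote(password)


def demo() -> dict:
    """Run the three scenarios from the thread and report each outcome."""
    long_pw = "passwordsarethetoolofthedevilandadda#anda7forthehellofit"
    mainframe = enroll("password", max_len=8)   # 8-character store
    full_store = enroll("password12")           # store kept all 10 characters
    creds = ("alice", "corp.example", "p@ss/w0rd")  # made-up credentials
    return {
        # Login truncates to 8, so the long string matches "password".
        "long_input_accepted_by_legacy": login(mainframe, long_pw, truncate_to=8),
        # After the fix the whole string must match; it does not.
        "long_input_accepted_after_fix": login(mainframe, long_pw),
        # Store has "password12", client sends "password": user is locked out.
        "password12_user_locked_out": not login(full_store, "password12", truncate_to=8),
        # '@' inside the password shifts the domain split.
        "naive_roundtrip_ok": parse_naive(join_naive(*creds)) == creds,
        "safe_roundtrip_ok": parse_safe(join_safe(*creds)) == creds,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fix in both halves is the same rule: enrollment must reject, or encode, anything the login path cannot carry intact, and the login path must never silently discard or reinterpret part of what the user typed. Checking that a freshly set password actually logs in, through the same client the users have, catches every variant of this before a ticket does.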
#68
11-21-2019, 10:58 PM
Nava
Member
 
Join Date: Nov 2004
Location: Hey! I'm located! WOOOOW!
Posts: 43,053
Quote:
Originally Posted by manson1972 View Post
Seems to me to only inconvenience those who forget their username, and don't know the policy on who to call to get it. Clear instructions on what to do to get your username should be on the web site. If they are not, that's not security's fault.
That would depend on whether security has actually made the instructions available. From what he's saying, security hasn't even made them available for security personnel.
__________________
Some people knew how to kill a conversation. Cura, on the other hand, could make it wish it had never been born.
#69
11-22-2019, 12:41 AM
ENugent
Charter Member
 
Join Date: Mar 1999
Location: Seattle area
Posts: 3,853
Quote:
Originally Posted by Colibri View Post
However, I had registered under my name without my middle initial, while I had obtained my NATO number using my middle initial. Although I tried repeatedly to reconcile the registrations, and called the help center, it proved utterly impossible to renew my registration. Fortunately I haven't had any new government contracts. In the event I do, I'm sure I'll be better off starting all over rather than trying to renew my former one.
I have been having the same problem when we changed our health insurance. My beloved husband didn't put any middle initials (or his own Jr.) on the form, and now it is impossible for me to log in to the new insurance site unless I nuke all of the old information first. Since a bunch of medical providers are still billing the wrong insurance, I'm not willing to do that until we have it all straightened out. It is driving me batshit.
__________________
This post is not intended to provide reliable legal advice, nor is any other post by me in this or any other thread. I am not your lawyer and you are not my client. Odds are good that I'm not even licensed in your jurisdiction. If you follow what you think is advice in this post and get screwed, don't come crying to me.
#70
11-22-2019, 08:07 AM
manson1972
Member
 
Join Date: Jan 2004
Posts: 12,586
Quote:
Originally Posted by Nava View Post
That would depend on whether security has actually made the instructions available. From what he's saying, security hasn't even made them available for security personnel.
Sorry, but the help desk is not "security personnel". And they DID have them, or else they wouldn't have been able to relate the instructions on who to call.

People blaming "security" for lack of operational policies, training, or inconsistent help desk direction is a pet peeve of mine.
#71
11-22-2019, 10:51 AM
Miller
Sith Mod
Moderator
 
Join Date: Dec 2000
Location: Bear Flag Republic
Posts: 44,635
Quote:
Originally Posted by manson1972 View Post
Yeah. There's a policy that everyone is supposed to follow but nobody knew it. How's that security's fault?
Isn't it security's job to disseminate security practices?
#72
11-22-2019, 11:01 AM
manson1972
Member
 
Join Date: Jan 2004
Posts: 12,586
Quote:
Originally Posted by Miller View Post
Isn't it security's job to disseminate security practices?
Who to call to get your username is not a "security practice".

Similarly, who to call to get your password reset is not a "security practice".

How to verify a caller is the user they say they are IS a "security practice"
#73
11-22-2019, 11:36 AM
Atamasama
Member
 
Join Date: Sep 2009
Posts: 4,754
Quote:
Originally Posted by manson1972 View Post
Who to call to get your username is not a "security practice".

Similarly, who to call to get your password reset is not a "security practice".

How to verify a caller is the user they say they are IS a "security practice"
So it’s not the job of security to determine who has permission to access sensitive information like a person’s username or who can reset a password?

Your definition of “security” is a bit fucked up.

Last edited by Atamasama; 11-22-2019 at 11:37 AM.
#74
11-22-2019, 11:46 AM
manson1972
Member
 
Join Date: Jan 2004
Posts: 12,586
Quote:
Originally Posted by Atamasama View Post
So it's not the job of security to determine who has permission to access sensitive information like a person's username or who can reset a password?

Your definition of "security" is a bit fucked up.
Depends on what you mean by "determine who has permission"

Let's say I am the CIO of a business. I determine that the help desk, and ONLY the help desk can reset passwords. I send out a memo to this effect including the number of the help desk.

Neither of those is a "security practice"

"Security" does a review of permissions and determines the exact permissions people at the help desk need in order to reset passwords. This is a "security practice". Operations changes the permissions of anyone working at the help desk so they can do their job.

Now, if you call the wrong number? Not a security issue.

The help desk person doesn't know how to change the password? Not a security issue.

The help desk person doesn't have the right permissions? Not a security issue.

If the help desk person doesn't know he/she is supposed to be resetting passwords? Not a security issue.

Does that help?