Computer security: what drives you nuts?

(Mods, feel free to move this as you think necessary.)

My work mates and I have been asked to write some short articles about computer security for the base newsletter. These would be general interest articles, not just for computer people. We need some topics, so I thought I’d ask my fellow SDMBers for help.

What do you hate about computer security? What do you want to have explained to you? What would you change if you could?

Let fly, and thanks for your input!

You mean what about corporate computer security? This article explains things best.

Passwords. Hands down.

The rules are different from system to system. The rules keep changing, as far as how many characters are required, how many different types of characters. So you come up with an algorithm so that you can remember your password, and they change the rules so your algorithm doesn’t work any more.

Then these same systems don’t treat your password securely anyway. I’ve had systems force me to use long, secure passwords, that they then openly email back to me. Great.

And you have to have an algorithm, because every system is independent, and has its own user name for you (which is another rant; remembering my user name is often as hard as remembering the password).

The thing is, it’s so ridiculous now, I’ve given up on even trying to remember my password on some systems. It’s easier to just get it reset using the security question, which makes the whole situation a joke. Because what do they use for security questions? The same things they tell you not to use for passwords, because they’re insecure. Friends names, pets names, etc. I try to at least add punctuation, but different systems allow different sets of punctuation in the answer, so I can never be sure exactly what the answer is.

Or you just write your passwords down. They say don’t do that, but all the changing rules encourage that. I try to get my browser to remember all my passwords, although I imagine that’s frowned upon also.

RealityChuck, good article! I’ll take corporate criticism! I work for a large company as a government contractor, so I see all sides. I, too, know the pain of being stuck with Internet Exploiter. (Grumble, grumble, don’t trust M$ software any further than I can throw Redmond grumble)

ZenBeam, that is just what I thought someone would say. There are reasons for the password mess, mostly inertia. It royally sucks. Alternatives don’t look much better. I think we’ll have flying cars before we have Single Sign On systems that connect to all appropriate applications, are more secure than the current password mire, and actually work. Why, yes, I am bitter.

As far as not writing down passwords, the best advice I’ve heard is to write them down and treat them like your credit cards. Don’t let your password cheat sheet off your person. It’s the sticky notes on the computer that are the problem, IMO.

Keep 'em coming!

Yes, yes, and yes.

Passwords are a failed security scheme, on multiple levels, for multiple reasons.

Most/all alternatives are impractical and expensive and not worth the cost.

As much of a pain as it is, avoid using the same login/password for everything. Yes, this sucks. But the bad things that can happen as a result are Very Bad.

Write down your passwords if you absolutely must, but keep it safe, not under your keyboard or whatever. And please, please, please don’t save them to a text file/word doc/xls spreadsheet on your computer! Not even if you password protect the document! (oh, delicious irony)

Forwarding chain letters is bad, I don’t care how much you believe in the message or the cause or the platitude of the day/week/month.

Opening emails from sources you don’t recognize is risky. Actually clicking on any links or opening any attachments in said emails amounts to network suicide. The same holds true of surfing the web. Firefox+Noscript/Adblock is your friend.

Does spam count as a security issue?

I run a small mail server and it seems like no one understands spam. Like, what a problem it is, how much it costs to fight spam, why some email is flagged as spam and some isn’t, why their IP/domain might get on a blacklist, why their email boxes fill up with spam (even if it’s the junk/spam folder filling up), blacklisting, whitelisting, unsubscribing from newsletters you really did sign up for instead of reporting them as spam.

And that just covers email spam. It doesn’t cover forum spam and captchas, or search engine spam.

Spam sucks. It’s a plague. People need to chill out about it more because however much you think your email provider’s spam solution sucks, the provider thinks it sucks 10x more.

Passwords. I have over 80 now. They’re all written down. I CAN’T use the same one for everything because some require letters only, some numbers only, and some a mix. Some must be at least 8 characters. Some are limited to 4 or 5.

Zone Alarm. I bought it, paid for it, two different versions, but unless I turned every single feature off, I couldn’t get out to the web at all. EVERY SWITCH caused the web to stop.

Norton. There are entire web forums about how to get rid of it.

WebRoot. It doesn’t matter how many times I tell it to automatically quarantine things and don’t back up my files on the web, it keeps asking.

Windows Genuine Advantage. It tries to protect me from using the only copy of Windows that has ever been on this machine I bought brand new from Dell, every time I start.

Internet Explorer. It warns me about an abnormal closure of the session last time every time I start it, even though nothing looked abnormal last time.

Ad-Aware and Spy-Bot, that let my system get infected so bad I couldn’t fix it myself.

Microsoft automatic security updates that shut my computer down what seems like weekly.

And, especially, whatever it is that makes my hard drive run constantly and makes opening a window, typing a character, or anything else, take a minute or more, for the first twenty minutes after I turn the damn machine on.

ZipperJJ, IMO spam does count as a security issue. It’s killing email. IM, text messaging and cell phones are not far behind. :frowning:

If it affects the confidentiality, integrity and availability of a system, then it’s a security issue. I’ll see spammers in hell.

I had the same problem years ago…and it has only gotten worse as security measures and rules for passwords have increased. I do the “reset by answering the security question” often rather than trying to remember my password, but I have (I think) a good way around it being something that someone who knows me could guess or a common answer thus making it insecure. I just pick an answer that I am going to use for everything whether it makes sense or not and use it for everything. For a while I used “A. Poodle”. So…“Mother’s maiden name?” Answer: A. Poodle. “First car?” Answer: A. Poodle and so on. And of course I never told anyone what the word(s) was.

Then as passwords became more and more complex I picked some random letters, numbers and symbols to use always. If it is long enough it will work (except for systems that still won’t let you use symbols), something like: pR*lV59$d&Qtb2J7, and after typing that several times it becomes committed to memory, so I only have to have it written down for a while.

But it sure is annoying that I have to do any of it at all. It seems like there should be an easier solution.

ETA:

If you have a “master password” that you use for everything (I know that is not advised) you can just vary it for systems that don’t conform. So in my example above, if I encountered a system that limited the password to 5 characters I would use: pR*lV, and if it didn’t accept symbols I could use pRlV5, and so on…that way I still only have to remember one complex password for (most) everything.
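The master-password adaptation described in the post above, as an added example that is not part of the original thread: it applies a set of constructed site policies (length caps, no symbols, digits only, chosen to match the constraints people complain about here) to the 16-character example password, shows the variant each policy leaves, how much guessing work that variant is worth on its own, and whether a plaintext copy of it (as from a site that emails passwords back) reveals the start of the master.

```python
"""Derive per-site variants of one master password under each site's rules,
and measure how much guessing resistance each variant keeps.

Added example, not code from the thread. The policies below are constructed
to match the constraints people describe in it (length caps, no symbols,
digits only); real sites' rules are whatever they happen to be."""
import math
import string

MASTER = "pR*lV59$d&Qtb2J7"  # the 16-character example given in the thread

ALL = string.ascii_letters + string.digits + string.punctuation
ALNUM = string.ascii_letters + string.digits

# Constructed policies: name -> (maximum length, allowed characters).
POLICIES = {
    "anything, 64 max": (64, ALL),
    "5 chars max": (5, ALL),
    "no symbols": (64, ALNUM),
    "5 chars, no symbols": (5, ALNUM),
    "4-digit PIN": (4, string.digits),
}


def derive(master, max_len, allowed):
    """Drop characters the site rejects, then truncate to its length cap."""
    kept = "".join(c for c in master if c in allowed)
    return kept[:max_len]


def keyspace_bits(password, allowed):
    """Work for an attacker who knows the length and alphabet but nothing else
    (an upper bound on the strength of the variant)."""
    return len(password) * math.log2(len(allowed))


def leaks_prefix(master, variant):
    """True if a plaintext copy of this variant (say, from a site that emails
    it back) reveals the start of the master password."""
    return len(variant) > 0 and master.startswith(variant)


def report(master=MASTER, policies=POLICIES):
    """One row per policy: (name, derived password, bits, leaks master prefix)."""
    rows = []
    for name, (max_len, allowed) in policies.items():
        pw = derive(master, max_len, allowed)
        rows.append((name, pw, round(keyspace_bits(pw, allowed), 1), leaks_prefix(master, pw)))
    return rows


if __name__ == "__main__":
    for name, pw, bits, leak in report():
        print(f"{name:22} {pw:18} {bits:6.1f} bits  prefix of master: {leak}")
```

The five-character variants come out exactly as the post describes ("pR*lV" and "pRlV5"), at roughly 33 and 30 bits against the roughly 105 bits of the full master; the symbol-allowing one is a literal prefix of the master, so a site that stores or mails it in the clear hands an attacker the first five characters of every other account's password.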

Do captchas count as security? Because I hate most of them with a passion, especially the ones that end up looking like squiggly lines that I defy anyone to make sense of. I was very pleased with the new trend I saw forming that used a simple question instead. “To prove you are human answer the following question: 2+2= ” Such an improvement from a user standpoint.

Ugh. Passwords.

I don’t know if this is a security issue or not, but it definitely plays into the password-overload thing:

The one that’s been getting me lately is how you have to register for an “account” for so many websites. It’s out of hand.

Example: I have a Brother P-touch label maker at work. The print was coming out streaky. I looked on the site FAQs, but couldn’t find an answer. So I went to send them an email, but I had to set up an account with all my info and a password before I could do it. I know that they want to get as much info as they can for their own purposes, but it’s ridiculous, and it just makes me more careless with passwords. And exposes my password to more people. (I do have multiple ones, but it’s not an infinite set) Anyway, they sent me a pre-fab response with the fix for the problem. Which was fine. But why did I have to give them all my information for that?

Another thing that’s just plain annoying is the McAfee thing at work that makes a bubble pop up in the upper left corner of the screen to tell me that a site is okay. I don’t want to know if a site is okay. I want to know if it’s NOT okay. And it is a pop-over, so I have to mouse over to it to close it, and of course, whatever I was trying to do on the screen gets lost. One notable day, it popped up about every three minutes to reassure me that the site I was using was okay. It was Staples.com. :rolleyes: Yeah. I’m not really too worried about that one.

Besides passwords, let’s talk anti-virus (AV) pet peeves!

a) At least for the layman user on a residential PC, I often cannot tell what my PC is doing when my anti-virus provider takes control of my PC via automatic updates and pushdowns. And, once done, it is unclear why my PC is still not fully protected (when checking the status of my PC) - even after an AV update!

b) Mandatory reboots will invariably come at the worst time! Even my work PC tries to give warnings about a pending reboot, but there are bugs in these messages from some automated scheduler. For example, the reboot message says the PC will reboot automatically in 3 hrs, so do I want to reboot now or in 2 hrs? Wait a minute! What’s wrong with this picture? What happened to the 3hr option?

c) Failure for IT folks to communicate in terms a layman can understand. Big need for IT folks to bring it down a few notches.

d) Customer relations between an anti-virus (AV) provider and the end-user paying the bill. This relates back to items stated above, but beyond this, it is very difficult to reach someone at my AV provider who can help me.

This should give you a good start. If I think of more (and I know there is), I will post again.

This happens when you don’t run all the protection an anti virus program can have.

For example, I use AVG but I found if I use “link protector” and “email scanner” it slows my computer to a crawl. And this makes sense. I mean after all when link protector is turned on, AVG is actually checking all the links on every webpage before it’ll allow me to see that page.

Now I don’t see that as necessary, so I turned off the “link scanner.” Now my computer runs great, but I get the message, “Your computer is not fully protected.” This is true, but it’s protected enough :slight_smile:

Absolutely. I used to be the system admin/analyst for a huge hotel, and a large portion of my job consisted of translating between the MIS director and the regular department heads.

This is common to most programs. Ever try to call Dell Support? Good grief :smiley:

Ditch your anti-virus and use AVG or Avast Free versions

As a systems person, my biggest pet peeve was passwords and giving people rights.

Computer designers never adapt rights usage to real world events. Like at the hotel you could only void a post if you were a manager. But there were lots of times when there were no managers, only supervisors, or not even that. At the hotel Christmas and Thanksgiving were so slow only clerks worked. They had no way to void a post. So they’d get creative and the next day the controller would be yelling, “Mark help, what did they do down there.”

Lastly, the ability for systems to talk with one another. We used three systems in our hotel: Micros, Delphi and SAP (Front Desk, Sales, and Accounting). A huge portion of my job was to make sure the systems balanced.

The reason for that was that vendors would try to sell you the whole system when you only need one part of it.

I do this, but the answer I came up with had punctuation. After using it a few times, I started running into systems that wouldn’t accept punctuation, or would only allow some but not others.

On our systems, passwords need to be changed every 90 or 180 days, so either you need a new one each time, or only change some part of it. If you do the latter, they get out of sync. Also, at least one system I’m on has some kind of check that you changed enough of your password, so no changing just one or two characters.

My husband’s military accounts were like this. And he is a Luddite who could never remember them at all. He started just going kitty-corner down the rows of keys (starting at 1) and using the symbol on that key as well…that way he could count the months too to remember what it was. The first would be: 1qazZAQ1! (down then up with a shift) and if he had changed it 3 times that year it would be 4rfvVFR$. The military system wouldn’t let him use the same password twice in a row I don’t think, but would let him repeat it after some amount of time had passed, so when he got to 9 which is the last row that method worked on (he had to have letters and numbers as well as symbols) he could start over again at 1.

Pain in the tuckus no matter how you try to get around it, huh? And as I believe it was you who mentioned before, all the fancy maneuvering to conform to the rules and be able to remember what you have done only serves to make it more insecure. We should go back to letting everyone use “letmein” or “password” as the passwords for everything because now anyone trying to guess one is going to be trying 22 characters of gibberish and not even considering the obvious. :wink:

Inadvertently I hit on the perfect solution for this.

Say I needed to register for an account with Brother to figure out why their product doesn’t work. I would make “HateBrother” the password.

Now I have so many “HateCompany” passwords I don’t even record them (they don’t count toward my 80).

Passwords - like everyone else. Ultra-strong password systems are so damn difficult to use that they defeat themselves by provoking the users to write them down.

Disk usage in Windows - I can see what application is using how much CPU and memory, but it’s hard to identify something that is thrashing my hard drive.

Viruses, scams, spam and to a lesser extent, dishonest manipulation of search engines. I wish there was a way to visit instant karma on the people that create these things.

Online stores that require me to register before they will reveal their shipping charges. I just click away now.

RealityChuck, that’s a great article. Quoting for truth:

I think this goes to the heart of it. IT security is clearly important, but IT departments rarely seem concerned with (or, sometimes, even aware of) the negative repercussions of their work.

Of course the same sometimes goes for other departments, like the accounting office at my most recent job, which suddenly decided that all salaried workers must start keeping track of exactly how long we spent doing what every day, because otherwise they couldn’t … well, they couldn’t do something terribly important, which they never explained, not even to department vice-presidents, who complained along with the rest of us. To do this track-keeping, we all had to learn to use a terrifically outdated and user-unfriendly little program and memorize all kinds of codes and keystrokes. Its built-in categories of work didn’t match our actual tasks and were full of arbitrary exceptions, but we had to assign every quarter-hour of every day to one of them anyway.

Upper management burned through dumpsters full of goodwill on that one, and they probably didn’t even know it was happening. Come to think of it, this was IT’s fault too, since they allowed the accountants to foist that horrible program on us.

Come up with a solid root password or two like “1q2w3e” based on a keyboard pattern, so there is no link to personal data for guessing.

Then add a prefix or suffix of the first 3 letters of the site or application.

By this pattern a hotmail account password would be “1q2w3ehot” or “hot1q2w3e”.

The root password is unguessable, and the need for password rotation could be covered by flipping prefixes or suffixes or alternating between one or two roots.

This is not a bad idea, but may suffer from limited portability - if you have to log in from a different machine with a different keyboard layout (azerty or dvorak, or say, a Blackberry or on-screen virtual keyboard, or some of those weird ergonomic split keyboards), it might be a problem.
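The keyboard-pattern schemes in the last few posts (the diagonal 1qaz…/4rfv… rotation and the “1q2w3e” root with a site prefix or suffix) and the keyboard-layout caveat just raised, as an added example that is not code from the thread: a small keyboard-walk detector of the kind password-strength checkers use to flag runs of physically adjacent keys. The QWERTY and AZERTY layouts are simplified models built for this example (digits, letters and common punctuation, with half-key row offsets so that 1 touches q, q touches a, and a touches z); the adjacency rule and the minimum run length of four are likewise choices of the example.

```python
"""Keyboard-walk detection for passwords built from key patterns.

Added example, not code from the thread. The layouts are simplified models of
a US QWERTY and a French AZERTY keyboard; positions are in key widths, with
each letter row shifted half a key right of the row above it, as on a real
keyboard, so '1' touches 'q', 'q' touches 'a' and 'a' touches 'z'."""

# Rows as (x coordinate of the row's first key, keys left to right).
QWERTY_ROWS = [
    (0.0, "`1234567890-="),
    (1.5, "qwertyuiop[]\\"),
    (2.0, "asdfghjkl;'"),
    (2.5, "zxcvbnm,./"),
]
# Shifted QWERTY symbols map back to the physical key that produces them.
QWERTY_SHIFT = str.maketrans('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./")
QWERTY = (QWERTY_ROWS, QWERTY_SHIFT)

# AZERTY: digits sit on the same physical keys (as the shifted values there),
# but the letters move. Punctuation is left out of this model for brevity.
AZERTY_ROWS = [
    (1.0, "1234567890"),
    (1.5, "azertyuiop"),
    (2.0, "qsdfghjklm"),
    (2.5, "wxcvbn"),
]
AZERTY = (AZERTY_ROWS, str.maketrans("", ""))


def key_positions(rows):
    """Map each key character to its (row, x) coordinate."""
    return {ch: (r, off + i)
            for r, (off, keys) in enumerate(rows)
            for i, ch in enumerate(keys)}


def adjacent(a, b):
    """Two keys touch if they are neighbours in the same row (or the same key
    repeated), or diagonal neighbours in adjacent rows, half a key apart."""
    (ra, xa), (rb, xb) = a, b
    dr, dx = abs(ra - rb), abs(xa - xb)
    return (dr == 0 and dx <= 1.0) or (dr == 1 and dx <= 0.5)


def longest_walk(password, layout):
    """Length of the longest run of consecutive characters typed on touching
    keys. Case and shift are ignored: 'Z'/'z' and '!'/'1' are the same key.
    Characters the layout model does not know about break a run."""
    rows, shift = layout
    pos = key_positions(rows)
    keys = [pos.get(c) for c in password.lower().translate(shift)]
    best = run = 1 if keys else 0
    for prev, cur in zip(keys, keys[1:]):
        run = run + 1 if prev is not None and cur is not None and adjacent(prev, cur) else 1
        best = max(best, run)
    return best


def is_keyboard_walk(password, layout=QWERTY, min_run=4):
    """Flag a password if any run of min_run or more keys forms a walk."""
    return longest_walk(password, layout) >= min_run


def site_password(root, site):
    """The suffix scheme from the thread: root pattern plus the site's first three letters."""
    return root + site[:3]


if __name__ == "__main__":
    samples = ("1q2w3e", site_password("1q2w3e", "hotmail"), "1qazZAQ1!",
               "4rfvVFR$", "pR*lV59$d&Qtb2J7")
    for pw in samples:
        print(f"{pw:18} QWERTY walk={longest_walk(pw, QWERTY)}"
              f"  AZERTY walk={longest_walk(pw, AZERTY)}"
              f"  flagged={is_keyboard_walk(pw)}")
```

On the QWERTY model every character of “1qazZAQ1!” and “4rfvVFR$” lies on a touching key (walks of 9 and 8), “1q2w3e” is a walk of 6 and stays one inside “1q2w3ehot”, while the random 16-character password from earlier in the thread never has two adjacent keys in a row. The same “1q2w3e” is only a walk of 2 on the AZERTY model, which is the layout problem the last post points at from the other direction: a pattern that lives in the fingers is tied to one physical layout, and a string that is one layout's walk is just an arbitrary string on another.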