Ofcom Do Security
k.brown at bbk.ac.uk
Fri Aug 6 15:34:26 BST 2010
> On Fri, Aug 06, 2010 at 08:23:13AM +0100, Francis Davey wrote:
> He was given my team to manage and managed to do considerable
> damage in his short career.
We had one of those last year.
> One day he breezed in and said "right, we are going
> to have a password system that resets everyone's password
> on the first of each month and that will store all
> previous passwords and prevent you from re-using
> any". He absolutely could not see any problem with this.
We got handed one of those systems that lets you change your
forgotten password if you can answer certain questions. The
questions the manager wanted to use included date and place of
birth, school attended and so on, EVERY SINGLE ONE OF WHICH
could be answered with information on the student database,
available to almost all staff (we are a university) and easily
guessable by anyone who knew the user personally. Or was
reasonably skilled at using Google. And he didn't see the
privacy problem with this.
> Even this didn't persuade him at first. Initially he tried a
> "and that's an order" (he literally used those words -
Our bloke tried that too (though not on me, as he managed a
different team). When it didn't work to his satisfaction he took
to making changes himself and not telling anybody. He also
ordered his staff not to talk to other groups in the department
and not to attend any meeting he hadn't been invited to himself.
> Worse, we had a mixture of machines using NT style
> windows passwords and linux/solaris boxes. At the
> time there was no straightforward way of managing
> passwords for both sets of systems
Same. Except we did have a home-grown system for distributing
encrypted passwords, and we could also use new features of
Windows AD to do it by LDAP (this was only last year!), but
instead got lumbered with a method that not only briefly stored
the new password in a database but also showed it in clear on the
server console logs. Again, this manager (and some of his
colleagues) simply didn't see why this might be a bad idea.
On 06/08/2010 11:28, Jon Ribbens wrote:
> Well this matches my suspicion, contrary to what Ian assumes above,
> that most of the time that such stupid anti-security policies exist
> they have come from management and not from the "geeks".
More than "most". Damn near 100% I think.