Ofcom Do Security

ken k.brown at bbk.ac.uk
Fri Aug 6 15:34:26 BST 2010

> On Fri, Aug 06, 2010 at 08:23:13AM +0100, Francis Davey wrote:
> He was given my team to manage and managed to do considerable
> damage in his short career.

We had one of those last year.

> One day he breezed in and said "right, we are going
> to have a password system that resets everyone's password
> on the first of each month and that will store all
> previous passwords and prevent you from re-using
> any". He absolutely could not see any problem with this.

We got handed one of those systems that lets you change your
forgotten password if you can answer certain questions. The
questions the manager wanted to use included date and place of
birth, school attended and so on, EVERY SINGLE ONE OF WHICH
could be answered with information on the student database,
available to almost all staff (we are a university) and easily
guessable to anyone who knew the user personally. Or was
reasonably skilled at using Google. And he didn't see the
privacy problem with this.

> Even this didn't persuade him at first. Initially he tried a
> "and that's an order" (he literally used those words -
> amazing)

Our bloke tried that too (though not on me as he managed a
different team). When it didn't work to his satisfaction he took
to making changes himself and not telling anybody. He also
ordered his staff not to talk to other groups in the department
and not to attend any meeting he hadn't been invited to himself.

> Worse, we had a mixture of machines using NT style
> windows passwords and linux/solaris boxes. At the
> time there was no straightforward way of managing
> passwords for both sets of systems

Same. Except we did have a home-grown system for distributing
encrypted passwords, and we could also use new features of
Windows AD to do it by LDAP (this was only last year!). But
instead we got lumbered with a method that not only briefly stored
the new password in a database but also showed it in clear on the
server console logs. Again, this manager (and some of his
colleagues) simply didn't see why this might be a bad idea.

On 06/08/2010 11:28, Jon Ribbens wrote:

> Well this matches my suspicion, contrary to what Ian assumes above,
> that most of the time that such stupid anti-security policies exist
> they have come from management and not from the "geeks".

More than "most". Damn near 100% I think.
