| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu Jun 9 09:33:05 2005 From: chromazine at sbcglobal.net (Steve Kudlak) Subject: Off topic rant to my friends I dunno if this is any worse than the many, many replies one sees to some hot topic about Microsoft and stuff like that.. Overall everytime I went to a security conference users got insulted. They were stupid, they fell for things, hook line and sinker etc. etc. etc. Of course sometimes the "professionals" never mentioned that the poor users are bombarded by a bunch of directives that are not explained and are hard to follow and seem like another stupid directive handed down from on-high that ask them to do something difficult without explaining how, for example how to pick passwords that are not in the dictionary. The take a phrase and take the first letter technique is something that does not intuitively spring to mind to everyone. It took a lecture to explain that "F*CK SUSAN and BOB" were not good passwords. N.B. I have been around for awhile and on the old TOPS-20 Systems passwords were not intially encrypted. So it was easy to find actual passwords and tell people not to use those. Now things are encrypted and all that but still a weakpassword doesn't work and other small things that people could do to be just reasonably careful they don't. Dunno how much verbage to waste on random issues. Have Fun, Sends Steve I read the article and it was interesting. I don't quite know how much of it to believe. It is clear some people are up to something questionable. Whether it fits the model the authors have of well coordinated effort to deliver services to organized crime maybe a bit much on the conspiracy side for me tyo swallow. Security experts often miss that they use FUD without knowing it. But it is still to be careful because there are people who don't realise one's machine might be for something important and not just a plaything for others to mess with and ruin if they had a bad day or wanted to play weird "process war games". Have Fun, Sends Steve J.A. Terranson wrote: >You don't have a blogspot account you could have posted this to? > > >On Sun, 5 Jun 2005, Randall M wrote: > > > >>Date: Sun, 5 Jun 2005 10:32:20 -0500 >>From: Randall M <randallm@...mail.com> >>To: full-disclosure@...ts.grok.org.uk >>Subject: [Full-disclosure] Off topic rant to my friends >> >>Sorry to rant to this list. This list though has the only people on it who >>totally understand this ranting. >> >>Every morning before heading for work I read all my security alert emails >>and website collections about possible Trojans, worms and viruses found. >>Being a faithful worker I do this on the Weekends too. >> >>Once at work I check my web appliances, gateway, Exchange boxes and data >>servers for dat updates and check log files. I spend the first two-three >>hours of my work day doing this every day. >> >>Why do I do this? I do it to protect my company's investment. To ensure that >>the employee's have a job that day. To make sure that customers will have on >>time delivery and so new customers can make orders, etc., etc. >> >>Today I read this article: >>http://www.eweek.com/article2/0,1759,1823633,00.asp?kc=EWRSS03129TX1K0000614 >> >>For some reason, maybe the coffee, I sat there thinking what the hell am I >>doing all this for? Am I being paid by my company to set up and protect only >>for some future use as a botnet for some organized crime boss!! >> >>I continually spend time, money and research on ways to protect. All of my >>mechanisms I use are actually as helpless as I am!! It's the blind leading >>the blind!! >> >>Then, like a message from God, a memory of a phone call from one of our >>users came to me: >> >>"Hey, I received this email about my account being suspended for security >>reasons, I immediately deleted it but just wanted to let you know". >> >>My small employee awareness program was slowly paying off. A year ago that >>same phone call would have been the "I think I did something bad" type. I >>now realize that my investments and my time have been spent MORE in the >>wrong place. I'm turning that around and heading back to the user. They are >>MY PROACTIVE, PREEMPTIVE protection!! I am no longer depending on the >>Anti-Virus dats or the front-end Appliances or the Gateways because a simple >>"Click" by the user makes them all useless. And it looks as though I can't >>depend on them to keep that "click" opportunity from the user. >> >>Praise be to God for the User! They are powerful! They are trainable! They >>are my BEST defense! >> >>There. I fell better now. >> >> >>thank you >>Randall M >> >> >> >>_______________________________________________ >>Full-Disclosure - We believe in it. >>Charter: http://lists.grok.org.uk/full-disclosure-charter.html >>Hosted and sponsored by Secunia - http://secunia.com/ >> >> >> > > > -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050609/df0ab90c/attachment.html
Powered by blists - more mailing lists