Schneier On Un-Authentication

Trailrunner7 writes "Bruce Schneier writes on Threatpost.com: 'In computer security, a lot of effort is spent on the authentication problem. Whether it is passwords, secure tokens, secret questions, image mnemonics, or something else, engineers are continually coming up with more complicated — and hopefully more secure — ways for you to prove you are who you say you are over the Internet. This is important stuff, as anyone with an online bank account or remote corporate network knows. But a lot less thought and work have gone into the other end of the problem: how do you tell the system on the other end of the line that you are no longer there? How do you un-authenticate yourself? My home computer requires me to log out or turn my computer off when I want to un-authenticate. This works for me because I know enough to do it, but lots of people just leave their computer on and running when they walk away. As a result, many office computers are left logged in when people go to lunch, or when they go home for the night. This, obviously, is a security vulnerability.'"
  • by Opportunist ( 166417 ) on Monday September 28, 2009 @11:58AM (#29566785)

    This is brilliant!

    Or it would be if I, as the sysadmin, couldn't easily send email in anyone's name...

  • by DevStar ( 943486 ) on Monday September 28, 2009 @12:06PM (#29566909)
    We used to do the same thing at my job, until someone quoted the employee guide to point out that using someone else's computer without permission was against company policy and potentially a firing offense. That ended that.
  • by jbezorg ( 1263978 ) on Monday September 28, 2009 @12:07PM (#29566925)

    Designing systems for usability is hard, especially when security is involved.

    Meh.. I was hoping for some deeper insights than that.

  • by MyLongNickName ( 822545 ) on Monday September 28, 2009 @12:09PM (#29566971) Journal

    So, you are a thief?

  • by clone53421 ( 1310749 ) on Monday September 28, 2009 @12:16PM (#29567071) Journal

    All that means is I have to watch for you leaving and get there before the screen saver kicks in.

  • by bleh-of-the-huns ( 17740 ) on Monday September 28, 2009 @12:22PM (#29567195)

    While yes, there are technical measures that you can put in place to automatically lock screens and accounts and such after a predetermined time period, the best solution is a policy, and actual enforcement of that policy. Therein lies the problem in many organizations: enforcement is not being done consistently.

    With technical controls, there is always that time frame. For example, idle accounts: usually 30 days from last login and then automatically lock the account. Well, a malicious user has 30 days in which to attempt access to that account. Same goes for screen locks: 15 min is a common default. Well, you walk away and I have 15 min to make my way over and have fun with the account. You can reduce the amount of time, but that has other issues: users get annoyed at the screen locking while they are on the phone, or whatever, while they are at their desk, which results in crappy passwords.

    With a policy, and enforcement behind it, accounts can be removed, users will lock their screens (hopefully) within a timely manner.

  • by MyLongNickName ( 822545 ) on Monday September 28, 2009 @12:26PM (#29567257) Journal

    I am more referring to the email part, not the lock part. Locking is fine. The automated email doesn't.

    And for god's sake, this is not AOL. Please don't type like you are.

  • by Anonymous Coward on Monday September 28, 2009 @12:26PM (#29567275)

    There's one of those at my local Kroger store, a Regions, I think. They've got the exact same setup.

    I asked about it once, they said they weren't worried: If the grocery employees didn't notice or care, walking behind the counter would trigger the alarm, plus that XP machine just had regular internet access anyway: Bankers logged into a https site to enter loan applications. I could imagine getting in and out quickly enough to install a keylogger maybe, but that's it.

    I suppose if you want to go to jail for browsing myspace though, that's your prerogative.

  • by spydabyte ( 1032538 ) on Monday September 28, 2009 @12:27PM (#29567291)
    You're the first person to address the real issue he's talking about and not the simple example of leaving a computer unlocked.

    Think of a remote connection to Remote Desktop for Windows. When does the server know when to sever the connection? Is it after some time delay of minimal activity? If it's left authenticated for time X, and the ability for the traffic to be hijacked is Y, are X and Y proportional?

    It's not as simple as I walk away from a physical machine anymore. My favorite is when an application doesn't close when you press the X in Windows (upper right) or OS X (upper left). Its connections are still left open, leaving authentication on opening the application worthless.
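    The problem bleh-of-the-huns and spydabyte raise above, that the server only has timers to infer the user has gone, in code: a server-side session table with an idle timeout, an absolute lifetime and an explicit logout. This is an added example, not part of the original post or any commenter's code; the 15-minute idle window is the thread's figure, while the 8-hour absolute lifetime, the class names and FakeClock are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed example, not the article's or any commenter's code.

@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    revoked: bool = False

class FakeClock:
    def __init__(self):  # controllable clock, so expiry can be tested without sleeping
        self.now = 0.0
    def __call__(self):
        return self.now
    def advance(self, seconds):
        self.now += seconds

class SessionStore:
    """Server-side session table that un-authenticates on its own."""
    # 15-minute idle lock is the thread's figure; the 8-hour absolute cap is an assumption.
    def __init__(self, idle=15 * 60, absolute=8 * 60 * 60, clock=time.monotonic):
        self.idle, self.absolute, self.clock = idle, absolute, clock
        self._sessions = {}
    def login(self, user):
        now = self.clock()
        token = secrets.token_urlsafe(32)
        self._sessions[token] = Session(user, now, now)
        return token
    def logout(self, token):
        """Explicit un-authentication: dead on the next request, no timer involved."""
        if token in self._sessions:
            self._sessions[token].revoked = True
    def touch(self, token):
        """Validate on every request; return the user, or None once the session is dead."""
        s = self._sessions.get(token)
        if s is None:
            return None
        now = self.clock()
        if (s.revoked
                or now - s.last_seen > self.idle       # the user walked away
                or now - s.created > self.absolute):   # hard cap even for a busy user
            del self._sessions[token]  # purge so the token cannot be revived later
            return None
        s.last_seen = now
        return s.user
```

    The closed-window case spydabyte describes is exactly what the idle timer covers: the client never says goodbye, so the server must decide for itself, and the attacker's window is whatever idle value is configured.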
  • by MyLongNickName ( 822545 ) on Monday September 28, 2009 @12:35PM (#29567417) Journal

    No, moron, you are basically having a charge appear on someone else's account for services you got.

    And the services are not purely electronic. You got a service that really cost someone else money.

    And on top of that, you assume I download music/other files illegally. I don't.

    So, not only are you a thief, but you are not very bright. And you jump to conclusions that are not supported by the facts.

  • by Velorium ( 1068080 ) on Monday September 28, 2009 @12:35PM (#29567423)
    Well see here, you actually created a charge for somebody else to pay. The first thing of know-how to piracy is that stealing is removing an item (what you did). Piracy is making a copy of an item (downloading). If you're trying to justify actually stealing something, do so in a way that's at least somewhat logical.
  • by cbiltcliffe ( 186293 ) on Monday September 28, 2009 @12:38PM (#29567487) Homepage Journal

    How is using physical paper and toner paid for by someone else with their money the same as downloading a digital version of a movie that you already have the VHS for, but it got chewed up when your VCR died?

    There's a very good reason why the laws of virtually every country in the world DO NOT consider downloading data to be theft.

    Because it's not.

    It's copyright infringement.

    I'm not saying it's right, or justified, or anything to do with the moral right or wrong of it. If you come out with a comment about how I'm a scofflaw just because I don't think it's stealing, you've just shown your own immaturity, and complete lack of awareness of the situation, as well as sheer arrogance in putting words in my mouth.

    The simple legal fact is, the two are not connected in any way, regardless of entertainment industry propaganda.

  • Re:Paper? (Score:3, Insightful)

    by MyLongNickName ( 822545 ) on Monday September 28, 2009 @12:44PM (#29567575) Journal

    Hardcopy Playboy. It gets around the web monitoring software.

  • by MyLongNickName ( 822545 ) on Monday September 28, 2009 @12:49PM (#29567657) Journal

    Hi Commodore,

    You again make assumptions about my behavior. I can quite honestly tell you I have not done any of the above except ad blocking, which is neither illegal nor amoral.

    You again fail to see the very obvious. You charged your services to someone else's account. This isn't complicated.

    As far as my "sinning", yes I have done things I wish I hadn't. However, you come here bragging about what you have done, and then continue to justify your actions using absolutely moronic logic. If you want to follow your "sin" analogy, then you have not "repented". While you are unrepentant, you are to be treated as though you are an outsider, shunned and ignored.

    The bottom line is that you stole from the people you did this to.

  • by Stormwatch ( 703920 ) on Monday September 28, 2009 @12:50PM (#29567665) Homepage

    My favorite is when an application doesn't close when you press the X in Windows (upper right) or OS X (upper left).

    On a Mac, that closes the window, but the application is still running.

  • by fuzzyfuzzyfungus ( 1223518 ) on Monday September 28, 2009 @12:58PM (#29567817) Journal
    Trouble is, anywhere except a building full of guys with guns, you would also have encountered an ingenious arrangement of paper clips and/or packing tape holding the door sensor permanently in the closed position...
  • by Anpheus ( 908711 ) on Monday September 28, 2009 @01:06PM (#29567907)

    Why? They work great as the "meta" key in Linux, at least for the US keyboard layout I end up getting.

  • by adrianwn ( 1262452 ) on Monday September 28, 2009 @01:08PM (#29567949)

    Yeah, that'll teach the establishment a lesson, you little rebel!
    Fuck the system, man!

    Oh, and I nearly forgot: "Arise, chicken! Chicken, arise!"
    (for the uninitiated: ATHF [wikipedia.org])

  • by mcgrew ( 92797 ) * on Monday September 28, 2009 @01:29PM (#29568279) Homepage Journal

    Then the screaming started. Folks would walk away from their computers and come back to a locked screen... But they wouldn't know how to log in. They didn't know what username and password to put in there because it looked ever so slightly different from what they saw when they first showed up in the morning.

    You have to have the cooperation of the people at the top of the organization, who would send a memo to everyone saying that for security reasons, this is what you WILL do, and failure will result in disciplinary action. If you're a hospital or something you would be insane not to. It worked where I work.

    Or someone would walk away for an hour or two without logging off, and someone else would have to use their computer while they were gone.

    You need more computers then. Everyone here has one on their desk; I thought that was pretty much the norm at any company.

    Or someone would want to quickly glance at some information, but the computer would be locked and they'd either have to unlock it themselves or find someone else to unlock it.

    It only takes a few seconds to log back in. And once it's explained to them how to do it, they shouldn't have to ask again.

    If I were in your position I'd be looking for a job somewhere that's likely to still be in business in five years, because it sounds to me like you are surrounded by idiots from the CEO on down. I'd hate to have a job like that, and if they're as stupid as you make them out to be, I don't know how they're going to stay solvent.

    Of course, in a lot of instances you don't really need security; if it's a small shop with a dozen people working there, everyone with a key to the building whose doors stay locked, the physical security should suffice. I have my home PC set up so I don't have to enter a PW at all unless I need to do something as root.

  • by MyLongNickName ( 822545 ) on Monday September 28, 2009 @01:29PM (#29568283) Journal

    So, you view this as immoral behavior, yet you admit (in other threads) to still doing this as well. Wow.

  • Re:Dictionary (Score:3, Insightful)

    by coolsnowmen ( 695297 ) on Monday September 28, 2009 @01:36PM (#29568433)

    I disagree. Google is a search engine and doesn't always know which is the best answer (or even the right one).

    A Merriam-Webster dictionary or OED is considered a primary source for standard word definition (or existence). In the academic and engineering world we care about where the 'facts' come from. So sources do matter.

    If you know where to look in a trusted and accurate source, you should always go there before a search engine. Yesterday, I needed to know the syntax for strncpy. So I typed man strncpy; I didn't go to Google.

  • by Ephemeriis ( 315124 ) on Monday September 28, 2009 @01:38PM (#29568461)

    No. What I did was no more stealing than when you (and lots of other people) download movies, songs, or tv shows. It's not real property - it's just internet data.

    Think about it. If I'm right, it's not stealing. If you're right, then it is stealing and so too is downloading/bittorrenting and you too are a thief. (ponder) Ooops.

    When I download a song (which I will readily admit to doing) I use my own disk space and bandwidth, which I paid for, to make duplicates of bits stored on another server. While I may very well be failing to pay for the song (actually, I usually do pay for it) I am not actually taking anything away from anyone. The act of making my own copy of those bits does not remove those bits from the original owner's possession. That's why it's called copyright infringement and not theft.

    You, on the other hand, made printouts. Those printouts used paper and toner. That paper and toner was removed from the printer by your hands. You took those printouts with you. You physically removed those printouts from the original owner's possession.

    You, making those printouts and not paying for them, is the same as me walking out of Staples with a box of printer paper that I didn't pay for. It is theft.

    The fact that you used another student's login to hide your actions does not make it any better.

    The fact that other human beings on this planet have "sinned" does not make it any better.

  • by Anonymous Coward on Monday September 28, 2009 @03:44PM (#29570841)

    That's also stealing, and if you're willing to pursue it you can probably be compensated. As everyone else has been trying to tell you, just because other people or organizations do things that are illegal or immoral, that does not make your illegal *and* immoral activity any more justifiable.

    Also, just because you don't listen and keep replying with the same shit doesn't mean that any of the people on the internet reading this will agree with you (and your posts will probably keep being modded down).

  • by Seedy2 ( 126078 ) on Monday September 28, 2009 @03:46PM (#29570881)

    But surely you can just sit down at a locked computer, then look at the sticky note and log in anyway.
