RE: [fw-wiz] Stanford break in
From: Chuck Vose (vosechu_at_roman-fleuve.com)
To: email@example.com Date: Thu, 22 Apr 2004 15:15:23 -0700
This would make a fine new thread, one that I would enjoy theorizing
about. Hint hint, nudge nudge. What are mailing lists for but to think
about common problems in new lights with new members trailing in and
out, bringing new experiences and new ideas.
On Thu, 2004-04-22 at 14:51, R. DuFresne wrote:
> Aside from frisking every user that walks into and out of the nortel
> campuses <honeywell used to do this at the corp HQ in MN, and they lost
> a lot of proprietary info anyways>, what would you suggest that would
> mitigate the issues that non-perm contractors and disgruntled
> soon-to-be-non-employees and those just stealing corp resources outright
> to fund their private enterprises might work in this setting?
> Experience has taught me that unless one can keep someone out of something
> they should not have a finger or eyeball into, asking, telling, demanding
> they not look/peek/grab etc. is useless at best, and like telling a child
> not to stick beans up their nose and then making sure the Dr.'s emergency
> number is posted on the fridge and each bathroom mirror in the home as well
> as on each phone.
> I'm not saying strengthening passwords is totally a waste of time, as long
> as the encrypted hashes are not in plain sight, and with systems that lack
> a shadow password system, and when TCB is a burden best avoided, then
> strong passwords and all the efforts and time invested in trying to keep
> them so might be an effort of some waste.
> Of course, like most HUGE corporations, nortel was and is a beast unto
> itself, and often in such settings fingers on the same hand have problems
> knowing what the other fingers are doing let alone trying to track the
> other hand.
> Ron DuFresne
> On Thu, 22 Apr 2004, Laura Taylor wrote:
> > You need some user behavior/rules of engagement policies to deal with users
> > bringing home password files and cracking them. And they should be enforced.
> > Laura
> > -----Original Message-----
> > From: firstname.lastname@example.org
> > [mailto:email@example.com]On Behalf Of R.
> > DuFresne
> > Sent: Thursday, April 22, 2004 1:11 PM
> > To: Carric Dooley
> > Cc: Chuck Vose; firstname.lastname@example.org
> > Subject: Re: [fw-wiz] Stanford break in
> > >
> > > Network synced passwords are the only way to manage a large number of
> > > users. If you have 10 workstations and 1 server, it might be fine to have
> > > no network directory, but with 300,000 users, I would say it's impossible.
> > > I would consider: LDAP, NDS, AD, SecureID, RADIUS, TACACS. (notice the
> > > conspicuous absence of NIS, and I wanted to leave out AD, but it seems to
> > > be unavoidable these days.)
> > >
> > HP made this useless, unless they have finally enabled a shadow setup in
> > new versions of the OS. We played the single sign-on game at nortel, and
> > played with password cracking and all that, but, since 80% of the servers
> > were HPs and they lacked any separation of passwords from the required
> > /etc/passwd file, users wanting to up their privs on a system just took
> > copies of the /etc/passwd file home and cracked to the point they felt
> > they needed. And our CISSPs spent a lot of time putting together all
> > these metrics on strong passwords and how effective they were making
> > security of the network, without facing the reality of the 80% exposure
> > faced. HP folks a few years ago hinted that HP was going to change their
> > OS to include shadow password implementations, but, I've long since moved
> > on and these days don't have to play on much but Sun and AIX systems, so
> > I do not know if they have something beside the horrid TCB that would
> > break most internal apps for companies and require a lot of retrofitting.
> > Thanks,
> > Ron DuFresne
> > --
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > admin & senior security consultant: sysinfo.com
> > http://sysinfo.com
> > "Cutting the space budget really restores my faith in humanity. It
> > eliminates dreams, goals, and ideals and lets us get straight to the
> > business of hate, debauchery, and self-annihilation."
> > -- Johnny Hart
> > testing, only testing, and damn good at it too!
> > _______________________________________________
> > firewall-wizards mailing list
> > email@example.com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
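As an added example for this thread (not code posted by any list member), here is a small audit script for the exposure Ron describes: on a system without a shadow password file, field 2 of /etc/passwd carries the crypt() hash itself, so any local user can copy the file and crack it offline. The script flags such entries, labels the hash format, and computes what fraction of accounts is exposed, which is the number the "strong password" metrics in the thread never accounted for. The passwd lines and hash strings are constructed for illustration and are not real credentials; the placeholder set and the format labels are assumptions covering common Unix conventions.

```python
#!/usr/bin/env python3
"""Flag password hashes stored in a world-readable /etc/passwd.

Added example, not code from the thread. Without a shadow file (the HP-UX
situation described above), field 2 of /etc/passwd holds the hash itself,
so anyone with read access can take the file home and crack it offline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Field-2 values meaning "hash lives elsewhere" or "locked / no password".
# Assumed set covering Linux, Solaris, AIX and HP-UX conventions.
SHADOW_PLACEHOLDERS = {"x", "*", "!", "!!", "*LK*", "NP", "*NP*", ""}

DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")        # traditional crypt(3)
MODULAR_CRYPT_RE = re.compile(r"^\$(?P<id>[0-9a-z]+)\$")  # $id$salt$hash
MODULAR_IDS = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt",
               "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}


@dataclass
class Finding:
    line: int
    user: str
    uid: int
    hash_type: str
    privileged: bool   # uid 0: the entry a privilege-seeking user cracks first


def classify_hash(field: str) -> Optional[str]:
    """Return a hash-format label, or None if field 2 holds no crackable hash."""
    if field in SHADOW_PLACEHOLDERS:
        return None
    if DES_CRYPT_RE.match(field):
        return "des-crypt"
    m = MODULAR_CRYPT_RE.match(field)
    if m:
        return MODULAR_IDS.get(m.group("id"), "modular-crypt-$%s$" % m.group("id"))
    return "unknown"   # still exposed: a non-placeholder value sits in the file


def audit_passwd(text: str) -> List[Finding]:
    """Parse passwd-format text and return one Finding per exposed hash."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue   # malformed; a real audit would log this separately
        user, pw, uid = fields[0], fields[1], fields[2]
        kind = classify_hash(pw)
        if kind is None:
            continue
        try:
            uid_n = int(uid)
        except ValueError:
            uid_n = -1
        findings.append(Finding(lineno, user, uid_n, kind, uid_n == 0))
    return findings


def exposure_ratio(text: str) -> float:
    """Fraction of passwd entries whose hash sits in the passwd file itself."""
    entries = [l for l in text.splitlines()
               if l.strip() and not l.startswith("#") and l.count(":") >= 6]
    if not entries:
        return 0.0
    return len(audit_passwd(text)) / len(entries)


# Constructed sample input: the hash strings are made up, not real credentials.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1::/:/sbin/nologin
# HP-UX style entries below: hash in field 2, no shadow file
alice:abJnggxhB/yWI:1001:100:Example User:/home/alice:/bin/ksh
oper:$1$saltsalt$abcdefghijklmnopqrstuv:0:3:operator:/:/bin/sh
svc:!!:2001:2001:service account:/nonexistent:/bin/false
+::0:0:::
"""

if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        flag = " (uid 0!)" if f.privileged else ""
        print("line %d: %s has a %s hash in /etc/passwd%s"
              % (f.line, f.user, f.hash_type, flag))
    print("exposure: %.0f%% of accounts" % (100 * exposure_ratio(SAMPLE_PASSWD)))
```

To run it against a live system, feed `audit_passwd(open("/etc/passwd").read())`; on a properly shadowed box it returns nothing, and any finding with `privileged` set is a root hash sitting in a file every user can read.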