On Thu, Aug 29, 2002 at 01:07:19AM -0500, Yaron wrote:
>   Hey,
> 
> If someone has physical access, you're screwed anyway. Give me physical
> access to any machine and I'm more than likely going to be able to get
> your data, be it by boot linux init=/bin/sh

only idiots leave lilo/grub unprotected for the init=/bin/sh hack, even
with physical access you can still prevent booting from floppy/cdrom, pw
protect the bios (and use a system that doesn't allow you to easily reset
the password) etc etc.


of course, you shouldn't be allowing employees to store data on their system,
and if you can, you should have them running thin clients anyway.

as for post-it notes, there are much better ways to authenticate someone;
my girlfriend's father has to use a usb keyfob device to activate his workstation.
you can also use devices such as retina scanners, fingerprint scanners, and
(much more cheaply) voice print identification.

> > Bob, when was the last time you changed your house keys?
> 
> When I moved in, and WHENEVER I LOSE A KEY. Furthermore, I am NOT doing
> the postit-equivalent - I don't hide a spare key under the rug, nor
> anywhere else! I also have home insurance.

Who needs keys? It's probably much easier to force a window open, or slide
a credit card in the door.

> I think what Bob was trying to say is it'd be NICE from a security
> standpoint to force password aging and fascist-checking of new passwords,
> but you'll get massive user resistance and likely won't get it
> implemented. Heck, it'd be nice to make everyone use some kind of SecureID
> token, too, but good luck convincing Mr Computer Illiterate CEO of that.
> 

Users want to go to work, surf the web, and chat about how sue in accounting
is borking john the ceo. they won't want their gossip time taken up by
having to deal with 'that security crap'.

> But I guess that's what consultants are for.

consultants aren't helpful, they'll only tell you the same thing that any
good admin has been telling you since he/she was hired. the consultant is
usually ignored for the same reason the admin has been ignored: the users
are too lazy.

> -Yaron

-- 
Matthew S. Hallacy                            FUBAR, LART, BOFH Certified
http://www.poptix.net                           GPG public key 0x01938203
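The boot-loader protection mentioned above (stopping the init=/bin/sh trick at the lilo prompt) looks like this in practice. This is an added illustration, not part of the original thread or of any poster's configuration; the device names, labels and the password value are placeholders. With `restricted`, lilo only asks for the password when someone types extra kernel parameters at the boot prompt, so a normal unattended boot still works while `init=/bin/sh` does not.

```ini
# /etc/lilo.conf (illustrative fragment, not from the thread)
boot=/dev/hda            # placeholder: disk holding the MBR
prompt
timeout=50

# Global setting: any manually typed kernel parameter requires the password.
# Without 'restricted', the password would be demanded on every boot.
restricted
password=CHANGEME-placeholder   # never reuse a real password here; file must be mode 600

image=/boot/vmlinuz      # placeholder kernel path
    label=linux
    root=/dev/hda1       # placeholder root partition
    read-only
```

After editing, run `lilo` as root to rewrite the boot sector and `chmod 600 /etc/lilo.conf`, since the password is stored in clear text. As the reply notes, this only helps alongside a BIOS password and disabled floppy/cdrom boot: a protected boot loader does nothing against booting other media or pulling the disk.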