Nick R on Thu, 9 Sep 1999 13:57:06 -0400 (EDT)


[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [Plug] Re:NT/W95 Login Authentication Schemes


Sorry. I just posted it here because the inspiration for this was the security talk at the last PLUG meeting and some people seemed to know a fair amount about this. I wasn't thinking.

       -Laktar, a.k.a. Nick Rosen, laktar.dyndns.org


If I Ever Became An Evil Overlord:
92. If I ever talk to the hero on the phone, I will not taunt him. Instead I
will say this his dogged perseverance has given me new insight on the futility
of my evil ways and that if he leaves me alone for a few months of quiet
contemplation I will likely return to the path of righteousness. (Heroes are
incredibly gullible in this regard.)
-- Peter's Evil Overlord List, http://www.eviloverlord.com/lists/overlord.html



From: tburba@GLCORPIS01.usvision.com
Reply-To: plug@lists.nothinbut.net
To: plug@lists.nothinbut.net
Subject: Re: [Plug] Re:NT/W95 Login Authentication Schemes
Date: Thu, 9 Sep 1999 10:07:50 -0400





Interesting stuff -- but why on the plug list? Isn't this NT/Win95/8 stuff
a bit off topic? `:-)




jason@sn.com on 09/09/99 09:45:54 AM

Please respond to plug@lists.nothinbut.net

To:   plug@lists.nothinbut.net
cc:    (bcc: Thomas A Burba/USVISION)
Subject:  Re: [Plug] Re:NT/W95 Login Authentication Schemes




The problem with this scheme is that you're trying to insulate the
students from reality. The reality of the situation is that security
is as much a personal responsibility as it is an administrative
task. Yes, someone _could_ try to watch you type your password.
Pay attention to your surroundings. If you think your password is
compromised, change it and immediately tell the admin.
Do not use win9x. Fat file systems are totally insecure. Even with a
bios password there's still no security, there's too many ways arround
it. Use NT, use a domain controler, set permissions for users carefully,
and select a decent 3rd party quota system.
An intelligent user policy/login defaults will save you no end of
trouble. So will monitoring the network. Use somethign like big
brother and investigate any unexpected downtime.
What exactly does the administration want to assign blame to? Porn?
Filter it at the firewall. There's packages out there for exactly this.
Before you defend the poor innocent students, consider this.
Communicating with them isnt hard. You're not asking them to learn
how to build rockets. You're asking them to take responsibilty for
their password/actions on the network. You're not a knight in
shining armor. If people wont defend themselves, then there really
isnt much you can do about it. The careless students will have to learn
to not be careless. You're almost saying "I want to be able to drive
when I'm 15, but if something goes wrong I want it to be someone elses
fault."
People know who the troublemakers are. Usually the students know, long
before the teachers do.
You can run a fairly secure network on NT. Its not like kids are going
to be bringing in their own linux boxes with the specific task of
DoSing people.
You could set it up so that on login, they only have write access to
a profile directory. Let them store everything there. Hell, it could be
on the domain controler. Audit it daily/weekly/whatever. You know who to
look out for. A competant admin shouldnt have _too_ much trouble as long
as a policy can be agreed upon. Disallow installing your own software.
I dunno. I dont see whats so terribly complicated. Well... besides the
win9x idea. That just wont work with out LOTS of headaches.
The bottom line is, if every student goes into the computer lab thinking
"I wonder how much damage I can do before I'm kicked out" then it wont
work. If you have an upfront policy about security, most of them will
think twice. The others.... well, there's troublemakers everywhere.
They make thier own choices, dont try saving them from themselves.
I dont see why a highschool would need a more complex system than most
corporations. Maybe I'm misunderstanding something, but it just seems to
me that by the time they reach high school, some degree of
responsibility isnt unreasonable to ask.
Check out www.bhs.com, there's a ton of 95/NT tools.
At any rate, this isnt so much about security as it is about
responsibility. It also has nothing to do with linux. Anyways, thats
my take on it. Sorry if it doesnt help.
J.
When I grow up, I wanna be more like me.
I had a clue. I didn't like it. I took it back and exchanged it for an
attitude.
On Wed, 8 Sep 1999, Nick R wrote:
> Administration wants to be able to assign blame. Students will share
> passwords, steal passwords, and it will just generally have bad
> consequences.
>
> -Laktar, a.k.a. Nick Rosen, laktar.dyndns.org
>
>
> If I Ever Became An Evil Overlord:
> 41. Once my power is secure, I will destroy all those pesky time-travel
> devices.
> -- Peter's Evil Overlord List,
> http://www.eviloverlord.com/lists/overlord.html
>
>
> >From: Morgan Wajda-Levie <mpwl@locke.ccil.org>
> >Reply-To: plug@lists.nothinbut.net
> >To: plug@lists.nothinbut.net
> >Subject: Re: [Plug] Re:NT/W95 Login Authentication Schemes
> >Date: Wed, 8 Sep 1999 21:55:29 -0500
> >
> >On Wed, Sep 08, 1999 at 06:23:05PM -0700, Nick R wrote:
> > > Later versions of Foolproof are pretty good. The earlier versions
were
> > > pretty easy to get around (actually extremely easy). But, (and I
forget
> > > whether this is an NT security bug or a Foolproof one) there's an
> >obscure
> > > bug that allows you (once in a while) to access files you're not
> >supposed to
> > > through IE. You just have to keep trying and eventually you'll get
in. I
> > > hope somebody can clear up the confusion as to where this security
flaw
> >lies
> > > (NT or Foolproof). It's been too long.
> > >
> > > Just to clarify, I want a scheme that does NOT just require a
password.
> >It
> > > must use something harder to just look at somebody's keyboard or tell
a
> > > buddy, like a keycard or something.
> >
> >Isn't this a bit overkill? If everbody's going to have an account,
> >and people with super accounts are careful, you don't have much to
> >lose. If a student types really slowly, then he's just asking to have
> >his password copied. And it's not as if there aren't easier ways to
> >impersonate a kid through e-mail.
> >
> >If you really do have a reason for keycards and all that stuff, go to
> >it. I just think it's a bit unecessary, and probably *very*
> >expensive.
> >
> >My 2 cents.
> >
> >--
> >Morgan Wajda-Levie
> >http://www.worldaxes.com/wajdalev
> >PGP fingerprint:
> >A353 C750 660E D8B6 5616 F4D8 7771 DD21 7BF6 221C
> >http://www.worldaxes.com/wajdalev/public.asc for PGP key
> >encrypted mail preferred
> ><< attach3 >>
>
> ______________________________________________________
> Get Your Private, Free Email at http://www.hotmail.com
>
> _______________________________________________
> Plug maillist - Plug@lists.nothinbut.net
> http://lists.nothinbut.net/mail/listinfo/plug
>


_______________________________________________
Plug maillist  -  Plug@lists.nothinbut.net
http://lists.nothinbut.net/mail/listinfo/plug








_______________________________________________ Plug maillist - Plug@lists.nothinbut.net http://lists.nothinbut.net/mail/listinfo/plug


______________________________________________________ Get Your Private, Free Email at http://www.hotmail.com

_______________________________________________
Plug maillist  -  Plug@lists.nothinbut.net
http://lists.nothinbut.net/mail/listinfo/plug