Nick R on Thu, 9 Sep 1999 17:55:46 -0400 (EDT)



Re: [Plug] Re:NT/W95 Login Authentication Schemes


I've been told 3 people's combinations. It's the 3rd day of school. In none of those cases did I really have a pressing need to know their combinations. With logins and passwords it's a lot easier to abuse them once you've got them. Already people get stuff stolen and put in their lockers.

       -Laktar, a.k.a. Nick Rosen, laktar.dyndns.org


If I Ever Became An Evil Overlord:
9. I will not include a self-destruct mechanism unless absolutely necessary.
If it is necessary, it will not be a large red button labelled "Danger: Do Not
Push". The big red button marked "Do Not Push" will instead trigger a spray of
bullets on anyone stupid enough to disregard it. Similarly, the ON/OFF switch
will not clearly be labelled as such.
-- Peter's Evil Overlord List, http://www.eviloverlord.com/lists/overlord.html



From: umweber@mcs.drexel.edu
Reply-To: plug@lists.nothinbut.net
To: plug@lists.nothinbut.net
Subject: Re: [Plug] Re:NT/W95 Login Authentication Schemes
Date: Thu, 9 Sep 1999 14:07:46 -0400 (EDT)

Well, if they can handle a locker combination, even if some of them have
to learn the hard way, don't you think they could handle usernames and
passwords about the same? And when they get out in the real world, they
are going to have to know how to handle usernames and passwords in the
typical business setting, so it would actually teach them something..
kinda the whole point of high school.

--
Michelle Weber
umweber@mcs.drexel.edu


On Thu, 9 Sep 1999, Nick R wrote:

> You're talking ideal. I'm talking actual. Ideally, you'd have a small enough
> number of trouble makers and so that occasionally having to replace a
> cracked account wouldn't pose a problem. But the reality of the situation is
> that kids will share passwords just as they do locker combinations. People
> will violate each other's accounts and it will become a full time job for at
> least one person to reissue passwords and sort out problems.
>
> I agree w/ you that NT can be fairly secure, but if you want people to
> actually be able to do stuff, then that security goes down the drain unless
> you have excellent people working on it who set all the permissions properly
> and install all updates. Even then it's a bit iffy. And even if you don't
> have much you can do w/ the computer, an NT box is still pretty insecure.
>
> -Laktar, a.k.a. Nick Rosen, laktar.dyndns.org
>
>
> If I Ever Became An Evil Overlord:
> 86. I will make sure that my doomsday device is up to code and properly
> grounded.
> -- Peter's Evil Overlord List,
> http://www.eviloverlord.com/lists/overlord.html
>
>
> >From: "Jason S." <jason@sn.com>
> >Reply-To: plug@lists.nothinbut.net
> >To: plug@lists.nothinbut.net
> >Subject: Re: [Plug] Re:NT/W95 Login Authentication Schemes
> >Date: Thu, 9 Sep 1999 09:45:54 -0400 (EDT)
> >
> >The problem with this scheme is that you're trying to insulate the
> >students from reality. The reality of the situation is that security
> >is as much a personal responsibility as it is an administrative
> >task. Yes, someone _could_ try to watch you type your password.
> >Pay attention to your surroundings. If you think your password is
> >compromised, change it and immediately tell the admin.
> >
> >Do not use win9x. FAT file systems are totally insecure. Even with a
> >BIOS password there's still no security, there's too many ways around
> >it. Use NT, use a domain controller, set permissions for users carefully,
> >and select a decent 3rd party quota system.
> >
> >An intelligent user policy/login defaults will save you no end of
> >trouble. So will monitoring the network. Use something like big
> >brother and investigate any unexpected downtime.
> >
> >What exactly does the administration want to assign blame to? Porn?
> >Filter it at the firewall. There's packages out there for exactly this.
> >
> >Before you defend the poor innocent students, consider this.
> >Communicating with them isn't hard. You're not asking them to learn
> >how to build rockets. You're asking them to take responsibility for
> >their password/actions on the network. You're not a knight in
> >shining armor. If people won't defend themselves, then there really
> >isn't much you can do about it. The careless students will have to learn
> >to not be careless. You're almost saying "I want to be able to drive
> >when I'm 15, but if something goes wrong I want it to be someone else's
> >fault."
> >
> >People know who the troublemakers are. Usually the students know, long
> >before the teachers do.
> >
> >You can run a fairly secure network on NT. It's not like kids are going
> >to be bringing in their own Linux boxes with the specific task of
> >DoSing people.
> >
> >You could set it up so that on login, they only have write access to
> >a profile directory. Let them store everything there. Hell, it could be
> >on the domain controller. Audit it daily/weekly/whatever. You know who to
> >look out for. A competent admin shouldn't have _too_ much trouble as long
> >as a policy can be agreed upon. Disallow installing your own software.
> >I dunno. I don't see what's so terribly complicated. Well... besides the
> >win9x idea. That just won't work without LOTS of headaches.
> >
> >The bottom line is, if every student goes into the computer lab thinking
> >"I wonder how much damage I can do before I'm kicked out" then it won't
> >work. If you have an upfront policy about security, most of them will
> >think twice. The others.... well, there's troublemakers everywhere.
> >They make their own choices, don't try saving them from themselves.
> >
> >I don't see why a high school would need a more complex system than most
> >corporations. Maybe I'm misunderstanding something, but it just seems to
> >me that by the time they reach high school, some degree of
> >responsibility isn't unreasonable to ask.
> >
> >Check out www.bhs.com, there's a ton of 95/NT tools.
> >
> >At any rate, this isn't so much about security as it is about
> >responsibility. It also has nothing to do with Linux. Anyways, that's
> >my take on it. Sorry if it doesn't help.
> >
> >J.
> >
> >When I grow up, I wanna be more like me.
> >I had a clue. I didn't like it. I took it back and exchanged it for an
> >attitude.
> >
> >On Wed, 8 Sep 1999, Nick R wrote:
> >
> > > Administration wants to be able to assign blame. Students will share
> > > passwords, steal passwords, and it will just generally have bad
> > > consequences.
> > >
> > > -Laktar, a.k.a. Nick Rosen, laktar.dyndns.org
> > >
> > >
> > > If I Ever Became An Evil Overlord:
> > > 41. Once my power is secure, I will destroy all those pesky time-travel
> > > devices.
> > > -- Peter's Evil Overlord List,
> > > http://www.eviloverlord.com/lists/overlord.html
> > >
> > >
> > > >From: Morgan Wajda-Levie <mpwl@locke.ccil.org>
> > > >Reply-To: plug@lists.nothinbut.net
> > > >To: plug@lists.nothinbut.net
> > > >Subject: Re: [Plug] Re:NT/W95 Login Authentication Schemes
> > > >Date: Wed, 8 Sep 1999 21:55:29 -0500
> > > >
> > > >On Wed, Sep 08, 1999 at 06:23:05PM -0700, Nick R wrote:
> > > > > Later versions of Foolproof are pretty good. The earlier versions
> > > > > were pretty easy to get around (actually extremely easy). But, (and
> > > > > I forget whether this is an NT security bug or a Foolproof one)
> > > > > there's an obscure bug that allows you (once in a while) to access
> > > > > files you're not supposed to through IE. You just have to keep
> > > > > trying and eventually you'll get in. I hope somebody can clear up
> > > > > the confusion as to where this security flaw lies (NT or
> > > > > Foolproof). It's been too long.
> > > > >
> > > > > Just to clarify, I want a scheme that does NOT just require a
> > > > > password. It must use something harder to just look at somebody's
> > > > > keyboard or tell a buddy, like a keycard or something.
> > > >
> > > >Isn't this a bit overkill? If everybody's going to have an account,
> > > >and people with super accounts are careful, you don't have much to
> > > >lose. If a student types really slowly, then he's just asking to have
> > > >his password copied. And it's not as if there aren't easier ways to
> > > >impersonate a kid through e-mail.
> > > >
> > > >If you really do have a reason for keycards and all that stuff, go to
> > > >it. I just think it's a bit unnecessary, and probably *very*
> > > >expensive.
> > > >
> > > >My 2 cents.
> > > >
> > > >--
> > > >Morgan Wajda-Levie
> > > >http://www.worldaxes.com/wajdalev
> > > >PGP fingerprint:
> > > >A353 C750 660E D8B6 5616 F4D8 7771 DD21 7BF6 221C
> > > >http://www.worldaxes.com/wajdalev/public.asc for PGP key
> > > >encrypted mail preferred
> > >
> > > ______________________________________________________
> > > Get Your Private, Free Email at http://www.hotmail.com
> > >
> > > _______________________________________________
> > > Plug maillist - Plug@lists.nothinbut.net
> > > http://lists.nothinbut.net/mail/listinfo/plug
> > >


