On Fri, 16 Sep 2005 17:27:35 -0300, Derek Broughton
<news@pointerstop.ca> wrote:
>and that's the problem. It's safe (afaik) from wireless snooping, but
>those pieces of paper can probably be found in virtually every desk at most
>people's workplaces.
Sure. I did some security audits a while back. On 52 desktops, I
found approx 15 pieces of paper with the passwords. On 2 of them, I
found the password scribbled directly onto the monitor with a pen.
As I mentioned, if I ever lose the printed password list, I'm toast.
So, I have a rather crude scrambling scheme for what's printed on the
sheet. At first glance, it looks like real logins and passwords, but
a bit of mental shuffling is required to extract the real passwords.
Easy to do in Excel with an easily tweaked formula. Anyone with some
experience in codes and ciphers can figure it out in about 10 minutes,
but until I find a better way to store a large number of passwords
(approx 400), it's the best I can do.
>Sorry, should have snipped. You didn't say, "only use an encrypted pipe",
>though, you said VPN or Squirrel Mail, and I'm pointing out that there are
>simpler methods than VPN for most of us, that solve the problem of getting
>your email - of course, for anything else VPN is sometimes the only
>acceptable solution.
Oh, right. There are other ways besides VPN and Squirrel Mail.
http://www.squirrelmail.org
VPN is overkill for just email, but it does the job and fixes a few
other security issues at the same time.
I guess I should mention that good old ftp and telnet have the same
problem with unencrypted logins and passwords. Switch to SSH and SFTP
as in WinSCP:
http://winscp.net/eng/index.php
>> Good advice. TLS (transport layer security) is an incompatible
>> extension of SSL. However, I still see a substantial number of ISPs
>> that offer unencrypted POP3 logins for email. I would be gratified if
>> they would dump these in favour of more secure solutions.
>Completely agreed. I'm assuming they're worried about the support costs of
>just dumping the insecure method and forcing SSL or TLS access, but there's
>no reason they need to. Set up a second server, only allow secure access,
>change all your help files to specify how to access it instead of the
>insecure server, and give this to all new customers. Then advertise it to
>the old customers and encourage them to use it. Finally, when you have
>many people using the secure method and everyone's comfortable with it
>start pushing the Luddites off the old server.
Not a bad deployment plan. That's roughly the way one ISP I deal with
has done it. Eventually, they plan to dump the older insecure
protocols. However, since I'm still using UUCP over TCP with a TLI
interface and SMTP client polling, I suspect that the old junk will be
around forever.
The real "problem" is that most users don't have a clue how their
programs work. They don't know the risks, the mechanics, what hackers
can do with a login and password, or which applications are safe to
use. I don't know how to educate the users.
>OK, I promise never to use the same password again (Well, except the
>innocuous password I use for all the email lists I subscribe to - if
>someone is so desperate to hijack those and pretend to be me, they're
>welcome to it).
Also guilty. Do like I say, not like I do. I just looked at my
printed list. Out of about 150 entries that are mine, 15 have
identical passwords. Same issue. Mailing lists, weblogs, and
worthless accounts all get the same password. OK, so I'm lazy.
Incidentally, speaking of identity theft. Many years ago, I was
leaving my business cards at local computer stores, restaurants,
markets, stores, and any place that might send me some repair biz.
Someone grabbed a few of my cards and drifted into one of my larger
customers claiming that I had sent him to "pick up" a machine or two
for repair. He used my business card as proof that I had sent him.
However, he was such a poor actor that the customer became suspicious
and paged me. He disappeared. Perhaps I should encrypt my business
cards?
--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com
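The thread's recurring point is that POP3 (like ftp and telnet) ships the login and password in the clear unless the session is upgraded with STLS first. The following is an added example, not code from the thread or from any poster: a small analyzer that walks a POP3 client/server transcript and reports whether the server advertised STLS, whether the client actually used it, and whether USER/PASS or AUTH PLAIN/LOGIN went out before the upgrade. The transcripts at the bottom are constructed for illustration; the usernames and passwords in them are placeholders, and a real deployment would feed it lines reconstructed from a capture on port 110.

```python
"""Flag POP3 sessions that send credentials before STLS (constructed example)."""
from dataclasses import dataclass, field

# Client verbs that carry a reusable credential in the clear when not under TLS.
CLEARTEXT_VERBS = {"USER", "PASS"}
CLEARTEXT_AUTH_MECHS = {"PLAIN", "LOGIN"}


@dataclass
class SessionReport:
    stls_offered: bool = False      # server listed STLS in its CAPA reply
    stls_used: bool = False         # client sent STLS and server accepted it
    cleartext_auth: bool = False    # a credential went out before the upgrade
    findings: list = field(default_factory=list)


def analyze_pop3(transcript):
    """transcript: list of (direction, line); direction is 'C' (client) or 'S' (server)."""
    report = SessionReport()
    encrypted = False      # becomes True once STLS is acknowledged
    reading_capa = False   # True while consuming the multi-line CAPA reply
    pending = None         # last client verb, so a '+OK' can be attributed to it

    for direction, line in transcript:
        text = line.rstrip("\r\n")
        if direction == "S":
            if reading_capa:
                if text == ".":          # end of the multi-line capability list
                    reading_capa = False
                elif text.upper() == "STLS":
                    report.stls_offered = True
                continue
            if pending == "CAPA" and text.startswith("+OK"):
                reading_capa = True
            elif pending == "STLS" and text.startswith("+OK"):
                encrypted = True         # everything after this is inside TLS
                report.stls_used = True
            pending = None
            continue

        # Client line: look at the verb and, for AUTH, the mechanism.
        parts = text.split(" ", 2)
        verb = parts[0].upper()
        pending = verb
        if encrypted:
            continue
        exposed = verb in CLEARTEXT_VERBS or (
            verb == "AUTH" and len(parts) > 1 and parts[1].upper() in CLEARTEXT_AUTH_MECHS
        )
        if exposed:
            report.cleartext_auth = True
            # Never copy the secret itself into a report; keep the verb only.
            shown = text if verb == "USER" else f"{verb} ********"
            report.findings.append(f"{shown!r} sent before STLS")
    return report


# Constructed transcripts (placeholder credentials, not real accounts).
PLAIN_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "CAPA"),
    ("S", "+OK Capability list follows"),
    ("S", "USER"),
    ("S", "STLS"),
    ("S", "."),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS placeholder-password"),
    ("S", "+OK Logged in."),
    ("C", "QUIT"),
]

STLS_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "CAPA"),
    ("S", "+OK"),
    ("S", "STLS"),
    ("S", "."),
    ("C", "STLS"),
    ("S", "+OK Begin TLS negotiation"),
    ("C", "USER alice"),
    ("S", "+OK"),
    ("C", "PASS placeholder-password"),
    ("S", "+OK Logged in."),
]

NO_STLS_SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "AUTH PLAIN AGFsaWNlAHBsYWNlaG9sZGVy"),
    ("S", "+OK Logged in."),
]


if __name__ == "__main__":
    for name, session in [("plain", PLAIN_SESSION), ("stls", STLS_SESSION), ("no-stls", NO_STLS_SESSION)]:
        print(name, analyze_pop3(session))
```

The "plain" transcript is the case the thread complains about: the server advertises STLS but the client ignores it, so both USER and PASS are flagged. The "stls" transcript upgrades first and produces no findings, and the third shows an ISP that never offers STLS at all, which is the situation where the only fix is a second, TLS-only server as the quoted deployment plan describes.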