BOFH: Don't threaten us with a good time – ensure it
- Reference: 1731058206
- News link: https://www.theregister.co.uk/2024/11/08/bofh_2024_episode_21/
- Source link:
"Just going over your general security settings … Can you tell me your password policy for users?" Brian, the guy from the insurance company, asks.
"Oh, they definitely have to have one!" I answer.
[1]
"Yes, but what is your policy?"
[2]
[3]
"That they have to have a password," I reply.
"No, I meant something like: eight or more characters, a mix of alphanumeric and special characters, minimum and maximum password lifetimes, you know."
[4]
"Hmm," the PFY hmms, "You know, I think there's some good ideas there."
"Do you mean to say that you don't have a password policy?"
"The users don't really like them – but I'm sure we could get them up to six characters if they added the year to their birthday …"
[5]
"Or even eight if we made them use a four-digit year," I suggest.
"Sorry, are you saying your users use their birthdate as their password?"
"Goodness no. It's usually their partner's birthday. Or their favorite child."
"So, you don't have any password policy?" Brian asks.
"No, like I said, our users have to have passwords. That's the policy. But we do like your ideas."
"What about administrator passwords?" Brian asks, scribbling away on his checklist with a red pen.
"Yes, we have those," the PFY says.
"I meant your administrator password policy?"
"Oh, well that's a whole different story. We have an absolute MINIMUM of two characters."
"Sorry, you mean you could have a password that's two characters long?"
"For emergency use, yes," I reply.
"For emergencies?" Brian asks.
"Yeah sure. Say there's been some security incident or something's gone wrong – do our users really want to wait while we type in some complicated password, which we'd probably have to waste time finding in a password book that we'd locked in a safe somewhere? Of course not. But with a two-letter password we'd probably have fixed the problem while one of your 'best-practice' people is still trying to get a two-factor response out of their iPhone."
We wait a while for Brian to scribble a few more notes with his red pen. "Uh … OK … what about document security?"
"We have a safe!" the PFY beams proudly, pointing at a small box across the room.
"That's a safe?"
"Well, it's a lockbox," I reply. "When the Beancounters stopped having a petty cash system they had a bunch of those left over, so we grabbed some."
"And what do you use them for?"
"Well that one has a backup of all our files on it, the one on MY desk has the building master keys, an all-access swipe card, and our password book in it. Oh, and the one on the floor by the door is full of lead shot – we use it as a doorstop. "
"And they're not bolted down?" Brian asks.
"Of course not. We wouldn't be able to put them in the cupboard when we go home."
"And you believe that's secure?" Brian asks.
"Yes – because we use a different cupboard sometimes – to mix it up a bit." the PFY replies smugly/
>scribble< >scribble<
"… … … OK. Talking about workday routine. How often would you say you use privileged or administrator access?"
"Hmm. Once a day," I reply.
"Ah," Brian says happily, reaching for his blue pen.
"Yes, we'll log in as domain admin and root in the morning and log out … when we go home."
"So you don't use a non-privileged user for day-to-day work?"
"We're not non-privileged users," the PFY explains, as if to a child.
Brian can see the way this is going and puts his blue pen away.
What firewall do you use?" he sighs.
"Between here and the server room you mean?" the PFY asks. "I think it's three sheets of plasterboard – but that's mainly for soundproofing."
"I think he means network firewall," I chip in, "and we definitely have one of those!"
"And it's an enterprise level, next-generation firewall?"
"What's Star Trek got to do with it?" the PFY asks.
… more scribbling with the red pen …
"Antivirus?" Brian asks.
"Yep. Every one of our users has Security Essentials installed."
"Microsoft Security Essentials?" Brian asks, horrified.
"Yes."
"Does that even run on Windows 11?" Brian asks.
"Windows 11?" the PFY asks.
"Windows 10 then," Brian responds, hopefully.
"Windows 10?" the PFY asks.
"You can't be still on Windows 8!" Brian gasps.
"Windows 8?!" the PFY asks.
"Are you on Windows 7?!" Brian asks.
"Yeah," the PFY says. "We bought a volume licensing key on eBay years ago – and it's the gift that keeps on giving! It has saved us a FORTUNE!"
>scribble< >scribble<
… about 15 minutes later Brian asks to borrow a red pen from us because his has run out …
[6]BOFH : The Boss pulled the plug on our AI, so we pulled the pin on him
[7]BOFH : AI consultant rapidly transitioned to new role as automotive surface consultant
[8]BOFH : The true gravity of the Boss and the 3-coffee problem
[9]BOFH : I get locked out, but I get in again
THE NEXT DAY
"It's a disaster!" the Boss blurts. "Our insurance premium is astronomical! It's more than four times what last year's premium was, and comes with a list of caveats. We simply can't afford it."
"So the money that we'd budgeted for the software is now available to spend on … other software?" I ask.
"…?!" the Boss replies. "Did you do that on purpose?"
"Do what?" the PFY asks.
"Did you make us uninsurable?"
"Have you ever read the policy?" I ask.
"I …"
"You're aware of the plethora of situations which would invalidate the contract?"
"I …"
"How broad the term 'reasonable care' is and how pernickety the definition of 'up-to-date' is, when applied to software, firmware, antivirus, operating systems, access control systems, etc?"
"I … So things aren't as bad as Brian was saying?"
"Well … we do have a password policy …"
[10]BOFH: The whole shebang
[11]The Compleat BOFH Archives 95-99
Get our [12]Tech Resources
[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/bofh&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2Zy3vWjK4FuHbq-6fef4bbgAAAMM&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0
[2] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/bofh&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zy3vWjK4FuHbq-6fef4bbgAAAMM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/bofh&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zy3vWjK4FuHbq-6fef4bbgAAAMM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/bofh&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44Zy3vWjK4FuHbq-6fef4bbgAAAMM&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0
[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_offbeat/bofh&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33Zy3vWjK4FuHbq-6fef4bbgAAAMM&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0
[6] https://www.theregister.com/2024/10/25/bofh_2024_episode_20/
[7] https://www.theregister.com/2024/09/27/bofh_2024_episode_18/
[8] https://www.theregister.com/2024/08/09/bofh_2024_episode_15/
[9] https://www.theregister.com/2024/03/08/bofh_2024_episode_5/
[10] https://www.theregister.com/data_centre/bofh/
[11] http://www.bofharchive.com/
[12] https://whitepapers.theregister.com/
Insurance and warranties ..... only get them if legally or contractually required!
If the insurance company is making a profit from them then on average you'll get back less money than you put in! Always a losing strategy for most gamblers, most of the time!
Ah yes, like the wonderful life insurance bet. The insurance company bets you are not going to die in the next x years and if they lose your will says who gets the winnings.
Minor nitpick: In many countries, such as the UK, the life insurance pays out to a named beneficiary. It's nothing to do with your will. (Maybe there are countries that do it differently?)
The reason for that is that your will divides up your "estate" - everything you owned. Many countries, including the UK, tax estates. So if the life insurance money went into that pot it would be taxed. By paying it directly you avoid that tax. Also if sorting out the estate takes a long time, that doesn't delay the life insurance payment.
Death and Taxes
Some people take out a life insurance to pay the death duties - otherwise, if you have valuable assets (like a house!) you can't sell it until you get probate and of course you can't get probate until you've paid the death duties : CATCH 22
Your will says who ought to get the winnings. Usually people ignore it.
As the old saying goes, "Where there's a will, there's a relative"
I always look at Home Insurance in this way - I could put the money I spend in a bank account in case I ever had a fire and needed to rebuild. And in the long run I would absolutely save a ton of cash. However, if my house burns down at the end of the first year (or first 10 years), before I have the money to rebuild saved up. Well then, frankly, I'd be up sh&t creek without a paddle, and the choco crocs would be circling.
Home Insurance allows me to not have to worry about when that fire happens, whilst knowing the pot of money will be there to rebuild if/when it happens (and fingers crossed, it never does happen). Ok, you have to take in the millions of caveats that the insurer will use to try and get out of it's obligation, but it is still a better option, if you cant have the money there from the start.
Cyber Insurance though, is a complete waste of everyone's time, and the sooner it dies, the better for everyone...
Only insure something if you cannot afford to lose it AND if you cannot afford to replace it.
Otherwise you're better off putting the same money you'd pay to the insurance company into your bank account.
Ouch!
"Yes – because we use a different cupboard sometimes – to mix it up a bit."
This is far too close to one of my previous employers to be a coincidence, surely.
The Generation Game
> And it's an enterprise level, next-generation firewall?
Ummm, if it is deployed then that (by definition) makes it the current generation.
A "next generation" firewall can only exist in the R&D departments of firewall makers. And you definitely wouldn't want to be running one of those. Not until it gets released as a product and therefore becomes the new current generation.
Brilliant
Slight deviation for the original BOFH password policy:
[1]"... Modify the user's password minimum from 6 to 32 letters, give the password a 1 day lifetime, set it so that they HAVE to use the password generate utility when they change their password (so their password will always be something that looks like vaguely pronouncable line-noise), add a secondary password with the same as the above, then redefine their CLI tables so that the only command that works is DELETE, and all other commands point to it."
Sheer genius.
Somehow this episode reminds me of the time my wife was pissed off at the sysadmins at her work, because they wouldn't let her stick a post-it with her password on her computer monitor. The spoilsports!
She was quite offended when I heartily agreed with the sysadmins.
[1] https://bofh.bjash.com/bofh/genesis2.html
Re: Brilliant
Your wife - what a silly lady! Everyone knows how insecure the post-it note with password stuck to your screen is. That's why the Post-it note goes under your keyboard! I thought everyone knew that!
Re: Brilliant
You could always use KEYBOARD as the password and save a whole entire post-it!
Re: Brilliant
My password is "Incorrect" so when I type it in wrong, the system tells me that my password is incorrect
Re: Brilliant
In a shared office, it's a bad idea, but for a home user it's not so bad. It's about the interplay between physical, and network, security.
Lock it up in a box...
In a previous job, all the server passwords were written down on small cards and placed inside one of those little cashboxes that was kept in the bottom drawer of my desk.
It was locked, obviously, but nothing a good screwdriver couldn't break open.
The reasoning of the person who suggested this was if ne'er-do-wells could get to the box it was already a security fail.
Re: Lock it up in a box...
It's like locking internal doors. If they are already in, all that's going to happen is you have more doors to replace.
Warning...
Common sense is not allowed here. Most password requirements devolve into using post-it notes (as described above). Especially if password managers are not allowed (like the last place I worked).
Insurance? Paying Vinny usually worked quite well...
Insurance is just betting against yourself.
Why would you bet against yourself if you know what you're doing?