
Re: [LUG] which is better? (more secure)

 

Bah. Gmail client annoys me sometimes. Sorry for the blank reply.

> Not necessarily, if it can be accessed remotely.

Yeah, if the machine is running and the encrypted storage is online and
mounted, the crypto isn't going to help much. It's weird how many people
don't seem to realise that! It's for protecting at rest, when the
machine and its storage is off.

The internet is full of encrypted files that are shared around, often just to idly see how easy it is to crack and to hone skills. There is a murky underworld where you can offer bounties to crack a file if your own abilities aren't up to the job, or you don't have access to enough horsepower and someone with a botnet/fast compromised shell somewhere can make a dollar by doing it for you.

Encryption's useful, of course it is, but it's vulnerable.
 
> Sticky label on a physical machine, especially if it's locked away in a
> cupboard, ain't so bad. If the bad guy has physical access to your
> hardware, you've already lost.

Not necessarily (see my reply to the other Simon yesterday). It's also
strange - to me at least - that people automatically assume physical
access = game over. There are a lot of gradations of "physical access".

<snip>

You make some good points there, but actually that reinforces my base point. The stereotypical risk factor here is the office cleaner reading passwords off the monitor where they've been post-it'd. (Is that a word?) I don't doubt it happens, and anyone doing that really is being more than a bit silly, but in many situations the human traffic to a server room, or a comms cupboard, is negligible. Writing a password on something there (perhaps underneath!) is not really so risky imo.

I know others disagree with that, and perhaps they're right to. My view on security is one that is somewhat more pragmatic than others because I work in a relatively low-risk environment handling files that have little corporate value. I also work with people who are mostly not specialists with IT equipment and anything that gets in the way of them doing their job (and I've had some that I've considered were doing well if they ended up facing the right way on the chair), means zero productivity. Sometimes they're too embarrassed to ask about stuff and will sit there doing nothing until they get shouted at.

Hence my attitude which probably raises the hackles on die-hard secrecy fetishists. Usability first.
 
And also, I kinda like that every sysadmin has a different approach. Security through obscurity, cryptography, daily-changing passwords (don't get me started on *those*) and every permutation of password strength and complexity is GREAT. As long as that sysadmin has actually sat down and thought about their system, their users and their unique situation, I think that the inevitable compromise they arrive at is sufficiently different that it may not be immediately guessable by Mr Bad Guy. (I know this is simplistic, and that the ex or current employee scenario can null your individuality.)

But seriously, you physically tie down every machine?  I have never seen that before.
-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq