It’s like outsourcing your accounting – why would anyone do that? It’s an invitation to being ripped off, as we have already seen.
There was a time when you would never hear a discouraging word from the corporation mass. Now you can’t shut them up. If the company isn’t loyal to the workers, the workers won’t be loyal to the company. It doesn’t take long for the short term savings to disappear and the long term costs to become evident.
Other favorite places for people to write passwords: On a post-it note stuck *under* the keyboard. On a post-it note stuck under the desk calendar (back in the days when people had desk calendars). On a post-it note stuck to the inside of the top drawer of the desk. Back in the days when I had a need to do so, I rarely had to go hunt down someone for the password to critical IT systems that I needed access to. I just needed the IT director to let me in to the office and nine times out of ten, I was in the system within minutes. (The other 1/10th of the time, he had to call someone to get the password). Indeed, about 20% of the time I found out that the person in question had turned off the monitor or terminal but was still logged in to the IT system! A quick hit of the ‘Refresh’ button and there I was, in the system.
Regarding cleaning crews, outside cleaning crews are a massive, massive security breach and companies which outsource their janitorial services are playing with fire. The only sensible thing to do from a security point of view is to hire your own janitorial staff and subject them to the same background checks as anybody else who deals with your critical data. But it costs more to hire people than to contract, according to the bean-counters (or more likely, contracting lets you “hire” illegals to clean your business without your company being held responsible if ICE comes in and does a raid). I swear, if I wanted to know the secrets of half the companies in the Valley, I’d start by buying up a janitorial company that already has contracts in those companies. (Not my employer’s secrets, of course — we don’t make that mistake — but then, in the business we’re in, you wouldn’t expect us to).
– Badtux the Security Geek Penguin
The number one security problem for major corporations is the post-it note. The number of times I have visited a location to see the passwords on post-it notes stuck on the screen is mind-boggling, and I visited accounting departments.
The rolodex is number two; it is usually readily available under “P”.
$50 to a member of the cleaning crew will get you all of the passwords you ever wanted, and the executive offices were the worst offenders.
We bust our butts securing things and protecting them, and management pitches it all out the door for convenience. They’ll spend millions in court costs defending “trade secrets”, but won’t memorize a password to make their system secure.
There was better security on the college system I administered than at the Fortune 50 companies [there were two of them] that I worked for.
The NSA doesn’t need to crack AES, and doesn’t want to, and can’t short of technological advances that seem unlikely at the moment. They just need to sniff the passphrase (see: keyboard sniffers), and they have your stuff. Which shows the limits of depending upon a secure algorithm for your data security. Sure, the algorithm is secure. But what about the cryptosystem that it’s a part of? Does it leave plaintext passwords lying around in memory or in swap? Is the OS that it’s running upon secured to prevent software-based passphrase sniffers from operating? Are the physical facilities secured to prevent someone from breaking in and placing a hardware-based password sniffer into the keystream? Are you physically securing the passphrase-encrypted key in a separate location when it is not needed to encrypt or decrypt data? If I want to break a cryptosystem, virtually every one in existence today — including TrueCrypt — is child’s play, even though I can’t break AES. But I don’t need to break AES. Not as long as we have OSes with more holes than Swiss cheese that let me insert sniffers into the keystream. Even with Linux kernel-based implementations it’s difficult but not impossible to break every cryptosystem that I’ve looked at thus far. Makes me wonder about all these compromised systems spewing viruses, and who’s behind all that…
— Badtux the Crypto Penguin
(And now I’ve told you more about my day job than perhaps I should have…shrug. Let’s just say that I’m with the good guys, the ones wondering about what to do about all this, and leave it at that.)
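The comment above asks whether a cryptosystem leaves plaintext passphrases lying around in memory or in swap. As an added example (not code from this thread or from TrueCrypt), this C program shows the standard defensive handling: pin the passphrase buffer with mlock so it cannot be paged to swap, and wipe it through a volatile pointer once the key has been derived. It assumes a POSIX system; the passphrase is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

#define PASS_MAX 256

/* Zero a buffer through a volatile pointer so the optimizer cannot drop the
 * stores as "dead" just because the buffer is never read again. */
static void secure_wipe(unsigned char *buf, size_t len) {
    volatile unsigned char *p = buf;
    while (len--) *p++ = 0;
}

/* Returns 1 if every byte of buf is zero, 0 otherwise. */
int is_wiped(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Handles one passphrase in the caller's buffer: pins the pages with mlock so
 * they cannot be written to swap, copies the passphrase in, stands in for the
 * key derivation step, then wipes the buffer before unpinning it.
 * *locked reports whether mlock succeeded (RLIMIT_MEMLOCK may deny it);
 * returns 1 if the buffer is fully zeroed afterwards. */
int handle_passphrase(const char *sample, int *locked, unsigned char buf[PASS_MAX]) {
    *locked = (mlock(buf, PASS_MAX) == 0);
    size_t n = strlen(sample);
    if (n > PASS_MAX - 1) n = PASS_MAX - 1;   /* truncate rather than overflow */
    memcpy(buf, sample, n);
    buf[n] = 0;
    /* ... derive the volume key from buf here; that key needs the same care ... */
    secure_wipe(buf, PASS_MAX);
    if (*locked) munlock(buf, PASS_MAX);
    return is_wiped(buf, PASS_MAX);
}

int main(void) {
    unsigned char buf[PASS_MAX];
    int locked;
    /* Constructed sample passphrase; a real program would read it from the user. */
    int ok = handle_passphrase("constructed-sample-passphrase", &locked, buf);
    printf("mlock %s, buffer wiped after use: %s\n",
           locked ? "succeeded" : "denied", ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The wipe only covers this buffer: a passphrase typed into a terminal also passes through the tty layer and any keystroke sniffer sitting in front of it, which is exactly the point the comment makes.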
Apple is Apple, Badtux, and they have never changed or claimed to be anything they weren’t. If it works, you know what you’re getting and the terms. Steve Jobs hasn’t been running around DC asking for more H-1B slaves.
– Badtux the Geeky Penguin
I use TrueCrypt for most things and a very good Russian one (based on the work of Peter Gutmann) that is not publicly available, for things I REALLY want secure! 🙂 Peter has an excellent crypto tutorial I recommend: Godzilla Crypto Tutorial
TrueCrypt is pretty good. It uses AES, Serpent, Twofish and Cascades encryption algorithms, and RIPEMD-160, SHA-512 and Whirlpool hash algorithms.
It can be used to create a completely hidden partition or drive, and even a hidden OS.
I am sure, Bryan, I don’t have to say what I think of AES, or any algorithm sponsored by the NSA (or any US agency for that matter). 😉
Steve, if you are interested, I am getting a couple promo copies of that ‘Native Inka’ CD (titled: ‘The Andes’) if you’d like one. 🙂 Let me know, we can arrange something.
Cheers! 😀
It’s an extension that Nitro created to help promote their own reader and PDF editor, but it’s unobtrusive and works very well. 🙂
PDF Download by Nitro PDF Software lets you regain control over PDF files in Firefox. When you click on a PDF file, PDF Download lets you know, can tell you how big it is, and can then give you the choice to open, download, or convert it to HTML. The add-on for Firefox lets you decide what to do with the PDF files you click on and customize and automate how they should be handled.
Control PDF files in Firefox
* Stop PDF files crashing your browser.
* Stop PDF files taking forever to open.
* Make PDF files download like other files in Firefox.

When you click on a PDF file on the web, PDF Download notices and (depending on your settings) will do things like:
* Ask you what you want to do with the file.
* Convert the PDF to HTML automatically.
* Download the PDF automatically.
* Open the PDF in the browser automatically.

The settings let you configure PDF Download to the way you like to work with PDF files. Other popular features let you:
* Set default PDF viewer. Choose the PDF reader you’d prefer to use, including Foxit Reader.
* Check PDF file size. Get PDF Download to tell you the file size of the PDF before you start downloading, opening or converting it.
Enjoy! 😀
OTOH, when I’m looking for something on the ‘Net and what I want turns out to be a bloody .PDF, I get more than a little annoyed, especially when the process is interrupted by Adobe telling me that I really should upgrade as they have discovered that their software is a malignant tumor magnet.