Cyber attack EMP event/attack discussion Not Political

turbodog

Flashaholic
Joined
Jun 23, 2003
Messages
6,425
Location
central time
... short password reset intervals, password complexity requirements that all but guarantee people write them down on sticky notes posted to their monitors...

I've been against p/w reset for YEARS. Microsoft just made that part a little easier a couple of years ago, officially coming out AGAINST p/w reset provided the existing p/w is strong.
 

idleprocess

Flashaholic
Joined
Feb 29, 2004
Messages
7,197
Location
decamped
I've been against p/w reset for YEARS. Microsoft just made that part a little easier a couple of years ago, officially coming out AGAINST p/w reset provided the existing p/w is strong.

The every-90-day password reset interval is the dumbest thing and has been for years. Any IT Security department worth their budget should be actively monitoring logins and should mandate resets only if something suspicious occurs. If a user in Ohio is suddenly trying to log in from Washington - or Belarus - and doesn't travel, maybe just maybe something's rotten in the state of Denmark.
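The "user in Ohio suddenly logging in from Belarus" check above is the kind of monitoring a login-anomaly rule implements. This is an added illustration, not code from anyone in the thread: an impossible-travel check over constructed sample login records (user, timestamp, place, coordinates are all made up), flagging consecutive logins by one user that would require travelling faster than an airliner.

```python
"""Impossible-travel check over login events (constructed sample data)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample login records: (user, UTC timestamp, place, latitude, longitude).
# Alice "logs in" from Minsk 45 minutes after Columbus; Bob reaches Seattle two days later.
SAMPLE_LOGINS = [
    ("alice", "2021-06-01T08:00:00", "Columbus, OH", 39.96, -82.99),
    ("alice", "2021-06-01T08:45:00", "Minsk, BY", 53.90, 27.57),
    ("bob", "2021-06-01T09:00:00", "Columbus, OH", 39.96, -82.99),
    ("bob", "2021-06-03T09:10:00", "Seattle, WA", 47.61, -122.33),
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_kmh=900.0):
    """Flag consecutive logins by the same user that imply travelling faster
    than max_kmh (roughly airliner speed). Returns a list of findings, each
    (user, from_place, to_place, implied_kmh); the caller decides whether a
    finding warrants a forced reset or simply a call to the user."""
    by_user = {}
    for user, ts, place, lat, lon in sorted(logins, key=lambda r: (r[0], r[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), place, lat, lon))
    findings = []
    for user, events in by_user.items():
        for (t0, p0, la0, lo0), (t1, p1, la1, lo1) in zip(events, events[1:]):
            hours = (t1 - t0).total_seconds() / 3600.0
            dist = haversine_km(la0, lo0, la1, lo1)
            if hours <= 0:  # two places at the same instant is itself suspicious
                if dist > 0:
                    findings.append((user, p0, p1, float("inf")))
                continue
            speed = dist / hours
            if speed > max_kmh:
                findings.append((user, p0, p1, round(speed)))
    return findings


if __name__ == "__main__":
    for user, src, dst, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{user}: {src} -> {dst} implies {kmh} km/h; review before forcing a reset")
```

A real deployment would feed this from the authentication log with IP geolocation supplying the coordinates, and would treat a finding as a trigger for review rather than an automatic lockout.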
 

jtr1962

Flashaholic
Joined
Nov 22, 2003
Messages
7,505
Location
Flushing, NY
The every 90 day password reset interval is the dumbest thing and has been for years.
+1

The site where you pay NYC real estate taxes does that. Don't really see the point. Besides, even if someone got into my account somehow it's not like they can steal anything from me. All you can do is pay the taxes. If someone wants to hack in and pay my taxes all power to them.

There is an unfortunate perfunctory aspect to IT security as well - short password reset intervals, password complexity requirements that all but guarantee people write them down on sticky notes posted to their monitors, guarding against movie plot scenarios unlikely to happen in the real world, nix plans Because Reasons™ without offering viable alternatives - that do nothing, inhibit business operations, and can make the business less secure as users or even entire organizations work around security policy.
Yep. The end result of different password rules for different sites is that you often use completely different passwords instead of the same one, or variations on the same one. Good luck remembering 30 different passwords.

I can't wait until the day most sites use biometric stuff like fingerprints or retinal scans. Of course, the hardware people use has to be capable of that, but it will make things more secure, as well as making life easier for people.

True story:

I had my eBay account hacked a few years ago. My fault actually, because I was tired and fell for one of those phishing emails. Anyway, I knew it happened once I couldn't log into my eBay account. What I did was click on "I forgot my password" or whatever they call it, got an email, and reset my password to something completely different so the scammers couldn't try to hack my account again using variations of my original password. Now here's the good part. When I got back into my account I saw a few expensive things in the shopping cart, including a higher end MacBook. I deleted all of it from the cart immediately, and removed any things the hackers added to my watch list. They were probably getting ready to buy the items in the cart just as I logged back into my account. I would have loved to have seen their faces when they perhaps tried to do that, and got a message that they were no longer logged in.

We are making some progress in small degrees. All phone providers will have to have verified caller ID by June 30, 2021. I'm sure it's not hack-proof but the general idea is the harder and more expensive you make something, the fewer people will engage in it. Telemarketing has been a nuisance for decades. Anything that can mostly get rid of it is welcome news. Hopefully we can eventually do something similar for IP spoofing.

idleprocess

Flashaholic
Joined
Feb 29, 2004
Messages
7,197
Location
decamped
I can't wait until the day most sites use biometric stuff like fingerprints or retinal scans. Of course, the hardware people use has to be capable of that, but it will make things more secure, as well as making life easier for people.

There are two major problems with biometrics as online credentials:
  • Immutability : By their nature, biometric patterns are immutable. If your fingerprint, retina/iris scan, vein pattern on the back of your hand, a 3D map of your face, etc. is compromised, you're SOL - your credentials can be revoked, but unlike a password or security token you can't change said aspects of your body readily.
  • Cheating : Everyone reads about means of defeating fingerprint readers, Face ID, etc. (generally in the context of Apple smartphones since they've often been at the forefront of these technologies) and marvels at the effort required. Of course it's probably not worth trying to lift fingerprints or approximating a 3D scan of a face to get into a smartphone. But these are also convenience features backed up by conventional passwords within a tightly-integrated single piece of hardware. If you're going to use biometrics online the potential for cheating is greater, since the chain of custody is as vulnerable as password breaches and the remote system's ability to ensure a 'live scan' is at best limited.

Thus, I doubt we'll see biometrics used outside of convenience features (device unlocking) or as a way to augment in-person identity verification or other monitored situations where the opportunity to cheat is largely eliminated.
 

orbital

Flashlight Enthusiast
Joined
Feb 8, 2007
Messages
4,293
Location
WI
+

"The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism.."

from reuters.com
 

turbodog

Flashaholic
Joined
Jun 23, 2003
Messages
6,425
Location
central time
+

"The U.S. Department of Justice is elevating investigations of ransomware attacks to a similar priority as terrorism.."

from reuters.com

That's fine, and probably warranted. But good luck stopping it. The money is simply too easy, abundant, and tempting.

Ransomware, at its heart, is simply a virus. So we are saying that we are going to outlaw viruses. Hasn't worked so far. We are going to stop them technologically? Failure on that front also.
 

orbital

Flashlight Enthusiast
Joined
Feb 8, 2007
Messages
4,293
Location
WI
+

Writing virus code is like writing/playing bad music.
The problem isn't the virus, it's how easily it's moved. That needs to be the focus.

..how it's far too easily clicked on, in any OS, that's the issue.

~Have some kind of verification process, of a link, in the OS.
~Maybe a secondary key/password to open a link.
..it needs to be hard to open something, regardless of wanting more speed & more speed etc..


Get some clever little pricks to start with the OS, hell, make it Federal Law.
 

idleprocess

Flashaholic
Joined
Feb 29, 2004
Messages
7,197
Location
decamped
..how it's far too easily clicked on, in any OS, that's the issue.

This is the fundamental problem with cybersecurity - doing the wrong thing is often similar to doing the right thing in terms of effort and subconscious ease of differentiation.

~Have some kind of verification process, of a link, in the OS.
~Maybe a secondary key/password to open a link.
..it needs to be hard to open something, regardless of wanting more speed & more speed etc..

This would greatly interfere with getting things done in a timely fashion. The differentiation between the broader internet and the local intranet is somewhat weak in the modern office environment. Web apps have taken over so many things and they might be hosted on the intranet or by a third party.

Right now on my work machine I have the following open: Outlook, SQL console, several internal network reference portals (browser), an agent portal to the main OSS application I support (browser), the desktop client for the OSS application, another web portal to the OSS application (browser), Teams, Slack, a ticketing system (browser), a vendor EMS desktop app, and a logfile portal (browser). I often have to use vendor ticketing systems via browser. Company sharepoint portals are hosted by MSFT. I also have to search things using the broader internet often - bits of SQL, vendor websites, telecom standards, etc.

For all its various and many faults, Windows has become reasonably solid - the NT codebase that Windows 2000 and subsequent versions evolved from is quite hardened relative to the disaster that was Windows 95/98/Me. The perimeter is all but gone from the modern enterprise network - all endpoints are initially treated as potentially hostile. Firewalls abound.

At the end of the day it boils down to the user, since they need adequate access and permissions to get work done - even if you add in additional Are You Sure... prompts. The tradeoff to additional authentication and prompts signing away your firstborn if you f__k up is that productive work is slowed or doesn't happen. And we know that such warnings lose effectiveness quickly or are soon bypassed because they introduce needless noise.
 

orbital

Flashlight Enthusiast
Joined
Feb 8, 2007
Messages
4,293
Location
WI
+

Another solid post idleprocess.



Three walk into a bar; Speed, Security & Profit Margin, over in the corner is the foxiest dot dot dot dot
 

raggie33

*the raggedier*
Joined
Aug 11, 2003
Messages
13,553
It's an act of war; we should do what we do to those who attack us. If this is political I'll delete it.
 

turbodog

Flashaholic
Joined
Jun 23, 2003
Messages
6,425
Location
central time
+

Writing virus code is like writing/playing bad music.
The problem isn't the virus, it's how easily it's moved. That needs to be the focus.

..how it's far too easily clicked on, in any OS, that's the issue.

~Have some kind of verification process, of a link, in the OS.
~Maybe a secondary key/password to open a link.
..it needs to be hard to open something, regardless of wanting more speed & more speed etc..


Get some clever little pricks to start with the OS, hell, make it Federal Law.


And these are just the attacks du jour.

The targeted attacks are wicked and getting worse. If I had your email address, and you had advance warning, I bet I could compromise you given a decent amount of time to try (30-60 days).

On a more specific note... it's clear assertions are being made without the expertise to vet them. I can name a dozen business critical programs in use that I deal with where the vendors forgot to code (properly) for security... and the program must be given full admin access. So a sweeping federal law would either 1) force illegal actions or 2) put the vendor and all their clients out of business overnight. Meanwhile, the virus attacks rage on.

Apple, long viewed as the security darling, dropped a nuclear bomb of security goof-ups the other day. If your program lacked the description of what it was... it simply got a pass and was allowed to install/run. So much for 'code signing'.

If you look at viruses/ransomware, many of them utilize unpatched zero-day exploits floating around the web, both for the O/S and application software. No verification, clicking, password, etc. needed.

If we negate (not gonna happen) viruses/ransomware through burdensome security, we still lose. Productivity _matters_.
 

orbital

Flashlight Enthusiast
Joined
Feb 8, 2007
Messages
4,293
Location
WI
+

Like fixing a getaway car while racing down the road.


run: fiery crash.


______
important:
getaway car not being driven by ransomware clowns, nope, that would be a way too easy assumption.



raggie33

*the raggedier*
Joined
Aug 11, 2003
Messages
13,553
I truly hate hackers. Every single time I see a captcha I never ever get it right; my brain can't see them letters. Also second verification. I'm an old bitter man, I guess.