
Re: [SAGE] Getting hit by a truck (was Re: Thoughts onpremise security.)



Quoting Etaoin Shrdlu (shrdlu@deaddrop.org):
> Brad Knowles wrote:
> > At 12:11 PM -0700 2003/10/20, Mario Obejas wrote:
> > >  S&G = Sargent and Greenleaf.
> > >  a standard for US defense contractor file cabinet locks for decades.
> > >  http://www.sargentandgreenleaf.com/prod_padlocks_8077ad.php
> > 
> >         We never used locking bars on file cabinets.  We only ever used
> > full-blown safes.  I looked at every single picture on the entire
> > website, and not a single thing looked familiar.
> 
> Depends on the level of clearance, as to whether an S&G is appropriate, or
> whether you need a fancy spin dial safe from hell (the proper name of those
> escapes me). It is more common on the DOD side than on the
> compartmentalized side. You'd mentioned, I think, that you'd had an SCI of
> some type, at some time. More likely you'd have had safes than standard
> file cabinets with locking bars. I mean, those suckers can be taken apart
> with a few tools (but it's going to be obvious).

I'm just recalling reading the semi-autobiography (assorted amusing
ramblings) of Richard Feynman ("Surely You're Joking, Mr. Feynman") and
his knack for breaking into file cabinets and areas that the military
*knew* were impossible to break into.


In the practical world, we generated root passwords and put them in
an envelope.  Said envelope went into the safe of the president of the
co.   Theoretically, someone in our group took a look at the envelope
every week.

In reality, we were trying to defend ourselves against a CTO who
was a programmer (and system admin was a subset of programming to him)
and gave us the opportunities to fix the same problems 4 or 10 times.
That was long ago; I've since learned to use RCS and CVS and AIDE/Tripwire,
but the generated root password sticks around.

In a different env, we have root and other useful passwords in a
file and it's PGP encrypted.  Pondering that it should be on one
of those USB key dongles and passed with the "on call" pager/phone
around.  Auditing is done via trust:  "I had to get on your
systems at 4AM, so I got the root password.  And I (still know
it|have utterly forgotten it)."   We change those passwords frequently.

It's simple enough to make it speak Chal/Response or SecurID,
but the risk:reward numbers don't make it worthwhile.