Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Gregory K. Ruiz-Ade
On Jul 22, 2011, at 2:09 PM, Tracy Reed wrote: > On Fri, Jul 22, 2011 at 02:03:49PM -0700, Robert Hajime Lanning spake thusly: >> Not enforceable, unless you use something like a PKCS#11 token, where you >> have to authenticate to the hard token to get access to your private key. > > You can't enf

Re: [lopsa-discuss] How do you relieve your "Sysadmin back pain?"

2011-07-22 Thread Luke S. Crawford
On Fri, Jul 22, 2011 at 11:41:02AM -0400, Brian Mathis wrote: > I think it's probably a trade-off. If you recline you take some > stress off your back, but you also need to lean your head forward > which moves the strain to your neck. Sitting straight up would make > it easier to balance your hea

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Mark McCullough
On 2011 Jul 22, at 14:57, Paul Graydon wrote: > On 07/22/2011 09:29 AM, Mark McCullough wrote: >> >> I'm of the firm opinion that passwords themselves are the problem. We >> forbid any user account having a password on a Unix system, and are working >> to even implement such on Windows system

Re: [lopsa-discuss] Monitoring Sucks!

2011-07-22 Thread Paul Graydon
Nagios is rather limited, especially when it comes to trend analysis and bigger picture stuff. No man is an island, but mostly as far as nagios is concerned every item is. It's focussed on noting what's happening in the here and now with a particular thing, which is great for alerting you to

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Robert Hajime Lanning
On 07/22/11 14:09, Tracy Reed wrote: > On Fri, Jul 22, 2011 at 02:03:49PM -0700, Robert Hajime Lanning spake thusly: >> Not enforceable, unless you use something like a PKCS#11 token, where you >> have to authenticate to the hard token to get access to your private key. > > You can't enforce people

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Tracy Reed
On Fri, Jul 22, 2011 at 11:19:20AM -1000, Paul Graydon spake thusly: > Sure, which is why you rely on a combination of systems to reduce > the damage, surely? Exactly. You have to mitigate either the giving away of the password or the non-encrypting of the keys. Defense in depth etc. There are sys

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Paul Graydon
On 07/22/2011 11:09 AM, Tracy Reed wrote: On Fri, Jul 22, 2011 at 02:03:49PM -0700, Robert Hajime Lanning spake thusly: Not enforceable, unless you use something like a PKCS#11 token, where you have to authenticate to the hard token to get access to your private key. You can't enforce people not

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Tracy Reed
On Fri, Jul 22, 2011 at 02:03:49PM -0700, Robert Hajime Lanning spake thusly: > Not enforceable, unless you use something like a PKCS#11 token, where you > have to authenticate to the hard token to get access to your private key. You can't enforce people not simply giving away their passwords or wr

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Robert Hajime Lanning
On 07/22/11 13:59, Tracy Reed wrote: > You encrypt all of your ssh private keys so they would need a password > plus being in possession of the key. Not enforceable, unless you use something like a PKCS#11 token, where you have to authenticate to the hard token to get access to your private key. -

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Tracy Reed
On Fri, Jul 22, 2011 at 10:49:27AM -1000, Paul Graydon spake thusly: > So if someone manages to get a hold of the SSH key they can then run > whatever (they're permitted to) as root, or am I misunderstanding > something? SSH keys can be used to log in to servers here, but sudo > requires the user

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Paul Graydon
On 07/22/2011 10:42 AM, Tracy Reed wrote: On Fri, Jul 22, 2011 at 02:29:52PM -0500, Mark McCullough spake thusly: I'm of the firm opinion that passwords themselves are the problem. We forbid any user account having a password on a Unix system, and are working to even implement such on Windows s

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Tracy Reed
On Fri, Jul 22, 2011 at 02:29:52PM -0500, Mark McCullough spake thusly: > I'm of the firm opinion that passwords themselves are the problem. We > forbid any user account having a password on a Unix system, and are > working to even implement such on Windows systems. Instead, some form > of strong

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Matt Simmons
Bruce Schneier once suggested that users (who presumably don't or can't use a password manager) treat their password like any other piece of valuable information that they need frequently, and keep it in their wallets. When you lose your wallet, you call your credit card companies to cancel your ca

Re: [lopsa-discuss] Monitoring Sucks!

2011-07-22 Thread Joseph Kern
Funny ... I am just sitting here configuring Nagios, and marveling at how much power there is in an object oriented template system and wondering why it isn't used more ... Adam's xkcd comic had me laughing when it was first posted, now it has me cringing. Tom's mention of the four ponies of the m

Re: [lopsa-discuss] Monitoring Sucks!

2011-07-22 Thread Paul Graydon
On 07/22/2011 09:16 AM, Robert Hajime Lanning wrote: On 07/22/11 09:44, Paul Graydon wrote: On 7/22/2011 2:29 AM, Adam Moskowitz wrote: Paul Graydon wrote: Hopefully with a good wide spread of interest and talents we could finally get a monitoring tool that doesn't actually suck! And what col

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Paul Graydon
On 07/22/2011 09:29 AM, Mark McCullough wrote: On 2011 Jul 22, at 14:01, Tracy Reed wrote: On Fri, Jul 22, 2011 at 11:25:15AM -0400, Gregory Boyce spake thusly: If a password is compromised in a non-obvious way, it provides a limit on how long it could be used. Generally the account only need

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Mark McCullough
On 2011 Jul 22, at 14:01, Tracy Reed wrote: > On Fri, Jul 22, 2011 at 11:25:15AM -0400, Gregory Boyce spake thusly: >> If a password is compromised in a non-obvious way, it provides a limit on how >> long it could be used. > > Generally the account only needs to be compromised once and then hors

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Gregory Boyce
On Fri, Jul 22, 2011 at 3:01 PM, Tracy Reed wrote: > On Fri, Jul 22, 2011 at 11:25:15AM -0400, Gregory Boyce spake thusly: > > If a password is compromised in a non-obvious way, it provides a limit on > how > > long it could be used. > > Generally the account only needs to be compromised once and

Re: [lopsa-discuss] Monitoring Sucks!

2011-07-22 Thread Robert Hajime Lanning
On 07/22/11 09:44, Paul Graydon wrote: > On 7/22/2011 2:29 AM, Adam Moskowitz wrote: >> Paul Graydon wrote: >>> Hopefully with a good wide spread of interest and talents we could >>> finally get a monitoring tool that doesn't actually suck! >> And what color pony do you want with that? >> >> Seriou

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Tracy Reed
On Fri, Jul 22, 2011 at 11:25:15AM -0400, Gregory Boyce spake thusly: > If a password is compromised in a non-obvious way, it provides a limit on how > long it could be used. Generally the account only needs to be compromised once and then the horse is out of the barn. Information stolen, backdoors pl

Re: [lopsa-discuss] Monitoring Sucks!

2011-07-22 Thread Tom Limoncelli
Part of the problem is that there are four ponies here not one. - Historical monitoring: Gathering statistics via SNMP or similar, storing them, and drawing pretty graphs. - Real-time monitoring: ping and other "is it up/down?" queries. These two things are so different that I rarely se

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread David Parter
Tom Perrine wrote: > I like Parter's the best so far: > > > Simple: Everyone is responsible for the security of our computer systems > >        and data. > > > > Slightly less simple: > > > >        Security and integrity of our computer systems and data is > >        everyone's responsibility. Y

Re: [lopsa-discuss] Monitoring Sucks!

2011-07-22 Thread Paul Graydon
On 7/22/2011 2:29 AM, Adam Moskowitz wrote: Paul Graydon wrote: Hopefully with a good wide spread of interest and talents we could finally get a monitoring tool that doesn't actually suck! And what color pony do you want with that? Seriously, given the incredibly wide range of applications, si

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Tom Perrine
I like Parter's the best so far: > Simple: Everyone is responsible for the security of our computer systems >        and data. > > Slightly less simple: > >        Security and integrity of our computer systems and data is >        everyone's responsibility. You must take care to assure the >      

Re: [lopsa-discuss] FYI, Facebook group...

2011-07-22 Thread Michael C Tiernan
- Original Message - > From: "Yves Dorfsman" > Which "group"? Thank you for pointing out my foolish omission. Here it is: http://www.facebook.com/group.php?gid=2476931717 -- << MCT >> Michael C Tiernan. Is God a performance artist? http://www.linkedin.com/in/mtiernan ___

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread David Parter
Tom Limoncelli wrote: > Suppose you have a very small site and do not yet have a written > security policy. What is a good "starter policy"? Based on the > philosophy that "something is better than nothing", what is a 3-5 > sentence policy that can be put in place quickly? (rather than waiting

Re: [lopsa-discuss] How do you relieve your "Sysadmin back pain?"

2011-07-22 Thread Brian Mathis
On Thu, Jul 21, 2011 at 6:39 PM, Luke S. Crawford wrote: > On Thu, Jul 21, 2011 at 12:09:14PM -0400, Brian Mathis wrote: >> The upper-middle part of the screen should be at eye level, so most of >> the screen is level with your eye line or slightly down.  Otherwise >> you need to tilt your head ba

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Allan West
On 7/22/11 11:20 AM, Dave Close wrote: > Dan Foster wrote: > >> - Periodic password changes > > I have never heard a reasonable explanation for this common policy. If > you don't share passwords and block repeated failures, why does it help? > More importantly, it generally forces people to

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Doug Hughes
On 7/22/2011 11:25 AM, Gregory Boyce wrote: On Jul 22, 2011 11:22 AM, "Dave Close" wrote: > > Dan Foster wrote: > > > - Periodic password changes > > I have never heard a reasonable explanation for this common policy. If > you don't share passwords and block re

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Gregory Boyce
On Jul 22, 2011 11:22 AM, "Dave Close" wrote: > > Dan Foster wrote: > > > - Periodic password changes > > I have never heard a reasonable explanation for this common policy. If > you don't share passwords and block repeated failures, why does it help? > More importantly, it generally forces

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Dave Close
Dan Foster wrote: > - Periodic password changes I have never heard a reasonable explanation for this common policy. If you don't share passwords and block repeated failures, why does it help? More importantly, it generally forces people to write them down. -- Dave Close, Compata,

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Joseph Kern
How about: "Don't test the locks." Seriously, just start with a "Consent to Monitoring" and establish recurring security training. Make this a face-to-face class with a large Q and A portion. Not a PowerPoint marathon. Let me look through my feed list ... and find a few good places to steal cla

[lopsa-discuss] Job opening: Linux cluster admin, Princeton NJ (two-year term)

2011-07-22 Thread Will Dennis
NEC Laboratories America in Princeton, NJ is seeking an experienced systems administrator to manage the IT infrastructure of a research and development project in the Computing Systems Architecture department. This position is expected to have a term of two years. Job Responsibilities: The jo

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Mark McCullough
On 2011 Jul 22, at 06:18, Tom Limoncelli wrote: > (asking for a friend) > > Suppose you have a very small site and do not yet have a written > security policy. What is a good "starter policy"? Based on the > philosophy that "something is better than nothing", what is a 3-5 > sentence policy th

[lopsa-discuss] FYI, Facebook group...

2011-07-22 Thread Michael C Tiernan
Just in case no one's noticed. This group is scheduled to be archived. Over the next few months, Facebook will be archiving all groups created using the old groups format. When this group is archived, its wall posts, photos and discussion threads will move to the new groups format, but group

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Matt Simmons
I've found that looking at existing policies is a good way to get ideas. SANS has a huge array of them online here: http://www.sans.org/security-resources/policies/ I don't think it's a good idea to just implement them as written, but you can definitely draw inspiration from the ideas there. --Ma

Re: [lopsa-discuss] Monitoring Sucks!

2011-07-22 Thread Adam Moskowitz
Paul Graydon wrote: > Hopefully with a good wide spread of interest and talents we could > finally get a monitoring tool that doesn't actually suck! And what color pony do you want with that? Seriously, given the incredibly wide range of applications, situations, SLAs, services, constraints, cond

Re: [lopsa-discuss] Most simple security policy?

2011-07-22 Thread Dan Foster
Hot Diggety! Tom Limoncelli was rumored to have written: > > Suppose you have a very small site and do not yet have a written > security policy. What is a good "starter policy"? Based on the > philosophy that "something is better than nothing", what is a 3-5 > sentence policy that can be put in

[lopsa-discuss] Most simple security policy?

2011-07-22 Thread Tom Limoncelli
(asking for a friend) Suppose you have a very small site and do not yet have a written security policy. What is a good "starter policy"? Based on the philosophy that "something is better than nothing", what is a 3-5 sentence policy that can be put in place quickly? (rather than waiting to put to

Re: [lopsa-discuss] Monitoring Sucks!

2011-07-22 Thread Simon Lyall
3rd in a series of blog posts, here are the first 2: http://lusislog.blogspot.com/2011/06/why-monitoring-sucks.html http://lusislog.blogspot.com/2011/07/monitoring-sucks-round-2-fight.html These links might be useful to those who missed some of this discussion: https://github.com/monitoringsuc