[Cryptography] best practices considered bad term
Kent Borg
kentborg at borg.org
Sat Jan 31 20:40:11 EST 2015
On 01/31/2015 07:04 PM, Jerry Leichter wrote:
> SAP took the point of view that they wouldn't customize their software
> - customers had to adapt to their *right* way of doing things. Their
> answer to the complaint from a customer who organized things
> differently was "Oh ... you mean you don't follow industry best
> practices?"
I love that history. Thanks.
> A *good* description of "best practices" would actually help things.
> It would certainly include such advice as "Keep systems patched",
> "Don't continue to use Windows XP", "Don't reuse passwords at multiple
> sites" (yes, you can make exceptions for very-low-value sites; I'm
> talking about general advice), "Don't leave default passwords on any
> devices", "Have backups at an offsite location to which your systems
> have effectively append-only access", "Have a procedure in place to
> quickly revoke all access to your systems by people who leave their
> jobs, for whatever reason", and many more.
Yes, but that is a large list that requires a lot of thought to expand
into practice.
And don't pretend everything is so harmonious as all that. There are
still disagreements about whether we should frequently change passwords
or not; whether to write down passwords or not; whether passwords are
any good or not; whether firewalls are good (they cut off lots of bad
packets) or not (they make people think insecure networks are safe).
On NPR the other day I heard a host blah-blah the standard list of
everyone-knows security advice, but I heartily disagreed: change
passwords she said but no mention of not reusing passwords. And we
wonder how Central Command can have its Twitter and YouTube accounts
both hacked on the very *same* day!?
The little thing of not reusing passwords is really a gigantic
thing--extremely vanishingly small numbers of people actually do that.
This stuff is still full of controversy. (But thanks for the SAP story.)
-kb, the Kent who asserts firewalls have been terrible for
security--that they should only be installed secretly, as a safety net,
because otherwise people let their computers and data run around naked,
thinking they are safely behind The Firewall.