Schneier on Security
A blog covering security and security technology.
« "Nut Allergy" Fear and Overreaction |
| Security Cartoon: Overly Specific Countermeasures »
December 19, 2008
Dilbert on Computer Security
Posted on December 19, 2008 at 10:05 AM
I suppose that this "defence system" is a pluggable USB device with drivers for Windows only...
P.S. Don't get me wrong, I am a big fan of Dilbert, but this one presents a horrible misconception about people leaving their computers unlocked. Shame.
I work in a security group.
Failure to lock up your keyboard may mean that "you" send out an email telling everyone that you're bringing in donuts tomorrow.
(@Alex. Um. What "horrible misconception about people leaving their computers unlocked" does this present?)
Isn't that an illustration of entrapment?
I think the point is more that "undefended" systems may not be. This one had active security and a pager notification system. Any analogies to honeypot systems are probably intended :)
One of my friends has a simple system for logging out of his laptop: when his bluetooth phone gets more than about 20 feet away, the screen locks automatically. When he returns, it unlocks.
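The proximity lock described in the comment above, as an added example that is not the commenter's setup or any real product: a small policy state machine that turns noisy Bluetooth RSSI polls into lock/unlock decisions. The thresholds, poll counts and sample readings are assumptions constructed for the example; the point it shows is that a single missed reading must not lock the screen, and that unlocking needs a stronger signal than locking so the screen does not flap at the edge of range.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed thresholds (constructed for this example, not from the post):
# RSSI in dBm from a Bluetooth scan of the phone; about -70 dBm stands in
# for the "20 feet" in the comment. Weaker than that, or no sighting, is "away".
LOCK_RSSI = -70
UNLOCK_RSSI = -60      # unlock needs a clearly stronger signal than lock
MISSES_TO_LOCK = 3     # consecutive "away" polls before locking
HITS_TO_UNLOCK = 2     # consecutive "near" polls before unlocking

@dataclass
class ProximityLock:
    """Turns noisy RSSI polls into lock/unlock actions with debounce and hysteresis."""
    locked: bool = False
    misses: int = 0
    hits: int = 0

    def observe(self, rssi: Optional[int]) -> Optional[str]:
        """Feed one poll (None = phone not seen); return 'lock', 'unlock' or None."""
        away = rssi is None or rssi < LOCK_RSSI
        near = rssi is not None and rssi >= UNLOCK_RSSI
        if not self.locked:
            # Several consecutive misses are required, so one dropped
            # packet does not lock the screen while the owner is seated.
            self.misses = self.misses + 1 if away else 0
            if self.misses >= MISSES_TO_LOCK:
                self.locked, self.misses = True, 0
                return "lock"
        else:
            # Hysteresis: a phone hovering around the lock threshold must
            # not flap the screen between locked and unlocked.
            self.hits = self.hits + 1 if near else 0
            if self.hits >= HITS_TO_UNLOCK:
                self.locked, self.hits = False, 0
                return "unlock"
        return None

def run_policy(readings: List[Optional[int]]) -> List[Tuple[int, str]]:
    """Replay a list of polls and collect (poll index, action) pairs."""
    pl = ProximityLock()
    actions = []
    for i, rssi in enumerate(readings):
        action = pl.observe(rssi)
        if action:
            actions.append((i, action))
    return actions

# Constructed sample: at desk, one glitchy reading, walk away, phone gone, return.
SAMPLE = [-50, -55, -75, -58, -80, None, -85, -65, -55, -52]
```

Running `run_policy(SAMPLE)` locks at poll 6 (the third consecutive miss) and unlocks at poll 9; the single weak reading at poll 2 is ignored. Note that a nearby phone is only weak evidence that its owner is at the keyboard, so the automatic unlock is a convenience rather than an authentication step.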
Personally I am still waiting for the xlock mode that simulates a desktop and tells me all an attacker tried to do ;-)
Unless locking also means re-encrypting your file, isn't locking completely useless unless you are just stepping away for a couple of minutes?
Locking means that an attacker has to leave traces (reboot) and possibly tamper with the hardware. An attack then takes more than 30 seconds and has a higher probability of the attacker being caught. Also, if there is a BIOS password, a reboot may not even be enough to get into the machine.
Of course an attacker that is willing to steal the hardware will not be hindered by a locked screen. But that is a high-risk attack.
@Davi O -
This is a common misperception about the nature of entrapment.
Entrapment can only be the result of action by a member of law enforcement (or another government agent).
Entrapment is a defense to an accusation that a person committed a crime. Basically, if a law enforcement agent caused you to commit an illegal act that you would not have otherwise committed, then you may claim as a defense that you were entrapped. If, on the other hand, it's something that you would do anyway, and the law enforcement agent just gave you the opportunity to do it, then you may not succeed with the entrapment defense.
For an entrapment defense to succeed,
1) The idea for committing the illegal act must have come from the law enforcement agent and not from the accused;
2) The law enforcement agent must have coerced, persuaded or otherwise convinced the accused into committing the illegal act. Simply giving a person the opportunity to commit the crime is not the same as persuading the accused to commit the crime; and
3) The accused was not ready and willing to commit the illegal act before the law enforcement agent spoke with him/her.
Thus, for example, a honeypot is not entrapment because (a) it usually isn't set up by law enforcement, (b) the idea for attacking it doesn't usually come from a law enforcement agent, and (c) the attackers are rarely coerced or persuaded by law enforcement agents to attack the honeypot. Even if a honeypot were set up by law enforcement, without the persuasion/coercion element, the defense of entrapment is not available to the attacker.
@Anonymous For A Reason:
"Failure to lock up your keyboard may mean that "you" send out an email telling everyone that you're bringing in donuts tomorrow."
Does that mean disconnect and lock the keyboard in a drawer, or to lock the terminal? **smirks**
Quote: Entrapment is a defense to an accusation that a person committed a crime. Basically, if a law enforcement agent caused you to commit an illegal act that you would not have otherwise committed, then you may claim as a defense that you were entrapped. If, on the other hand, it's something that you would do anyway, and the law enforcement agent just gave you the opportunity to do it, then you may not succeed with the entrapment defense.
Disgracefully, in Australia entrapment is not a defence. If you did the crime they will convict you anyway.
Why do you think the attacker has such a limited amount of time? That's an assumption that doesn't hold in many office situations.
Well, let 'em try to reboot. My company enforces PGP whole-disk encryption on all PCs. Rebooting w/o the decryption PW won't buy anyone much of anything.
At a hacker space where I hang out, failure to lock your screen when stepping away will result in an email to the group mailing list, or possibly a random email contact, telling them all about how you have no pants.
So saith an internal website at a well-known software company: "<Random cultural touchstone> is very disappointed that you didn't lock your screen."
Hostname is, obviously, "lockyourscreen".
I want the NAS version of that (Networked Attached Stranglehold). And it should have a builtin UPS (Underwear Perimeter Stretcher).
My computer is never locked. Ever.
Because we can all log into the machines and the only people I don't trust have a root password anyway... And it's not a dishonest "distrust" but more of a competence one.
So I can't "fix" the computer to be secure so I don't treat it as secure.
Besides, I hate having to type my password every 5 min while I'm watching YouTube....
This could be the first documented example of the EOU character since the era of the DECWriter.
Pretty sure the reboot suggestion was in reference to the cold boot attacks developed at Princeton, see http://citp.princeton.edu/memory/ . It's possible to pull the encryption key from DRAM. There are possible mitigations, but if they are not taken your data is most likely vulnerable. Still, not a very likely attack.
It's funny. The computer was really secured and locked. However, I am wondering whether it won't happen in a certain organization or enterprise.