Comments

Alex • December 19, 2008 10:40 AM

Stupid.

P.S. Don't get me wrong, I am a big fan of Dilbert, but this one presents a horrible misconception about people leaving their computers unlocked. Shame.

Anonymous For A Reason • December 19, 2008 11:01 AM

I work in a security group.

Failure to lock up your keyboard may mean that "you" send out an email telling everyone that you're bringing in donuts tomorrow.

(@Alex. Um. What "horrible misconception about people leaving their computers unlocked" does this present?)

Dave Howe • December 19, 2008 11:18 AM

I think the point is more that "undefended" systems may not be. This one had active security and a pager notification system. Any analogies to honeypot systems are probably intended :)

Gweihir • December 19, 2008 11:38 AM

Personally I am still waiting for the xlock mode that simulates a desktop and tells me all an attacker tried to do ;-)

Anonymous • December 19, 2008 11:38 AM

Unless locking also means re-encrypting your file, isn't locking completely useless unless you are just stepping away for a couple of minutes?

Gweihir • December 19, 2008 11:59 AM

Locking means that an attacker has to leave traces (reboot) and possibly tamper with the hardware. An attack then takes more than 30 seconds and has a higher probability of the attacker being caught. Also, if there is a BIOS password, a reboot may not even be enough to get into the machine.

Of course an attacker that is willing to steal the hardware will not be hindered by a locked screen. But that is a high-risk attack.

John N • December 19, 2008 12:52 PM

@Davi O -

This is a common misperception about the nature of entrapment.

Entrapment can only be the result of action by a member of law enforcement (or another government agent).

Entrapment is a defense to an accusation that a person committed a crime. Basically, if a law enforcement agent caused you to commit an illegal act that you would not have otherwise committed, then you may claim as a defense that you were entrapped. If, on the other hand, it's something that you would do anyway, and the law enforcement agent just gave you the opportunity to do it, then you may not succeed with the entrapment defense.

For an entrapment defense to succeed,

1) The idea for committing the illegal act must have come from the law enforcement agent and not from the accused;

2) The law enforcement agent must have coerced, persuaded or otherwise convinced the accused into committing the illegal act. Simply giving a person the opportunity to commit the crime is not the same as persuading the accused to commit the crime; and

3) The accused was not ready and willing to commit the illegal act before the law enforcement agent spoke with him/her.

Thus, for example, a honeypot is not entrapment because (a) it usually isn't set up by law enforcement, (b) the idea for attacking it doesn't usually come from a law enforcement agent, and (c) the attackers are rarely coerced or persuaded by law enforcement agents to attack the honeypot. Even if a honeypot were set up by law enforcement, without the persuasion/coercion element, the defense of entrapment is not available to the attacker.

RH • December 19, 2008 2:13 PM

@Anonymous For A Reason:

"Failure to lock up your keyboard may mean that "you" send out an email telling everyone that you're bringing in donuts tomorrow."

Does that mean disconnect and lock the keyboard in a drawer, or to lock the terminal? **smirks**

L.M. • December 19, 2008 2:58 PM

Quote: Entrapment is a defense to an accusation that a person committed a crime. Basically, if a law enforcement agent caused you to commit an illegal act that you would not have otherwise committed, then you may claim as a defense that you were entrapped. If, on the other hand, it's something that you would do anyway, and the law enforcement agent just gave you the opportunity to do it, then you may not succeed with the entrapment defense.
Disgracefully, In Australia entrapment is not a defence. If you did the crime they will convict you anyway.

LM

Anonymous • December 19, 2008 4:11 PM

@Gweihir

Why do you think the attacker has such a limited amount of time? That's an assumption that doesn't hold in many office situations.

Bill • December 19, 2008 4:24 PM

Well, let 'em try to reboot. My company enforces PGP whole-disk encryption on all PCs. Rebooting w/o the decryption PW won't buy anyone much of anything.

Anonymous • December 19, 2008 5:11 PM

At a hacker space where I hang out, failure to lock your screen when stepping away will result in an email to the group mailing list, or possibly a random email contact, telling them all about how you have no pants.

Chronos • December 19, 2008 5:30 PM

So saith an internal website at a well-known software company: "<Random cultural touchstone> is very disappointed that you didn't lock your screen."

Hostname is, obviously, "lockyourscreen".

ed • December 19, 2008 7:00 PM

I want the NAS version of that (Networked Attached Stranglehold). And it should have a builtin UPS (Underwear Perimeter Stretcher).

greg • December 21, 2008 10:30 AM

My computer is never locked. Ever.

Why?

Because we can all log into the machines and the only people I don't trust have a root password anyway... And it's not a dishonest "distrust" but more of a competence one.

So I can't "fix" the computer to be secure, so I don't treat it as secure.

Besides, I hate having to type my password every 5 min while I'm watching YouTube....

John Waters • December 22, 2008 3:50 AM

This could be the first documented example of the EOU character since the era of the DECWriter.

Paul • December 22, 2008 11:57 AM

@Bill

Pretty sure the reboot suggestion was in reference to the cold boot attacks developed at Princeton, see http://citp.princeton.edu/memory/ . It's possible to pull the encryption key from DRAM. There are possible mitigations, but if they are not taken your data is most likely vulnerable. Still, not a very likely attack.

Richard • December 22, 2008 10:34 PM

It's funny. The computer was really secured and locked. However, I am wondering whether it won't happen in a certain organization or enterprise.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..