On Wed, 14 Mar 2001, you wrote:

> > And they just give 'em out. No checks, no confirming with the
> > customers, nothing. There's little hope of securing stuff if people can
> > be socially engineered so easily.
> 
> That's a matter of setting policy.  If there's no policy in place to
> prevent that, then you can expect people to do it.  If you have a security
> policy which states that you will fire people for such gross breaches -
> and more importantly, you *enforce* it - then it won't happen more than
> once or twice.

ahh .. 'enforce' .. let's be clear here .. when you say 'fire' someone are
we talking about simple termination of employment, something involving a
large cannon or something involving a stake, some rope and a quantity of
firewood? .. I believe 1) is popular in the corporate world but BOFHs
realise that no 3) is more likely to win respect of the front line troops.

> Anyway, how on earth can the helldesk grunts get at passwords?  Not even
> the sysadmin should be able to tell you a user's password. They should
> *never* be stored in plain-text.  If they are, fire the sysadmin.

never a truer word ...  of course if you _did_ want to discover a user's
password it's not that hard .. there are ways ... I believe we have some
world renowned experts on the topic at hand ... now where is 'merlin' when
you need him :)

-- 
Robin Szemeti

The box said "requires windows 95 or better"
So I installed Linux!
