
Re: closing unwanted ports - and what is 1720/tcp filtered H.323/Q.931



On Fri, Dec 16, 2005 at 08:14:15AM -0500, Michael Stone wrote:
> On Fri, Dec 16, 2005 at 01:27:57PM +0100, Javier Fernández-Sanguino Peña 
> wrote:
> >On Thu, Dec 15, 2005 at 05:54:34PM -0500, Noah Meyerhans wrote:
> >>Well, at least there's still *some* level of physical security there;
> >>an attacker has to be at your user's desk to get the password.  Plus,
> >
> >Noah, meet binoculars:
> >http://www.thinkgeek.com/electronics/cameras/798d/
> 
> Don't be flippant, it lowers the level of the discourse. His point was
> that the password written on the paper is a completely different
> category of security risk, and may be a much less serious risk
> (approaching non-existence) based on the environment in question--and
> that point is entirely valid. Don't make knee-jerk reactions to security
> dogma like "don't write down passwords" unless you have an understanding
> of the risks involved in a particular situation.

I'm not against people writing out passwords. Actually, a very good
security mechanism is generating a random password, writing it down, and
keeping it in your wallet, only taking it out when you forget it (but make
sure you don't write down what the password gives access to, in case your
wallet gets stolen). However, putting them on a screen and *thinking* that
only people next to it will be able to read it out is missing the obvious.

In most work environments I've been in (and I've been to many offices outside my
own) you can just walk down the office and remember passwords written on
screens or, even, read the passwords of users from an opposite building.

So my "knee-jerk reaction" is for people thinking that putting their
passwords in plain view provides sufficient security. Had he said that he was
dropping the post-it into his desk drawer I wouldn't have jumped in.

> FWIW, I'd love to know how your binoculars would be effective in an
> environment where the computer is facing a blank wall. 

Useless, but in office environments there are typically only *some* computers
facing the blank wall. They are typically contended as they provide the
higher privacy, but they are still few.

I welcome people to test my theory in their own offices and think about whether
writing down a password on a post-it (even if virtual, on screen) is a good idea.

Regards


Javier
