
Re: [Computerbank] too many repeated problems



Bruce McCubbery wrote:
> 
-------- snip -------------------------

>> So, about the following:
> 
> Superglue a plastic tag to each computer sent out with their User Name and
> Password on it. OK, it defeats its purpose for the user BUT it solves two
> of our worries in one go? A small sacrifice to get a free computer ... and
> it can be stuck out of sight somewhere where you can remind them it is.
> 
------------ snip ------------------

> At 21:51 9/01/02 +1030, Shaun Branden wrote:
> 
> >
> >The recipients need the password to log in- that is the machine is
> >unusable as a desktop without a password. It is indeed possible to ship
> >out machines without passwords, but no-one would suggest doing that.
> 

I have to agree with Shaun here, indeed I believe that there is a good
case for all internet capable computers to *ALWAYS* have user/password
set up (even Windows!).  If they aren't internet capable, then it might
not matter quite so much, although Mum and Dad won't be pleased if
junior logs in to their account and blows away the spreadsheets and
reports for the local craft society just for a lark.

So, I hear you cry, why the fuss ?

Consider ...

If our recipients, or any other user for that matter, have a login set
up with no need to enter a username or password, anyone can use that
computer as if they were the legitimate user, and the system can't
detect the difference. Indeed, it is possible to have the usernames
displayed on the GUI login screen so that no-one forgets them (a bad
development) - and a potential intruder/"friend" doesn't even have to
guess! Having to use a username/password provides some assurance that a
minimal level of user authorisation is present and has been
successfully negotiated by said true user.

And the system, I would strongly suspect, can only be set up to
automatically log in to one account - not sure about this, one of our
linux gurus will be able to confirm or deny? If this is so, it would
remove a key advantage of linux, i.e. the ability to have separate
accounts and hence separate private areas for users to keep their files.

So without the requirement to enter a username/password, the system is
'wide open' to anyone who happens to pass by. Further consider that our
true user may well have his/her browser set up to do things like
accessing newsgroups and/or mailing lists, accessing electronic
banking, (banks like that!) and perhaps accessing an ecommerce site
like, say, a book store. 

Of course, all these setups are made 'easy to use' by getting the
machine to remember all the fiddly details, including those pesky
usernames and passwords etc that the banks insist on, so using these
things is often just a matter of pointing and clicking.

So our hypothetical intruder has potentially open slather access to the
true user's bank account, email (to post *really* hostile and defamatory
messages), and a bookshop where a substantial bill can be run up in no
time flat.

Now, even if our hypothetical intruder can't quite get what he/she
wants, they can cause enough mayhem to keep our true user running off to
the solicitors for quite a while, not to mention the expense and time
wasted in cleaning up the mess!

Perhaps the above scenario is a little exaggerated, but you get the
drift ...

I believe we should firmly resist the urge to 'dumb down' the computers
we supply by removing the one minimal user security requirement -
granted it will require persistence and at times lead to frustration,
but I think we should aim for the situation where one of our recipients
takes a look at a friend's Windows box and asks - why is there no login
on this computer?

If a recipient absolutely insists on having an automatic login, we will
ask them to sign an additional undertaking, to which there are no
exceptions, that they bear the *sole* responsibility for any
unauthorised use of their system and if such unauthorised use occurs,
they are not entitled to any assistance from Computerbank.

<Sigh> - That feels better - I'll go quietly now ...

Cheers,

David H.
-- 
--------------------------
David T. Hatton
(davidth@melbpc.org.au)
--------------------------
_______________________________________________
computerbank mailing list
computerbank@lists.linux.org.au
http://lists.linux.org.au/listinfo/computerbank