.NET in General

[David Bayley]

ForumMonster,

> > * Microsoft is the most hacked domain on the planet.
>
> Seems like exactly the wrong place to upload anything of worth to,
> then, doesn't it?

Exactly... Unlike the Sun/Oracle vision, MS recognise that users want to
keep sensitive data on the client offline.

BTW, how are you getting on with Delphi's OOP and manual memory handling?

--
David.

[Jeff Peil]

"Mike Mitchell" <kylix_is@hotmail.com> wrote in message
news:3a7b4527.17660941@news.devx.com...
>
> Bad in the 80's, and then they learned their lesson and improved their
> security. This needs to happen in the online world, and fast. For
> example, people have been talking FOR YEARS about microcash for online
> payments, and still the only one way that is acceptable all over is
> the credit card. Why isn't there a credit card that is valid for only
> a single transaction? That's why all the DotComs went bust recently.
> No one wants to trust them by buying anything.

Mike,

Banks did tighten up security, but the game is far from over, banks just
don't let the general public find out about things till years after they're
over, in general.

I certainly don't doubt that security problems at banks continue to this
day, and people I know in that industry would lead me to believe that its a
constant war for them that will never end, they just generally don't let
news of such cases leak out, as the impact of the public finding out about
it would be very bad for that bank.

[Jon Ogden]

"Mike Mitchell" <kylix_is@hotmail.com> wrote in message
news:3a7b4527.17660941@news.devx.com...
> Why isn't there a credit card that is valid for only
> a single transaction?

American Express's Private Payments enables their members to use an
instantly generated, limited life, transaction number instead of an actual
cardnumber to make purchases online.

That's why all the DotComs went bust recently.
> No one wants to trust them by buying anything.

I had friends at Furniture.Com. They went belly up because they got far more
orders than they could handle. From everything I've heard, an awfully of the
dotcoms did just fine selling things, it was just delivering them after
they got the order that killed 'em - including the take-backs that
card-companies would institute when customers cancelled their order.

Good Luck
Jon

[Joe \Nuke Me Xemu\ Foster]

"Mike Mitchell" <kylix_is@hotmail.com> wrote in message <news:3a7b4299.17006378@news.devx.com>...

> So what's the alternative? You never have them change their passwords,
> and they still share them (we know they do). They say "Tracey, if you
> need to access my spreadsheet while I'm out of the office the password
> is..." We know this happens. And then Tracey leaves the company for

That's what you get for not tracking simultaneous logins.

> whatever reason and because that password has been lingua franca for
> so long, she won't forget it in a hurry. A new boyfriend perhaps, and
> soon that password is winging its way across the city. But if Tracey's
> colleague had changed the password regularly, then the knowledge that
> Tracey had would have naturally timed out over time. Surely it isn't
> too difficult to enter a different password once in a while and
> remember it without writing it down?

Audit early, audit often. It *is* better to be feared than loved.

> Just no one THINK of getting one of those retinal scanners looking in
> MY eyes, thanks all the same! Only needs one recalibration snafu and
> my eyes are toast. Same with the daft fingerprints. How long will it
> be before someone gets their finger chopped off for nefarious
> purposes? Else if it catches on, people will walk around the whole
> time with their hands in their pockets and bump into things.

Iris scanners are pretty nonintrusive and are about as likely to
blind you as your average webcam. Thumbprint scanners now tend to
look for jitter indicative of a pulse. I've been looking into them
because if I have to set one more Winblows login password to the
name of the luser's pet, I'm going to go postal!

--
Joe Foster <mailto:jfoster@ricochet.net> Space Cooties! <http://www.xenu.net/>
WARNING: I cannot be held responsible for the above They're coming to
because my cats have apparently learned to type. take me away, ha ha!

[Joe \Nuke Me Xemu\ Foster]

"Mike Mitchell" <kylix_is@hotmail.com> wrote in message <news:3a7b0dd4.3495944@news.devx.com>...

> Like the banks, credit card companies, building societies, Western
> Union, etc? You don't hear too much about *their* security being
> compromised. My bank, for example. I've been with it for twenty years,

They're merely better at sweeping it under the rug. You don't hear
much about Andy Mueller-Maguhn and the Automatic Teller Machine
network, for example.

--
Joe Foster <mailto:jfoster@ricochet.net> Space Cooties! <http://www.xenu.net/>
WARNING: I cannot be held responsible for the above They're coming to
because my cats have apparently learned to type. take me away, ha ha!

[Jonathan Allen]

> > So what's the alternative? You never have them change their passwords,
> > and they still share them (we know they do). They say "Tracey, if you
> > need to access my spreadsheet while I'm out of the office the password
> > is..." We know this happens. And then Tracey leaves the company for
>
> That's what you get for not tracking simultaneous logins.
>

Changing passwords does nothing to solve the password sharing problem. You
could easily have a group of clerks sharing the exact same password. Since
passwords tend to expire at the same time, it is not unheard of for a group
of clerks to all change their passwords to match. That way if one forgets,
the others will remember.

The only way to have real security is through proper training. Reward those
who keep their passwords secret and punish those who share it. It only takes
a couple public punishments in a large office for everyone to get the point.

When I was still in college, there were serious repercussions when someone
walked away from their console while logged on. The standard practice was...

1. Using their own email account, send a letter to them (and anyone in their
address book) saying how much of a screw up they are.
2. Rename or move (never delete) a few files to drive the point home.
3. Give yourself access to their private folders.
4. Log them out

The last one was used as proof when we totaled up the number of scores. Who
ever had the most access at the end of the semester gets the bragging
rights.

--
Jonathan Allen


"Joe "Nuke Me Xemu" Foster" <joe@bftsi0.UUCP> wrote in message
news:3a7cf009@news.devx.com...
> "Mike Mitchell" <kylix_is@hotmail.com> wrote in message
<news:3a7b4299.17006378@news.devx.com>...
>
> > So what's the alternative? You never have them change their passwords,
> > and they still share them (we know they do). They say "Tracey, if you
> > need to access my spreadsheet while I'm out of the office the password
> > is..." We know this happens. And then Tracey leaves the company for
>
> That's what you get for not tracking simultaneous logins.
>
> > whatever reason and because that password has been lingua franca for
> > so long, she won't forget it in a hurry. A new boyfriend perhaps, and
> > soon that password is winging its way across the city. But if Tracey's
> > colleague had changed the password regularly, then the knowledge that
> > Tracey had would have naturally timed out over time. Surely it isn't
> > too difficult to enter a different password once in a while and
> > remember it without writing it down?
>
> Audit early, audit often. It *is* better to be feared than loved.
>
> > Just no one THINK of getting one of those retinal scanners looking in
> > MY eyes, thanks all the same! Only needs one recalibration snafu and
> > my eyes are toast. Same with the daft fingerprints. How long will it
> > be before someone gets their finger chopped off for nefarious
> > purposes? Else if it catches on, people will walk around the whole
> > time with their hands in their pockets and bump into things.
>
> Iris scanners are pretty nonintrusive and are about as likely to
> blind you as your average webcam. Thumbprint scanners now tend to
> look for jitter indicative of a pulse. I've been looking into them
> because if I have to set one more Winblows login password to the
> name of the luser's pet, I'm going to go postal!
>
> --
> Joe Foster <mailto:jfoster@ricochet.net> Space Cooties!
<http://www.xenu.net/>
> WARNING: I cannot be held responsible for the above They're
coming to
> because my cats have apparently learned to type. take me away,
ha ha!
>
>

[Brian G. Rice]

Microsoft is not protecting the same type of data that your banks are. For
every site, there is an appropriate amount of time and money to be spent on
security. A primarily content oriented site certainly does not need the
same level of security as a financial institution.

As to hotmail, if you are that concerned about someone reading all of the
SPAM sent to your hotmail account, change the password yourself every month.

"Mike Mitchell" <kylix_is@hotmail.com> wrote in message
news:3a7b0dd4.3495944@news.devx.com...
> On Fri, 2 Feb 2001 10:12:11 -0800, "Sjoerd Verweij"
> <nospam.sjoerd@sjoerd.org> wrote:
>
> >> Until security is spotless
> >
> >Security is never spotless. Ever. On any platform. Besides, if you have a
> >foolproof way to prevent DoS attacks, I think there are a few companies
that
> >might want to talk to you.
> >
>
> Like the banks, credit card companies, building societies, Western
> Union, etc? You don't hear too much about *their* security being
> compromised. My bank, for example. I've been with it for twenty years,
> and never a mention of any outage. And yet Microsoft, the most
> significant software company on planet earth (we are led to believe),
> suffers not one, but two outages in the space of a few days.
>
> For example, where I work we have to change passwords regularly. Does
> Hotmail ever prompt me to change my password? No, it never did.
>
> MM

[Mike Mitchell]

On Sat, 3 Feb 2001 22:52:35 -0800, "Jonathan Allen"
<greywolfcs@bigfoot.com> wrote:

>The only way to have real security is through proper training. Reward those
>who keep their passwords secret and punish those who share it. It only takes
>a couple public punishments in a large office for everyone to get the point.

Ah, humiliation! Would this work, too, to educate kids?

>
>When I was still in college, there were serious repercussions when someone
>walked away from their console while logged on. The standard practice was...
>
>1. Using their own email account, send a letter to them (and anyone in their
>address book) saying how much of a screw up they are.
>2. Rename or move (never delete) a few files to drive the point home.
>3. Give yourself access to their private folders.
>4. Log them out

Or you could have one bathroom for the good guys and another for the
others.

Or you could tell their moms what dozy kids they raised.

Or you could have security pretend to 'arrest' them.

Or [add further crass punishments here].

Proper training, eh? It's the business!

MM

[Mike Mitchell]

On Fri, 2 Feb 2001 19:02:42 -0800, "Jeff Peil" <jpeil@bigfoot.com>
wrote:

>I certainly don't doubt that security problems at banks continue to this
>day, and people I know in that industry would lead me to believe that its a
>constant war for them that will never end, they just generally don't let
>news of such cases leak out, as the impact of the public finding out about
>it would be very bad for that bank.

In a slightly different vein (I can't find any others...), what do you
think of the likelihood that consumers will eventually tire of the
Internet, cease trading their trinkets, and go back to buying in
shops? Over here, teens are already leaving the Internet big time, as
they get more enjoyment out of their mobile phones and SMS. I wonder
whether the Internet for ordinary folks may go the same way as CB
radio.

MM

[Mike Mitchell]

On Sun, 4 Feb 2001 00:03:13 -0800, "Brian G. Rice" <bgrice@entier.org>
wrote:

>Microsoft is not protecting the same type of data that your banks are. For
>every site, there is an appropriate amount of time and money to be spent on
>security. A primarily content oriented site certainly does not need the
>same level of security as a financial institution.

What about information about a company's employees, their private
addresses, their bank details? What about company documents which
could affect the share price? What about medical information which
could stop you from getting insurance or treatment? What about details
discussing your kids' education, where they go to school?

Let us hope that this information and much more is held as secure as
that in a financial institution, because lots of it could be even more
valuable to one's life than just money.

>As to hotmail, if you are that concerned about someone reading all of the
>SPAM sent to your hotmail account, change the password yourself every month.

Oh, no, I'd better not do that until Hotmail remind me....!

MM

[Jeff Peil]

"Mike Mitchell" <kylix_is@hotmail.com> wrote in message
news:3a7d4035.8614358@news.freeuk.net...
>
> In a slightly different vein (I can't find any others...), what do you
> think of the likelihood that consumers will eventually tire of the
> Internet, cease trading their trinkets, and go back to buying in
> shops? Over here, teens are already leaving the Internet big time, as
> they get more enjoyment out of their mobile phones and SMS. I wonder
> whether the Internet for ordinary folks may go the same way as CB
> radio.

This is really getting off-topic for this group, if you want to repost over
in the off-ramp, we can continue there.

[Karl E. Peterson]

You contradict yourself, regularly. No arguments there!
--
http://www.mvps.org/vb


"Jonathan Allen" <greywolfcs@bigfoot.com> wrote in message
news:3a7b8394@news.devx.com...
> Do you have any real arguments to contradict me, or are you just grasping at
> straws?
>
> --
> Jonathan Allen
>
>
> "Alessandro Coppo" <a.coppo@iol.it> wrote in message
> news:3a7b2eaa@news.devx.com...
> > Jonathan Allen wrote in message <3a7b17db@news.devx.com>...
> > >That has the greatest potential for security leaks in many companies. By
> > >forcing the user to change their password on a regular basis, many
> > employees
> > >start to have trouble remembering their latest password. This causes them
> > to
> > >do dangerous things like writing it on a post-it note and placing it
> under
> > >the keyboard or on top of a drawer.
> >
> >
> > <sarcasm mode="on">
> > You are right. Password scheduling is useless. By the way, why don't give
> > every user a default, unchangeable password using e.g. (in US) is IRS
> > number? easy to remember and they won't write it down because Uncle Sam
> has
> > already done it...
> > </sarcasm>
> >
> > Alessandro Coppo
> > a.coppo@iol.it
> >
> > P.S.: visit http://www.counterpane.com/labs.html
> >
> >
> >
>
>

[Steve Dee]

Mike,

> the credit card. Why isn't there a credit card that is valid for only
> a single transaction? That's why all the DotComs went bust recently.

There are several that are valid for only a single transaction. Pretty new
stuff though.
Oh, and the DotComs mainly went bust because they didn't have valid
products. People threw money into DotComs thinking they would hit gold or
another Microsoft.....Kindof like when Netscape went public. Tons of free
cash, but no product. DotComs are dying because they are not
producing...not because of Credit Card's and transactions.