Back in 1994 there was a corporate communications sent to everyone that requested that staff not store firearms in their car glove compartments when parked on campus. Being Canadian, this was just absurd to me.

Feynman was the best lock picker that never was!

Not sure of the book, but "Richard Feynman Lecture -- "Los Alamos From Below"" is a well told story.

yeah, it's a wonder he didn't get himself shot just once ... :)

Among them is a story that after Feyman demonstrated to security people how easily their measures could be evaded, they, in classic security cop tradition, concluded that HE was the security problem.

And how many of them ended up in building 8 to be meet by?.. It would make for a few good stories.

I'll keep that in mind when I get hired at Microsoft in my next lifetime maybe?

The BBC had something similar at Television Centre in London. They had news studios numbered from N1-N6 and N8-N10. There was no N7 because they used the main studio TC7 for some news programmes and didn't want confusion between the two. So "I'm off to N7" usually meant going to the bar for a few drinks!

There in all likelihood a different equally valid reason why it doesn't exist, but I wonder if it works out to be the power-box for the carpark lights. You know about a meter high and here at least the outer case is made of fiberglass.

A quick google search on the map shows it's under construction.

@@cykes5124 *REPORTED* lol

Deviant Ollam approves.

Haha i laugh

wel password sharing is now banned in most orgs... mainly because if someone messes up, you need to know who to blame 😁

Worked at a it company in Dublin. Every time we saw an unlocked computer we used to open the group chat at write stuff like “anyone hitting the pub after work. Pints on me!” It was fun and you only left your workstation unlocked once (unless you really liked buying pints for your work mates, but hey, you could do that anyways :) )

@@fredskronk we'd send a mail saying "I'm getting married!" and people would walk up to them and congratulate them and it'd be a while before they realized what actually happened.

Corporates in the late 90's / early 2000's used to have security check whether PCs were turned off at night for energy savings, all good until you came in the next morning and had to spend 30 / 60 minutes waiting for all the B.S scrips / A.V and crap to finish. Say average $35 per hour at the time times, 1000 workers every morning. Yeah, we were saving the planet and personally making bank whilst drinking coffee 20 years before the woke climate change people turned up.

I'm new to computer architecture/software dev and curious about this book, where can one find a copy?

@@joeldejonge2986 see the first entry in the video description

Not much has changed. Working at IBM for 22 years now at their Toronto Lab, I feel that only the NSA has stronger security than IBM.

should've left the desk unlocked with a dye pack in it

I just wanted to address some of your questions / statements if you don't mind. "you had to hand in your mobile phone at the security (why is beyond me because we couldn’t film or steal data on a Nokia in 2001)" Back in the bad old days mobiles and sheildings were non existant, mobile phones in the datacenter was a sure fire way to cause network problems, and data corruption if you ever left it on a server, today shielding is much better but you still surrender your phone. Everything inside a datacenter is critical, you don't want photos leaking out, or photos of racks and switches being public, and depending on the datacenter and its DSS and TIER Raiting its a security requirement today. "It dawned on me that some idiot developer, forgot to realize that it’s okay to enter during your service window but not to exit after it expired" It dawns on me you wasn't authorised to be in the datacenter, and access in and out is denied, emergency exits are in place to let you out without a card anyways. If your authorisation was till 7am, you should have been out at 06:59, None of my datacenters will allow you to enter or exit if your window has expired, staff are onsite anyways to let you folks out, and write up the security breach report for DSS and TIER certification requirements. "The guy that took me, was like: “oh yeah I’m rewiring the phones lines, there. That makes sense, I’ll fix that one right away. I guess it’s more important than we’d thought.”" That would have got him fired even way back when, those phones have to be tested daily and a secondary option must be available (but that's a newer rule)

@@AnIdiotAboard_ the no phones was indeed a stupid, shielding excuse. Like hospitals and airplanes had. IBM is overly cautious. At least that’s why I think it was. In the two times I had to be in the grid, I never really thought about it. Just handed it in. But makes sense because the grids were individual blocks within the DC that were locked so even if you had access to the DC you could only get into the grid where your stuff was. And that’s compartmentalized per client. And each grid (or kavel we call it in Dutch) was also shielded. Because CRT images could easily be captured. Not that I would think any of my colleagues would care. As all of us that had access to that wing supported all those servers. Oh perhaps that was the reason why phones weren’t also allowed. As you could call someone over and open the door for them and they could provide access to a different grid. Don’t know, don’t care. Not working there anymore and don’t want to go back to IBM. Hated it there! Poorly paid over managed shit show. It makes no sense to allow someone in and not out. Because I can do the same amount of damage, so it’s nonsensical to not allow an authorized person out. Unless you would proactively send security, who I trust far less than a senior grid owner. I am not helped with crashing my own grid as grid owner. My clients would call me 😄 In every other DC I went to, granted not private DC like IBM but public DCs where anyone can host their crap, you just registered your time of arrival. You could always leave. Otherwise with a severity 1, you would always be hustling to get extension. Because you don’t know how long something takes and that would slow down. Also by work law we are not allowed longer than 1 hour in a noisy environment without a break outside of that environment. That’s why you have grids with key access too within the cooled area. Emergency exits when your open them required by Dutch law to let the alarm go off. And when an alarm goes off, everything needs to be unlocked. I thought that to be very excessive I sat nicely and comfortably on the wiring guy’s cable spool. And the guy being fired over one phone not yet being wired up? A bit excessive, he probably had that planned anyways. Who is usually in a locked data center at 6/7am? At IBM nobody usually starts that early, except is externals who keep the place running 🤪

@@CallousCoder I mean you could still phone a friend on the outside who was writing everything you said to them down.

@@unicodefox well that would be very inconvenient because the only phone was at the entrance and I’m pretty sure that was an inside line only. Although I never found out because when I needed to call the security to let me out, it wasn’t hooked up. And after that I’ve never touched the red phone.

There are always what I call "Professional Naysayers" in every company. They do provide a function. 1 time out of 10, they will trigger a thought in you, "no, I didn't actually think of that". The other nine times tho.....? 😕

This actually applies to a lot of things

lol

As an InfoSec professional of a decent number of years I must agree. Password rotation is a bigger risk than password retention.

@koyaanisqatsi316 It was not him who presented the Bidick on national Television

Everybody does that. It's impossible to come up w/ a unique password every month and remember which is the current after 2 years. ;)

@@meneerjansen00 Which is why I wrote my password on a sticky note on the laptop. F them and their stupid policy. Fortunately they dropped the password change requirement.

My last work had implemented PCI compliance rules requiring password rotations every 3 months. I just tacked on the quarter (Q1, Q2 etc) and the next year the month (5 passwords were retained to prevent frequent reuse).

Yep, that's exactly what I do now.

Password rules are cancer If some bozo wants to use 1234, that's their problem

All undone by setting domain password rules for *minimum* password age. :)

@@EdgeDC This lol. Complexity required, max password age 90 days, min password age 70 days, last 100 passwords remembered. Have a nice day. 😈

@@aperson9495 …except that Windows & AD won’t let you set the # of passwords remembered to be higher than 24, but otherwise yes, I agree. 🙂

I find it easier to remember one password (and change it - I follow a pattern that's easy to create the next password from my current one) and muscle memory takes over after about 2 days. The brain is sometimes easier to program than a computer!

Yep, gotta love corporate security. Saw my coworker's password by accident one time: "Believe55". Better believe she is now on Believe58 since it's been nine months since then...

you rebel. Butter everywhere quakes with unnecessary fear...

*REPORTED*

One problem with unlocked cabinets is that some one else might use your cabinet to store things they would not want to be associated with, which could end up putting you into trouble. If its small things like narcotics it might be hidden enough for you to not notice.

That's how it should be done. Development on the user's main terminal where they deal with their corporate admin should be prohibited. Instead developers should do their actual development via a VDI. Tbh i'd go so far as allowing a virtual machine on the developers host was incorrect. You could literally run anything you like to attack the wider network in that case. It should still be a managed and monitored machine but can have relaxed controls to enable development, hence VDI.

@@lmaoroflcopter The issue here is that the blanket policy to forbid arbitrary executable code pre-dated the provision of virtual desktops / virtual machines by several months.

@@zymurgic Really? Because you appear to be against the premise of execution arbiters in your first post, you make no mention of timelines, just the security policy of only allowing "whitelisted" software delivered via application packaging. Granted there is a right way and a wrong way to implement things, ensuring folk can do their work for one, but the cry of 'but I'm a dev and I wanna' should not be pandered to.

@@lmaoroflcopter Meh, maybe it should be done like that (I'm not convinced btw), but I wouldn't want to work that way.

@@clonkex you may not want to work that way, I'd rather not spend my days implementing security controls for an environment, but sadly there's a reason why we do.

I worked at Symantec too! And I never tried to setup private servers or anything like that, but I did notice that filesharing sites were not blocked. I never did anything illegal, although I do not remember ever having to go through any sort of training about what was allowed and what wasn't!

@@KristopherNoronha You sound like a 'content' addict 😉

It was marked MICROSOFT-CONFIDENTIAL. 😉

"there weren't any security holes" That's hilarious and a little sad.

My understanding of The Password Rule is that if a nefarious actor captures an encrypted password in transit in some way, it'll take time to brute-force break the encryption and figure out what the password was. No problem, as long as the time it takes to expire is shorter than the processing power needed to decode. It assumes the attacker isn't dedicating a processor farm to finding Average Joe's password, so admin credentials expire much faster since they are worth more effort.

@@jbutler8585 Most people don't try to brute force encrypted passwords. It is inefficient. Quite often they will get a number of encrypted passwords at one time. Depending on the source of the passwords, they will either use common password attacks, directed attack, or both. Directed attacks being finding out information about the people that made the password and using common password tropes used on that. If you force people to change a password too often, then the common tropes become almost universally used, or people having to write them down. Both defeating almost any security that a password is supposed to provide. The research showed that people can't keep track of high quality passwords if you change them too often. The fallacy is that they are making really hard, rarely used attack harder, while making the more common attacks almost trivial. Before someone says, you just need better password rules. Many password rules actually make it easier to guess the passwords as it narrows down the possibilities. That's not to say that you shouldn't have any password rules at all, you just have to be very careful to not make them too restrictive. After all, "password" as a password should never be allowed, yet it is one of the most common passwords used on the Internet.

Just get a password manager.

Wow, that's a kind of smart and intuitive way to do that, having some program or person every now and then going through and trying to guess passwords! I like that

@@jaykebird2go security audit

@@duneode that doesn't work for your main account login, and should also be considered a risk since all passwords are locked behind a single one still.

I hear you. At my first job out of college we were located in a converted retail mall. Outlets were at a premium and we had daisy chains of outlet strips plugged into outlet strips. If a circuit breaker popped you just found another chain of power strips that led back to an outlet on a different circuit and plugged into that. Rumor had it the CEO/owner of the company just wrote out a check for the fire inspection fines due to all our violations as it was still cheaper than having the place rewired. It sounds like that may have been a sketchy place but it was a good company to work for, almost everything except for the power strips was good about the place. And before long we moved out of the mall and into our own new building. We had huge boxes full of power strips that were no longer needed so employees were free to take as many as they wanted for personal use. I have a few good heavy duty trip-lite power strips from that company that I still use. (Security there was a joke too, btw. But as others have said those were simpler times).

Where I worked, it was forbidden to plug anything in to a power socket. Only IT had permission to do that.

Old habits die hard!

This should be obvious to anyone with half a brain, but the above message is fraud and not from Dave.

There was an even easier one with windows 95, it was a mathematical algorithm and could be easily cheesed with the serial number 00100-0123456789-00100 I was 14 and bored when I figured that out.

With NT 4 you just had to enter 1111, job done

Which key in the registry are you editing on reboot? I've seen several candidates from version to version. Just curious which key in the registry compare with all mine. (I have a hexadeca-boot computer because total nerd)

@@enzedpcs2 Same with Windows 95. 🙂

Access VBA... ugh, please don't remind me 😆

Why is Access VBA such a chore? Just because MS chooses not to update the ide?

@@heathbruce9928 so, back in the day, I actually liked it... but then I grew up in my expectations of a language. There used to be an Access Deployment Toolkit that allowed to to "compile" an Access mdb and install it as if it was a standalone exe. I used (abused) that to no end. Wrote an instant messaging app (cause IM was against security policy) that gave me backdoor practical jokes I could pull on anyone I could message. I.e. send a special coded message and make their motherboard start beeping every 3 seconds for 10 minutes, or make their cdrom tray eject. All that with Access VBA, and therein lies the problem. If I'd wanted to do major harm, it would have been a breeze. It might be a clunky base-index-1 tortoise of a language, but the dangers were myriad, and there was no way at the time to track down threats. Later, I used those skills to make a realtime multi-player chess game in an excel worksheet. So, could it do great things? Absolutely. Was it slow and clunky? Yes. Was it a security nightmare? Without a doubt.

​@@heathbruce9928ahaha what IDE?

OS/2 might've been partially developed by MS at one point, but it ended up being a competing product - and fairly superior IMHO, having had some experience with it in the mid-/late-90's. Also here in Finland it was still used in the early 2000's by some government services and when I asked them (their workers) about it, they seemed to like it better and more stable than Windows. Fun thing, because of the earlier co-operation between the two, IBM ended up with having rights to use 16-bit Windows source and OS/2 ended up having more stable and reliable 16-bit Windows than Windows itself (doesn't matter if we're talking of 16-bit Windows itself, or the implementation of it in the 32-bit windowses, OS/2 did it better) :)

Two 56k modems combined them for 115k speed called bbs 0S/2 Warp downloaded files need hung the phone up it made slip knot it was done. I have a box OS/2 with several 3.5 disk. Also had Geosworks a small windows program back in the day. later learned MSD format

@@scottmesserschmidt7778 Wow! Awesome! Life in the fast lane back in the day!

I can't rationalize that one, as brace position uses the seatback in front of you. In fact, if you're in the last row, your seatback doesn't come into play at all.

@@DavesGarage It's about making everyone conform so we're all equally miserable. 😁

Not sure if I'd call it modern. While it certainly exists and is still being used, it's hardly the only, or primary, way that money is detected these says.

@@henke37 That's interesting to hear. What are some of the newer ways?

I often wonder if KZbin's AI engineers get pissed when people intentionally mismatch the subtitles to what people are actually saying :P

Part deux!, especially more on that time machine room from the 80's!

Or better yet, the approach sensor that unlocks the door for people leaving is mounted to a ceiling tile that spans the door. Of course there's no wall above the grid. In another office -- we inherited as-is, where are the controls for this door security system - keypad, mag-lock, etc - and no one knew where it was. It was install years ago, and no one's sure where those wires go. They go into the wall and don't come out the other side, so who the fudge knows. (there was so much non-permitted work in that building none of it was on any set of plans, and as we'd later learn none of the plans were actually correct.) When running some stuff from the telco closet, I found it... two big red boxes above the ceiling in the hallway... _outside_ the office it was meant to protect.

@@jfbeam I worked in a dev shop with an in-house data center. It had security doors that were managed by key card, but it was just bog-standard access control that existed in all the rest of the building, and the panels were in the datacenter. I guess it was remarkably competent. There was no getting in over the drop ceiling either, mostly, I assume, because the room was protected by halon and needed to be separated from the occupied areas on the other side of the wall. This was likely a two-way deal -- to minimize halon getting out, and oxygen getting in. The place wasn't without it quirks, though. There were a couple of places in the room with a button mounted in a wall-plate. Nobody had any idea what they did. They weren't labeled, and didn't tie into the UPS systems or anything obvious like that. So, I took it upon myself to take our label maker and fix that. One read "End the world as we know it," and the other said "Break loose all hell." Now that we've moved out, I hope nobody presses them. Lastly, we had a fire alarm panel that would periodically throw a tantrum and beep continuously with gusto. We would have to call and have it serviced, but in the meantime, we were shown that the button on the side could be held for 10 seconds to silence the alarm. So, I labeled that too: "Press and hold to silence this confounded contraption." I had the satisfaction of watching a tech from the fire alarm company read that, chuckle, and summon his partner to come over and see it. haha I miss that label maker.

At this point Dave could just take out every page off of Raymond Chen's blog and turn each into a video, with the magic Plummer touch added, and I'll watch them.

IT/Security is under managed? Is that why the stereotype from my perspective is a bunch of rogues? As a live media guy, my impression of IT, either directly or from stories told by other media people, is either A) nothing whatsoever (I guess they're like us in that if they're noticed, that in itself means that something is wrong!), or B) "Gilligan on a power trip". The general idea seems to be that if anything at all uses IP packets, then it MUST be managed by THEM, using a boilerplate mentality that ABSOLUTELY DOES NOT WORK FOR LIVE MEDIA!!!!! Meanwhile I'm thinking, "Who cares if it uses IP packets internally?! It's an audio patch cord!" Or maybe video, or perhaps a remote control for a camera, or similar. It literally replaces a bunch of thick and heavy analog cables that they certainly wouldn't have touched, with a single Cat-5. (okay, two Cat-5's for redundancy) Perhaps dedicated WiFi for some of it. That's all it is! Just a much thinner and lighter-weight replacement for the analog signals that we used to use. The IP networking stack simply happens to be a convenient way to do it, and it would have been completely and physically isolated from their network if they hadn't insisted otherwise and I lost the argument. So it would have been no threat to them whatsoever. And **I** take full responsibility for MY "network". They don't. At all. Ever. Even if something goes wrong, I still claim it...unless they caused it by their insistence on managing MY gear for me, which are NOT the computers that they're used to thinking of, even if some of it happens to use similar hardware. (live-media-processing and PC-gaming specs are often identical, for example, but the software is different, including the operating system in a fair number of cases......so you can't manage it with Windows PowerShell from your mom's basement: is that where the hangup is? /sarcasm ) I don't know how many times I or someone else has been dutifully locked out of a system that was fully tested and worked perfectly a few days before, because of "IT best practices". In the case of live media, that's a massively big deal because it can easily kill a show at the literal last minute and leave us scrambling and trying to dodge blame for failing our responsibilities, meanwhile the guy that can unlock it again is not answering the phone because it's outside of 9-5 M-F! (and even if we **can** get a hold of him, he's likely to give us a lecture on how "we're a security threat" and require a complete dissertation on why he's supposed to "violate policy" or whatever, AS THE CURTAIN IS ALREADY RISING!!!) (I've been tempted before, to get into "the IT closet" by whatever means necessary, and physically replace their managed switch with my unmanaged one. Their stuff wouldn't work, but mine would, and the show could go on. Then I'd put it all back, at least physically. Fortunately, I've never actually done that, and I hope I never do, but the temptation is quite strong with some of these guys......)

@@aaronduerksen1378 cool story bro

Our company enjoys checking _all_ the boxes in the security options control panel. No repeating digits, no ascending digits, a mix of lower case, upper case, special chars, numbers, and Celtic runes, must be unique over the last 20? 30? 50? passwords, must be at least 12 characters long, and changes every .. I dunno, 45 days or so. It's infuriating, and I believe, counter productive. I would very much like the industry to finally accept that "There once was a man from Nantucket" is a far more secure password than "a&3Jnl$6z(LeX5", and far less likely to require calling in to the help desk to reset.

@@nickwallette6201 The industry does accept that. Your company, however, not so much...

I briefly consulted for some companies with policies like that. A domain password as well as 2 dozen different linux machines all with their own passwords. A nice little stm2 bluepill acting as a keyboard meant that I didn't have to remember nor type in any of the insane passwords... I just pressed the button. It was during lockdown and I was working from home so "my machine = my rules" Now how many silly little usb gadgets are kicking about nowadays??? And how easy is it for them to be keyboards...

@@MrBCRC giving a silly usb gadget your passwords sounds scary, at least if it's a gadget you haven't made yourself or audited

@@nickwallette6201 It is counter-pro… nah, it's counter-secure. As @common_c3nts said, if you're too draconian, people just write it down on a post-it they stick on the underside of the keyboard. Or probably the monitor. :D What I hate even more though is sites that have max password length limits ("min 8, max 64") and forbid characters, like, say, the good old space.

A: who the F sends passwords via email .

@@unnamedchannel1237 This was standard practice back then at Dell. It was just a temporary password, which needed to be changed at the first login. I wonder if they still do it like this :)

He didn't mention the official "TCP/IP Coffee Pot Protocol"?

@@stephenjacks8196 Error 418