New Security Administrator: Grilled-Sarlacc

I can give you tips.

I have a sure way to get banned, but I am not going to bring it up. In this thread at least.

 

Yeah Cpt Obvious

I think you have a way dealing with bans yourself.

But I did tip you didn't I?

 

I will at least explain it.

And yes, you did tip. But I think it's called bribery. Another couple of weeks, right?

 

No it's about another 9 days, I think. Bribe? Me!!

Oh no I call it donation of courtesy.

 

Donations of chocolate coins would be much appreciated.

 

A bit late ... but congrats GS!!

 

Darn... late...


Anyway, congrats G-S!!!!!

 

Let me repeat, what exactly does a security admin do?

 

Find and plug holes. If you want specific detail, you probably won't get it.

 

We could tell you, but then we'd ahve to ban you.

Basically, a security administrator is responsible for the security of the system in general. While he does not have access to the underlying operating system or even the full board software, it is his responsibility to investigate reports of hacked accounts, stolen passwords, and similar security breaches. Additionally, he helps enforce security policies withing the ModSquad (for example, how often moderators should change their passwords).

Kimball Kinnison

 

I am late! congrats grilled

 

Basically, a security administrator is responsible for the security of the system in general. While he does not have access to the underlying operating system or even the full board software, it is his responsibility to investigate reports of hacked accounts, stolen passwords, and similar security breaches. Additionally, he helps enforce security policies withing the ModSquad (for example, how often moderators should change their passwords).

He's responsible to the security of the system, but he does not have access to the actual software or the OS itself? ok....

What 'steps' does a security administrator take to investigate reports of hacked accounts, stolen passwords, etc? I was under the impression that a person without actual access to the software wouldn't be able to do anything in regards to the things you've specified.

 

What 'steps' does a security administrator take to investigate reports of hacked accounts, stolen passwords, etc? I was under the impression that a person without actual access to the software wouldn't be able to do anything in regards to the things you've specified.

While he does not have access to the software itself, he does have access to certain logs of information. He has at his disposal tools to help him gather the information needed to investigate.

That's all you really need to know. If we gave out too many details on it, there are ways to circumvent his ability to investigate. Some of those people know about, some they don't. In any case, we aren't exactly going to post that information for everyone to see.

While "security through obscurity" is a bad idea by itself, in this case it can be effective in conjunction with the other tools at our disposal.

Kimball Kinnison

 

While he does not have access to the software itself, he does have access to certain logs of information. He has at his disposal tools to help him gather the information needed to investigate.

I don't think the logs come etched with the bugs people use to exploit, unless Grilled-Sarlacc here can pull a Sherlock Holmes from the IP addresses.

That's all you really need to know. If we gave out too many details on it, there are ways to circumvent his ability to investigate. Some of those people know about, some they don't. In any case, we aren't exactly going to post that information for everyone to see.

Might that perhaps be due to the lack of any other 'tools' which you can make use of?

While "security through obscurity" is a bad idea by itself, in this case it can be effective in conjunction with the other tools at our disposal.

</dramatic music>

 

I don't think the logs come etched with the bugs people use to exploit, unless Grilled-Sarlacc here can pull a Sherlock Holmes from the IP addresses.

We also have access to zerosleep, who coded up most of the boards for IGN. However, most security breaches are not done through an exploit. They are done through such things as weak passwords or people gaining access to an email account.

For example, in the last month, I know of at least one account that was hacked because the user used his first name (listed in his profile) as his password.

Might that perhaps be due to the lack of any other 'tools' which you can make use of?

I work as a computer security engineer and developer. Windows viruses aside, most intrusions occur through an established account with an insecure password. I have caught many users of my systems using passwords like "password", "123456", or other such easily guessed words. When told to make it a mixuter of upper and lower case, about 90% (at the last review) only captialized the first letter. When told to add a numeric character, 75% added "1" to the end of their old password.

Logs are more than sufficient, among other tools available, to allow the tracking of the most common intrusions.

Kimball Kinnison

 

We also have access to zerosleep, who coded up most of the boards for IGN. However, most security breaches are not done through an exploit. They are done through such things as weak passwords or people gaining access to an email account.

For example, in the last month, I know of at least one account that was hacked because hte user used his first name (listed in his profile) as his password.

I work as a computer security engineer and developer. Windows viruses aside, most intrusions occur through an established account with an insecure password. I have caught many users of my systems using passwords like "password", "123456", or other such easily guessed words. When told to make it a mixuter of upper and lower case, about 90% (at the last review) only captialized the first letter. When told to add a numeric character, 75% added "1" to the end of their old password.

What you just described is stupidity which is far from 'security breaches'. Also, zerosleep != Grilled-Sarlacc.

Logs are more than sufficient, among other tools available, to allow the tracking of the most common intrusions.



You don't need the help of logs for this. You're wandering off-topic, someone setting their password as asdf doesn't count as a 'security breach'

 

What you just described is stupidity which is far from 'security breaches'. Also, zerosleep != Grilled-Sarlacc.

Nope. A security breach is any time that a person gains access to this site that they are not supposed to have. That can include accessing it through an account not their own or accessing portions of the site that they are not authorized for (such as private forums).

Grilled-Sarlac has responsibility for dealing with the normal security breaches, such as accounts being hacked. He also has primary responsibility for removing access to users who go inactive (for example, if a moderator disappears, he is responsible for removing their modsquad access until we hear from them again).

zerosleep is also an administrator and is responsible for the actual security of the software. They will work together at times, but within the boards, Grilled is responsible.

You don't need the help of logs for this. You're wandering off-topic, someone setting their password as asdf doesn't count as a 'security breach'

You don't need the logs to identify that it happened, but they become useful in tracking down who did it. At that point, there are a host of options open to the administration, including possible legal action if so desired.

And no, a weak password by itself is not a security breach. However, once a person other than the account owner accesses the account because ot the weak password, it is a security breach. One of Grilled-Sarlac's responsibilities is to help prevent that from happening (at least for members of the administration).

Kimball Kinnison

 

My password is starwars. That's a good one, right?

In any case, I don't see the point of arguing over the method in which security is applied to these forums. It doesn't seem to be too big of an issue save a few constant thorns, most of which don't normally effect the majority of posters.

 

I need to visit comms more...

Congrats man!

 

Please understand that the actions taken by the security admin aren't going to be discussed beyond general descriptions. Some things aren't even discussed using computers. We don't want to publicly say how we intend to stop things like hacks. If the hacker can read private information, they most certainly have no problem reading things in Comms.

 

I agree with G-S being made an admin as he is the best qualified, but the "security" part makes me giggle.

 

Well I am late.... but congrats Grilled-Sarlaac! I know you will do well!

 

Congrats man.

 

If the hacker can read private information, they most certainly have no problem reading things in Comms.

Understandable....

If you want to truly discuss things in private concerning the security here at the JC....I'm guessing you would do so at a place/arrangement totally independant of the JC.

 

Congrats, G-S.

I feel safer already.