Comments on: Symmetric Encryption: The Password Problem
http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/
I will not fix your computer.
Tue, 04 Aug 2020 22:34:33 +0000

By: The problem with your data… and your friends « Sin Trenton http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-22472 Fri, 22 Jun 2012 19:34:48 +0000 http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-22472

[…] Terminally Incoherent: Symmetric Encryption: The Password Problem […]

By: Luke Maciak http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7928 Thu, 31 Jan 2008 03:55:20 +0000 http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7928

Actually, you are right. It depends on the users. If it’s just a random employee then it’s their fault for not backing up. If it’s a director or one of the “golden boys” who can do no wrong in the eyes of the powers that be, then it’s my fault for not trying hard enough to recover it, or for not maintaining the machines well enough to prevent this from happening.

But yes, tenure is a funny thing. Gotta love the academia. ;)

By: Miloš http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7926 Thu, 31 Jan 2008 03:33:23 +0000 http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7926

Yeah, centralized data is on servers and backed up here as well. But their individual data is a whole other issue. Yeah I know it’s personal, but somehow it always ends up being our responsibility to try to recover.

I think that this happens due to the main difference between your users and mine – tenure. Enough said. :(

By: Luke Maciak http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7925 Thu, 31 Jan 2008 02:54:44 +0000 http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7925

Well, I found out that the best way to teach people about backups is to do it the hard way. You give them a bunch of memory sticks, or an external HD and show them how to use it. Then you tell them – back up your data as often as you can.

If they don’t, they are the ones who will lose work and get chewed out by the boss.

The main office here is OK because 90% of our data is located on the 2 Windows servers. They are set up with DFS replication so the network shares are essentially mirrored in real time. Both servers are RAID 1, and there is a nightly backup to the tape on a weekly rotation. I usually take one of the tapes offsite at night.

The desktops are not backed up but users simply use their local drives as temporary working area and then drop the files on the network shares where others can access it. It works out well and it is a pretty solid setup.

The field employees are a whole other story. They are the problem children.

But you are right – user education is important. But you can only educate people who care enough to listen or are able to understand the significance of what you are saying.

By: Miloš http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7914 Wed, 30 Jan 2008 18:05:20 +0000 http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7914

I wish getting users to encrypt their communication was our only problem. We also have issues getting them to back up THEIR data. I’m talking about a weekly backup to another disk of stuff THEY need, not me, I don’t care for it to be honest with you. Well, let me clarify that… I care for the university/college private data (admin info, student/employee info, budgets, …), but I really couldn’t care less about photos they took of stupid orange gates in Central Park last year (or was it two years ago?).

On the other hand, some system admins at times have trouble syncing SSL certs on their servers which is also very frustrating and annoying. Policies are important but the real progress can only be made with the right people in the right places (IT) and user education. They need to understand why this is important, not to look at it as another thing IT folks came up with to make their lives more difficult.

By: Luke Maciak http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7913 Wed, 30 Jan 2008 17:34:10 +0000 http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7913

National Penis Day – LOL! That is actually pretty amusing.

But yes, my situation is not that much better. Fortunately we do not have any students trying to hax the system around here but the level of competence is about the same. :P

By: Ryan http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7912 Wed, 30 Jan 2008 16:09:30 +0000 http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7912

You are spot on about the fear of technology with users. I work in a school district and teachers are one of the hardest groups to teach anything to. We had our first password change in three years and a month later we are still resetting passwords. We sent out pictures, with step by step directions about the change, which would only require the users to change their passwords after they have logged in. Users are still complaining about having to memorize a new password. People tape the password to their monitors and students are logging in as a teacher and causing chaos. I am not kidding when yesterday, I had to show a teacher how to use a flash drive and a fourth grade special ed student was making fun of the teacher who couldn’t use it. People are sometimes ashamed to admit that they don’t know something, this is human nature. I shudder to think of the weak passwords that “protect” so much sensitive data in schools. The password change was started because an administrator at a high school had a password of password, and a student logged in as that user and made an event on the school web page for national penis day. The administrator could not understand how “a hacker” could do that and that we could not find out who it was. Our network admin and our director of IT tried to explain how a smart kid (or a dumb one) could guess his password and failed to impart understanding of this simple concept of social engineering and a secure password. Or those who set their password to their first name, which students know. Basically only 1/3 of users have a password that a student or staff member couldn’t guess or read off of a post-it note.
And we are talking about PhDs and Master’s degrees required for these jobs. The irony of educators not willing to learn is staggering.

By: ths http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7911 Wed, 30 Jan 2008 14:45:30 +0000 http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7911

I admit GPG is only useful if people on both sides use it. I have an automation to create a GPG key if I add a new user on the Linux server, and I have an automated Thunderbird setup (all Windows clients run freesshd, so this is a matter of a simple scp).
Currently all outgoing mail is signed by default, but not encrypted. I wish the medical laboratories we do business with could be convinced to encrypt emails with sensitive medical data …

By: Cairnarvon http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7908 Wed, 30 Jan 2008 09:14:46 +0000 http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7908

Oh, right, I misread that.
7-Zip also supports AES encryption, by the way, and it’s OSS.

By: Luke Maciak http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7907 Wed, 30 Jan 2008 08:53:52 +0000 http://www.terminally-incoherent.com/blog/2008/01/29/symmetric-encryption-the-password-problem/#comment-7907

Yeah, AES is open. Winzip charges an arm and a leg ’cause they are greedy. Unfortunately this is also an application that users are intimately familiar with and use on a daily basis. So Winzip seems a logical choice – bringing in some new encryption app would add confusion but it is not out of the question.
