Basically I am of the "walking away and not bothering" variety. I think that in an enclosed office environment with coworkers, this lapse of security is OK. A coworker of mine in Toronto got gigged a couple of weeks ago because he did not comply with the security policy and either left his laptop (locked) on his desk or some papers. However, I do take my laptop with me when I leave at night because I don't know who is cleaning the office.

On 09/07/2012 05:48 AM, Derek Martin wrote:
>
> No, I asked for a *likely* example, where the cost was justified by the threat. You didn't provide one, and I offered simple counters for the example you did provide, which DOES invalidate the example, reducing it to an education issue or an administrative issue. Your example also assumed a complete lack of security awareness (weak filesystem permissions)... a fact not in evidence, neither in my case nor in the case of anyone posting in this thread, and one unlikely to be true given this list's educated user base, but required for validity of your example. And even if you did have such users in your environment, as a security-oriented system administrator, detecting and correcting them is utterly simple using tools found on every Unix-like system, and YOUR responsibility.
>
> I thus conclude that your premise -- "Walking away from a workstation and 'forgetting' to log out is a bad practice" -- is completely false. Again, this is not to say that logging out daily has no value whatsoever in a security frame of reference; it is rather to say that a requirement of mindlessly doing so is probably not worth the cost of lost productivity in the typical case. You have to know your environment (and threat model) and adjust your policy appropriately.
>
> The point is this: Security admins often overlook that too much security is as bad if not worse than too little, and security training does not focus enough on this idea, in my experience and opinion -- or at least it didn't when I had mine, which admittedly was quite some time ago. For your policy to be effective, your users need to trust you, and they won't if they see you as a mindless zealot who only knows how to get in their way. If you make policy that makes educated users think thusly, they're going to ignore you on general principle, and complain about your policies to coworkers who are already looking for a reason to ignore your cumbersome security measures, which only reduces the overall security of your environment. And worst of all, in most environments, you're not going to have the teeth to back up your policy, as management generally isn't about to fire productive employees for forgetting to log out of their workstations, which only tends to make you look even worse (to offending employees) for complaining about it... So you may as well design your policy to make those discussions you'll inevitably have with your users actually matter as much as possible.
>
> On the other hand, if you do actually work at, say, a defense contractor, managing the systems used to design the next super-secret insta-kill-all-the-bad-guys weapon, then go ahead and steamroll your users with your policy, and bring a big LART when they fail to comply.

--
Jerry Feldman <gaf at blu.org>
Boston Linux and Unix
PGP key id: 3BC1EB90
PGP Key fingerprint: 49E2 C52A FC5A A31F 8D66 C0AF 7CEA 30FC 3BC1 EB90
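Derek's aside in the quoted message, that weak filesystem permissions are easy for an administrator to detect and correct with tools found on every Unix-like system, is the one concrete technical claim in this exchange. As an added example that is not part of the original thread (my own code, not Derek's, Jerry's or BLU's), here is a POSIX shell check that lists world-writable files and directories under a path and, on request, strips the other-write bit. The function names, the sample paths and the `--fix` flag are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the BLU thread): audit a directory tree for files
# and directories that anyone on the system can write to (mode bit o+w),
# which is the "weak filesystem permissions" case Derek refers to.
# Uses only POSIX find(1)/chmod(1); -perm -002 matches entries with the
# other-write bit set regardless of their remaining mode bits.

# List world-writable regular files and directories under "$1", sorted so
# that output is stable for comparison across runs.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print 2>/dev/null | sort
}

# Return the number of findings as a bare integer (tr strips the padding
# that BSD wc(1) adds), handy for a pass/fail check in a cron job.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remediate by removing only the other-write bit; owner and group modes
# are left untouched, so the change is minimal and reversible (chmod o+w).
fix_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -exec chmod o-w {} +
}

# Usage (assumed CLI, only runs when a path is given):
#   sh perm_check.sh /home          report only
#   sh perm_check.sh /home --fix    report, then strip o+w from findings
if [ -n "${1:-}" ]; then
    find_world_writable "$1"
    if [ "${2:-}" = "--fix" ]; then
        fix_world_writable "$1"
    fi
fi
```

Run it report-only first and review the list: a few world-writable paths are intentional (for example sticky-bit scratch directories), and those should be excluded from the tree you pass in rather than blindly "fixed".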