New Specialty Qualification?

Started by exFlight Officer, September 06, 2011, 12:07:44 PM


JC004

Quote from: davidsinn on September 08, 2011, 03:18:00 PM
It's not even good INFOSEC because a password that complex and used that rarely will have to be written down and that blows the whole thing. Frankly the IT weenies that enforce this crap are idiots.

We should give a tiny tutorial (paragraph or so) on how to do a password that is easily remembered but very hard to crack (not unlike I mentioned to you, actually).

JeffDG


jeders

If you are confident in you abilities and experience, whether someone else is impressed is irrelevant. - Eclipse

davidsinn

Former CAP Captain
David Sinn

Thom

XKCD has the answers to most of life's questions.

However...I'll be interested to see in a couple of years, just how high up the 'common password' lists the phrase 'correcthorsebatterystaple' climbs, thanks to people who read but don't understand.



Thom

Eclipse

There's no such thing as a password that's "hard to crack" - the only issue is how interested in your data the other person(s) is.

"That Others May Zoom"

Phil Hirons, Jr.

Quote from: Thom on September 08, 2011, 03:51:44 PM
... thanks to people who read but don't understand.

How many other CAP situations could this apply to?

Spaceman3750

Quote from: davidsinn on September 08, 2011, 03:18:00 PM
Quote from: Spaceman3750 on September 08, 2011, 02:42:17 AM
Quote from: JeffDG on September 07, 2011, 01:31:30 PM
Quote from: Eclipse on September 07, 2011, 01:21:53 PM
Quote from: Larry Mangum on September 07, 2011, 01:01:08 PM
3. Open notepad on the toughbook and type in your password before you take off. Then when trying to enter the password in while bumping around in the air, you can simply paste it in. Will save you from locking out the account, as you only get three attempts. Cannot overstate the importance of this. Three classes at NESA managed to lock out 9 of 12 training accounts, if I recall correctly.

Let me guess - 8-10 characters, alpha-numeric, mixed-case.  The password should be entered once, saved, and not a factor for the operator.

By the third or fourth time someone locks out a system you'd think they'd have changed the procedure.
No, nothing that simple:

  • 15 characters
  • At least 2 "Special Characters"
  • At least 2 numbers
  • At least 2 upper case and at least two lower case
  • Must not be one of your last 10 passwords

You have just seen the epitome of security folk vs. everyone else. Those standards are very good from an INFOSEC standpoint, but not very good from an operational standpoint. Can you log in on the ground?

It's not even good INFOSEC because a password that complex and used that rarely will have to be written down and that blows the whole thing. Frankly the IT weenies that enforce this crap are idiots.

Actually, on the first point, you have a point. However, IT folk (I'm one of the idiots by the way, thanks :angel:) typically think in terms of how hard a password is to crack, not how likely someone is to write it down, because no matter what many of your users are going to write it down anyways (I routinely see people write down single-word dictionary passwords like "kittens" and "password").

JeffDG

Don't tar all of IT with that brush...I'm an IT guy!  It's the IT Security folks that are annoying!

I once ran L0ftcrack on a domain of a client (ok...long time ago!) and found that 70% of passwords in the domain were the company name...yes, I recommended some password policies...reasonable ones...to that client!
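The rule set quoted a few posts up (15 characters, two each of specials, digits, upper and lower case, not one of the last 10), JeffDG's finding that most of a domain's passwords were simply the company name, and the XKCD passphrase point Thom raised earlier can all be checked against each other in a few lines. This is an added example written for this thread, not code from any poster or from the GIIEP program; the organisation name, the year and the eight-word list are constructed placeholders, and the history rule compares plaintext purely for illustration (a real directory stores and compares hashes of the previous passwords).

```python
import math
import secrets

# Complexity rules as quoted in the thread; the 90-day rotation rule
# mentioned later is about lifetime, not content, so it is not checked here.
MIN_LENGTH = 15
MIN_SPECIAL = 2
MIN_DIGITS = 2
MIN_UPPER = 2
MIN_LOWER = 2
HISTORY_DEPTH = 10


def policy_violations(password, history=()):
    """Return the names of the quoted rules that `password` breaks.

    An empty list means the complexity policy would accept it. Anything
    that is not a letter or digit (spaces included) is counted as a
    "special character", the usual reading of such rules.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("length")
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        violations.append("digits")
    if sum(c.isupper() for c in password) < MIN_UPPER:
        violations.append("upper")
    if sum(c.islower() for c in password) < MIN_LOWER:
        violations.append("lower")
    if sum(not c.isalnum() for c in password) < MIN_SPECIAL:
        violations.append("special")
    # Plaintext comparison for illustration only; a real system keeps the
    # hashes of the last N passwords and compares against those.
    if password in list(history)[-HISTORY_DEPTH:]:
        violations.append("history")
    return violations


def predictable_fragments(password, banned_words):
    """Case-insensitive check for an organisation name, a year and similar
    fragments: a complexity rule never catches them, yet they are what the
    'company name' finding above consisted of."""
    lowered = password.lower()
    return [w for w in banned_words if w.lower() in lowered]


def random_chars_entropy_bits(length, alphabet_size):
    """Entropy of `length` characters drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count, wordlist_size):
    """Entropy of `word_count` words drawn uniformly from a word list."""
    return word_count * math.log2(wordlist_size)


def generate_passphrase(wordlist, word_count=4):
    """Draw words with the `secrets` CSPRNG so the entropy estimate holds."""
    return " ".join(secrets.choice(wordlist) for _ in range(word_count))


# Constructed sample values: a placeholder organisation name and a tiny
# word list, not real credentials or a real deployment list.
ORG_WORDS = ["ExampleCorp", "2011"]
TINY_WORDLIST = ["correct", "horse", "battery", "staple",
                 "anvil", "cloud", "granite", "lantern"]

if __name__ == "__main__":
    for pw in ["ExampleCorp2011!!", "correct horse battery staple"]:
        print(repr(pw), "violations:", policy_violations(pw),
              "predictable:", predictable_fragments(pw, ORG_WORDS))
    print("15 random printable ASCII chars: %.1f bits"
          % random_chars_entropy_bits(15, 94))
    print("4 words from a 2048-word list: %.1f bits"
          % passphrase_entropy_bits(4, 2048))
    print("sample passphrase:", generate_passphrase(TINY_WORDLIST))
```

Running it shows the mismatch the thread is complaining about: the org-name-plus-year string sails through every quoted rule while being the first thing a wordlist attack tries, and the four-word passphrase, which is both memorable and worth about 44 bits if the words are drawn at random, is rejected for lacking digits and capitals. Fixed phrases copied from the comic, as Thom notes, carry none of that entropy, which is why the generator draws from the list rather than returning the famous four words.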

Spaceman3750

Quote from: JeffDG on September 09, 2011, 12:45:03 AM
Don't tar all of IT with that brush...I'm an IT guy!  It's the IT Security folks that are annoying!

I once ran L0ftcrack on a domain of a client (ok...long time ago!) and found that 70% of passwords in the domain were the company name...yes, I recommended some password policies...reasonable ones...to that client!

I know that the Canuck in you is showing, but it's L0phtcrack :P.

JeffDG

Quote from: Spaceman3750 on September 09, 2011, 01:04:10 AM
Quote from: JeffDG on September 09, 2011, 12:45:03 AM
Don't tar all of IT with that brush...I'm an IT guy!  It's the IT Security folks that are annoying!

I once ran L0ftcrack on a domain of a client (ok...long time ago!) and found that 70% of passwords in the domain were the company name...yes, I recommended some password policies...reasonable ones...to that client!

I know that the Canuck in you is showing, but it's L0phtcrack :P.
OK, it's been a while since I used hacking administrative tools like that.

Thom

In this instance we have even less choice than normal. The entire system is run by the military, and CAP is only one (small) user of the system. Everything is engineered and run to whatever the current .mil security requirements are, whether good or bad.

One good thing is, in this instance, just like Surrogate Predator, CAP is being invited to the table with the big boys. That doesn't come lightly. Unfortunately, once there some of the food may not be to our liking.


Thom

N Harmon

Another IT guy here: Having a password provide authentication and access to the server is beyond silly. Issue a browser certificate and be done with it.
NATHAN A. HARMON, Capt, CAP
Monroe Composite Squadron

Extremepredjudice

Quote from: N Harmon on September 09, 2011, 03:40:33 AM
Another IT guy here: Having a password provide authentication and access to the server is beyond silly. Issue a browser certificate and be done with it.
Agreed...

Or dump the idea of the password all together.

I assume this is kept at a secure location? Only authorized people allowed to access it?
Unless you want the photos and videos tagged with who took it, then it really isn't needed.
I love the moderators here. <3

Hanlon's Razor
Occam's Razor
"Flight make chant; I good leader"

Spaceman3750

Quote from: N Harmon on September 09, 2011, 03:40:33 AM
Another IT guy here: Having a password provide authentication and access to the server is beyond silly. Issue a browser certificate and be done with it.

Easily intercepted.

Smartcard wouldn't be bad (as long as it was single-factor and not two-factor auth) until someone loses the smartcard into the fold of a Cessna.

N Harmon

Quote from: Spaceman3750 on September 09, 2011, 03:57:23 AM
Quote from: N Harmon on September 09, 2011, 03:40:33 AM
Another IT guy here: Having a password provide authentication and access to the server is beyond silly. Issue a browser certificate and be done with it.

Easily intercepted.

What, with a man-in-the-middle attack? I would assume such an implementation would be based on a mutually trusted CA.
NATHAN A. HARMON, Capt, CAP
Monroe Composite Squadron

ProdigalJim

Just finished GIIEP training, and now that I've done it, I've gotta agree that the password restrictions were pretty rich...the CT screenshot of the XKCD comic definitely made the rounds during the lecture!

PROS --

1. Low-cost way to do (kinda) what TV news helicopters have been able to do for years...live video, back to the Mother Ship. No microwaves or $250,000 mast trucks required!
2. Super-portable.
3. Works on any airplane/vehicle/ground team member, etc.
4. Any dummy (read "Yours Truly") can become competent in its operation in a short period of time.
5. Significantly improves the real-time operational picture/situational awareness for those back at the Mother Ship.

CONS --

1. Password restrictions are so severe that they're being defeated by human nature (sheets with password reminders on them, stickers on machines, etc.). If it's so hard that everyone writes them down, it DEFEATS THE PURPOSE!
2. The Toughbook (at least the four units we were using) seems to be slow as molasses. Terrible latency moving the mouse around via the touch-pad.
3. Persnickety relations between the GIIEP client and the Google Earth Enterprise common operational picture.

IT'S NOT UP TO ME (OR EVEN CAP), BUT IF IT WERE --

1. Recommend color-coding the different GIIEP units/teams in the chat window to match the colors those teams are streaming in the Common Operational Picture. With a lot of chat lines going by, color-coding could make it easier to find the team you need more quickly.
2. Coding a few functions to force compliance with conventions; so, for example, you can't name a mission profile in any way other than the date/time convention recommended in the initial training.
3. Improve the speed of the various pieces on the laptop. A lot.
4. Include two items in the go-box: a laminated inventory sheet (like the picture-book slide in the training materials) and a laminated operator checklist, just like the one you'd use as a pilot. You can challenge/response it if you like: Dongle? Connected. Update Rate? 5 History? 9999 And so on. Sequence is EXTREMELY important in firing up and using GIIEP, and a checklist can help the operator ensure they're doing everything in the correct order.
5. Label every item in the go-box, so components don't get mixed up in a busy mission base with (potentially) multiple GIIEP units. Make it "firefighter proof" (my brothers and sisters out there know what I mean!  ;D   ). Unit VA2 gets all green dots on each component, Unit VA1 gets all orange dots. Or something like that.
6. With the air card service so picky (cell towers are optimized, after all, to work with things on the ground, not in the air) maybe CAP or AFNORTH could, through some sort of MOU with the Army/NatGuard, etc., bring the giant CAP repeater network into play somehow? Make it CAP's contribution to the evolving GIIEP national asset...Guard could use CAP repeater network for domestic stuff they may be working on, and we would have a robust comms link. I'm not a comms guy, so I don't know exactly how it would work, but it FEELS like something we should be able to do...essentially creating a giant, advantaged Wi-Fi network.

Overall, GREAT training and a great weekend!  :clap:  :clap:

Jim Mathews, Lt. Col., CAP
VAWG/CV
My Mitchell Has Four Digits...

SARDOC

Quote from: JeffDG on September 07, 2011, 01:31:30 PM
No, nothing that simple:

  • 15 characters
  • At least 2 "Special Characters"
  • At least 2 numbers
  • At least 2 upper case and at least two lower case
  • Must not be one of your last 10 passwords

You also forgot... it has to be changed every 90 days

SARDOC

Quote from: ProdigalJim on September 11, 2011, 09:31:05 PM
5. Label every item in the go-box, so components don't get mixed up in a busy mission base with (potentially) multiple GIIEP units. Make it "firefighter proof" (my brothers and sisters out there know what I mean!  ;D   ). Unit VA2 gets all green dots on each component, Unit VA1 gets all orange dots. Or something like that.

These are some good suggestions, except, and you have to be realistic about this... there is no such thing as "Firefighter Proof". There are things that are Firefighter Resistant... but not firefighter proof.

Yes...this weekend was definitely a good class.

Eclipse

When I worked for a municipality and we used to have conversations about making things "Firefighter Proof", it had to meet three criteria.

You should not be able to:

Lose it.
Break it.
or Eat it.

"That Others May Zoom"