| Author | Message |
| 25 new of 226 responses total. |
steve
|
|
response 125 of 226:
|
May 7 00:22 UTC 1995 |
Marcus isn't guarding it, he's kept it in a place where the files
don't disappear. I have access to all the stuff Marcus has worked on.
Valerie, if you want a copy of something, let me know and I'll get
a copy of whatever for you. But unfortunately, you'll likely have to
download it to your system for safekeeping. Some combination of mdw,
gregc and I need to beat on the controller again (the scsi-3) to see
if we can't run on just it. If that doesn't work then onto getting
the 4-200 in one of our spares for getting Grex SPARCable.
|
mdw
|
|
response 126 of 226:
|
May 7 07:04 UTC 1995 |
I also spent a hellish month last fall fixing newuser.
I am not eager to repeat the process more than necessary.
|
nephi
|
|
response 127 of 226:
|
May 7 08:38 UTC 1995 |
Can't the code for the programs be stored on a different disk than home?
Wouldn't it be safe there?
|
nephi
|
|
response 128 of 226:
|
May 7 09:07 UTC 1995 |
(Oh, and sorry about mixing up the login and newuser programs.)
|
ajax
|
|
response 129 of 226:
|
May 7 15:24 UTC 1995 |
Wasn't the main reason for keeping the code off-line to prevent
hackers/thieves from getting it? If it's just concern about disk
corruption, wouldn't tape or net-accessible off-site backups be
adequate, with main copies on Grex?
|
sidhe
|
|
response 130 of 226:
|
May 7 23:37 UTC 1995 |
The principle isn't the program, it's what it does.
|
selena
|
|
response 131 of 226:
|
May 8 19:21 UTC 1995 |
Look guys.. if I never run into it, that's great. **I** don't care
about that. I don't like a FORCED change. Period.
|
adbarr
|
|
response 132 of 226:
|
May 9 02:44 UTC 1995 |
<thinking this may be a mistake> Perhaps someone could define the
term "force" or "forced" so we can understand what we are talking
about? I think of stormtroopers taking me to a concentration camp
at the point of a gun as "forcing" me to do something. I am not
"forced" to have a driver's license, because I can easily choose
not to drive - and the requirement becomes moot. No one "forces"
anyone to use their modem or terminal to access a computer system.
Where is the "force"?
|
ajax
|
|
response 133 of 226:
|
May 9 03:44 UTC 1995 |
As a guess, the scenario is something like this: after a year of using
Grex, you'd type in your login id and password, and be greeted with:
    Your password is too old, gimme a new one: xxxx
    Ok, give it to me once more to be sure: xxxx
    Sorry, that password stinks, gimme another one: xxxxxxx
    Give it to me again to be sure: xxxxxxx
    That's only remotely better. C'mon now: xxxxxxxxxxxxxx
    You know the routine: xxxxxxxxxxxxxx
    Updating password database...
    <wait wait wait>
    Your password has been changed.
And if you didn't give a new password, you couldn't use Grex anymore.
You aren't forced to do anything at all, but generally....
    You are forced to obey stormtroopers *if* you want to live.
    You are forced to get a license *if* you want to drive legally.
    You are forced to change your password annually *if* you want to keep
    using your account on Grex.
|
scg
|
|
response 134 of 226:
|
May 9 04:44 UTC 1995 |
You are forced to type a login and password correctly to use Grex at all,
and for most Grexers that's a lot more than once a year. Isn't that more
oppressive than a forced password change once a year?
|
ajax
|
|
response 135 of 226:
|
May 9 05:18 UTC 1995 |
Actually, I'd prefer at least the option of not having a password, but
that's a separate issue :). I think this question boils down to what one
considers a reasonable security measure or not. Almost everyone agrees
that user ids and passwords are a reasonable security measure. If the
system were to make everyone type "supercalifragilisticexpialidocious" every
time they logged in, for no real reason, almost everyone would agree that's
not a reasonable thing to force us to do. But an annual password change is
in between, and I think the reason some people support it and others don't
is that we draw arbitrary lines as to how reasonable we think it is.
Anyway, back to reasons I think it's not a great idea: I bet more people
are inconvenienced by forgetting their passwords and having to have staff
reset them than would be inconvenienced by hackers cracking their passwords
because it's more than a year old. What's the one-year hangup? Is someone
gnawing at our passwords on a Cray for several months at a time? And why
compel people to change their password, rather than just periodically
suggesting it and explaining why? Just to reiterate, I don't think it's
worth the effort changing the software, but I don't think a forced annual
change is the best solution. If you do, why do you think it's preferable
to allowing each person to decide for him/herself whether to change it?
|
rcurl
|
|
response 136 of 226:
|
May 9 07:48 UTC 1995 |
In part because each person's security affects everyone's security.
|
adbarr
|
|
response 137 of 226:
|
May 9 12:23 UTC 1995 |
I want to play baseball, but I want 4 strikes for me, and no one else.
I want to play golf at the country club, but I want to set my
own time to start - if someone else is on the green they will have
to wait for me to play through.
I want other people to set up and run Grex, but I want to use
it according to my rules, not theirs. Otherwise I am being
"forced" to do something I don't want to do?
|
popcorn
|
|
response 138 of 226:
|
May 9 12:50 UTC 1995 |
Re 137: Well, but Grex is a system run by its users. The idea is not
to force people to play by rules that were set up by some mysterious
"in group" (in reality, just the schmoes who get stuck doing all the
work), but rather to give everybody input into system policies. This
particular system policy is just getting a lot of input. :)
Re 126: As I understand it, you were cleaning up the shadow database code,
not the basic changes to newuser, such as asking people to enter an
alternate e-mail address. There's a list of changes and bugfixes that
newuser needs now, such as passing the user's site and terminal type to
the login program. I'd be happy to work on these, but 1) the code isn't
on Grex, and 2) I'm told that it would be a Bad Idea to do development on
newuser on Grex.
<sigh>
|
ajax
|
|
response 139 of 226:
|
May 9 17:06 UTC 1995 |
Re 137, so if we were "forced" to type "supercalifragilisticexpialidocious"
every time we logged in, you'd think that's fine? And even if the staff did
exclusively own Grex (they don't), I'd still have the opinion that typing
such a thing would be a non-ideal policy. Should my opinion be "gee, this is
the best possible policy, simply because that's the way it is?" That seems
to be what you're driving at, and I think it's a seriously flawed idea.
|
scg
|
|
response 140 of 226:
|
May 9 22:39 UTC 1995 |
There is no rule or piece of software saying that passwords, old or new,
have to be anywhere near as long or as much of a pain to type as that, Rob.
|
adbarr
|
|
response 141 of 226:
|
May 10 01:45 UTC 1995 |
re 139, Yes! Except you forgot to add some punctuation characters
to make it harder to crack.
|
ajax
|
|
response 142 of 226:
|
May 10 14:25 UTC 1995 |
I'm not saying passwords have to be that long; I'm saying if everyone had
to type that exact word, in *addition* to passwords, it would be obviously
pointless, and worth complaining about. While most of this item has debated
the merits of forced password changes, Arnold seems to be suggesting that we
shouldn't even suggest changing things, because nothing on the system could
ever be "forced," and that people setting things up should make the rules.
|
tsty
|
|
response 143 of 226:
|
May 10 17:54 UTC 1995 |
heh - 14 yr old passwds ... i know a story about that ...
|
steve
|
|
response 144 of 226:
|
May 10 22:18 UTC 1995 |
Related to MTS?
|
adbarr
|
|
response 145 of 226:
|
May 11 01:11 UTC 1995 |
re 142 - Rob - I just experienced a cool breeze on the top of my head!
Uh? Please be more specific. Not getting that - you are "breaking up, Base.
Please say again!"
|
selena
|
|
response 146 of 226:
|
May 11 01:57 UTC 1995 |
<oh, Selena just hugs everyone!>
Sorry, not in an argumentative mood..
|
popcorn
|
|
response 147 of 226:
|
May 11 14:28 UTC 1995 |
<valerie hugs selena back, rather enjoying the cheerful selena>
|
ajax
|
|
response 148 of 226:
|
May 11 14:41 UTC 1995 |
<back to arguing :-)> Ok, from the top, maybe clearer this time....
AdBarr (133): No one "forces" anyone to use their modem or terminal
to access a computer system. Where is the "force"?
AdBarr (137): I want other people to set up and run Grex, but I want
to use it according to my rules, not theirs. Otherwise
I am being "forced" to do something I don't want to do?
It's my contention that you can be "forced" to do things on Grex. Forced
password changes are trivial, but your argument could be made to apply to
anything. As an example, what if you had to type your name ten times every
time you logged in, or something equally useless? You shouldn't accept it
merely because "you aren't forced to log on to Grex," and "it's up to other
people to decide."
#137 implies that everyone should accept whatever rules are made by "other
people" who "set up and run Grex." Again, I disagree: members are *supposed*
to have a say in the rules.
|
peacefrg
|
|
response 149 of 226:
|
May 11 18:15 UTC 1995 |
I just joined this item, but I don't see the big deal here.
What's the problem with changing your password once a year?
It takes you 2 minutes. If that.
|