I need a good boffin.

Dr. Medulla
Atheistic Epileptic
Posts: 115993
Joined: 15 Jun 2008, 2:00pm
Location: Straight Banana, Idaho

Re: I need a good boffin.

Post by Dr. Medulla »

revbob wrote:
02 Mar 2023, 12:07pm
Dr. Medulla wrote:
02 Mar 2023, 11:51am
So my school's IT has introduced a new set of security protocols for mobile devices. Basically another round of PIN entry in case your phone or tablet is stolen. However, for it to work, you need to switch your email client to Outlook. In other words, you won't be able to access your university account if you rely on non-Microsoft products. Like Apple's Mail app. The whole thing smells to me like Microsoft forcing its clients to switch to all their products. If someone steals my phone and can break my first PIN to get in, it seems reasonable to think that they'll be able to break the next PIN (which for most people is likely going to be the same six-digit code) to access Outlook or Word or whatever. The Boss and I have already taken the "temporary" opt out and I've said that unless they let me use the apps of my preference—i.e., Mail—I just won't be getting university mail on my mobile devices (and isn't that a good and productive thing). Never thought I'd say this, but I hope some asshole law prof decides to get on their high horse about this.

More amusing, I got my official acknowledgement this morning:
Screen Shot 2023-03-02 at 10.38.48 AM.png

They want us to jump thru their hoops of quality control and yet their auto-response includes that?
IT people love people like you.
Here's the thing: I already have a PIN and face ID to open my phone. What purpose does another PIN/face id serve? And in the q & a session they did, they couldn't explain it. They just kept on repeating as a mantra, "If your phone is lost or stolen, this protects you."
"I never doubted myself for a minute for I knew that my monkey-strong bowels were girded with strength, like the loins of a dragon ribboned with fat and the opulence of buffalo dung." - Richard Nixon, Checkers Speech, abandoned early draft

Dr. Medulla
Atheistic Epileptic
Posts: 115993
Joined: 15 Jun 2008, 2:00pm
Location: Straight Banana, Idaho

Re: I need a good boffin.

Post by Dr. Medulla »

revbob wrote:
02 Mar 2023, 12:28pm
I don't use my personal phone to access work resources. I won't use the guest wifi either.
We have to. If you access a computer at school, to get into your account you need to do the MFA thing. Which requires a mobile device. I mean, I never owned a cell phone until MFA forced me to get one.

revbob
Unknown Immortal
Posts: 25332
Joined: 16 Jun 2008, 12:31pm
Location: The Frozen Tundra

Re: I need a good boffin.

Post by revbob »

Dr. Medulla wrote:
02 Mar 2023, 12:36pm
revbob wrote:
02 Mar 2023, 12:28pm
I don't use my personal phone to access work resources. I won't use the guest wifi either.
We have to. If you access a computer at school, to get into your account you need to do the MFA thing. Which requires a mobile device. I mean, I never owned a cell phone until MFA forced me to get one.
Many places still offer a hard token to use but an MFA authenticator isn't that intrusive to have on your personal phone. I have a separate work phone so it is much easier to skirt any of that crap on my personal phone.

Dr. Medulla
Atheistic Epileptic
Posts: 115993
Joined: 15 Jun 2008, 2:00pm
Location: Straight Banana, Idaho

Re: I need a good boffin.

Post by Dr. Medulla »

revbob wrote:
02 Mar 2023, 1:25pm
Dr. Medulla wrote:
02 Mar 2023, 12:36pm
revbob wrote:
02 Mar 2023, 12:28pm
I don't use my personal phone to access work resources. I won't use the guest wifi either.
We have to. If you access a computer at school, to get into your account you need to do the MFA thing. Which requires a mobile device. I mean, I never owned a cell phone until MFA forced me to get one.
Many places still offer a hard token to use but an MFA authenticator isn't that intrusive to have on your personal phone. I have a separate work phone so it is much easier to skirt any of that crap on my personal phone.
That was an initial option but it was temporary—gotta get a smartphone for MFA, I was told. And, it turned out, they were either ignorant or lying about that. I found out afterwards that I could use my iPad, which is wifi-only, to do the MFA. Nope, we were told, gotta be a smartphone. (Similarly, it was only thru multiple emails that The Boss found out that we couldn't use Mac's Mail app. There are tons of OSX and iOS users on campus, so you'd think they'd be front and centre explaining that it wouldn't be allowed and why. But nope, either ignorance or stonewalling.) I'm fine with jumping thru some hoops if it's properly explained to me—like, MFA is a bit of a pain but I get the argument and accept its rationale—but the experiences with the IT people here have exhausted my tolerance and trust.

revbob
Unknown Immortal
Posts: 25332
Joined: 16 Jun 2008, 12:31pm
Location: The Frozen Tundra

Re: I need a good boffin.

Post by revbob »

Dr. Medulla wrote:
02 Mar 2023, 1:51pm
revbob wrote:
02 Mar 2023, 1:25pm
Dr. Medulla wrote:
02 Mar 2023, 12:36pm
revbob wrote:
02 Mar 2023, 12:28pm
I don't use my personal phone to access work resources. I won't use the guest wifi either.
We have to. If you access a computer at school, to get into your account you need to do the MFA thing. Which requires a mobile device. I mean, I never owned a cell phone until MFA forced me to get one.
Many places still offer a hard token to use but an MFA authenticator isn't that intrusive to have on your personal phone. I have a separate work phone so it is much easier to skirt any of that crap on my personal phone.
That was an initial option but it was temporary—gotta get a smartphone for MFA, I was told. And, it turned out, they were either ignorant or lying about that. I found out afterwards that I could use my iPad, which is wifi-only, to do the MFA. Nope, we were told, gotta be a smartphone. (Similarly, it was only thru multiple emails that The Boss found out that we couldn't use Mac's Mail app. There are tons of OSX and iOS users on campus, so you'd think they'd be front and centre explaining that it wouldn't be allowed and why. But nope, either ignorance or stonewalling.) I'm fine with jumping thru some hoops if it's properly explained to me—like, MFA is a bit of a pain but I get the argument and accept its rationale—but the experiences with the IT people here have exhausted my tolerance and trust.
I think it will basically come down to they have no control of imail or applemail or whatever on your personal phone. But if you're using Outlook, that is an app they will have some control over.

oliver
Graffiti Bandit Pioneer
Posts: 1344
Joined: 27 Jun 2008, 11:55am

Re: I need a good boffin.

Post by oliver »

Dr. Medulla wrote:
02 Mar 2023, 1:51pm
That was an initial option but it was temporary—gotta get a smartphone for MFA, I was told. And, it turned out, they were either ignorant or lying about that. I found out afterwards that I could use my iPad, which is wifi-only, to do the MFA. Nope, we were told, gotta be a smartphone. (Similarly, it was only thru multiple emails that The Boss found out that we couldn't use Mac's Mail app. There are tons of OSX and iOS users on campus, so you'd think they'd be front and centre explaining that it wouldn't be allowed and why. But nope, either ignorance or stonewalling.) I'm fine with jumping thru some hoops if it's properly explained to me—like, MFA is a bit of a pain but I get the argument and accept its rationale—but the experiences with the IT people here have exhausted my tolerance and trust.
We were told we had to use the MS Authenticator app on a smartphone too. Turns out the TOTP part of KeePassXC (which I use on Linux/Android) works without a problem (at the cost of having to enter a code rather than clicking 'approve').
That was two years ago and I still don't have MS Authenticator on my phone.
Putting a little stick about. Putting the frighteners on flash little twerps

Dr. Medulla
Atheistic Epileptic
Posts: 115993
Joined: 15 Jun 2008, 2:00pm
Location: Straight Banana, Idaho

Re: I need a good boffin.

Post by Dr. Medulla »

revbob wrote:
02 Mar 2023, 2:14pm
Dr. Medulla wrote:
02 Mar 2023, 1:51pm
revbob wrote:
02 Mar 2023, 1:25pm
Dr. Medulla wrote:
02 Mar 2023, 12:36pm
revbob wrote:
02 Mar 2023, 12:28pm
I don't use my personal phone to access work resources. I won't use the guest wifi either.
We have to. If you access a computer at school, to get into your account you need to do the MFA thing. Which requires a mobile device. I mean, I never owned a cell phone until MFA forced me to get one.
Many places still offer a hard token to use but an MFA authenticator isn't that intrusive to have on your personal phone. I have a separate work phone so it is much easier to skirt any of that crap on my personal phone.
That was an initial option but it was temporary—gotta get a smartphone for MFA, I was told. And, it turned out, they were either ignorant or lying about that. I found out afterwards that I could use my iPad, which is wifi-only, to do the MFA. Nope, we were told, gotta be a smartphone. (Similarly, it was only thru multiple emails that The Boss found out that we couldn't use Mac's Mail app. There are tons of OSX and iOS users on campus, so you'd think they'd be front and centre explaining that it wouldn't be allowed and why. But nope, either ignorance or stonewalling.) I'm fine with jumping thru some hoops if it's properly explained to me—like, MFA is a bit of a pain but I get the argument and accept its rationale—but the experiences with the IT people here have exhausted my tolerance and trust.
I think it will basically come down to they have no control of imail or applemail or whatever on your personal phone. But if you're using Outlook, that is an app they will have some control over.
And I've got a serious problem with them wanting control over how I send and receive email on my phone or iPad. If the university wants to issue me a work phone for that shit, cool, I'll follow all their rules. Or if they decide, nope, Outlook or nothing on your personal phone, fine, then everyone associated with the university has to accept that unless I'm at home, they can't reach me by email. And, again, this is over a new security protocol whose need they haven't explained. Why is one PIN or fingerprint or face id suddenly unsafe now? I'm not just being obstinate for no good reason. If I can't see the argument myself and they can't explain it, I fail to see why I should just trust them.

Dr. Medulla
Atheistic Epileptic
Posts: 115993
Joined: 15 Jun 2008, 2:00pm
Location: Straight Banana, Idaho

Re: I need a good boffin.

Post by Dr. Medulla »

oliver wrote:
02 Mar 2023, 2:17pm
Dr. Medulla wrote:
02 Mar 2023, 1:51pm
That was an initial option but it was temporary—gotta get a smartphone for MFA, I was told. And, it turned out, they were either ignorant or lying about that. I found out afterwards that I could use my iPad, which is wifi-only, to do the MFA. Nope, we were told, gotta be a smartphone. (Similarly, it was only thru multiple emails that The Boss found out that we couldn't use Mac's Mail app. There are tons of OSX and iOS users on campus, so you'd think they'd be front and centre explaining that it wouldn't be allowed and why. But nope, either ignorance or stonewalling.) I'm fine with jumping thru some hoops if it's properly explained to me—like, MFA is a bit of a pain but I get the argument and accept its rationale—but the experiences with the IT people here have exhausted my tolerance and trust.
We were told we had to use the MS Authenticator app on a smartphone too. Turns out the TOTP part of KeePassXC (which I use on Linux/Android) works without a problem (at the cost of having to enter a code rather than clicking 'approve').
That was two years ago and I still don't have MS Authenticator on my phone.
So are the IT people ignorant about what is necessary (not a comforting thought) or are they bullshitting (also not comforting)?

Flex
Mechano-Man of the Future
Posts: 35802
Joined: 15 Jun 2008, 2:50pm
Location: The Information Superhighway!

Re: I need a good boffin.

Post by Flex »

The only times I've had an IT dept have control over my email, passwords and so forth, the companies also helped subsidize my phone and paid for my mobile plan, so I was like "sure, whatever." I probably would have preferred a work phone (having a separate work laptop was always nice) but it was always kind of a pain. At one point in my life I'd have had to carry around 3 different phones which wasn't going to happen.

I agree IT departments are almost always horrible at explaining the underlying logic of why we need to do x, y or z. I know enough about tech to at least usually be able to explain why we're doing stuff to less inclined coworkers, but I instinctually rankle at complying with orders that come with a message of "just do it because we say so."
Wiggle, wiggle, wiggle like a bowl of soup
Wiggle, wiggle, wiggle like a rolling hoop
Wiggle, wiggle, wiggle like a ton of lead
Wiggle - you can raise the dead

Pex Lives!

Flex
Mechano-Man of the Future
Posts: 35802
Joined: 15 Jun 2008, 2:50pm
Location: The Information Superhighway!

Re: I need a good boffin.

Post by Flex »

I should add that I'm actually pretty sympathetic to IT departments too, whining above aside. Trying to implement standardized protocols across what are often a huge spectrum of devices - and dealing with as many different sorts of people - is pretty challenging. And when it comes to security, a combination of user ineptitude and always increasingly sophisticated methods of attack, don't make things easier.

Dr. Medulla
Atheistic Epileptic
Posts: 115993
Joined: 15 Jun 2008, 2:00pm
Location: Straight Banana, Idaho

Re: I need a good boffin.

Post by Dr. Medulla »

Flex wrote:
02 Mar 2023, 2:49pm
I should add that I'm actually pretty sympathetic to IT departments too, whining above aside. Trying to implement standardized protocols across what are often a huge spectrum of devices - and dealing with as many different sorts of people - is pretty challenging. And when it comes to security, a combination of user ineptitude and always increasingly sophisticated methods of attack, don't make things easier.
The latter is something I do sympathize with them over. Academics are, fancy degrees and titles aside, some of the most clueless people alive. That they might be sloppy with security doesn’t surprise me.

revbob
Unknown Immortal
Posts: 25332
Joined: 16 Jun 2008, 12:31pm
Location: The Frozen Tundra

Re: I need a good boffin.

Post by revbob »

Dr. Medulla wrote:
02 Mar 2023, 3:14pm
Flex wrote:
02 Mar 2023, 2:49pm
I should add that I'm actually pretty sympathetic to IT departments too, whining above aside. Trying to implement standardized protocols across what are often a huge spectrum of devices - and dealing with as many different sorts of people - is pretty challenging. And when it comes to security, a combination of user ineptitude and always increasingly sophisticated methods of attack, don't make things easier.
The latter is something I do sympathize with them over. Academics are, fancy degrees and titles aside, some of the most clueless people alive. That they might be sloppy with security doesn’t surprise me.
You accessing your phone via a PIN or whatever is also not the same as an app on your phone accessing the email server.

I'm so glad I don't work with end users. They are mostly terrible, especially in an educational setting. Also users in general do what they are told they shouldn't and then act surprised or blameless when something goes wrong.

Flex
Mechano-Man of the Future
Posts: 35802
Joined: 15 Jun 2008, 2:50pm
Location: The Information Superhighway!

Re: I need a good boffin.

Post by Flex »

revbob wrote:
02 Mar 2023, 3:57pm
I'm so glad I don't work with end users. They are mostly terrible, especially in an educational setting. Also users in general do what they are told they shouldn't and then act surprised or blameless when something goes wrong.
I mean, I think this is part of the problem. IT solutions seem to rarely be tailored to actually take into account real world behavior. That "change your password every X days" guidance is a good example. In a vacuum it made some sense, but practically it just encouraged everyone to make even more braindead passwords and come up with a bunch of insecure ways of remembering them and so guidance has (finally) changed to counsel against doing that.

I don't know if there's really great solutions. End users want things to not take extra time and not have to remember anything, and obviously IT security requires like... the opposite of that. But I'd say any protocols that add extra layers of memorization or time should bake into the analysis of its effectiveness that most people will try to make a new code/app/password take as little time or extra mental bandwidth as possible.

Personally, I HATE those authenticator apps but have finally, begrudgingly migrated to using them after reading up on the flaws of SMS 2FA. But that puts me in the company of, what, 1% of the population? Less? It seems like security needs to take into account how users will actually behave. And, I dunno, maybe having email and document access and whatnot not just be readily available in everyone's pocket all the time and instead only available under more directly secure conditions is the ultimate move towards security. I think a lot of people would be secretly happy with that, although probably not the bosses who have gotten used to 24/7 access to employees.

Addendum: I realized I'm sort of conflating two discussions: one on business/corporate IT security and one on just general best practices for an end user when it comes to personal security. For the former, I think moving to just more direct corporate controlled stuff makes sense and just accepting it's going to necessarily limit business access to employees to some extent. For the latter, I'd imagine services like 1password are the way to go to hit the security/ease of use sweet spot, but I don't know how you convince most people to spend the time (and money) to migrate to a service like that. I'm actually doing that myself right now and it's tedious a.f. and once I'm done I know I have more hours of setting things up for my wife. Bleh.
Last edited by Flex on 02 Mar 2023, 4:40pm, edited 1 time in total.

Flex
Mechano-Man of the Future
Posts: 35802
Joined: 15 Jun 2008, 2:50pm
Location: The Information Superhighway!

Re: I need a good boffin.

Post by Flex »

In any case, revbob can hack into my phone if he comes to SLAPSHOT next weekend!!!!

oliver
Graffiti Bandit Pioneer
Posts: 1344
Joined: 27 Jun 2008, 11:55am

Re: I need a good boffin.

Post by oliver »

Dr. Medulla wrote:
02 Mar 2023, 2:28pm
So are the IT people ignorant about what is necessary (not a comforting thought) or are they bullshitting (also not comforting)?
I think they just don't want to support every possible authenticator, which is understandable, but I wish they'd say something like "the only supported method is xyz" rather than "you have to install xyz".