First, in my opinion you're not in keeping with the spirit of the "real name" request (and, in my opinion, you know this).
Second, you called me "a special kind of narcissist." Technically you only implied it, I suppose.
Shared training credentials leaking via the CNN report is a total red herring. There are so, so, so many reasons not to have training accounts on production systems and to not have real data on training instances that anyone who does this (company prohibition or no) is lazy and unprofessional. The bonus is, if this is done, there's no reason to worry about training credentials being revealed.
Really, what's the alternative? Create unique training accounts and high-entropy passwords for every user for every class? How will these credentials be transmitted to the user? If it's in writing, you know some third party would eventually get their hands on that and blow it out of proportion too (even if these unique accounts were deleted at the end of the training session since the bias on the internet seems to be to assume that everyone who is not you is a complete moron).
Michael, name calling isn't very productive. It's an easy thing to do while cloaked in the anonymity of the internet (and while disregarding Techdirt's request to use your real name), but I wonder if you would speak to someone like that in person.
Back to the LAPD: Why do you assume it isn't dummy data? In addition to leading classes, I have also attended dozens and NEVER ONCE has the training system had real data. We don't even use real data in our dev environments-- only UAT and production have real data. AFAIK, this is industry standard. If they have real data on a training instance, THAT is the REAL mistake.
Who cares? I have run IT training many times where I put the shared login up on a whiteboard. It's pretty standard practice to have an isolated training instance and to load dummy data so you don't have to worry about specific user rights.
Save all the hate for real security screw-ups. Piling on to this one just looks like petty cop-hating.
Techdirt has not posted any stories submitted by Matt Goff.