Yes, this is me, sporting the four-digit Slashdot ID. I'm not certain, but that might actually pre-date Google.
Yes, those are some hard qualifications to meet. Most people would suffer from insomnia, depression, and a host of other maladies just from encountering even a few of those problems.
This is merely a distraction from the actual problem that freedom of the press is as big of a joke as freedom of speech and freedom of assembly. If you want any of those 'freedoms' you basically have to bribe someone for them or you get thrown in jail for daring to use them.
Net-security.org, for their part, are only inflaming matters further by restating things in an even more inflammatory manner.
Basically, you need to ask something that this article neglects to question: Did 26% of the respondents merely say they were aware of other employees *using* the shared passwords, or did it specifically detail abuse of a shared password to gain unauthorized access to information that, ethically speaking, they shouldn't be going anywhere near? Both of those cases are considered felonies, by the way. It's very easy for someone to argue that *any* shared password use is an "abuse" and that any information access from that point is "illicit"--but without knowing specifically what question was asked, these "results" are more likely just a distortion of fact in order to sell products and services.
I am personally aware of shared passwords in many organizations. I am also occasionally privy to information I shouldn't be--specifically, people's emails. The key difference being, I *don't want to know*. I, and thousands of admins like me, wind up seeing your boring little emails while trying to figure out why they didn't arrive in your inbox already. Over time, we develop the ability to be self-redacting and immediately forget what was just on our screens--because not being able to do that means being burdened with other people's secrets that you'd feel better not knowing. This is a far, far cry from the sort of "abuse" this report pretends to show, but vendors loooove to construe one as the other in order to sell service contracts.
Frankly, this doesn't sound any more realistic than the old one about employees giving up their passwords for a candy bar. What you don't get told about those is that the employees are usually being told they have to give their password up to their immediate supervisor, and not being given any guidance as to why they're being directly ordered to violate company policy. In most offices, people who ignore direct orders being given by a live person over something written on a policy paper tend to suffer bouts of sudden and chronic unemployment--so... plenty of reason to "violate policy" there, normally "secure" employees are going to capitulate for that kind of request. Then the people doing the "analysis" stand around later and say "oh my gosh people give up their passwords for no reason!". I've personally been given such a request in the past, and frankly since I was being directly instructed to do so, I turned over a hand-written copy of my password on the form provided...or at least, what my password was at that specific moment in time. Since I'm a twisted bastard I made up a new password just for them, set it in the system and then filled in the blank.
Don't be a gullible noob. Trust no "survey" coming from a vendor selling a related product unless you are being shown the exact details of the survey--because they're going to lie about it. Of that you can be sure.
Release it already.
The 90's were great because there were active threats from all sides, spurring people to meet the challenge with actual defenses against the mayhem. By comparison now things are much more secure, but they are also incredibly less exciting, and markedly less progressive. If developers/coders are driven by a need to scratch an "itch" then by all means let's make things itchy again.
The software is non-malicious you say? Great! If nothing else it'll serve as some things for people to think about as they continue to develop their environments, and at the very least it sounds like you may have identified some genuinely soft spots in the current generation of Linux distributions. You would be far from the first person to post non-malicious proof-of-concept code to, say, Bugtraq. This is not new ground--no one is going to claim you did something wrong by publishing.
Release it already!
Either we're tough enough to handle it, or we'll get tough enough to handle it.
What I don't get is how this slipped past their attorney without him realizing it actually constitutes a violation of the Computer Fraud and Abuse Act.
Follow along with me carefully here...
The TOS of most of these sites only allows the individual to use their account for their own uses, and generally explicitly forbids sharing the account with anyone for any reason (barring the strange convolutions of minor-guardian relationships). Doesn't matter what Bozeman puts on the form--it doesn't and can't change the existing agreement between the user and the social networking site.
Violating the TOS basically invalidates the account, meaning it's very much not okay for someone other than the actual account owner to use it.
That's absolutely using a set of authentication credentials to exceed one's access knowingly, because it doesn't matter *what* the girl from HR was doing in that Facebook account--it's not their account, the owner can't legally give it to them, and Facebook expressly prohibits anyone other than the account owner from using it. This is rather explicitly illegal and has been for oh, about twenty years now.