[Techtalk] Administration, was Re: Hacked on Solaris
Dan Richter
daniel.richter at wimba.com
Wed Aug 28 16:12:35 EST 2002
Hi there. I'm going to say something you probably don't want to hear.
Hopefully you won't flame me to a crisp. :-)
The conflict between the IT guy and the boss is quite classic. Often the
boss, who thinks he knows everything (that's why he's the boss), tries to
push the system administrator to do something stupid. I know it; I've seen it.
But let's not forget that most people aren't programmers and find high
security to be a pain. For example, when forced to change their passwords
regularly, most people just tack the month/year on the end. Now, the
password "$i.php3" may be easy to remember for you and me, but it's enough
for most people to choose passwords other than their first names. And
remember that you're supposed to use different passwords for e-mail, PC
accounts, etc., etc. That's hard enough to do when the passwords don't
change; most people could never handle them if they changed - unless they
wrote them down.
Also, we all know that information should be locked up to prevent unwanted
access. But it should freely flow to the people who need it. While PHBs
err towards making it available, programmers err towards locking it up. The
information can't be both easily available and locked away securely. There
have to be sacrifices both ways. Think about the traveling salesman: must
he be cut off from the company for days at a time?
The point is not that security is bad; just that it's not the only thing to
consider. The system administrator is responsible not only for making the
system secure, but also for making it usable. So think about the poor user
sometimes.
I think I'll go crawl into a hole now before the napalm starts dropping. ;-)