[Techtalk] Administration, was Re: Hacked on Solaris

Dan Richter daniel.richter at wimba.com
Wed Aug 28 16:12:35 EST 2002


Hi there. I'm going to say something you probably don't want to hear. 
Hopefully you won't flame me to a crisp.   :-)

The conflict between the IT guy and the boss is quite classic. Often the 
boss, who thinks he knows everything (that's why he's the boss), tries to 
push the system administrator to do something stupid. I know it; I've seen it.

But let's not forget that most people aren't programmers and find high 
security to be a pain. For example, when forced to change their passwords 
regularly, most people just tack the month/year on the end. Now, the 
password "$i.php3" may be easy to remember for you and me, but it's enough 
for most people to choose passwords other than their first names. And 
remember that you're supposed to use different passwords for e-mail, PC 
accounts, etc., etc. That's hard enough to do when the passwords don't 
change; most people could never handle them if they changed - unless they 
wrote them down.

Also, we all know that information should be locked up to prevent unwanted 
access. But it should freely flow to the people who need it. While PHBs 
err towards making it available, programmers err towards locking it up. The 
information can't be both easily available and locked away securely. There 
have to be sacrifices both ways. Think about the traveling salesman: must 
he be cut off from the company for days at a time?

The point is not that security is bad; just that it's not the only thing to 
consider. The system administrator is responsible not only for making the 
system secure, but also for making it usable. So think about the poor user 
sometimes.

I think I'll go crawl into a hole now before the napalm starts dropping.   ;-)
