[Techtalk] Administration, was Re: Hacked on Solaris

Caitlyn Martin cmartin at rateintegration.com
Wed Aug 28 10:57:25 EST 2002

Hi, Dan,
> Also, we all know that information should be locked up to prevent
> unwanted access. But it should freely flow to the people who need it.
> While PHB's err towards making it available, programmers err towards
> locking it up. The information can't be both easily available and
> locked away securely. There have to be sacrifices both ways. Think
> about the traveling salesman: must he be cut off from the company for
> days at a time?
> The point is not that security is bad; just that it's not the only
> thing to consider. The system administrator is responsible not only
> for making the system secure, but also for making it usable. So think
> about the poor user sometimes.

The fact is that reasonable security can be in place without pain to
users and many companies don't bother.  I've had users complain that
there was a password at all, or else complain that they had to change it
(with no restrictions whatsoever) every 90 or 180 days.  I've had users
complain that they aren't given root on a UNIX box (and, like, what
can't you do with sudo -s if you have all privileges?) or that root
passwords are different from box to box.  Too bad.  These same users
will call for my head if they are hacked and their work is touched, or
if they are down for more than five minutes.

Sorry, the "give the poor user a break" spiel just does not cut it with

The admin should try to make security as painless as possible, granted. 
Tell me, what is harder about ssh <machine name> than telnet <machine
name> or rlogin <machine name>?  Nothing.  It's just a matter of
instilling good habits into the user community and taking away the
really bad ones.  People are resistant to *any* change.  That isn't an
excuse for bad or no security.

Admins who don't install patches or set up good central authentication
schemes are equally at fault.  

The key is to create the best, most secure environment possible with the
least impact on users possible.  Still, users do not have the right to
tell me that they don't want anti-virus signature downloads on their
Windows box.  It's company policy to have an up-to-date AV program, and
that policy is there for good reason.

PHBs?  Part of an admin's job is to make sure that they understand that
you value their work and you are trying to protect it for them.
