And all in the name of security

Over the years (which, in truth, means far more years than I am prepared to admit to) I have seen a trend in limiting access to functionality and settings on the company computer.  Many reasons have been given, including:

  • to protect the settings;
  • to stop users breaking it; and
  • to maintain consistency.

And recently the main reasons given are often to do with security: protecting our assets, or preventing malicious attacks.  And the more that the devices are locked down, the less that some people can self-resolve; the more that devices are secured, the more exceptions that have to be made for developers and certain types of individual.  The more secured we are the more we pay in security, software, and resolver groups.

But if you are a target then you have to have the security – you can’t just open the doors and let everyone in.  The inside must be protected from marauders, whether they want to steal your secrets (as in the IT example) or blow up your cities (a more traditional security consideration).

So, in the name of security we accept constraints to our daily lives: we undergo searches when we board aircraft, we accept CCTV beyond even Orwellian imagination, and we are tracked by numerous databases in every aspect of our daily life.  Some of these are more intrusive than others, some are easier to forget, but all are sold as making our lives more secure and to help us sleep at night. And we probably do sleep more soundly in our cocoon of protection.

If I protect my house with high security locks and a burglar alarm does that mean that I won’t be burgled? As far as opportunists go, yes it probably does.  But I can’t guarantee security against a determined thief who will find the weak points.

And that’s essentially my point – we have a lot of protection against a known (or perceived) threat, and that’s all to the good.  But what if the opposition isn’t necessarily all about harm or destruction? What if their aim is to add complexity, cost, and obstruction? If this is the case, have they already won?

There is no wholly right or wrong answer; countermeasures are implemented against a perceived threat landscape.  But on this occasion I just want to pose a counter-argument to promote a bit of thought.

The perils of the cloud

Hardly an issue of any IT journal goes by without mentioning the efficiencies which can be achieved through cloud computing – and as recent blogs will attest, I’m a big fan of Dropbox and Evernote. Not only can such services help efficiency, but there are economies of scale to be achieved too.

Simplicity and efficiency in this context come at a price.  The cost in cash terms to “run and maintain” is easy to quantify – but how is your risk appetite for fines and imprisonment, just for saving to the cloud?  I can hear lawyers everywhere sucking in their breath!

Imagine the scenario:

Self-defence, shooting burglars, and sexual harassment

A headline caught my eye recently: “No charges for Oklahoma teen mother who called 911 to ask permission to kill burglar”.  The story is about a woman who called police to ask if she could shoot an intruder if he entered her home. He entered; she killed him with a shotgun.  In a country where gun ownership is prevalent, and in some communities even encouraged, you would think that would be a deterrent to burglars and other intruders.  But with 215 justifiable homicides in 2009, it would seem not.

But what is a deterrent? The death penalty? Abolition of hanging in the UK didn’t appreciably increase the murder rate, and death row is overflowing in the USA.

Perhaps people living in a great environment are less inclined towards crime? The government of the Seychelles would disagree.

Fear of being caught maybe? Anecdotal evidence suggests that, rather like Norman Stanley Fletcher, imprisonment is simply viewed as an occupational hazard – and for some even an educational opportunity.

So, if there is no adequate deterrent, should we be allowed to shoot burglars – or, in the UK where we can’t own guns, perhaps politely berate them with a golf club?

Passwords – and what is secure enough?

As I returned to work this morning after ten days off, I took a moment to see if I could remember my password.  As it happens, I was successful and (unlike a few others) logged in first time.  But this got me thinking about passwords – and whether we set them sensibly.

If I can make a fundamental assumption that not everyone can remember long, complex passwords, then there are three basic areas I’d like to consider:

Appropriateness

Like pretty much everyone else, I have a variety of userids and passwords.  For example, I have one set for my bank, another for an online game, yet another for WordPress.  Would anyone disagree that the password which protects my money is more important than the one which guards an online game? Which should be more complex, and which should I protect more diligently?

The security level of the password used for any purpose should be commensurate with the damage which could be caused if it were compromised – more damage to my bank account than to a game which I could recreate, for example.

How, I hear you cry, can I determine the security level? I’m glad you asked …