It's a blog.
In: Uncategorized, 29 Nov 2009
It’s easy to think of security as a negative action: keeping the bad guys out. A security guard is supposed to keep anyone bad from getting in, and question anyone suspicious. A firewall keeps out malicious network traffic. Anti-virus keeps bad software from running. Locks keep criminals and creeps from letting themselves in.
But security isn’t just the “negative,” keeping bad things from happening, at least in my book. Sometimes paranoid, “negative” security leads to what I think of as a less-secure environment. The other day I almost got locked out of my apartment. I think I want to give some neighbors — who are friends I’ve known for years — a set of keys. From a paranoid/negative-security standpoint, this makes me less secure: it’s like opening another hole in the firewall, or adding another window to a secure building. But overall, the odds of a criminal getting into my home are only nominally increased, while the odds of me getting locked out are greatly decreased. Security isn’t keeping the bad people out; it’s keeping the bad people out and letting the good people in.
I’m also locked out of my work e-mail. Exchange (perhaps Active Directory) forces me to change my password periodically. Since I don’t use Windows, this manifests itself as me losing all access to Windows-based network resources until I can get a Windows admin to let me reset my password. [Aside: I think forced password changes are often counter-productive. I'm usually royally annoyed and choose something mediocre so I can quickly get back to work. This is where "password1" and then "password2" come from. No, my passwords aren't that bad, but they're not 30 characters of random symbols, either.] I also learned the hard way that several incorrect login attempts lock the account out.
To me, this isn’t security. It’s insecurity. For all I know, I’m receiving urgent e-mails about servers being breached or odd behavior noticed on the firewall, or something equally important. But I’m oblivious, because I can’t get to my e-mail, and I have to wait until Monday to do anything about it. (It’s also a denial of service attack waiting to happen: if you have access to a list of employees, you can lock pretty much the whole office out.)
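The lockout-as-denial-of-service point above is easy to see in a small simulation. The following is an added example, not code from the post or from any Exchange or Active Directory setting it mentions: a hard per-account lockout (`HardLockout`) is compared with a per-source throttle (`SourceThrottle`) that slows down whoever is sending the failures but never locks the account itself. The class names, the credential store, the event stream and the addresses (documentation ranges) are all constructed for the example.

```python
from collections import defaultdict

# Constructed credential store for the simulation; not a real directory.
PASSWORDS = {"alice": "correct-horse", "bob": "battery-staple"}

# Constructed event stream: (time_s, user, password, source_ip). Someone at
# 203.0.113.9 sends six wrong passwords for alice; alice then logs in with the
# right password from her own address.
EVENTS = [(t, "alice", "guess-%d" % t, "203.0.113.9") for t in range(6)]
EVENTS.append((10, "alice", "correct-horse", "198.51.100.7"))


class HardLockout:
    """Lock the account after max_failures wrong passwords, whoever sent them."""

    def __init__(self, max_failures=5):
        self.max_failures = max_failures
        self.failures = defaultdict(int)
        self.locked = set()

    def attempt(self, user, password, source, now):
        if user in self.locked:
            return "locked"
        if PASSWORDS.get(user) == password:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.locked.add(user)  # stays locked until an admin resets it
        return "denied"


class SourceThrottle:
    """Slow down the source of the failures with a doubling delay; the account
    itself is never locked, so the real user from another address still gets in."""

    def __init__(self, base_delay=1.0, max_delay=300.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = defaultdict(int)         # per source address
        self.blocked_until = defaultdict(float)  # per source address

    def attempt(self, user, password, source, now):
        if now < self.blocked_until[source]:
            return "throttled"  # rejected before the password is even checked
        if PASSWORDS.get(user) == password:
            self.failures[source] = 0
            return "ok"
        self.failures[source] += 1
        delay = min(self.base_delay * 2 ** (self.failures[source] - 1), self.max_delay)
        self.blocked_until[source] = now + delay
        return "denied"


def simulate(policy, events=EVENTS):
    """Feed the event stream through a policy; return (time, source, outcome) per attempt."""
    return [(t, source, policy.attempt(user, password, source, t))
            for t, user, password, source in events]


def legitimate_user_gets_in(policy, events=EVENTS):
    """True if the final, correct login from the user's own address succeeds."""
    return simulate(policy, events)[-1][2] == "ok"


if __name__ == "__main__":
    for policy in (HardLockout(), SourceThrottle()):
        print(type(policy).__name__)
        for t, source, outcome in simulate(policy):
            print("  t=%2ds %-13s %s" % (t, source, outcome))
```

Under `HardLockout` the account is locked at the fifth failure and alice's correct login at t=10 is refused; under `SourceThrottle` the failing address is held off for growing intervals while alice still gets in. The throttle is keyed on the source, so it does not by itself stop failures spread across many addresses; the failure counts it keeps are what a monitoring system should be alerting on, and per-account counters can still be kept for detection without turning them into a lockout.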
Ultimately, a security guard isn’t a zealot who shoots anyone who looks suspicious. He’s the guy who denies bad guys access, but who will use his master key to let you into your own place when you lock yourself out, provided he’s positive it’s really you and not your doppelgänger.