Ofcom Do Security

Francis Davey fjmd1a at gmail.com
Fri Aug 6 08:23:41 BST 2010 

On 6 August 2010 08:00, Ian Batten <igb at batten.eu.org> wrote:
>
> The end result is that their elaborate password "security" is reduced to the
> password on my email account, which they cannot know the strength of,
> because I am resettting for every purchase.  I've complained, but they
> haven't had the courtesy to do more than forward it to their developers.
> Guidelines for systems handling sensitive personal data or protectively
> marked material are I think less stringent.  It's a classic case of letting
> the geeks play at security without actually thinking about usability issues.
>

This was (roughly) the casus belli that caused me to give up my career
as a sysadmin.

A new boss had appeared in the firm - the "deployment manager" - but
we weren't quite ready to deploy so he was bored and had nothing to
do. He was given my team to manage and managed to do considerable
damage in his short career.

One day he breezed in and said "right, we are going to have a password
system that resets everyone's password on the first of each month and
that will store all previous passwords and prevent you from re-using
any". He absolutely could not see any problem with this. Anyone I'd
hire as a sysadmin should see instinctively that why this is almost
certainly wrong (with exceptional rare cases perhaps).

Worse, we had a mixture of machines using NT style windows passwords
and linux/solaris boxes. At the time there was no straightforward way
of managing passwords for both sets of systems and so everyone
resetting their passwords would have to do so twice and in about 50%
of cases where they had no easy access to NT systems would have to ask
me to do so (or ask a friend who did).

Even this didn't persuade him at first. Initially he tried a "and
that's an order" (her literally used those words - amazing) on me.
Eventually he conceded that it might not be our first priority.

I was by that time convinced that I wanted to do a job that was (a)
less stressful (b) less complicated and (c) where people would respect
my expertise rather than ignore it. So I became a barrister.

(he was dismissed from the company a relatively short time after I
left, so there's a happy ending 8-).

-- 
Francis Davey

More information about the ukcrypto mailing list