Admins Without a Clue
by Kevin Crow
Here is a collection of quotes, gathered over the recent past, each expressing a position on security that I would like to entitle "Famous Last Words."
"If someone's hacked our system, we'd certainly like to know about it, although it's very doubtful; more likely, this is just someone trying to make you nervous."
Here we have the system administrators of Netcom Communications, out of San Jose, California, responding to a very real hack on their system. This kind of attitude towards security will oftentimes lead to disaster.
"Sorry for not responding sooner. :) As per our other email, your account has been restored. Your home directory was accidentally misplaced due to our error."
In another letter, Netcom actually blamed themselves, not even considering the possibility that an intruder was responsible. Way to go!
"Your home directory has been restored. Please let us know if you have any more trouble."
These sorts of security hacks are oftentimes directed at one person specifically, but sometimes they can be much more malicious. Perhaps next time there is "more trouble" they won't need to be told; they'll find out for themselves when they're staring directly at empty disks.
"We have no record of removing your account, but we apologize for any inconvenience we have caused."
Again, if they refuse to keep their eyes open, they may have no records at all!
Now I'd like to move on to another collection. This one comes from a university computer science system. In the words of the system admin:
"About 40 percent of the passwords on the computer science system have been cracked."
At least in this case, the security administration was admitting to problems.
"If you leave lollipops sitting in front of the store, somebody's going to take one."
"It's not possible to make a system completely secure."
Yes, this is true. But there are at least certain measures that can be taken so that compromising system security isn't as easy as picking lollipops off the floor.
"If people become more aware of the possible penalties, there will be many fewer people that will be willing to take those risks."
This is not a solution to system security, as oftentimes there is simply no way to track down the people involved. Threats like these may instead read as a challenge in the eyes of some system crackers.
"The system is secure from everyone who is properly using the system."
Brilliant. Now that they've mastered that, perhaps it would be a good idea to secure the system from those who aren't using it properly! Security is a constant concern. Security isn't set up to keep out the people who aren't going to try to come in anyway. If it were, it wouldn't be called security.
"I don't think we'd use that standard for any other phase of our lives."
Well, it seems to me that if "that standard" isn't used for any phase of his life, then maybe he should consider his arrogance toward computer security, and do something about it. Otherwise, he really is taking no action toward computer security.
I hope that those of you reading this will learn from these examples of arrogance. While it's not always possible to spend time securing a system, the first step is recognizing that a security problem can exist.