If you tell enough stories, perhaps the moral will show up.


Commuter 2

Today I found out how Champagne sales ladies sell lots of Champagne to restaurateurs.

The glamorous lady opposite me on the train home was working very hard and very loudly on her phone shifting cases of "Pol" and arranging visits. Normally I'm a bit irked by the louder sort of commuter, but she was charming: her blouse didn't even pretend to have any buttons above the bottom of her sternum, and her push-together bra was working as hard as she was. She leant forward every time she wrote down a sale or an appointment. Those visits must have been devastating.

Commuter 1

Today I popped out at lunchtime to buy a new raincoat. It was a bit cold, but I didn't really need it today.

During the afternoon it began to rain heavily. How splendid is that?


The Userid Con

Activity logs are good. We grant all sorts of access to staff "merely" because they can't do their jobs without it, and trust them not to abuse it. The way Ronald Reagan put this was "trust, but verify," and he was right. Audit logs are our verification. My first security effort here was to replace a shared admin userid with personal IDs, simply to make the logs mean something, and it's probably the most useful single thing I've done.

So, we configure the systems to generate logs, and we squirrel them away safely and the auditors and investigators are profoundly happy. But if we ever want to use them as evidence there's a little con trick we have to carry off first. That trick is called "User equals userID".

It's a con because it's untrue, and we depend on users not knowing it's untrue. Ask yourself, where you work, which has the worse career outcome: a) "yes, I sent those emails" or b) "everyone knows I leave my password on a note under my keyboard"? If you're like my employers, admitting password sloppiness is going to go a lot better, especially if you've been doing the sort of thing people get investigated for. I sometimes wonder how many people have lost their jobs or reputation after assuming that logs with their name on were irrefutable evidence, when they could have hung on by saying that someone else was on their account. It must be a lot. I've seen this benign con work in environments where no-one even pretends to have a secret password.

Perhaps it's not totally grim. A single event may be deniable, but a pattern or a sequence of offending behaviours is much harder to walk away from. And a good evidence recovery can cause people to collapse when they are shown exact texts, pictures, times.

We can deal with this:

  1. Let's look again at the rules on password sharing in the AUP. And,
  2. I think it's time to dust off that plan for smartcard tokens -- they are hard to share accidentally.

But in the meantime, well now, I think we'd better keep this to ourselves. Otherwise, there'll be a password under every keyboard in your firm.

Authentically Spooky

Well, I was walking home along the lane last night -- I'd just passed a batch of trick-or-treaters -- when I heard a cat calling. I couldn't see it though, until we passed the neighbour's lamp.

I crouched down to stroke her and ask her name and she circled me, rubbing my legs and crooning. She was big, black and shiny, the blackest cat I ever saw, with yellow eyes and she liked me enough to follow me home.

She was through the door as soon as it opened and making herself at home nosing around the kitchen. Mrs U fed her but drew a line when she started to explore the beds upstairs. The kitten scarpered, the more mad cat maintained a glaring distance and Fleabag just kept out of the way. I canvassed the lane, but no-one knew where she came from. I made her a bed in the freezer room -- warmer than it sounds -- and put her in it so she knew where it was, but I don't know if she stayed.

For maximum Halloween effect, she ought to have vanished by morning, but at 05:10 she picked me up by the gate and followed me down the lane and halfway across the field, calling all the way. I hope she goes back indoors.