February 23, 2005
Unfortunately, in computer security, login and passwords are the de facto first line of defense to keep out unauthorized users. But here's where life becomes a real bitch!
I have no fewer than 6 systems... and every damn week I'm introduced to another… and there seems to be this weird crap you have to do when it is time to change your passwords…
Yes, every system you log in to requires yet another login and password. Each password is supposed to be hardened as much as possible against password cracking software. This means that the stupid things not only can't have any meaning, they also have to contain special characters - to further throw a wrench into the path of a hacker... *sigh* And if you're really stringent you make sure that each password MUST be changed every 30-45 days PLUS you make sure that the user name is not shown by default in the login screen. Oh joy!
Sadly for the sake of security... we poor humans have great difficulty remembering abstract strings of any sort, make it more than 1 and you cause real problems for users. So the most likely thing to happen is for the employee to write everything down and leave it where it's handy. In the top desk drawer, under the keyboard, even out on top of the desk, or in a spreadsheet or word doc right on the desktop itself.
Now if you have an employee looking to cause trouble or steal some info to sell, he doesn't want to use his own login to do this - way too traceable... nope, just wander on by the desk of a coworker who isn't being careful and write all his passwords down, instant untraceable access.
You may be wondering... why can't I just log in to one computer and voilà! I'm on the system? Well, there are several reasons.
First and foremost, if the company is big enough to have multiple computer systems to sign into, they've been around for a while. Few companies spring up overnight with that sort of computer array. And if you've been in business for a while, you have lots of "legacy systems". You will have computers that are brand new all the way back to computers that have been in use since nearly the beginning of the computer age. Each one runs its own operating system, each system has different requirements for login and password, none of them are compatible... there's a surprise. So a password that works on a new system is totally unusable on an older system, but you want to use the strongest password possible, not default to the lowest common denominator of the bunch.
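To make the "lowest common denominator" problem concrete, here is an added example (my own code, not part of the original post) that checks one candidate password against several systems' rules and then folds those rules together to see whether any single password could satisfy all of them. The three policies (a legacy host capped at 8 letters-and-digits characters, a mid-age HR app with a narrow set of specials, and a new portal demanding 12+ characters with every character class) are constructed for illustration and are not real systems.

```python
"""Check one password against several systems' rules, and test whether
the rules can be satisfied together.  Added example; policies are constructed."""
from __future__ import annotations

import string
from dataclasses import dataclass

LETTERS = frozenset(string.ascii_letters)
DIGITS = frozenset(string.digits)
SPECIALS = frozenset(string.punctuation)
CLASSES = {"upper": frozenset(string.ascii_uppercase),
           "lower": frozenset(string.ascii_lowercase),
           "digit": DIGITS, "special": SPECIALS}


@dataclass(frozen=True)
class PasswordPolicy:
    """One system's password rules (every value here is made up for the example)."""
    name: str
    min_len: int
    max_len: int
    allowed: frozenset          # characters the system will accept at all
    require_upper: bool = False
    require_lower: bool = False
    require_digit: bool = False
    require_special: bool = False

    def violations(self, pw: str) -> list[str]:
        """Return the rules `pw` breaks on this system (empty list = accepted)."""
        problems = []
        if len(pw) < self.min_len:
            problems.append(f"shorter than {self.min_len}")
        if len(pw) > self.max_len:
            problems.append(f"longer than {self.max_len}")
        bad = sorted(set(pw) - self.allowed)
        if bad:
            problems.append("characters not accepted: " + "".join(bad))
        if self.require_upper and not (set(pw) & CLASSES["upper"]):
            problems.append("needs an uppercase letter")
        if self.require_lower and not (set(pw) & CLASSES["lower"]):
            problems.append("needs a lowercase letter")
        if self.require_digit and not (set(pw) & DIGITS):
            problems.append("needs a digit")
        if self.require_special and not (set(pw) & SPECIALS):
            problems.append("needs a special character")
        return problems


# Constructed policies standing in for "brand new" down to "legacy" systems.
POLICIES = [
    PasswordPolicy("legacy-host", 4, 8, LETTERS | DIGITS),
    PasswordPolicy("hr-app", 6, 10, LETTERS | DIGITS | frozenset("!@#$"),
                   require_digit=True),
    PasswordPolicy("new-portal", 12, 64, LETTERS | DIGITS | SPECIALS,
                   require_upper=True, require_lower=True,
                   require_digit=True, require_special=True),
]


def check_everywhere(pw: str, policies=POLICIES) -> dict[str, list[str]]:
    """Map each system name to the rules a candidate password breaks there."""
    return {p.name: p.violations(pw) for p in policies}


def common_ground(policies=POLICIES) -> dict:
    """Fold every system's rules into the single rule set a shared password
    would have to meet, and report whether that set is satisfiable at all.

    Length bounds tighten (largest minimum, smallest maximum), the accepted
    alphabet shrinks to the intersection, and every 'must contain' rule
    carries over.  A minimum above the maximum, or a required character
    class that no system accepts in common, means no one password can work."""
    min_len = max(p.min_len for p in policies)
    max_len = min(p.max_len for p in policies)
    allowed = frozenset.intersection(*(p.allowed for p in policies))
    needs = {
        "upper": any(p.require_upper for p in policies),
        "lower": any(p.require_lower for p in policies),
        "digit": any(p.require_digit for p in policies),
        "special": any(p.require_special for p in policies),
    }
    reasons = []
    if min_len > max_len:
        reasons.append(f"minimum length {min_len} exceeds maximum {max_len}")
    for cls, required in needs.items():
        if required and not (allowed & CLASSES[cls]):
            reasons.append(f"a {cls} character is required but none is accepted everywhere")
    return {"min_len": min_len, "max_len": max_len, "allowed": allowed,
            "needs": needs, "feasible": not reasons, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("Summer05", "Tr0ub4dor&3!xyz"):
        print(candidate, check_everywhere(candidate))
    print(common_ground())
```

With these constructed policies, "Summer05" passes the two older systems and fails the new portal, the stronger "Tr0ub4dor&3!xyz" passes the portal and is rejected outright by both older systems, and `common_ground()` reports that no single password can satisfy all three (the legacy 8-character cap is below the portal's 12-character minimum, and the only characters accepted everywhere are letters and digits, so the portal's required special character can never appear). Dropping the new portal from the list makes the combined rule set feasible again, which is exactly the "default to the weakest system" trade-off the paragraph describes.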
Secondly, there is the notion of layered defense. Sure someone may get into your desktop computer, but maybe that's as far as they get. It does make things more difficult if they have to log in to each system. If you use a single sign on (or maybe I should say, if you can get a single sign on to work on your systems), all they have to do is break one door down and they're in - now they can romp madly through the system with no restraint (or at least, only the restrictions on your user account).
There is much controversy over the best way to authenticate users to the system... how does the computer know you are you? The movement is toward biometrics (fingerprint, palm scan, retinal scan, face print); however, there is significant cost involved, especially in large companies, including the cost of equipping each computer with a reading device and the not insignificant price of startup (getting everyone's original scan)... and what happens if you're using a fingerprint and you cut that finger?
Other methods are smartcards used with a login and password. But what happens if you lose the card? In a large company with thousands of employees... how many cards will they have to dole out daily? And once again the cost of equipment to scan the cards and set them all up.
Then you MUST consider your IT department. Most people working there are fine just doing their own jobs. You have a few really intelligent people (at least in most places) who love dabbling in new stuff, but most don't have the ability or desire to do any type of computer security work. IT often takes the hit when budgets get tight and security takes even more of a hit.
Then there's the latest round of legislation that has dumped lots of extra work on the IT department... Sarbanes-Oxley (SOX) and HIPAA (health information privacy). When you are under the gun to prove you have done something to keep the bad guys out... password security is the first thing jumped on with relish. It's easy to set up and it's, above all, CHEAP!!!
So it's time to take a deep breath and relax. The mess that's been created isn't going to go away anytime soon and will likely get worse before it gets better. I'm hoping some really intensely bright computer person is working on this problem and comes up with a solution that doesn't cost 99% of a company's revenue for the year AND actually works with all systems... yeah, dream on.
February 09, 2005
*** Okay - some strange stuff going on at Blog o'Ram. I always check my links and when I checked the one above I got an error - so I tried to go back to the main page... the most recent post now says Feb 1.... I'll have to check again later and see what's up.
**** Looks like the permalink is fixed - still no trackbacks though.
February 07, 2005
Now being a woman in an IT job, I was curious to know why I was an endangered species - therefore I clicked through. Here is what I have to say about the article.
Some of it is good - much is utter hogwash.
Naturally they have to start out with the heart wrenching personal story...
The computer science world was anything but welcoming to Maribel Gonzalez.
After a harrowing first year, she quit the computer science program at the University of California at Los Angeles. Until that point -- six years ago -- Gonzalez had excelled at mathematics and had looked forward to a computer-centric career. But at UCLA, she felt overwhelmed by the programming experience of her mostly male peers. With no programming classes under her belt, the "sink or swim"-style courses, she said, did not suit her.
There are 2 different dynamics here - so let's start with the hogwash part. First of all, you cannot rate an entire field by the experiences of one person. WAAAAYYYY back in the mists of time, I knew any number of people who excelled at math and science in high school, only to flounder miserably in college.
The prominent reasons for that failure were these. First, the high schools they attended did not teach to a rigorous enough schedule, so the student was unprepared for the level of difficulty in college courses. Then there is the fact that you generally finish all the material for a class in 16 weeks in college as opposed to an entire 180-day school year in HS - a pace that about triples the rate of new material presented in a very short time for the university student... in EVERY class. It's difficult to get your head around that if you liked the pace of high school. (Personally I was always losing my focus in HS because it moved like molasses.)
Another problem is kids just skating through HS courses with little or no work on their part. "This is easy," they think. Then they get to college and all the "easy" homework that was spread out over the year is now crunched into a few weeks' time - they are overwhelmed! This has never happened before! Their brain can't deal with it! They say...
"I never worked so hard to get Cs," recalls Gonzalez, now a public-school teacher in New York. "It was a blow to my ego, and it scared me."
And they either go into teaching or English as a major. Basically what they are saying is that they don't think the end result is worth the amount of work they would need to put in. If they can't have fun then it's too much work. If they can't make straight A's without effort - it bruises their egos... sorry no sympathy here!
The second dynamic is the manner in which Computer Science is taught. I started back around 1990 - I was around 30 years old and had never touched a computer before in my life. I didn't own one, had never programmed one. At the time I figured a CS degree was a good way to earn some money, so there I was... a returning college student with a husband, 2 kids, and a dog - not very typical at the time.
Back then it was NOT assumed you knew anything about programming before entering the field. The very best class I EVER took was called Programming Logic. I'm quite sure it's never taught anymore - most people laughed at it. (Sneered would be a better word.) Yet this class - drawing flow charts depicting the logic of a program from beginning to end - took all the guesswork out of the logical progression in later programming classes. In every single solitary programming class I took, I could use that logic, learned in that little funky sneered-about class... and all I had to learn in the programming class was the syntax. Syntax can be enough of a pain - but at least I knew what steps my program should take and the order they should be done in - this left far more time for learning the other parts of programming.
The worst mistake made by Computer Science departments is for those doing the teaching to forget how they got to the point of knowing programming logic. They need to go back and revisit the very basics - in other words - when you teach math you don't start kids in Algebra - you start them with learning their numbers then adding... etc. CS departments need to give students a square ONE to start with and progress from there! This is what I find to be the current huge failing with CS degree programs. They lose not only women with this type of program, but men too (but hey we don't have to worry about losing men... right... only women count... riiight)
I will skip the completely ridiculous argument about the masculine/feminine appeal of CS - it's nonsense. Women have proven over the years that if they want to pursue a career they are quite capable - and nowadays there is nothing stopping them except their own dislike of the field.
But I find some of the lengths to which CS departments are trying to make things "easier" on the student - are very scary to me.
Another focus is reforming college computer science programs to make them less about weeding out weak students and more about encouraging all comers to succeed.
If you think programs are poorly written now... just wait until this group gets out there and starts trying to work for a living. It's just crap - either you can write programs or you can't. What they want to do is make students feel all warm and fuzzy - who cares if they can do the work... Well, we all will when onboard systems start failing in cars, airplanes, health equipment... just because we didn't want to scare off the nice little girls!
And THIS tactic makes me want to just scream....
Students can now send questions to the professor during class via wireless instant messaging rather than having to raise their hand -- a strategy designed to aid shy students. The instructor can either discuss the question with the whole class or answer it privately later.
Just how is this helping students? If they are too shy to speak up in class and can't conquer that - what are they going to do out in the work force? At some point in time they will HAVE to speak to coworkers and bosses in meetings. This will put them at a tremendous disadvantage once they leave school.
As usual - in trying to make things easier - they are actually entrenching more problems that will come back to haunt us at a later date.
I was encouraged to see this though from Carnegie Mellon:
While still requiring high test scores, especially in mathematics, the school no longer puts as much weight on prior programming experience. Freshman accelerated-programming classes generally level the playing field by the student's sophomore year, said Lenore Blum, a CMU computer science professor.
That's more like it. In every other discipline, if you want to go back to school and earn your degree, you can find classes that will take you from the beginning through degree completion. The fact that Computer Science doesn't offer this choice in many places is the primary reason they don't have as many people opting for this degree as they could have. This includes men and women. In the end, it might come down to the fact that you have to spend an extra year in school to catch up before starting your degree work. This happens to engineering students all the time.
This is the direction I think Computer Science should take to get more of a choice of students in their discipline. That and quit whining about women finding the work too hard for their delicate little selves... it's demeaning to those of us who do work hard!
February 03, 2005
*** I love playing with new stuff!