Skip to main content

Getting around security

Posted by daniel on February 3, 2004 at 7:47 AM PST

You create a secure environment for users - how do you help them take advantage of your security features or at least be aware when they have bypassed them.

When you scan for available wireless, you will often encounter people who have left the default settings on. There are some who run their wireless open so that other people can use them. These often have no password requirements. I'm talking about what happens when you encounter a network whose name is linksys, for example. There is a pretty good chance that they have never changed the default settings.

One option could be to require that the settings be entered on first use. If a user wanted to use the customary defaults for some business or personal reason, they could but they would have to enter these defaults by hand. The decision would need to be a conscious one. The point is that the router comes with security built in. A user can name it and create a login and password. We just don't force them to and so they often don't.

This came to mind because of a conversation I overheard yesterday. Actually, I overheard many conversations yesterday but one stuck with me. It seems more common on flights these days that until we pull back from the gate and as soon as we land, people are talking on cell phones. On the last flight the person next to me was talking about a court case. I didn't know anything about it so I didn't think much more of it.

But yesterday in the shuttle van on the way to the hotel, one of the Eclipse stewards talked loudly on a cell phone about board business. I know who he was because he had to spell his name to the van driver. That didn't mean anything to me until he made a phone call and loudly talked about a meeting he was going to have with "Skip" about procedural issues in choosing (what I inferred to be) the next executive director. In fact, the man at the other end of the phone was a candidate for the position who was being assured that he was on the short list and the list would not be opened up again. It was impossible not to listen. Conversation on the shuttle among families halted during his high volume phone call.

Less than ten minutes later he was at his hotel and could have made his call privately. But it made me ask the question I began with. How do you structure security in your app so that people like our friendly steward are aware when what they are doing is not secure.

Perhaps the SAML folks have thought about this. In today's Weblogs , Eve Maler blogs about the upcoming annual RSA Conference in SAMLblogging. The "Security Assertion Markup Language (SAML) vendors will be there to take part in an interoperability demonstration that's third in a long-running series.