Archive for Security Issues
DARPA: The Internet’s Midwife
In the late 1980s and early 1990s, DARPA (the Defense Advanced Research Projects Agency) of the US began to see how the Internet could become a significant player in the nation’s defense. These visionaries were so proud of their creation because the internet did exactly what it was supposed to. They were ahead of the rest of the world technologically speaking, and they celebrated the birth of their newest baby. Soon, various communications and activities began taking place within the internet. It was then found that this was by far a faster and more accurate way to work.
However, as with all children, the internet grew up. Other governments began implementing the code and connecting themselves across the network of fiber optic cables that had now been laid, and they “went online” doing many of the same things the US government did. It was then that the creators of this marvelous invention learned that, as a teenaged creation, it had many of the problems a normal human teen had.
The Internet and its Growing Pains
Fast forward to the present: the internet as we know it is about 20 years old and is experiencing the issues that many young adults do when they are given their first taste of freedom. They start letting in friends that their parents don’t like (viruses). As people were taught to program and code for military and civilian causes, there were always going to be those who learned how to get around system security and how to exploit weaknesses in code. In fact, there are hundreds of people hired annually by various governments for whom this is their only talent. They affect the system that has been created so that those who own the system can make it stronger. As was only to be expected, though, there are those who do not put their skills to such use and, either through actual malicious intent or just idle curiosity, begin to do things such as hack into satellites and take control of them. Perhaps they just wanted to peek in on the young women who are skinny dipping in the ocean. On the other hand, they might have been testing their ability to do so in order to go ahead and hack into one of the spy satellites, gather valuable classified information and use it against that country. Unfortunately, in this day and age we dare not take any chances when guessing the motives of the individuals in question.
Those are the Money Words, my friend.
The knowledge of an assault that occurred some years ago was finally released to the public last week, in which it was suspected that Chinese nationals hacked into 2 satellites and took total control of them. While China denies the allegations made, the fact remains that someone did. This means that, as a nation, we are vulnerable in a way that no one thought would happen. So it was that military and government agencies have begun to reach out to what they are calling the “visionary hackers” for assistance in the matter. A visionary hacker, from what I can conclude, is a hacker who is capable of doing all of these things but only does them in order to:
- See if they can
- To sell their knowledge to governments in order to secure paid positions
What better way to do combat in the wild west than to hire those who would be outlawed by the rules of “more civilized society”?
The phrase of the time seems to be the desire to “converge with the threat” which can only be done by getting into the heads of those who are capable of launching these types of attacks.
Where did we go wrong?
After some advanced analysis, it was shown that the governments’ security systems are based on huge banks of code, running into tens of thousands of lines. In comparison, most malware is only a negligible 125 lines. Short, clean, simple and to the point seems to be the key to their effectiveness. Most coders who choose to do this as a living, either legally or illegally, pride themselves on their ability to deliver what they call “elegant” code. This means that the code is well notated so that others can see exactly what the code is supposed to do. The longer that a program’s code is, the more chances for failure present themselves.
Unfortunately, it would not be logical to totally disable a nation’s system of protection protocols and software in order to clean up the system and make it simpler. There is only one option left to those in power, and that is to engage those who can get into the base of the code and clean it up while it is still doing its job. This is not a simple task and presents its own dangers, of course, but at least it would not leave the entire nation unprotected while it was being worked on.
Where does this leave us as a country?
First, we need to make sure that we are not just looking at this as a one country only problem. We are actually experiencing the birth of a global community and global economy. Never before in our history have so many countries been interdependent for basic needs such as defense and economics; if one link fails, the whole house of cards will be tumbling down.
Once that viewpoint is strengthened and we are looking at the situation with those lenses, we can begin to work on the actual problem at hand. We have a need for simpler, more stringent code. We also need to make sure that we do not take so many human positions out of the picture that we leave ourselves open to attacks that were not possible before. When you replace a human soldier on a reconnaissance mission with an unmanned drone, you open yourself up to hack attacks and, potentially, will lose control of that drone. When that occurs, on whose head are the deaths caused by the drone firing on the people of the country that created and deployed the drone in the first place?
Simpler code, more human positions and common sense will be the answers to these problems, if ever those in power can come to see it.
SOPA – The IP Hammer Has Swung
The rise of the Internet as an intractable piece of the global social engine has brought with it a number of large scale societal problems. One that has most stubbornly resisted a common-ground solution is how to protect intellectual property in the information age.
Piracy of information has been a problem for a long time. Bootlegs of concerts and copies of videotapes have been black market staples for decades. The advent of the internet, though, has raised this problem to a new level. Just about all but the most in-person art forms are now easily digitizable. If they are digitized, then they can be copied to every person on the planet almost instantaneously.
This is a startling development that few people saw coming, and a monumental problem for defenders of intellectual property. In turn, they have often taken what amounts to “scorched earth” policies to combat it. Arguably, the worst of these yet is now under consideration. It is known as “SOPA” or the “Stop Online Piracy Act” … and it has internet freedom advocates sounding the alarm like never before.
Is it that bad?
As with all modern legislation, 112 HR 3261 is a plate of legalese spaghetti. At 78 pages, it’s actually kind of short as modern legislation goes. If you are reading it, though, and you fall on your face as you try to cut your way through lines such as…
“If an effective counter notification is made under subsection (b)(5), or if a payment network provider fails to comply with subsection (b)(1), or an Internet advertising service fails to comply with subsection (b)(2), pursuant to a notification under subsection (b)(4) in the absence of such a counter notification…”
…you could be forgiven a bit. As always, then, we have to go by the read from the “experts” on this, and we know how often they’re in agreement. Still, going to the authorities that we trust most here, such as the Electronic Frontier Foundation, this looks really bad.
A first power – private enforcement of complaints, and lots of it
What seems to make SOPA so bad is that its approach to potential “rogue” web sites or copyright infringers is little less than “Whatever you have to do”. The main target for this legislation is anyone who abets the web site in question. This includes not only those who host the site but anyone who has even an indirect hand in its continued operation, with payment processors the primary target.
The way that SOPA works for most reviews is this. Someone lodges a complaint against a web site. The web site operator passes the complaint on to the web site operator, who has 5 days to issue a retort. At that point, if the original one complaining wants to, they would take legal action.
This is not new; it is roughly how the DMCA (Digital Millennium Copyright Act) works. What makes this worse is that it is not just web hosts that are required to cut off the accused web site, but payment processors and ad networks as well. The potential for abuse here is obvious.
Enforcement expands to almost everything
Search engines would also be saddled with the duty to prevent the offending site “from being served as a direct hypertext link”. Software to get around any such blocks would be outright illegal. This is an especially ominous precedent, as it states that certain types of programming can now be made illegal. Step back for a second and just picture what a future based on that kind of idea could lead to.
A further extension of this attack exemplifies why such blunt measures often have the potential to do far more harm than good. ISPs would be included in the list of companies whose responsibility it would be to cut off access to the offending site. But this is like finding a fish by draining the ocean. A domain name can handle traffic that serves all manner of functions related to all types of web sites. Forcibly shutting it down over a single complaint could rip the interplay of websites, indeed the very concept of the “web”, apart. A past example of this occurred when 84,000 sub-domains of “mooo.com” were shut down due to a complaint about the content on one of them.
Finally, the bill ventures into the creepy territory occupied by enforcement agencies which require that their citizens spy on each other. Websites that don’t sufficiently target sites “dedicated to infringing activities” are also considered in violation. As is often the case, what constitutes sufficient enforcement on their part is unclear.
Please tell me that some people are standing up against this!
Yes, they are, and it’s not just the EFF. US Representative Zoe Lofgren, one of the most consistent voices in Washington DC against most intellectual property legislation, stated this legislation would bring about “the end of the Internet as we know it”. From anyone else this might be laughable alarmism, but as the Congresswoman representing Silicon Valley, Lofgren has been described by one tech group as someone who “understands how the Internet works.”
Other opponents to the bill include Google Chairman Eric Schmidt, who vowed that even if passed, “we would still fight it”, a bold declaration of resistance. Fred Wilson of the Business Insider described the bill as being crafted “without any input from the technology industry”. Even some artists have spoken up stating that, to the contrary, SOPA will stifle creativity.
Why is this happening?
This is happening because the media empires of the world are getting frantic. Oceans of copyrighted data are passing through networks all around the world and the efforts of those trying to stop it are roughly the equivalent of someone trying to keep the rain from hitting the ground by running around with a bucket. Data about how much less money people are spending on copyrighted content comes in every day. Sorry to be putting it in cynical sounding terms, but in the end, it is simply about money.
This isn’t to short-circuit the debate about intellectual property entirely. This has been a long-discussed topic in technical and political circles, and even without this new legislation was likely to not be going away anytime soon. In the meantime, though, this legislation from all we’ve seen signifies a very worrisome turn. It seems to have been stalled for now. We can only hope that this continues until something that seems like it responds to the IP conundrum with something less than taking a hatchet to the entirety of the Internet is crafted.
Email Encryption: Protecting Yourself and Your Information
You decided to write a steamy email to your lover late at night from your home computer. Pet names were used as well as some other language that, if anyone else but your lover saw, you would just die of embarrassment. The problem is you did not use any form of encryption on your email at all because you thought that encryption was only for governments and big corporations. Now, your favorite pet names and steamy details have been read by:
- Anyone at your email or Internet provider who wants to
- Anyone at your lover’s email or Internet provider who wants to
- Anyone who works at any of the places in between that house the routers that handled the data from your email who wants to.
Your secrets are not safe when you do not use encryption on your email. While this situation is personally embarrassing, imagine how devastating this would have been if it were a corporate email sent speaking about the release details of their newest offering in the technology world. The competition now has them and you might as well begin again at the drawing board, assuming that you still have a job. With this article we hope to help you set up email encryption for your computers so that these situations never have to become a personal reality.
Software Solutions
Perhaps the simplest and least aggravating approach to applying encryption to your email messages is to make use of one of the many software solutions out there. The very oldest and most well-known software for this would be PGP (Pretty Good Privacy).
Using 128-bit encryption, this software (which is now owned by Symantec, creators of Norton) takes a lot of the guesswork out of the encryption experience by automatically discovering certificates and keys as needed and automatically encrypting all sent and received email without the user needing to do much of anything. This particular software supports both common forms of encryption, S/MIME and OpenPGP, and uses a proxy as a method of keeping your information secure.
If you are brand new to encryption, then you would do well to look past the price tag and realize that you are buying a lot of peace of mind. This software is highly recommended as it does not disrupt the recipient’s or the sender’s email experience at all.
Client-based solutions
Many email clients now offer the ability to send and receive encrypted email through the use of settings within the program itself or add-on programs for the client. At this time, the two most well-known clients for offering these options are:
Microsoft Outlook uses what they call a digital ID, which is essentially a personal security certificate for your email that gets sent to the email recipient for encryption along with your message. If the recipient does not have your digital ID, they cannot read your encrypted emails (although you will be given an option to send it in unencrypted formatting in this case).
Mozilla Thunderbird makes use of an add-on called Enigmail in order to facilitate encrypted email sending and receiving. Once Enigmail is installed on your Thunderbird client, it can and will automatically encrypt, decrypt and manage all encryption keys for you, making it a very simple option for those who just want the basics. It can be expanded upon by also downloading GnuPG, which allows for further cryptographic functions.
There are other email clients also offering similar features. However, these two are the easiest and most straightforward to configure on your own without having to call your local techy friend for help. If you wish to go ahead and plunge in deeper, by all means do so, but make certain that you read the manual: incomplete or incorrect security is about the same as no security.
Don’t want to bother with encryption? There are other ways.
Without encryption you will always lose some information to easily readable sources. However, if for some reason you do not want to engage in encryption use, here are some suggestions on how to keep yourself as safe as possible.
- Make absolutely certain that you have two different email addresses. Use one for a small list of well-known friends and associates and the second email address for mailing lists and other more open forum email and subscription mail.
- When creating your personal email, keep it simple and professional such as using your first initial and your last name.
- When creating your public email do not use any kind of personally identifiable information.
- When emailing back and forth, do not send any information that you do not wish to be read by everyone on the World Wide Web at any time. This includes names, addresses, phone numbers and passwords.
- Do not open email from sources that you have any reason to be wary of.
- Again, use an antivirus program that offers email scanning.
- For goodness sake, do not send personal email from a work email address. More often than not, these email addresses are monitored by your company and their contents can get you in trouble! This is more a precaution on their part than a danger on yours, as they usually have plenty of security procedures in place on their end as well. Still, this danger potentially takes the form of unemployment. If anything, learn from your employer’s security procedures, and consider implementing the same thing on a personal level.
If you follow these steps, you should be able to keep yourself relatively safe while emailing.
It’s privacy, and it’s personal
In the end, only you can decide how much encryption is comfortable for you to use. Privacy is a personal matter and must be seen to in accordance with personal comfort levels. More privacy is more secure, but it is also more work. How much work you want to do is up to you.
There are people out there whose entire computer systems and networks are encrypted. They often do so for no reason other than that they can and that they enjoy that level of privacy, not because they have something to hide. There are those who will only encrypt their emails and be happy with that. Then there are those who trust their firewalls and antivirus programs to do their jobs and keep them safe. Whatever you choose, just be aware of the basics of how email security works, and you should be able to find the comfort level that’s right for you.
Securing Your Private Wireless Network
It has been all over the news lately that corporations and even government computer systems have been broken into. While this is happening, sensitive data is being stolen and leaked onto the Internet or used to distribute company secrets. This is the nightmare of every head of network security in the world at this time as well as for home users and telecommuting workers all around the globe. When careful attention is paid to trends in the news and through specialty publications that focus solely on network security, there is a far better chance of keeping protocols up to date and avoiding any significant breaches. Within this article, the focus will be on Wireless LAN security and the various pitfalls and methods currently in use that have proven to be reliable.
Closed Networks
Most networks will be a closed system of one flavor or another. It can be a home network where a user does personal banking or a telecommuting employee whose laptop is like the best friend and travelling companion. The most common example of a closed network is a home network or a small organization or company network. It is those that we will be focusing on in this article. When configuring this setup, the most effective point of security will be the access point itself. Through the access point, there is access to options that will govern how information is sent and received and at what level of encryption. There are a few options available to ensure this; some are more effective than others. There are some methods of network protection like WIPS that will require more physical hardware.
They are:
- MAC address screening
- Using a Wireless Intrusion Prevention System
- Use of a Captive Portal
- Use of a secure VPN
MAC Address Screening
The best option is to require MAC address screening and to disable ESSID broadcasting entirely. The combination of these two precautions makes the network connection itself difficult to detect by outsiders let alone to initiate information theft. This option does not require the purchase of additional hardware or software and is configurable through the router gateway itself. This is the most popular choice and will be the option that most people require without additional steps. There are those individuals and organizations whose networks require more security though and the following options are available to them. Most often these options below are used by those who conduct work from home or for those who telecommute and may be anywhere in the world.
Use of a Wireless Intrusion Prevention System
In a nutshell, a wireless intrusion prevention system (also known as WIPS) is simply a network device that scans the wireless signals for unauthorized access points and then begins the process of locking them down and sending a notification through an instant messaging (IM) system, a pop-up or a page to the network administrator currently on duty. This is an additional piece of equipment and the cost can vary from a couple hundred dollars to many thousands, depending on the size of your network. Most private residences and networks will not have this protection unless they tend to work from home and are in a high security IT-related field.
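The scan-and-notify loop described above can be sketched as follows. This is an added example, not code from the original article or from any WIPS product; the inventory of approved access points, the signal threshold, the verdict names and the sample beacons are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: the access points the administrator has approved,
# keyed by BSSID (the access point's radio MAC address).
AUTHORIZED = {
    "aa:bb:cc:00:00:01": {"ssid": "HomeOffice", "security": "WPA2"},
    "aa:bb:cc:00:00:02": {"ssid": "HomeOffice", "security": "WPA2"},
}
# Assumed threshold: a signal at least this strong is treated as on the premises.
ONSITE_RSSI_DBM = -60
# Lower number = more serious; used to order the notifications.
SEVERITY = {"evil-twin": 0, "misconfigured": 1, "rogue-onsite": 2}


@dataclass(frozen=True)
class Beacon:
    """One access point sighting reported by the scanning radio."""
    bssid: str
    ssid: str
    security: str
    rssi_dbm: int


def classify(beacon: Beacon) -> str:
    """Compare one sighting against the approved inventory."""
    known = AUTHORIZED.get(beacon.bssid.lower())
    protected_ssids = {ap["ssid"] for ap in AUTHORIZED.values()}
    if known:
        # An approved radio advertising a different name or weaker security.
        if beacon.ssid != known["ssid"] or beacon.security != known["security"]:
            return "misconfigured"
        return "authorized"
    if beacon.ssid in protected_ssids:
        # Unknown radio advertising our network name.
        return "evil-twin"
    if beacon.rssi_dbm >= ONSITE_RSSI_DBM:
        # Unknown radio, unknown name, but close enough to be inside.
        return "rogue-onsite"
    return "neighbor"


def alerts(beacons):
    """Return one notification per suspicious BSSID, most serious first."""
    strongest = {}
    for b in beacons:
        verdict = classify(b)
        if verdict not in SEVERITY:
            continue
        key = b.bssid.lower()
        # Keep only the strongest sighting of each radio to avoid alert floods.
        if key not in strongest or b.rssi_dbm > strongest[key][1].rssi_dbm:
            strongest[key] = (verdict, b)
    ordered = sorted(strongest.values(),
                     key=lambda vb: (SEVERITY[vb[0]], -vb[1].rssi_dbm))
    return [f"{v}: {b.ssid!r} from {b.bssid.lower()} at {b.rssi_dbm} dBm"
            for v, b in ordered]


# Constructed scan results for illustration.
SAMPLE_SCAN = [
    Beacon("AA:BB:CC:00:00:01", "HomeOffice", "WPA2", -40),
    Beacon("de:ad:be:ef:00:01", "HomeOffice", "OPEN", -55),
    Beacon("de:ad:be:ef:00:01", "HomeOffice", "OPEN", -50),
    Beacon("aa:bb:cc:00:00:02", "HomeOffice", "OPEN", -45),
    Beacon("12:34:56:78:9a:bc", "FreeWifi", "OPEN", -52),
    Beacon("66:77:88:99:aa:bb", "NeighborNet", "WPA2", -85),
]

if __name__ == "__main__":
    for line in alerts(SAMPLE_SCAN):
        print(line)
```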
Use of a Captive Portal
This is a fairly common approach taken by small businesses that either offer wireless access for their customers only or sell wireless access by the hour, day, week, etc., like hotels. A captive portal turns the web browser into an authentication site that all traffic is driven to before the user has access to the entire network. The user authenticates with a guest password, receipt number or payment type, and only when those forms of identification are met will the user have access to the entire network. This security will most often be seen at hotels, coffee shops and other places where customers might spend a usable amount of time with their laptops while enjoying the location they are at. Many city parks now have such wireless access, in fact.
Use of a Secure VPN
The use of a virtual private network, more commonly called a VPN, is found most often with telecommuting workers who need access to the company’s entire network and applications, but on a secure line. Think of a VPN as a secret passageway through the World Wide Web, which protects the user from eavesdroppers and those who would virtually pick the user’s pockets by stealing bits of private and valuable data while the user exchanges information between the company network and a personal mobile computer.
In the past, companies would spend lots of money to lease telecommunications lines in order to ensure that their network was shut off from the internet. With the resurgence of VPN (for it is decidedly not new technology), companies have the option to cut costs significantly, take some of the weight off of their likely over-worked IT network administration team and offer their workers a bit more in the way of flexibility when it comes to the location in which they choose to work.
When all is said and done, network security is becoming one of the world’s hottest topics because of how fast technology is moving along. In some cases, it is developing faster than ways can be found to protect oneself from the privacy-shredding changes that are being made. From cell phones having tracking and GPS abilities that make your information available to the manufacturer to programs that track your usage under the guise of a “customer experience improvement” program, there is no dearth of new learning available for those who choose the career of network security professional. There is also much to learn for the small corporate and home users.
When choosing a method of wireless security for a closed wireless network, the options are out there. Making certain that the settings are correct and hardware is installed right should fall to a network security professional. This will ensure that slight mistakes do not make your network open to those who would relish the secrets that your network will share with its users. Once implemented, you can rest assured that the information shared on the network will remain safe, and out of the hands of those who are no better than they should be.
What is Tor? A Closer Look at The Onion Router
It’s been a hot topic in the news for years now. Privacy on the Internet is something that users not only want but expect, even if they know they shouldn’t. So much of our daily activity resides there. From our entertainment and paying bills to shopping for gifts, clothing and bulk household items, Internet service has become a utility, not just a frivolous addition to your cable TV package. With so much activity going on in the strange in-between world of the Internet, there was bound to develop an underground. Much like in your day-to-day world where the world’s secret places thrive, there is an equivalent world on the Internet where anarchy is king and the rules are few. One of the ways you can get to this place is called Tor.
In the Beginning:
Tor was once an acronym standing for “The Onion Router”, which was a reference to how the program layered and encrypted the users on the network; it became its official name in early 2006. Tor began as a project of the United States Naval Research Laboratory for reasons that to this day are shrouded in mystery. When it came to be funded through the Electronic Frontier Foundation (EFF), it ceased to be a military endeavor and took its first breaths as an independent project. It is currently run by “The Tor Project”, an educational 501(c)(3) devoting its time and services to developing a web browser designed to preserve anonymity on the Internet.
The gritty details
Let’s get a little more technical and see how this works. Tor protects the user by taking the outgoing signal and bouncing it through various relays across the globe. In order to do this, however, one must download and install a Tor browser package, which is available on the Tor Project’s homepage. The browser itself is very pared down and as no-nonsense as it gets, allowing no scripts to come through that you do not approve by hand and no cookies to be saved, so that your information remains private.
When you visit a website, it sends out the signal to the first relay, and that relay encrypts it and sends it along to the next for further encryption, and so on. By the time it reaches its destination, often hundreds of relays have been used to get there. This still usually happens in a matter of seconds, making Tor browsing not that much slower than using your normal services. The browser itself is set up to access a different type of web page called an “unindexed site” or a “hidden service”: these are web sites that are invisible to everyday search engines. They achieve this by using public encryption keys and 16 character hash tags followed by the pseudo-top level domain marker “.onion”.
Doesn’t make sense? That’s the point: to most browsers, it’s not supposed to. Normal web browsers cannot decrypt the information produced by a .onion service or page. When a user starts the Tor/Onion browser and enters a .onion domain address, the information going forward to the first relay gets encrypted and sent forward to the next relay. Because the next relay in the line cannot tell from where the incoming connection came, the user is effectively protected from any attempt at traffic analysis. Even if someone could either decrypt one node or get some legal order to release the data, it’s one of dozens or hundreds of nodes. In summary, the traffic is effectively impossible for anyone to trace, even the people who themselves take part in it. There’s literally not a single person on the planet who could trace a request made through Tor.
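How a public key becomes the 16-character name described above, as an added example that is not from the original article or from the Tor Project's code: the name is the first 80 bits of a SHA-1 hash of the service's public key written in base32, which is why a name can be checked against a key. The key bytes below are a constructed stand-in rather than a real key, and this 16-character format has since been replaced by longer addresses.

```python
import base64
import hashlib
import hmac
import re

# 16 base32 characters carry 16 * 5 = 80 bits.
ONION_LABEL = re.compile(r"[a-z2-7]{16}")

# Constructed stand-in for a service's DER-encoded RSA public key.
SAMPLE_KEY_DER = b"constructed stand-in for a DER-encoded RSA public key"


def onion_v2_address(public_key_der: bytes) -> str:
    """Derive the 16-character .onion name from the service's public key."""
    digest = hashlib.sha1(public_key_der).digest()  # 160-bit hash of the key
    truncated = digest[:10]                         # keep the first 80 bits
    label = base64.b32encode(truncated).decode("ascii").lower()
    return label + ".onion"


def parse_onion_host(host: str) -> str:
    """Return the 16-character label, or raise ValueError if malformed."""
    host = host.strip().lower().rstrip(".")
    if not host.endswith(".onion"):
        raise ValueError("not a .onion name")
    # Any subdomain prefix is ignored; only the label next to .onion matters.
    label = host[: -len(".onion")].split(".")[-1]
    if not ONION_LABEL.fullmatch(label):
        raise ValueError("label is not 16 base32 characters")
    return label


def key_matches_address(public_key_der: bytes, host: str) -> bool:
    """True when the name was derived from this key (a self-authenticating name)."""
    try:
        label = parse_onion_host(host)
    except ValueError:
        return False
    expected = onion_v2_address(public_key_der)[:16]
    return hmac.compare_digest(expected, label)


if __name__ == "__main__":
    address = onion_v2_address(SAMPLE_KEY_DER)
    print(address, key_matches_address(SAMPLE_KEY_DER, address))
```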
Oooh, this is intriguing! What can Tor be used to reach, then?
In a word: anything. This is the Internet unchained, the picture that many of you probably had of it when you first heard of it. This also includes all of your “normal” sites, though naturally browsing Sesame Street is not going to be the first idea that comes to mind. What does come to mind is all of the stuff that you imagined must exist somewhere out there on the Internet, if only you knew how to find it.
It is at this point, then, that we have to issue more than just a typical warning, and state that there is no, we repeat, no endorsement of any activity through this article. Truthfully, we know a lot of you will be naughty. That’s the reality, and we can’t stop it, no matter how stupid it might make you. But we can tell you that these things are underground for a reason. You investigate any of this at your own risk, and that’s not a risk we want to see any of you take. Are we all clear?
Tor in the News and the future of anonymous usage
The development of Tor is not an isolated phenomenon. While it may have been a military project initially, it’s still true that there is a higher push for privacy on the Internet as time goes on. Tor is a somewhat accidental response to it, but it’s nonetheless one that answers this call.
That being the case you would think that Tor would be in the headlines more. It has instead attracted oddly little attention. A branch of the collective Anonymous used it recently to infiltrate a child pornography web site. It was the subject of governmental ire for giving access to a network that they couldn’t reach (ironic, no?). It was also cited as a tool that was used by Egyptian rebels in their recent insurrection. Despite these isolated incidents, though, this pathway to the electronic underground remains mostly as invisible as the sites that it accesses.
It’s hard to say what this all means. One thing we can say is that the technology is solid. One renowned security expert accessed a black market selling just about every manner of illegal goods, to try to find a security weak point anywhere whatsoever in the process. Shockingly, he could find none. Think for a moment about what that would mean if that were to remain the case and become more publicly known.
There’s really only about one thing we can say for certain regarding the future of Tor and its relationship to web security: it’s going to be mighty interesting.
The Case of the Overzealous Security Guard
Just last week, I had an interesting experience with a web host that I use (as always, names of the guilty withheld). It highlighted some of the things that I’ve talked about in this column about customer service, security, and employee empowerment. It wasn’t that big of an issue, but it was a reminder of how little problems can easily cascade, eventually resulting in lost customers (which I considered becoming before they fixed the problem).
Let me hit rewind and go through the play-by-play. I think there are some important lessons to be reminded of here.
The prosecutor’s case
I was attempting to set up a common CGI package on my account. I went on for a while and ran into problems that I knew meant that there was something wrong with either their servers or the installation process. The host’s online help docs didn’t get me anywhere, so I went searching around the net. With a little Google mojo, I found a good lead. There was a configuration file that needed to be adjusted.
The problem was that it wasn’t clear exactly how it was supposed to be adjusted. I tried just about everything obvious. Nothing worked. Finally at a standstill, I threw in the towel. I dropped an email to their tech support. They had an online submission form, but it went to the email that the host provides, which I’d never used or redirected.
The defendant’s case
I received a reply back pretty quickly. It stated that since my address wasn’t the primary email address for the account, per their security procedures they would have to contact the address that was, and see if this was a valid address to offer tech support to. From that point on it was mostly smooth sailing.
Well, gee, that doesn’t sound all that bad. So where’s the problem?
The cross-examination
There were a few of them. First of all, even though it was true that I wasn’t writing from the contact address on file, I did include in my email to them the domain name that I was working on, and two forms of customer ID numbers that you can only get from within the account. Furthermore, I pasted in the entire error message that I was getting, again something that proves that I was already in. Given all of the information that I gave to them, it would have been trivial as well to check through their logs to see that I was, indeed, doing the work on this site that I said I was.
In short, it should have been clear that I already had full access to the site. One could counter that this doesn’t necessarily mean that I didn’t hack into it. There are problems with this response as well, though. For starters, I could just as easily hack into someone’s email as I could their web hosting account, so how would that have been de facto more secure? Additionally, if I really did hack in and wanted to contact them for help, why would I have “tipped them off?” There were certainly ways to write them that wouldn’t have. I could have actually used the in-house contact form. I could have just changed the contact email address once I was in there. On the other hand, it’s common for multiple people with different addresses to be working on the same account.
The verdict: guilty of misdemeanor
In the end, this only resulted in a short waste of time for us, but what if that time had been critical? It was, in truth, something I was trying to set up quickly, and the delay was quite irritatingly timed. The greater problem, though, was that it was unnecessary. The number of assumptions that you would have to make to conclude that I was an intruder is too high to be easily plausible.
Of course, no web host wants to take unnecessary chances on security. So was there maybe another way? Yes: the host could have responded to my request with the necessary technical information, then dropped a separate note to the email address on file telling them of the conversation and verifying with them that I was indeed authorized to be working on the site.
The sentence: make your security more dynamic
This approach would accomplish multiple things. It would, of course, let me continue working on the site immediately. On the minuscule chance that I really was a bad guy, it would still let the account holder know about it.
It would also have another subtle advantage on this note. If I were truly a hacker, and I got an email saying “We’re going to check on you”, that would be my cue to cause whatever damage I was meaning to and get out of town. Instead, using the above approach, you can keep a quiet eye on them to see exactly what they are doing. This approach would have been more secure.
This goes back to the inherent deficiency of unbending rules. We mentioned in the past that it’s better to cut your employees some slack and give them the room to make judgment calls. This is a great example of why. A single tech worker given the room to think about this email could easily have come to the above correct conclusions.
On the other hand, if you make your security procedures rigid to the letter, you hand the people who really do want to cause damage a road map telling them exactly how to get in. If your procedure is dependent partially on well thought-out rules and partially on “common sense”, an intruder will have a harder time penetrating it. Meanwhile, the entire tech world is filled with people who have been locked out of their own accounts because of overly strict security doors that they lost the key to.
A co-worker I once had summed it up eloquently: “Laziness and security never go together.” A hard set of rules that you apply in all cases, even the most ridiculous, is lazy. Some workers may want to fall back on being that lazy, but that does no one any good. The sentence in this case is to teach your workers a bit more about how to spot the little things that signify that something is wrong, and then give them the free hand to react to it intelligently, based on the specifics of each situation. It’s a little time invested for a lot of reward.