There’s a lot of talk about computer security these days. You know, what with all those evil hackers and identity thieves out there, it’s important to keep your data secure.
There’s especially a lot of talk about computer security here at IU. It seems like every time I open my inbox, there’s a new letter from UITS about some class they’re offering me to keep things even tighter than they were already keeping them the last time they mailed me. And indeed, the cycle of business around here seems to go something like this: some administrator has some friend who owns some software company that would like to sell IU some software. So bi-annually they replace the somewhat functional system we were using with an even less functional system and sell it as a “security upgrade.” I think that was the official explanation for the steaming pile of poop we bought from PeopleSoft, anyway.
Anyway, all this got me thinking about the many ways that a software system can fail to inspire confidence in its security features. One of them goes something like this:
Say you download a bunch of stuff from an undisclosed school repository using wget, which means you sent it your password in the clear, oh, about 20 times. Probably no one was watching, but you know, these things get logged on the server, so eventually some admin might come across it in log files. So you go to the appropriate site - let’s call it http://passphrase.iu.edu just for kicks - to set a new passphrase. You go through all the painful hoops, and along with the normal “this won’t take effect for as many as 20 minutes,” it sends you a bunch of error messages. For days, you go around using the new passphrase, sure that your 20 minutes have passed, only to be told again and again that it isn’t valid. So you use the old one instead, which magically works, despite supposedly having been reset. Gradually you begin to suspect that your passphrase hasn’t been changed at all and will never be changed. So you cheerfully go back to using the old one. Until one day, two weeks later, you can’t get into your library account anymore. After about 25 tries of typing REAL SLOW WITH YOUR TWO POINTER FINGERS JUST TO MAKE SURE, it becomes obvious that it’s just not cooperating. From somewhere buried deep in your subconscious, you have this vague itch of a memory of having tried, unsuccessfully, to change your passphrase. And what the hell, right? Why not - nothing else is working - so you type it in and it works.
Yes, folks, it took the IU system TWO WEEKS to register my passphrase change. But it isn’t just that - it’s that as far as I can tell, it’s only the library computer that’s bothered to notice. Email, Onestart, all that other stuff still happily accepts no substitute for the old one.
It occurs to me that this is the kind of thing that might tend to deflate one’s confidence in the security of a particular software system.
So - the moral of the story is this:
Dear People Responsible for Third-party Software Purchases at IU -
You are to your jobs what tubby 60-year-olds are to the world of stripping. You maintain a system the way Mike Tyson engages in foreplay. Your attention to detail is like unto a stick figure I would draw with finger paint.
Sincerely,
Someone Who Can Do Better