During the last month, I attended two seminars in the Los Angeles area regarding
data security, or better yet, its absence in many system architectures currently
in production around the world. One speaker even went as far as showing us
various techniques for breaking into supposedly secure systems, with the
ultimate goal of warning us about securing systems we develop.
Without going through any details of what this particular speaker shared with
us, I was just thinking about three different experiences I personally had over
the past several years:
Experience #1
It was September 1977 and I had just started my graduate studies towards an M.S.
degree in computer science (and I won't mention the name of the university, for
the reason that you'll find out in a moment).
One of my first complaints about the logistics of that particular school was
that the students' parking lot was too far from the classrooms, while the
faculty parking lot was right next door.
Obviously, I did not have a faculty ID card, so getting to their parking lot was
out of the question. Right?
Wrong! While casually observing the faculty driving into their convenient
parking structure, I happened to notice that some of them didn't show their ID
to the parking attendant; they just waved at him and he would open the
parking gate for them, apparently since he knew them in person. So I said
to myself: "How can I pretend to be a faculty member?" (and I wasn't
the kind of person who would even think about acquiring a false ID card.)
The solution? I decided one day to change my outfit and, instead of the
regular T-shirt most students wore in those days, I put on a white shirt and a
dress tie. I then drove up to the faculty parking lot and, without opening
the window, just waved at the attendant. He nodded his head in approval
and opened the gate for me.
For the next 20 months that I was in graduate school, I wore a dress shirt and a
tie to school and always parked in the faculty parking lot.
Experience #2
About 15 years ago, I had a database development contract at a major corporation
in Southern California. The computer room at their building was so secure
that you needed to use a magnetic ID card and also sign in at the door, before
entering the computer room.
So one day, just out of curiosity, I asked one of the systems operators what
would happen if he forgot to bring his badge from home? Would he have to
go back home and get it, ask a manager to come and sign for him, or what?
His reply, to my amazement, was "None of the above!" He said, instead,
that there is a 2nd entrance to the computer room through the men's room, and
that door is unlocked!
Experience #3
Last week (August 2004), I was at another client location with a secure entrance,
magnetic badges and touchpad entry locks, etc. Once inside the facilities,
however, I noticed that the freight elevator went up to the secure floor, but
without any security locks. I actually tried it one day and was able to
use the freight elevator and get inside the secure floor, without requiring a
badge or using an electronic touch pad.
End of story.