The Back to my Mac security semi-issue reminds me of something that happened at my last job. I don’t feel like writing out all the details, but you’ll understand the point.
A senior employee shared her password with another employee who was then released, and the released employee created a security incident. When this was brought to the attention of the network admin team (me and one Other Person), we had two ideas for preventing the problem in the future.
Long ago, I learned to differentiate between technical problems and personnel problems. This case definitely seemed like a personnel issue to me: If you share your password and we find out it causes a security incident, you’re fired. Don’t share your password.
The Other Person, however, had a different idea. This is where it gets hairy. Originally, there were two different checkpoints where the released employee would have been prompted for a password. The senior employee had used the same password for both checkpoints, so getting past them was easy. The Other Person decided that the senior employee’s password for checkpoint one should be reset to something else, and then her software set to automatically login to it. The password for checkpoint two should be changed, but without automatic login. Then, senior person was expected to forget the password for checkpoint one, thereby disabling her from sharing it, and all was secure.
Let me state that again in case you didn’t catch it: It was considered good security to set a password a user was supposed to forget so she couldn’t share it.
I resisted this idea. The real issue here was that someone shared a password when they shouldn’t have, and that was being completely ignored. We could layer a thousand passwords throughout the network, and if she shared every one of them, we’re right back to the beginning. Again, not an issue with technology, but an issue with personal behavior. The solution was to make it clear to this senior employee that sharing her password again would result in termination.
No. The Other Person wouldn’t hear of it. There must be a technical solution to this problem. I tired of arguing because I knew the people just above us would agree with him and order it done because of the buddy system that existed in that office. And I was right.
Some time later, the Other Person was promoted to management (surprise!) and I left the company for greener pastures.
What does this have to do with Back to My Mac? If I’m reading the descriptions correctly, only users that have entered their .Mac passwords into accounts other than their own are affected. If you’ve kept your .Mac password contained in machines and accounts that are under your direct control at all times, there’s no issue. I wanted to use this story to illustrate that the real security failure is not a lack of authentication layers (even ones you’re supposed to forget), but a lack of password-handling sense.
Loading …
My .Mac Web Gallery
Recent Comments