Log in

No account? Create an account

Previous Entry | Next Entry

Counterproductive Security Measures

Originally published at BunkBlog. You can comment here or there.

The base computer network seemingly doesn’t trust any security certificates from any signing authority other than Verisign. This means that every web site that uses any other registrar (which is to say, a truly stupendous number of sites) gets an error message that the site’s security certificate cannot be verified to a trusted issuer. This happens with my company timecard system, as one rather important example. Since the network doesn’t trust Entrust or others, this means there is no way to be sure that the sites I connect to which are not Verisign-approved are real sites or phishing expeditions. This means that every site which is not Verisign-approved is a giant red beacon of “ignore this security warning because it’s really not a problem after all.” Every non-Verisign site adds one more item to the list of things to ignore which good security practices tell you NOT to ignore.

Although the Air Force has decided (for reasons which escape me) to allow Youtube and Facebook access on-base (but not Google Plus or even Google Calendar), this week Flash is broken. This is a security configuration issue, as the flashing error bar on the top of the page says the addon has been disabled, not that Flash is literally broken. So, one more flashing error bar to add to the list.

Again, this just encourages users to assume that every error message is, in fact, in error itself. If we get inundated with false positives, we are being trained to ignore actual positives. This also applies to the wave of “helpful” messages which greet us whenever we log in; I challenge any user here at Goodbuddy to honestly claim they read those every time they log into the network. Just more noise to ignore, and train people to ignore all messages because most of them are trivia or wrong.


( 5 comments — Leave a comment )
Jul. 13th, 2011 12:04 pm (UTC)
Gary, regarding the Flash thing - if you check the plugins list, do you see it? I did a line by line compare with the airman sitting next to me who had that problem, and it wasn't even installed in his browser. He was on the phone with Comm at the time, and added that factoid to his tale of woe.

I find it amusing that opensource.gov gets the cert error. And you're absolutely right. I click through it.
Jul. 13th, 2011 12:17 pm (UTC)
Adobe Shockwave ActiveX control is present and accounted for. The error message we've been getting is not that there is no Flash, but that it has been purposely blocked by security settings. Settings, of course, that we have no control of and our local network shop is in some other county or state now...*sigh*

We have to ignore errors in order to actually get any work done, yet ignoring errors is counter to all good security practices. We're being thoroughly trained to be security risks, and we'll carry those behaviors to other networks and systems that aren't so horribly misconfigured, thereby actually BECOMING computer security risks somewhere down the road. It's stupid.
Jul. 13th, 2011 10:00 pm (UTC)
I'm glad to see the AF is still maintaining the high standards of computer security and general IT competence they held back in my day.
Jul. 13th, 2011 11:24 pm (UTC)
With their new-ish policy of centralizing all help desk responsibilities, the local people are almost guaranteed to be incompetent. They aren't allowed to handle anything complicated, and therefore never get the experience to handle anything more complicated than "install printer driver" or "replace bad hard drive."
Jul. 14th, 2011 12:11 am (UTC)
That's pretty much the way it was ~15 years ago, at least for me. One of my secondary duties was "computer systems security NCO" for the base ER, which was a source of endless frustration for me because I wasn't allowed to make any of the fairly basic fixes our computers needed by myself; I had to go through the hospital's centralized IT department which was, I swear to God, staffed by people who enlisted because they couldn't cut it at the University of Phoenix or ITT Technical Institute.
( 5 comments — Leave a comment )