BOFH: Can't you just ... NO, I JUST CAN'T
Taking exception to exceptional exceptions
Episode 11
"EVERYONE IS A F**KING EXCEPTION!" the PFY snarls - beating me to the very same exclamation by nanoseconds.
"What do you mean everyone is an exception?" the Boss asks.
"It's the life of a bloody systems admin, people want you to make exceptions for them!" the PFY shouts. "Passwords, web filters, extra file space. People want us to bend the rules."
"But it's just some letters!" the Boss replies, feigning reasonableness, if there is such a word - and as if it could be applied to the Boss anyway.
"And there's the tell-tale sign!" I snap, beating the PFY to THAT exclamation by nanoseconds.
"The.. tell-tale sign?"
"Yep. The word 'JUST'. By using it you assume that what you're asking for is a reasonable request - a couple of simple clicks of the mouse, a tap on the keyboard, and everything's hunky-dory. But it's bloody not!"
"But look, isn't changing the password strength rules for one chap just a couple of clicks?" the Boss asks.
"Of course it is, but that's not the point," I say. "You do that and it affects the security of the entire domain. A longer password makes it unlikely that someone will use their initials twice. Forcing them to use at least one number stops them from just using a plain password, and forcing them to use at least one letter stops them from using their home phone number. But it's not about the password, it's about domain security."
"Could you just make an exception for them?" the Boss asks.
"You did it again," the PFY observes.
"Used the word 'just'. Remember, if the word 'just' is in a sentence it's an unreasonable request. And we don't make exceptions."
"BECAUSE EVERYONE'S A BLOODY EXCEPTION!"
"You said that, but what does it mean?"
"Look, I change one guy's password complexity and the next thing I know someone else will want me to change their password complexity."
"But this is a special case!"
"THEY'RE ALL SPECIAL CASES!" the PFY SHOUTS.
"What my assistant is trying to communicate," I say in calm tones, "is that if I make an exception for this bloke some other basket case will want me to change their password complexity - for a reason they think is a special case too - like they're allergic to using number keys or they've got some special-needs keyboard that makes it harder to use the shift key. Then the next person will come in saying that they can't mix upper and lower case on religious grounds and before we know it the only password people will be able to use is 'A'."
"Or Enter," the PFY says.
"I don't.." starts the Boss.
"Then we'll get some dorky bean counter who wants us to increase the size limit on email messages - JUST for a day - to 50MB so he can send some work home. Only he'll want it again next month and the month after that, and twice in March and April, and then comes the inevitable question: why don't we just leave it at 50MB because he needs it after hours too?"
"Is it that unreasonable?" the Boss asks quietly.
"Yes, it is. It never sounds unreasonable at first, but the mess it causes is."
"I still don.."
"Let me tell you about access control. We have divisional groups, departmental groups and project groups. We have folders on our file-share machine with hierarchical access control based on those groups. And then we have someone who isn't in any group because he's a contractor. And he's only supposed to have access to one file buried in the hierarchy of files.
"Then there's another file in a completely different location. And another. Then he leaves, but he might come back, but no one knows when and so we make an exception for that special case and leave his account open without disabling or expiring it.
"The department head concerned says he'll let me know when the access can stop. Then the guy doesn't come back but another contractor does, and he needs access to different files, all in different places - but not the same files.
"Then the original guy comes back - but now he needs write access to files. And web access to our internal portal - but only certain parts. And he's using an iPad with a shite implementation of Excel, and they need him to be able to synchronise his spreadsheet with the data in one of those files he has access to... through Dropbox - but only on the day before the close of accounts for the month.
"And then the second guy needs the same thing, but he can't use Dropbox because his firewall won't let him because, oh I don't know, it's green and not a black firewall. And he's got three cables coming out of his box, so anyway if we could just give him FTP access to the server then that would be grand. The department head who originally authorised this left six months ago and no one really knows if the first guy's still working for us or not, but he should probably still have access just in case. THAT IS WHAT EXCEPTIONS ARE!"
"Yes, yes, I see your point, but really this is just about one person's password-" >kzerrt!<
"That was just a bit of voltage," I say. "This is just a roll of old carpet. This is just a spade and those are just bags of lime. This is just a map of abandoned forest trails with vehicle access. Ordinarily I would treat this like every stupid and uninformed request and just ignore it - BUT IF YOU WANT - I can make an exception in this case. Is that what you'd like?" ®