Step away from the security policy, sir
ONE OF THE THINGS I REALLY HATE ABOUT FACEBOOK is how dumb it makes people. I already kinda knew that, and saw no personal reason to sign up. I only created an account because my wife and kids bugged me repeatedly until I did. I have never sent an invite to anyone, although I have accepted them. An old boss who’s actually a real slug reached out to me. So have a few other colleagues whom I’ve never really hung out with. To me, that’s what LinkedIn is for.
But from the very beginning, I’ve always managed to remember that, once I’m connected to someone, they can see whatever I post. And I don’t post much, but when I do, BANG, it’s out there. I’ve gotten friend invites from some younger folks, mostly neighbors and friends of my kids. These I tend to ignore, since an older gentleman such as myself, though suave and debonair and upstanding, being friends with a young kid on Facebook is downright creepy.
Anyway, it annoys the ^#&$^ out of me that people who should know better use UNBELIEVABLE language in their Facebook posts when they KNOW who all can see it. This includes even relatives. And it’s not just the language itself, but the application of that language, to describe behavior and bodily functions and other things that should go unmentioned in public. I regularly, privately remind people, “Your nephew/niece/DAUGHTER can see this stuff. What are you thinking?”
And so I fall back on that old chestnut, “Just because you CAN doesn’t mean you SHOULD.”
I also can’t believe the poorly thought-out stuff I’ve seen as far as security policies.
I once put in some auth/AZ software at a large manufacturer where the partner proceeded to custom-code SO many auth policies that it took up to a minute to log in. They put in FIFTY-SEVEN policies, to be exact. And then when it blew up in load testing, the partner screamed and said, “Boy, is the customer ever mad at YOU. Your product is dying. Get somebody in here, fast.” And when we found out it was their crappy custom code that was killing everything, I made those clowns write a check for our T&E to parachute in on a Saturday.
And I’ll beat this one up again. If a site won’t allow strong passwords, such as ones with special characters in them, it’s usually because nobody bothered to put in a proper defense against SQL injection. The proper defense is not to ban characters at all: hand user input to the database as a bound parameter instead of pasting it into the query text, and store only a salted hash of the password so the password itself never gets anywhere near a SQL statement. Instead, they just ban any non-alphanumerics, which blocks the injection and every strong password right along with it.
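To make the point concrete, here is an added example (my own code, not anything from the original post) of the lazy design and the hardened one side by side, using the Python standard library’s sqlite3 and PBKDF2. The table names, the sample user and the round count are this example’s own assumptions. The lazy login pastes the password into the SQL text, so a password of <code>' OR '1'='1</code> logs in without knowing anything; the “ban non-alphanumerics” patch stops that and also stops every real password with a symbol in it. The hardened login binds parameters and compares hashes, so the same SQL-looking string is just a (bad) password guess, and a strong password full of quotes works fine.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumption for this example; tune to your hardware


def make_db():
    """Constructed in-memory database: one plaintext table for the lazy
    design and one salted-hash table for the hardened design."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users_plain (name TEXT PRIMARY KEY, password TEXT)")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


# --- the lazy design: plaintext passwords, SQL built by string concatenation ---

def create_user_lazy(conn, name, password):
    conn.execute("INSERT INTO users_plain VALUES (?, ?)", (name, password))


def login_lazy(conn, name, password):
    """VULNERABLE: the caller's bytes become part of the SQL statement."""
    sql = ("SELECT 1 FROM users_plain WHERE name = '" + name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_lazy_with_ban(conn, name, password):
    """The 'fix' the post complains about: reject any non-alphanumeric input
    instead of fixing the query. Blocks the injection and strong passwords alike."""
    if not (name.isalnum() and password.isalnum()):
        return False
    return login_lazy(conn, name, password)


# --- the hardened design: bound parameters, salted PBKDF2 hash ----------------

def create_user(conn, name, password):
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, pw_hash))


def login(conn, name, password):
    """Parameters never become SQL text, and the password itself never reaches
    the database: only its hash is compared, in constant time."""
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE name = ?",
                       (name,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, stored)


if __name__ == "__main__":
    db = make_db()
    create_user_lazy(db, "admin", "hunter2")
    create_user(db, "admin", "P@ss' OR 'x'='x")  # strong password full of SQL metacharacters
    print(login_lazy(db, "admin", "' OR '1'='1"))          # True: injected, no password needed
    print(login_lazy_with_ban(db, "admin", "' OR '1'='1"))  # False: banned...
    print(login_lazy_with_ban(db, "admin", "P@ss!"))        # False: ...and so is a real password
    print(login(db, "admin", "' OR '1'='1"))                # False: bound parameter, no injection
    print(login(db, "admin", "P@ss' OR 'x'='x"))            # True: special characters are fine
```

Note that the hardened version has no character filter at all: the only thing a password has to satisfy is a length limit before hashing, which is a denial-of-service concern, not an injection one.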
And hosting login off-site, the redirect dance of “Come to my domain, I’ll send you to another domain to log in, then I’ll see you right back here shortly,” often results in REALLY lousy performance.
This is why policy decisions should be peer-reviewed, and why at least one person on any committee should be somebody who picks up a magazine once in a while to see what the rest of the world is thinking. Security, unlike bodily functions, is everybody’s business.