Thursday, July 11, 2013

No Progress Bars in Hacking

I have played through the following scenario at least three times now.

Me: Hello Information Security, I need admin access to <server> for <amount of time> to complete <activity>. Would you be able to give it to me?

Info Sec: Thanks for the request. We'll get back to you.

<Time passes... usually longer than I requested the access for>

Info Sec: We don't feel you need access for <amount of time>. In our experience <activity> should only take a tenth of <amount of time>. How about we give you admin access for half of <amount of time>?

Me: *Grumble grumble* That's really not what I need. I won't be able to do my job if I don't have admin access for <amount of time> for troubleshooting.

Info Sec: Fine, you can have admin access for half of <amount of time> plus one day. Thanks!

I think info sec gets the idea from watching movies like Skyfall, where the computer guy watches a colorful map that shows what's been "hacked" with a countdown for how long the hacking will take.

They assume if I have a dastardly plan, and I requested two months of access, giving me access for five days less than that means my evil plot will get cut off just in the nick of time and everyone will be saved. Yay!

Any real computer person knows that if you wanted to damage a server or steal data, any amount of time over 15 seconds is probably plenty.

I know we all have to deal with security theatre, but it doesn't make it any less frustrating.