Harmful Security

I’m in line at the guard post. The lady at the front desk is in her 50s. She speaks German on the phone, then English to the person in front of me. She then asks for my ID in French. I glance around the room. Security guards are keeping the entrance and the exit. Outside the bunker, a gate is also heavily guarded by employees who filter out the small amount of cars allowed to go through.

– Who are you here to see?
– Joseph Leblanc (name changed) from the flight performance department.
– Let me call him in. Please have a seat until he comes to pick you up.

Outside, people pass through one-way gates, using electronic badges to go through. The gates only leave room for one person at a time. Even if they tried, security officers carefully watch what comes in and out. One message is clear: security at Airbus is not taken lightly.

Today is July 1st, 2006 in Toulouse, Southern France. Joseph arrives, smiles and greets me as we shake hands. He then goes to the front-desk, signs a bunch of forms and I trade my ID for a temporary badge.

The M01 building is on the left. It’s shaped like a figure eight. Joseph uses his badge to open the front doors. We take the elevator to the 3rd floor. I get a bunch of forms letting me know that I’m forbidden to carry any USB key or external storage device from outside the premises. I cannot bring in my own laptop and cannot bring home anything from Airbus. Those caught with sensitive data will face suspension.

I arrive at my desk and turn on my desktop computer, excited to discover what hardware I was provided.

Crap, it’s at least 5 years old. I sigh and as I greet my new teammates, I notice something intriguing: some keyboards have sticky notes next to them. It appears to be some sort of serial number for each computer…

Back at my desk, I am asked to enter my first password. Not just any password. Ten chars minimum, with a required mix of numbers, letters, uppercase and special characters. It takes me a good minute to think of a solid password I can remember. Done. I then try to install Visual Studio. No admin privileges. “Oh, you can’t install anything on your machine, we have to issue a ticket for that.” We do. 2 hours later, some guy from the outsourcing company remote-desktops to my machine, opens up the network folder and installs Visual Studio. 1 hour of installation passes by.

I go on the internet and start browsing developer forums, but most of the time I am greeted with a “Forbidden Site” intranet page. With time, I realize that the blacklist of forbidden URLs is huge. I am told that “it’s a security measure for everyone, to ensure that no one downloads a virus.”

As the days go by, I notice that people regularly change the serial numbers on their stickers… And within just a few weeks, I am greeted by the system for a new password. Already!? Yes, passwords change very frequently here. Security Measure. When working on things as sensitive as the upcoming A-380 airplane flight data, a lot of precaution is taken. I talk with someone about using a rotation number, but they apparently received a security warning regarding that behaviour.

It takes me 2 minutes to create and memorize a new password. Deep inside, I actually have no desire to memorize it, knowing that within a few weeks it will already be obsolete. As a result, I often mismatch it with my first password. With time, I finally manage to forget the first one and remember the second one. And then before I knew it, it was back: “Change password.”

No, I don’t want to memorize yet another password, you stupid fat-bordered dialog. Luckily, there’s no harm in me carrying the password on me. I take a pen and write down a random password on a sticky note, which I then put in my wallet. The process quickly becomes tedious. I am constantly taking it in and out of my wallet… One day, taken by other thoughts, I put the paper back directly in my pocket, outside its protective wallet. The washer seizes the opportunity and destroys the note before I can realize it.

The next day, I’m of course unable to find the yellow piece of paper. It’s OK, I’m pretty smart, I managed to remember it. “Account locked”. Guess not. Time to talk to my superior.

Joseph: “Aie, that’s not good… OK let’s call IT support and see if they can reset your password”.

We call in. I explain my situation and indicate that I find all the security measures a bit extreme.

I receive a sermon on how critical and sensitive all the data is, as well as why all the security measures in place are so important and shouldn’t be taken for granted. The guy is clearly in a bad mood. Either he’s just really French, or I’m not the first one having password issues. He finally resets my password. I get back to my computer, hoping he will choke on a croissant at the next breakfast.

I attempt to log on. And there it was again, smiling at me like the clown who never dies in horror movies: “Change password”.

Sorry, but I’m done. I take a sticky note, write down a new random password, and put the sticky note under my keyboard. Another serial number. Guilt and remorse start kicking in. I kick it right back in the face through idiotic self-justification: “who cares anyways, it’s always my team in that open space… everyone does it… it’s ridiculous, they asked for it…”

And there I was, creating yet another flaw in a system designed to be so secure. The security’s absurd rigidity had become its biggest vulnerability. It was just a start, as I couldn’t work properly with so many websites blocked. I didn’t feel protected, I felt in jail and compelled to get out.

7 years later, I have become a security software engineer. I look back at those times and regret my irresponsible behaviour. I have empathy for the IT guy who was doing his best to educate the employees about the importance of security. Having strong passwords, changing them often, enforcing strong security policies, mastering what is done by the users, etc. are all somehow necessary evils. And yet, having personally seen so many sticky-note passwords around me, I cannot wave away the thought: Creating the most secure system without focusing on its users is like looking for the strongest cement for a house built on the San Andreas Fault.
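As an added illustration (not code from this post, nor anything Airbus ran), here is a Python check that encodes the complexity rules described above (ten characters, mixed case, digits, specials) together with a similarity test that would flag the “rotation number” pattern the post mentions; the similarity threshold and the trailing-counter heuristic are my own assumptions, and they show why a policy can only reject the lazy change, not make the user remember the new secret.

```python
import re
import string
from difflib import SequenceMatcher
from typing import List, Optional

MIN_LENGTH = 10        # "ten chars minimum", as described in the post
MAX_SIMILARITY = 0.75  # assumed threshold: this close to the old password is "too close"


def complexity_failures(password: str) -> List[str]:
    """Return the complexity rules the password misses (empty list means it passes)."""
    checks = {
        f"at least {MIN_LENGTH} characters": len(password) >= MIN_LENGTH,
        "a lowercase letter": any(c.islower() for c in password),
        "an uppercase letter": any(c.isupper() for c in password),
        "a digit": any(c.isdigit() for c in password),
        "a special character": any(c in string.punctuation for c in password),
    }
    return [rule for rule, ok in checks.items() if not ok]


def _strip_trailing_counter(password: str) -> str:
    """Drop a trailing run of digits, the usual place a 'rotation number' lives."""
    return re.sub(r"\d+$", "", password)


def is_trivial_rotation(new: str, previous: str) -> bool:
    """True when the new password is the old one with a bumped counter or a minor edit.

    Comparison is case-insensitive so that flipping a letter's case does not count as a change.
    """
    a, b = new.lower(), previous.lower()
    if _strip_trailing_counter(a) == _strip_trailing_counter(b):
        return True  # same stem, only the counter moved (or nothing did)
    return SequenceMatcher(None, a, b).ratio() >= MAX_SIMILARITY


def evaluate_change(new: str, previous: Optional[str] = None) -> List[str]:
    """Problems a password-change dialog would report; empty list means the change is accepted."""
    problems = complexity_failures(new)
    if previous is not None and is_trivial_rotation(new, previous):
        problems.append("too similar to the previous password (rotation number or minor edit)")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    print(evaluate_change("Airbus!Summer02", previous="Airbus!Summer01"))
```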
