Wednesday, March 25, 2015
Cyber security/defense is something fluid, there are ebbs and flows in attacks and countermeasures as networks adapt to evolving threats, and deal with users who do clueless things like leaving machines on, and logged on.
So, what occurs for those that do not either engage in cybercrime or display amazing negligence is that they are burdened with time consuming training (from multiple and not very well coordinated sources) or inconveniences that become onerous as they accrete. Case in point from my institution:
A few days ago all users were sent an email to the effect that all computers, including those in classrooms, will now be rigged in such a way as to log off after 15 minutes of inactivity, more precisely, after 15 minutes of lack of input from the user. So, for instance, if I am showing a video or film (as I do) or should I not move to the next slide in a powerpoint or engage the machine in some other way that counts as input, the machine will log off.
This is obviously going to run up against the typical rhythm of a classroom. Say you are lecturing or running a discussion, while using a Ppt. Should you NOT input during that time the machine will do this. Not quite a blue screen of death, but bloody inconvenient, and interrupting of the natural flow of discussion or lecture. You’ll have to log back in, call up the file, find your spot and resume. Not the end of the world, but disruptive.
If you are showing a film, ditto. You’ll have to log back in, find that film, then find the spot where you lost connection, and resume the show.
So, we receive an email informing us of this security measure. It suggests we wiggle the mouse periodically, in order to avoid the log off. A mouse wiggle counts as input. Inconvenient, and dare I say, something that will slip the mind of quite a few people in the middle of a class session.
Well, not too surprisingly, people began to look for ways to avoid this, some, while clever, not particularly wise, and word of this somehow made its way to the security team. A stern warning ensued, making clear to us that some of the methods under consideration,(brainchilds of the code-adept no doubt) in particular; writing “mouse jiggler programs,” fit the definition of “insider threat” that we have all seen in at least one of the pieces of required training. In no uncertain terms, this was forbidden. One can lose one’s account for such things.
So adapt we much.
No. No. That is not what I said. Resist we much not. We much not.
Why does all of this remind me of Cool Hand Luke?
I have this image in mind. It is a Tuesday or Thursday afternoon. Somewhere deep in the bowls of security central, there is a bank of monitors, each tied in with a classroom computer, one of which is mine. The monitors are being watched by a guy in aviator shades. It has been nearly fifteen minutes since my last input. He leans forward, the reflection of the monitor quite visibly reflected in the shades. You swear you can see him squinting, a hint of a smile.
14:58 ticks off. 14:59… then as I dutifully wiggle that mouse for the 5th time while showing a film, I mumble to myself, “shakin’ it boss, I’m shakin’ it.”