IT-DISCUSS Archives

June 2006

IT-DISCUSS@LIST.UVM.EDU

Subject:
From: David Houston <[log in to unmask]>
Reply To: Technology Discussion at UVM <[log in to unmask]>
Date: Thu, 1 Jun 2006 07:34:36 -0400
Sounds kinda serious!

 	David Houston
 	University of Vermont
 	Phone: (802) 656 2013
 	**
         "You are nestled in our hearts forever"
         **

---------- Forwarded message ----------
Date: Wed, 31 May 2006 15:19:11 -0700
Subject: CAF: chronic authentication fatigue

On May 31, 2006, at 2:08 PM, John C. Welch wrote:
> On 5/31/06 15:54, "Chris Adams" <[log in to unmask]> wrote:
> 
>>> No, because proper user training and education is a critical, possibly *the*
>>> critical component of any security plan. If you try to implement any form of
>>> security without user training, you're doomed to failure.

CAF, or chronic authentication fatigue, is an increasingly widespread 
affliction that's causing alarm among the sysadmin community.  The problem 
is expected to worsen as soon as four billion Vista users are forced 
(forced!) to enter their username/password for everything (everything!).

CAF attacks the autonomic nerve system; the afflicted have their reflexes 
confused to the point they hit "OK" without reading on-screen messages and 
dialogue boxes. As if controlled by some strange virus, they click the 
throbbing blue "OK" button without fail, each and every time it appears. 
Nothing can slow them down; they neither pause nor reflect. Their username 
and password is entered -- for the tenth time since lunch -- without fail, 
whenever asked.

One early symptom of CAF is the refusal to read "Terms of Agreement" and 
"User License and Warranty" messages. Here, the individual agrees to 
anything, all the time, every time. They believe they have developed 
prescient knowledge. When asked what they just agreed to, they declare, "I 
already know what it says. Just hit the OK button."

When asked about this new condition, Kathi, a representative from the 
Admissions Office, said, "Look, every day, I get nagged about some 
Microsoft Office update, so I entered my username and password just to 
shut the damn thing up. So then it put some log file here in my hard drive 
icon. See? So when I went to go delete it, I had to enter my username and 
password. Again. Then the next thing you know, I opened a Word document 
and it gave me some message about whether I wanted to open Word. Well, 
duh. Of course I do. So I hit the OK button. I mean, what am I supposed to 
do?"

Janice from Purchasing adds, "It's kinda like whack-a-mole. Every time I 
want to do something, it says, 'are you sure? are you sure?' -- and I keep 
hitting 'OK' a billion times. I have to enter my username and password 
here at the university, it must be, fifty times a day. Seriously. So I 
just do it, because otherwise, I can't get any work done."

"Clearly, this is a case of CAF," says the systems administrator. "We gave 
them handouts. I'm not sure what the problem is. We posted our security 
policy on our intranet. I even sent out an e-mail. Mark, over in the 
Windows group, put some Dilbert cartoons near the coffee maker to lighten 
the mood, but to, you know, spread the word. He put them up there to 
remind users not to blindly hit "OK" every time they're asked. They're 
kind of funny. The cartoons, I mean."

Security experts are stumped. "We're not sure what to do, other than just 
keep on warning people with these dialogue boxes and making people enter 
their username and passwords. We're baffled. But I mean, heck, I don't 
even read those terms of agreements, even the ones that make me scroll all 
the way down, like as if I read it or something."
