I got the following today in my email:
Workplace Security Check Pass
Why you are receiving this notification:
Peeter Joot, you have received this notice because your workplace was reviewed during an after hours Workplace Security Check. Your workplace passed the test. Workplace Security passes are reported to SWG Executives on a monthly basis.
I could enumerate many ways that security is busted in DB2 development here at work. In fact I wrote a big rant about security stupidity policy at IBM last week after having to crack root on some of our Unix machines since they don’t give us the required access anymore. I refrained from posting it since it was too sad — it was fun to write though.
However, I now pass the bogus checking that is reported to the executives. I failed last time for leaving blank scrap paper on my desk. I now hide my blank scrap paper behind a big cheerios box on my book shelf.
They also didn’t notice one of the security violations they got me for last time … leaving the key in my empty laptop docking station. A clever coworker was able to figure out how that could be a security risk (I couldn’t) : you could sneak in after hours, duplicate the key, and then steal the laptop later when I’m out of my cubicle on a bathroom or coffee fetching break. None of that is required of course since I never actually take the key out of the docking station to lock it when I leave my cube, also violating policy. Because of the security checking I took to hiding the docking station key under a coffee cup for a while when I left for the day (and know others who do the same).
Most of these checks are totally pointless IMO. The biggest and only risk in my opinion is insider action. Any student intern can walk out with all important bits of DB2′s source code on a USB key, and I’ll bet countless people in the lab leave home every day with the code on their laptops with easily cracked passwords. Has our code ever been maliciously acquired by a compeditor this way. I doubt it. Even if they got it, we have enough trouble figuring it out ourself. Without guidance, build infrastructure, design plans, regression and performance and system test infrastructure, and on and on, the direct utility of our code in vanilla state is somewhat minimized. That isn’t even counting the angry pack of vicious IBM lawyers that would be hunting you down if you tried to steal or sell or use the code in underhand ways.
I don’t know how corporate security works in other companies, but in mine it seems to be all about appearances. There are a set of rules defined that give some security executive a happy feeling. So long as everybody reports up the command chain that they are following the rules corporate security is intact and the security execs are happy. The rules don’t actually have to be followed and the enforcement is often not there, but management has to be told or pretend to be told that the rules have been followed and then everybody is happy.