Episode 3 – The Security Team

Lars Effendic had the general demeanour of a Bond villain and the personality of a filing cabinet. Add to this the warmth of a penguin’s arse and Margaret Thatcher’s humanity and it is not hard to see that Lars was born to work in IT Security.

As a child his first word had been “no” and he still found it impossible to say “yes” without adding “but” to it. Lars sat on one side of the table in the meeting room and Dave Starling sat on the other. Alongside Dave was Chris Tackle, his lead developer. Chris wore his standard issue XXXXL tee shirt which looked like it should have been sold with tent pegs but was still visibly struggling to perform the role it had been given. This particular tee shirt had an AC/DC album cover on it.

Not having much luck at establishing himself as the leader of the team, Dave had decided to give it a rest for now and focus instead on delivering his latest project. Between him and success sat Lars Effendic.

“How many firewalls are there in your design?” Lars asked.

“Three,” replied Dave.

“Not enough. Our new policy requires all applications to have six zones.”

“Six?”

“Six. Firstly, there is ZPI. The zone of probable intent.”

“You mean the internet?”

“That’s not what we are calling it now.”

“It’s very hard for us to keep up when you keep giving new names to things that already had perfectly good names.”

“Security aren’t the only ones to do this you know.”

“True. Okay, what are the other five zones?”

“External buffer zone. Internal buffer zone. Trusted application zone. Trusted middleware zone. Trusted database zone.”

Dave looked blankly at Lars. “Can I ask you a question?”

“As long as it relates to work.”

“How many front doors does your house have?”

Lars looked at him as if he had been asked a trick question. “Main concrete outer door with three deadbolts and a Yale lock. Inner steel door with biometric thumbprint. Only one door can be open at a time. Cameras covering all angles. Sniffer equipment in inner zone to detect explosives.”

“Silly question. I have one front door, like everyone else, and two zones. Outside and Inside.”

“Well, if you get robbed by hackers, don’t come crying to me.”

Dave realised he wasn’t going to win. “Okay, we’ll put in the firewalls. Anything else?”

Lars gave a massive toothy grin. “Plenty.”

So far Chris Tackle hadn’t said a word, but at this point he let out a long slow fart.

“Sorry folks.”

Lars looked vaguely repulsed.

“Actually,” Chris continued, “I better go and check that one.”

As he got up to leave, Dave said, “Could you leave the door open please, Chris.”

Once they were alone, the tone changed completely. Lars leant across the table with his fingers interlaced in a menacing manner.

“Look,” said Lars, “this isn’t your first rodeo. You know how this works, and since, for some unknown reason, I quite like you, I’m willing to go easy on you.”

“I’m listening.”

“I have five demands. If you agree to four of them, I’ll let you off with the last one. You can choose which.”

“Okay, what have you got?”

“The firewalls. Two factor authentication. 512-bit encryption keys. Data Masking and Log Shipping.”

Dave thought for a minute. “I get the firewalls. Two factor authentication – you just want to make it harder for people to get into my application. I understand that. The 512-bit encryption is just a number you pulled out of your arse.”

Dave was watching Lars to see which of these things he cared most about so he could pick that one to go on the exception list. Lars wasn’t biting.

Dave continued, “You know we are using 128-bit encryption, which is almost impossible to crack. You could suggest doubling that to 256, but you start at 512 in the hope we’ll see if 256 will be enough. All it does is slow down our application and increase the amount of disk space we need.”

“No sub-negotiations,” said Lars. “You can either opt to drop the encryption, or it has to be 512.”

“Okay, what are the other two?”

“Data Masking means that any important data that you show on the screen must be blanked out by default and the user has to explicitly click on it to see what is in that field.”

“For fuck’s sake. So they ask to see some data but I have to say ‘here you go, but you can’t actually see it unless you click on another button for the final reveal’. Do you want me to ask them if they are really, really sure as well?”

“It’s security best practice. Take it or leave it.”

“What is Log Shipping, apart from what I think Chris might be up to given how long he’s been away?”

“All security related logs get sent to another server, so they can’t be tampered with.”

“We don’t have access to change the logs on our production server, so what is the point?”

“Best practice.”

“Okay. I will choose not to do…”

Lars waited, and waited.

Dave looked like he was mentally rolling a dice. “I choose not to do two factor.”

“You can’t. That one’s mandatory.”

“Why did you put it on the list then?”

“I didn’t think you’d choose it. Try again.”

“Data Masking. That one is seriously fucking stupid.”

“It’s a deal.” Lars extended his hand and the two men made a dubious arrangement in which the users of the application were the only obvious losers.

Lars smiled, “I’ll send you my report by Friday.”

At that moment Chris returned. “Did I miss anything?”

“Not really,” said Dave. “Just the beginning of the end of society as we know it.”