Common Sense

Does anyone really think that sneezing into your arm is common sense? I suspect that if you do you must have small kids and have been trained by some sort of Elmo video. I don’t recall any mass agreement on sending snot flying into my shirt sleeve as a method of good hygiene.
At Shmoocon Bruce Potter compared the common sense of sneezing into your sleeve (to him apparently a good thing) with common sense security steps. Maybe he’s right, a password policy is kind of like getting snot all over yourself.
My notes seem to have mangled the opening remarks from Shmoocon 2010. The general summary is that it’s a waste to spend a boatload of money on security when you don’t have your policies and procedures clear. You’ve got to start with the basics.
A password policy needs to be applied consistently across all systems. Often the development systems get compromised first and are then used to hop back across to the production systems. The dev systems need the policy as well.
Network segmentation is important. Soft gooey center anyone?
Auditing. If you aren’t watching, how do you know something bad happened?
We laugh at the TSA, but they have far less fail in their results.


  1. I can’t find the email (ha ha ha) but the ‘sense’ here is that you haven’t just sneezed germs all over your hands, but you have still prevented most of your hazmat aerosol from escaping.
    “Defense in depth” is more akin to “dress in layers”.

  2. Dear Mr so and so,
    Of course it makes sense. It’s better than spraying all around you with potential viral or bacterial infection.
    Yours in common sense,
    Montana John

  3. I think your pretense of courtesy is rather deflated by calling me Mr So and So.
    The alternative to using your suit as a snot rag isn’t letting it fly. It’s using your hand and then washing it in cases where a tissue or napkin is unavailable.
    The point is that Sebelius was widely mocked for lecturing a reporter on the subject. If it was a widely held belief that our long sleeves are emergency Kleenex, that wouldn’t have been the case.

  4. Policies and procedures are great but if you don’t have an awareness program in place then the weakest link in your security system becomes the people. I believe it was someone from Cisco that coined the term “human firewall”. For example, having a password policy (or standard) without letting people know about the need for security and basing that need on their business needs is a recipe for failure.
