Spam filters suck

Author's note: Here's another little rant that's been sitting in my drafts folder for years. Twelve years, to be precise - I created this on March 28, 2007. That was toward the end of my "government IT guy" days.

I'd forgotten how much of a pain the internet filtering was. These days, I hardly think about it. The government job was the last time I worked anyplace that even tried to filter the web. And e-mail filtering hasn't been something I've worried about in a long time either. These days, the filtering is more likely to be too lax than anything else. And if something does get incorrectly filtered, you generally just go to your junk mail folder to find it. No need for the rigamarole of going back and forth with the IT people. It's nice to know that at least some things get better.

I'm really starting to hate spam filters. Specifically, our spam filters at work. And our web filters. In fact, pretty much all the filters we have here. Even the water filters suck. (Actually, I don't think there are any water filters, which, if you'd tasted the municipal water, you would agree is a problem.)

I asked a vendor to send me a quote last week. I didn't get it, so I called and asked him to send it again. I checked with one of our network people, and she tells me it apparently didn't get through our first level of filters. So she white-listed the sender's domain and I asked the guy to send it again. It still didn't get through.

As I've mentioned before, our web filters also block Wikipedia.

On opinions and holding them

Strong Opinions Loosely Held Might be the Worst Idea in Tech.  I think the name of that article pretty much says it all.

This is essentially something I've thought since I first heard about the concept of "strong opinions loosely held".  I can see how it could work in certain specific cases, or be mindfully applied as a technique for refining particular ideas.  However, that only works when everyone in the conversation agrees that that's the game they're playing, and that's not usually how I've seen the principle presented anyway.  Rather, it's usually described in terms more like "be confident in your opinions, but change your mind if you're wrong."  And that's fine, as far as it goes.  But it's far from clear that this works out well as a general principle.

To me, "strong opinions loosely held" always seemed kind of like an excuse to be a jerk.  Fight tooth and nail for your way, and if someone proves you wrong, oh well, you weren't that attached to the idea anyway.  It seems to fly in the face of Hume's dictum that "a wise man proportions his belief to the evidence."  Why fight for an idea you don't care that much about?  If you're not sure you're right, why not just weigh the pros and cons of your idea against the other options?

I suppose the thing that bothers me the most about it is that "strong opinions loosely held" just glorifies the Toxic Certainty Syndrome, as the article's author calls it, which already permeates the entire tech industry.  Too often, discussions turn into a game of "who's the smartest person in the room?"  Because, naturally, in a discussion between logical, intelligent STEM nerds, the best idea will obviously be the one that comes out on top (or so the self-serving narrative goes).  But in reality, nerds are just like any group, and getting people to do things your way is orthogonal to actually having good ideas.  So these conversations just as often degrade into "who's the biggest loud-mouth jerk in the room?"

I'm not sure how I feel about the article's specific "solution" to preface your assertions with a confidence level, but I do empathize with the idea.  My own approach is usually to just follow the "don't be a jerk" rule.  In other words, don't push hard for something you don't really believe in or aren't sure about, don't act more sure about a position than you are, and be honest about how much evidence or conviction you actually have.  It's like I learned in my Philosophy 101 class in college - to get to the truth, you should practice the principles of honesty and charity in argument.  Our industry already has enough toxic behavior as it is.  Don't make it worse by contributing to Toxic Certainty Syndrome.

A different take on password managers

I've posted several entries in the past about the benefits of password managers.  Well, I just read a very interesting article that also detailed some of the risks of password managers.

The article is by a security professional who offers a very good take on some aspects of password management that I've rarely considered.  For instance, using a password manager can very much entail putting all your eggs in one basket.  What if you get malware that steals your master password?  What if you forget the password?  That might seem far-fetched, but you never know - you could hit your head, have a stroke, or any number of things.  So in addition to security, there are things like recovery strategy to consider.

While I've been guilty of making blanket statements that "everybody should use a password manager," I now see that that's a mistake.  I still believe password managers are very good for many, if not most, people, but it needs a more nuanced assessment.  Depending on your risk profile and tolerance, you might want to avoid putting all your eggs in one basket.  You might want to avoid password managers altogether, use them only for low-value accounts, or perhaps use multiple password vaults to partition things by importance.

The point is that security is not a one-size-fits-all thing.  There are lots of use-cases and it's important not to get stuck in thinking that yours is the only one or even the most common or important one.  Consider the situation and the trade-offs involved before making a decision or recommending a course of action to others.

Yup, password expiration is dumb

I posted an entry a while back about passwords.  Well, turns out that Microsoft is no longer recommending rotating your passwords and is removing the password expiration policies from Windows.

So yup, I was right.

But really, what was the point of always changing your passwords anyway?  Well, I guess it does mitigate the possibility that a re-used password has been compromised somewhere else.  But what's the cost?  Users can never remember their passwords.  And since coming up with a good, memorable password is hard, they're not going to put in the effort.  Instead, they'll come up with some pattern that meets the minimum complexity requirements and just cycle through it.

Is this better?  I'm no expert, but it's not clear to me that it is.  If you want extra protection, there are better ways to get it.  For example, setting up two-factor authentication.  That's also a bit of a pain for users, but at least it provides more real protection.
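As an added example (not from the original post), here is the kind of check a defender could put in a password-change flow to catch exactly the habit described above: a "new" password that merely rotates the counter or season on an old one.  The password history and candidates are constructed sample values, and the normalization rules are a simple illustration rather than any product's implementation.

```python
import re
from difflib import SequenceMatcher

# Constructed sample history: the "cycle a pattern" habit expiration policies induce.
HISTORY = ["Summer2018!", "Summer2019!", "Autumn2019!"]

# Common character substitutions that keep a password "complex" without changing its core.
_SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to its pattern core.

    Lowercase it, strip the trailing digits/symbols that users rotate
    (2019!, 01, ##), undo common substitutions, then strip any leading symbols.
    """
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # drop the rotating suffix
    core = core.translate(_SUBSTITUTIONS)  # P@ssw0rd -> password
    core = re.sub(r"^[^a-z]+", "", core)   # drop leading decoration like "!"
    return core


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of how much two strings share, case-insensitive."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def is_trivial_rotation(candidate: str, history, threshold: float = 0.8) -> bool:
    """True if the candidate is an earlier password with only the rotating part changed.

    Two tests: the normalized cores are identical (Summer2019! -> Summer2020!),
    or the raw strings are still highly similar (Summer2019Work! -> Summer2020Work!).
    """
    cand_core = normalize(candidate)
    for old in history:
        if cand_core and cand_core == normalize(old):
            return True
        if similarity(candidate, old) >= threshold:
            return True
    return False


if __name__ == "__main__":
    for pw in ["Summer2020!", "$ummer2020", "Summer2020Work!", "correct horse battery staple"]:
        print(f"{pw!r}: trivial rotation = {is_trivial_rotation(pw, HISTORY)}")
```

A check like this rejects the cycled variants the post describes; it is a complement to, not a substitute for, dropping forced expiration and adding a second factor.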

And on a semi-related side-note, I'd like to point out that KeepassAndroid now integrates with Firefox Mobile.  I've mentioned this app in some previous posts about KeePass.  I do a lot of my non-work web browsing on my phone these days, so this app is really a necessity for me.  This new integration is really nice because it means I can now get the same user experience on both my laptop and my phone.  I just tap on the login box and get prompted to auto-fill the form.  Perfect!