Andrew Pollack's Blog

Technology, Family, Entertainment, Politics, and Random Noise

Professional Driver - Closed Course

By Andrew Pollack on 12/20/2005 at 09:32 PM EST

Ever seen those warnings? "Professional driver, closed course" or "Do not try this at home" --- It applies to I.T. work as well.

This is for all of you who think you can just give your users QuickPlace and leave them unsupervised. Folks, end users are the web-site equivalent of little children. Just because you give them a nifty tool, or a new bike, or a forty-five caliber automatic -- does not mean you can leave them unsupervised.

Today, I and many other people got an email from someone at a big company. He's working on a bit of fluff and wants to collect some general nonsense in an anonymous form. Now, I don't want to run down this person -- he's good at what he's doing. What he's not good at is geek-work like setting up anonymous forms with security and stability. That didn't stop him though, because he has QuickPlace.

So, this business-capable but non-technical end user created a form in QuickPlace and then set up a single userid and password. He sent the email out with the username, password, and the URL to the form. So, here's a list of the problems this caused:

1. The URL wasn't right. Didn't work. A few of us geeks figured out the problem and got past that.

2. Everyone had the same username & password -- this leads to the rest of the issues.

3. Anyone who clicked the link to edit their profile (me, for instance) reset the display name for that userid to their own name. That doesn't create a unique profile; the change is global, so every new questionnaire gets filed as if authored by that name. I saw two or three by "me" before I went in and changed the profile to something anonymous.

4. All the results of any form filled in by anyone are visible and editable by anyone who got the email.

5. All the other documents in that QuickPlace are available, including things I'm fairly sure are not meant for external distribution.

Again, people -- these are tools, not toys. A good, truly anonymous form done in a Lotus Domino database can be ready in 5 minutes. In 10 minutes you can make it look pretty. Anonymous users can use the form, a reader-names field for the admin role gets applied at save time, encryption is applied just for the heck of it with one click, and bingo -- secure, anonymous data collection.
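As an added illustration (not code from this post, and not Domino's own API), here is a small Python model of the two setups described above: the shared-login form from the numbered list, where everyone who got the e-mail is the same principal, and the Domino-style anonymous form, where Anonymous may only deposit, the server stamps a Readers field naming the admin role at save time, and the stored answers are encrypted. The role name `[FormAdmin]`, the principal names, and the SHA-256 counter-mode keystream standing in for Domino's document encryption are assumptions made for the model.

```python
import hashlib
import os
from dataclasses import dataclass

# Hypothetical role; in Domino this would be a role defined in the database ACL.
ADMIN_ROLE = "[FormAdmin]"


@dataclass(frozen=True)
class Principal:
    """Who is making the request: a user name plus the ACL roles they hold."""
    name: str
    roles: frozenset = frozenset()


ANONYMOUS = Principal("Anonymous")


@dataclass
class Document:
    doc_id: int
    readers: tuple      # Readers field, stamped by the server at save time
    nonce: bytes
    ciphertext: bytes   # encrypted answers; note there is no author/submitter field


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode). It is here only to show that
    the stored bytes are useless without the admin key; a real deployment would
    use Domino's own document encryption, not this construction."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


class AnonymousFormStore:
    """In-memory model of a Domino database whose ACL gives Anonymous
    Depositor access and whose form stamps a Readers field on save."""

    def __init__(self, admin_key: bytes):
        self._admin_key = admin_key
        self._docs = []

    def submit(self, who: Principal, answers: str) -> int:
        # Depositor semantics: anyone, Anonymous included, may create a document.
        # The submitter's identity is deliberately never written into the document,
        # so a named user's response is exactly as anonymous as an Anonymous one.
        nonce = os.urandom(16)
        plaintext = answers.encode("utf-8")
        ciphertext = _xor(plaintext, _keystream(self._admin_key, nonce, len(plaintext)))
        doc = Document(
            doc_id=len(self._docs) + 1,
            readers=(ADMIN_ROLE,),   # the server decides who may read, not the client
            nonce=nonce,
            ciphertext=ciphertext,
        )
        self._docs.append(doc)
        return doc.doc_id

    def visible_to(self, who: Principal) -> list:
        # Readers-field semantics: a document carrying a Readers field is
        # invisible to anyone whose name or roles do not appear in it.
        allowed = who.roles | {who.name}
        return [d.doc_id for d in self._docs if allowed & set(d.readers)]

    def read(self, who: Principal, doc_id: int, key: bytes) -> str:
        if doc_id not in self.visible_to(who):
            raise PermissionError(f"{who.name} may not read document {doc_id}")
        doc = self._docs[doc_id - 1]
        stream = _keystream(key, doc.nonce, len(doc.ciphertext))
        return _xor(doc.ciphertext, stream).decode("utf-8")


def demo() -> dict:
    """Contrast per-user identities plus a Readers field with one shared login."""
    store = AnonymousFormStore(admin_key=os.urandom(32))
    admin = Principal("CN=Form Owner/O=Example", roles=frozenset({ADMIN_ROLE}))
    employee = Principal("CN=Some Employee/O=Example")

    store.submit(ANONYMOUS, "I think the new policy is fine.")      # constructed sample
    store.submit(employee, "I disagree with the new policy.")       # constructed sample

    # The shared-credential case from the post: everyone who got the e-mail logs in
    # as the same identity, so whatever that identity can see, everyone can see.
    shared_login = Principal("survey", roles=frozenset({ADMIN_ROLE}))

    return {
        "admin_sees": store.visible_to(admin),
        "anonymous_sees": store.visible_to(ANONYMOUS),
        "employee_sees": store.visible_to(employee),
        "shared_login_sees": store.visible_to(shared_login),
    }
```

The point the model makes is that the access decision is attached to the document by the server (the Readers field) and keyed to a role, not to whatever credential the client happened to present; a single shared login collapses that distinction, which is why everyone who received the e-mail could see and edit every response.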

When you need a geek, get one. Don't try this at home.



I blame software vendors (IBM) for this...
By Karen Hobert on 12/21/2005 at 01:25 PM EST

Like children, if you go around telling customers they can do anything an adult Geek can do then you get shit like this. After that it's like talking to a teenager when Geeks try to explain to customers that they really need us. "Yea but..." Sigh.

I don't blame the poor user, he was walking on thin ice when he was told it was solid. Where was the Adult Supervision at IBM when the QuickPlace interface was created? This problem couldn't have been prevented ahead of time?

I agree users get into the darndest things. However, IMHO, I believe this situation is the equivalent of neglect on the software design end.

Your help/assistance was software therapy. "So how does that make you feel?"
My own thoughts on this are...
By Rob on 12/22/2005 at 05:37 PM EST

Not sure I agree 100% with Karen in this instance...the big issue was one of authentication and its effect on use cases, not QuickPlace's bad handling of it that could have been designed out. You can never prevent a user from sending out one URL, name and password, and it'll inevitably be a bad idea regardless of the software. It just happens to be more of a bad idea in QuickPlace with its end user management facilities.

Educate educate educate. Or at least, if you give people powerful tools, have them check with you on new ideas!
Oh yes, very true ......
By Jens on 12/22/2005 at 04:18 AM EST

Jens

