Jeffrey Veen

Social Security

I work at a big company now, and that means I wear a little plastic ID badge with my picture on it. I can use this to beep through locked doors and get into buildings on the corporate campus.

Recently, a bunch of signs were posted on locked doors saying "No Piggybacking - don't let people in without a badge." I'm guessing this is a way of increasing security. I shouldn't let anyone come in when I open the door if they don't have a badge.

Except that I don't want to enforce this. If I open a door and someone steps in behind me and isn't wearing a badge, what should I do? Should I tell them not to? And what if they come in anyway? Am I supposed to physically stop them? Should I call security? Frankly, the whole thing is so socially awkward that I do nothing.

I have a friend who does network administration for large companies. Years ago, he got a frantic call from a Vice President in Marketing saying he was in Japan, standing in front of a room full of people, and his password wasn't working. He had the login name, and even mentioned his assistant's name and how he couldn't reach her. "Quick! Could you just reset my account before this whole deal goes to hell?"

Later, when the FBI came to interview my friend, he found out he'd been socially hacked by the infamous Kevin Mitnick. Modern thieves, it turns out, don't need packet sniffers or brute force attacks to be successful. The weak link is usually just a person who already has access. Social engineering can be way easier than the technical variety.

Security is really hard, and I was reminded of all of this when the piggybacking signs went up at work. Even the most advanced systems can be thwarted by people just wanting to be friendly.


This entry was written by Jeffrey Veen and posted 10 August 2006 at 9:57 AM. It was filed under Technology.

Comments
1. On 10 August 2006 at 10:53 AM Steve Portigal wrote:

Interesting design opportunity. First off, the signs. Aren't those always a ridiculous post-hoc attempt to change behavior, and suggesting that it's probably already too late, that the behavior that is desired isn't occurring because it isn't natural or easy (or worse, as you describe)?

Second, the redesign of the doorway. What's a doorway design that wouldn't turn the place into a fortress but that would help social-reengineer the interaction?

Chevron has turnstiles and revolving doors between buildings that only allow one person at a time, but I agree that the holding-the-door interaction is an important one, but what would be a mechanism (physical or otherwise) that wouldn't require you to be a security agent but would enable both you and the rushing-to-catch-up person to be validated and acknowledge to each other that the entry is okay.

Maybe I'm over-reacting and the signs will work, if Google's culture can evolve to establish some new rituals and norms for this interaction. Maybe the mechanism to be designed is in fact this ritual.

2. On 12 August 2006 at 8:48 PM Miguel wrote:

Very interesting. I find that quote on Kevin Mitnick amazing. I would feel soooo bad and also so vulnerable. Isn't it crazy how modern thieves work these days? It's all about the weakest link...

3. On 14 August 2006 at 6:22 AM Farhan Lalji wrote:

What about the Seinfeld apartment situation, when you don't let someone in and they in fact live in your building, security can backfire too I guess. Don't think this is an easy nut to crack.

4. On 14 August 2006 at 8:07 PM Alok Jain wrote:

Let the truth be spoken.. as Steve said a good design opportunity..

One idea is to have RFID based tags which set off an alarm if someone without a valid ID tries to enter through, kinda like EZpass stations in NJ.

This removes your responsibility and the system shouts instead of you, and this might just eliminate the need for doors which means free-er access across office which would be nice..

Thoughts?

Alok Jain

5. On 14 August 2006 at 11:42 PM Ben Buchanan wrote:

I think the problem with 'no piggybacking' is that you only get half of the solution. This seems really common - you get told 'don't let someone in' but you don't get told how to stop them. Is it your job anyway? You're not employed as a security guard. You're not trained to handle things should the situation turn ugly.

By the time the signs go up, I wonder sometimes if it's nothing more than the company protecting its insurance premiums :)

6. On 15 August 2006 at 8:28 PM Andres wrote:

Or you could take it to the extreme by carrying around a stun-gun and zapping everybody that fails to show credentials.

Or you carry around notes to give to people that tell them they have entered without a pass and they should go see the principal to be reprimanded.

Come up with something outrageous, take it as far as you can and see how quickly do the signs stay up.
