Never-locked systems and the interesting case of the sales person
Here's something you don't consider as a software developer: the way your users behave to make things easier for themselves.
I went with a friend yesterday to a cell phone store (he had a problem with his phone). While he was talking to the nice young sales lady, I was sitting next to him, talking about various geeky stuff while we waited for her to go and come back every few minutes (getting stuff from the back of the store for him).
Of course, the first thing we did was look at her screen to see what kind of software she was using (Vantive over terminal services). Before we finished our business, I thought I saw her do something on the keyboard, and the screen flickered like mad for a bit. I took a closer look at her keyboard and saw that she had wedged a small folded piece of paper into the right arrow key, so that it was kept pressed at all times. Which, of course, made the menus on her screen flicker.
"Why are you doing this?" I asked, and when she replied, both my friend and I were smiling in awe at the various ways users can surprise you.
She was keeping the arrow key pressed so that the system would not "go to sleep" - a keep-alive signal of her own. When the system "goes to sleep", all the terminals seem to shut down and lock up, meaning that if rush hour came along she would take a long time to start up all the systems involved before she could start taking care of customers. That was her way of making sure the system was always in a ready state.
I'm sure she didn't come to learn that way on her own. She got it from other people in the store who'd worked there for a while and so could teach her their "secrets" to better customer management. I think a lot of the sales people who work with such a configuration know about this trick and are using it - so just imagine how many "never-locked" systems are out there right now, because of software design that didn't take into consideration the quick-availability factor.
Of course, it was also a great way to make sure that whoever came by her machine while she wasn't near it could use it without entering a password and whatnot, but that wasn't her point. Her point was availability, which the current configuration did not provide for her.
If you think about it, the design of the various software components integrated with each other (terminal services with her sales software and Vantive) was inherently insecure, because it forced the users to keep the system alive at all times instead of making it quickly available.