Why fulfilling demand is sometimes a mistake
When it comes to anything really, but particularly software development, sometimes people feel that every whim should be catered to, every need filled and every request served. But so often it pays much better to address the real, underlying issue that is the source of the "need" in the first place.
As an example, for some time there was no way in Java to get the MAC address of a network adapter. Now, to begin with, as a caveat, "no way" isn't entirely true. One could do it, but it required native code or executing another process (like ipconfig). But true enough, there wasn't a Java API method to do it.
But there sure were a lot of requests (read: demands) for this feature.
So lo and behold in Java 1.6 Sun added a method getHardwareAddress() to the java.net.NetworkInterface class that returns the MAC address.
And all was well.
What's actually happened is that the questions about how to get and use the MAC address have increased. The problem is that exactly zero of these questions now (or ever before) were based on a valid idea. Nineteen times out of twenty the "requirements" that lead to the MAC address questions are security related. That is, the questioner is attempting to use the MAC address to authenticate a user. This couldn't be more wrong-headed.
As a quick aside, it's wrong-headed for a bunch of reasons, not the least of which being that it provides exactly zero security. It is trivial to change a MAC address on most computers these days. Plus it has the added drawbacks of not working when it otherwise might and generally frustrating the real users, all while doing nothing to discourage the malicious ones.
Back on point, I'm hard pressed to imagine a better example of when giving the masses what they "need" is actually a step backward. It's never a good idea in my opinion to encourage bad security ideas and thoughts rather than addressing the real underlying problem, which in this case is a total lack of understanding of what authentication means, how it works, and what it must have to be successful. Namely, an authentication model that allows trivial spoofing is a failure.
Besides all this, what about that one in twenty who does have a real need for the MAC address? Well, to be honest, one in twenty is high because I haven't seen one yet, but nevertheless such information was always available really. One just needed to spend a bit of time figuring out how.
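The failure described above, as an added example that is not code from the original post: a server-side allowlist of MAC addresses accepts whatever address a client reports, while a challenge-response check requires a secret the client must actually hold. The class name, method names, allowlisted address and secret are constructed for illustration.

```java
import javax.crypto.Mac; // "Mac" here is a message authentication code, not a hardware address
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Set;

// Added illustration; all names and sample values are hypothetical.
public class MacAuthDemo {
    // Constructed sample allowlist of "trusted" hardware addresses.
    static final Set<String> ALLOWED = Set.of("00:11:22:33:44:55");

    // Weak check: the server only sees a string the client chose to send.
    // Whatever NetworkInterface.getHardwareAddress() returned on the client
    // never reaches the server in a form it can verify.
    static boolean weakCheck(String claimedAddress) {
        return ALLOWED.contains(claimedAddress);
    }

    static byte[] hmac(byte[] key, byte[] msg) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");
        m.init(new SecretKeySpec(key, "HmacSHA256"));
        return m.doFinal(msg);
    }

    // Stronger check: the client must answer a fresh server challenge with
    // a per-user secret. Knowing an identifier is not enough to pass.
    static boolean challengeCheck(byte[] userKey, byte[] challenge, byte[] response)
            throws Exception {
        return MessageDigest.isEqual(hmac(userKey, challenge), response); // constant-time compare
    }

    public static void main(String[] args) throws Exception {
        byte[] userKey = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8);
        byte[] challenge = new byte[16];
        new SecureRandom().nextBytes(challenge); // fresh per login attempt

        // Any client that states an allowlisted address passes the weak check.
        System.out.println("weak, claimed address only: " + weakCheck("00:11:22:33:44:55"));

        // The legitimate client computes the response with its secret.
        byte[] good = hmac(userKey, challenge);
        System.out.println("challenge, right key: " + challengeCheck(userKey, challenge, good));

        // A client that knows the address but not the secret fails.
        byte[] bad = hmac("00:11:22:33:44:55".getBytes(StandardCharsets.UTF_8), challenge);
        System.out.println("challenge, address as key: " + challengeCheck(userKey, challenge, bad));
    }
}
```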
© 2008 Max Stocker