Bright Stove

Reflecting information risk journey


A real sense of insecurity


Our office at the new business park is an attraction in many regards. There are massage chairs in the lobby area, free flow of coffee and tea in the open pantry, and various forms of open and semi-open areas for local on-site collaboration as well as video-on-demand and telepresence collaboration with remote sites. As in many other companies’ offices, badge access is the norm, and ours is no exception.

(Photo: toilet door with mechanical lock)

Interestingly, the washrooms on our floors, which are situated outside the badged area near the lift lobby of each floor, have their own access controls. Each has a mechanical number lock installed on the door. As the washroom is a shared facility used by many people, the “secret” number that opens the lock has to be known to all employees, contractors, and visitors. If you belong to one of these groups but still don’t know the number, there’s no need to worry, or to brute-force the combination. You can simply follow someone in, or wait for someone to come out and hold the door to get in. Alternatively, you can go to the mail room nearby and ask the folks there cordially, and they will give you the number. In fact, if you cordially ask anyone who happens to walk by, they will also happily reveal to you the secret to the valuable restroom.

The question is, why did “someone” decide to install a lock that provides a real sense of insecurity and a false sense of safety to the people in the building?

I found out later that the requirement was raised (by “someone”) because those washrooms have shower facilities in them, and the access control was meant to provide a form of safety for people taking a shower, as well as to keep certain other people from using the showers. That seems like a reasonable requirement. Clearly, the security solution implemented has not met the requirement, and everyone else just “follows the flow”.

On another floor in the same building, another “someone” somehow decided to use badge access control for the washrooms, in line with the control for normal office access. This provides better consistency, and it serves its purpose, i.e., it meets the requirement. Furthermore, with an electronic badge access system, if the shower gets overused, someone can turn on the logging and start monitoring usage of the facility to find out who has been showering all the time.

Written by mengchow

February 7, 2013 at 5:44 pm