Automation’s a fantastic way to improve your overall efficiency, but, as Charles Mangin points out, there are some things that should never be automated.
My mantra with regards to automation has always been, “If you do it more than twice, automate it.”
And I stick by that, with a few exceptions. There are some things you should never trust to an automated script.
User data deletion
I should make clear the difference between “user data” and things like temporary files, caches, scratch disk, and their ilk. In most cases, the operating system or applications that create those temporary files are also designed to purge them periodically. When the OS falls down on its job, and those purgeable folders start to fill up the drive, a well-aimed script can make a big difference—as long as you make absolutely certain that what gets deleted is only those files and paths that can safely be purged. A script that does this for you can save the time of manually finding and selecting folders as well as prevent the kind of mistake that nearly deleted “Toy Story 2”.
User data, on the other hand, is something that was created by a person, not a process. Even if it’s an installer that user has downloaded 10 copies of already, or another kitten meme, no script should be responsible for permanently deleting it. I would go so far as to say your scripts shouldn’t even empty the Mac trash or the Windows recycle bin. I have personally witnessed—on more than one occasion—a user that was devastated when the only copy of a file they needed was deleted after support emptied the trash.
Eric Harless, head backup nerd at N-able, says: “The phrase ‘Measure twice, cut once’ works as well for data protection as it does for carpentry. Before you ‘cut’ data (i.e., format a volume, delete a directory, or even empty a recycle bin), it’s best you ensure that you have a validated backup and that you (or your end user) don’t truly need the data you’re about to remove.”
Check out Eric’s blog series on Backup monitoring to learn more, Backup Monitoring: Part 1—Manage by Exception.
Like Hippocrates said, “First, do no harm.” If the drive is getting full, and something’s got to go, purge whatever you can from the caches and temporary files. And if there’s still no room? An automated task should be able to notify the user that there’s a few gigabytes hiding in their downloads folder in files they haven’t touched for 30 days or more. If they were to empty the recycle bin they would get a few more gigabytes back, but leave it up to them to take that action and make it all disappear forever.
Bypassing security for convenience
Modern secure systems often rely on multiple factors to authenticate the person using them. These come down to something you know (like a password), something you have (a token from your phone or an RSA key fob), and something you are (biometrics, like fingerprints).
Security professionals sometimes liken simple password authentication to a locked door—to a determined thief, it’s only a brief hindrance. Anyone can watch a few YouTube videos to learn lock-picking, buy an inexpensive set of tools, and they’re in. If you’re leaving the key under the welcome mat, why even have a lock?
Often, you will need to log into another system as part of automating your work. If that server only requires a password for authentication, it’s tempting to just save that in your script. It would save you a step each time you run your task to not have to stop and type in a password. But just how secure is the text file that represents that script? And the laptop or server it’s stored on? You don’t have to look far to find stories of breaches, ransomware, or other attacks that were made possible by a user’s credentials stored in the clear.
Lewis Pope, head security nerd at N-able, says: “As your coding skills improve and the complexity of the tasks you automate through scripting increase, so does the damage an ‘oops’ moment can have. Leaving a highly privileged set of credentials in plain text in a script is one of those moments. Using plaintext passwords directly in scripts is one of the cybersecurity bad habits that almost everyone is guilty of having done at some point when first learning how to write scripts.”
Read more in Lewis’s blog on security bad practices.
Now, what do you think?
Are there more exceptions to the mandate to “automate all the things”? Send an email to macnerd@n-able.com, and let me know. Just make sure to add a personal touch. Automated emails tend to get tagged as spam.
Charles Mangin is Head Mac Nerd. You can follow him on Twitter at @mac_mgmt_nerd or connect on LinkedIn here.