Security by Obscurity

Just realized that our client follows the policy of not allowing root ssh login for security reasons. It does make sense for a quick security dev box. But I would be surprised if they follow only that for the production box. But for all I know, they might be.
(I was talking about it in the context of this:
After all, Security by Obscurity is good enough in certain narrow conditions, if you want to stop DDOS attacks via an open ssl port.
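As an added example (not from the original post) of what the "no root ssh login" policy looks like in practice: a small POSIX sh audit of an sshd_config that reports PermitRootLogin together with the setting a practitioner would check right beside it, PasswordAuthentication. Two things are worth knowing when reading such a file: sshd keeps the first value it reads for a keyword and ignores later duplicates, and lines after a Match block apply only to matched connections. The function names and the two sample configs are constructed for this example; the defaults assumed for absent keywords (prohibit-password and yes) are those of OpenSSH 7.0 and later.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Audits an sshd_config for PermitRootLogin and PasswordAuthentication.
# Only the whitespace-separated "Keyword value" form is parsed; the
# "Keyword=value" form sshd also accepts is not handled here.

first_value() {
  # $1: path to sshd_config, $2: keyword (case-insensitive).
  # Prints the first uncommented value in the global section, or nothing
  # if the keyword is absent. sshd itself uses the first value it reads.
  key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  awk -v key="$key" '
    /^[[:space:]]*(#|$)/   { next }                 # comments and blank lines
    tolower($1) == "match" { exit }                 # stop at the first Match block
    tolower($1) == key     { print $2; exit }       # first value wins
  ' "$1"
}

audit_sshd_config() {
  # $1: path to sshd_config. Prints one finding per setting.
  # Returns 0 when both settings are hardened, 1 otherwise.
  cfg=$1; rc=0
  root=$(first_value "$cfg" PermitRootLogin)
  pass=$(first_value "$cfg" PasswordAuthentication)
  # Assumed defaults when the keyword is absent (OpenSSH 7.0+).
  [ -n "$root" ] || root=prohibit-password
  [ -n "$pass" ] || pass=yes
  case $root in
    no) echo "ok:   PermitRootLogin $root" ;;
    *)  echo "warn: PermitRootLogin $root (root can still log in with a key)"; rc=1 ;;
  esac
  case $pass in
    no) echo "ok:   PasswordAuthentication $pass" ;;
    *)  echo "warn: PasswordAuthentication $pass (password guessing still possible)"; rc=1 ;;
  esac
  return $rc
}

# Constructed sample configs for demonstration (not real hosts).
SAMPLE_DEV=$(mktemp)
cat > "$SAMPLE_DEV" <<'EOF'
# dev box: only root login disabled, as in the client policy
PermitRootLogin no
PasswordAuthentication yes
EOF

SAMPLE_PROD=$(mktemp)
cat > "$SAMPLE_PROD" <<'EOF'
# production box: root and password logins both off
PermitRootLogin no
PasswordAuthentication no
# duplicate below is ignored by sshd: the first value (no) stands
PermitRootLogin yes
Match User deploy
    PasswordAuthentication yes
EOF
trap 'rm -f "$SAMPLE_DEV" "$SAMPLE_PROD"' EXIT

for f in "$SAMPLE_DEV" "$SAMPLE_PROD"; do
  echo "== $f"
  audit_sshd_config "$f" || :
done
```

On a live host the same two checks can be run against the effective configuration with `sshd -T`, which prints the values sshd actually resolved, Match blocks and defaults included.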

Human Computer Interaction — principle of least surprise

I remember reading in my Human Computer Interaction course about the principle of least surprise. At the time it made theoretical sense, but I had the feeling that in practice it doesn't matter, since there's always text that can be read for clarification. Now that I am working at a company, with Windows 7 as a base machine and an Ubuntu VM (not to mention I have been on the mutt mail reader for some time now and am forced to use Outlook Web Access), I find every single instance where Outlook Web Access's rules differ from Gmail filters infuriating. (Note: I haven't had to configure rules in mutt, so this is not about graphical vs terminal interfaces.)

The point is there are texts, but they are approximations, and a user gets mighty irritated when you change something in his workflow and surprise him. The primary point being I was on my way to write some code, before I set up a rule to move automated mails to a different folder. Now here I am, writing this blog instead, because I was annoyed by the surprises and need to rant it out. A user without the education would have just quit Outlook usage altogether and moved on. So not surprising the user is a very powerful heuristic when modifying a UI. Still a heuristic with exceptions. I guess if, when I finished constructing the rule, there had been a pop-up asking me whether I wanted to run the rule on the existing mail in the Inbox, that would have been a nice surprise*.

Update 03-11-2011: On letting this ruminate, it occurred to me that the difference (don't surprise vs pleasant surprise) can be explained in terms of the change in attention required from the user. A surprise always requires a little more attention from the user, but in the pleasant-surprise use-cases the required attention falls off quickly (perhaps within milliseconds??), as opposed to the annoying surprises.

*– Not sure, but I think Lotus Notes used to do this in the versions from around 2004-2007.