From security theatre to security cabaret, or why too much security is worse than none
By Simon Bisson & Mary Branscombe in Editorial
Posted in People, Business, Identity, Futures, Security on
Security theatre is what security expert Bruce Schneier calls measures designed to make us feel safer that don’t actually make us any safer at all. He discussed the positive effects of this at the RSA conference this week; flying is one of the safest forms of transport and if having to take off your shoes and abandon your bottle of water make you feel that airport security is good enough to catch terrorists and you fly rather than taking a more dangerous method of transport, then the security theatre has made you more secure.
Here’s another paradox. Too much security makes you insecure. If someone in your company is emailing customer information to their Gmail account and copying market forecasts to their laptop and keeping old price lists for months after they’re out of date, it’s more likely that they’re just trying to get their job done on the road than that they’re stealing data to pass to a competitor - and that you didn’t give them a better way to do it. Make it impossible to do my job securely and I’m going to break or bypass your security so I can actually do my job.
The wireless network at the RSA conference was a good example of this. It was secure. Very secure. So secure that without the five pages of instructions I didn’t manage to get connected, and I didn’t meet anyone else at the conference who managed it either. If I’d wanted to hack into the laptops of anyone at the show, I wouldn’t have tried to steal them. I’d have set up an open free wi-fi connection on the show floor and everyone would have connected to that instead, giving me a great opportunity to see anything that didn’t go through a VPN.
Hugh Thompson of People Security has a good grasp of security and security theatre; you’ll have seen him if you watched Hacking Democracy, the documentary about the security problems with voting machines. He closed the conference with a chat show that ranged from a funny song about SQL injection (not a very funny song, but still) to Eric Drew’s tale of having his identity stolen by a lab technician at the hospital where he was being treated for leukemia and tracking the man down himself (a story Drew makes funny in the retelling that would have been a tragedy if he wasn’t in remission).
Thompson had a semi-serious conversation with Bill Cheswick, co-inventor of the firewall. Cheswick jokingly referred to malware as a “denial of spare time attack” that at least means you spend time with the family and friends who ask you to fix their computers. He was also slightly tongue in cheek when he said that he hadn’t used a firewall in a decade because he wants to use a secure computer instead; “it’s that whole crunchy outside, chewy centre thing; now we have much bigger liquid centres and once you’re past the outside you have access to everything.” But Cheswick also had some serious predictions to finish off Thompson’s security cabaret.
- “IPV6 has been three years away for the last 15 years. We’re finally approaching it - so all those firewall rules are going to need redoing. That will be fun…”
- “More attacks are going to come in through the browser so it may not matter so much what that the OS underneath is. You go to the wrong page, or the right page that has the wrong advertising agency - you did the right thing on your site but the other guy got hacked. To deal with that there’s going to be more sandboxes. I want users to be able to do everything online. I want them to run free in a sandbox. I used ASCII email for twenty years. ASCII email is safe but you want to be able click on the pictures.”
- “Computers are going to get better. We’re in the barnstorming era now. We’re going to look back and say ‘remember when you had to be careful about what you clicked on?’”.
Not yet rated
Loading ...Trackback by - February 9, 2012 on 3:41 am
will smith and jada pinkett house…
[…]against Lennox and his family is now out of the palms of Belfast City Council […]…
Trackback by - February 9, 2012 on 7:57 am
greenpeace logo…
[…]I wouldn’t be capable to pursue all of these different goals while at the same time dedicating the energy […]…
Make a comment
Tag cloud
Archives
- September 2009
- August 2009
- July 2009
- June 2009
- May 2009
- April 2009
- March 2009
- February 2009
- January 2009
- December 2008
- November 2008
- October 2008
- September 2008
- August 2008
- July 2008
- June 2008
- May 2008
- April 2008
- March 2008
- February 2008
- January 2008
- December 2007
- November 2007
- October 2007
- September 2007
- August 2007
- July 2007
- June 2007
- May 2007
- April 2007
- March 2007
- February 2007
- January 2007
- December 2006
- November 2006
- October 2006
- September 2006
Most commented posts
- Java's SSVAGENT.EXE: training the monkey
128 comments
- When Windows 7 upgrades won’t hibernate (the solution)
- Do you need IPv6 for DirectAccess? Yes and No
- Chrome OS: what happens when "always connected", isn't?
- The ColdFusion Renaissance
- Make Adobe Acrobat Pro deactivate
- Is there a showstopper bug in Windows 7 CHKDSK?
- There’s a reason smartphones are locked down
- At sixes and Windows 7s
- The LHC isn
Highest Rated Blog Posts
- Songs of distant satellites (100%)
- Nobody knows what Web 2.0 really is (100%)
- Log in and lock in (100%)
- Top tips for speeding up Vista (100%)
- Mommy, why is there a home server in the office? (100%)
- Employees are our most valuable asset (snigger) (100%)
- Locking down IT or blocking creativity (100%)
- Consumer BlackBerrys are good for business (100%)
- HD Trek (100%)
- Join the (beta) community (100%)
