Simon Bisson & Mary Branscombe's Blog

From security theatre to security cabaret, or why too much security is worse than none

By Simon Bisson & Mary Branscombe in Editorial

Posted in People, Business, Identity, Futures, Security on April 12, 2008 at 6:46 am


Security theatre is what security expert Bruce Schneier calls measures designed to make us feel safer that don’t actually make us any safer at all. He discussed the positive effects of this at the RSA conference this week: flying is one of the safest forms of transport, and if having to take off your shoes and abandon your bottle of water makes you feel that airport security is good enough to catch terrorists, so that you fly rather than taking a more dangerous method of transport, then the security theatre has made you more secure.

Here’s another paradox. Too much security makes you insecure. If someone in your company is emailing customer information to their Gmail account, copying market forecasts to their laptop and keeping old price lists for months after they’re out of date, it’s more likely that they’re just trying to get their job done on the road than that they’re stealing data to pass to a competitor - and that you didn’t give them a better way to do it. Make it impossible to do my job securely and I’m going to break or bypass your security so I can actually do my job.

The wireless network at the RSA conference was a good example of this. It was secure. Very secure. So secure that without the five pages of instructions I didn’t manage to get connected, and I didn’t meet anyone else at the conference who managed it either. If I’d wanted to hack into the laptops of anyone at the show, I wouldn’t have tried to steal them. I’d have set up an open free wi-fi connection on the show floor and everyone would have connected to that instead, giving me a great opportunity to see anything that didn’t go through a VPN.

Hugh Thompson of People Security has a good grasp of security and security theatre; you’ll have seen him if you watched Hacking Democracy, the documentary about the security problems with voting machines. He closed the conference with a chat show that ranged from a funny song about SQL injection (not a very funny song, but still) to Eric Drew’s tale of having his identity stolen by a lab technician at the hospital where he was being treated for leukemia, and of tracking the man down himself (a story Drew makes funny in the retelling, but one that would have been a tragedy if he weren’t in remission).

Thompson had a semi-serious conversation with Bill Cheswick, co-inventor of the firewall. Cheswick jokingly referred to malware as a “denial of spare time attack” that at least means you spend time with the family and friends who ask you to fix their computers. He was also slightly tongue in cheek when he said that he hadn’t used a firewall in a decade because he wants to use a secure computer instead; “it’s that whole crunchy outside, chewy centre thing; now we have much bigger liquid centres and once you’re past the outside you have access to everything.” But Cheswick also had some serious predictions to finish off Thompson’s security cabaret.

  • “IPV6 has been three years away for the last 15 years. We’re finally approaching it - so all those firewall rules are going to need redoing. That will be fun…”
  • “More attacks are going to come in through the browser so it may not matter so much what the OS underneath is. You go to the wrong page, or the right page that has the wrong advertising agency - you did the right thing on your site but the other guy got hacked. To deal with that there’s going to be more sandboxes. I want users to be able to do everything online. I want them to run free in a sandbox. I used ASCII email for twenty years. ASCII email is safe but you want to be able to click on the pictures.”
  • “Computers are going to get better. We’re in the barnstorming era now. We’re going to look back and say ‘remember when you had to be careful about what you clicked on?’”.