Simon Bisson & Mary Branscombe's Blog

From security theatre to security cabaret, or why too much security is worse than none

By Simon Bisson & Mary Branscombe in Editorial

Posted in People, Business, Identity, Futures, Security on April 12, 2008 at 6:46 am


Security theatre is what security expert Bruce Schneier calls measures designed to make us feel safer without actually making us any safer. He discussed the positive side of this at the RSA conference this week: flying is one of the safest forms of transport, and if having to take off your shoes and abandon your bottle of water makes you feel that airport security is good enough to catch terrorists, so that you fly rather than taking a more dangerous form of transport, then the security theatre has made you more secure.

Here’s another paradox: too much security makes you insecure. If someone in your company is emailing customer information to their Gmail account, copying market forecasts to their laptop and keeping old price lists for months after they’re out of date, it’s more likely that they’re just trying to get their job done on the road, and that you didn’t give them a better way to do it, than that they’re stealing data to pass to a competitor. Make it impossible for me to do my job securely and I’m going to break or bypass your security so I can actually do my job.

The wireless network at the RSA conference was a good example of this. It was secure. Very secure. So secure that even with the five pages of instructions I didn’t manage to get connected, and I didn’t meet anyone else at the conference who managed it either. If I’d wanted to hack into the laptops of anyone at the show, I wouldn’t have tried to steal them. I’d have set up an open, free wi-fi connection on the show floor and everyone would have connected to that instead, giving me a great opportunity to see any traffic that didn’t go through a VPN.
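The rogue open hotspot described above is the "evil twin" pattern, and the check a conference network team (or a cautious attendee) would want is to look at a scan of nearby access points and flag any that advertise a trusted SSID with weaker security than the real network, or an open look-alike of it. The script below is an added example, not code from the original post or from the RSA conference: the SSID "RSA2008", the BSSIDs and the scan records are constructed for illustration, and the `security` field is a simplified stand-in for what a parser of `iw dev <iface> scan` output would extract.

```python
"""Flag candidate rogue / evil-twin access points in a Wi-Fi scan.

Added example. The scan below is constructed (made-up SSIDs and BSSIDs) and
stands in for a parsed `iw dev <iface> scan`; nothing here is from the post.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class BSS:
    bssid: str       # access point MAC address
    ssid: str
    security: str    # one of "open", "wep", "wpa-psk", "wpa-eap"
    signal_dbm: int  # stronger (less negative) usually wins the client


# Constructed scan. The "official" network is WPA-Enterprise (the
# five-pages-of-instructions kind). Two other radios reuse or imitate its
# SSID with no encryption; an unrelated open hotel hotspot is also present.
SCAN = [
    BSS("00:11:22:33:44:01", "RSA2008", "wpa-eap", -55),
    BSS("00:11:22:33:44:02", "RSA2008", "wpa-eap", -61),
    BSS("de:ad:be:ef:00:01", "RSA2008", "open", -42),            # evil twin
    BSS("de:ad:be:ef:00:02", "RSA2008 Free WiFi", "open", -40),  # look-alike
    BSS("aa:bb:cc:dd:ee:ff", "Hotel Guest", "open", -70),        # unrelated
]

# Ordering of security modes from weakest to strongest.
RANK = {"open": 0, "wep": 1, "wpa-psk": 2, "wpa-eap": 3}


def find_rogue_candidates(scan, trusted_ssids):
    """Return {bssid: reason} for access points worth investigating.

    Check 1: a trusted SSID is advertised with a weaker security mode than
             the strongest mode seen for that SSID (classic evil twin).
    Check 2: an open network whose SSID embeds a trusted SSID
             ("RSA2008 Free WiFi") - a look-alike lure.
    Open networks unrelated to any trusted SSID are not flagged; they are
    merely open, not impersonating anything.
    """
    by_ssid = defaultdict(list)
    for bss in scan:
        by_ssid[bss.ssid].append(bss)

    findings = {}
    for ssid, bsses in by_ssid.items():
        strongest = max(bsses, key=lambda b: RANK[b.security])
        for b in bsses:
            if ssid in trusted_ssids and RANK[b.security] < RANK[strongest.security]:
                findings[b.bssid] = (
                    f"'{ssid}' advertised as {b.security} by {b.bssid} "
                    f"but as {strongest.security} by {strongest.bssid}"
                )
            elif (
                b.security == "open"
                and ssid not in trusted_ssids
                and any(t in ssid for t in trusted_ssids)
            ):
                findings[b.bssid] = f"open look-alike of a trusted SSID: '{ssid}'"
    return findings


def strongest_signal(scan, ssid):
    """BSSID a naive client is most likely to pick for an SSID: the loudest."""
    return max((b for b in scan if b.ssid == ssid), key=lambda b: b.signal_dbm).bssid


if __name__ == "__main__":
    for bssid, why in find_rogue_candidates(SCAN, {"RSA2008"}).items():
        print(f"{bssid}: {why}")
    print("loudest 'RSA2008' radio:", strongest_signal(SCAN, "RSA2008"))
```

Two caveats on reading the output. The loudest radio for the conference SSID in this constructed scan is the open one, which is exactly the point of the post: a user who cannot get the official network working will take the one that just connects. And a scan-based check only finds candidates; an attacker can clone a legitimate BSSID as easily as an SSID, so the real defence for the client is 802.1X/EAP with server-certificate validation (and a VPN for everything else), not trust in the MAC address.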

Hugh Thompson of People Security has a good grasp of security and security theatre; you’ll have seen him if you watched Hacking Democracy, the documentary about the security problems with voting machines. He closed the conference with a chat show that ranged from a funny song about SQL injection (not a very funny song, but still) to Eric Drew’s tale of having his identity stolen by a lab technician at the hospital where he was being treated for leukemia, and of tracking the man down himself (a story Drew makes funny in the retelling that would have been a tragedy if he weren’t in remission).

Thompson had a semi-serious conversation with Bill Cheswick, co-inventor of the firewall. Cheswick jokingly referred to malware as a “denial of spare time attack” that at least means you spend time with the family and friends who ask you to fix their computers. He was also slightly tongue-in-cheek when he said that he hadn’t used a firewall in a decade because he wants to use a secure computer instead: “it’s that whole crunchy outside, chewy centre thing; now we have much bigger liquid centres and once you’re past the outside you have access to everything.” But Cheswick also had some serious predictions to finish off Thompson’s security cabaret.

  • “IPv6 has been three years away for the last 15 years. We’re finally approaching it - so all those firewall rules are going to need redoing. That will be fun…”
  • “More attacks are going to come in through the browser so it may not matter so much what the OS underneath is. You go to the wrong page, or the right page that has the wrong advertising agency - you did the right thing on your site but the other guy got hacked. To deal with that there’s going to be more sandboxes. I want users to be able to do everything online. I want them to run free in a sandbox. I used ASCII email for twenty years. ASCII email is safe but you want to be able to click on the pictures.”
  • “Computers are going to get better. We’re in the barnstorming era now. We’re going to look back and say ‘remember when you had to be careful about what you clicked on?’”

