Simon Bisson & Mary Branscombe's Blog

From security theatre to security cabaret, or why too much security is worse than none

By Simon Bisson & Mary Branscombe in Editorial

Posted in People, Business, Identity, Futures, Security on April 12, 2008 at 6:46 am

Security theatre is what security expert Bruce Schneier calls measures designed to make us feel safer that don’t actually make us any safer at all. He discussed the positive side effects of this at the RSA conference this week: flying is one of the safest forms of transport, so if having to take off your shoes and abandon your bottle of water makes you feel that airport security is good enough to catch terrorists, and you fly rather than taking a more dangerous method of transport, then the security theatre has made you more secure.

Here’s another paradox. Too much security makes you insecure. If someone in your company is emailing customer information to their Gmail account, copying market forecasts to their laptop and keeping old price lists for months after they’re out of date, it’s more likely that they’re just trying to get their job done on the road, and that you didn’t give them a better way to do it, than that they’re stealing data to pass to a competitor. Make it impossible to do my job securely and I’m going to break or bypass your security so I can actually do my job.

The wireless network at the RSA conference was a good example of this. It was secure. Very secure. So secure that without the five pages of instructions I didn’t manage to get connected, and I didn’t meet anyone else at the conference who managed it either. If I’d wanted to hack into the laptops of anyone at the show, I wouldn’t have tried to steal them. I’d have set up an open free wi-fi connection on the show floor and everyone would have connected to that instead, giving me a great opportunity to see anything that didn’t go through a VPN.

Hugh Thompson of People Security has a good grasp of security and security theatre; you’ll have seen him if you watched Hacking Democracy, the documentary about the security problems with voting machines. He closed the conference with a chat show that ranged from a funny song about SQL injection (not a very funny song, but still) to Eric Drew’s tale of having his identity stolen by a lab technician at the hospital where he was being treated for leukemia and tracking the man down himself (a story Drew makes funny in the retelling that would have been a tragedy if he wasn’t in remission).

Thompson had a semi-serious conversation with Bill Cheswick, co-inventor of the firewall. Cheswick jokingly referred to malware as a “denial of spare time attack” that at least means you spend time with the family and friends who ask you to fix their computers. He was also slightly tongue in cheek when he said that he hadn’t used a firewall in a decade because he wants to use a secure computer instead; “it’s that whole crunchy outside, chewy centre thing; now we have much bigger liquid centres and once you’re past the outside you have access to everything.” But Cheswick also had some serious predictions to finish off Thompson’s security cabaret.

  • “IPv6 has been three years away for the last 15 years. We’re finally approaching it - so all those firewall rules are going to need redoing. That will be fun…”
  • “More attacks are going to come in through the browser so it may not matter so much what the OS underneath is. You go to the wrong page, or the right page that has the wrong advertising agency - you did the right thing on your site but the other guy got hacked. To deal with that there’s going to be more sandboxes. I want users to be able to do everything online. I want them to run free in a sandbox. I used ASCII email for twenty years. ASCII email is safe but you want to be able to click on the pictures.”
  • “Computers are going to get better. We’re in the barnstorming era now. We’re going to look back and say ‘remember when you had to be careful about what you clicked on?’”