Bruce Schneier


Schneier on Security

A blog covering security and security technology.


April 10, 2007

Marx Brothers on Security

Count the security lessons: bad password management, protocol failures, poor authentication, check fraud, and -- I suppose -- an attack made possible by poor bounds checking. What else?

Posted on April 10, 2007 at 1:17 PM • 21 Comments


Comments

Skippern • April 10, 2007 1:48 PM

blowfish would be better?


Jeff Pettorino • April 10, 2007 2:14 PM

About as accurate as the movie of the same name. :)


jay • April 10, 2007 2:15 PM

Add Social Networking to that.


Geoff Lane • April 10, 2007 2:22 PM

For a "man in the middle" attack I guess we would have to move on to The Three Stooges?


nobody • April 10, 2007 4:11 PM

It's "social engineering", not "social networking".


Anonymous Pilot • April 10, 2007 4:37 PM

The password-based authentication protocol is insecure.


Hoochie Scoochie • April 10, 2007 4:47 PM

Well let's see, no one at the bar getting carded, the only woman in the joint is a picture on the wall... oh wait, but this is a speakeasy, not a place that has to play by any of society's rules.


Alan • April 10, 2007 4:50 PM

The Marx Brothers are also responsible for creating commercial cryptography in the movie "A Day at the Races".


Douglas Muth • April 10, 2007 5:05 PM

I think the moral of the story is that some things never change. (In this case, it looks like more of a bad thing than a good thing...)


derf • April 10, 2007 5:09 PM

A sticky note is one thing, but carrying around an iconic representation of the password? Does he work for Homeland Security?


Steve Parker • April 10, 2007 5:20 PM

One of the (recurring) themes is that (as the 419 scam shows in particular,) an individual's greed can be a strong factor in weakening any security mechanism.


Lis Riba • April 10, 2007 6:19 PM

Inappropriate granting of admin privileges? Allowing an unauthorized user to change passwords.

(Contributed by my husband, "Xiphias" -- who got his handle from that scene...)


Lawrence D'Oliveiro • April 11, 2007 2:03 AM

"Horse Feathers", 1932, according to my "Complete Films of the Marx Brothers" book.


jay • April 11, 2007 8:13 AM

Sorry. My mistake, it should be Social Engineering.


Archangel • April 11, 2007 9:09 AM

Trojan made possible by poor inspection of token (button), resulting in theft of massive quantities of data (jackpot). The button approximated the response protocol for access to the machine (small, round object of particular diameter, thickness and mass), and no further check was made (is it metal? &c), nor was a second authentication factor brought into play. This is like a hash collision: the attack and the expected token produce like results when the system inspects them, and it accepts the attacker as an authorized user.


Archangel • April 11, 2007 9:14 AM

Security software that can be preempted to obtain access without authentication, or reverse-engineered from output to discover the expected protocol and tailor input appropriately (SAMBA 'attack'): the problem isn't even so much that the password manager gave out the password, as that he responded to bad input at all. Failing silently may not be user-friendly, but it is more secure than handing out debugging context to invalid users.


Archangel • April 11, 2007 9:25 AM

Phishing attack - redirect of data (scotch) from sender (barkeep) to 'shot glass' funnel - looks like appropriate recipient, but is really a link to somewhere very different (bottle), not designed to use and discard data, but to retain it for future use at the new recipient's convenience. Pass-thru, maybe, since it can be said that the proper data did reach the proper recipient (one shot, to Harpo), but the same authentication channel did not expire, and was then used to obtain far more data from the sender for the recipient's private use.


elixx • April 11, 2007 11:59 AM

HAHA! I'm glad someone brought that up, as well as the commenter who referenced the scene in ADATR as "commercial cryptography". I am guessing that you are referring to where Chico sells Groucho a series of interdependent books regarding the impending race. I actually had to lol.

Marx fans++


Alan • April 11, 2007 12:20 PM

"You have to have the master codebook for that."


flaugaard • April 11, 2007 4:39 PM

Three weeks ago, I used a Zombie movie to teach students about security:

The backdoor, securing points of entry, detection, "Trojans", Defense-in-depth, Access control, Don't panic, KISS, etc...

Next time I'll add Swordfish :-) It's so much better to show movies and have fun while learning, than to sit and watch the never-ending slideshows :-)


Dave • April 12, 2007 3:36 AM

Unfortunately the video is gone now.
"This video has been removed by the user."

