Schneier on Security
A blog covering security and security technology.
February 1, 2005
The Weakest Link
As this photo shows, it doesn't matter what kind of security you implement if it's easy to get around.
Posted on February 1, 2005 at 8:00 AM
• 21 Comments
Another win for the adage: "Hindsight is always 20/20"
Well yes. And well spotted too.
But have you considered, given the CCTV camera, that this might just be a nice little earner for the estate management company and their turfing contractor. That is by tempting people into minor wrongdoing.
That would be a step away from TSPs benefiting from internet dialer scams, by failing to introduce security measures, that only they could introduce, to protect their customers.
An illustrative picture but it wasn't taken in the United States. Note the road signs at the bottom.
O.K. So that was a bad design decision... But is the barrier really there for security purposes?
Looking at the photo, you have an unfenced flat grassy area which even if you couldn't drive across it you could readily walk across it. And in the middle is a road with a barrier. My guess is that this is the parking lot at a commercial building. The barrier is there to be inconvenient. The company management review the logs from when the barrier raises and lowers (and who triggers it) and then fire anyone who always uses it for lack of imagination...
If this was a security gate I would have thought a fence and a sliding gate would have been a better choice. Thus, this is not there for security purposes.
My guess is that it's a place where police cars can turn around but they don't want ordinary citizens using it. In Berkeley, CA, they have a number of road barriers that are designed in such a way that you can still drive through them (and risk a ticket) for this reason.
Most likely, this road block was not put there to seriously prevent people from passing it. Often, there are security measures put in place just to satisfy minimum requirements of insurance companies, for example. At the university I attended, there are road blocks at the two entrances from 8pm to early morning. They stop you and ask for an ID and where you are going. This provides very little security, and I often wondered why they bother (because a semi-trailer can enter at 7:57pm w/o being checked.) I gather that it has to be some requirement from a regulatory body, the city or the insurance company.
Heh, it reminds me of that scene from "Blazing Saddles" where they try to delay the bad guys from destroying the town by putting a toll booth in the middle of the desert. Of course, in the movie it works: "Someone's gotta go back and get a sh*tload'a dimes!"
I believe Kevin Mitnick's "the art of deception" has a similar story: the lobby of a building had an Xray machine to scan briefcases. But not purses. Nor did they complain when someone just walked past with a briefcase without submitting it for a scan.
Turns out the 'security measure' was just something they did so they could get cheaper insurance.
Bruce had provided a similar anecdote about a company he visited that had "security for show", mostly for reduced insurance rates.
On the insurance angle, if the assumption is true (that these ineffective controls are in place only to reduce the cost to the policy holder), I have to wonder how the insurance company is really reducing their risk (to allow the lower cost) if these same controls are not implemented properly.
Or is it more likely that this is really an advantage for the insurance company in that if someone were to get past these improperly managed entry controls (i.e. scanner, xray, gate, etc.) and "shoots the place up", the insurance company will not pay on the policy because their insurance investigators will determine that the required entry controls were implemented improperly by the policy holder? So, the policy holder, while they are paying less, and implementing ineffective controls, actually ends up taking on more risk.
The insured then sues the subcontractor who provided the scanning services, who in turn sues the manufacturer of the scanner, who in turn sues.......
In the end, the lawyers win and the victims lose (as usual).
John wrote: "An illustrative picture but it wasn't taken in the United States. Note the road signs at the bottom." ........
Why mention that? Who cares? Bruce is pointing out a perfectly valid (and somewhat amusing) example of easily-circumvented security. It doesn't matter if it was on the *moon*, the point is valid.
Or is cryptogram only meant to be about "security in the US"? I don't think so.
Apologies for the rant, but ridiculous and unnecessary US-centricism contributes to a worldwide feeling that "many USA residents think that the rest of the world doesn't exist." This may actually be part of the reason why many in the "rest of the world" hate the US. I do not hate the US, not at all, but it does no-one any favours to put forward an unnecessary US-centric attitude.
It wasn't a US-centric comment, it was an observation, and an interesting one. I, for one, was wondering where the photo was taken and didn't notice the signs.
This isn't the place for US-bashing, thanks.
Let's face it, if I'd said "An illustrative picture but it wasn't taken in Paraguay. Note the road signs at the bottom.", you'd have thought it was a pretty strange remark, no? Why not just ask "Does anyone know where this was taken?" It was the *implication* that "by default" the photo must have been taken in the US that I was addressing.
And, for what it's worth, I was not "US-bashing". I was not attacking the US. I was expressing my displeasure with *US-centricism*, which is a different matter altogether.
As for the place it's in England, I sent the URL to a friend who indicates it's at a hospital in the UK where he has done contract work.
Apparently the barrier is to allow ambulances through but not cars (that have to take a much longer route).
Has anyone come across a slightly higher resolution version of this photo?
My company manufactures security equipment and access control devices. We'd like to use the picture in our marketing. Do the rights to the picture belong to the "KiwiSyslog" page it's hosted on? I'm going to contact them as well, but if anyone can give me info, I'd appreciate it.
I think it's a funny picture, but without the context it's hard to start bashing someone about poor security. For example, I've seen a lot of companies have this kind of gate guarding the "Executive Parking" area. Just to get into the lot you had to go through a security checkpoint to ensure you were an employee. The executives got nicer spots, usually covered and close to the building. If you parked there, and were caught (security had your plate # and type of employee) you were towed.
at least someone has a birds-eye view, which clearly shows tracks in the "detective" grass and dirt (measure of the flow/rate of offenders).
imagine if they had paved *three* lanes but only put a guard rail for the middle *one*. you might then have an even closer analogy for what information security pen-testers find all too often...
OMG! The photo was taken up at my university - Bielefeld (Germany) - takes place long time on my webspace and now this.... ;o
This picture was taken about two years ago. It is at the university of Bielefeld, Germany.
At this time they made new ways for support cars and others. The barrier at the entrance was open in the beginning but the barrier to get out was closed (this is just one). Now you have to get a ticket and if you stay longer than half an hour you have to pay to get out again. When it was new you couldn't get out because you couldn't get a ticket. Now it is working. I studied there so I know it.
Oh no, "this isn't the place for US-bashing". Can anyone give me directions?