Marx Brothers on Security

Count the security lessons: bad password management, protocol failures, poor authentication, check fraud, and -- I suppose -- an attack made possible by poor bounds checking. What else?

Posted on April 10, 2007 at 1:17 PM • 21 Comments

Comments

Geoff Lane • April 10, 2007 2:22 PM

For a "man in the middle" attack I guess we would have to move on to The Three Stooges?

Hoochie Scoochie • April 10, 2007 4:47 PM

Well let's see, no one at the bar getting carded, the only woman in the joint is a picture on the wall... oh wait, but this is a speakeasy, not a place that has to play by any of society's rules.

Alan • April 10, 2007 4:50 PM

The Marx Brothers are also responsible for creating commercial cryptography in the movie "A Day at the Races".

Douglas Muth • April 10, 2007 5:05 PM

I think the moral of the story is that some things never change. (In this case, it looks like more of a bad thing than a good thing...)

derf • April 10, 2007 5:09 PM

A sticky note is one thing, but carrying around an iconic representation of the password? Does he work for Homeland Security?

Steve Parker • April 10, 2007 5:20 PM

One of the (recurring) themes is that (as the 419 scam shows in particular,) an individual's greed can be a strong factor in weakening any security mechanism.

Lis Riba • April 10, 2007 6:19 PM

Inappropriate granting of admin privileges? Allowing an unauthorized user to change passwords.

(Contributed by my husband, "Xiphias" -- who got his handle from that scene...)

Lawrence D'Oliveiro • April 11, 2007 2:03 AM

"Horse Feathers", 1932, according to my "Complete Films of the Marx Brothers" book.

Archangel • April 11, 2007 9:09 AM

Trojan made possible by poor inspection of token (button), resulting in theft of massive quantities of data (jackpot). The button approximated the response protocol for access to the machine (small, round object of particular diameter, thickness and mass), and no further check was made (is it metal? &c), nor was a second authentication factor brought into play. This is like a hash collision - the attack and the expected token produce like results when the system inspects them, and it accepts the attacker as an authorized user.

Archangel • April 11, 2007 9:14 AM

Security software that can be preempted to obtain access without authentication, or reverse-engineered from output to discover the expected protocol and tailor input appropriately (SAMBA 'attack') - the problem isn't even so much that the password manager gave out the password, as that he responded to bad input at all. Failing silently may not be user-friendly, but it is more secure than handing out debugging context to invalid users.

Archangel • April 11, 2007 9:25 AM

Phishing attack - redirect of data (scotch) from sender (barkeep) to 'shot glass' funnel - looks like appropriate recipient, but is really a link to somewhere very different (bottle), not designed to use and discard data, but to retain it for future use at the new recipient's convenience. Pass-thru, maybe, since it can be said that the proper data did reach the proper recipient (one shot, to Harpo), but the same authentication channel did not expire, and was then used to obtain far more data from the sender for the recipient's private use.

elixx • April 11, 2007 11:59 AM

HAHA! I'm glad someone brought that up, as well as the commenter who referenced the scene in ADATR as "commercial cryptography". I am guessing that you are referring to where Chico sells Groucho a series of interdependent books regarding the impending race. I actually had to lol.

Marx fans++

Alan • April 11, 2007 12:20 PM

"You have to have the master codebook for that."

flaugaard • April 11, 2007 4:39 PM

Three weeks ago, I used a Zombie movie to teach students about security:

The backdoor, securing points of entry, detection, "Trojans", Defense-in-depth, Access control, Don't panic, KISS, etc...

Next time I'll add Swordfish :-) It's so much better to show movies and have fun while learning, than to sit and watch the never-ending slideshows :-)

Dave • April 12, 2007 3:36 AM

Unfortunately the video is gone now.
"This video has been removed by the user."
