Schneier on Security
A blog covering security and security technology.
« NSA Forms |
| Hacking Mifare Transport Cards »
August 6, 2008
Security Idiocy Story
From the Dilbert blog:
They then said that I could not fill it out -- my manager had to. I told them that my manager doesn't work in the building, nor does anyone in my management chain. This posed a problem for the crack security team. At last, they formulated a brilliant solution to the problem. They told me that if I had grocery bag in my office I could put the laptop in it and everything would be okay . Of course, I don't have grocery bags in my office. Who would? I did have a windbreaker, however. So I went up to my office, wrapped up the laptop in my windbreaker, and went back down.
People put in charge of implementing a security policy are more concerned with following the letter of the policy than they are about improving security. So even if what they do makes no sense -- and they know it makes no sense -- they have to do it in order to follow "policy."
Posted on August 6, 2008 at 1:52 PM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This is certainly true. When I worked at IBM, the focus for security was not on making systems secure, but on being "audit compliant." Customers could have any settings they want that weren't secure as long as there was a proper paper trail signed off.
Note that the security policy certainly had many settings that actually were secure. However due to the exception process, these were easily circumvented for convenience.
This story is the coming metaphor for American society. "more concerned with following the letter of the policy than they are about improving security. So even if what they do makes no sense -- and they know it makes no sense -- they have to do it in order to follow "policy.""
Get used to "it". "It" is the future. Apparently it is the present in some places. But it will spread.
To be fair, the person at the gate in this instance may not have the authority to question the policy, let alone re-interpret it. If the beleaguered person in question was mugged and policy was breached, the guard could get into trouble.
The problem with defining these policies is that even with the best intentions in mind (i.e. protecting people) things still go awry. The best way to handle this type of incident is to have a means of reporting this up so the policy failing can be managed and policy can be changed where needed.
Now if only the TSA did that...
I really wish Bruce would stop blaming the people who EXECUTE policy and start looking a little more critically at the people who MAKE policy.
I personally think that wrapping the laptop in a windbreaker met the security objective -- to conceal the laptop from a grab-and-run theft while being carried out to a car, etc, while reminding the employee that they need a laptop bag in the future. I would tell the guard, "Good thinking" and ask if they had any other ideas for how to handle such a situation.
I can think of several off the top of my head: Make loaner "cover bags" available. Provide a one-time escort to the employee's vehicle. Ask a second employee to walk with the first to their vehicle. Have the employee go get their vehicle and the guard carry it out to them just outside the door. Put the laptop in a FedEx box or large manila envelope.
Beating on "dumb" guards, receptionists, etc. is like shooting fish in a barrel.
The snippet's a little bit out of context, unless you read the whole page and realize that policy is not to allow laptops out of the building unless they're in a bag. An extra line of explanation before hand would make the excerpt far more readable.
All of the solutions you propose would be performed by the guards in question. That they did not propose them speaks very poorly of them. The big problem with the guards (and not with the people who make the policies) are that they tend to act like mindless drones, with no willingness or capability to think creatively in the face of an unexpected situation.
I want everyone I deal with to be able to think creatively in an unexpected situation, or to realize that they're out of their depth and contact someone who can. But I can't expect it because most people are dolts.
Steve, that "If the beleaguered person in question was mugged and policy was breached, the guard could get into trouble" is exactly the point. This policy was aimed at stopping the people coming out of the building with an evident laptop, not at protecting rightful owners from theft. The best way to handle this type of incident requires thinking on both sides of the equation.
I have a grocery bag in my office. It still has groceries that I bought at lunch.
Opening my desk, there are a half grocery bags, holding a sundry items; a gift I forgot to give someone, a book, some toiletries, another book, couple of empty bags stuffed in the corner. Not to mention a bunch of bags that I get from shopping that I neatly fold up and store to be reused as garbage bags at home.
How about manilla folders? Use a few to "wrap" the laptop. Blank paper? Cardboard? Used newspaper? He really had nothing he could have used? *That* is hard to believe.
Although I think I might have used a clear plastic garbage bag just to mess with the guards.
Most people are not dolts. The average (yeah, by definition) IQ is 100...dolts are much lower than that.
Even if we make a (bad) assumption that most people on some form of guard duty are somehow less intelligent than the rest of the populace, one has to admire their ability to stick to the task at hand no matter how little sense it makes on the surface.
There are just too many underemployed attorneys here in the U.S. for anyone with a public-facing position to exercise any form of critical reasoning. It has to be "by the book" (no matter how incredibly stupid the book might be) or one will become a defendant sooner or later.
>> All of the solutions you propose would be performed by the guards in question. That they did not propose them speaks very poorly of them.
What makes you think they didn't? There are three typical answers when a guard approaches their supervisor with a suggestion. Stripped of niceness, they are:
1) "You're not paid to think."
2) "You don't like working here? Here's your last check, give me your badge."
3) "Good point. Let me run it by my boss. In the meantime, do it the company way."
In no case is the customer going to know.
>> The big problem with the guards (and not with the people who make the policies) are that they tend to act like mindless drones, with no willingness or capability to think creatively in the face of an unexpected situation.
When creativity is ACTIVELY PUNISHED by supervisors and managers, what do you expect? This is a garbage in, garbage out problem. TSA is merely the most extreme form of this.
This is particularly obnoxious in emergency situations. I recall one critical incident in which a guard responded as trained to a medical emergency. He went to the patient, dropped a first aid kit next to the patient, and ran off to open the bollards so that emergency vehicles could access the patient.
The client was furious. We pointed to the bold print in the post orders, inserted at client demand. "SECURITY WILL NOT PERFORM FIRST AID."
Common sense suggests that the guard should have stayed with the patient until someone else shows up (hopefully someone trained in first aid, which is an OSHA requirement in many places folks).
However the guard had been throughly trained to NOT do first aid (to the point of not knowing the contents of the sealed kit) and performed as expected.
I will bypass discussing the many situations in which the "right" thing to do is less obvious to the general employee or the public. Being told I'm an idiot for doing the right thing is part of the job description for this industry.
>> I want everyone I deal with to be able to think creatively in an unexpected situation, or to realize that they're out of their depth and contact someone who can.
I agree completely. This is what you pay for when you select security guards from a source other than the lowest bidder. Remember to insist on management that can also pour body fluids out of a boot, too.
>> But I can't expect it because most people are dolts.
Most people lack common sense. There is nothing about physical security which rises above the level of common sense.
So if most people had common sense and willingness to take ownership, there would be no need for security.
I fear not for my continued employment.
I dont know what was more amusing: The article, or all the comments about it on the dilbert blog page.
In a "risk management" sort of analysis, the guard has just fulfilled his duty by following the policy.
It is now the guy carrying the laptop who is at fault if something happens, not the guard to who let him leave.
If the guy had left with his laptop all out in the open (willfully non-compliant), it would be all on him, unless the guard had waved him through with a nod and a "yeah, yeah, I remember you."
Paper trails and approvals (in cases like this) are more about who gets the blame when something fubars than about actual security.
There is nothing wrong with that.
If the policy is dumb, then management should amend it with the input of internal audit and corporate security.
This is really the way people think in general. The letter of the law is more important than the intent (justice, security, whatever).
It's partly a lowest common denominator problem; those hired to enforce a policy are rarely able to understand the intent, or simply don't care.
It's also partly a basic human flaw - the desire to avoid responsibility. By implementing the letter vs. the intent, you avoid negative judgment. No fault, no foul.
As a result, exploitation by those not limited in their thoughts is trivial.
As an example, an acquaintance at a previous job used to take restricted documents and his laptop home with him every day, in direct opposition to corporate policy. The security guards were ordered to search briefcases on exit for the "contraband". So what did he do? he put the items in a shoulder bag, and told the guard that it was his "purse". Since purses were exempt from search, he had no problem walking out with the material. The guards didn't care - they were following the policy, which didn't limit purses to women. Not that women are exempt from security violations, just from corporate management's thinking process.
We didn't get to be at the top of the food chain by being nice. For some reason, security folks tend to forget that a top predator does what it needs to to get what it wants. Even if it means bending or breaking a policy.
How is a laptop bag supposed to prevent a laptop from being stolen? The thief, who is probably smart enough to recognize that it *is* a laptop bag, would just grab the whole bag.
As mentioned, the quoting removed essential context. The "laptop must be in a bag" rule was not because it would make it less likely to be stolen in the future, it was because anyone who rightfully owned a laptop would of course have it in a bag (like, duh!). Obviously someone holding a laptop that isn't in a bag must be suspected of stealing it.
They want to discourage laptop theft. Okay so far.
They fear that thieves will outsmart security by boldly carrying a laptop in plain view out the front door. Okay so far.
Here it becomes apparent they have lost their minds. Their defense is two-fold: (1) to disallow people walking out with laptops in plain view, and (2) to encourage people to sneak laptops out concealed.
In the real world, how would we do it? 1. Check visible laptops against serial numbers on file. 2. Search for hidden laptops.
Let's look at it from the guards' point of view. They aren't mindless drones. They are people who make dirt salaries, often have families to support, and who can lose their jobs if they are caught violating the rules, no matter how irrational the rules might be.
The other thing is that the guards aren't jerks, so they'll often propose workarounds like this that allow them to credibly argue that they saw nothing.
Posted a story just like this recently:
The TSA checkpoint in Albuquerque was comparatively overstaffed (in relation to LAX’s). This meant that the same number of screeners had far less time pressure than their compatriots in Los Angeles. Side effect? While putting on my shoes, I saw a total of four women (one being my wife, which is why I was hanging around the checkpoint long enough to notice) have their bags unpacked, their toiletries unbagged from the gallon-sized clear plastic bag they were packed in, and *repacked in a quart-sized bag*, then marched back through the security queue. Why? Because the toiletries need to be in a *quart-sized bag*.
The meaning of form and function is irrelevent to those who spell those words as pass the buck.
If you have a problem you can not handle or things are out of control, implement policies like TSA is doing, attention and higher ups come to help out. See it as whistleblowing.
Given this, what is next is to try to build bridges to help, and/or implement changes/attention to negotiate necessary actions for change.
Thankfully Bruce Schneier is bringing this to attention, and hopefully blog community gets the pump primed for action/answers.
What is disturbing, is that a very expensive government is not doing this, and making suck action problematic.
Sure sounds like a Microsoft government.
The Enlightenment and Reformation ages are coming, just hold on through these dark ages...
Perhaps putting laptop into a bag might allow for easier trackablility of laptops with security cameras.
If bags also had some form of identification RFID/Barcode/etc then it is easier.
At first blush, laughable, latter perhaps some benefit?
What do you expect when you treat people like replaceable objects, aka "human resources"?
You want them to be stupid and risk themselves in a context where they are expendable?
I see this among IT security people -- "We have a policy of using 'enterprise solutions'". What does that mean? Doing whatever gives them insurance, rather than solving the security problem. Why should they bother with anything else? Why should they take responsibility when they have no real power or protection?
It's like the good 'ol Soviet Union.
Reminds me of some job, where I should sign a paper, not to bring my own data medium to the company.
I asked about cellphone, phone-card, digital bike tachometer, banking card, health-care-card, ...
The other person was a bit surprised to realize, what digital data medium most people carry with them.
Especially bringing foreign programs with me was prohibited - I was engaged as programmer and brought my laptop with me.
Of wouldn't bring malicious software with me - I would write it in my working time.
As a security procedure, it has merit.
Most laptops are stolen from within a company by opportunist thieves, and usually by people who are authorised to be there. They will see an unattended, unsecured laptop, scoop it up and leave the area as quickly as possible. Most will not stay in the area long enough to find the laptop bag, as that increases the risk of discovery. They will then try to walk out of the building. They will be nervous of getting caught, and anxious about what will happen to their job or their liberty if they are caught.
If a security guard challenges them, most will not have the presence of mind to think up a convincing story on the spot, and most will not have the chutzpah to go back, find a grocery bag, and risk detection by walking past the same, now suspicious, security guard a second time. Instead, many will back off, abandon the laptop and leave.
Yes, the process has flaws. No, it will not work against someone very confident or quick thinking. No, it will not work against someone who studies the security process from every angle to find exploitable flaws. But it is cheap, it is easy to implement, and it will be effective against a significant proportion of opportunist thieves. A 100% solution is likely to cost significantly more, be intrusive to legitimate laptop users, and deliver little extra value.
I would also congratulate the security guard on guessing that the blogger he was dealing with didn't fit the profile of an opportunist thief, and finding a creative workaround to help him achieve what he needed with a minimum of fuss while still staying within policy. I would hazard a guess that if the blogger had been nervous, and didn't have a confident story about why he was taking a laptop out of the building, the guard would not have been so helpful.
One time I was stopped from bringing a repaired computer part *into* a building because it didn't have a property transfer form. Of course they only checked that kind of stuff at the lobby entrance. Through the side doors you could go in and out with just a badge swipe.
The article is just the "tip of the iceburg". Recently I came across articles that state Customs Officers at Checkpoints and airports in the US can "confiscate" laptops, Ipods and all electronics items (including Handphones).
I think that is the worst policies to enforce and I am one person that will definitely not travel to the US.
Come to think about it, only the US is currently enforcing this policy. Although, I think UK will soon follow.
Why did this guy have a windbreaker in the office? Pretty suspicious if you ask me.
You mean I can take my chainsaw in my carry on in NZ. Awesome, I'm shifting from Canada!!
Unfortunately, just about everyone is right:
1) Security now adays is about audit checkpoints, not about making people secure. How many times have you heard: We'll deal with it if it it becomes a problem (or legislation or audit item)?
2) Those in the front line don't think. Whether it's because they can't or won't is irrelevant. I'm very rarely think of issues as black and white and like to understand intent, but in this case it really doesn't matter for handling of the situation. (I'm reminded of a call with a bank where I tried to get something taken care of for my spouse -- the first person got the verbal approval, the second did not and would not let us proceed -- can't blame anyone for it, they were doing their job).
3) Fear is an amazing driver. It drives us to misjudge risk, follow policies blindly, and implement bad policies.
One could argue all sides of this story and be right.
This is why people who write good policies should be paid more.
It's surprisingly hard.
Most (All?) comments justifying this act seem to think the guards were acting according to a policy in pace to prevent bag snatchers from stealing computers while on a pedestrian.
Don't you think it more likely they were trying to prevent people from stealing a laptop from inside the building. And by disallowing the transfer of laptops they think they can reduce the amount of thefts.
The guards in this case were trying to help a guy out by saying "What I don't know can't hurt you". They were following policy but absolutely ruining the effort to reduce computer thefts.
How about a clear plastic grocery bag? :)
"Security now adays is about audit checkpoints, not about making people secure."
Welcome to ISO9000, where _everything_ (not just security) is about following a written procedure and documenting that you did, and not about doing anything sensible. You can and will be fired for any application of "common sense" that is in conflict with even a typo in the published procedure. Also, of course, for missing a deadline while waiting for the typo to be fixed/checked/approved/uploaded to the corporate documentation site/pushed to your location
ISO_9000; it is all about writeoff and writedowns. The pen is mightier than the mind.
What else would you expect from a bunch of lawyers, attorneys, media, everywhere? A LAME world.
Policy IS NOT NECESSARILY security.
Actually, they are mindless drones. Having managed security crews in large financial insitutions, i can honestly say the "security" is more like a show of force than practical application. I fear the day someing happens in San Francisco during the night shift- talk about an ill prepared mindless staff of security city wide.
(Not to mention the reason most buildings have security is not so much as to insure the safety of objects or persons, but for insurance rate purposes.)
Lots of comments here and on the other blog about how the laptop-must-be-in-a-bag rule might be mandated by the insurance company.
Makes me wonder if a similar thing would happen in software if liability/insurance ever take off.
The laptop/insurance/bag rule (if that's what it is) is probably based on statistics.
A laptop in a car is more likely to be recognized and stolen if it is not in a bag. A laptop being carried from one building to the next is safe whether or not it's bagged. The bag rule applies universally though the conditions under which it makes sense do not.
Finding correlations is easy. Determining cause and effect is not.
Are similarly silly rules going to be enforced on software once the insurance auditors and statisticians get their hands on them?
"Software titles must be labeled as service pack 3 or later" (everyone knows XP-SP3 is safer than XP-pre-SP3!)
"Installers must not have a blue background" (all of ACMEs apps do and they all suck)
"Program sizes must be evenly divisible by 17" (who knows what wacky correlations you'll find once you start looking)
What's really funny about this is all of the different "well the obvious right thing to do is...".
C'mon guys, why all of the different right things to do? Isn't there just only one "obvious right thing to do?"
"The drones should have done it my way!" Yeah, I've seen more of those than I bother to count here.
"They should think on their feet and make policy decisions as they see fit."
Um, yeah, up until the time they make a decision that inconveniences you. At that point it's back to bashing mindless drones again.
Oh, and laptops are more likely to be _dropped_ when not in a bag.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.