Schneier on Security
A blog covering security and security technology.
« U.S. Strategy to Prevent Leaks is Leaked |
| Whitelisting vs. Blacklisting »
January 27, 2011
Security Theater, Illustrated
Security theater, illustrated.
Posted on January 27, 2011 at 1:11 PM
• 38 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
I'm guessing government work.
Haven't you ever lost anything doctor Bronx? Your purse? Your car keys? Well, it's rather like that: Now you have it and now you don't.
my father was a surveyor and had considerable experience with chains across roads to which he needed access. His solution? A bolt cutter (great hulking thing) and a supply of locks.
Cut link, insert lock - and he had his own access through the chain.
Maybe someone ran out of locks, but had a cable tie handy? Don't blame the chain-owner.
YOU are the Weakest Link! Goodbye.
On a more serious note... if your only alternative is NO CHAIN, isn't this better than nothing?
The reason I say that is that the chain and lock are visible from a much greater distance than the cable tie. You have to get right up to the chain before you see that its really just a facade for security.
I'm not saying its worth much... just that its still better than nothing, especially when you consider the cost of the cable tie. Its hard to draw parallels between this and airport security, because the cost the TSA and its procedures are exponentially larger than the value they provide.
The cable tie provides little security, but it's cost is equally as low.
When does the STI swimsuit edition come out?
Iconic intro for any security presentation. Reminds me of the duck smashing a PC with a hammer. I think I already saw this passing buy a while ago on Slashdot or The Register.
At one place where I contract, we kept losing the ladder that we kept in their storage room. It was never stolen, just borrowed by building staff or another contractor who had legitimate use for a ladder, and who then didn't bother to return it. We lost a lot of time to searching for our ladder or a substitute.
So an eye-bolt was placed in the wall, and a steel cable with a prominent padlock was looped through the ladder, and attached to the wall with a quick-link.
We did not have to issue keys or combination to our staff, and yet our ladder was always there when we needed it. The magic of it appearing to be secured has, for our purposes so far, been better than it actually being secured, because actually locking something up has costs also.
It's probably just as illegal to cut the ziptie as it would be to pick the lock.
Look at it from a different perspective. If all you want or need is as much security as is provided by a zip tie (for example, secure against being opened by a moderate wind), but want to add the convenience of being able to open and close it, it's entirely reasonable to add the chain and lock.
Or think of it from this perspective: I want to zip tie this gate closed, but my zip tie isn't long enough. However, I happen to have a chain here which is mostly useless because it's got this lock on it and I've lost the key. Solution: Use the chain with the lock to extend the zip tie.
Third possibility: I've just used bolt cutters to break into an area secured by a chain and lock. While I am doing my nefariousness, I don't want it to be obvious to casual passersby that a break-in has occurred. I didn't have the foresight to bring my own lock for this purpose, but I do happen to have this zip tie that will work in a pinch.
Lots of possibilities. Only a few of them are really theatrical.
I don't know about you, but I've got a new desktop background.
I saw something very similar on a hut in Mexico. Chain and padlock, and on the other side hinges made of rope.
I suspect that was an attempt to get someone else to pay the disposal fee for a piece of crap that someone didn't want at the end of the school year.
you might be a redneck if...
In security theater, the chain is as strong as the strongest link!
Actually it took me a few moments to notice the zip tie; I thought they were referring to the chain wire fence. It's almost as fragile as the zip tie, at least compared to the locking chain.
Nice analysis, but at the end of the day using a ziptie to secure a fence is not even close to a security solution. That's the entire joke of the picture. It will deter a bad observer, but is not going to stop anyone else for more than 10 seconds. If just to keep it from being blown open by the wind, any former boyscout knows how to do an appropriate knot with a small piece of rope.
At the risk of sounding pedantic, but this is really what many of the discussions on this blog are about: is something a valid security solution or just theatre ? Is a policy, method, control or technology sound or is it not ?
Which kinda reminds me of an old running joke in which a guy for lack of a lock leaves his bicycle outside putting a note on it saying "Property of Mike Tyson. Back in 2 minutes". By the time he gets back, the bike is gone, flipside of the note reading "Pursuit pointless. Lance Armstrong".
Speaking of the Moscow bombing, I'm amused that people are now blaming the game "Call of Duty" for that because of the scenario of Russian terrorist Makarov and a US secret agent (which is the really interesting part) gunning down everyone at a Russian airport (and by the way, not only outside the security line but all the way through it AND a firefight with responding security).
So of course the first thing the US Congress wants to do is slap pointless "warning labels" on those evil "violent video games".
You can watch the "No Russian" scenario on YouTube: http://www.youtube.com/watch?...
Not for the feint of heart (i.e., the US Congress) since it does depict pretty well what an effective terrorist attack could do to an airport.
"my father was a surveyor and had considerable experience with chains across roads to which he needed access. His solution? A bolt cutter (great hulking thing) and a supply of locks."
Given the security theatre of padlocks, how about a big honking bolt cutter and a small gas welding kit? Cut the chain to get through and weld it shut (no padlock) behind you.
"Given the security theatre of padlocks, how about a big honking bolt cutter and a small gas welding kit? Cut the chain to get through and weld it shut (no padlock) behind you."
I'd assume he wanted to get back out at some point?
@Richard: That *is* the Daily Mail. Wait until you see it from a reputable source. The Daily Mail appears to publish whatever they think will get the most attention, truth be damned.
I'm not saying it didn't happen, just that the Onion's satirical reporting has proven more accurate on several notable occasions.
Have I overread something? The important question on motivations is "Why? The chain would have been long enough without the extra link."
The plastic link has been introduced, probably to increase the length of the chain. Realizing, that they lengthened it by 3 links, but used only one, it must be, that the chain is one link short otherwise. Except that it is obviously is not. There is plenty of slack.
I don't get confused because somebody probably tried the best he could get under dire circumstances, I get confused by the lack of necessity to do it here. I would have understood that whoever needed that fence closed took whatever he could get by when the middle link of his trusty chain suddenly disappeared, this is just unnecessary.
I took that photo, but I forgot to take a photo to the giant hole in the fence on the right...
Is it me (or the poor resolution on this mobile phone) or does the link on the left of the zip tie show a bright mark very very similar to that you would expect from a "junior hacksaw" blade?
Thus I suspect that a link has been cut out of the chain and left three links on the padlock.
The only question thus is who put in the zip tie, the person who cut the chain or the person who found the chain cut.
Oh and for those saying zip ties are a weak link, tests have shown that people who are tied up by their thumbs with a couple of zip ties. find it more difficult to get out of than being tied at the wrists with rope, and in the case of a well known brand of US LEO handcuffs being cuffed as well...
@ Richard Steven Hack,
with regards to what the UK satirical magazine "Private Eye" effectionatly referes to as the "Daily Fail" it was a newspaper launched for a certain class of woman to read over the breakfast table whilst the servents were busy running around.
It enabled these "wives of the upper middle classes" to think they where keeping up on current events. However in those days wives where still regarded by many as chattels with the unfortunate side effect of "requiring to talk incessantly about banalities at meals" thus the news paper served the purpose of keeping them more or less silent at breakfast.
It had a secondary purpose of giving these women something to get "all a twitter about" when talking to their peers (after all when you are upper middle class you don't gossip).
If you fast forward a century or so you arive at our present times where the Daily Fail is still read by a certain class of woman, who these days aspires to be a "Lady who lunchess" or a stalwart of the local Woman's Institute or Conservative Association (The Conservatives being the right of center UK political party but in effect a little left of the US Democratic party in outlook).
The Dail Fails story lines are usually about some latest "health sccare" invented by their editorial team that appeare collectivly not to have any qualifications in any field of science or economics and often their basic maths is a little doubtfull likewise journalism. They of course have to have some "serious stuff" but it makes the likes of the US National Enquirer look a little staid in comparison.
With the word "Illustrated" at the end of the title and the fact it linked to a "picture" I thought "ugh huh Bruce has gone a little racey in his old age" and was fully expecting some "promo shot" of a young lady in a very low budget costume holding some "snake oil" or equivalent. Sadly for this old man it was not as imagined, ahh well there's allways next time...
This image from a UK message board should tell you all you need to know about the Daily Mail.
Stories about immigrants, "political correctness gone mad", Muslims, gays etc. are all grist for the mill. Basically the paper exists to push buttons in its largely white, right wing, middle class readership who believe the world in general is out to get them and needs a newspaper to confirm it.
I'm quite aware that the Daily Mail is a tabloid - as is the Sun, which is also carrying the story.
As is The Mirror, which is also carrying the story.
I'm not sure about The Australian, also carrying the story, or Travel Weekly, or The Express, or The Examiner. I know The Register is carrying it, too.
All of these with separate pictures of the offending item and other details of the event.
Even The National Enquirer has been known to post articles of real events from time to time.
One would expect, but not be surprised to find it's not always true, that someone from these varied media would have called the airport to verify the report.
In short, my dear Clive, unless you know it didn't happen, pointing to the original media in question is not relevant just to play one-up-manship, old man. Bloody pip-pip and all that.
And if you don't like that example, a reader posted this comment on The Register's post:
Robert G Ward
Same happened to my son 2 years ago at Stanstead #
Posted Friday 28th January 2011 11:40 GMT
While waiting for checking with Ryanair to open, I bought my 4 year old son the fireman sam magazine. attached to the front was a very cheap plastic water pistol.
while he passed through security, the officers informed us that we could not take a replica firearm into the flight - even though it was still attached to the fireman sam magazine!
obviously, you can image I now had a screaming 4 year old on my hands for the entire flight and he was completely confused as to why it happened.
he still mentions it every time we go through security, so it obviously had an effect on him,
@ Richard Steven Hack
Give Clive a break, hombre. Everybody has a pet peeve he/she gets carried away with from time to time.
@Bruce the minute I saw that I heard Aretha Franklin singing "Chain of Fools"
What no duct tape?
@ Richard Steven Hack
"In short, my dear Clive, unless you know it didn't happen, pointing to the original media in question is not relevant just to play one-up-manship, old man. Bloody pip-pip and all that"
I was not in any way disputing the basic story (I have similar going back long prior to 9/11 involving toddlers with what might be camo teeshirts or even cartoon images of gunsand pre-teens with chewing gum and cans of a well known cola).
No the point I was making was the generaly overly sensational or "OHG think of the..." view and style the Daily Fail takes in it's editorial direction. In that respect it is not a normal tabloid paper, and exists almost in a world of it's own in that respsect within the UK (as others have commented here).
Thus it was serving as a generalised warning about what to expect and a heads up to put the appropriate "mental filters" in place to sift the facts from the OMG asspects of the reporting style.
As for the "pip pip" etc I assume it was in response to my (slightly) tongue in cheek portrayal of todays commonly held (and probably incorect) view of how men in that class behaved at the time the Dail Fail was launched. I was not in any way intending to play a game of "one upmanship" with you and I'm sorry if you felt that way it was not in any way intended.
And just in closing this is not the first time I have passed comment on the style of various UK newspapers on this blog nor I suspect will it be the last. As others have noted in the past when I have either quoted or linked to a report I take care to set it in context where I either doubt the information or the spin being put upon it (most recently was the reporting of supposed executions of Iranian Nuclear Scientists over stuxnet as reported in an Israeli online newspaper).
No problem, Clive. As a heads up, it just came across as being dismissive of the report because of the media source - which I understand fully, I don't trust tabloids - and especially their reactions - either. If the National Inquirer had broken the story, I might have dismissed it (although I do know they break real stories). And for all I know, it really was a Mail hoax. But until I know otherwise, I suspect it was all too real.
Even if it isn't, it really does show "security theater" at its clearest, which was my point.
Maybe there is another explanation. I saw something like this on an Animal Cops TV-show. The cop had a warrant and cut the gatechain to rescue a dog. Afterwards he closed the chain with a tie-rap "in order to leave the premises visibly closed again. Otherwise the owner could sue the council for damages in case something was missing.". It is another kind of theatre, but apparently it happens...
favourite comment on page #2 is actually quite relevant to this blog:
"Bob 28 Jan 2011 10:28 AM
I worked at a factory where we did something similar at the parking lot entrance to the property. We had a hook to hang a link on, with the padlock visible. We knew it was theater, but it discouraged those whom we wanted to discourage from coming on the property. Without the theater, semis would park on our parking lot overnight. With it, no such problem. Every employee with a legitimate reason to be there did not need to carry a key. The main facility had much more elaborate security, but the security theater did what we asked of it. "
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.