Stupid Security

Buck Mulligan writes "The folks at Privacy International are holding a stupid security contest to discover the "world's most pointless, intrusive, annoying and self-serving security measures." Nominations can be submitted by email: stupidsecurity@privacy.org. My vote goes to the Ronald Reagan 'Free Trade' Center in Washington, where you have to show your driver's license to visit the food court. (Having a driver's license proves that you aren't dangerous!)"

How about ...

[a2800276]

this

Stupid Security

[Captain+Large+Face]

How about...

Using a one million bit key and claiming it's uncrackable on Slashdot?

Re:stupid security

[trezor]

I recall some campus rules where I study (they were ultimately changed :). They went something like this (I am -not- kidding):

• Computer-monitors should be turned off when Internet is not being used.

Signature via fax

[DrSkwid]

& also "Company Letterhead via fax"

I've encountered both of those as some sort of "security"

Re:Signature via fax

[rikkus-x]

Some years ago I went to a branch of my bank in the middle of nowhere. I didn't have my card for some reason so they got me to sign something and faxed it to my 'home' branch for verification.

Seems close enough to safe to me.

Rik

I got one.

[TripleA]

US web-vendors that requires international customers to e-mail or fax in a copy of their ID and credit card. Mailing a picture of the card kinda defeats the purpose of the secure, encrypted order form.

Re:I got one.

[bmetzler]

Mailing a picture of the card kinda defeats the purpose of the secure, encrypted order form.

How's that? I mean it would seem like an ID complements a secure, encrypted order form. The encrypted page just means that no one else can get your transaction. It has nothing to do with authenticating you. Every legitimate buyer is going to have access to their ID and credit card. At least if you are going to approve stolen CC #'s make sure that they stole the whole card, and not just a number out of a hack database someplace.

-Brent

Re:I got one.

[TripleA]

Well, the picture of the card is not sent via encrypted email, so it's not secure at all. Anyone sniffing up that mail will have the customers complete CC#, as well as a lot of additional info on the customer (if the ID is sent in the same mail).

Re:I got one.

[bmetzler]

Well, the picture of the card is not sent via encrypted email, so it's not secure at all.

Oh.

I missed the email part. I just saw fax and mailing, and thought that it was a physical copy that they actually wanted to receive. Obviously email a graphic isn't a very good idea, considering it's probably easy to photoshop a CC image to begin with.

-Brent

(Chemical) labs at universities

[tsa]

I find it strange that there is (almost) no security at all in many chemical labs at universities in Holland where I've been. Anyone can walk in and pick up some chemicals, some of which are very dangerous if you don't know how to handle them. Of course people who work there can always take anything they want, but people who just happen to be there are not (much) resticted.

Re:(Chemical) labs at universities

That's not poor security so much as criminally poor chemical handling. Chemicals should be separated according to class, acids with acids and bases separate. Flamables away from the oxidizers etc... They should be in the proper cabinets and locked. And lastly anyone who works in a lab should keep everyone who doesn't need to be there out. No exceptions.

Re:(Chemical) labs at universities

[Amazing+Quantum+Man]

Reminds me of when I was at college (WUSTL). Some buddies stole HN03, H2S04 and HCl from the lab so they could make nitroglycerin. DISCLAIMER: IANAChemist, so I have no clue if they really needed those three for that.

Anyway, they wound up dropping acid on beetles. Of course, somebody knocked over one of the bottles, and it ate away a 6 ft^2 area of the carpet all the way to the concrete. before somebody got some baking soda to dump on it.

(voluntarily self-modded -1:OT by "No Karma Bonus")

Re:(Chemical) labs at universities

[Alsee]

Some buddies stole HN03, H2S04 and HCl from the lab so they could make nitroglycerin. DISCLAIMER: IANAChemist, so I have no clue if they really needed those three for that.

HN03 - Nitric acid. Need it, check.
H2S04 - Sulfuric acid. Need it, check.
HCl - Hydrocloric acid. Nope, don't need it.

The third ingredient you need is glycerine which I believe you can get at your local drugstore. It's insanely simple to make. You just mix the glycerine, nitric, and sulfuric acids and you get nitroglycerine as an oily liquid on top. The acids need to be very concentrated though.

You just have to mix it insanely carefully. The sulfuric acid generates heat. Heat is bad when you are making nitroglycerine. Very very bad. Even if you try to keep it cold the sulfuric acid tends to generate hot-spots. Did I mention hot-spots are bad? Very very bad. Don't try this at home. It will most likely blow up in your face.

IANAChemist either, for all I know it may blow up just because it doesn't like the color of your shirt.

-

Re:(Chemical) labs at universities

[PsychoMatt]

some of which are very dangerous if you don't know how to handle them Actually, I'd be more worried about some of the ones who KNOW how to handle them. ;-)

Airport questions

[Col.+Klink+(retired)]

I guess they've stopped doing this, but the airline ticket agents asking if you're a terrorist always seemed pretty stupid to me.

Re:Airport questions

[loydcc]

My favorite airport questions are "Did you pack your bags yourself?" and "Have your bags been out of your control?" But the all time favorite one I got from British Airways was "Have you accepted any gifts from strangers?"

Are there any kids who went to a public school in the 70's who remember the Redlight-Greenlight movies? I know I must have seen one every friday in the cafetorium from K through 4th grade. I won't even look at strangers after seeing those movies. Nevermind accepting presents from them.

Re:Airport questions

[Dr+Caleb]

Airline ticket agents since 9-11 in Canada have been asking me a doosy: "Is there anything in your bag of which you are not aware..."

Huh? How the he11 would I know?

Good thing the last few time I've flown, it's been on a charter. I bring my own flats of beer. Note to the community: Don't drink lots of beer on a 4 hour flight in a plane with no 'facilities'.

Re:Airport questions

[will_die]

I once had a 3 hour wait at the airport so I actually answered correctly on thoses questions. I had left my bags at a paid train storage area, and in the storage area of the train. The person at the desk just looked at me and said to answer that I had packed them and they had been in my control.

Network Solutions takes the cake

[ip_vjl]

How about the "Fax us the change request on company letterhead" for making changes when you don't have the admin password.

Like nobody could possibly fake that.

--

When transferring a domain to another party, I had to have the form notarized, then fax it in.
What's the point of the notary seal (embossed) when I'm going to fax it?

Re:Network Solutions takes the cake

[qengho]

Like nobody could possibly fake that.

Yeah, I actually had to create my company letterhead when they asked me to do this (can you tell I don't communicate much by snail mail?).

What's the point of the notary seal (embossed) when I'm going to fax it?

The notary also signs it, but faxed signatures are being derided elsewhere in this thread...

Identification

[david+duncan+scott]

Having a driver's license proves that you aren't dangerous!

No, of course not, but showing a DL makes you somewhat accountable -- would you rather chase "Caucasion male between 5'6" and 6', with brownish-blondish hair and average build", or "John Smith, 123 Maple Sreet, Clevland OH"?

Sure, credentials can be forged, but at least you've raised the bar.

Re:Identification

[mithras+the+prophet]

But I doubt they're actually keeping your driver's license on file, or making a photocopy, or anything like that.

Probably you just flash your ID, and a bored guard looks at it, and waves you on in. Meantime, your jacket full of jellybean-explosives...

Re:Identification

[Glass+of+Water]

That is, if they even look at the driver's license. I can't remember a time when a security guard even read my name! So it's more of a check that I have a driver's license.

The other thing is that they're not likely to remember anything on the license more than a minute later.

Besides, the guys who hijacked the planes on 9/11 didn't use fake ID. A suicide bomber doesn't care as much about hiding his identity.

All this fake security depresses me.

Re:Identification

[david+duncan+scott]

You're right about 9/11, of course, but suicide bombers are the extreme case. A truck bomb could certainly flatten my house, but I still lock the dead-bolt at night because I'm also concerned with ordinary criminals. I lock my car even though a moderately-skilled thief could still take it, because there are also even less skilled thieves who will be stopped unless I leave the keys in the ignition.

As for what security guards will remember, you never know. Ask one of them sometime. Some of those guys are ex- or off-duty cops, and cops often have remarkable memories. Furthermore, there may be a camera in the ceiling overhead.

Re:Identification

[parliboy]

You've circuitously explained the real problem. The true state of security is such that I would get in with a DL that says, "John Smith, 123 Maple Sreet, Clevland OH"

Re:Identification

[rark]

Eh. Except that in context, what are the chances that whomever is checking IDs in the food court is going to remember that that dude (rather than one of the fifty people before or after him) is John Smith, according to his driver's license.

Not to mention, one assumes that you were already in the building. Do they figure that the food court is a particularly attractive target?

Re:Identification

[david+duncan+scott]

Again, all you've done is raised the bar. Hell, the true state of security is such that I could probably get in by driving a truck through the front door. Does that mean we shouldn't bother with locking the doors at night?

Besides, I'll lay money that there is, in fact, a John Smith living in Cleveland, and a Maple Street.

Re:Identification

[Amazing+Quantum+Man]

Besides, the guys who hijacked the planes on 9/11 didn't use fake ID.

Agreed. I always thought one of the stupidest rules they came up with after 9/11 was "Only ticketed passengers past security".

HELLO! The hijackers had tickets! This is just part of the mentality to show that they're Doing Something! Anything(tm)...

Re:Identification

[SomeGuyFromCA]

That's not the point of those requirements.

Since they became a lot more through about security checks after 9/11, the "Only ticketed passengers past security" rule was designed to lighten the load on the checkpoint personnel.

Before 9/11 - two passengers + four friends = 20 minutes. After - two passengers = 45 minutes.

Re:Identification

Do they figure that the food court is a particularly attractive target?

Well, if it's anything like my high school's cafeteria, it would be.

The food there was enough to drive anyone to suicide :o)

JavaScript

[SoCalChris]

JavaScript on web pages that won't allow you to right click. Very stupid "security", and highly annoying too! Not to mention that it is super easy to get around...

Re:JavaScript

[sporty]

super easy to get around...

The early 90's are calling. THey want their phrase back.

Sorry, couldn't help it :)

Re:JavaScript

[fulldecent]

Yes, and client-side validated forms. Wow, I registered the "*@comcast.net" email address. I didn't work as I expected, but I have it registered it to me nonetheless.

Re:JavaScript

[Alsee]

I registered the "*@comcast.net" email address. I didn't work as I expected

What happened? Did you get all eight hundred and fourty three million pieces of spam sent to comcast customers that week? :)

-

XP explorer

[octalgirl]

When you use Explorer, which used to mean you would see everything about your computer in one fell swoop, clicking or double-clicking on My Network Places does nothing. You now have to right-click and Explore again if you actually want to get there. It seems it's because some users were getting into Network Neighborhood accidentaly and noticing there were other computers out there, possilby not locked down properly. But really, making someone right-click again, that is not better security, it's reduced functionality.

Re:XP explorer

Clicking and Double-Clicking works for me, perhaps you haven't configured your Windows XP very well or there's some problem with it.

Turning on the computer

[www.sorehands.com]

They used to have you turn on the laptop computer so they can see something on the screeen. As is you could not remove the hard drive and replace it with a weapon.

Going into the JFK Federal building in Boston, one of the security guards told me that they had it because of the Oklahoma bombing. Yes, if they had Timothy take the truck through the metal detector, they would have caught him.

Re:Turning on the computer

Of course had he been obeying the speed limit in the getaway car, he never would have got caught.

Mother's maiden name

[kindbud]

As if somebody who was able to find my CC number and my full name would be stumped trying to figure out this bit of top-secret information.

"What's your mother's maiden name?"

"31337h@ck3rm0m"

Drivers licence discrimination

you have to show your driver's license to visit the food court.

Heh
Being blind this _really_ anoys me. The number of places that won't accept anything other than a drivers licence as a form of identity.

Before now I've had to explain to people _why_ I don't have a drivers licence!

Re:Drivers licence discrimination

[david+duncan+scott]

Where do you live that they don't have a state ID card available? Here in Maryland the process is the same as that for a driver's license, except that no driving is involved (and they waive the vision test :)), so that the result is just as valid for ID purposes. Hell, it even looks like a DL.

I'm working a cash register these days, and we see these all the time. No fuss, no muss.

Re:Drivers licence discrimination

In NJ, you can go to the DMV and apply for an non-DL identification card. They give you a DL#, take your photo, address, other info, and laminate it on the same card used for normal licenses with an extra note "For Identification Purposes Only" printed at the top.

If someday you decide to get a real driver license, that DL# transfers over.

Re:Drivers licence discrimination

If you're blind, how did you read Slashdot?

Re:Drivers licence discrimination

[metamatic]

In MA, the identity card says "NOT A LICENSE" in big letters.

(I'm not blind, I just don't drive.)

Re:Drivers licence discrimination

[metamatic]

If you're blind, how did you read Slashdot?

If you're that stupid, how did you work out how to post?

Re:Drivers licence discrimination

[AngryPuppy]

Google can clue you in.

Protect the sandwiches!

[SomethingOrOther]

No, of course not, but showing a DL makes you somewhat accountable

I take it then, the policy of showing a driving licence (What if I don't drive?) has drasticly reduced the theft of pork pies and people punching each other in the dinner line?

(Some people need to get a life and stop invading others privacy for there own power games)

Re:Protect the sandwiches!

[david+duncan+scott]

Well, I wasn't addressing the issue of whether any security was needed at the food court, just whether or not this was at all an appropriate form of security. My guess (and only a guess) is that other parts of the place may be business offices and other areas visted largely by appointment (I have no idea what goes on at a "Free Trade Center", but I doubt that it's a flea market.)

As for not driving, I know Maryland has ID cards for those who don't drive, and I'm sure other states do as well. "Drivers license" is generally short-hand for "driver's license or other state- or Federally-issued photo ID". Even non-drivers have the option to write checks at the grocery store.

"Are you a communist"?

Heh
Any internationl flight into the US you have to fill out a little slip declairing that you arn't a communist!

That's my plans to start a revolution fucked then.

The VISA application for the US

[aWalrus]

Have you guys ever seen one of those things? There's this form you have to fill when you request a VISA for travelling into the US. I think it's the same for most foreign countries. In Mexico, at least, it has about 10 checkboxes that look something like this:
- I am a member of a violent terrorist organization yes / no
- I am trafficking drugs/weapons/any sort of illegal substances into the US yes / no
- I am an active member of a hate/racist group involved in violent attacks of minorities yes / no
- I engage in satanic rituals.... etc. etc.

I'm not kidding you. This is the sort of things the form actually asks. I guess there may be a legal precedent as to the need for these questions, but it's funny as hell anyway. Or maybe it actually works for stopping extremely stupid hatemongers / drug dealers from travelling into the country.

Re:The VISA application for the US

[duffbeer703]

That sort of thing helps the prosecution in court.

"Mr aWalrus, is it not true that on January 1, 1980, you submitted a signed statement asserting that you a not a member of a violent terrorist organizatino"

Proving that the accused is a liar is a powerful force in criminal trials.

Re:The VISA application for the US

[aWalrus]

Yeah, I thought that may be the motivation behind it. Still looks funny, though.

Re:The VISA application for the US

[infolib]

Read it, it's hilarious

The relevant passage says:
Do you seek to enter the united States to engage in export control violations, subversive or terrorist activities, or any other unlawful purpose? Are you a member or representative of a terrorist organization as currently designated by the U.S. Secretary of State? Have you ever participated in persecutions directed by the Nazi government of Germany; or have you ever participated in genocide?

Re:The VISA application for the US

[Hubert_Shrump]

Proving that the accused is a liar is a powerful force in criminal trials.

Also probably helps that it's a federal crime to knowingly lie on one of them babies. ;)

Re:The VISA application for the US

[jo42]

Hey, for permanent resident status in YankeeLand, the DoD wants to know if you ever used the services of a prostitute...

MS Outlook Express 6

disable unsafe attachements.

it only disables non-MS Office attachments.

iframe junk still works
iframe MSWord macros still work
etc...

PDF, GIF, PNG, JPEG don't work, they are too UN-SAFE

Re:MS Outlook Express 6

Didn't they tell you? They're unsafe to Microsofts profits!

Windows 95/98 password

[pkphilip]

the password prompt that pops up on system startup, which can be safely ignored.

Why?

Being blind this _really_ anoys me...Before now I've had to explain to people _why_ I don't have a drivers licence!

I'd rather have you out there driving than most of the fuckwits with a license, especially here in SoCal where 1) half the drivers are uninsured and 2) most see a minor accident as their own personal lottery ticket ("Oh my neck, eeet hurts").

Stupidest security...

[velcrokitty]

My favourite as of late is applying to security-minded companies, and embedding an image in my email from a server that I have access to. I can watch it as my cover-letter is passed from one department to another. I get to see what systems they are using, and I've found that a lot of companies have their IT department running one version of OS with a Google browser, while HR runs another version of OS (usually XP), and internal managers or reviewers running yet again another OS...

Sillies. You want security, don't claim to be a security firm and yet allow people to view your internal operations... Sillies...

Re:Stupidest security...

Reading comprehension: low
Apparent intelligence: low
Apparent believed intelligence: superior

Re:Stupidest security...

Very nice technique... Putting a "web bug" to work internally... Of course it might not work with someone clued in enough to use a text based email client (or a GUI based client with html email switched off).

But never the less, a very nice probe method.

"What's the Pythagorean Theorem?"

[GuyMannDude]

My friend (who is Australian but of Indian decent) recently re-entered the country from a vacation Down Under. At the airport, the guards put him through all sorts of questions. Among them was "How did you get your Green Card?". When my friend, a professor of Mathematics, replied that he got it through an Outstanding Researcher program, the guard asked him "So, are you an outstanding researcher in mathematics?". My buddy, groggy from a double-digit-hour flight, replied "Well, I guess I am." The guard then asked him "What's the Pythagorean Theorem?" to test him. My friend couldn't believe his ears. This question was supposed to determine whether my friend really was a mathematics professor? Every kid who went through high school math knows that one!

I feel safer already knowing we've got such intelligent guards monitoring our borders...

GMD

Re:"What's the Pythagorean Theorem?"

[jpsst34]

On a related, but different note, I once went into CompUSA with my girlfriend. She was wearing her university's Computer Engineering t-shirt. Upon seeing this, the mo working there said, "Oooh, computer engineering. Quick! What's RAM mean?"

Re:How about ...

How can something be modded redundant if it's the first post to say it?

Invading Iraq...

[Black+Parrot]

...to prevent terrorism.

(YOMV, but I suspect it will ultimately cause more.)

The Passport Bureau

I'm utterly serious. I went to renew my passport, and they wouldn't accept as ID either my birth certificate or learner's permit (Current and valid non-driver ID in the state of NY - good as a driver's license for any legal identification purpose!).

What they DID accept was my recently expired college ID. WHAT???

And if you want to call and complain to the passport office, it's a toll number!

Re:The Passport Bureau

[bill_mcgonigle]

And if you want to call and complain to the passport office, it's a toll number!

Democracy is rarely free, it just makes you free.

stupid security

[pamdirac]

I worked for Georgia Tech in college, so I was technically a state employee. As such I had to go through a standard application that included these gems:

Are you or have you ever been a member of the Communist? yes/no
Have you ever advocated that violent overthrow of the government of the state of Georgia? yes/no

Besides being useless screening tools, the first is irrelevant, and the second, well, what the hell would you do if you did violently overthrow a state government?

On another note, I've worked at two companies where you could not change your Windows network password; only an Administrator could do that. Both required frequent password changes, and the protocol was to send a clear text email to a sys admin with your new password.

The last place I worked allowed you to change the Windows password yourself (and required a new one), but there was no mechanism for changing the VSS password. Again the mechanism was to send your new password in clear text to the guy that administered SourceSafe.

And what about using proprietary VPN solutions that require a Windows machine to connect to Unix boxes? Talk about a backdoor. Now you are relying on the impregnability of Windows 98/NT/2000 to keep people from accessing your network.

I worked for another company that required you to shut off your machine every night (can't just logout) for security purposes.

The list for this topic is sadly quite long.

Not a security measure...

[cperciva]

but it's a result of stupid bureaucrats nonetheless.

Graduate students in the computing lab at Oxford University have swipe card access to the building 24 hours a day. University regulations stipulate that anyone who could be working alone must take a first aid course; consequently, all graduate students in computer science are required to attend this course.

The first aid course in question is basic CPR.

I've done that

Don't drink lots of beer on a 4 hour flight in a plane with no 'facilities'.

Just open a window and relieve yourself that way. When I did that we were flying over Paris.

Securing the cafeteria is actually a good idea

[gentlewizard]

Terrorists want to create maximum impact from their actions, so they target areas where large numbers of people will be congregated. Sure, there are no state secrets in the cafeteria, but that's not what terrorists are after. By exploding a bomb in a very crowded place at lunchtime, they create the terror they are looking for.

I was a visitor at M$ corporate campus recently, and everyone has to "badge in" to the lunchrooms (guests must be escorted). The rule is "no tailgating" - one person, one badge swipe.

Google browser?

[Amazing+Quantum+Man]

I've found that a lot of companies have their IT department running one version of OS with a Google browser

WTF is a "Google Browser"?? I thought Google was a search engine!

Cardiff Airport

[rpjs]

This was a few years ago, back in 1999,so may well have changed (probably got stupider). Here in the UK we still don't need to show ID when checking in for domestic flights (a couple of airlines require it since 9/11, but it's not required by the government). However when me and my girlfriend flew from Cardiff to Belfast in June 1999, after having gone through the gate, before boarding the plane we had to show our boarding passes to a plain-clothes policeman who wrote down our names. No doubt this was because of the ongoing unpleasantnesses in Northern Ireland, and the police were taking it seriously enough that when the guy in front of us objected he was pulled from the line and eventually was last onto the plane bearing a very pissed-off expression.

The thing is though, is that the *only* ID they asked for was the boarding passes, with no corroboration that the names on them were our real names. Presumably the South Wales Police have come to an understanding with the IRA and UVF who've agreed that their guys would never dream of buying airline tickets cash and supplying a false name, or with a fake/stolen card.

How about...

[aztektum]

Patriot Act?

Mod this up.

Seriously, mod this guy up.

I've got a great one!

The Department of Homeland Security. 'Nuff said.

You've got to be kidding. . .

[Fritzed]

At my first community college, there were several rules that you could not create new accounts, you could not shut down remote systems, you could not format hard drives, etc. . .

Now, these may seem like normal rules at first glance, and most people at the school didn't find them odd. However, I was working in the IT department at the time and I know that these rules were only added after it was pointed out to the lead Network Administrator that the Computer Management Console was openly available to all accounts.

Funny thing is, the Computer Management Console remained open for the next few months.

->Fritz

EULA

[dtabraha]

Yeah... right!

Like reading a EULA has ever convinced someone to that they shouldn't install the software from the pirated CD they have.

I think MS should do usage statistics to determine how many people actually scroll down the EULA or just click Agree.

1 x 10^(-1000000)

MS Bob!

[schon]

MS Bob had this wonderful security feature.. you could set it to lock your computer so nobody else could use it.

Only, that wasn't terribly user-friendly, so if you entered the wrong password three times in a row, Bob figured that you must have forgotten it, so it asked you if you wanted to change it.