What Examples of Security Theater Have You Encountered?
swillden writes "Everyone who pays any attention at all to security, both computer security and 'meatspace' security, has heard the phrase Security Theater. For years I've paid close attention to security setups that I come in contact with, and tried to evaluate their real effectiveness vs their theatrical aspects. In the process I've found many examples of pure theater, but even more cases where the security was really a cover for another motive." swillden would like to know what you've encountered along these lines; read on for the rest of his question below.
swillden continues: "Recently, a neighbor uncovered a good example. He and his wife attended a local semi-pro baseball game where security guards were checking all bags for weapons. Since his wife carries a small pistol in her purse, they were concerned that there would be a problem. They decided to try anyway, and see if her concealed weapon permit satisfied the policy. The guard looked at her gun, said nothing and passed them in, then stopped the man behind them because he had beer and snacks in his bag. Park rules prohibit outside food. It's clear what the 'security' check was really about: improving park food vending revenues.
So, what examples of pure security theater have you noticed? Even more interesting, what examples of security-as-excuse have you seen?"
Airports... Need I say more?
No trolling intended, but the war in Iraq now is the biggest piece of security theater on the planet. It does not make the US safer (indeed it probably does the reverse) but it does give certain people benefits. Cheney and friends make millions on no-bid contracts, and neocons get to implement policies that in more normal conditions would not be tolerated by the public.
If public CAs are supposed to be trusted authorities of identity on the Internet, why do we have to have "extended validation" of an entity before they get a certificate? If we can't trust the CA to validate entities before issuing certificates in the first place, how can we trust them to issue Extended Validation Certificates in the second?
Oh, I forgot, they are in collusion with Microsoft and other CAs to inflate the cost of digital certificates they already issue.
In 2001 I was living in an apartment complex in a North Dallas suburb. If you got a package that wouldn't fit in those teeny-tiny mailboxes then the mail man would drop off the package at the apartment complex office and you could pick it up in normal office hours.
After September 11th, the apartment management sent out a memo to all residents that because of the heightened state of terrorism awareness the office would no longer allow packages to be held there for the residents.
Of course my first thought was they were just tired of dealing with the packages and saw this as a convenient excuse to stop holding packages for people.
Not everything that is gold glitters
Oh, and "inspections" of laptops at the border.
Yeah, that will help (actually, it does. It helps because it drastically reduces the number of willing visitors to the US).
Every time I'm held up by the "No Fly List" because I have an insanely common name, I feel like a victim of security theater. How many would-be terrorists have been caught by the no fly list?
In my opinion almost all forms of random searches are security theater.
People putting loaded handguns in their homes in the case of a would-be assailant or robber breaking in. This is not only security theater, it increases the risk you are putting yourself and your family in. Not to mention that in most instances of murder the victim knew the assailant. You're more likely to die of suicide than a robber killing you.
I don't know if these are examples where the security theater is a cover for another reason--unlikely. But there are clearly examples where it just makes your life worse more often than better.
My work here is dung.
Security theatre at its finest. It's so unusable that it's clear that any serious user will disable it. So why include it? The article points out a valid reason: liability. Microsoft can't keep your system highly safe without a great cost to them (re-architect the OS and severely damage backwards compatibility). So they chose to let you either deal with the annoyance, or turn it off, and (symbolically) accept responsibility for anything that goes wrong.
Make sure everyone's vote counts: Verified Voting
I cannot verify this story, anyone else?
Back in ArpaNet days, MIT had machines running an OS called ITS. It was a friendly and happy world and there were user accounts but no passwords. But networking means that strangers can connect and so Arpa insisted that passwords be added. So the ITS developers added a password prompt that ignored the password, and this made the Arpa people happy for a while until they figured it out and made them actually check the password.
In a similar vein, Microsoft file server passwords were originally checked only on the client, a fact which went undiscovered until Samba came along.
The article fails to talk about security as a deterrent.
The RFID bracelets on an infant can give comfort to the parents but it's more of a deterrent than anything. Sure the hospital can tell the parents that their child is protected. But the hospital is not protecting the child as much as it's protecting itself. For example:
A guard that is in the bank is not there to stop a bank from being robbed. He deters people from committing the crime itself. In a robbery situation the guard himself is useless because the individual or individuals robbing a bank would take him out first. But in most bank robberies, the criminals are going to go after a bank without a guard anyway.
A mall guard doesn't stop people from stealing, he creates the presence of being watched, therefore deterring people from stealing.
Same goes with cameras in stores. Most of the time no one is monitoring the cameras and if anything they're used to watch employees over customers. But they're deterring employees from doing anything unethical or illegal and they deter people from stealing.
In my opinion the idea of security theater and feeling safe is crap. You might as well spend the time and effort to know you're safe than make it seem like you feel like you're safe.
...but what the hell is up with these users starting their replies with something like: "I'll probably get modded down for trolling, but..." Are you saying you know your answer will not be appreciated, but you're just the kind of crazy, out-there, don't-give-a-damn, cool guy that says it anyway? Just say what you have to say and stand by it. Stop showing off your insecurity, and/or lack of knowledge on the subject.
What's left to say? It's pretty clear that drugs are more dangerous when they're only available in the unregulated black market than in a regulated legal market. Criminalizing the use of drugs only hurts drug users more, yet it's done in the name of safety.
What's worst is that we've been fighting this war for decades, no end is in sight, we've spent more money and lost more freedoms fighting it than we have in Iraq. And still, no one in power has the balls to speak out against this.
We live in a sick, sad world. People who would meet the non-violent act of drug use with the violent acts of arrest and imprisonment are themselves violent criminals. Yet in this society they are deemed good citizens.
Give me Classic Slashdot or give me death!
rj
See tsa.gov. I have personally taken gasoline-soaked garments on an airplane and not had them given a second look. Of course the radios I also carry always get a second look although they are EXACTLY like most of the guards carry (Motorola CP200). However, I do feel infinitely more secure knowing that an airplane will never be hijacked again, not because of anything the government does but because the passengers won't stand for it and will kill the hijackers. I suppose some passengers might die but as far as they were concerned they were dead anyway. In short, pretty much the whole airline security system is security theatre.
But if I were making a joke about the "cup holder" that comes out of the "hard drive", then it would be funny.
:-)
And would lose all its funny if someone decided to point out that it's not a "hard drive" but in fact has some other arcane name, which really doesn't matter in the context of the joke.
We created a delete function, and kept getting reports that the customer accidentally deleted records. (And we had no undelete function.) So we added an "Are you sure?" dialog.
The incidents of accidental deletion did not go down.
So we added text "This cannot be undone. Continue?" and still the incidents did not go down (People just randomly click OK.)
Finally we changed it to "Please key in 'irreversible' to continue with the deletion." This solved the problem.
It also helps politicians pander to ignorant members of the right.
"Not an actor, but he plays one on TV."
The consulting algorithm:
1) Find out what they want. (They will ask for bells and whistles and not tell you core process basics.)
2) Figure out what they actually need. (Research their actual process and design improvements.)
3) Try to convince them to want what they actually need and change the spec to go with that.
4) After step 3), give them what they now want, whether it's what they need or not. (Provided it's legal and ethical.)
And of course:
5) Profit!
They are the bosses / customers. They decide what to spend money on. You are the hireling. You agree to do what they want in trade for the fee they pay. After step 3) your moral and ethical obligations are discharged - and if your suggestions are good you've proved your worth. If they're smart they go with what you suggested - or know something about their business that you didn't and reject your suggestion on that basis. But if they decide to do something you think is stupid once they've been informed, it's their business, so it's their call.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
It's rather hard to believe that authorizing everyone to carry firearms can in any way make the society safer... Here, in Europe, if I met a girl who carries a pistol in her purse, I would immediately freak out and run away!
I think I speak for everyone here at the slashdot community when I say:
Shut the fuck up.
You are mistaken. Make no mistake, the TSA is not there for security purposes, if so, then the back end of the airport would be secure as well, it's not.
The TSA exists only to make sure you get good and used to being bullied by thugs with guns while having your rights violated.
No other reason.
No one could ever have something like a four hour drive to the nearest major league stadium which with one wrong turn could include a trip through the seedier part of the city?
That'd never happen because everyone lives in perfect happy little suburban utopias where everything is a five minute walk away.
Sad thing is I predict you'll get insightful and this will get flamebait.
Security systems that will let you in with nothing more than a fingerprint scan. Gee, what's more difficult: guessing the correct password within 3 attempts, or lifting a fingerprint and making a gelatin mold? (hint: see Mythbusters to see how difficult it isn't to create a gelatin mold)
You know, if you manage to offend an entire tree of responders, you may be doing something wrong. It's kind of like those smartasses everyone's met in school/university by now, who may even be right, but aren't making any friends showing off. I'm just saying, take a close look at your priorities.
Sam ty sig.
Of course there are the obvious TSA stories, but I think the more common stuff may actually be worse.
Working as a contractor for a giant Electronics retailer that shall remain nameless, I saw a memo regarding their policy of searching people's bags as they left, and sometimes entered, the stores.
The public reason given for searching those who left the store was, of course, loss of merchandise. The public reason given for searching those entering was safety...
However the REAL reason for both of these, was to (paraphrasing from memory) 'Establish [company name] as the authority figure in the sales transaction and subsequent customer service encounters...'
Yikes! 'We're in charge here, we've got big scary minimum-wage thugs, You'd better Buy as we say!'
Now if that's not 'Security Theatre' at its worst, I don't know what is....
=R
Why the hell would you have a button that actually says "OK" on it? That's poor design, because you should know that people always click OK. A better design would be to have buttons that say "Delete" and "Cancel", with the Cancel button selected by default. Typing the phrase was a good alternate solution to eventually arrive at, though.
I've read a lot of replies that said that TSA security checks were theatre, and they're right, but nobody has mentioned the requirement to present identification. To me, this is the most glaring bit of airline security theatre, because it has almost no security value at all, but a huge ulterior motive for the airlines.
All computers scattered all over a county are hand configured; there is no DHCP. Reason given: security.
All computers are required to have only Internet Explorer 6. Reason given: security.
All computers have their CD-ROM drive disabled. Reason given: security.
All computers allow USB flash drives. Reason given: security.
At the point the Snack^WSecurity Guard is searching the bag, he has the gun, and the owner of the bag doesn't.
-- Alastair
We're not scared because the knife has a serrated edge. We're scared of crazy motherfuckers who wander around and "always like to mention" that they're carrying around a big goddamn knife. We think you're the freaky weirdo who's going to flip out one day and start filleting people because the government's mind rays are becoming too powerful for your tinfoil-lined hat. And we don't find it comforting that you'll be there to protect us from criminals. We just kind of wish you'd go away.
If the no-fly list weren't a joke (and sadly, it is) then I would hope that people dressed like pilots get more scrutiny than other people. People dressed in a uniform are often given no scrutiny in places where plainclothes would get questions. If people dressed as pilots can get through security without any fuss, then you can rest assured that someone who wants to do harm will dress as a pilot.
I dunno, man. There's a whole lot of amazing confidence in these broad statements:
/. and all, but perhaps there's something to be said for following the same standards of knowing what the f*** you're talking about before you open your mouth that folks here demand of others when they, for example, opine or legislate on tech issues. Otherwise the general perception of this crowd as pointy-headed geeks who are immature children outside their area of professional expertise is...well, justified.
The reason that America hasn't been subsequently attacked had nothing to do with punishing the silly, stupid Taleban in Afghanistan, or fomenting a war in Iraq.
No subsequent acts have occurred for any number of reasons, almost none of which have to do with the wars, as the wars were about pride and oil.
And you know this because....? Because you're tight with the top thinkers inside al Qaeda? You've got good contacts in the backcountry of Pakistan? You speak all the relevant languages and have access to intelligence intercepts of the phone conversations? You've spent two decades studying the history of terrorism from original sources, interviewing suspects and counter-terrorism agents?
Or is it just that these conclusions seem reasonable to you, based on your average-Joe reading of the news and your common sense (supplemented of course by your ideology)?
I'm not saying you're wrong, because I don't have access to all the information necessary to make a judgment one way or the other, and I know that.
But I daresay if some politician made some equally sweeping general statement about why Microsoft is despised by Linux groupies, or whether or not the GNU license model made sense or not, based on a similar combination of what's in the nightly TV news plus his own "gut instinct," you'd jump all over him for being an arrogant ass and speaking far more assuredly than he should about stuff that is for the most part completely outside of his experience.
I realize this is
If the card specifically says "please ask to see id" I doubt that very many clerks would accept the "it's my husband's card". Generally speaking, most stores will not take a card unless they believe that it belongs to the person presenting it. If they can show ID with matching last names, then maybe, if you're lucky they'll take it. Generally, people who share credit card accounts get separate cards with their own names on them. They don't use other people's cards.
Using the card at an ATM requires a PIN number. They aren't going to know your PIN number. There are special credit-to-cash machines in some casinos which process a credit card charge and then give you 95% of the money, but those are not very common outside of casinos, so for those of us who don't live near a casino, it imposes an additional delay.
Using it over the internet usually (although not always) requires the billing address associated with the card. The reason they require this is because it is something that the cardholder knows that someone who stole the card or found a lost card probably doesn't know.
Admittedly, writing "Please Ask to see ID" doesn't offer any improvement over signing the card in the latter two scenarios, but just because a security measure doesn't help in all possible situations doesn't mean that it isn't an improvement, especially when those situations are less common anyway.
In the end, what it comes down to is:
1) Signatures are easier to fake than IDs are, especially when you have an example of the signature to work with. Most store clerks, even if they check, are not knowledgeable enough to recognize the difference between someone's real signature and a copy. Making it worse is the fact that the signature field on a credit card is only about half the height of most people's normal signatures, so the signature in the field often doesn't really resemble the person's signature.
2) Even people who don't check the signatures sometimes notice the "Please Ask to See ID" written in the signature line. Several times I've seen clerks not check signatures for people in front of me, but then, when I hand them my card to swipe, they notice what's been written in the field and ask to see my ID.
3) In most states, the driver's licenses have the signature on them, so they can still check the signature even if the card doesn't have one on it.
So, sorry, but this legitimately does make it tougher to use a stolen credit card, whether or not it's inconvenient to you.
It was well documented and everyone knew about it. There's no theater if there's no deception.
That's not a case of security theater, that is just a case of someone using the wrong tool for the job.
If you want authentication on top of sharing files over a network, there are other options for that, none of which is NFS alone.
Granted today NFS tries to take authentication into the picture as well, but originally that was not its intent.
There are now addons to it (such as keylogin) which can be used, and of course one can run NFS over a VPN which handles the authentication and possibly even encryption if you wish.
Thank you. There seem to be so many people who have bought the propaganda to the point that they no longer understand what some words mean, or perhaps they never knew so the definitions have been defined by propaganda.
Insurgents rebel against legal authority, they are individuals within a group that rebel against the group. People from one country who attack another are generally invaders, aggressors or terrorists depending on the scale, government involvement and nature of the attacks.
The US has not experienced an insurgency in Iraq. The Iraqi government has, but that government is of dubious standing in Iraq given that it has been installed by an illegal invader. Hypothetically reverse the conflict and ask yourself if someone invaded the US and installed the government they wanted, would you fight against it or simply accept it? If you would answer the former, you could well be labelled a "terrorist insurgent", or "resistance fighter" depending on the political standpoint of the labeler.
Not many monitors or practitioners of international law consider the invasion of Iraq legal, close to zero. There was no UN mandate to support it, there were mandates supporting the use of force but they were irrelevant to the situation at the time. The only people who argue that it was legal are American neo-cons, hardly known for their understanding or respect of international law, their cronies and idiots who buy the propaganda.
Please re-read the dictionary because while the definition of terrorist has changed recently, the definition of insurgent has not yet been corrupted in the good book.
I don't therefore I'm not.
I was flying internationally (Wellington to Sydney) recently. The security guards stopped me after x-raying my bag --- turned out that I had some roll-on deodorant in there that I had forgotten about. Oops.
So I apologise and hand it over. The security officer places the deodorant in a plastic bag, hands it back to me, and sends me on my way.
Clearly the bag was made of some kind of special anti-explosive plastic...
Repton.
They say that only an experienced wizard can do the tengu shuffle.
Doesn't work in Europe. Every thief knows how to drive sticks. Actually, you'd probably be better off with an automatic, everyone will shy away from stealing those. They're expensive, and only rich (and powerful) people spend money on something as frivolous as not having to shift gears.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Please note that it is VERY difficult to conceal a 4-foot long rifle in the front pocket of a hooded sweatshirt. And walking around on the street with one is likely to get you very odd looks, if not phone calls to and visits from the police.
SRSLY.
Revenue... The shops charge to "fix" the radio.
No it is not. The GP is correct. From a UI perspective, a button does something, i.e. it is an action item, and as such it should be an action word: a verb.
Just because Windows does it wrong so much of the time, does not make it right. "OK" is so vague as to be almost meaningless. One can even argue that Windows doing it wrong so often is why so many users hit "OK" without thinking, just like the OP was complaining of.
when it's the only button on the dialog. In the example given, it was not the only button.
Is that like "only the right (and powerful) people spend money on something as frivolous as not having to butcher their own animals"?
There are legitimate reasons you might not want an automatic transmission -- you might like the additional control, better fuel economy, improved failure modes, etc. -- but dismissing it as "frivolous" just makes you sound envious of people who can afford a lifestyle you'd like for yourself.
When a support admin threatened to permanently kick him off of the system, he replied "That's OK. I won't be alive tomorrow."
Hmm... Elevated threat level, warnings of possible suicide attacks in the next day or so, and a fundamentalist Muslim kid warning that he intends to die roughly in that time frame.... Sounds like something worth investigating (if only because we've got a kid that seems to be threatening to kill himself ... terrorism or no).
Being a Canadian, I call the Canadian 1-800 terrorism tip line (remember ... less than 6 months since 9/11) and find that it's been disconnected.
I then turn to US sources, and try to leave information in various places. Then I turn to the local US Consulate and leave an urgent message. After about 24 hours of trying various routes (both Canadian and US), I finally get a callback from a completely disinterested consular official who pretty much has the attitude of "explain to me why I shouldn't hang up on you".
Less than 6 months after 9/11, an orange threat level, and a suicidal fanatic on my site, and I'm fighting to explain why a US official should even take a report from me. "call us with any tips you might have" ... Yea, right!
That was the last time I took post 9/11 security fanaticism seriously. (other than as a threat to my civil rights).
Sometimes boldness is in fashion. Sometimes only the brave will be bold.
Europe really is different. Almost everybody drives a manual rather than an automatic. The car hire people tell me the only reason they have automatics is so they can rent out to foreign visitors, British customers will go to a different hire car firm if a manual shift isn't available.
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former. (Einstein)
Yeah, but the US has higher rates of death by people killed by knives than most other countries. We have higher rates of assault (often with cars) than other countries. We are, unfortunately, a pretty violent country, with or without guns.
If you look at the situation holistically, it's not clear that guns are a primary cause of the violence. Gun ownership rates are highest in the rural areas, while gun violence rates are highest in the urban areas. This book has some very interesting, and fairly rigorous statistical analysis.
Many students of the situation note that the gun violence didn't rise in the US, until the war on drugs ramped up. A large amount of gun violence is directly related to drug commerce.
I was taught to respect my elders. The trouble is, it's getting harder and harder to find some.
Easy guy, he's on _your_ side... Let me paraphrase... "There are legitimate reasons you might not want an automatic transmission" The legitimate reasons that you might not want an automatic transmission are that, "you might like the additional control, better fuel economy, improved failure modes, etc."