Faux Security
I’m really tired of what I call “faux security”. You know, inconveniences written off as “for your security”?
I’d like to get this basic principle out there. Please repeat it, remember it, email it to your bank (through their “secure” messaging feature…), etc:
Less Convenient Does Not Equal More Secure!
In fact, the best security is transparent to the person who is allowed to do something, and completely impossible for the person who isn’t.
Faux security is dangerous. Because it’s so complicated for you to, say, log in, you feel that it must be difficult for anyone to log in. However, the complexity frequently opens up gaping security holes.
Some examples I’ve seen:
- A “secure” apartment building in which I used to live.
Ooh, it was so secure. Call box, elevator key, cameras, alarms in the units, the works. Big deal. Even if there wasn’t someone to follow in, there was an easy-to-climb fence into a hallway about 20 feet to the right of the main door. My friend used to make it a point to get to my door without me letting him in every time he’d come over. The alarm in the unit was only triggered by the front door, and even then I don’t think anyone actually responded. It was all designed to look secure. All it did was add inconvenience. If you were going in the “right way”, you had to use your garage opener, then your key in the garage door, then your key again in the elevator, then again in your door, then turn off your alarm. The wrong way: jump the fence or follow someone in, go up the staircase to the roof (unlocked for fire safety), jump down onto the balcony (made easy by the stepped/sloping roof), and slide open the balcony door (probably not locked due to the false sense of security).
- Your bank
This one frequently pisses me off – bank’s “secure” login requirements. I generate extremely secure passwords. But when a bank requires me to follow stupid, random password requirements (or use a simple PIN but have to click it on my screen, verify a picture, remember my customer ID, etc.), it creates a scenario in which I can’t remember how to log in. That means I need an alternate way of remembering this information. Therefore, somewhere outside of my well-secured (and convenient) method of storing login info, I have to store my bank’s stupid login requirements. Less convenient, probably less secure. Because really, if you store your logins in your browser and lock your computer, what are you going to do with login information that you can’t store in your browser? It’s probably going to end up on a post-it note… (note: products like LastPass and 1Password provide alternate ways of securely storing this information, but you frequently still need manual interaction with them, causing you to display your login information on your screen for everyone in Starbucks to see…)
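As an added illustration of the bank complaint above (this is not code from the original post): the functions below measure how many bits of randomness a login policy actually permits and check whether a password-manager-generated password is even accepted by it. The bank rules (6 to 8 alphanumeric characters, at least one digit) and the sample password are constructed assumptions, not any real bank’s policy.

```python
import math
import string
from itertools import combinations

# Character classes a policy may allow or require.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}

# Hypothetical policies (constructed for this example).
BANK = {"min_len": 6, "max_len": 8, "allowed": ("lower", "upper", "digit"), "required": ("digit",)}
MANAGER = {"min_len": 20, "max_len": 64, "allowed": tuple(CLASSES), "required": ()}

def count_passwords(policy, length):
    """Count strings of `length` over the allowed classes that contain at least one
    character from every required class (inclusion-exclusion over the classes missed)."""
    allowed, required = policy["allowed"], policy["required"]
    if not set(required) <= set(allowed):
        raise ValueError("a required class must also be allowed")
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = sum(len(CLASSES[c]) for c in allowed if c not in missing)
            total += (-1) ** k * alphabet ** length
    return total

def entropy_bits(policy, length):
    """Bits of entropy of a uniformly random password of `length` that satisfies the policy."""
    if not policy["min_len"] <= length <= policy["max_len"]:
        raise ValueError("length outside the policy's bounds")
    return math.log2(count_passwords(policy, length))

def satisfies(password, policy):
    """True if the password fits the length bounds, uses only allowed classes,
    and contains every required class."""
    allowed_chars = set("".join(CLASSES[c] for c in policy["allowed"]))
    if not policy["min_len"] <= len(password) <= policy["max_len"]:
        return False
    if not set(password) <= allowed_chars:
        return False
    return all(any(ch in CLASSES[c] for ch in password) for c in policy["required"])

if __name__ == "__main__":
    generated = "x7#Qp!vR2m&Lz9@Wt$Ke"  # constructed sample of a 20-char manager-generated password
    print(f"bank best case:    {entropy_bits(BANK, BANK['max_len']):.1f} bits")
    print(f"manager at 20:     {entropy_bits(MANAGER, 20):.1f} bits")
    print(f"bank accepts it:   {satisfies(generated, BANK)}")
```

The strong generated password is rejected by the hypothetical bank policy, and the strongest password that policy does accept carries roughly a third of the bits.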
- The airport
This is my biggest pet peeve. I understand that they need to react to events to make people feel secure, but the real thing stopping something like 9/11 from happening again is the passengers, not the TSA (i.e. if someone rushes the cockpit these days, they get tackled by passengers). Securing the cockpit is a good idea, and the security screening is partly secure, but mostly faux-secure. Think about it for two seconds and I bet you can find a menacing instrument you can bring on a plane with which to threaten passengers. That’s all the 9/11 terrorists reportedly did. And none of the TSA’s current inconvenient restrictions prevent that. In fact, since “terrorism”’s purpose is to cause governments to change things (i.e. cripple the airline industry), one could argue that it worked. And that pisses me off. I just hope that behind the scenes, they actually know what they’re doing and just aren’t telling us (which would be secure…).
Some things implement security well, such as:
- Mac OS X
Secure keychain coupled with secure login. Easy to use if you’re you, near impossible if you’re not. It’s also simple, which means things don’t fall through the cracks (like the jumpable fence…). Ubuntu GNOME has a similar keychain. You can also generate truly secure passwords (long, with special characters).
- LastPass and 1Password
1Password adds a bit of inconvenience, at least in the iPhone app (2 passwords required to get to items), but overall is well designed. LastPass is also simple, and lets you fill in those stupid bank password fields, so you can use real passwords and not write them on a post-it.
- Office tap cards
Lots of secure office environments use simple transponder cards. Tap it on a pad, and you’re in. Simple if you have the card. Hard if you don’t. (Better would be a fingerprint scan, but hey, there’s always “better”).
So, start complaining when you see faux security and remind them:
Less Convenient Does Not Equal More Secure.
