Seth points out that being creative and actually thinking takes a lot more effort than blindly following a given set of rules. It's also easier to feel successful shouting at people who dare to have a bottle of water on them when going through a boarding gate... at least for a certain type of people. It's no wonder then that people of this type usually just give up on thinking. And the result is pretty... disturbing.
How hard do you think it is to blow a plane apart with 3.3 ounces of liquid explosives of whatever kind? I'm willing to bet quite a lot that there's no difference between 3.3 ounces and 10 gallons when we talk about such a sensitive thing as a plane. It's just a matter of know-how.
So, the question is: why? Why does it make such a difference if it's less or more than 3.3 ounces? Surprise — it doesn't. So why? My guess is, to keep security staff paying attention. If there were no quantity limit, it would automatically be off the checklist. And if there is a limit, there is also a pretty good chance that security guys checking the exact capacity of a shaving cream can might pay some attention to its actual content. Or at least the bad guys may be afraid of them doing so...
Think Internet Explorer. Still significantly more popular than other web browsers. Let's put aside its infamous incompatibility with W3C standards and concentrate on its security. Or insecurity, rather. A friend of mine almost got scammed lately by an online banking password-harvesting trojan. Happened under IE and wouldn't happen under, say, Firefox or Opera... at least by now.
Unfortunately, it's not very likely that it has something to do with a more secure design or better coding of the alternative browsers. The design of each browser offers virtually the same number of potentially vulnerable places. The code is also similarly big and complicated, and thus bug-prone. What is the difference then?
It seems like nothing more and nothing less than popularity.
Even if you had a perfectly exploitable flaw in, say, Firefox, it's many times more profitable to find and exploit one in the much more popular IE. So, just wait until the alternative web browsers gain a bigger user base and it's pretty likely we'll see the number of attacks on them become comparable to those aimed at IE.
The bottom line — the more popular something is, the more impact on security it can potentially have.
Usually it's pretty hard to appropriately protect a communication channel which uses a couple of layers of really complicated software. Say we run an internet banking site through an SSL-enabled HTTP server. The client needs to have 1) a web browser, of which there are a couple of quite popular ones, and each of them once in a while turns out to be vulnerable to some kind of attack, 2) an SSL library, of which, again, there are a couple of implementations, and they have already proved not to be entirely bug-free (not to mention the algorithm itself revealing its weaknesses from time to time) and finally 3) all this has to make use of an operating system of some kind, and the most popular OSes tend to resemble a good Swiss cheese in terms of security.
There are of course a good many reasons for all this to still be insecure. One of them being the amount of code, which is not easy to manage. And so on, and so on. But actually it doesn't matter what the reason is; the important thing is that we are not secure enough and we won't be in the near future (no, I don't think Vista is going to surprise us here — actually, judging from what it has already shown, it's going to be even worse than it already is). So, instead of relying entirely on the one potentially unsafe channel, it's better to use a totally independent additional channel to check and confirm the sanity of the primary one. Think SMS.
It's not totally impossible to take over the additional channel as well, but it's difficult and expensive enough to render the whole thing totally not worth the effort. Of course it still relies on user awareness, but at least now there's something one can be pretty sure is an accurate piece of information.
So, before typing out a money transfer confirmation code from an SMS received from your bank, please check if the account number in the SMS really matches the one you wanted your money to be sent to. You'll make scammers' lives harder and your money will be a wee bit more safe.
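The check described above, as an added example that is not part of the original post: a toy model in which the bank's SMS repeats the destination account exactly as the bank received it, so a destination altered on the client shows up on the second channel. The `Bank` class, the function names and the account identifiers are all hypothetical.

```python
import hmac
import secrets

class Bank:
    """Toy bank back end (hypothetical): one SMS code per pending transfer."""

    def __init__(self):
        self.pending = {}  # txn_id -> (account, amount_cents, code)

    def request_transfer(self, account, amount_cents):
        # The bank only sees what the browser submitted, which malware on
        # the client may already have altered.
        txn_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[txn_id] = (account, amount_cents, code)
        # The SMS repeats the details as received, over the second channel.
        sms = {"account": account, "amount_cents": amount_cents, "code": code}
        return txn_id, sms

    def confirm(self, txn_id, code):
        # pop() makes every code single-use, even after a wrong guess.
        entry = self.pending.pop(txn_id, None)
        if entry is None or code is None:
            return None
        account, _amount_cents, expected = entry
        if hmac.compare_digest(code, expected):
            return account  # money goes to the account named in the SMS
        return None

def user_reads_sms(sms, intended_account):
    """The check from the text: release the code only if the account matches."""
    return sms["code"] if sms["account"] == intended_account else None

def transfer(bank, intended_account, submitted_account, amount_cents=12500):
    """Returns the account that was paid, or None if the transfer was stopped."""
    txn_id, sms = bank.request_transfer(submitted_account, amount_cents)
    return bank.confirm(txn_id, user_reads_sms(sms, intended_account))

# Constructed sample account identifiers.
INTENDED = "ACCT-LANDLORD-0001"
SWAPPED = "ACCT-UNKNOWN-9999"

if __name__ == "__main__":
    bank = Bank()
    print("clean browser:   ", transfer(bank, INTENDED, INTENDED))
    print("tampered browser:", transfer(bank, INTENDED, SWAPPED))
```

If the user types the code without comparing the account, `confirm` pays whatever account the bank received, which is why the comparison is the step that matters.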
People are lazy, that's our nature. So, when constructing security procedures it's pretty well worth it to take this laziness into account and either enforce some rules by technical means or make the secure way the easiest. And frankly, it's better to organise it in the most convenient way, because it can turn out that the designer has seriously underestimated people's imagination and creativity in making life easier.
Example? Imagine there's an inconvenient and difficult procedure for getting a spare key card when you've left yours at home by accident. Say, involving talking to more than two people or filling out some forms. Guess what will happen. My bet is no one will care to follow the procedure and people will end up borrowing cards from each other or, behold, blocking a self-closing door to some sensitive place, say with an extinguisher.
The thing is not about people doing something wrong on purpose and not giving a damn about security. It's all about convenience. There is always a limit to the effort someone is willing to make before trading security for convenience. The trick is to stay as far from this limit as possible when designing security solutions.
Just a quick thought — why exactly do we care about rules? Is it because we are so law-abiding, or maybe it's just about being afraid of the punishment? If you didn't know there's anything like traffic police, how often would you care not to speed?
So, how much do you think users care about the security policy if they have no idea there's someone watching?
Conclusion? Inform your users about the security measures and auditing facilities implemented. It lets people realise they can actually get caught doing something illegal. Which in turn may sometimes make them think twice before trying to do it.
This page contains all entries posted to Michal Sobiegraj | Security Consultant and Evangelist in November 2006. They are listed from oldest to newest.