funsec mailing list archives
Re: security theater is useful, stop abusing it [was: PCI]
From: Benjamin April <ben_april () trendmicro com>
Date: Tue, 24 Mar 2009 11:23:56 -0400
A layer of security is nothing more than a time-delay device. Some layers provide more delay than others. Very often the so-called "security theatre" provides a delay equal to the time spent studying it for weaknesses. Security theatre and security by obscurity suffer from the same weakness in that once the attacker knows what is going on behind the curtain the benefit is negated. Either is a valid layer of security IMHO; however, it must be accepted that once breached all value is lost.

I'll be the first to admit that every time I go through a TSA checkpoint and surrender my bottle of water I keep waiting for the lights to come up and the TSA staff to join hands and start singing and dancing. Thankfully it has not happened yet. I can smell a production number from a mile away, and all these folks need is a band.

Anyone who doubts the validity of security by obscurity as a valid layer need look no further than Conficker. Can anyone doing analysis there tell me SBO is not an effective tool? Yes, its effectiveness will run out, but at the moment it is kicking our collective asses.

FTR: I spent about 15 years as a theatrical stage-hand; somehow the "theatre" spelling stuck with me.

Thanks
Ben

Gadi Evron wrote:
> Jon Kibler wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Anton Chuvakin wrote:
>>> same answer: "I don't participate in security theater." I think this
>>
>> First, I am amazed how people so intelligent can hold opinions so shortsighted :-)
>>
>> I unquestionably stand by my assertion that PCI DSS is pure security theater at its worst. Perhaps you do not understand the concept of "security theater"?
>
> Security theater does in fact have uses. Secrecy can be a strong line of defense, and psychological barriers are in fact barriers, as we are dealing with human beings.
>
> So, security by obscurity is an extremely useful tool; the problem is when it is the only one. It then becomes a single, lonely point of failure, and potentially a waste of resources (TSA).
>
> Naming misuse of security by obscurity "security theater" gives it negative connotations. It already had enough on its own.
>
> I'd be interested in how people implement it successfully, as obviously the way the industry just disses on it is raising a generation of security professionals who don't understand secrecy or how human nature is manipulated positively, rather than just negatively.
>
> I don't see anyone here dissing on the underlying concept of egress filtering just because most frak it up.
>
> Think for yourselves, people.
>
> Semi-related: Imri and I wrote an article on how security theater can work, and how it in fact helps stop terrorist bombings in Israel. You can find it here:
> http://www.csoonline.com/article/468569/Sometimes_Security_Theater_Really_Works
> (URL may break, so: http://tinyurl.com/5u2qmq)
>
> Gadi.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
Current thread:
- Re: The PCI sky *isn't* falling!, (continued)
- Re: The PCI sky *isn't* falling! Amrit Williams (Mar 23)
- Re: The PCI sky *isn't* falling! Paul Ferguson (Mar 23)
- Re: The PCI sky *isn't* falling! security curmudgeon (Mar 23)
- Re: The PCI sky *isn't* falling! Drsolly (Mar 24)
- Re: The PCI sky *isn't* falling! Anton Chuvakin (Mar 24)
- Re: The PCI sky *isn't* falling! Justin D. Scott (Mar 23)
- Re: The PCI sky *isn't* falling! Drsolly (Mar 24)
- Re: The PCI sky *isn't* falling! Justin Scott (Mar 24)
- Re: The PCI sky *isn't* falling! Jon Kibler (Mar 24)
- security theater is useful, stop abusing it [was: PCI] Gadi Evron (Mar 24)
- Re: security theater is useful, stop abusing it [was: PCI] Benjamin April (Mar 24)
- Re: security theater is useful, stop abusing it [was: PCI] Imri Goldberg (Mar 24)
- Re: security theater is useful, stop abusing it [was: PCI] nick hatch (Mar 24)
- Re: The PCI sky *isn't* falling! David Harley (Mar 24)
- Re: The PCI sky *isn't* falling! Jon Kibler (Mar 24)
- why is certification useful anyway? [was: PCI] Gadi Evron (Mar 24)
- Re: The PCI sky *isn't* falling! Rob, grandpa of Ryan, Trevor, Devon & Hannah (Mar 23)