funsec mailing list archives
security theater is useful, stop abusing it [was: PCI]
From: Gadi Evron <ge () linuxbox org>
Date: Tue, 24 Mar 2009 14:46:44 +0100
Jon Kibler wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Anton Chuvakin wrote:same answer: "I don't participate in security theater." I think thisFirst, I am amazed how people so intelligent can hold opinions so shortsighted :-)I unquestionably stand by my assertion that PCI DSS is pure security theater at its worst. Perhaps you do not understand the concept of "security theater"?
Security theater does in fact have uses. Secrecy can be a strong line of defense and psychological barriers are in fact barriers, as we are dealing with human beings. So, security by obscurity is an extremely useful tool, the problem is when it is the only one, it then becomes a single, lonely, point of failure, and potentially a waste of resources (TSA). Naming misuse of Security by Obscurity "Security Theater" gives it negative connotations. It already had enough on its own. I'd be interested in how people implement it successfully, as obviously the way the industry just disses on it, is raising a generation of security professionals who don't understand secrecy or how human nature is manipulated positively, rather than just negatively. I don't see anyone here dissing on the underline concept of egress filtering just because most frak it up. Think for yourselves, people. Semi related, Imri and I wrote an article on how security theater can work, and how it in fact helps stop terrorist bombing in Israel. You can find it here: http://www.csoonline.com/article/468569/Sometimes_Security_Theater_Really_Works (URL may break, so: http://tinyurl.com/5u2qmq) Gadi. _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Re: The PCI sky *isn't* falling!, (continued)
- Re: The PCI sky *isn't* falling! Anton Chuvakin (Mar 23)
- Re: The PCI sky *isn't* falling! Amrit Williams (Mar 23)
- Re: The PCI sky *isn't* falling! Paul Ferguson (Mar 23)
- Re: The PCI sky *isn't* falling! security curmudgeon (Mar 23)
- Re: The PCI sky *isn't* falling! Drsolly (Mar 24)
- Re: The PCI sky *isn't* falling! Anton Chuvakin (Mar 24)
- Re: The PCI sky *isn't* falling! Justin D. Scott (Mar 23)
- Re: The PCI sky *isn't* falling! Drsolly (Mar 24)
- Re: The PCI sky *isn't* falling! Justin Scott (Mar 24)
- Re: The PCI sky *isn't* falling! Jon Kibler (Mar 24)
- security theater is useful, stop abusing it [was: PCI] Gadi Evron (Mar 24)
- Re: security theater is useful, stop abusing it [was: PCI] Benjamin April (Mar 24)
- Re: security theater is useful, stop abusing it [was: PCI] Imri Goldberg (Mar 24)
- Re: security theater is useful, stop abusing it [was: PCI] nick hatch (Mar 24)
- Re: The PCI sky *isn't* falling! David Harley (Mar 24)
- Re: The PCI sky *isn't* falling! Jon Kibler (Mar 24)
- why is certification useful anyway? [was: PCI] Gadi Evron (Mar 24)
- Re: The PCI sky *isn't* falling! Rob, grandpa of Ryan, Trevor, Devon & Hannah (Mar 23)