security theater is useful, stop abusing it [was: PCI]

[Gadi Evron <ge () linuxbox org>]

Jon Kibler wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Anton Chuvakin wrote:
> > > same answer: "I don't participate in security theater." I think this
> > First, I am amazed how people so intelligent can hold opinions so
> > shortsighted :-)
>
> I unquestionably stand by my assertion that PCI DSS is pure security
> theater at its worst. Perhaps you do not understand the concept of
> "security theater"?

Security theater does in fact have uses. Secrecy can be a strong line of 
defense and psychological barriers are in fact barriers, as we are 
dealing with human beings. So, security by obscurity is an extremely 
useful tool, the problem is when it is the only one, it then becomes a 
single, lonely, point of failure, and potentially a waste of resources 
(TSA).

Naming misuse of Security by Obscurity "Security Theater" gives it 
negative connotations. It already had enough on its own. I'd be 
interested in how people implement it successfully, as obviously the way 
the industry just disses on it, is raising a generation of security 
professionals who don't understand secrecy or how human nature is 
manipulated positively, rather than just negatively.

I don't see anyone here dissing on the underline concept of egress 
filtering just because most frak it up. Think for yourselves, people.

Semi related, Imri and I wrote an article on how security theater can 
work, and how it in fact helps stop terrorist bombing in Israel. You can 
find it here:
http://www.csoonline.com/article/468569/Sometimes_Security_Theater_Really_Works
(URL may break, so: http://tinyurl.com/5u2qmq)

        Gadi.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.