Proving Voltaire Right: Security Blunders Dumber Than Dog Snot

Talk given by Roger G. Johnston, Vulnerability Assessment Team, Argonne National Laboratory.

Voltaire famously said (sort of) that the main problem with common sense is that it is not all that common. Security is certainly a case in point. As vulnerability assessors, we repeatedly encounter security devices, systems, and programs with little or no security (or security thought) built in. We witness well-designed security products used stupidly, ill-conceived security rules that make security worse, organizations with security cultures beyond pathological, and security programs heavily mired in Security Theater, groupthink, bureaucracy, and wishful thinking.

This talk gives examples of common design blunders, easy-to-exploit vulnerabilities, poor usage, and sloppy thinking associated with various electronic devices involving physical security, including locks, tags, tamper-indicating seals, GPS, RFIDs, biometrics and other access control devices, and electronic voting machines. Common blunders in how organizations think about security and how they deal with the Insider Threat, IT vulnerabilities, and vulnerability assessments will also be discussed.

I'll conclude by proposing some reasons why common sense and security are so often alien to each other and suggest possible countermeasures—some of which involve examining what cyber security and physical security could learn from each other.

Talk given at the 19th USENIX Security Symposium (USENIX Security '10).

Category:

Science & Technology

Tags:

• security
• physical security
• locks
• tags
• tamper-indicating seals
• GPS
• RFIDs
• biometrics
• access control devices
• electronic voting machines

License:

Standard YouTube License