funsec mailing list archives
Re: security theater is useful, stop abusing it [was: PCI]
From: Imri Goldberg <lorgandon () gmail com>
Date: Tue, 24 Mar 2009 19:03:04 +0200
On Tue, Mar 24, 2009 at 5:23 PM, Benjamin April <ben_april () trendmicro com> wrote:
A layer of security is nothing more than a time-delay device. Some layers provide more delay than others. Very often the so-called "security theatre" provides a delay equal to the time spent studying it for weaknesses. Security theatre and security by obscurity suffer from the same weakness in that once the attacker knows what is going on behind the curtain the benefit is negated. Either is a valid layer of security IMHO, however it must be accepted that once breached all value is lost.
Let's consider a terror attack. While this may be true for the planner, the man actually carrying out the attack might not see things as clearly. While being under the stress of the attack, he might not have the clarity of mind to go through a check without looking very nervous and alerting the guard. Furthermore, if you accept that some security checks depend on the thoroughness of the guard, then when an attacker decides to face the guard, he is taking the chance that the guard will not be thorough. Under these circumstances, he might decide to attack a different place, with less chance of being stopped, even if it means fewer casualties. If you accept that, then you agree that even if the attacker knows about the security theater, it still prevents him from implementing his original attack.

--
Imri Goldberg
--------------------------------------
www.algorithm.co.il/blogs/
--------------------------------------
-- insert signature here ----
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.