Security this, security that… Lately, most of the new rules, laws, or software features include somewhere in their description the word “security”.
Trouble is, most of the time, it’s not about security, but rather stability and/or bullying. I have two examples that make me wonder if anyone other than me reads Bruce Schneier’s blog.
A few weeks ago, I was in the United States, and a friend of mine said she wanted a hotdog from Yankee Stadium. You have to know that I must look like a terrorist or something, because I get searched in airports a lot. Besides, with all the TSA rules that get more and more cryptic and obtuse (again, read Crypto-Gram), it was a no-brainer that I would get busted or something.
What do you know? The guys saw the hotdog all wrapped up in my bag, asked me stuff about it, I explained it was for a Yankee fan, etc., etc. They made me unwrap it, I had to beg a little, but they let me get on the plane with it (hey, a hotdog could be a very dangerous weapon). What they didn’t make a fuss about, though, was that I had two boxes of matches (from some NYC club), a Zippo, and a very nice electronic screwdriver about 15 cm long, sharp and slim. When you think about it, even though there’s absolutely no way to stop a determined terrorist, I guess some dangerous items are more obvious than a hotdog. And yes, I know, it was a stupid bet.
The second thing that bugs me about security is the way people sometimes claim to handle security the easy way for my own sake. I have some sensitive data on my computer. I access some sensitive data from my (secure) servers at home through a (secure) VPN. Well, I never found an easy way to enforce the VPN at all times.
On my Mac, whenever I change networks, the VPN disconnects, and I have to reconnect manually. Except that all the services (mail, remote storage, etc.) automagically try to reconnect (sending all my passwords, sometimes in the clear) before I can activate the VPN. It drives me nuts to see my mail downloading on my iPod Touch without the VPN, even though I had it activated just 5 minutes before and it turned off in the meantime. Agreed, I should choose a provider that uses SSL connections for mail, but still.
Unless I get my hands dirty and hack it into believing that there is no route outside of the VPN one (which is hard to do, and tedious to implement), no one seems to think it’s a real issue.
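One way to at least stop the "reconnect before the VPN is back" race is to make every sync job ask the routing table whether the default route really goes through the tunnel, and refuse to run otherwise. The script below is an added example, not the author's own setup: it parses the output of `netstat -rn -f inet` on macOS, decides fail-closed (no default route, or a default route on a non-VPN interface, both count as "VPN down"), and only then runs the sync command. The interface pattern (`utun*`, `ppp*`, `tun*`, `tap*`) and the two sample route tables are assumptions constructed for illustration; adjust the pattern to whatever your VPN client creates.

```python
"""Fail-closed 'is the VPN really up?' guard for macOS, based on the route table.

Added example, not code from the original post. Assumes the VPN client exposes a
utun*/ppp*/tun*/tap* interface and owns the IPv4 default route while connected.
"""
import re
import subprocess

# Assumed naming of tunnel interfaces on macOS (utunN for IKEv2/OpenVPN/WireGuard,
# pppN for older PPTP/L2TP clients). Adjust for your client.
VPN_IFACE_RE = re.compile(r"^(utun|ppp|tun|tap)\d+$")

# Constructed sample: `netstat -rn -f inet` with an OpenVPN tunnel up.
SAMPLE_VPN_UP = """\
Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            10.8.0.5           UGScg            utun2
10.8.0.1/32        10.8.0.5           UGSc             utun2
192.168.1          link#6             UCS                en0      !
192.168.1.1/32     link#6             UCS                en0      !
"""

# Constructed sample: same machine right after a network change; only Wi-Fi remains,
# which is exactly the window in which mail clients reconnect without the VPN.
SAMPLE_VPN_DOWN = """\
Routing tables

Internet:
Destination        Gateway            Flags           Netif Expire
default            192.168.1.1        UGScg              en0
192.168.1          link#6             UCS                en0      !
"""


def default_route_interfaces(netstat_text):
    """Return the Netif of every IPv4 'default' route, in table order.

    The column layout differs between macOS releases (some print Refs/Use
    columns), so the interface is found by shape rather than by fixed index.
    """
    ifaces = []
    in_inet = True  # only the 'Internet:' section; skip 'Internet6:'
    for line in netstat_text.splitlines():
        if line.startswith("Internet6:"):
            in_inet = False
            continue
        if line.startswith("Internet:"):
            in_inet = True
            continue
        fields = line.split()
        if not in_inet or not fields or fields[0] != "default":
            continue
        for field in fields[1:]:
            # Interface names look like 'en0'/'utun2'; gateways ('10.8.0.5',
            # 'link#6') and flag strings ('UGScg') do not match this shape.
            if re.match(r"^[a-z]+\d+$", field):
                ifaces.append(field)
                break
    return ifaces


def vpn_is_enforced(netstat_text, vpn_iface_re=VPN_IFACE_RE):
    """True only if there is at least one default route and all of them use the VPN.

    No default route at all is reported as False on purpose: we want the sync
    to stay blocked rather than trust a stale 'VPN up' answer.
    """
    ifaces = default_route_interfaces(netstat_text)
    return bool(ifaces) and all(vpn_iface_re.match(i) for i in ifaces)


def current_route_table():
    """Live IPv4 route table; only used when no text is supplied (macOS)."""
    return subprocess.run(
        ["netstat", "-rn", "-f", "inet"], capture_output=True, text=True, check=True
    ).stdout


def run_if_vpn_up(command, netstat_text=None):
    """Run `command` (e.g. a mail or file sync) only when the VPN owns the default route.

    Returns the command's exit status, or None when the run was refused.
    """
    text = current_route_table() if netstat_text is None else netstat_text
    if not vpn_is_enforced(text):
        return None
    return subprocess.call(command)


if __name__ == "__main__":
    # Example gate: replace the placeholder command with your real sync job.
    status = run_if_vpn_up(["echo", "syncing over the VPN"])
    print("refused: VPN is not up" if status is None else f"sync exited with {status}")
```

This only closes the race for jobs you launch yourself; a mail client that reconnects on its own still needs the stronger fix the post alludes to, namely firewall rules (pf on macOS) that drop all outbound traffic except on the tunnel interface and to the VPN server itself.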
People, security is not about show. Security is not just to reassure everybody and to pretend everything’s under control. Agreed, security sometimes is a heavy process and sometimes gives you more hassle than you really want to handle. But if security is what you mean, you have to think this through before you implement it.