Sunday, May 4, 2014

Security theater is neither secure, nor entertaining

Bruce Schneier is known for coining the term "security theater" to describe security procedures that "look" like something is being done, when in fact, no actual security is provided.

On a recent trip with my family, we saw this yet again with the TSA agents at the airport.  My wife, son and I all have Nexus IDs issued by the border patrol.  To get such an ID, we had to pass a security background check, had our fingerprints taken, and they did an iris scan (biometrics of the eyes).  The TSA now offers a "TSA Precheck" program for travelers who have such IDs to expedite travel through the security lane at participating airports and airlines.

This program is pretty nice, making air travel nearly as easy as before the 9/11 changes that have done little to improve actual security.  (It's recognized that securing the cockpit doors and general passenger awareness have been the true security improvements despite the billions spent on other things.)  We no longer have to remove our laptops or take off our shoes, and we generally only have to pass through a metal detector.  It is a breeze.

What I didn't realize is that the nonsense about "3 ounce fluid" limits is still in place.  We bought two jars of blueberry preserves from Andersen's in Buellton, California, one for ourselves, and one as a gift.  Since Alaska Airlines charges $25 per checked bag, we skipped this convenience that was once the norm and is still practiced by a few better run airlines.  The TSA agent gave us the option to return to the counter and check our bags, but it wasn't worth $25 to bring two jars of blueberry preserves home in one bag while the other two bags would still have to be carried on lest we pay $75 for them all.

Who even thought preserves were a fluid?  We thought they were fruit.

The TSA confiscated the jars and, knowing that they could very well be a blueberry bomb, tossed them into a plastic bin right behind them.  They are so concerned about the safety of the airplane that they make no effort to secure confiscated items where they work all day and thousands of passengers pass by, proving that there is no actual security concern.  I mean, they even offered that I could check my bags as if a blueberry bomb is secure in the cargo hold, but not in the cabin.

Was the TSA really concerned about blueberry preserves carried by a family, all with their sophisticated IDs, returning from a weeklong trip to a robotics competition, a visit to our 80-year-old aunt and uncle, and then a visit to friends we've had since the mid-1980s when we worked together at a bank?  Did they make any attempt to think about anything?  Ask us any probing questions about where we got them, like Customs would do for international travelers?  The answer to all is "no."

That's security theater.

Ironically enough, while waiting at the gate, Alaska Airlines offered to check our bags for free and give us priority boarding to do so.  All of the passengers that simply paid $25 to check their bag paid too much and never received preferential boarding.  We saved $75 and boarded early.  How's that for a nonsensical policy?

There are other examples of poor security in the name of usability, including "link/URL shortening," those links that Twitter, Google, Facebook, LinkedIn and others send out that essentially hide the true nature of a link behind a name like "".  This makes it much easier for spammers and virus writers to distribute their payloads because you cannot determine the validity of the web site you will be visiting.  This is a "convenience" that only increases the likelihood that more victims will suffer.

Before link shortening, Microsoft did something similar with Windows when it decided to hide file suffixes.  We all learned early on that files that end in .EXE, .COM and .BAT could be run on your PC, and we later learned that .PIF, .ZIP and .PDF were also often dangerous and could be used to carry malicious content.  Then Microsoft decided that helpful information like this was "too long" and started to hide them by default.  So now files like Resume.doc.exe were shown to users as Resume.doc, making a malicious executable appear to be a Word document.  Not showing a few characters may have seemed a good idea, but there are untold numbers of users who suffered because of this security mistake.
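The hidden-suffix problem described above can be checked mechanically, for example by a mail gateway or an upload handler that sees the real file name. The following Go program is an added example, not code from the original post or from Yozons: it reproduces what a user sees when the final extension is hidden and classifies the real name as a plain document, a plain executable, or an executable disguised with a document-like inner extension. The extension lists are assumptions for illustration, not an exhaustive catalogue.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Extensions Windows will run as a program when the file is opened.
// Assumed list for the example; a real filter would be broader.
var executableExts = map[string]bool{
	".exe": true, ".com": true, ".bat": true, ".cmd": true,
	".scr": true, ".pif": true, ".vbs": true, ".js": true,
}

// Extensions that look like harmless documents or pictures to a user.
// Assumed list for the example.
var documentExts = map[string]bool{
	".doc": true, ".docx": true, ".pdf": true, ".txt": true, ".jpg": true,
}

// DisplayedName returns what realName looks like when "hide extensions
// for known file types" is on: the final extension is dropped, so
// Resume.doc.exe is shown as Resume.doc.
func DisplayedName(realName string) string {
	return strings.TrimSuffix(realName, path.Ext(realName))
}

// Classify reports how realName should be treated:
//   "document"             - not executable
//   "executable"           - runs as a program, shown with a bare name
//   "disguised executable" - runs as a program but the name the user sees
//                            ends in a document-like extension
func Classify(realName string) string {
	realExt := strings.ToLower(path.Ext(realName))
	if !executableExts[realExt] {
		return "document"
	}
	shownExt := strings.ToLower(path.Ext(DisplayedName(realName)))
	if documentExts[shownExt] {
		return "disguised executable"
	}
	return "executable"
}

func main() {
	// Constructed sample attachment names for the demonstration.
	for _, name := range []string{"Resume.doc.exe", "Resume.doc", "setup.EXE", "photo.jpg.scr"} {
		fmt.Printf("%-16s shown as %-12s -> %s\n", name, DisplayedName(name), Classify(name))
	}
}
```

The check keys off the real name, which the operating system and the gateway always have; only the display layer throws the last extension away. The case folding matters because Windows treats `.EXE` and `.exe` alike.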

We see this also in mobile browsers, both on phones and tablets, where the browser hides the details about links in the location field and just shows the domain name.  Once again, this user interface convenience just allows for hiding details that are useful to those who are security conscious and show some interest in the data being sent in link parameters.

The Firefox browser has taken to showing a warning icon next to secure web sites using HTTPS if they only secure the domain name rather than the company that owns the domain name.  This makes perfectly secure web sites appear to be less than secure, adding no real benefit except to vendors who sell more expensive web site SSL certificates.  The problem is that many web sites are service providers, so trust shouldn't just be placed in the vendor operating the web site, but in the customer who is using that service to send you information, take your order, etc.  If you are buying from Vendor A, but they use Provider B's web service, you will see Provider B's domain name and "verified" certificate status, but there's no reason to place trust in Vendor A just because you may trust Provider B, who has been vetted only slightly more.

Sadly, this lack of security understanding extends to many well established e-signature/web-contracting vendors.  It seems that many such vendors, despite their fancy web sites and millions of investor dollars, do not even take the basic security precaution of encrypting your documents and data when stored on their systems.  They proudly proclaim they use 2048-bit encryption, but this is only for the short HTTPS transfer of data over the Internet.  Once stored for a much longer time in their system or database, your data is entirely exposed to system administrators and potentially to hackers who constantly find ways to steal such data through other sloppy coding.  This happens repeatedly, yet such "well known" vendors often do not take the simple precaution of securing your data for you and helping you comply with laws and regulations surrounding securing financial and personal information.

We have also discovered that quite a few e-signature vendors don't even apply digital signatures when you sign.  This seems most unusual since digital signatures are the tech standard for this purpose and long pre-date the vendors who are offering e-signature services.

Trust is misplaced when you realize that your e-signature vendor neither secures your data nor digitally signs the documents when you apply your electronic signature.  Such sloppy security practices only serve to save them a few dollars while putting their entire customer base at risk.

Security theater is neither secure, nor entertaining.

Yozons has the right solution for your enterprise as we understand security, keeping your data secure at all times and applying a digital signature at every step of your online process.


  1. If your e-sign vendor/tech doesn't encrypt your data when stored on disk, you do not comply with privacy and financial laws and regulations. Plus it's just bad business to leave your customers' data unsecured. Just ask the Target CEO who was fired after hackers stole tens of millions of credit card records.

  2. If your e-sign vendor/tech doesn't apply a digital signature when someone signs, your process most likely will not comply with the U.S. E-Sign Act. The law requires that there be a reliable record of what was agreed to, and that's what digital signatures provide. Simple hashes or storing values in a DB are insufficient as they can simply be updated at any time and the update cannot be proved one way or another.
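The point in item 2, that a stored hash can be silently updated while a digital signature cannot, is easy to show in code. The Go program below is an added example written for this page; it is not Yozons code and does not describe any particular vendor's system. It models a signed-document row with both a SHA-256 hash and an Ed25519 signature, tampers with the document the way someone with database write access could, and shows that the hash check passes again after the attacker recomputes it while signature verification fails. The record layout, the document text and the key handling are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Record is a constructed model of what an e-sign system might store.
type Record struct {
	Document string
	Hash     string // SHA-256 of Document; anyone with DB access can recompute it
	Sig      []byte // Ed25519 signature over Document; needs the private key
}

// HashOf returns the hex SHA-256 digest of doc.
func HashOf(doc string) string {
	sum := sha256.Sum256([]byte(doc))
	return hex.EncodeToString(sum[:])
}

// NewSigner generates a fresh Ed25519 key pair. In practice the private
// key would live outside the database (HSM or signer-side), which is the
// whole reason the signature is evidence and the hash is not.
func NewSigner() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Sign builds a record whose hash and signature both match doc.
func Sign(priv ed25519.PrivateKey, doc string) Record {
	return Record{
		Document: doc,
		Hash:     HashOf(doc),
		Sig:      ed25519.Sign(priv, []byte(doc)),
	}
}

// HashConsistent is the weak check: does the stored hash match the document?
func HashConsistent(r Record) bool {
	return HashOf(r.Document) == r.Hash
}

// SignatureValid is the strong check: was this exact document signed by
// the holder of the private key matching pub?
func SignatureValid(pub ed25519.PublicKey, r Record) bool {
	return ed25519.Verify(pub, []byte(r.Document), r.Sig)
}

// TamperHashOnly models an insider or intruder with write access to the
// row: the document is changed and the hash column is simply recomputed,
// so the row looks self-consistent again. The signature cannot be
// recomputed without the private key, so it is left as it was.
func TamperHashOnly(r Record, newDoc string) Record {
	r.Document = newDoc
	r.Hash = HashOf(newDoc)
	return r
}

func main() {
	pub, priv := NewSigner()
	// Constructed sample agreement text.
	original := Sign(priv, "Buyer agrees to pay $100 on delivery.")
	altered := TamperHashOnly(original, "Buyer agrees to pay $1000 on delivery.")

	fmt.Printf("original: hash ok=%v signature ok=%v\n",
		HashConsistent(original), SignatureValid(pub, original))
	fmt.Printf("altered:  hash ok=%v signature ok=%v\n",
		HashConsistent(altered), SignatureValid(pub, altered))
}
```

The hash column tells you only that the row agrees with itself, which is exactly what an attacker who rewrote the row would arrange. The signature binds the document to a key that the database does not hold, so the altered row fails verification and the original row still passes, which is the "reliable record" the post says the law calls for.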