Security jujitsu, or, How to improve your odds despite your users
A friend and I were talking the other day about how people are by and large not just oblivious to, but downright hostile about, the simplest security practices -- in fact, the simpler the request, the greater the level of grumbling. What to do, besides don a bandolier of tasers and a t-shirt that says "GO AHEAD, ASK ME AGAIN WHY YOU CAN'T MAKE YOUR PASSWORD THE SAME AS YOUR USERNAME?"
To cheer me up (yes, I have been troubleshooting a family member's computer; how did you guess?), my friend told me about a corporate-cultural tradition at a firm at which he recently consulted. The rules around that office require that anyone leaving their desk log out of the system. And if they don't? Their machine is fair game for co-workers, who by tradition go into the culprit's e-mail and send out a "cc:all" message announcing that they're going out for tacos, and would anybody else like some?
Naturally my friend followed this up with a story about punking another consultant who tried something similar on his machine, because security guys are by and large the most industrious and creative SOBs around when it comes to undermining security policies. (Someday I'm going to get me a federal grant and do a study of the correlation between C-level titles and at-work Web surfing of the kind that makes HR folk fibrillate. I will bet you a quarter that the highest levels of surfing for midget porn, questionable downloads, and /b/ are done from the CSO's office.)
But I was well and truly cheered, because it's yet another example of what I call security jujitsu: using users' own habits, self-interests, and misbehaviors to improve security. I collect examples, and I often wonder how the practice can be extended -- with or without tacos.
Security jujitsu, like the physical-conflict kind, requires a close study of the opponent as well as a keen and focused understanding of what one wishes to accomplish, not to mention the skills to make it all look easy, even inevitable. The classic example is the sign next to the cash register at the nearest fast food restaurant telling you that if the cashier doesn't give you your receipt, your food is free. There are variations in different kinds of retail outlets, but the philosophy is the same: If the customer's assertive about getting that receipt, it makes it harder for employees to undertake certain kinds of cash-register-related petty theft. The customer, by pursuing her own self-interest (mm, free stuff), advances the security agenda.
There are bigger and more extraordinary examples too, as well as plenty of instances where the self-interest of the third party isn't as clear (e.g., the bystander who videotaped the Rodney King beatdown). And there are examples where dimwitted ideas about security look like Mr. Bean attempting jujitsu -- for example, rules that ban ordinary folk from shooting video of their kids in public because the footage might include images of other people's kids, which allegedly makes children safer but actually is simply stupid paranoia at best and a tactic for eliminating extra (friendly) eyes on public spaces at worst. (I'm not kidding; this is what they do in Britain now that they've got -- irony alert -- millions of closed-circuit video cameras being monitored by god-knows-who, god-knows-why.)
But the taco thing just makes me happy -- it involves a prank, which is something people like to do; it's low-tech and low-training social engineering; it's memorable and funny. And when the boss swings by to lecture the person who didn't log out about following good security practices -- hey, tacos!
And then there's this: Speaking of Britain's nearly ubiquitous security cameras, there's a great discussion happening about the number of cameras actually installed and in use there. David Murakami Wood, the managing editor of Surveillance and Society, set it off in March and the sixth part -- a long, thoughtful piece -- went online just today. You can catch up on the second, third, fourth and fifth posts as well. Very highly recommended, and not just for our UK-based friends.