At a recent trip to an office building, in the restroom there was, up in the corner, a battery-powered  air freshener that automatically sprays potpourri scent every half hour. It is a white box about the size of 2 stacked VHS tapes (remember those?) mounted up in the corner against crimson tile.  And it had, to my amazement, a brass lock to keep the lid securely closed.

The lock was a simple, inexpensive brass lock anyone can buy at Home Depot for a few bucks, screwed into the plastic side with standard gold-colored  screws. So, I was wondering...why was it locked? I don't know the history, nor do I deal with air fresheners often. I myself cannot think of a good reason for doing this. So I wanted to do some deconstruction of the impetus behind what I find to be a somewhat irrational act.

To set the stage, this bathroom is not located in a secure facility. It is a nondescript typical corporate office building in the suburbs. Therefore, the logic used for locking the device, as far as I can see, falls into one of two categories (or both):

• Security: so no one can steal the air freshener can or batteries
• Public safety: so no one can install a can of aerosol anthrax

And the lock down was probably facilitated by either:

• An overzealous organizational security policy
• An overzealous security officer
• An overzealous custodial engineer

But again, perhaps this is a wise practice, to lock down air fresheners in corporate restrooms, and it's me who is being naive. I would hate to be the one who has to answer why I didn't lock down the air freshener after such an attack (or theft) occurred. If I do start to see this more, I may chalk it up to a weak economy, where people steal air freshener parts similarly to how thieves steal copper pipe and wire from homes in economically-depressed areas. But for now, I tend to see this as an irrational act of security, the result of watching too much local news and crime dramas.

Also, some concerns:

• If someone who steals air freshener components is being allowed into the building, why and how?  What else is at risk?
• The lock is cheap and easily compromised
• Has equal attention been made to other possible vectors of whatever attack the lock was intended to prevent?

I guess the point is, if you're going to implement a security measure, make sure it is in response to a definitive requirement, that it is effective, and that you don't let it eclipse other threats and vulnerabilities that also need to be mitigated.




More...