|
|
12-09-2008
Registered User
26,240,
27
Fools at the Gate
I recently pulled up to the entrance of a gated community, and an SUV was parked there. Not at the keypad pedestal, where you can usually find someone on a cell phone asking for the code from someone inside the enclave. Instead, this SUV was parked right in front of the gate, front bumper almost touching the iron spires. No one would be allowed to pass through this gate unless he went first. And he didn't have the code. He came out of his truck with a cell phone at his ear, and shrugged with a “what can I do?” look. "Get out of the way," I tried to gesture. He wouldn't budge.
I knew the code. But I wasn't going to cave in to what I was seeing as a pressure tactic. Instead I got out my own cell phone to dial 911. Meanwhile, another car pulled up behind me, stopped, and the driver got out.
“Forget the code?” he asked me as he went up to the keypad. “You're going to give him access?” I answered. He typed in the code.
“You're gave him access!” I said a little louder. The gate opened and the SUV went on through.
So who was let through the gate? Good question. Why is there even a gate? That's a better question. I posit that having a gate may actually be introducing more risk than having no gate at all. In Bruce Schneier's books such as Secrets & Lies, he preaches continually that the biggest weakness in security is often in its implementation. You can have the best encryption in the world, but if there's a way to get around it, what's the point? The same goes for the gate. Sure, it'll withstand a truck slamming into it at 30 miles per hour, but if you have residents gladly opening the gate for anyone (without authentication) then why have the gate at all? Save some money. With the gate, the community residents feel safer, and may be more likely to leave garage doors open, cars in their driveway unlocked, windows open, etc. They believe the gate will always keep the bad guys out. But it is a false sense of security.
Instead, if they didn't have a gate, the onus of good security would be theirs alone. Some recommendations:
Don't give residents an excuse to become passive, in other words. There's plenty of analogies to be made for over-reliance on PC security vendor products, by the way.
People want the easy path. Vendors know this, and make plenty of money by selling “solutions” that appeal to this human trait. But the best way to ensure good security is to practice it, understand that it is each individual's responsibility, and accept that there can be no single solution.
More...
I knew the code. But I wasn't going to cave in to what I was seeing as a pressure tactic. Instead I got out my own cell phone to dial 911. Meanwhile, another car pulled up behind me, stopped, and the driver got out.
“Forget the code?” he asked me as he went up to the keypad. “You're going to give him access?” I answered. He typed in the code.
“You're gave him access!” I said a little louder. The gate opened and the SUV went on through.
So who was let through the gate? Good question. Why is there even a gate? That's a better question. I posit that having a gate may actually be introducing more risk than having no gate at all. In Bruce Schneier's books such as Secrets & Lies, he preaches continually that the biggest weakness in security is often in its implementation. You can have the best encryption in the world, but if there's a way to get around it, what's the point? The same goes for the gate. Sure, it'll withstand a truck slamming into it at 30 miles per hour, but if you have residents gladly opening the gate for anyone (without authentication) then why have the gate at all? Save some money. With the gate, the community residents feel safer, and may be more likely to leave garage doors open, cars in their driveway unlocked, windows open, etc. They believe the gate will always keep the bad guys out. But it is a false sense of security.
Instead, if they didn't have a gate, the onus of good security would be theirs alone. Some recommendations:
- Get rid of the gate
- Have home owner association meetings to discuss neighborhood security, and invite local police
- Start a neighborhood watch and post signs
- Put a camera at the entrances
- Ask local police to occasionally drive through the neighborhood
People want the easy path. Vendors know this, and make plenty of money by selling “solutions” that appeal to this human trait. But the best way to ensure good security is to practice it, understand that it is each individual's responsibility, and accept that there can be no single solution.
More...