The Effect of Snake Oil Security
Sep 08, 2010, 19:03
(Other stories by Robert Hansen)
"I've talked about this a few times over the years during
various presentations but I wanted to document it here as well.
It's a concept that I've been wrestling with for 7+ years and I
don't think I've made any headway in convincing anyone, beyond a
few head nods. Bad security isn't just bad because it allows you to
be exploited. It's also a long term cost center. But more
interestingly, even the most worthless security tools can be proven
to "work" if you look at the numbers. Here's how.
"Let's say hypothetically that you have only two banks in the
entire world: banka.com and bankb.com. Let's say a Snakeoil salesman
goes up to banka.com and convinces banka.com to try their product.
Banka.com is thinking that they are seeing increased fraud (as is
the whole industry), and they're willing to try anything for a few
months. Worst case they can always get rid of it if it doesn't do
anything. So they implement Snakeoil into their site. The bad guy
takes one look at the Snakeoil and shrugs. Is it worth bothering to
figure out how banka.com security works and potentially having to
modify their code? Nah, why not just focus on bankb.com, double up
the fraud, and continue doing the exact same thing they were doing