Linux Today: Linux News On Internet Time.

More on LinuxToday

The Effect of Snake Oil Security

Sep 08, 2010, 19:03 (0 Talkback[s])
(Other stories by Robert Hansen)

"I've talked about this a few times over the years during various presentations but I wanted to document it here as well. It's a concept that I've been wrestling with for 7+ years and I don't think I've made any headway in convincing anyone, beyond a few head nods. Bad security isn't just bad because it allows you to be exploited. It's also a long term cost center. But more interestingly, even the most worthless security tools can be proven to "work" if you look at the numbers. Here's how.

"Let's say hypothetically that you have only two banks in the entire world: banka.com and bankb.com. Let's say Snakoil salesman goes up to banka.com and convinces banka.com to try their product. Banka.com is thinking that they are seeing increased fraud (as is the whole industry), and they're willing to try anything for a few months. Worst case they can always get rid of it if it doesn't do anything. So they implement Snakeoil into their site. The bad guy takes one look at the Snakeoil and shrugs. Is it worth bothering to figure out how banka.com security works and potentially having to modify their code? Nah, why not just focus on bankb.com double up the fraud, and continue doing the exact same thing they were doing before?"

Complete Story

Related Stories: