Wednesday, October 14, 2009's wall of shame was dead-on...

... and you should all be ashamed of yourselves for being caught on it.

for those missing the background, last week's sector security conference had this thing called the wall of shame. it was information gathered by sniffing the network. a lot of people thought it was gathered by sniffing the wireless network but it was actually gathered by sniffing the wired network. they got all in a huff because they thought by using the secure wireless option they'd actually be secure.

are you face palming yet? yeah, securing your wireless connection to a network doesn't secure your use of that network. this is a network none of those people controlled - it's about as secure as a public access terminal in a cybercafe and still they thought it was safe? these are security pros no less, at a security conference.

this is pretty unbelievable to me, that security pros can't keep their own shit secure at a security conference. no wonder security appears to be so hard and we have so many breaches - you folks aren't paranoid enough! you absolutely belong on a wall of shame if you thought you could use some strange networking service and just naturally be secure. use an encrypted tunnel to a proxy on a network you control for crying out loud, or better still just don't use the network at all.

i didn't even bring a laptop (or any electronic device except for a cheap mp3 player) and i managed to enjoy the conference without incident. i could say the reason i didn't bring any connected devices was because i've heard of shenanigans like this at security conferences in the past (as should you all have), but the truth is i just like to travel light.

it both scares and saddens me, though, to think that some of my data might actually rest in the hands of some of these people. frankly i think we need a version of the darwin awards for security and you folks on the wall of shame are all contenders. i can't decide, however, whether it should be called the shannon awards or the kerckhoffs awards.

finally, while i realize there are legitimate concerns about the legality of how the wall of shame was implemented, i would also argue that if you think the law is going to solve your network security problems then you might be a security idiot. the law is a deterrent, but as preventative controls go it's not particularly reliable.


Andrew Hay said...

I think you're showing exactly what is wrong with "us security folk" (yourself included). Dave Shackleford said it best:

"Wow, this really is funny. No wonder people hate smug "security people" who preach from their little soapboxes about how everyone should have "known better". Is this the best way to send a message? We want MORE business people at conferences like these, not less, and behavior like this just smacks of immaturity and geeky self-righteousness. All comments re: the law aside, security "professionals" (read - those who are trying to get more integrated into business instead of living in our little Mountain Dew-fueled silos) should be condemning this behavior across the board."

kurt wismer said...

well, with all due respect to yourself and mr. shackleford, that is a rather obvious strawman.

this was not a case of 'everyone should have known better'. this was a case of the elite minority who are supposed to know these things should have known better.

as for whether we want more business people at conferences like sector - no thanks. more people who lack the fundamentals means more dumbing down of the content to the point where it's no longer interesting to the people who do know the fundamentals. let the attendees go back and communicate the relevant bits to the business people and/or let the business folks find a 'security for management' conference out there somewhere.

and finally, on the matter of security "professionals" - i haven't the words to express how much i loathe the notion of making compromises to suit the whims of business. security shouldn't be in the business of making compromises, it should be in the business of stopping them.

Anonymous said...

canada. what'd you expect? ;-)