One of the things we’re not very good at, in general, is assessing risk. We saw how that all played out during the covid farce when people went a bit loopy. To be fair, a large part of the blame for this can be placed on governments, the media and the evil corporate blob. We were
4. Assess cost of 1-3 and preventing/mitigating the event.
Reason being, if the cost of protecting something is greater than its worth, you're doing it wrong.
Example:
You can have your eight-digit code, locked windows, and good security. Then I come along with my coolant spray-can, hammer and chisel, and a hinge-breaker and ignore your locking mechanism. There's not one place I've worked at, schools or other places, that I couldn't jimmie the lock or in other ways gain access in under a minute if prepared - without breaking windows.
Alarms and sensors can be spoofed or disconnected. Yeah, they'll send a car round to check. Maybe reset the alarm.
You think they'll do that the tenth time it goes off in the same night? Nope. They disconnect it and notify the techs, who'll pop around at nineish the next day, at earliest. Unless it's a holiday, then the alarm will be off until next weekday.
Speaking from experience, you need far fewer tries than 10 000. About twenty-thirty will do it, most of the time If:
The keypad has metal keys. Lean in close and breathe on it. Unless it is cleaned every day, fat from the fingertips of anyone entering the code will show up, because your breath will condense differently, giving you 4 numbers (or fewer, if a number occurs more than once in the code).
Your typical locker has an bolt going through the door with a flange fitting into a slot in the side of the locker, right? So, put a 4" metal bar (piece of rebar f.e.) through the lock and twist counter-clockwise; you'll easily turn the entire thing in the door. Takes about 5-10 seconds.
Or, if it's the kind of lockers schools favour for storing students' laptops, just turn the entire thing out from the wall so the back is clear. Most such lockers only have the top and side plates folded over the back plate to keep it in place - unfolding you can do with a metal butter knife, or a proper tool. Then peel the back off.
Sorry, I may have missed your actual point, getting locked in on the wrong stuff maybe, but there's a point to it: the tech is never better than the brain using it.
I probably should have gone into a bit more on the cost/benefit side of things - but that's definitely the critical part. The idea is to make breaking something more 'expensive' than the benefit in so doing - and also to make implementing those security measures less costly than your projected losses in the event of a break without them. It can be a tricky exercise with all sorts of imponderables factored in. How much is a company's reputation worth, for example?
As you so rightly point out, something like putting an expensive lock on a cardboard door is dumb.
I worked (for a time) in a security 'lab' at the large industrial research institution I was at and we had a small team who evaluated security products. Most of them had great crypto (only one was broken because of poor crypto), but every single product they assessed was broken - almost always by the tech equivalent of using the jimmie approach. I won't mention any names, but even some extremely well-known companies produced insecure products.
Thought of another thing, security-cost related, what a mate of mine pointed out when we were running about in Get-a-grips and rolled-up blue jeans in our youth:
"If they got real expensive locks and cameras and stuff, you can always nick that instead"
It's true too. We used to be a bunch of foulmouthed yobs hanging about around Hötorget (Haymarket) Subway station in Stockholm back then, and to sort us out the council ordered camera surveillance to the tune of cameras at 10 000:- apiece (about £ 850 in 198- money), all included.
Whereupon the cameras were promptly nicked within a week.
So they bought new ones, mounted inside plexi-glass boxes.
Which were sprayed over within a week.
So they resorted to placing fake cameras all over the area instead.
Which were left alone. Us roustabouts were happy, since we could get up to no good without getting filmed, the council was happy because it looked as if they'd sorted out a problem, travellers felt safer since there was cameras about.
What they should have done is, brought in some knuckledragging security guards to pester us until we moved somewhere else - but that was deemed too expensive.
Makes me wonder about that wonderful term "intelligence", it does.
After 25 years in mission critical military software engineering I needed a change. After a chat with The Boss, I took on a new role aimed at improving our corporate cyber security posture. At the end of that period, our top national domestic security agencies stated that we were worldwide exemplars for cyber security. Far more so than our major banks and government departments, for example.
I was pleased with myself, but along the way had to deal with events such as the employee who, being bored at lunchtime used his best efforts to covertly install a computer game he'd downloaded off the net onto our internal network. This game contained Chinese malware of course, and set off alarms like atom bombs at our network perimeter as soon as it tried to connect to the mothership. He left our employment shortly thereafter.
Then there was the time I had to provide a security lecture to the CEO of one of our smaller suppliers. They had Nigerian malware on their internal network, which intercepted an invoice being prepared. The bad guys changed the payee details to their own bank account, and payment of nearly $100K went to them instead of to the supplier. The content of the lecture was "This is why you didn't get paid. Tough shit. Be more careful in future".
I could go on and on for hours...NorK spooks approaching our staff (and me!!) under the guise of being Brits looking for work etc...
Most civilians have no idea what a fantastically dangerous place the internet is.
My brother used to work as a "IT-kuli" as he called it, troubleshooting and fixing problems for companies after employees inevitably effed things up (which included a surprising number of IT-companies).
9 out of 10, the problem was human factor-related. Anything from stupidity to laziness to ignorance to cheapness, or a nice mix of all of them.
It's amazing how many people seem to believe in the myth of 'perfect' security.
It encompasses everything from the fancy crypto tech to the processes by which the company operates, to physical security. You can't just look at one bit and say "yup, that's secure - so we're good to go"
Thankfully, I got a lot more cognizant about risk by figuring out all the BS around MPT, modern portfolio theory, and its flawed definition of risk as 1 year volatility, on top of this being on the basis of totally unrealistic assumptions, like unlimited borrowing at the risk free interest rate.
I did wonder a lot why Brits, who are deemed to be passionate and knowledgeable about betting, were so bad at risk assessment and management during Covid.
On elections in the UK, I recently noted that they are not anonymous at all.
My postal voting ballot papers were numbered and the number was linked to my personal details with the council.
The electoral officer defended that and listed all the safeguarding procedures but the fact is: they can trace you to your ballot paper.
And he stated that the ballot papers are also numbered and linked when you vote in person.
In Germany, ballot papers are never numbered and the postal voting is still as secure as it can be.
And I am pretty sure that in Eastern Europe noone would put up with this, as they experienced where it leads to.
I'm going to be boring:
4. Assess cost of 1-3 and preventing/mitigating the event.
Reason being, if the cost of protecting something is greater than its worth, you're doing it wrong.
Example:
You can have your eight-digit code, locked windows, and good security. Then I come along with my coolant spray-can, hammer and chisel, and a hinge-breaker and ignore your locking mechanism. There's not one place I've worked at, schools or other places, that I couldn't jimmie the lock or in other ways gain access in under a minute if prepared - without breaking windows.
Alarms and sensors can be spoofed or disconnected. Yeah, they'll send a car round to check. Maybe reset the alarm.
You think they'll do that the tenth time it goes off in the same night? Nope. They disconnect it and notify the techs, who'll pop around at nineish the next day, at earliest. Unless it's a holiday, then the alarm will be off until next weekday.
Speaking from experience, you need far fewer tries than 10 000. About twenty-thirty will do it, most of the time If:
The keypad has metal keys. Lean in close and breathe on it. Unless it is cleaned every day, fat from the fingertips of anyone entering the code will show up, because your breath will condense differently, giving you 4 numbers (or fewer, if a number occurs more than once in the code).
Your typical locker has an bolt going through the door with a flange fitting into a slot in the side of the locker, right? So, put a 4" metal bar (piece of rebar f.e.) through the lock and twist counter-clockwise; you'll easily turn the entire thing in the door. Takes about 5-10 seconds.
Or, if it's the kind of lockers schools favour for storing students' laptops, just turn the entire thing out from the wall so the back is clear. Most such lockers only have the top and side plates folded over the back plate to keep it in place - unfolding you can do with a metal butter knife, or a proper tool. Then peel the back off.
Sorry, I may have missed your actual point, getting locked in on the wrong stuff maybe, but there's a point to it: the tech is never better than the brain using it.
Spot on Rikard.
I probably should have gone into a bit more on the cost/benefit side of things - but that's definitely the critical part. The idea is to make breaking something more 'expensive' than the benefit in so doing - and also to make implementing those security measures less costly than your projected losses in the event of a break without them. It can be a tricky exercise with all sorts of imponderables factored in. How much is a company's reputation worth, for example?
As you so rightly point out, something like putting an expensive lock on a cardboard door is dumb.
I worked (for a time) in a security 'lab' at the large industrial research institution I was at and we had a small team who evaluated security products. Most of them had great crypto (only one was broken because of poor crypto), but every single product they assessed was broken - almost always by the tech equivalent of using the jimmie approach. I won't mention any names, but even some extremely well-known companies produced insecure products.
Thought of another thing, security-cost related, what a mate of mine pointed out when we were running about in Get-a-grips and rolled-up blue jeans in our youth:
"If they got real expensive locks and cameras and stuff, you can always nick that instead"
It's true too. We used to be a bunch of foulmouthed yobs hanging about around Hötorget (Haymarket) Subway station in Stockholm back then, and to sort us out the council ordered camera surveillance to the tune of cameras at 10 000:- apiece (about £ 850 in 198- money), all included.
Whereupon the cameras were promptly nicked within a week.
So they bought new ones, mounted inside plexi-glass boxes.
Which were sprayed over within a week.
So they resorted to placing fake cameras all over the area instead.
Which were left alone. Us roustabouts were happy, since we could get up to no good without getting filmed, the council was happy because it looked as if they'd sorted out a problem, travellers felt safer since there was cameras about.
What they should have done is, brought in some knuckledragging security guards to pester us until we moved somewhere else - but that was deemed too expensive.
Makes me wonder about that wonderful term "intelligence", it does.
After 25 years in mission critical military software engineering I needed a change. After a chat with The Boss, I took on a new role aimed at improving our corporate cyber security posture. At the end of that period, our top national domestic security agencies stated that we were worldwide exemplars for cyber security. Far more so than our major banks and government departments, for example.
I was pleased with myself, but along the way had to deal with events such as the employee who, being bored at lunchtime used his best efforts to covertly install a computer game he'd downloaded off the net onto our internal network. This game contained Chinese malware of course, and set off alarms like atom bombs at our network perimeter as soon as it tried to connect to the mothership. He left our employment shortly thereafter.
Then there was the time I had to provide a security lecture to the CEO of one of our smaller suppliers. They had Nigerian malware on their internal network, which intercepted an invoice being prepared. The bad guys changed the payee details to their own bank account, and payment of nearly $100K went to them instead of to the supplier. The content of the lecture was "This is why you didn't get paid. Tough shit. Be more careful in future".
I could go on and on for hours...NorK spooks approaching our staff (and me!!) under the guise of being Brits looking for work etc...
Most civilians have no idea what a fantastically dangerous place the internet is.
My brother used to work as a "IT-kuli" as he called it, troubleshooting and fixing problems for companies after employees inevitably effed things up (which included a surprising number of IT-companies).
9 out of 10, the problem was human factor-related. Anything from stupidity to laziness to ignorance to cheapness, or a nice mix of all of them.
It's amazing how many people seem to believe in the myth of 'perfect' security.
It encompasses everything from the fancy crypto tech to the processes by which the company operates, to physical security. You can't just look at one bit and say "yup, that's secure - so we're good to go"
Thankfully, I got a lot more cognizant about risk by figuring out all the BS around MPT, modern portfolio theory, and its flawed definition of risk as 1 year volatility, on top of this being on the basis of totally unrealistic assumptions, like unlimited borrowing at the risk free interest rate.
I did wonder a lot why Brits, who are deemed to be passionate and knowledgeable about betting, were so bad at risk assessment and management during Covid.
On elections in the UK, I recently noted that they are not anonymous at all.
My postal voting ballot papers were numbered and the number was linked to my personal details with the council.
The electoral officer defended that and listed all the safeguarding procedures but the fact is: they can trace you to your ballot paper.
And he stated that the ballot papers are also numbered and linked when you vote in person.
In Germany, ballot papers are never numbered and the postal voting is still as secure as it can be.
And I am pretty sure that in Eastern Europe noone would put up with this, as they experienced where it leads to.
I'm good with the idea of numbered ballots (this is useful in post-vote monitoring to ensure only official ballots are cast, for example).
What is definitely NOT good is associating this number with an individual voter. That's a big no-no.
Well, pay attention on 4.7.. This is exactly how it is set up in the UK.
I can send you the electoral officer's response.
Postal voting can also safely be done without numbered ballots, as Germany demonstrates since 1949.
I might ask on Thursday
I have my polling card and my ID all good to go!
I'm, personally, OK with everyone knowing I'm voting Reform, but that cannot (and should not) be taken to be the 'normal' state of affairs.
This is how we deal with risk management in the USA https://www.budsgunshop.com/
🤣