SnakeOil Security @ #cpartyeu

I am attending Campus Party in Madrid, a conference organized by
Spain’s EU presidency. It contains a section about computer security,
so I believe it’s a good idea to blog about the Snake Oil security
implemented here.

Spain is a country with quite a high theft rate (including such
advanced scam schemes as armed fake policemen stopping cars
and stealing money). For this reason, I welcomed the fact that
there is a security measure against laptop theft at this conference.
Sadly, I realized it’s snake oil (security theatre) protection,
because it does not work.

Here’s how it should work: You get a badge that has your passport or
ID number, and you get a sticker on your laptop that has the same number.
When you leave the conference room, they check your bag and compare the
numbers on the badge and the laptop. If it’s a match, you can go;
otherwise, you are a burglar.

The problem is this: They check the whole bag only if you say you
have no laptop. If you have a laptop and show them, they check
only the laptop and don’t bother with checking the bag. That means that
if you want to steal a laptop, you need to own another one (it does
not have to work, it just needs to look like a laptop). When
you are getting out, you just show the legitimate one and get out
with a stolen one.

Why is this bad? It actually makes the security situation worse –
people think they are protected, so they leave their laptops on
the tables, because they think nothing bad can happen to them: they
are checked!

When applying any security measure, you need to make sure that
you understand what you are protecting against, develop a policy
that works, and make sure it’s implemented correctly.

This is, sadly, not the case with this conference. I am taking my
laptop with me everywhere.


Written by Juraj Bednár