Allegations of security theater should start with discussing the threat model. This is just somebody complaining about a crappy key card system.
To be fair, he was pointing out that the invisible "credentials in cookies" issue was much harder to get fixed:
The turnstiles were visible. They were expensive. They disrupted everyone's day and made headlines in company-wide emails. Management could point to them and say that we're taking security seriously. Meanwhile, thousands of employees had their Jira credentials stored in cookies. A vulnerability that could expose our entire project management system. But that fix required documentation, vendor approval, a month of convincing people it mattered. A whole lot of begging.
Again, not security theater. Signs of general dysfunction yes. Embarrassing. Fun to tease about for sure.
Aside: the more times I re-read the article the more annoyed I am with the self-righteous tone. It feels like the author is mimicking the style of legendary Usenet posts, but the story just isn’t that interesting and the writing not that witty, it falls flat.
If it isn't outright fake it's at least embellished. It even has the "and then everyone clapped" line!
The writing is clearly AI-generated or at least AI-assisted, so I think it's safe to assume it's also a work of fiction.
I’ll take your word for that. I don’t know how to tell. But I did notice that the writing was conspicuously terrible throughout. Entire sentences make no sense, such as “I'd slip in suspiciously while they contemplated the email that clearly said not to let anyone in with your own card.”
Turnstiles aren't theater and Redis doesn't make password storage secure so the entire thing seems a little el-el-emish..
But what about that sentence does not make sense? They are describing tailgating..
It doesn’t make sense as a whole. But, for example, what was he suspicious of?
"I'd slip in suspiciously" means the "slipping in" was suspicious.
You sure? I wasn’t.
“John regarded Mary suspiciously”
“Sharon suspected her husband of cheating. She looked through his emails suspiciously.”
It can mean either. "Suspicious behavior" doesn't mean that the behavior thinks that you've done something wrong.
"She's suspicious" can mean either that I suspect her intentions or that she suspects someone else's intentions.
The last two paragraphs are mainly what stood out. I've spent hours trying to get LLMs to stop writing like that. It's hard because you can't just say things like "don't write lists of three items" because sometimes you want a list of three items. The rest of the text could be written by a person as it's kind of disjointed, but that could also be the result of trying to prompt out the AI-isms.