Excerpt for Security Sound Bites: Important Ideas About Security From Smart-Ass, Dumb-Ass, and Kick-Ass Quotations by Roger Johnston, available in its entirety at Smashwords


“Fascinating…Full of Thought Triggers”

-- Security Magazine



Security Sound Bites:

Important Ideas About Security From

Smart-Ass, Dumb-Ass, and Kick-Ass Quotations


By Roger G. Johnston

Copyright 2011 Roger G. Johnston

Smashwords Edition


Smashwords Edition License Notes

This ebook is licensed for your personal enjoyment only. This ebook may not be re-sold or given away to other people. If you would like to share this book with another person, please purchase an additional copy for each person you share it with. If you're reading this book and did not purchase it, or it was not purchased for your use only, then you should return to Smashwords.com and purchase your own copy. Thank you for respecting the author's work.



This book is also available in print at most online retailers.


* * * * *


Security Sound Bites:

Important Ideas About Security From

Smart-Ass, Dumb-Ass, and Kick-Ass Quotations


Table of Contents

Chapter 1 - Introduction

Chapter 2 - Cyber Security

Chapter 3 - Ciphers & Cryptography

Chapter 4 - Psychology

Chapter 5 - Polygraphs

Chapter 6 - Security Culture

Chapter 7 - The Insider Threat & Social Engineering

Chapter 8 - Human Resources & Security

Chapter 9 - The Adversary

Chapter 10 - The Expected & the Unexpected

Chapter 11 - Makes Sense

Chapter 12 - Risk Management

Chapter 13 - Vulnerability Assessments

Chapter 14 - Creativity & Brainstorming

Chapter 15 - Cognitive Dissonance

Chapter 16 - Security by Obscurity

Chapter 17 - Security in Depth/Layered Security

Chapter 18 - Homeland Security

Chapter 19 - Privacy & Civil Liberties

Chapter 20 - Common Sense

Chapter 21 - Organizational Security & Bureaucracies

Chapter 22 - Security Philosophy

Chapter 23 - Security Planning & Strategy

Chapter 24 - Security Management & Leadership

Chapter 25 - Security Practice

Chapter 26 - Security Guards

Chapter 27 - Communication

Chapter 28 - Security Training

Chapter 29 - Security Metrics & Standards

Chapter 30 - Safety

Chapter 31 - Stupidity/Ignorance

Chapter 32 - Uh…How’s That Again?

Chapter 33 - Crime & Violence

Chapter 34 - Dogs, and What They Can Teach Us

Chapter 35 - Physical Security/Building & Facility Security

Chapter 36 - Inventory is Not Security!

Chapter 37 - Designing & Choosing Security Products

Chapter 38 - Locks, Seals, & Tamper Detection

Chapter 39 - Fakes, Frauds, Counterfeits, & Tags

Chapter 40 - Biometrics & Access Control

Chapter 41 - Alcohol, Drugs, & Drug Testing

Chapter 42 - Maybe Missing the Point?

Chapter 43 - Nuclear Nonproliferation & Safeguards

Chapter 44 - Terminology

Chapter 45 - Security & Change

Chapter 46 - Technology

Chapter 47 - The Future

Chapter 48 - Security Maxims

Chapter 49 - Books You Should Read

Chapter 50 - About the Author

Chapter 1 - Introduction

I’ve given a lot of talks about physical security and vulnerability assessments. For many years, I would include a short, entertaining quote at the bottom of some of my slides to emphasize certain points I was trying to make. I wouldn’t comment on the quotes directly, just let the audience read them on their own if they were interested. People seemed to like this approach.

At first, I chose quotes with rather straightforward connections to the material I was presenting. But then I discovered something interesting. If the quote was only tangentially related to the point I was trying to make, people afterwards would get into quite lively discussions about the meaning of the quote. In the process, they were thinking more profoundly about the security issues I was trying to raise than would happen otherwise.

This book contains many of the quotes I have used over the years, as well as various observations, maxims, and anecdotes. A lot of these are clearly about security. Others aren’t exactly about security, but maybe they should be. Or maybe they really are about security if you look at them in the right way.

Many of these items are humorous. Others are thought provoking. Some are thought provoking and humorous. A lot are pithy or amazing or cynical. Many are remarkable in their observational clarity or elegance. More than a few are just plain dumb or disturbing. All together, they capture fundamental and profound truths about security that can be ignored only at great peril.

I hope you find these various sound bites entertaining. If so…great, but that’s not the point. If you think carefully about the ideas that each of these snippets represents, then take the lessons they offer to heart, I guarantee you’ll have a better security program. If nothing else, sometimes humor, elegance, cynicism, or boldface stupidity can kick us out of our day-to-day mental rut and get us thinking in new directions.

These quotations can be used as a springboard for discussion with your security colleagues, or as an interesting way to open a meeting or close an email. Or they can be something to ponder on your own.

At the start of each section is a list of some of the key points that I think the sound bites in that section make—or at least hint at. My suggestion is that you read the quotations in each section with these key points in mind. You may well find other, better meanings, too, that I have not paraphrased.

Hopefully in the process of considering these snippets, you can come to some fresh insights about security, security management, organizational behavior, or even just the human condition. These things are, of course, intricately connected. Fundamentally, security is about human beings and all their faults, foibles, and flaws, not to mention their idiosyncrasies, foolishness, maliciousness, arrogance, ignorance, genius, wit, wisdom, courage, stupidity, vision, self-delusion, self-sacrifice, and lunacy. All of which can be found reflected in these sound bites.

The views expressed here are my own and should not necessarily be attributed to my employer, the people quoted here, or anybody else, sane or otherwise. It should also not be assumed that I agree with the words or ideas contained or implied in any given quotation or anecdote that appears in this book. I use some quotations as horrible examples of thinking gone dreadfully wrong, while others I hold up as shining examples of enlightened reasoning.

To the best of my knowledge, all items included here fall under the fair use or public domain guidelines of copyright law in the United States. Quotations remain the intellectual property of their respective originators. I make no claim of copyright for individual quotations, observations, or anecdotes that I did not originate. By quoting any given person here, I do not mean to imply that they have endorsed or approved this book.

I make no claims for the accuracy of the quotes or who gets credit for them. Many quotes are attributed to “Anonymous”, but it is likely that at least their mom knew them. If you’re the originator of the quote, my apologies for not giving you the credit. If I’ve given credit to the wrong person, again my apologies.

Quotations tend to naturally get tweaked over time to both sound better and reinforce their message. Regarding the accuracy of the quotes in this book, I take solace in the following quotes:

Famous remarks are very seldom quoted correctly -- Simeon Strunsky (1879-1948)

Quotation (n): The act of repeating erroneously the words of another. -- Ambrose Bierce (1842-1914?)

What's the use of a good quotation if you can't change it? -- Doctor Who

I have the hubris to quote myself on occasion when I can’t find quotes from others to make the desired points. The intent, however, is not to try to place myself either at the lofty heights of some of the brilliant minds I quote (e.g., Albert Einstein, Demosthenes, Yogi Berra), nor at the frightening depths of the flaming morons who also appear.

This ebook concludes with some suggestions for really interesting books about security (or sort of about security), plus a collection of my cynical—and almost serious—security maxims.

Finally, thanks to my colleague, Dr. Jon Warner, for recommending some quotes, and for his excellent work on security issues. This book is dedicated to Janie.

-- Roger Johnston, Oswego, Illinois, April 2011

Chapter 2 - Cyber Security

Some Key Points:

It’s more about the user than the security staff or technology.

Effective IT security requires effective physical security.

There are only two industries that refer to their customers as "users".

-- Edward Tufte

They have computers, and they may have other weapons of mass destruction.

-- Attorney General Janet Reno

Even the smartest IT security staff is no match for user ignorance.

-- Michael Perry

The methods that most effectively minimize the ability of intruders to compromise information security are comprehensive user training and education. Enacting policies and procedures simply won’t suffice. Even with oversight, the policies and procedures may not be effective.

-- Kevin Mitnick

Without physical security, no other security measures can be considered effective.

-- Tom Caddy

It does little good to have great computer security if wiring closets are easily accessible or individuals can readily walk into an office and sit down at a computer and gain access to systems and applications. Even though the skill level required to hack systems and write viruses is becoming widespread, the skill required to wield an ax, hammer, or fire hose and do thousands of dollars in damage is even more widely held.

-- Michael Erbschloe, Physical Security for IT (2005)

Computer Science is no more about computers than Astronomy is about telescopes.

-- E. W. Dijkstra

A Bus Station is where buses stop. A Train Station is where trains stop. On my desk, there is a Work Station.

-- Jojn Wätte

If you don't know how to do something, you don't know how to do it with a computer.

-- Anonymous

Computers make it easier to do a lot of things, but most of the things they make it easier to do don’t need to be done.

-- Andy Rooney

Is it the computer's fault for freezing, or our fault for trusting the worthless piece of crap to begin with?

-- Anonymous

The user's going to pick dancing pigs over security every time.

-- Bruce Schneier

Actual news story: On February 13, 2009, InfoMedia, Inc., which developed iFart for the iPhone, filed a lawsuit in federal district court in Colorado against Air-O-Matic, Inc., maker of the competing app “Pull My Finger” over trademark rights to the phrase “pull my finger”. Both apps simulate farting noises. There are at least 75 total flatulence simulation apps available. [Author’s Comment: It’s pretty darn clear that this kind of software is exactly what Rear Admiral Grace Hopper had in mind when she was pioneering the development of software.]

Definition—portable: (adjective)-exposed to a mutable ownership through vicissitudes of possession.

-- Anonymous

Compaq was considering changing the command "Press Any Key" to "Press Enter Key" because of the flood of calls asking where the Any Key is.

How long is this Beta guy going to keep testing our stuff?

-- Inquiry from a senior manager

Who were the beta testers for Preparations A through G?

-- Bumper Sticker

Any Internet user knows it is quite difficult to stumble across pornography.

-- Sen. Russell Feingold

I don't understand computers. I don't even understand people who understand computers.

-- Queen Juliana of the Netherlands

Percentage of Canadians who say they approve of the information superhighway: 63%. Percentage of Canadians who say they know what the information superhighway is: 54%

-- PC Magazine

A computer once beat me at chess, but it was no match for me at kick boxing.

-- Emo Philips

On two occasions I have been asked by members of Parliament, "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?" I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.

-- Charles Babbage (1791-1871)

If you put tomfoolery into a computer, nothing comes out of it but tomfoolery. But this tomfoolery, having passed through a very expensive machine, is somehow ennobled and no-one dares criticize it.

-- Pierre Gallois

Computers are useless. They can only give you answers.

-- Pablo Picasso (1881–1973)

I just feel so sad for the human race after using a PC.

-- Anonymous Mac user

Actual call to a computer help line:

Customer: I bought your fancy graphics card, and my Windows display isn't any better than it was before.

Tech support guy: We'd better look at the installation then.

Customer: You mean I have to install it?

The only truly secure system is one that is powered off, cast in a block of concrete, and sealed in a lead-lined room with armed guards—and even then I have my doubts.

-- Gene Spafford

The only system which is truly secure is one which is switched off and unplugged, locked in a titanium-lined safe, buried in a concrete bunker, and is surrounded by nerve gas and very highly paid armed guards. Even then, I wouldn't stake my life on it.

-- Gene Spafford

If you spend more on coffee than on IT security, you will be hacked. What’s more, you deserve to be hacked.

-- Richard Clarke, White House Cyber Security Advisor

The first phone call to Michael Wolff’s NetGuide hotline, January 2, 1994: “Hello! Is this the Internet?”

Actual Tech Support phone conversation:

Customer: I can't get on the Internet.

Tech support: Are you sure you used the right password?

Customer: Yes, I'm sure. I saw my colleague do it.

Tech support: Can you tell me what the password was?

Customer: Five stars.

In my organization, our online training course in Ethics is password protected. This is presumably to prevent unauthorized personnel from stealing our ideas on ethics.

-- Roger Johnston

Actual call to a computer tech support line: I have a huge problem. A friend of mine has placed a screen saver on my computer, but every time I move the mouse, it disappears.

You can hardly tell where the computer models finish and the real dinosaurs begin.

-- Laura Dern, actress in Jurassic Park (1993)

Chapter 3 - Ciphers & Cryptography

Some Key Points:

Ciphers do not offer absolute security.

Ciphers and Data Authentication have their uses, but they add little to zero extra security if you lack good physical security, a good security culture, and haven’t dealt adequately with the insider threat.

They don’t legitimize raw data that you can’t believe in the first place, or data collected, stored, generated, or transmitted by hardware or software that is not secure.

Definition—encryption: (noun)-(1) Attempting to secure the communications channel between two hopelessly unsecure locations or devices, each controlled, designed, or manufactured by completely untrustworthy or incompetent personnel. (2) A magic band-aid that fixes all security flaws, even those having nothing to do with data or communications security. (3) Evidence that nobody has spent any time thinking about security.

Definition—data authentication: (noun)-A magical technique that gives us 100% confidence in the veracity of data even though the machine that generated or transmitted it, and the people who handle or made the machine can’t be trusted, are knuckleheads, and the data is probably wrong anyway.

Never underestimate the time, expense, and effort an opponent will expend to break a code.

-- Robert Morris

Using encryption on the Internet is the equivalent of arranging an armored car to deliver credit-card information from someone living in a cardboard box to someone living on a park bench.

-- Gene Spafford

There is no assurance that a foreign government cannot also "break" the [DSS] system, running the risk of a "digital Pearl Harbor"—a devastating loss of the security of the entire national financial and business transaction systems.

-- D. James Bidzos

Definition—computationally secure: (adjective)-a weasel term applied to the security of ciphers that really means, “We’re not imaginative enough to envision a successful attack.”

Factoid: The one-time pad (Vernam cipher) is the only cipher that has been shown mathematically to be unbreakable, and then only when the key is truly random, at least as long as the message, kept secret, and never used twice. Violate any one of those conditions and the proof no longer applies.
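Those conditions are easy to state and easy to violate, so here is an added worked example (mine, not from the book) of the pad working under them and of what the same key used twice gives away: XORing two ciphertexts cancels the key and leaves plaintext-1 XOR plaintext-2, from which a guessed fragment of one message ("crib") recovers the other. The messages and the crib are constructed sample data; the key comes from Python's `secrets` module, i.e. a CSPRNG standing in for a truly random source.

```python
import secrets


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each plaintext byte with the corresponding key byte.
    Perfect secrecy holds only if the key is uniformly random, at least as long
    as the message, kept secret, and used exactly once."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def two_time_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """If one key was used for two messages, XORing the ciphertexts cancels
    the key and yields plaintext1 XOR plaintext2 without knowing the key."""
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def crib_drag(xored: bytes, crib: bytes, offset: int) -> bytes:
    """Given plaintext1 XOR plaintext2 and a guessed fragment (crib) of one
    plaintext at a known offset, recover the other plaintext's bytes there."""
    segment = xored[offset:offset + len(crib)]
    return bytes(a ^ b for a, b in zip(segment, crib))


def demo() -> bytes:
    # Constructed sample messages, same length so the leak lines up byte for byte.
    m1 = b"ATTACK AT DAWN TOMORROW"
    m2 = b"RETREAT AT DUSK TONIGHT"

    key = secrets.token_bytes(len(m1))  # fresh, full-length, from a CSPRNG
    c1 = otp_encrypt(m1, key)
    assert otp_decrypt(c1, key) == m1

    # Correct use: the second message gets its own independent key, so
    # c1 XOR c2_good is just random bytes and says nothing about m1 or m2.
    c2_good = otp_encrypt(m2, secrets.token_bytes(len(m2)))

    # Misuse: the same key is reused for the second message.
    c2_bad = otp_encrypt(m2, key)
    leaked = two_time_pad_leak(c1, c2_bad)
    assert leaked == bytes(a ^ b for a, b in zip(m1, m2))

    # An attacker who guesses that m1 begins with "ATTACK" reads m2's first six bytes.
    return crib_drag(leaked, b"ATTACK", 0)
```

`demo()` returns `b"RETREA"`: the attacker never touched the key, never broke XOR, and still reads the second message, which is why "the cipher cannot be broken" says nothing about how the keys are generated, stored, and reused.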

When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl

-- 6&nL#bi~8r!

One of the most singular characteristics of the art of deciphering is the strong conviction possessed by every person, even moderately acquainted with it, that he is able to construct a cipher which nobody else can decipher. I have also observed that the cleverer the person, the more intimate is his conviction. In my earliest study of the subject, I shared in this belief, and maintained it for many years.

-- Charles Babbage (1791-1871), Passages from the Life of a Philosopher

The security of a cipher lies less with the cleverness of the inventor than with the stupidity of the men who are using it.

-- Waldemar Werther

Anyone who attempts to generate random numbers by deterministic means is, of course, living in a state of sin.

-- John von Neumann (1903-1957)


Red Herring Maxim: At some point in any challenging security application, somebody (or nearly everybody) will propose or deploy more or less pointless encryption, hashes, or data authentication along with the often incorrect and largely irrelevant statement that “the cipher [or hash or authentication algorithm] cannot be broken”.

Comments: Product anti-counterfeiting tags and International Nuclear Safeguards are two security applications highly susceptible to this fuzzy thinking.

With anti-counterfeiting tags, it is no harder for product counterfeiters to make copies of encrypted data than it is to make copies of unencrypted data. They don’t have to understand the encryption scheme or the encrypted data to copy it, so the degree of difficulty in breaking the encryption (usually overstated) is irrelevant. Indeed, if there were a technology that could prevent cloning of encrypted data (or hashes or digital authentication), then that same technology could be used to prevent cloning of the unencrypted original data, in which case the encryption has no significant role to play. (Sometimes one might wish to send secure information to counterfeit hunters in the field, but the security features and encryption typically employed on cell phones or computers are good enough for that.)

What makes no sense is putting encrypted data on a product, with or without it including encrypted data about an attached anti-counterfeiting tag; the bad guys can easily clone the encrypted data without having to understand it. When there is an anti-counterfeiting tag on a product, only the degree of difficulty of cloning it is relevant, not the encryption scheme. The use of unique, one-of-a-kind tags (i.e., complexity tags) does not alter the relative unimportance of the encryption as an anti-counterfeiting measure.

Sometimes people promoting encryption for product anti-counterfeiting vaguely have in mind an overly complicated (and usually incomplete/flawed) form of a virtual numeric token (“call-back strategy”). [See RG Johnston, “An Anti-Counterfeiting Strategy Using Numeric Tokens”, International Journal of Pharmaceutical Medicine 19, 163-171 (2005).]

Encryption is also often thought of as a silver bullet for International Nuclear Safeguards, partially for reasons given in the Dumbestic Safeguards Maxim.  The fact is that encryption or data authentication is of little security value if the adversary can easily break into the equipment holding the secret key without detection (as is usually the case), if there is a serious insider threat that puts the secret encryption key at risk (which is pretty much always the case), and/or if the surveillance or monitoring equipment containing the secret key is designed, controlled, inspected, maintained, stored, observed, or operated by the adversary (as is typically the case in International Nuclear Safeguards).
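The two failure modes above, cloning authenticated tag data without understanding it and minting valid data once the secret key has been pulled out of the equipment, are easy to show in a few lines. The following is an added example of mine, not code from the book or from the numeric-token paper: a tag carries a serial plus an HMAC-SHA256 under a brand key, an offline reader recomputes the MAC, a counterfeiter copies the record verbatim, and a key thief forges a record for a serial that was never made. The `CheckInService` at the end is a hypothetical online check-in added for contrast (my assumption, not the author’s scheme). Serials and the key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Secret held by the brand owner and provisioned into field readers
# (constructed for this example; in practice it would live in an HSM or token).
BRAND_KEY = secrets.token_bytes(32)


def make_tag_record(serial: str, key: bytes) -> dict:
    """Manufacturer writes an authenticated record onto the product tag:
    the serial plus an HMAC-SHA256 over it under the brand key."""
    mac = hmac.new(key, serial.encode(), hashlib.sha256).hexdigest()
    return {"serial": serial, "mac": mac}


def offline_verify(record: dict, key: bytes) -> bool:
    """Field reader: recompute the MAC and compare in constant time.
    It can only judge the bytes in front of it, not whether they were copied."""
    expected = hmac.new(key, record["serial"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["mac"])


def clone_tag(record: dict) -> dict:
    """Counterfeiter: copy the record byte for byte. No key, no cryptanalysis,
    and no need to know what a MAC is or how strong SHA-256 is."""
    return dict(record)


def forge_with_extracted_key(serial: str, stolen_key: bytes) -> dict:
    """Adversary who pulled the key out of a reader or monitoring unit, or got
    it from an insider: mint valid records for serials never manufactured."""
    return make_tag_record(serial, stolen_key)


class CheckInService:
    """Hypothetical online check-in (an illustration, not the book's scheme):
    each serial is expected to be presented once, so a second presentation
    is flagged as a possible clone. Whichever copy arrives second gets flagged."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen = set()

    def check(self, record: dict) -> str:
        if not offline_verify(record, self.key):
            return "bad-mac"
        if record["serial"] in self.seen:
            return "duplicate"
        self.seen.add(record["serial"])
        return "ok"


def demo() -> dict:
    genuine = make_tag_record("SN-000123", BRAND_KEY)
    clone = clone_tag(genuine)
    forged = forge_with_extracted_key("SN-999999", BRAND_KEY)
    service = CheckInService(BRAND_KEY)
    return {
        "genuine_offline": offline_verify(genuine, BRAND_KEY),  # the real tag passes
        "clone_offline": offline_verify(clone, BRAND_KEY),      # the copy is indistinguishable
        "forged_offline": offline_verify(forged, BRAND_KEY),    # key theft defeats the MAC outright
        "genuine_online": service.check(genuine),               # first sighting of the serial
        "clone_online": service.check(clone),                   # second sighting is flagged
    }
```

The offline reader accepts the clone and the forgery for the same reason: the strength of HMAC-SHA256 is about the adversary not being able to compute a MAC, and neither adversary needs to. The online check only helps against the cloner, and only by noticing a repeat; if the counterfeit is scanned first, it is the genuine article that gets flagged, and once the key is out of the equipment nothing on this page distinguishes real from fake.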

Chapter 4 - Psychology

Some Key Points:

People are complex, flawed, and weird.

You can’t understand security without understanding psychology.

Most men are within a finger's breadth of being mad.

-- Diogenes the Cynic (412–323 BC)

The only normal people are the ones you don't know very well.

-- Joe Anci

Remember as far as anyone knows, we're a nice normal family.

-- Homer Simpson

Don’t accept rides from strange men, and remember that all men are strange as hell.

-- Robin Morgan

People will believe anything if you whisper it.

-- Anonymous

Why do we press harder on the TV remote keys when the batteries are getting weak?

-- Anonymous

That which does not kill us, only makes us stranger.

-- Aeon Flux

If the brain were so simple we could understand it, we would be so simple we couldn't.

-- Lyall Watson (1939-2008)

It is easier to understand Man in general than to understand one man in particular.

-- François de La Rochefoucauld (1613-1680)

You talk to God, you're religious. God talks to you, you're psychotic.

-- Doris Egan

A man generally has two reasons for doing a thing.  One that sounds good, and a real one.

-- J. Pierpont Morgan (1837-1913)

When truth is discovered by someone else, it loses something of its attractiveness.

-- Alexander Solzhenitsyn (1918-2008)

He was a great patriot, a humanitarian, a loyal friend; provided, of course, he really is dead.

-- Voltaire (1694-1778)

Anyone who goes to a psychiatrist ought to have his head examined.

-- Samuel Goldwyn (1879-1974)

I told my psychiatrist that everybody hates me. He said I was being ridiculous—everybody hasn’t met me yet.

-- Rodney Dangerfield (1921-1997)

There are many kinds of intelligence. Scientists just haven’t identified mine yet.

-- Anonymous

Understanding is reached only after confrontation.

-- Miss Ivannah, the topless fortune teller in Mallrats (1995)

To predict the behavior of ordinary people in advance, you only have to assume that they will always try to escape a disagreeable situation with the smallest possible expenditure of intelligence.

-- Friedrich Nietzsche (1844-1900)

The public will believe anything, so long as it is not founded on truth.

-- Edith Sitwell (1887-1964)

Nobody eats at that restaurant anymore because it’s always so crowded.

-- Yogi Berra

Factoid: Sports teams that wear dark uniforms are penalized more than teams that wear white uniforms.

Humor is a good test for sanity. If you laugh, you are sane. Unless, of course, you laugh constantly, at nothing at all.

-- Anonymous

Man is the only animal that laughs and weeps; for he is the only animal that is struck with the difference between what things are and what they ought to be.

-- William Hazlitt (1778-1830)

A harmless hilarity and a buoyant cheerfulness are not infrequent concomitants of genius; and we are never more deceived than when we mistake gravity for greatness, solemnity for science, and pomposity for erudition.

-- C.C. Colton (1780-1832)

It is our responsibilities, not ourselves, that we should take seriously.

-- Peter Ustinov (1921-2004)

We must avoid here two complementary errors: on the one hand that the world has a unique, intrinsic, pre-existing structure awaiting our grasp; and on the other hand that the world is in utter chaos. The first error is that of the student who marvelled at how the astronomers could find out the true names of distant constellations. The second error is that of Lewis Carroll's Walrus who grouped shoes with ships and sealing wax, and cabbages with kings...

-- R. Abel

If trees could scream, would we be so cavalier about cutting them down? We might, if they screamed all the time, for no good reason.

-- Jack Handey

That's the difference between me and the rest of the world! Happiness isn't good enough for me! I demand euphoria!

-- Calvin from Calvin & Hobbes

The capriciousness of our temperament is even stranger than the whims of fortune.

-- François de La Rochefoucauld (1613-1680)

This guy walks into a psychiatrist’s office and says, “Doc, you’ve got to help me!” “Sure,” says the psychiatrist, “What’s the problem?” “Well, Doc, it’s my brother. He thinks he’s a chicken.” “My goodness!” says the psychiatrist, “How long has this been going on?” “About seven years,” says the man. “Seven years!” exclaims the psychiatrist. “Why didn’t you come to me sooner?” “Well I would’ve,” says the man, “but we needed the eggs.”

-- Old Vaudeville joke

We are more ready to try the untried when what we do is inconsequential. Hence the fact that many inventions had their birth as toys.

-- Eric Hoffer (1902-1983)

To punish me for my contempt for authority, fate made me an authority myself.

-- Albert Einstein (1879-1955)

Don’t tell me that worry doesn’t do any good. I know better! The things I worry about don’t happen!

-- Anonymous

If you think you can, or you think you can’t, you are right.

-- Henry Ford (1863-1947)

The food here is terrible, and the portions are so small.

-- Woody Allen

In my opinion, we don’t devote nearly enough scientific research to finding a cure for jerks.

-- Calvin from Calvin & Hobbes

Chapter 5 - Polygraphs

Some Key Points:

Current polygraphs (lie detectors) are pseudo-scientific nonsense.

The polygraph is a ruse, carefully constructed as a tool of intimidation, and used as an excuse to conduct illegal inquisition under psychologically and physically unpleasant circumstances.

-- The Committee for the Scientific Investigations of Claims of the Paranormal (CSICOP)

Factoid: No persons captured as U.S. spies in the last 3 decades failed a polygraph exam. A number passed polygraph exams multiple times.

In 2002, the National Academy of Sciences completed an independent, $860,000 study on the effectiveness of polygraphs (“lie detectors”). See http://www.nap.edu/books/0309084369/html.

Some conclusions from this study:

• “Polygraph test accuracy may be degraded by countermeasures…”

• “…overconfidence in the polygraph—a belief in its accuracy that goes beyond what is justified by the evidence—…presents a danger to national security…”

• “Its accuracy in distinguishing actual or potential security violators from innocent test takers is insufficient to justify reliance on its use in employee security screening…”


Definition—polygraph, a.k.a. “lie detector”: (noun)-a pseudo-scientific device invented by William Marston in the 1920’s with about as much grounding in reality as his other major invention (the comic book character Wonder Woman).

A polygraph does not detect lies. It detects physiological responses which are not well correlated with dishonesty. If you’re a narcissist, or you believe your own lies, or you’re not particularly emotionally responsive, or you know the various techniques to fool the polygraph, or the polygraph examiner likes you, you won’t fail the “exam” even if you don’t tell the truth.

-- Anonymous

You don’t fool a polygraph, you fool the polygraph examiner.

-- Anonymous

Factoid: It has been pointed out that most states require more training to become a licensed barber than to become a certified polygraph examiner.

Chapter 6 - Security Culture

Some Key Points:

“Security Culture” is the official and unofficial, formal and informal behaviors, attitudes, perceptions, strategies, rules, policies, and practices associated with security. An organization is unlikely to have good security without a good security culture. Sometimes, the security hardware is considered a component of security culture (in the same sense that archaeologists consider physical artifacts to be part of culture), but this isn’t especially helpful. Sometimes the unofficial and informal aspects are separately called “security climate”.

Your security is no better than your security culture and climate.

People are the security.

Nobody can foresee all the threats and vulnerabilities, and it’s silly and ignorant to expect them to.

A good security culture needs to be based on motivating employees, not threatening them.

Be Afraid, Be Very Afraid Maxim: If you’re not running scared, you have bad security or a bad security product.

The best safety lies in fear.

-- William Shakespeare (1564-1616), Hamlet, 1:3

Real Security makes you feel bad because you have to think and work hard, and because you will come to understand its problems, limitations, and vulnerabilities. Security Theater makes you feel good because it (falsely) purports to solve the problem relatively painlessly, without making you have to think.

-- Roger Johnston

Health is not simply the absence of sickness.

-- Hannah Green

Accountability Maxim: Organizations that talk a lot about holding people accountable for security will never have good security. Security needs to be motivated, not threatened.

Firing people does not engender accountability, just cover-ups, scapegoating, and deceit. It also makes security the enemy of employees.

-- Anonymous

Distrust all in whom the impulse to punish is powerful.

-- Friedrich Nietzsche (1844-1900)

Scapegoat Maxim: The main purpose of an official inquiry after a serious security incident is to find somebody to blame, not to fix the problems.

When all candles be out, all cats be grey.

-- John Heywood, (1497-1580)

What’s Wrong with This Picture?

“I think the worst problem was the way the security was set up for this particular project. The people who set it up were actually trying to be very conscious of security, but they didn't make a plan that addressed all the potential risks.”

-- Testimony to Congress after yet another serious security incident at Los Alamos National Laboratory

Somebody Must’ve Thought It Through Maxim: The more important the security application, the less careful and critical thought and analysis has gone into it.

What’s Wrong with This Picture?

“While serious, the incident in question was the result of human error, not a failure of security systems. We have a robust system in place to report and investigate potential violations. In my opinion, this is a circumstance where those systems worked well."

-- Official government agency statement after yet another serious security incident at Los Alamos National Laboratory

Those security guys are really starting to get on my nerves.

-- From the movie Menno’s Mind (1996)

Protection and security are only valuable if they do not cramp life excessively.

-- Carl Jung (1875-1961)

Jack Byrnes: Trust me, Greg. When you start having little Fockers running around, you’ll feel the need for this type of security.

-- From the movie Meet the Parents (2000)

Schneier’s Second Maxim (Control Freaks Maxim): Control will usually get confused with Security.

Chapter 7 - The Insider Threat & Social Engineering

Some Key Points:

Identifying the insider threat is a challenge.

Mitigating it is even harder.

Much of the insider threat is non-deliberate (complacent and careless employees), but still dangerous.

Troublemakers aren’t automatically an insider threat.

Employee perceptions of fairness, not objective reality, are all that matter for employee disgruntlement—a key factor for insider threat.

People who are treated badly but expect to be don’t tend to be disgruntled.

People who appear to be treated well may be disgruntled over seemingly minor issues.

Background checks rely primarily on information provided by the subject.

An autobiography is only to be trusted when it reveals something disgraceful.

-- George Orwell (1903-1950)

No one can build his security upon the nobleness of another person.

-- Willa Cather (1873-1947)

We have met the enemy and he is us.

-- Walt Kelly (1913-1973), the words of Pogo in an Earth Day 1971 cartoon strip

We Have Met the Enemy and He is Us Maxim: The insider threat from careless or complacent employees and contractors exceeds the threat from malicious insiders (though the latter is not negligible).

People often represent the weakest link in the security chain and are chronically responsible for the failure of security systems.

-- Bruce Schneier

Insider Risk Maxim: Most organizations will ignore or seriously underestimate the threat from insiders.

Honesty may be the best policy, but it's important to remember that apparently, by elimination, dishonesty is the second-best policy.

-- George Carlin (1937-2008)

Whatever you condemn, you have done yourself.

-- Georg Groddeck (1866-1934)

Show me a liar, and I will show thee a thief.

-- George Herbert (1593-1633)

There is no safety for honest men but by believing all possible evil of evil men.

-- Edmund Burke (1729-1797)

Who naught suspects is easily deceived.

-- Francesco Petrarch (1304-1374)

It takes greater virtues to withstand good fortune than bad fortune.

-- François de La Rochefoucauld (1613-1680)

I have not a particle of confidence in a man who has no redeeming vices.

-- Mark Twain (1835-1910)

It has been my experience that folks who have no vices have very few virtues.

-- Abraham Lincoln (1809-1865)

It's awful hard to get people interested in corruption unless they can get some of it.

-- Will Rogers (1879-1935)

Envy aims very high.

-- Ovid (43 BC – 17 AD)

The true hypocrite is the one who ceases to perceive his deception, the one who lies with sincerity.

-- André Gide

Everybody is a moon, and has a dark side which he never shows to anybody.

-- Mark Twain (1835-1910)

There's a deception to every rule.

-- Hal Lee Luyah

A man isn’t honest simply because he’s never had a chance to steal.

-- Yiddish proverb

Many are saved from sin by being so inept at it.

-- Mignon McLaughlin (1913-1983)

Slight are the outward signs of evil thought.

-- Old proverb

Those you trust the most can steal the most.

-- David Pauly

A thing worth having is a thing worth cheating for.

-- W.C. Fields (1880-1946)

I'm not corrupt, I'm morally flexible.

-- Anonymous

Evil: That which one believes of others.

-- H.L. Mencken (1880-1956)

Why do we never expect dull people to be rascals?

-- Mason Cooley (1927-2002)

I worry that the person who thought up Muzak may be thinking up something else.

-- Lily Tomlin

Factoid: No captured major U.S. spy was mentally ill at the time of his capture. They were jerks, traitors, and narcissists, certainly, but not crazy.

Don't place too much confidence in the man who boasts of being as honest as the day is long. Wait until you meet him at night.

-- Robert C. Edwards

If only there were evil people somewhere insidiously committing evil deeds, and it were necessary only to separate them from the rest of us and destroy them. But the line dividing good and evil cuts through the heart of every human being, and who is willing to destroy his own heart?

-- Alexander Solzhenitsyn (1918-2008)

The world is a stage, but the play is badly cast.

-- Oscar Wilde (1854-1900)

Honest and sincere acts mislead the wicked and cause them to lose their path to their own goals, because mean-spirited people usually believe that people never act without deceit.

-- Madame de Sablé (1599-1678)

Nothing can tell us so much about the general lawlessness of humanity as a perfect acquaintance with our own immoderate behavior. If we would think over our own impulses, we would recognize in our own souls the guiding principle of all vices which we reproach in other people; and if it is not in our very actions, it will be present at least in our impulses.

-- Madame de Sablé (1599-1678)

When we see men of a contrary character, we should turn inwards and examine ourselves.

-- Confucius (551 – 479 BC)

Many a man's reputation would not know his character if they met on the street.

-- Elbert Hubbard (1856-1915)

Many of us believe that wrongs aren't wrong if it's done by nice people like ourselves.

-- Anonymous

The fly that doesn't want to be swatted is most secure when it lights on the fly-swatter.

-- Georg C. Lichtenberg (1742-1799)

Forbidden things have a secret charm.

-- Publius Cornelius Tacitus (56 – 117 AD)

It is with trifles, and when he is off guard, that a man best reveals his character.

-- Arthur Schopenhauer (1788-1860)

They are not all saints who use holy water.

-- English proverb

Your religion is what you do when the sermon is over.

-- Anonymous

All of us are experts at practicing virtue at a distance.

-- Theodore M. Hesburgh

Level with your child by being honest. Nobody spots a phony quicker than a child.

-- Mary MacCracken

Americans do not abide very quietly the evils of life.

-- Richard Hofstadter (1916-1970)

In every American there is an air of incorrigible innocence, which seems to conceal a diabolical cunning.

-- A. E. Housman (1859-1936)

Some people would be less dangerous if they had no good in them at all.

-- François de La Rochefoucauld (1613-1680)

The only difference between the fool, and the criminal who attacks a system is that the fool attacks unpredictably and on a broader front.

-- Tom Gilb

Call me paranoid but I don't trust spiders, I don't trust Predacons and I don't trust dames who sneak in and out of classified areas when they think that nobody is watching.

-- From the TV series Beast Wars: Transformers (1996)

The only difference between saints and sinners is that every saint has a past while every sinner has a future.

-- Oscar Wilde (1854-1900)

“I’d be glad to swear a loyalty oath. Hell, yes I’m loyal, you #*&~@$!”

Definition—Grawlix (noun): the #*&~@$! symbols used in comics to represent swearing.

Definition—CAPTCHA (noun): visually distorted letters, numbers, or words that (ideally) only humans can read. Used on the Internet to establish that a human being is interacting with a web page, and not a software program. The term is an acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart”.

Agents of disruption, subversion, sabotage and disinformation, tunnelers and smugglers, listeners and forgers, trainers and recruiters and talent spotters and couriers and watchers and seducers, assassins and balloonists, lip readers and disguise artists.

-- John le Carré

Matt: Don't be cynical. Why do you always assume the worst about people?

Gwyn: Statistics.

-- Dialog from the movie Miami Rhapsody (1995)

Watch what people are cynical about, and one can often discover what they lack.

-- George S. Patton (1885-1945)

It is a sin to believe evil of others, but is seldom a mistake.

-- H.L. Mencken (1880-1956)

But who is to guard the guards themselves?

-- Juvenal (55 – 127 AD)

Plato (427-347 BC) offered one answer: They will guard themselves against themselves. We must tell the guardians a noble lie. The noble lie will inform them that they are better than those they serve and it is therefore their responsibility to guard and protect those lesser than themselves. We will instill in them a distaste for power or privilege; they will rule because they believe it right, not because they desire it.

It's amazing the clarity that comes with psychotic jealousy.

-- From the movie My Best Friend’s Wedding (1997)

You can be a rank insider as well as a rank outsider.

-- Robert Frost (1874-1963)

All money is tainted; tain't none of it mine.

-- Thomas Francis McGuire

I can resist anything but temptation.

-- Oscar Wilde (1854-1900)

There are several good protections against temptations, but the surest is cowardice.

-- Mark Twain (1835-1910)

The most perfidious way of harming a cause consists of defending it deliberately with faulty arguments.

-- Friedrich Nietzsche (1844-1900)

We have to distrust each other. It's our only defense against betrayal.

-- Tennessee Williams (1911-1983)

Many a deep secret that cannot be pried out by curiosity can be drawn out by indifference.

-- Sydney J. Harris (1917-1986)

If you would not step into the harlot’s house, do not go by the harlot’s door.

-- Thomas Secker (1693-1768)

Knowledge is power, if you know it about the right person.

-- Ethel Mumford (1878?-1940)

The chief lesson I have learned in a long life is that the only way to make a man trustworthy is to trust him; and the surest way to make him untrustworthy is to distrust him and show your distrust.

-- Henry L. Stimson (1867-1950)

Amateurs hack systems, professionals hack people.

-- Bruce Schneier

Things were run on a need-to-know basis; if you needed to know, you weren't told.

-- Peter Jay on his boss at Maxwell Publishing

Self Respect: The secure feeling that no one, as yet, is suspicious.

-- H.L. Mencken (1880-1956)

Motivations for insider attacks:

1. greed or severe financial need

2. revenge

3. terrorism

4. ideology, political activism, radicalism, or anarchism

5. coercion/blackmail

6. social engineering/seduction

7. narcissism or ego; the need to feel important, gain recognition, or be seen as clever

8. desire to prove that a warned about threat or vulnerability is real

9. desire for excitement

10. mental illness(?)

11. inadvertent compromise of security through carelessness, human error, laziness, ignorance, disregard of good security practices, or arrogance

There are some who become spies for money, or out of vanity and megalomania, or out of ambition, or out of a desire for thrills. But the malady of our time is of those who become spies out of idealism.

-- Max Lerner (1902-1992)

As to the Seven Deadly Sins, I deplore Pride, Wrath, Lust, Envy, and Greed. Gluttony and Sloth I pretty much plan my day around.

-- Robert Brault

A mule will labor ten years willingly and patiently for you for the privilege of kicking you once.

-- William Faulkner (1897-1962)

There is no such a liar as an indignant man.

-- Friedrich Nietzsche (1844-1900)

What do you think spies are: priests, saints and martyrs? They're a squalid procession of vain fools, traitors too, yes; pansies, sadists and drunkards; people who play cowboys and Indians to brighten their rotten lives.

-- John le Carré, The Spy Who Came in From the Cold
Hell has three gates: lust, anger, and greed.

-- The Bhagavad Gita

Heaven hath no rage like love to hatred turned, nor Hell a fury like a woman scorned.

-- William Congreve (1670-1729), The Mourning Bride

Chaperons don't enforce morality, they force immorality to be discreet.

-- Judith Martin

Asking for help is still one of the best social engineering tools for compromising security. There is an inherent desire for people to help other people.

-- Chris Hadnagy

Chapter 8 - Human Resources & Security

Some Key Points:

The HR Department can be a powerful tool for security and for mitigating the insider threat.

In most organizations, however, it makes security worse by serving as Secret Police, Judge, Jury, and Executioner, and by not competently mitigating employee disgruntlement.

The purpose of a grievance process is to reduce the insider threat and improve productivity—not to rubber stamp management blunders.

Question on a job application form: Do you support the overthrow of the government by force, subversion, or violence? Answer from one applicant: Violence.

Few great men would have got past Personnel.

-- Paul Goodman (1911-1972)

I don't hire anybody who's not brighter than I am. If they're not brighter than I am, I don't need them.

-- Paul “Bear” Bryant (1913-1983)

When you go in for a job interview, ask if they ever press charges.

-- Jack Handey

I am free of all prejudices. I hate everyone equally.

-- Anonymous

Girlfriend: Do you really wanna know?

Boyfriend: I asked, didn’t I? I’m playing the role of concerned guy.

-- Dialog from the movie Mallrats (1995)

The human-resources trade long ago proved itself, at best, a necessary evil—and at worst, a dark bureaucratic force that blindly enforces nonsensical rules, resists creativity, and impedes constructive change. HR is the corporate function with the greatest potential—the key driver, in theory, of business performance—and also the one that most consistently underdelivers.

-- Keith Hammonds. See http://www.fastcompany.com/magazine/97/open_hr.html?page=0,0

Not only does our Diversity Director not understand diversity, she wouldn’t be in favor of it if she did!

-- Anonymous

You’re too different to be on the diversity committee!

-- Actual accusation from a senior manager at Los Alamos National Laboratory trying to intimidate an employee into quitting the employee diversity committee

Anger is a signal, and one worth listening to.

-- Harriet Lerner

The purpose of the grievance process is to protect the institution.

-- HR employee

If a pig loses its voice, is it disgruntled?

-- Anonymous

The main purpose of a complaint resolution or grievance process should be to try to turn disgruntled employees into gruntled employees.

-- Roger Johnston

Regard your soldiers as your children, and they will follow you into the deepest valleys; look on them as your own beloved sons, and they will stand by you even in death.

-- Sun Tzu (544-496 BC)

Do not protect yourself by a fence, but rather by your friends.

-- Czech proverb

Employees will get more pissed off about not being consulted on the little things than they will on major new directions for the organization.

-- Anonymous

I consider myself to be a pretty good judge of people. That's why I don't like any of them.

-- Roseanne Barr

Chapter 9 - The Adversary

Some Key Points:

Never underestimate your adversaries.

You must get into their heads.

The bad guys have most of the advantages because offense is easier than defense.

Good security requires thinking about what the adversaries might do, and how to counter what they might do.

When choosing between two evils, I always pick the one I never tried before.

-- Mae West (1893-1980)

I don’t know of a greater advantage than to appreciate the worth of an enemy.

-- Johann Wolfgang von Goethe (1749-1832)

If you know the enemy and know yourself, you need not fear the results of a hundred battles.

-- Sun Tzu (544-496 BC)

So We’re In Agreement Maxim: If you’re happy with your security, so are the bad guys.

There is no little enemy.

-- Benjamin Franklin (1706-1790)

The bad guys are always going to be one step ahead of the good guys—they're more nimble, have less bureaucracy, are quicker to adapt to new technologies—and in a fast-changing technological world this gap is only going to get worse.

-- Bruce Schneier

Greed is for amateurs. Disorder, chaos, anarchy: now that's fun.

-- From the movie The Crow (1994)

There is always more spirit in attack than in defense.

-- Titus Livius (59 BC – 17 AD)

May the forces of evil become confused on the way to your house.

-- George Carlin (1937-2008)

Never wrestle with a pig. You can’t win. You both get dirty. The pig loves it.

-- Attributed to Pasquale Capozzi

Friends come and go; enemies accumulate.

-- Anonymous

Your friends sometimes go to sleep; your enemies never do.

-- Thomas Brackett Reed (1839-1902)

And oftentimes, to win us to our harm,

The instruments of darkness tell us truths,

Win us with honest trifles, to betray's

In deepest consequence.

-- William Shakespeare (1564-1616), Macbeth, 1.3

No one will ever win the battle of the sexes; there's too much fraternizing with the enemy.

-- Henry Kissinger

The wise learn many things from their foes.

-- Aristophanes (446–386 BC)

You can discover what your enemy fears most by observing the means he uses to frighten you.

-- Eric Hoffer (1902-1983)

He Whose Name Must Never Be Spoken Maxim: Security programs and security professionals who don’t talk a lot about “the adversary” or the “bad guys” aren’t prepared for them and don’t have good security.

My colleagues are spherical bastards. No matter how you look at them, they’re bastards.

-- Caltech astronomer Fritz Zwicky (1898-1974)

The reverse side has a reverse side.

-- Japanese proverb

A truth that is told with bad intent beats all the lies you can invent.

-- William Blake (1757-1827)

Hell is empty and all the devils are here.

-- William Shakespeare (1564-1616), The Tempest, 1.2

Hell is truth seen too late—duty neglected in its season.

-- Tryon Edwards (1809-1894)

Hell isn’t merely paved with good intentions, it is walled and roofed with them.

-- Aldous Huxley (1894-1963)

Hell is a place where the motorists are French, the policemen are German, the cooks are English, the bureaucrats are Italian, and the lovers are Swiss.

-- Anonymous

Morticia: I’m just like any modern woman trying to have it all. Loving husband, a family. It's just, I wish I had more time to seek out the dark forces and join their hellish crusade.

-- From the movie Addams Family Values (1993)

How does Bugs Bunny do it? How does he know when he wakes up in the morning to put in his pocket 3 sticks of dynamite, a physician costume, and a bicycle pump?

-- Anonymous

The average man will bristle if you say his father was dishonest, but he will brag a little if he discovers that his great-grandfather was a pirate.

-- Bern Williams

Why do hackers succeed? They're lucky, they're patient and they're brilliant. They're also better funded than you.

-- John Stewart

She’s as mean as a snake. She reminds me of me.

-- Tennis player Martina Hingis

Nothing in the universe can travel at the speed of light, they say, forgetful of the shadow's speed.

-- Howard Nemerov (1920-1991)

News Correction: In our cover story about Hunter S. Thompson yesterday, we mistakenly attributed to Richard Nixon the view that Hunter Thompson represented “that dark, venal and incurably violent side of the American character”. On the contrary, it was Thompson who said that of Nixon.

-- The Guardian (U.K.)

Yesterday upon the stair,

I met a man who wasn’t there.

He wasn’t there again today.

Oh how I wish he’d go away.

-- Hughes Mearns (1875-1965)

Chapter 10 - The Expected & the Unexpected

Some Key Points:

Expect the unexpected.

We see what we expect to see, and miss what we are not prepared to see.

You need the right mindset to have good security.

If they expect us to expect the unexpected, doesn’t the unexpected become the expected?

-- Anonymous

To expect the unexpected shows a thoroughly modern intellect.

-- Oscar Wilde (1854-1900)

Chance favors the prepared mind.

-- Louis Pasteur (1822-1895)

We are never prepared for what we expect.

-- James Michener (1907-1997)

Anything long expected takes the form of the unexpected when at last it comes.

-- Mark Twain (1835-1910)

He who is not prepared today will be less so tomorrow.

-- Ovid (43 BC – 17 AD)

If you do not expect the unexpected, you will not find it; for it is hard to be sought out and difficult.

-- Heraclitus (535 – 475 BC)

As a rule, we perceive what we expect to perceive. The unexpected is usually not perceived at all.

-- Peter Drucker (1909-2005)

The eye sees only what the mind is prepared to comprehend.

-- Henri Bergson (1859-1941)

My sister's expecting a baby, and I don't know if I'm going to be an uncle or an aunt.

-- Chuck Nevitt, North Carolina State basketball player, explaining to Coach Jim Valvano why he was so nervous during a game

Chapter 11 - Makes Sense

Some Key Points:

The obvious is often more complex than you might imagine.

I declare this thing open—whatever it is.

-- Prince Philip at the grand opening of an annex to the Vancouver City Hall

Welcome to President Bush, Mrs. Bush, and my fellow astronauts.

-- Dan Quayle at a ceremony for the 20th anniversary of the moon landing

Shouldn’t the Air and Space Museum be empty?

-- Dennis Miller

It was still a shock when George died. It was the last thing I thought he’d do.

-- Angie Best

Never wear anything that panics the cat.

-- P.J. O’Rourke

“Product not actual size.”

-- Disclaimer on a TV ad for Burger King showing a giant Whopper crushing a car

Wife: Before we were married, you said mother could stay with us whenever she pleased.

Husband: Yes, but she hasn’t pleased yet.

Every minute was more exciting than the next.

-- Linda Evans

Never work with kids or animals.
