Stupid Security

Exposing Fake Security Since 2003

Portions of Stupid Security are copyright 2003 by Nat Howard and his licensors.

Stupid Security FAQ

It's a good idea to read at least some of this before posting or asking questions.

Q. What is this site all about?

A. The intent of stupidsecurity.com is to expose a particularly seamy aspect of modern life -- misguided thrashings labeled "security" and defended -- if at all -- by an appeal to paranoia. My hope is that by providing a chronicle of really stupid security measures, we can make it more uncomfortable for pointy-haired bosses of various types to approve really stupid security measures.

Q. Does this include things that aren't really security -- but where "security" is used as the excuse to hide some other motive?

A. Yes, absolutely. The dishonest use of "security" to justify land-grabs, tyranny, and nosiness is exactly this sort of thing. I created this site partly to make it all the more obvious when this particular sort of lying occurs.

Typically, if a security measure is really about something else then the "security" aspect will be pretty shaky -- probably stupid. For example, if someone's using strip-searches to sexually harass airport clients, the airport is going to lose more than it gains by this policy. If the security measure is actually justified (say, prisoners are strip-searched after a prison riot when they had access to weapons), then it may advance some other agenda, but the security measure, by hypothesis, will be justified.

Q. So should I send you stuff about security holes?

A. Generally, no. You see, what I'm after are stories where security is being implemented in a way that is inherently needless or counterproductive. If someone merely forgets to lock a door, then it's a mistake -- the general idea of a locked door on your house is OK. If you forget to lock the door, nobody's inconvenienced: if anybody suffers, it is you. If, however, someone assigns guards to check ID at only two of the four doors, that's just stupid. In the first case, an OK idea is being (slightly) bungled, but nobody's being inconvenienced. In the second, honest people are inconvenienced, and security isn't really being increased. It's the second sort of case I'm interested in covering here.

Here are examples of articles I've rejected on this basis: a story about a bank that let contractors take customer data home on a thumb drive; a story about a railroad station whose for-pay wi-fi network was easily hacked; several stories about passwords being poorly chosen.

This is, admittedly, something of a judgment call. In this case, implementation of a normally-reasonable idea was so laughable that I included it in the "humor" category.

Q. Is it OK to send a security person to look at the site regarding complaints about his institution? For example, is it OK to send TSA folks to look at an article about egregious searches at a particular airport?

A. Yes! When it's dead easy, we notify such people ourselves that their institution has been mentioned and that perhaps they'd like to respond. It may happen (and has happened) that some measure that seems stupid to someone actually makes a lot more sense when explained properly.

For me, a home run for the site would be if I heard that a stupid measure had been removed or prevented because decision makers feared being derided here. That's a lot more likely to happen if those decision makers know all about the site.

Q. Should I identify who's making the stupid mistake?

A. That depends on context, particularly the likely consequences of your actions. For publicly known stupidities, such as the legendary "three questions" that the airlines asked, there's no apparent harm in doing so. For private parties whose livelihood might be destroyed if some illusion of security were shown to be an illusion, you probably want to show some mercy: we suggest you merely report on the practice, e.g. "A well-known defense contractor is protecting its computer room by telling employees that there are vicious dogs in the computer room -- but there are no dogs". Also, the person running the web site doesn't particularly want to get sued. The majority of cases are bound to be in a middle zone, and we suggest you err on the side of mercy, er, caution.

Also, please don't submit classified information or other information that would get you deeply in trouble if it were found out. We're not running an anonymizer here.

Q. Who is running an anonymizer?

A. Anonymizer.com  

Q. What if I want to send you an article using PGP and anonymous remailers?

A. You can find anonymous remailers in various places, and you're probably more secure if you find them without our help (that way we can't "force" one on you). That said, you can try a Google search for "anonymous remailers".
Send the mail to "submissions@not-stupidsecurity.com". Except that you should remove the "not-" so that the thing after the "@" reads "stupidsecurity.com". Here's our PGP key:
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.2.2 (Darwin)

mQGiBEQZYHURBAC3wZks1qw5gY/O/DwbDt8N7y/EmBMCWx6122ezic655MIv5Hn1
iswvxmozMQ2WMwUc4PmHugOIg0JxtpqjtVFXsv0RoofWTJuO51EK8i04qpc60FlD
ctV3mvY22P9ue4lSzDmaItgz/vKuD1o5pyRk0EhmMQCRgkSIccdI/rGvGwCg8brV
aIImE4MYbtTBTrDhmAY2HrkEAI4uguLEeSyyd1Y+G1ChQHHariJr05oK7t985DfZ
Sth4q7HKz2SYrmjn60p6G9wlW9QDMcQsoi0jfWL6WFkYCUN9MvJQZJDhk0pfLojQ
KlNExPmcw5fAhQHtGJOKaqRZqPzAUs8Oattpj72iGGoXWKx3Wt5l0yZ6aaYYzKac
AHJlA/9ZvXl7lymFSaI756WO1THLJF9cHTyjwj4H4GM/6fsp/4456aBcD5x2JJqG
ZWJHQJnm+P88GN8mEfFH6RDxgN91hzXrAtUChWMeay9y7YBXZqDq8e/DG6SRx8/w
6+BECEi6vCr9cGb7G4z0a3YQ5yG0K7ifwR6myno2oHDh/WL68LQ8U3R1cGlkIFNl
Y3VyaXR5IFN1Ym1pc3Npb25zIDxzdWJtaXNzaW9uc0BzdHVwaWRzZWN1cml0eS5j
b20+iGYEExECACYFAkQZYHUCGwMFCQHhM4AGCwkIBwMCBBUCCAMEFgIDAQIeAQIX
gAAKCRBeMDW5sbh35ggoAJ9ysLXaZiwVULN7R63mZ81lAbOn3ACggwRjPVlkAm3M
/Xf7dVb2V/BiFoi5BA0ERBlhIhAQAIssTabdfNnTcnaQVPZClZBxhiPrXkHGbdqu
Ws+mZYTARWAaHWgLu65b4lg4UuBDKfPshW+HMsW8qt5P8h9RBUusl2GyNqePrtGX
fLgv48IvnxYJMbfqjVIL5JUdrV3n7KxtFRHKRzKcugWHMJVjFY47ueAbXw1dl2yk
W4+TEfmB/lymcE4Qh9C/kdgtwfgQY3oaQc2p9u7Nn79ciCKR8C21cb89Ayg+GmuY
2KlY1OytUN1vfYFo5K18LwhywLg5TeSnajGdUB51UFrK5mj2EDFbOdpkSKoZBtwJ
X6VU0QWs/cJx/J7wtISiO6Q0dVgrdn0c/PsTHvg5RDkdPs6jzvbWdKSxzHgoirY1
Y4ojncr08ExxfH1Oy3qefe9/Ellh672QxGJ1XrG/NOpip/nIB2PWZONBNustmG+I
4CHZa1WXxiGPx0/r8gCVv4RYuDEqw52oKGqwmKBgTamuX6JvE6mt07J19jL+cI00
8xXFRGC45Sw9+O+QNt+NvW5zzffy8Fu1x3bHD+yeRCFx87lLpNwUoW4AVKkF2eVd
lGlkwI1DPbaeZTPN9Lm33vU1V1OnIRw/Aiaf2U8sRQxIXoYgu9iuqfg+qJxu7UDI
gPqD/DKjRU0JDW/jzl4pgLIuRNFWPyK8sCjXZY2sA5YhHhnBh34uvmQqxhH/o1Gd
Tb2fKnGPAAMHD/48AZuYpiGUbj/KfSOlndvmkVfZeKL7wRvy7U4CyEIpyMDTI6OC
oiXDzWG29XrpetLF7N2X721W1sn4tMToZvd7m9zUV4nQ1LOrYI1Sr6ShFLEJLsc7
Btpr9ZiubaJzvPySr637uKBb6MYd62sWH6EM1mApjRl2n9lmfYuvbu4Hoq8CmQxs
67h9uFq34R5+ouWu9xsBwaYxuqJV/bQJhxPpvUTJOiDeupCvSxRJQOYltfbuvTXO
GEUyCe8A9pXVCNzoomV0fs/BpsVX18W/f1Xr1Ly+4aAhUpIwtTKD20QLbNoRorX7
D4acjFvuKp750A1vK88q+fFYOIE2nk4n/Y8Xm2In4fNIK1zlL+b6UCQwEzPChu3T
wtAzeUdwaYYDVn6wrDK6VFIgSEToIFogSLi7wxiZHzO5Gjqfu8yPmFoonbWE4MPr
zFkcPNalZGhYb/GDnrNJyYO8RzrNEwiO+cdErTG37ALktWee+upglRU7+IfdcsF0
jlZAWm0GxXzgfxCsOp8gvwGIgEc7hq1byENXrjabnQ1omCJumstRbCz45OcCRvOn
pKYpDMODoPji5Q+cjamWBBkycnxBM5H6IjiQc2Mdd4tntskKoMwC2HUigIvvHNXR
chpBG+5pus7IWiLBm3X6IwgMnf6hSpC9c9aEMxseDH65U5VRkeAECigmyIhPBBgR
AgAPBQJEGWEiAhsMBQkB4TOAAAoJEF4wNbmxuHfmlPcAoLGpjLRf7Jj8nPmOOz26
Vg0nd1D8AJ9sRaL25eIISryoT2GiRvLzQiDziA==
=x7sa
-----END PGP PUBLIC KEY BLOCK-----

Q. What's the difference between the topics "Howlers" and "News"?

A. Howlers are bits of stupidity that someone is doing.  It would, for example, be a Howler if you reported on a farmer closing a barn door after the horse has left.  "News" is reserved more for nonspecific information about security practices: for example, if the Department of Homeland Barn Door Security were to put on their web site a suggestion that farmers finally stop closing the barn door after the horse has left, that would be "News", but it's not really a Howler.

Q. What's the topic "Smarties" for?

A. "Smarties" are the opposite of "Howlers". Nobody stays perfectly on-point, and what with all the stupidity, we want to allow our submitters a chance to describe really clever solutions to security problems. Of course, this will only make the Howlers look even worse...

Q. I have discovered an amazing cryptographic algorithm (which I'm going to keep private) that offers total security. Of course, I won't reveal the source. Also, my company makes dowsing rods that let your guards detect contraband without searching people. May I post these under "Smarties"?

A. No, those go under the topic "Snake Oil".

Q. What software do you use to run the site?

A. Slashcode -- tell 'em we sent you and you get the code for free!


Q. Can I get RSS/RDF/XML/WML?

A. Yes -- you can get those respectively at:
    http://www.stupidsecurity.com/stupidsecurity.rss
    http://www.stupidsecurity.com/stupidsecurity.rdf
    http://www.stupidsecurity.com/stupidsecurity.xml
    http://www.stupidsecurity.com/stupidsecurity.wml



Q. How do I email the editor? The maintainer?

A. You can mail to me as "editor@not-stupidsecurity.com" or "nrh@not-stupidsecurity.com" -- except remove the prefix "not-". Sorry for that misdirection, but take my word for it, it's helpful.


Q. Helpful how?

A. For misdirecting spammer robots!