
Turning Bad Security Into Competitive Advantage

By Rich

Back when I used to do physical security in Boulder, Colorado, there was a core group of us that were often called in by various bars, hotels, or concert venues when they needed help for a special event or to buffer up their staff. Sometimes I ended up working a few nights as a contract bouncer at random bars I was much more likely to be drinking than working at.

One of these places, a bar called Potters, was run by a sketchy manager who shall remain nameless. A buddy and I were called in when they had a big staff turnover and needed some last-minute help. Just the two of us, for one of the busiest bars in a college town.

Our first instruction? If the girl was cute, and had anything slightly resembling an ID, let her in. This isn’t all that uncommon; many businesses make a pretense of complying with the law to reduce their risk of being busted, but would rather have a lot of cute 18-20 year old girls pushing up the guys’ bar tabs. I’d been to all sorts of training to spot fake IDs and was pretty darn good at it, but that didn’t matter. And sorry guys, we weren’t supposed to let you slide.

Today I read more about Apple leaving some really obvious security holes in the iPhone. This time, it’s free ringtones (instead of forcing you to pay $0.99). The iPhone isn’t supposed to allow third party applications, but it’s been thoroughly cracked, and the latest updates have done nothing to restrict users. Contrast this to Sony, who seems hell bent on pissing off their users by constantly fighting the homebrew hackers that just want to add a little software to the PSP. Apple’s done this before, most recently with the AppleTV. TiVo is another company that follows this track: it took me all of 3 minutes to add 750 GB to my TiVo Series 3 this weekend (that’s about 90+ hours of HD recordings, or 900 hours at standard definition).

Is Apple doing this on purpose? It wouldn’t surprise me, but I’d hate to be responsible for screwing up my future iPhone applications (I’m waiting for a 3G version) by pointing this out. Apple has two classes of users: those who like their products because they look nice and work well, and those who can be a bit more fanatical and love digging in. Yet Apple can’t afford to piss off too many of their media partners by giving users the complete freedom they want. The compromise? Pay lip service to the demands of the media partners while leaving holes that only the really hard-core geeks will take advantage of.

In martial arts we sometimes leave an “opening” for our opponent to entice them into taking a predictable action. Perfect security isn’t always best; sometimes leaving a hole creates an advantage.

Plausible deniability, consumer electronics style.
