I’ve always been fascinated by security that was “just good enough”. I think lots of security actually qualifies (see The News), but I think fencing (and maybe bike locks) take first prize.
As a kid I used to love breaking into stuff. Nighttime construction sites. Abandoned buildings. Whatever. And the older I got the more I started paying attention to how silly most fences are.
They’re like, suggestions. They’re like the opposite of winks. They scream at the top of their lungs,
Um, like, maybe don’t come in via exactly this spot. Unless you want to. That’s totally fine too.
So I was walking around earlier today near a construction site and saw all the different fences that were keeping people out of the area after hours. It was hilarious. Like I was snapping photos and laughing out loud, which people normally only do while texting.
Nobody OPSEC me based on the atomic composition of the fence please.
The first picture at the top was a classic—a 5-pound chain threaded through one link of the cheapest fencing available on Sol-3.
Oh, and then look at this one. This one will keep anyone out, as long as that anyone doesn’t have a wrench.
And the further I walked, the funnier it got.
This one was just a piece of wire. I opened it with my ultra-soft IT-person fingers.
And then after a few more feet, I came to the next fence challenge…
That’s right, you can just like…keep walking…for a few feet and just find a spot with less fence. In this case, no fence.
So we’ve got the one-link defense, followed by the twisty-tie defense, followed by the invisible-section defense.
But here’s the crazy thing: was the place being raided? Were people behind the barrier? I talked to a security guard there, and did they tell me there was a lot of theft?
No. Virtually none.
Because of the fence.
It’s a strange world where so many security systems hover at this nebulous barrier between nothing at all and something substantial. And any nudge in one direction would push it over the line.
Doing better than a twisty-tie? –> Way better security. Someone actually wanting to go inside? –> One could spend three times as much and it wouldn’t stop them. These paper fences stop lumber thieves, and taking your shoes off at the airport probably stopped dozens of shoe bombers.
Until it doesn’t.
It’s getting hard to make fun of Security Theater when it seems to work so well.
As it turns out, the right amount of security—by definition—is that which is “good enough”. The clue is in the name.
It’s a perfect economic dance. Reduce the Theater by just a shade and you lose all your lumber. But spend $0.37 on an extra rusted twisty-tie and you’ve wasted money.
House door locks, construction fences, etc.
Most security sits on this psychological razor’s edge just this side of worthless. If you apply any scrutiny to it, or put any effort into bypassing it, it’s garbage. But because most people don’t apply any effort or scrutiny, it actually does exactly what it was supposed to do.
I see a lot of security systems this way now, and I can’t unsee it.
- It’s the same for residential locks. Trivial to pick, and they have been for decades. But they’re good enough.
- Also reminds me of Why Software Remains Insecure.