By Bill Brenner
August 25, 2010
I took my share of name-calling as a kid. I did my share of
name-calling, too. We're taught that nothing good comes of such
behavior. I've been thinking a lot about that since writing an article
two weeks ago called "Security blunders 'dumber than dog snot'" during
the 2010 USENIX Security Symposium.
The story is based on a talk of the same title given by Roger G.
Johnston, a member of the Vulnerability Assessment Team at Argonne
National Laboratory. In the presentation, he gave surprising
(or not) examples of what he has seen as a vulnerability assessor:
security devices, systems and programs with little or no security -- or
security thought -- built in. There are the well-designed security
products foolishly configured by those who buy them, thus causing more
vulnerability than before the devices were installed.
Then there are the badly-thought-out security rules and security
programs laden with security theater, lacking muscle and teeth. In fact,
some policies only make some employees disgruntled because they are
treated like fools. In turn, the company risks turning them into
Johnston described three common problems: People forgetting to lock the
door, people too stupid to be helped and -- worst of all -- intelligent
people who don't exploit their abilities for the betterment of security.
Enter what he calls the dog snot model of security -- where intelligence
and common sense exist but are not used.