

Computer security feels like this.

I want to drive but I can't. The car keys are locked inside a combination lockbox inside a safe inside a bigger safe. Each combo lock has at least 16 characters, which have to include upper case, lower case, symbols, and special punctuation marks used only in Estonian. And they can't be the same as each other in any way. And they can't be the same as any other combination I have ever used, in any of my 184 other key locks (which are all similarly protected). And I can't write them down. So of course I get the combination wrong, and if I do, the whole thing locks up. And oh, by the way, this whole cockeyed security system was imposed on me. I didn't ask for it, I didn't agree to it, I just tried to get my keys one day and found they were locked up inside this monstrosity.

And every week they add another layer of safes, and make all the combinations four characters longer. Each.

I can't get in, I end up locking the system time and again. So I call the dealership. After giving them a large amount of personal data on the phone, which I am not supposed to give anyone on the phone, they talk me through unlocking the nested safes and getting my keys.

"I don't like this. I want to get my car keys out and go driving whenever I want."

"Well," the salesman says, self-righteously, "it's for your own protection after all. It may be inconvenient to have to go through all this rigamarole every single time you want to unlock anything, however trivial, but it would be even more inconvenient if the Bad Guys stole your car."

"That may be so, but if the Bad Guys steal my car it won't be because I didn't lock my keys in a safe in a safe in a safe. It will be because you guys keep everyone's keys in a suitcase conveniently marked ALL THE KEYS, located next to the intern's desk in the sales department. Remember how the Bad Guys walked in and stole 397,582 separate driver's keys from you, just last week."

"It is unkind of you to say that. We are working hard here. Your Security is Very Important to Us. The suitcase of keys has been moved. It is now under the Assistant Manager's desk. Much safer."

"And besides that," I continue, "the car is built so that all you have to do is run a jumper wire across the cigarette lighter and it starts right up. Your engineers didn't do ANYTHING to implement security on that car."

"Lies! The Belchfire Six is the most secure car on the market. Years of work..."

"I read how to do it in twelve different car thief websites."

"Well, maybe, but if you talk about it the terrorists win. We're working hard to fix that little problem because Your Security is Very Important to Us."

"So I don't want to lock up my car keys any more."

"Why would you want to make it easy for the Bad Guys..."

"I don't want to make it easy for the Bad Guys! I just want to be able to use the CAR I BOUGHT as easily as the Bad Guys can steal it! Your so-called security only keeps out the legitimate users, it doesn't do a thing to stop the professionals!"

"Well," he says, huffily, "if you don't give a damn about Security, I guess there's no point in my talking to you."


( 1 comment — Leave a comment )
Nov. 28th, 2013 05:36 pm (UTC)
Estonian? I use Babylonian cuneiform, but I'm working on a Sanskrit implementation that doubles security by adding a ROT-13 on top of it.

Totally agree. With the number of intermediate processors that get compromised, there's nothing that you can do to totally protect yourself if people to whom you have no access or recourse are hacked. I remember I was in Phoenix, getting ready to go to a gaming trade show in Las Vegas, when I saw an $80 withdrawal from my checking done at a gas station in North Carolina. Came to find out that a credit card processor in Albuquerque was hacked.

I've read an interesting proposal for doing electronic merchant payments. At the POS, the merchant submits an encrypted invoice to your phone or banking device, which signs and further encrypts it (the authorization for payment step) and submits it upstream to your bank, which performs a similar transfer sending the money to the merchant's bank. The merchant never sees your credit card number, and it greatly reduces the number of points at which your information can be compromised because strong, signed security is in play at all levels.

Purest fantasy and optimism.